Windows Analysis Report
Royalistic.exe

Overview

General Information

Sample Name:Royalistic.exe
Analysis ID:828570
MD5:d14335f61c99a9b8a2d5e87cdf83cdd0
SHA1:f82f3481619be8f9f11d76638db3107b1d332912
SHA256:08cabec4d0127fb3e6530b04448cb3539c2b8f28988e60499c2dbbfe475206df
Infos:

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
PE file does not import any functions
Drops PE files
Contains functionality to shutdown / reboot the system
Binary contains a suspicious time stamp
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • Royalistic.exe (PID: 5700 cmdline: C:\Users\user\Desktop\Royalistic.exe MD5: D14335F61C99A9B8A2D5E87CDF83CDD0)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.834425818.0000000000677000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000000.00000002.834648652.0000000004EF6000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
      No Sigma rule has matched
      No Snort rule has matched

      AV Detection

      Source: Royalistic.exe | ReversingLabs: Detection: 25%
      Source: Royalistic.exe | Virustotal: Detection: 50%
      Source: Royalistic.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: Royalistic.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
      Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlDocument\net6.0-Release\System.Xml.XmlDocument.pdb source: System.Xml.XmlDocument.dll.0.dr
      Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A19
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_004065CE FindFirstFileA,FindClose,0_2_004065CE
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_004027AA FindFirstFileA,0_2_004027AA
      Source: x-office-spreadsheet.png.0.dr | String found in binary or memory: http://jimmac.musichall.czif
      Source: Royalistic.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
      Source: Royalistic.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: System.Xml.XmlDocument.dll.0.dr | String found in binary or memory: https://github.com/dotnet/runtime
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_004054B6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004054B6
      Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr | Static PE information: No import functions for PE file found
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033B3
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_0040727F 0_2_0040727F
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_00406AA8 0_2_00406AA8
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_73432288 0_2_73432288
      Source: Royalistic.exe | Static PE information: invalid certificate
      Source: C:\Users\user\Desktop\Royalistic.exe | Process Stats: CPU usage > 98%
      Source: C:\Users\user\Desktop\Royalistic.exe | File read: C:\Users\user\Desktop\Royalistic.exe
      Source: Royalistic.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Royalistic.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Royalistic.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: C:\Users\user\Desktop\Royalistic.exe | File created: C:\Users\user\AppData\Roaming\Kartoffelprodukterne
      Source: C:\Users\user\Desktop\Royalistic.exe | File created: C:\Users\user\AppData\Local\Temp\nst18DB.tmp
      Source: C:\Users\user\Desktop\Royalistic.exe | File written: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Stinkbranden\Middagsselskaber\AsMultiLang.ini
      Source: classification engine | Classification label: mal68.troj.evad.winEXE@1/16@0/0
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_00402173 CoCreateInstance,MultiByteToWideChar,0_2_00402173
      Source: C:\Users\user\Desktop\Royalistic.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_00404766 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404766

      Data Obfuscation

      Source: Yara match | File source: 00000000.00000002.834648652.0000000004EF6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.834425818.0000000000677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: System.Xml.XmlDocument.dll.0.dr | Static PE information: 0x9BADDA42 [Sun Oct 6 21:14:42 2052 UTC]
      Source: C:\Users\user\Desktop\Royalistic.exe | Code function: 0_2_73432288 GlobalFree,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_73432288
      Source: C:\Users\user\Desktop\Royalistic.exe | File created: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-core-processthreads-l1-1-1.dll
      Source: C:\Users\user\Desktop\Royalistic.exe | File created: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-crt-stdio-l1-1-0.dll
      Source: C:\Users\user\Desktop\Royalistic.exe | File created: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Konini\Firsaarsfdselsdage\Whorehouse\Faithworthy\System.Xml.XmlDocument.dll
      Source: C:\Users\user\Desktop\Royalistic.exe | File created: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll
      Source: C:\Users\user\Desktop\Royalistic.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\Royalistic.exe | RDTSC instruction interceptor: First address: 0000000005262269 second address: 0000000005262269 instructions: 0x00000000 rdtsc 0x00000002 cmp eax, E2A1F88Dh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007FEA38A7321Ch 0x0000000f test dx, ax 0x00000012 inc ebp 0x00000013 inc ebx 0x00000014 jmp 00007FEA38A7330Ah 0x00000016 pushad 0x00000017 mov al, ABh 0x00000019 cmp al, ABh 0x0000001b jne 00007FEA38AAFF68h 0x00000021 popad 0x00000022 rdtsc
      Source: C:\Users\user\Desktop\Royalistic.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-core-processthreads-l1-1-1.dll
      Source: C:\Users\user\Desktop\Royalistic.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-crt-stdio-l1-1-0.dll
      Source: C:\Users\user\Desktop\Royalistic.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Konini\Firsaarsfdselsdage\Whorehouse\Faithworthy\System.Xml.XmlDocument.dll
      Source: C:\Users\user\Desktop\Royalistic.exe | API call chain: ExitProcess graph end node graph_0-4341
      Source: C:\Users\user\Desktop\Royalistic.exe | API call chain: ExitProcess graph end node graph_0-4345
      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | 1 Native API | Path Interception | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Timestomp | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Source | Detection | Scanner | Label | Link
      Royalistic.exe | 26% | ReversingLabs | Win32.Trojan.Generic |
      Royalistic.exe | 51% | Virustotal | | Browse

      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll | 0% | ReversingLabs | |
      C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll | 0% | Virustotal | | Browse
      C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs | |
      C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-core-processthreads-l1-1-1.dll | 0% | Virustotal | | Browse
      C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-crt-stdio-l1-1-0.dll | 0% | ReversingLabs | |
      C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-crt-stdio-l1-1-0.dll | 0% | Virustotal | | Browse
      C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Konini\Firsaarsfdselsdage\Whorehouse\Faithworthy\System.Xml.XmlDocument.dll | 0% | ReversingLabs | |

      Source | Detection | Scanner | Label | Link | Download
      0.0.Royalistic.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491 | | Download File
      0.2.Royalistic.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491 | | Download File

      No Antivirus matches

      Source | Detection | Scanner | Label | Link
      http://jimmac.musichall.czif | 0% | URL Reputation | safe |

      No contacted domains info

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://jimmac.musichall.czif | x-office-spreadsheet.png.0.dr | false | URL Reputation: safe | unknown
      http://nsis.sf.net/NSIS_Error | Royalistic.exe | false | | high
      http://nsis.sf.net/NSIS_ErrorError | Royalistic.exe | false | | high
      https://github.com/dotnet/runtime | System.Xml.XmlDocument.dll.0.dr | false | | high

      No contacted IP infos
            Joe Sandbox Version:37.0.0 Beryl
            Analysis ID:828570
            Start date and time:2023-03-17 10:37:08 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 9m 33s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:6
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample file name:Royalistic.exe
            Detection:MAL
            Classification:mal68.troj.evad.winEXE@1/16@0/0
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 85.7% (good quality ratio 84.3%)
            • Quality average: 86.8%
            • Quality standard deviation: 21.2%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 41
            • Number of non-executed functions: 27
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240s for sample files taking high CPU consumption
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
            • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
            • Not all processes where analyzed, report is missing behavior information
            No simulations
            No context
            No context
            No context
            No context
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll | Annexationist.exe | Get hash | malicious | AgentTesla, GuLoader | Browse |
            | Annexationist.exe | Get hash | malicious | GuLoader | Browse |
            | file.exe | Get hash | malicious | AgentTesla, GuLoader | Browse |
            | file.exe | Get hash | malicious | AgentTesla, GuLoader | Browse |
            | file.exe | Get hash | malicious | GuLoader | Browse |
            | file.exe | Get hash | malicious | GuLoader | Browse |
            | file.exe | Get hash | malicious | AgentTesla, GuLoader | Browse |
            | file.exe | Get hash | malicious | GuLoader | Browse |
            | REQUEST_FOR_QUOTE.exe | Get hash | malicious | GuLoader | Browse |
            | REQUEST_FOR_QUOTE.exe | Get hash | malicious | GuLoader | Browse |
            | oOEAcj2CRw.exe | Get hash | malicious | GuLoader | Browse |
            | oOEAcj2CRw.exe | Get hash | malicious | GuLoader | Browse |
            | P8plQXLs5a.exe | Get hash | malicious | GuLoader | Browse |
            | P8plQXLs5a.exe | Get hash | malicious | GuLoader | Browse |
            | HFFIFAnqTY.exe | Get hash | malicious | GuLoader | Browse |
            | HFFIFAnqTY.exe | Get hash | malicious | GuLoader | Browse |
            | NEWORDER.EXE.exe | Get hash | malicious | FormBook, GuLoader | Browse |
            | NEWORDER.EXE.exe | Get hash | malicious | GuLoader | Browse |
            | Payment.js | Get hash | malicious | GuLoader | Browse |
            | YIqZ253T62.exe | Get hash | malicious | FormBook, GuLoader | Browse |
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):11776
                                                    Entropy (8bit):6.024446974480565
                                                    Encrypted:false
                                                    SSDEEP:192:Vm9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
                                                    MD5:E23600029D1B09BDB1D422FB4E46F5A6
                                                    SHA1:5D64A2F6A257A98A689A3DB9A087A0FD5F180096
                                                    SHA-256:7342B73593B3AA1B15E3731BFB1AFD1961802A5C66343BAC9A2C737EE94F4E38
                                                    SHA-512:C971F513142633CE0E6EC6A04C754A286DA8016563DAB368C3FAC83AEF81FA3E9DF1003C4B63D00A46351A9D18EAA7AE7645CAEF172E5E1D6E29123AB864E7AC
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                    Joe Sandbox View:
                                                    • Filename: Annexationist.exe, Detection: malicious, Browse
                                                    • Filename: Annexationist.exe, Detection: malicious, Browse
                                                    • Filename: file.exe, Detection: malicious, Browse
                                                    • Filename: file.exe, Detection: malicious, Browse
                                                    • Filename: file.exe, Detection: malicious, Browse
                                                    • Filename: file.exe, Detection: malicious, Browse
                                                    • Filename: file.exe, Detection: malicious, Browse
                                                    • Filename: file.exe, Detection: malicious, Browse
                                                    • Filename: REQUEST_FOR_QUOTE.exe, Detection: malicious, Browse
                                                    • Filename: REQUEST_FOR_QUOTE.exe, Detection: malicious, Browse
                                                    • Filename: oOEAcj2CRw.exe, Detection: malicious, Browse
                                                    • Filename: oOEAcj2CRw.exe, Detection: malicious, Browse
                                                    • Filename: P8plQXLs5a.exe, Detection: malicious, Browse
                                                    • Filename: P8plQXLs5a.exe, Detection: malicious, Browse
                                                    • Filename: HFFIFAnqTY.exe, Detection: malicious, Browse
                                                    • Filename: HFFIFAnqTY.exe, Detection: malicious, Browse
                                                    • Filename: NEWORDER.EXE.exe, Detection: malicious, Browse
                                                    • Filename: NEWORDER.EXE.exe, Detection: malicious, Browse
                                                    • Filename: Payment.js, Detection: malicious, Browse
                                                    • Filename: YIqZ253T62.exe, Detection: malicious, Browse
                                                    Reputation:moderate, very likely benign file
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):263441
                                                    Entropy (8bit):7.470128360205037
                                                    Encrypted:false
                                                    SSDEEP:6144:gW2L2lxw6CfR2hGhddAkBtTCNwQn4Sp5U2JvkCmLO6ta4Rh40FdmxMDoOz:gMHw9SGh1D6ndCtLO6s4R2eOMTz
                                                    MD5:ED053E4B81682B3CEF98A00C188F9191
                                                    SHA1:7824184CA7B4588B9665CF5D6ECDF3E6A20820C7
                                                    SHA-256:64A7608273D8284E67F338F8B77230B0EF14C342747CE6C3F8792F567BC99498
                                                    SHA-512:51C4089DE4328B5C37B759CF98FCDE4838C67413CF0F0EE8EB1D9CD6BB129A41C686BEC3DD424B553725C84787671FAE3F9E037C436E8D7D5B8F28F7D42CBE7D
                                                    Malicious:false
                                                    Reputation:low
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit colormap, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):546
                                                    Entropy (8bit):6.786347340342328
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7X0ZKjCVdCyXM8OYSd/AuKoOjTOH6BMLHEMA:C0oCDMUaAutUTQ60HED
                                                    MD5:D4AEA6CA7A8B03C62C36FF2AEBE20C6C
                                                    SHA1:F0BB798B40E4CA170ECFBD72161EF7796B58B444
                                                    SHA-256:EC1222609F69FE70F55C1817535B0138A295EB7C71CCC443D7B3ACAA44537B5B
                                                    SHA-512:9912AC7388A0138E809D8E25F4EE90B5952D8B4063969A79BCEB2C5E8A312878897BEF56FF3BBB0185A815262C343984D9C3113B5B5C2D0069716891110A0DFD
                                                    Malicious:false
                                                    Reputation:low
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):19208
                                                    Entropy (8bit):7.005927948691754
                                                    Encrypted:false
                                                    SSDEEP:384:dtUDfIeFrW1hWC5OZkum0GftpBjVzm3Sx56lgCoha6LDF:dteFuJoVijz1HB
                                                    MD5:D699333637DB92D319661286DF7CC39E
                                                    SHA1:0BFFB9ED366853E7019452644D26E8E8F236241B
                                                    SHA-256:FE760614903E6D46A1BE508DCCB65CF6929D792A1DB2C365FC937F2A8A240504
                                                    SHA-512:6FA9FF0E45F803FAF3EB9908E810A492F6F971CB96D58C06F408980AB40CBA138B52D853AA0E3C68474053690DFAFA1817F4B4C8FB728D613696B6C516FA0F51
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                    Reputation:moderate, very likely benign file
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):24328
                                                    Entropy (8bit):6.867867660778997
                                                    Encrypted:false
                                                    SSDEEP:384:/ZpFVhHW1hWxgYBm0GftpBjMm3SNlndaYhpn3p:boEVi6DBp
                                                    MD5:D5166AB3034F0E1AA679BFA1907E5844
                                                    SHA1:851DD640CB34177C43B5F47B218A686C09FA6B4C
                                                    SHA-256:7BCAB4CA00FB1F85FEA29DD3375F709317B984A6F3B9BA12B8CF1952F97BEEE5
                                                    SHA-512:8F2D7442191DE22457C1B8402FAAD594AF2FE0C38280AAAFC876C797CA79F7F4B6860E557E37C3DBE084FE7262A85C358E3EEAF91E16855A91B7535CB0AC832E
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                    Reputation:moderate, very likely benign file
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):569
                                                    Entropy (8bit):7.482468865601557
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7QkFqDaHfvZFpa7O/oH5kGxVI7F2bk7jv0E1YpA0sVrgY:x8qeH7MQ+px2qqj5Y60mr7
                                                    MD5:B0C0FEE6A573A2776A013307457B6556
                                                    SHA1:95157DA2FAD0902832E25CBEBE3EE4E58C265346
                                                    SHA-256:1A41F703735FD48EE79E423993B2C6695E326269F7A61304DFF4796F59977FF2
                                                    SHA-512:28CDDB1071E69145AC1845EC573618EC6268FDEF795B0F3638EB1DEC834C8FE0FC65517D9ED784F81F67535F25333FC986BD9C9B3AAB73BCE4C42837C81E168C
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):16024
                                                    Entropy (8bit):6.768484247043723
                                                    Encrypted:false
                                                    SSDEEP:384:EVgGf2BiWOsWql//uPHRN7/2WF//dJR9ztBcvM:EVgGL4lXM/2WF//dj9zUvM
                                                    MD5:1FED3E9E68967F0903F43CF955EC8EAE
                                                    SHA1:DA9D98424E2BB2AE625E9EBEBD90AD4B7F007CA4
                                                    SHA-256:B861237F55766E286E7008AC4B1E5CE88E88FDF7741EF9C6B00540E1765390F3
                                                    SHA-512:F030383C4D933EC13EE1E892654AEEFD5C722BE25461472639DF49FA0E165AC470BFB901A0A062CA145A6B693C607E279CDBA2A144E62A5B9D2FD6E999943364
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):639
                                                    Entropy (8bit):7.594477595602655
                                                    Encrypted:false
                                                    SSDEEP:12:6v/7xXsWeAITRagJSezSlTm4IpuXLJNux3NdHbvHR+d0FKHrHPnwF4LWbf7H:wINVSo4gud4NxbvxI0erv04Lcf7H
                                                    MD5:B8367F3483C54EFE19D1426A98402829
                                                    SHA1:F9E9A067BFE5F2A3A4AE1C93D519B8B8792719C9
                                                    SHA-256:0791574192B5767D904619B1F6BB30B3A5101FBD51F8C259C2CFFF078C7ECECD
                                                    SHA-512:A4C0E3D1CAA4A828B9160D4936F5E11E42AFE00A9A611A0814884BBA9E18A691D16B142F5A23E2AEE11708C72AADAAB78F19733E1E541BD19E64437AC6E43AED
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:SVG Scalable Vector Graphics image
                                                    Category:dropped
                                                    Size (bytes):2059
                                                    Entropy (8bit):5.063551723274034
                                                    Encrypted:false
                                                    SSDEEP:24:t4CpYL7IyKbRAecFxMGMaMlF6Yi36fRMTXoUfQBjWIu4IZ715ByKbRAecFxMGMM:fNtAecFJM/FiqfQpQipvBNtAecFJMM
                                                    MD5:5447BF4EF18181AA69BEC4978E312549
                                                    SHA1:4843AA2388FE80EE474F399061C6FDBB547BC2BA
                                                    SHA-256:EC1CDEAD87BAD12FACA206F03D6748ED11F3A50FF32E8AD341BD44A3A44D6075
                                                    SHA-512:611A25E6FE93CFA74DF01200914D730BB608B6EB05BDB8E77F13416800B45468D4067C8516C734B8C602EF4EFEF4B90D045B7456AA2BAF243526C8145BBA3D4D
                                                    Malicious:false
                                                    Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g fill="#474747"><path d="M3 1C1 1 1 3 1 3h11v11H1s0 2 2 2h9s.459.014.947-.23C13.436 15.524 14 14.832 14 14V3c0-.833-.564-1.525-1.053-1.77C12.46.986 12 1 12 1z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;shape-padding:0;isolation:auto;mix-blend-mode:normal" color="#000" font-weight="400" font-family="sans-serif" overflow="visible" fill-rule="evenodd"/><path d="M.5 4h2a.499.499 0 110 1h-2a.499.499 0 110-1zm0 2h2a.499.499 0 110 1h-2a.499.499 0 110-1zm0 2h2a.499.499 0 110 1h-2a.499.499 0 110-1zm0 2h2a.499.499 0 110 1h-2a.499.499 0 110-1zm0 2h2a.499.499 0 110 1h-2a.499.499 0 110-1z"/><path d="M7.285 5.004A3.506 3.506 0 004
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:HTML document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1245
                                                    Entropy (8bit):5.462849750105637
                                                    Encrypted:false
                                                    SSDEEP:24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
                                                    MD5:5343C1A8B203C162A3BF3870D9F50FD4
                                                    SHA1:04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
                                                    SHA-256:DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
                                                    SHA-512:E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
                                                    Malicious:false
                                                    Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):200
                                                    Entropy (8bit):6.353867134664978
                                                    Encrypted:false
                                                    SSDEEP:6:6v/lhPys1AhcwQnKFxLsaV0MSFw6YB1L5jp:6v/7RgFKBE1L5N
                                                    MD5:B1E1142D7EF33AD94E80A7394C036540
                                                    SHA1:D05408C3B4360DE12D0B7A1CCB04A27E946FD517
                                                    SHA-256:9572648AC9CA12A253EFBFB3DB0160C56CBFAAC3157779285642FAEB1D86CA94
                                                    SHA-512:18AC511A1916E99780BAB5D3CEDBCA816932D88A4230F8FFADE5C17DBF1511840033D5A05322B0AA3EE4D30A9105D2F211C84C46DDFAAA71008444669CB65A3F
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:SVG Scalable Vector Graphics image
                                                    Category:dropped
                                                    Size (bytes):963
                                                    Entropy (8bit):5.12784027591558
                                                    Encrypted:false
                                                    SSDEEP:24:t4CptM48A8A8F+yEcGZrGF19XQzyKbRAecFxMGM7:B8A8A8F+yEcGYFmNtAecFJM7
                                                    MD5:F5A69E814CB5E7713E3C624942DE1DA5
                                                    SHA1:2919A07D2792295111CF54AF23742CEE14337B10
                                                    SHA-256:06D97F580D3709C0EA0E2705425C621A17FF97CF3A449B468D2976BA0D55EFEB
                                                    SHA-512:ABC0F7671B316DC01152253639319BED058C20D4E8C56F6D23B67AF6584F39E5F3191D97FD8F135C259E5BD7FE032939528A93029D747061500DFAE14C135D55
                                                    Malicious:false
                                                    Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g fill="#474747" fill-rule="evenodd"><path d="M3 9h1v1H3zm-1 1h1v1H2zm1 1h1v1H3zm-1 1h1v1H2zm1 1h1v1H3zm-1 1h1v1H2zm2 0h1v1H4zm2 0h1v1H6zm2 0h1v1H8zm2 0h1v1h-1zm-7 1h1v1H3zm2 0h1v1H5zm2 0h1v1H7zm2 0h1v1H9zm2 0h1v1h-1zm1-1h1v1h-1z" style="marker:none" color="#000" overflow="visible"/><path d="M3 1a1 1 0 00-1 1v7h2V3h5.086L12 5.914V14h2V5.5a1 1 0 00-.293-.707l-3.5-3.5A1 1 0 009.5 1z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;shape-padding:0;isolation:auto;mix-blend-mode:normal" color="#000" font-weight="400" font-family="sans-serif" overflow="visible"/><path d="M9 2v4h4z"/></g></svg>
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:SVG Scalable Vector Graphics image
                                                    Category:dropped
                                                    Size (bytes):295
                                                    Entropy (8bit):4.922153835627764
                                                    Encrypted:false
                                                    SSDEEP:6:tI9mc4slzcWER4W6UmUuksJtjdU0tytlN8uFWOXM2KchvXa7BGl0/:t4CDqW6zUmjW0ktl+sd1a7BM0/
                                                    MD5:611C311204F39AB0E7F3CC8A0264246A
                                                    SHA1:9E4A3BEA0DE6D11491E5AA69A61E1FF051D79DED
                                                    SHA-256:1E6C4120B833698852CF451D0B5F8FCA83CD5591EA73EBC3C918547B67FBEB34
                                                    SHA-512:919628653C7441CC4F82C7177D5A6EBBB86686A4E15435A21201B1D77B325808435323FA9FF906E6DB4D612ACEB1C00AC89B0571181D1F521636943EFE25EEF0
                                                    Malicious:false
                                                    Preview:<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 4c-.5 0-1 .5-1 1v4c0 .5.5 1 1 1h1V8h10v2h1c.5 0 1-.5 1-1V5c0-.5-.5-1-1-1zm2-3v2h8V1z" fill="#2e3436"/><path class="success" d="M4 9v5h8V9zm2.99.998l2.03.011-.01 1 2.003-.01L8.03 13 5 11l2.002.011z" fill="#33d17a"/></svg>
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):254
                                                    Entropy (8bit):6.643831924508014
                                                    Encrypted:false
                                                    SSDEEP:6:6v/lhPysJ/dh3z6yXtAMoWACcF/byM2TnmLzU/Jqj84up:6v/7p/dh7tfbAC0uM2ygR94c
                                                    MD5:0DFD6D9ADF93297702595FA9A5D9A7AF
                                                    SHA1:23A4AAE7E34232870AACF6B48B24377EA16519C6
                                                    SHA-256:8CB87F7A9BFFD886E5931B865AB5731DF7CDD7D2768DA05808FE2D40027ED9C1
                                                    SHA-512:880643F4BFD6F660B272EE93D38EE2513F26197053E41DF4AFE3FEC77FDBC0A087B295256451A1FB83ABAC594E6A0A585C2619D3DD400AF1DB49035E23FE555F
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):398
                                                    Entropy (8bit):4.737590272626814
                                                    Encrypted:false
                                                    SSDEEP:6:SIMYmm7jVYNEiJuXLIM/Cnjkq5cKYAbSJ94r1WR0rD1pulzV+ML6JyMx:SI0m7pYNEiJuXLIM6hcKc6curfQzxOf
                                                    MD5:D96836E1DD4D151DA0687D7251B528DB
                                                    SHA1:CCF444F32EDE194FCDE18BB32EBFCCF921E7CB30
                                                    SHA-256:C013CFD743455DFFDBB614EA966EEC32977D7CBF096DD4A95081E7A650E8E6B9
                                                    SHA-512:2442D9289CD7E741FF74DD99BEF39EBA7562B94DC153C3C4C4F7642455FFB0879330BC0C59B888F39A352C1C58418995F8AA319FB3BBA110B57FF7EE0A8751EF
                                                    Malicious:false
                                                    Preview:[Languages]..1028 = TChinese..3076 = TChinese..5124 = TChinese..2052 = SChinese..4100 = SChinese..30724 = SChinese..1034 = Spanish..3082 = Spanish..1046 = Portuguese..2070 = Portuguese..1043 = Dutch..1031 = German..1033 = English..1036 = French..1040 = Italian..1041 = Japanese..1049 = Russian..1055 = Turkish..1042 = Korean..1029 = Czech..1035 = Finnish..1044 = Norwegian..1053 = Swedish
                                                    Process:C:\Users\user\Desktop\Royalistic.exe
                                                    File Type:HTML document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1245
                                                    Entropy (8bit):5.462849750105637
                                                    Encrypted:false
                                                    SSDEEP:24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
                                                    MD5:5343C1A8B203C162A3BF3870D9F50FD4
                                                    SHA1:04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
                                                    SHA-256:DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
                                                    SHA-512:E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
                                                    Malicious:false
                                                    Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                    Entropy (8bit):7.493705345043699
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:Royalistic.exe
                                                    File size:385376
                                                    MD5:d14335f61c99a9b8a2d5e87cdf83cdd0
                                                    SHA1:f82f3481619be8f9f11d76638db3107b1d332912
                                                    SHA256:08cabec4d0127fb3e6530b04448cb3539c2b8f28988e60499c2dbbfe475206df
                                                    SHA512:9d94b9bc836b9bb292b4e2b0ef83f1632fceb712bf60bdb3127ffaca3b4c2dcbe4aeb3f5ad3c712a47111d81c650b1a44a55e0e26f0f3f83e6727f8556d11ea2
                                                    SSDEEP:6144:hGemq9vVMEHIx0Sc149PSjEeUlbojewwn1QuMQylhWsqfXatqMFJZV2H4ktcA8a:hmK9MNx0Sc149KAeyyeZ1QiyeVX8zHYX
                                                    TLSH:E384F121F128BCCAD60358F01DBDA61051E5DFED80D5450D6ABA328994F239778AFF2E
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................f....... ...3............@
                                                    Icon Hash:0355ccaeb2fe5500
                                                    Entrypoint:0x4033b3
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x614F9D8B [Sat Sep 25 22:07:07 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:5f0c714c36e6cc016b3a1f4bc86559e4
                                                    Signature Valid:false
                                                    Signature Issuer:E=squeaked@Dipsas.Ge, OU="Skumringstimes subhalid Cocitizen ", O=Alveolariform, L=Saint-Georges-de-Luzen\xe7on, S=Occitanie, C=FR
                                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                    Error Number:-2146762487
                                                    Not Before, Not After
                                                    • 8/13/2022 8:32:24 AM 8/12/2025 8:32:24 AM
                                                    Subject Chain
                                                    • E=squeaked@Dipsas.Ge, OU="Skumringstimes subhalid Cocitizen ", O=Alveolariform, L=Saint-Georges-de-Luzen\xe7on, S=Occitanie, C=FR
                                                    Version:3
                                                    Thumbprint MD5:7AB231DCE5C6FFAD69D73B26E510B330
                                                    Thumbprint SHA-1:78B2E08127E635C646392C64AE8048CE0274B9EB
                                                    Thumbprint SHA-256:D5FDEC97888AB854DBF29C2F3CDDD20DE4CEEBF3C0264DBC1620ACC59A819E35
                                                    Serial:6A4A99A1737DDB2714130F7ACA2C5BCFD03D4200
                                                    Instruction
                                                    push ebp
                                                    mov ebp, esp
                                                    sub esp, 00000220h
                                                    push esi
                                                    push edi
                                                    xor edi, edi
                                                    push 00008001h
                                                    mov dword ptr [ebp-10h], edi
                                                    mov dword ptr [ebp-04h], 0040A198h
                                                    mov dword ptr [ebp-08h], edi
                                                    mov byte ptr [ebp-0Ch], 00000020h
                                                    call dword ptr [004080B8h]
                                                    mov esi, dword ptr [004080BCh]
                                                    lea eax, dword ptr [ebp-000000C0h]
                                                    push eax
                                                    mov dword ptr [ebp-000000ACh], edi
                                                    mov dword ptr [ebp-2Ch], edi
                                                    mov dword ptr [ebp-28h], edi
                                                    mov dword ptr [ebp-000000C0h], 0000009Ch
                                                    call esi
                                                    test eax, eax
                                                    jne 00007FEA38B584B1h
                                                    lea eax, dword ptr [ebp-000000C0h]
                                                    mov dword ptr [ebp-000000C0h], 00000094h
                                                    push eax
                                                    call esi
                                                    cmp dword ptr [ebp-000000B0h], 02h
                                                    jne 00007FEA38B5849Ch
                                                    movsx cx, byte ptr [ebp-0000009Fh]
                                                    mov al, byte ptr [ebp-000000ACh]
                                                    sub ecx, 30h
                                                    sub al, 53h
                                                    mov byte ptr [ebp-26h], 00000004h
                                                    neg al
                                                    sbb eax, eax
                                                    not eax
                                                    and eax, ecx
                                                    mov word ptr [ebp-2Ch], ax
                                                    cmp dword ptr [ebp-000000B0h], 02h
                                                    jnc 00007FEA38B58494h
                                                    and byte ptr [ebp-26h], 00000000h
                                                    cmp byte ptr [ebp-000000ABh], 00000041h
                                                    jl 00007FEA38B58483h
                                                    movsx ax, byte ptr [ebp-000000ABh]
                                                    sub eax, 40h
                                                    mov word ptr [ebp-2Ch], ax
                                                    jmp 00007FEA38B58476h
                                                    mov word ptr [ebp-2Ch], di
                                                    cmp dword ptr [ebp-000000BCh], 0Ah
                                                    jnc 00007FEA38B5847Ah
                                                    and word ptr [ebp+00000000h], 0000h
                                                    Programming Language:
                                                    • [EXP] VC++ 6.0 SP5 build 8804
                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcf000 | 0x14bf8 | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5d730 | 0xa30 | .ndata
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x1000 | 0x65ba | 0x6600 | False | 0.6783088235294118 | data | 6.475278602230841 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rdata | 0x8000 | 0x1382 | 0x1400 | False | 0.4626953125 | data | 5.262676635269928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .data | 0xa000 | 0x48538 | 0x600 | False | 0.4615885416666667 | data | 4.125526322488032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .ndata | 0x53000 | 0x7c000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .rsrc | 0xcf000 | 0x14bf8 | 0x14c00 | False | 0.16929828689759036 | data | 4.457664961464067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    Name | RVA | Size | Type | Language | Country
                                                    RT_ICON | 0xcf250 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States
                                                    RT_ICON | 0xdfa78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States
                                                    RT_ICON | 0xe2020 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States
                                                    RT_ICON | 0xe30c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States
                                                    RT_DIALOG | 0xe3530 | 0x100 | data | English | United States
                                                    RT_DIALOG | 0xe3630 | 0x11c | data | English | United States
                                                    RT_DIALOG | 0xe3750 | 0xc4 | data | English | United States
                                                    RT_DIALOG | 0xe3818 | 0x60 | data | English | United States
                                                    RT_GROUP_ICON | 0xe3878 | 0x3e | data | English | United States
                                                    RT_MANIFEST | 0xe38b8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
                                                    DLL | Import
                                                    ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                    SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                    ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                    COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                    USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                    GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                    KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersionExA, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
                                                    Language of compilation system | Country where language is spoken
                                                    English | United States
                                                    Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.


                                                    Target ID:0
                                                    Start time:10:38:05
                                                    Start date:17/03/2023
                                                    Path:C:\Users\user\Desktop\Royalistic.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\Royalistic.exe
                                                    Imagebase:0x400000
                                                    File size:385376 bytes
                                                    MD5 hash:D14335F61C99A9B8A2D5E87CDF83CDD0
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.834425818.0000000000677000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.834648652.0000000004EF6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low


                                                      Execution Graph

                                                      Execution Coverage:19.6%
                                                      Dynamic/Decrypted Code Coverage:13.6%
                                                      Signature Coverage:16.1%
                                                      Total number of Nodes:1541
                                                      Total number of Limit Nodes:46
API calls 5366->5367 5368 402613 5367->5368 5371 405dea GetFileAttributesA CreateFileA 5368->5371 5370 40261f 5371->5370 5372 401490 5373 405378 24 API calls 5372->5373 5374 401497 5373->5374 5375 402590 5385 402c79 5375->5385 5378 402c17 17 API calls 5379 4025a3 5378->5379 5380 4025ca RegEnumValueA 5379->5380 5381 4025be RegEnumKeyA 5379->5381 5383 4027c8 5379->5383 5382 4025df RegCloseKey 5380->5382 5381->5382 5382->5383 5386 402c39 17 API calls 5385->5386 5387 402c90 5386->5387 5388 4060dd RegOpenKeyExA 5387->5388 5389 40259a 5388->5389 5389->5378 4800 40159d 4801 402c39 17 API calls 4800->4801 4802 4015a4 SetFileAttributesA 4801->4802 4803 4015b6 4802->4803 5390 40149d 5391 4014ab PostQuitMessage 5390->5391 5392 40238f 5390->5392 5391->5392 4804 401a1e 4805 402c39 17 API calls 4804->4805 4806 401a27 ExpandEnvironmentStringsA 4805->4806 4807 401a3b 4806->4807 4808 401a4e 4806->4808 4807->4808 4809 401a40 lstrcmpA 4807->4809 4809->4808 5398 40251e 5399 402c79 17 API calls 5398->5399 5400 402528 5399->5400 5401 402c39 17 API calls 5400->5401 5402 402531 5401->5402 5403 40253b RegQueryValueExA 5402->5403 5408 4027c8 5402->5408 5404 402561 RegCloseKey 5403->5404 5405 40255b 5403->5405 5404->5408 5405->5404 5409 4061b5 wsprintfA 5405->5409 5409->5404 5410 40471f 5411 404755 5410->5411 5412 40472f 5410->5412 5414 40433b 8 API calls 5411->5414 5413 4042d4 18 API calls 5412->5413 5415 40473c SetDlgItemTextA 5413->5415 5416 404761 5414->5416 5415->5411 5417 40171f 5418 402c39 17 API calls 5417->5418 5419 401726 SearchPathA 5418->5419 5420 401741 5419->5420 5421 401d1f 5422 402c17 17 API calls 5421->5422 5423 401d26 5422->5423 5424 402c17 17 API calls 5423->5424 5425 401d32 GetDlgItem 5424->5425 5426 402628 5425->5426 5427 402aa0 SendMessageA 5428 402ac5 5427->5428 5429 402aba InvalidateRect 5427->5429 5429->5428 3859 4023a4 3860 4023b2 3859->3860 3861 4023ac 3859->3861 3863 402c39 17 API calls 3860->3863 3864 4023c2 3860->3864 3862 402c39 17 API calls 3861->3862 
3862->3860 3863->3864 3865 402c39 17 API calls 3864->3865 3867 4023d0 3864->3867 3865->3867 3869 402c39 3867->3869 3870 402c45 3869->3870 3875 4062ea 3870->3875 3873 4023d9 WritePrivateProfileStringA 3890 4062f7 3875->3890 3876 40651c 3877 402c66 3876->3877 3908 406257 lstrcpynA 3876->3908 3877->3873 3892 406535 3877->3892 3879 4064f6 lstrlenA 3879->3890 3882 4062ea 10 API calls 3882->3879 3884 406412 GetSystemDirectoryA 3884->3890 3885 406425 GetWindowsDirectoryA 3885->3890 3886 406535 5 API calls 3886->3890 3887 406459 SHGetSpecialFolderLocation 3887->3890 3891 406471 SHGetPathFromIDListA CoTaskMemFree 3887->3891 3888 4062ea 10 API calls 3888->3890 3889 40649f lstrcatA 3889->3890 3890->3876 3890->3879 3890->3882 3890->3884 3890->3885 3890->3886 3890->3887 3890->3888 3890->3889 3901 40613e 3890->3901 3906 4061b5 wsprintfA 3890->3906 3907 406257 lstrcpynA 3890->3907 3891->3890 3893 406541 3892->3893 3895 40659e CharNextA 3893->3895 3896 4065a9 3893->3896 3899 40658c CharNextA 3893->3899 3900 406599 CharNextA 3893->3900 3913 405c14 3893->3913 3894 4065ad CharPrevA 3894->3896 3895->3893 3895->3896 3896->3894 3897 4065c8 3896->3897 3897->3873 3899->3893 3900->3895 3909 4060dd 3901->3909 3904 406172 RegQueryValueExA RegCloseKey 3905 4061a1 3904->3905 3905->3890 3906->3890 3907->3890 3908->3877 3910 4060ec 3909->3910 3911 4060f0 3910->3911 3912 4060f5 RegOpenKeyExA 3910->3912 3911->3904 3911->3905 3912->3911 3914 405c1a 3913->3914 3915 405c2d 3914->3915 3916 405c20 CharNextA 3914->3916 3915->3893 3916->3914 4089 4020a5 4090 4020b7 4089->4090 4100 402165 4089->4100 4091 402c39 17 API calls 4090->4091 4092 4020be 4091->4092 4094 402c39 17 API calls 4092->4094 4093 401423 24 API calls 4098 4022ea 4093->4098 4095 4020c7 4094->4095 4096 4020dc LoadLibraryExA 4095->4096 4097 4020cf GetModuleHandleA 4095->4097 4099 4020ec GetProcAddress 4096->4099 4096->4100 4097->4096 4097->4099 4101 402138 4099->4101 4102 4020fb 4099->4102 4100->4093 4110 405378 4101->4110 4105 40210b 
4102->4105 4107 401423 4102->4107 4105->4098 4106 402159 FreeLibrary 4105->4106 4106->4098 4108 405378 24 API calls 4107->4108 4109 401431 4108->4109 4109->4105 4111 405436 4110->4111 4112 405393 4110->4112 4111->4105 4113 4053b0 lstrlenA 4112->4113 4114 4062ea 17 API calls 4112->4114 4115 4053d9 4113->4115 4116 4053be lstrlenA 4113->4116 4114->4113 4118 4053ec 4115->4118 4119 4053df SetWindowTextA 4115->4119 4116->4111 4117 4053d0 lstrcatA 4116->4117 4117->4115 4118->4111 4120 4053f2 SendMessageA SendMessageA SendMessageA 4118->4120 4119->4118 4120->4111 5430 402e25 5431 402e34 SetTimer 5430->5431 5432 402e4d 5430->5432 5431->5432 5433 402ea2 5432->5433 5434 402e67 MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 5432->5434 5434->5433 5435 73432b24 5436 73432b76 5435->5436 5437 73432b80 GetLastError 5436->5437 5438 73432b8b 5436->5438 5437->5438 5439 73431a24 5440 73431504 GlobalFree 5439->5440 5442 73431a3c 5440->5442 5441 73431a7e GlobalFree 5442->5441 5443 73431a5a 5442->5443 5444 73431a6a VirtualFree 5442->5444 5443->5441 5444->5441 5445 73431c2b 5446 73431c52 5445->5446 5447 73431c8f GlobalFree 5446->5447 5448 73431cad __alldvrm 5446->5448 5447->5448 5449 7343157e 2 API calls 5448->5449 5450 73431d41 GlobalFree GlobalFree 5449->5450 5451 402429 5452 402430 5451->5452 5453 40245b 5451->5453 5454 402c79 17 API calls 5452->5454 5455 402c39 17 API calls 5453->5455 5456 402437 5454->5456 5457 402462 5455->5457 5459 402c39 17 API calls 5456->5459 5461 40246f 5456->5461 5462 402cf7 5457->5462 5460 402448 RegDeleteValueA RegCloseKey 5459->5460 5460->5461 5463 402d0a 5462->5463 5465 402d03 5462->5465 5463->5465 5466 402d3b 5463->5466 5465->5461 5467 4060dd RegOpenKeyExA 5466->5467 5468 402d69 5467->5468 5469 402d79 RegEnumValueA 5468->5469 5476 402e13 5468->5476 5478 402d9c 5468->5478 5470 402e03 RegCloseKey 5469->5470 5469->5478 5470->5476 5471 402dd8 RegEnumKeyA 5472 402de1 RegCloseKey 5471->5472 5471->5478 5473 406663 5 API calls 5472->5473 5475 402df1 5473->5475 
5474 402d3b 6 API calls 5474->5478 5475->5476 5477 402df5 RegDeleteKeyA 5475->5477 5476->5465 5477->5476 5478->5470 5478->5471 5478->5472 5478->5474 5479 4027aa 5480 402c39 17 API calls 5479->5480 5481 4027b1 FindFirstFileA 5480->5481 5482 4027d4 5481->5482 5485 4027c4 5481->5485 5483 4027db 5482->5483 5487 4061b5 wsprintfA 5482->5487 5488 406257 lstrcpynA 5483->5488 5487->5483 5488->5485 5489 401c2e 5490 402c17 17 API calls 5489->5490 5491 401c35 5490->5491 5492 402c17 17 API calls 5491->5492 5493 401c42 5492->5493 5494 401c57 5493->5494 5495 402c39 17 API calls 5493->5495 5496 401c67 5494->5496 5497 402c39 17 API calls 5494->5497 5495->5494 5498 401c72 5496->5498 5499 401cbe 5496->5499 5497->5496 5501 402c17 17 API calls 5498->5501 5500 402c39 17 API calls 5499->5500 5502 401cc3 5500->5502 5503 401c77 5501->5503 5504 402c39 17 API calls 5502->5504 5505 402c17 17 API calls 5503->5505 5506 401ccc FindWindowExA 5504->5506 5507 401c83 5505->5507 5510 401cea 5506->5510 5508 401c90 SendMessageTimeoutA 5507->5508 5509 401cae SendMessageA 5507->5509 5508->5510 5509->5510 5511 40262e 5512 402633 5511->5512 5513 402647 5511->5513 5514 402c17 17 API calls 5512->5514 5515 402c39 17 API calls 5513->5515 5517 40263c 5514->5517 5516 40264e lstrlenA 5515->5516 5516->5517 5518 405e91 WriteFile 5517->5518 5519 402670 5517->5519 5518->5519 4158 401932 4159 401934 4158->4159 4160 402c39 17 API calls 4159->4160 4161 401939 4160->4161 4164 405a19 4161->4164 4205 405cd7 4164->4205 4167 405a41 DeleteFileA 4169 401942 4167->4169 4168 405a58 4170 405b90 4168->4170 4219 406257 lstrcpynA 4168->4219 4170->4169 4237 4065ce FindFirstFileA 4170->4237 4172 405a7e 4173 405a91 4172->4173 4174 405a84 lstrcatA 4172->4174 4220 405c30 lstrlenA 4173->4220 4176 405a97 4174->4176 4179 405aa5 lstrcatA 4176->4179 4180 405a9c 4176->4180 4182 405ab0 lstrlenA FindFirstFileA 4179->4182 4180->4179 4180->4182 4181 405bae 4240 405be9 lstrlenA CharPrevA 4181->4240 4184 405b86 4182->4184 4203 405ad4 4182->4203 
4184->4170 4186 405c14 CharNextA 4186->4203 4187 4059d1 5 API calls 4188 405bc0 4187->4188 4189 405bda 4188->4189 4193 405bc4 4188->4193 4190 405378 24 API calls 4189->4190 4190->4169 4191 405b65 FindNextFileA 4194 405b7d FindClose 4191->4194 4191->4203 4193->4169 4195 405378 24 API calls 4193->4195 4194->4184 4196 405bd1 4195->4196 4197 406030 36 API calls 4196->4197 4200 405bd8 4197->4200 4199 405a19 60 API calls 4199->4203 4200->4169 4201 405378 24 API calls 4201->4191 4202 405378 24 API calls 4202->4203 4203->4186 4203->4191 4203->4199 4203->4201 4203->4202 4224 406257 lstrcpynA 4203->4224 4225 4059d1 4203->4225 4233 406030 MoveFileExA 4203->4233 4243 406257 lstrcpynA 4205->4243 4207 405ce8 4244 405c82 CharNextA CharNextA 4207->4244 4210 405a39 4210->4167 4210->4168 4211 406535 5 API calls 4217 405cfe 4211->4217 4212 405d29 lstrlenA 4213 405d34 4212->4213 4212->4217 4214 405be9 3 API calls 4213->4214 4216 405d39 GetFileAttributesA 4214->4216 4215 4065ce 2 API calls 4215->4217 4216->4210 4217->4210 4217->4212 4217->4215 4218 405c30 2 API calls 4217->4218 4218->4212 4219->4172 4221 405c3d 4220->4221 4222 405c42 CharPrevA 4221->4222 4223 405c4e 4221->4223 4222->4221 4222->4223 4223->4176 4224->4203 4250 405dc5 GetFileAttributesA 4225->4250 4228 4059f4 DeleteFileA 4230 4059fa 4228->4230 4229 4059ec RemoveDirectoryA 4229->4230 4231 4059fe 4230->4231 4232 405a0a SetFileAttributesA 4230->4232 4231->4203 4232->4231 4234 406044 4233->4234 4236 406051 4233->4236 4253 405ec0 4234->4253 4236->4203 4238 4065e4 FindClose 4237->4238 4239 405baa 4237->4239 4238->4239 4239->4169 4239->4181 4241 405c03 lstrcatA 4240->4241 4242 405bb4 4240->4242 4241->4242 4242->4187 4243->4207 4245 405cad 4244->4245 4246 405c9d 4244->4246 4248 405c14 CharNextA 4245->4248 4249 405ccd 4245->4249 4246->4245 4247 405ca8 CharNextA 4246->4247 4247->4249 4248->4245 4249->4210 4249->4211 4251 4059dd 4250->4251 4252 405dd7 SetFileAttributesA 4250->4252 4251->4228 4251->4229 4251->4231 4252->4251 4254 
405ee6 4253->4254 4255 405f0c GetShortPathNameA 4253->4255 4280 405dea GetFileAttributesA CreateFileA 4254->4280 4257 405f21 4255->4257 4258 40602b 4255->4258 4257->4258 4260 405f29 wsprintfA 4257->4260 4258->4236 4259 405ef0 CloseHandle GetShortPathNameA 4259->4258 4261 405f04 4259->4261 4262 4062ea 17 API calls 4260->4262 4261->4255 4261->4258 4263 405f51 4262->4263 4281 405dea GetFileAttributesA CreateFileA 4263->4281 4265 405f5e 4265->4258 4266 405f6d GetFileSize GlobalAlloc 4265->4266 4267 406024 CloseHandle 4266->4267 4268 405f8f 4266->4268 4267->4258 4282 405e62 ReadFile 4268->4282 4273 405fc2 4275 405d4f 4 API calls 4273->4275 4274 405fae lstrcpyA 4276 405fd0 4274->4276 4275->4276 4277 406007 SetFilePointer 4276->4277 4289 405e91 WriteFile 4277->4289 4280->4259 4281->4265 4283 405e80 4282->4283 4283->4267 4284 405d4f lstrlenA 4283->4284 4285 405d90 lstrlenA 4284->4285 4286 405d98 4285->4286 4287 405d69 lstrcmpiA 4285->4287 4286->4273 4286->4274 4287->4286 4288 405d87 CharNextA 4287->4288 4288->4285 4290 405eaf GlobalFree 4289->4290 4290->4267 4291 4033b3 SetErrorMode GetVersionExA 4292 403405 GetVersionExA 4291->4292 4294 403444 4291->4294 4293 403421 4292->4293 4292->4294 4293->4294 4295 4034c8 4294->4295 4296 406663 5 API calls 4294->4296 4383 4065f5 GetSystemDirectoryA 4295->4383 4296->4295 4298 4034de lstrlenA 4298->4295 4299 4034ee 4298->4299 4386 406663 GetModuleHandleA 4299->4386 4302 406663 5 API calls 4303 4034fc 4302->4303 4304 406663 5 API calls 4303->4304 4305 403508 #17 OleInitialize SHGetFileInfoA 4304->4305 4392 406257 lstrcpynA 4305->4392 4308 403556 GetCommandLineA 4393 406257 lstrcpynA 4308->4393 4310 403568 4311 405c14 CharNextA 4310->4311 4312 40358f CharNextA 4311->4312 4320 40359e 4312->4320 4313 403664 4314 403678 GetTempPathA 4313->4314 4394 403382 4314->4394 4316 403690 4317 403694 GetWindowsDirectoryA lstrcatA 4316->4317 4318 4036ea DeleteFileA 4316->4318 4321 403382 12 API calls 4317->4321 4404 402f0c GetTickCount 
GetModuleFileNameA 4318->4404 4319 405c14 CharNextA 4319->4320 4320->4313 4320->4319 4324 403666 4320->4324 4323 4036b0 4321->4323 4323->4318 4326 4036b4 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 4323->4326 4488 406257 lstrcpynA 4324->4488 4328 403382 12 API calls 4326->4328 4332 4036e2 4328->4332 4329 4036fd 4330 403782 4329->4330 4334 405c14 CharNextA 4329->4334 4338 403792 4329->4338 4432 403a3d 4330->4432 4332->4318 4332->4338 4335 403717 4334->4335 4343 4037c1 4335->4343 4344 40375c 4335->4344 4336 4037ac 4339 40596d MessageBoxIndirectA 4336->4339 4337 4038cf 4340 4038d7 GetCurrentProcess OpenProcessToken 4337->4340 4341 40394d ExitProcess 4337->4341 4491 403963 4338->4491 4345 4037b9 ExitProcess 4339->4345 4346 40391d 4340->4346 4347 4038ee LookupPrivilegeValueA AdjustTokenPrivileges 4340->4347 4498 4058d8 4343->4498 4348 405cd7 18 API calls 4344->4348 4350 406663 5 API calls 4346->4350 4347->4346 4351 403768 4348->4351 4353 403924 4350->4353 4351->4338 4489 406257 lstrcpynA 4351->4489 4356 403939 ExitWindowsEx 4353->4356 4357 403946 4353->4357 4354 4037e2 lstrcatA lstrcmpiA 4354->4338 4359 4037fe 4354->4359 4355 4037d7 lstrcatA 4355->4354 4356->4341 4356->4357 4514 40140b 4357->4514 4362 403803 4359->4362 4363 40380a 4359->4363 4361 403777 4490 406257 lstrcpynA 4361->4490 4501 40583e CreateDirectoryA 4362->4501 4506 4058bb CreateDirectoryA 4363->4506 4367 40380f SetCurrentDirectoryA 4369 40382a 4367->4369 4370 40381f 4367->4370 4510 406257 lstrcpynA 4369->4510 4509 406257 lstrcpynA 4370->4509 4373 4062ea 17 API calls 4374 40386c DeleteFileA 4373->4374 4375 40387a CopyFileA 4374->4375 4380 403837 4374->4380 4375->4380 4376 4038c3 4377 406030 36 API calls 4376->4377 4377->4338 4378 406030 36 API calls 4378->4380 4379 4062ea 17 API calls 4379->4380 4380->4373 4380->4376 4380->4378 4380->4379 4382 4038ae CloseHandle 4380->4382 4511 4058f0 CreateProcessA 4380->4511 4382->4380 4384 406617 wsprintfA LoadLibraryExA 4383->4384 4384->4298 
4387 406689 GetProcAddress 4386->4387 4388 40667f 4386->4388 4390 4034f5 4387->4390 4389 4065f5 3 API calls 4388->4389 4391 406685 4389->4391 4390->4302 4391->4387 4391->4390 4392->4308 4393->4310 4395 406535 5 API calls 4394->4395 4397 40338e 4395->4397 4396 403398 4396->4316 4397->4396 4398 405be9 3 API calls 4397->4398 4399 4033a0 4398->4399 4400 4058bb 2 API calls 4399->4400 4401 4033a6 4400->4401 4402 405e19 2 API calls 4401->4402 4403 4033b1 4402->4403 4403->4316 4517 405dea GetFileAttributesA CreateFileA 4404->4517 4406 402f4c 4407 402f5c 4406->4407 4518 406257 lstrcpynA 4406->4518 4407->4329 4409 402f72 4410 405c30 2 API calls 4409->4410 4411 402f78 4410->4411 4519 406257 lstrcpynA 4411->4519 4413 402f83 GetFileSize 4414 402f9a 4413->4414 4429 40307d 4413->4429 4414->4407 4420 4030e9 4414->4420 4428 402ea8 6 API calls 4414->4428 4414->4429 4552 403355 4414->4552 4416 403086 4416->4407 4418 4030b6 GlobalAlloc 4416->4418 4555 40336b SetFilePointer 4416->4555 4531 40336b SetFilePointer 4418->4531 4424 402ea8 6 API calls 4420->4424 4422 40309f 4425 403355 ReadFile 4422->4425 4423 4030d1 4532 403143 4423->4532 4424->4407 4427 4030aa 4425->4427 4427->4407 4427->4418 4428->4414 4520 402ea8 4429->4520 4430 4030dd 4430->4407 4430->4430 4431 40311a SetFilePointer 4430->4431 4431->4407 4433 406663 5 API calls 4432->4433 4434 403a51 4433->4434 4435 403a57 GetUserDefaultUILanguage 4434->4435 4436 403a69 4434->4436 4561 4061b5 wsprintfA 4435->4561 4438 40613e 3 API calls 4436->4438 4440 403a94 4438->4440 4439 403a67 4562 403d02 4439->4562 4441 403ab2 lstrcatA 4440->4441 4442 40613e 3 API calls 4440->4442 4441->4439 4442->4441 4445 405cd7 18 API calls 4446 403ae4 4445->4446 4447 403b6d 4446->4447 4449 40613e 3 API calls 4446->4449 4448 405cd7 18 API calls 4447->4448 4450 403b73 4448->4450 4451 403b10 4449->4451 4452 403b83 LoadImageA 4450->4452 4453 4062ea 17 API calls 4450->4453 4451->4447 4459 403b2c lstrlenA 4451->4459 4463 405c14 CharNextA 4451->4463 4454 403c29 
4452->4454 4455 403baa RegisterClassA 4452->4455 4453->4452 4458 40140b 2 API calls 4454->4458 4456 403be0 SystemParametersInfoA CreateWindowExA 4455->4456 4457 403c33 4455->4457 4456->4454 4457->4338 4462 403c2f 4458->4462 4460 403b60 4459->4460 4461 403b3a lstrcmpiA 4459->4461 4465 405be9 3 API calls 4460->4465 4461->4460 4464 403b4a GetFileAttributesA 4461->4464 4462->4457 4468 403d02 18 API calls 4462->4468 4466 403b2a 4463->4466 4467 403b56 4464->4467 4469 403b66 4465->4469 4466->4459 4467->4460 4470 405c30 2 API calls 4467->4470 4471 403c40 4468->4471 4577 406257 lstrcpynA 4469->4577 4470->4460 4473 403c4c ShowWindow 4471->4473 4474 403ccf 4471->4474 4476 4065f5 3 API calls 4473->4476 4570 40544a OleInitialize 4474->4570 4478 403c64 4476->4478 4477 403cd5 4479 403cf1 4477->4479 4480 403cd9 4477->4480 4481 403c72 GetClassInfoA 4478->4481 4483 4065f5 3 API calls 4478->4483 4482 40140b 2 API calls 4479->4482 4480->4457 4487 40140b 2 API calls 4480->4487 4484 403c86 GetClassInfoA RegisterClassA 4481->4484 4485 403c9c DialogBoxParamA 4481->4485 4482->4457 4483->4481 4484->4485 4486 40140b 2 API calls 4485->4486 4486->4457 4487->4457 4488->4314 4489->4361 4490->4330 4492 40397b 4491->4492 4493 40396d CloseHandle 4491->4493 4589 4039a8 4492->4589 4493->4492 4496 405a19 67 API calls 4497 40379a OleUninitialize 4496->4497 4497->4336 4497->4337 4499 406663 5 API calls 4498->4499 4500 4037c6 lstrcatA 4499->4500 4500->4354 4500->4355 4502 403808 4501->4502 4503 40588f GetLastError 4501->4503 4502->4367 4503->4502 4504 40589e SetFileSecurityA 4503->4504 4504->4502 4505 4058b4 GetLastError 4504->4505 4505->4502 4507 4058cb 4506->4507 4508 4058cf GetLastError 4506->4508 4507->4367 4508->4507 4509->4369 4510->4380 4512 405923 CloseHandle 4511->4512 4513 40592f 4511->4513 4512->4513 4513->4380 4515 401389 2 API calls 4514->4515 4516 401420 4515->4516 4516->4341 4517->4406 4518->4409 4519->4413 4521 402eb1 4520->4521 4522 402ec9 4520->4522 4523 402ec1 4521->4523 4524 402eba 
DestroyWindow 4521->4524 4525 402ed1 4522->4525 4526 402ed9 GetTickCount 4522->4526 4523->4416 4524->4523 4556 40669f 4525->4556 4528 402ee7 CreateDialogParamA ShowWindow 4526->4528 4529 402f0a 4526->4529 4528->4529 4529->4416 4531->4423 4533 403159 4532->4533 4534 403187 4533->4534 4560 40336b SetFilePointer 4533->4560 4536 403355 ReadFile 4534->4536 4537 403192 4536->4537 4538 4032d8 4537->4538 4539 4031a4 GetTickCount 4537->4539 4540 4032ee 4537->4540 4538->4430 4539->4538 4544 4031f3 4539->4544 4541 403330 4540->4541 4545 4032f2 4540->4545 4542 403355 ReadFile 4541->4542 4542->4538 4543 403355 ReadFile 4543->4544 4544->4538 4544->4543 4548 403249 GetTickCount 4544->4548 4549 40326e MulDiv wsprintfA 4544->4549 4551 405e91 WriteFile 4544->4551 4545->4538 4546 403355 ReadFile 4545->4546 4547 405e91 WriteFile 4545->4547 4546->4545 4547->4545 4548->4544 4550 405378 24 API calls 4549->4550 4550->4544 4551->4544 4553 405e62 ReadFile 4552->4553 4554 403368 4553->4554 4554->4414 4555->4422 4557 4066bc PeekMessageA 4556->4557 4558 4066b2 DispatchMessageA 4557->4558 4559 402ed7 4557->4559 4558->4557 4559->4416 4560->4534 4561->4439 4563 403d16 4562->4563 4578 4061b5 wsprintfA 4563->4578 4565 403d87 4579 403dbb 4565->4579 4567 403ac2 4567->4445 4568 403d8c 4568->4567 4569 4062ea 17 API calls 4568->4569 4569->4568 4582 404320 4570->4582 4572 405494 4573 404320 SendMessageA 4572->4573 4575 4054a6 OleUninitialize 4573->4575 4574 40546d 4574->4572 4585 401389 4574->4585 4575->4477 4577->4447 4578->4565 4580 4062ea 17 API calls 4579->4580 4581 403dc9 SetWindowTextA 4580->4581 4581->4568 4583 404338 4582->4583 4584 404329 SendMessageA 4582->4584 4583->4574 4584->4583 4587 401390 4585->4587 4586 4013fe 4586->4574 4587->4586 4588 4013cb MulDiv SendMessageA 4587->4588 4588->4587 4590 4039b6 4589->4590 4591 4039bb FreeLibrary GlobalFree 4590->4591 4592 403980 4590->4592 4591->4591 4591->4592 4592->4496 5520 402733 5521 402a47 5520->5521 5522 40273a 5520->5522 5523 402c17 17 API 
calls 5522->5523 5524 402741 5523->5524 5525 402750 SetFilePointer 5524->5525 5525->5521 5526 402760 5525->5526 5528 4061b5 wsprintfA 5526->5528 5528->5521 5529 401e35 GetDC 5530 402c17 17 API calls 5529->5530 5531 401e47 GetDeviceCaps MulDiv ReleaseDC 5530->5531 5532 402c17 17 API calls 5531->5532 5533 401e78 5532->5533 5534 4062ea 17 API calls 5533->5534 5535 401eb5 CreateFontIndirectA 5534->5535 5536 402628 5535->5536 4593 4054b6 4594 405661 4593->4594 4595 4054d8 GetDlgItem GetDlgItem GetDlgItem 4593->4595 4597 405691 4594->4597 4598 405669 GetDlgItem CreateThread FindCloseChangeNotification 4594->4598 4639 404309 SendMessageA 4595->4639 4600 4056bf 4597->4600 4601 4056e0 4597->4601 4602 4056a7 ShowWindow ShowWindow 4597->4602 4598->4597 4662 40544a 5 API calls 4598->4662 4599 405548 4606 40554f GetClientRect GetSystemMetrics SendMessageA SendMessageA 4599->4606 4603 4056c7 4600->4603 4604 40571a 4600->4604 4648 40433b 4601->4648 4644 404309 SendMessageA 4602->4644 4608 4056f3 ShowWindow 4603->4608 4609 4056cf 4603->4609 4604->4601 4615 405727 SendMessageA 4604->4615 4613 4055a1 SendMessageA SendMessageA 4606->4613 4614 4055bd 4606->4614 4611 405713 4608->4611 4612 405705 4608->4612 4645 4042ad 4609->4645 4610 4056ec 4618 4042ad SendMessageA 4611->4618 4617 405378 24 API calls 4612->4617 4613->4614 4619 4055d0 4614->4619 4620 4055c2 SendMessageA 4614->4620 4615->4610 4621 405740 CreatePopupMenu 4615->4621 4617->4611 4618->4604 4640 4042d4 4619->4640 4620->4619 4622 4062ea 17 API calls 4621->4622 4624 405750 AppendMenuA 4622->4624 4626 405781 TrackPopupMenu 4624->4626 4627 40576e GetWindowRect 4624->4627 4625 4055e0 4628 4055e9 ShowWindow 4625->4628 4629 40561d GetDlgItem SendMessageA 4625->4629 4626->4610 4631 40579d 4626->4631 4627->4626 4632 40560c 4628->4632 4633 4055ff ShowWindow 4628->4633 4629->4610 4630 405644 SendMessageA SendMessageA 4629->4630 4630->4610 4634 4057bc SendMessageA 4631->4634 4643 404309 SendMessageA 4632->4643 4633->4632 4634->4634 4635 
4057d9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4634->4635 4637 4057fb SendMessageA 4635->4637 4637->4637 4638 40581d GlobalUnlock SetClipboardData CloseClipboard 4637->4638 4638->4610 4639->4599 4641 4062ea 17 API calls 4640->4641 4642 4042df SetDlgItemTextA 4641->4642 4642->4625 4643->4629 4644->4600 4646 4042b4 4645->4646 4647 4042ba SendMessageA 4645->4647 4646->4647 4647->4601 4649 4043fe 4648->4649 4650 404353 GetWindowLongA 4648->4650 4649->4610 4650->4649 4651 404368 4650->4651 4651->4649 4652 404395 GetSysColor 4651->4652 4653 404398 4651->4653 4652->4653 4654 4043a8 SetBkMode 4653->4654 4655 40439e SetTextColor 4653->4655 4656 4043c0 GetSysColor 4654->4656 4657 4043c6 4654->4657 4655->4654 4656->4657 4658 4043cd SetBkColor 4657->4658 4659 4043d7 4657->4659 4658->4659 4659->4649 4660 4043f1 CreateBrushIndirect 4659->4660 4661 4043ea DeleteObject 4659->4661 4660->4649 4661->4660 5537 404ab7 5538 404ae3 5537->5538 5539 404ac7 5537->5539 5541 404b16 5538->5541 5542 404ae9 SHGetPathFromIDListA 5538->5542 5548 405951 GetDlgItemTextA 5539->5548 5544 404b00 SendMessageA 5542->5544 5545 404af9 5542->5545 5543 404ad4 SendMessageA 5543->5538 5544->5541 5547 40140b 2 API calls 5545->5547 5547->5544 5548->5543 5549 4014b7 5550 4014bd 5549->5550 5551 401389 2 API calls 5550->5551 5552 4014c5 5551->5552 5553 7343103a 5554 73431052 5553->5554 5555 734310c4 5554->5555 5556 73431080 5554->5556 5557 73431060 5554->5557 5558 73431504 GlobalFree 5556->5558 5559 73431504 GlobalFree 5557->5559 5564 73431078 5558->5564 5560 73431071 5559->5560 5562 73431504 GlobalFree 5560->5562 5561 73431090 GlobalSize 5563 73431099 5561->5563 5562->5564 5565 734310ae 5563->5565 5566 7343109d GlobalAlloc 5563->5566 5564->5561 5564->5563 5568 734310b7 GlobalFree 5565->5568 5567 73431558 3 API calls 5566->5567 5567->5565 5568->5555 4780 4015bb 4781 402c39 17 API calls 4780->4781 4782 4015c2 4781->4782 4783 405c82 4 API calls 4782->4783 4796 4015ca 4783->4796 4784 401624 4786 401652 
4784->4786 4787 401629 4784->4787 4785 405c14 CharNextA 4785->4796 4789 401423 24 API calls 4786->4789 4788 401423 24 API calls 4787->4788 4790 401630 4788->4790 4793 40164a 4789->4793 4799 406257 lstrcpynA 4790->4799 4791 4058bb 2 API calls 4791->4796 4794 4058d8 5 API calls 4794->4796 4795 40163b SetCurrentDirectoryA 4795->4793 4796->4784 4796->4785 4796->4791 4796->4794 4797 40160c GetFileAttributesA 4796->4797 4798 40583e 4 API calls 4796->4798 4797->4796 4798->4796 4799->4795 5569 4016bb 5570 402c39 17 API calls 5569->5570 5571 4016c1 GetFullPathNameA 5570->5571 5572 4016d8 5571->5572 5578 4016f9 5571->5578 5575 4065ce 2 API calls 5572->5575 5572->5578 5573 402ac5 5574 40170d GetShortPathNameA 5574->5573 5576 4016e9 5575->5576 5576->5578 5579 406257 lstrcpynA 5576->5579 5578->5573 5578->5574 5579->5578 5580 40443f 5581 404455 5580->5581 5586 404561 5580->5586 5584 4042d4 18 API calls 5581->5584 5582 4045d0 5583 40469a 5582->5583 5585 4045da GetDlgItem 5582->5585 5591 40433b 8 API calls 5583->5591 5587 4044ab 5584->5587 5588 404658 5585->5588 5592 4045f0 5585->5592 5586->5582 5586->5583 5589 4045a5 GetDlgItem SendMessageA 5586->5589 5590 4042d4 18 API calls 5587->5590 5588->5583 5593 40466a 5588->5593 5613 4042f6 KiUserCallbackDispatcher 5589->5613 5595 4044b8 CheckDlgButton 5590->5595 5596 404695 5591->5596 5592->5588 5597 404616 SendMessageA LoadCursorA SetCursor 5592->5597 5599 404670 SendMessageA 5593->5599 5600 404681 5593->5600 5611 4042f6 KiUserCallbackDispatcher 5595->5611 5614 4046e3 5597->5614 5599->5600 5600->5596 5604 404687 SendMessageA 5600->5604 5601 4045cb 5605 4046bf SendMessageA 5601->5605 5604->5596 5605->5582 5606 4044d6 GetDlgItem 5612 404309 SendMessageA 5606->5612 5608 4044ec SendMessageA 5609 404513 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 5608->5609 5610 40450a GetSysColor 5608->5610 5609->5596 5610->5609 5611->5606 5612->5608 5613->5601 5617 405933 ShellExecuteExA 5614->5617 5616 404649 LoadCursorA SetCursor 
5616->5588 5617->5616

                                                      Control-flow Graph

                                                      C-Code - Quality: 85%
                                                      			_entry_() {
                                                      				CHAR* _v8;
                                                      				long _v12;
                                                      				char _v16;
                                                      				long _v20;
                                                      				void* _v24;
                                                      				int _v28;
                                                      				struct _TOKEN_PRIVILEGES _v40;
                                                      				signed int _v42;
                                                      				long _v44;
                                                      				signed int _v48;
                                                      				char _v163;
                                                      				char _v175;
                                                      				signed short _v182;
                                                      				struct _OSVERSIONINFOA _v196;
                                                      				struct _SHFILEINFOA _v548;
                                                      				intOrPtr* _t87;
                                                      				char* _t93;
                                                      				void* _t95;
                                                      				void* _t99;
                                                      				CHAR* _t101;
                                                      				signed int _t103;
                                                      				int _t106;
                                                      				void* _t107;
                                                      				int _t108;
                                                      				void* _t110;
                                                      				void* _t134;
                                                      				signed int _t150;
                                                      				void* _t153;
                                                      				void* _t158;
                                                      				intOrPtr* _t159;
                                                      				void* _t170;
                                                      				CHAR* _t173;
                                                      				void _t179;
                                                      				void* _t198;
                                                      				void* _t199;
                                                      				signed char* _t213;
                                                      				CHAR* _t217;
                                                      				void* _t223;
                                                      
                                                      				_v20 = 0;
                                                      				_v8 = "Error writing temporary file. Make sure your temp folder is valid.";
                                                      				_v12 = 0;
                                                      				_v16 = 0x20;
                                                      				SetErrorMode(0x8001); // executed
                                                      				_v196.szCSDVersion = 0;
                                                      				_v48 = 0;
                                                      				_v44 = 0;
                                                      				_v196.dwOSVersionInfoSize = 0x9c;
                                                      				if(GetVersionExA( &_v196) != 0) {
                                                      					L3:
                                                      					_t223 = _v196.dwPlatformId - 2;
                                                      					L4:
                                                      					if(_t223 < 0) {
                                                      						_v42 = _v42 & 0x00000000;
                                                      						if(_v175 < 0x41) {
                                                      							_v48 = 0;
                                                      						} else {
                                                      							_v48 = _v175 - 0x40;
                                                      						}
                                                      					}
                                                      					if(_v196.dwMajorVersion < 0xa) {
                                                      						_v182 = _v182 & 0x00000000;
                                                      					}
                                                      					 *0x4524d8 = _v196.dwBuildNumber;
                                                      					 *0x4524dc = (_v196.dwMajorVersion & 0x0000ffff | _v196.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                                                      					if( *0x4524de != 0x600) {
                                                      						_t159 = E00406663(0);
                                                      						if(_t159 != 0) {
                                                      							 *_t159(0xc00);
                                                      						}
                                                      					}
                                                      					_t217 = "UXTHEME";
                                                      					goto L14;
                                                      					while(1) {
                                                      						L37:
                                                      						_t179 =  *_t95;
                                                      						_t234 = _t179;
                                                      						if(_t179 == 0) {
                                                      							break;
                                                      						}
                                                      						__eflags = _t179 - 0x20;
                                                      						if(_t179 != 0x20) {
                                                      							L23:
                                                      							__eflags =  *_t95 - 0x22;
                                                      							_v16 = 0x20;
                                                      							if( *_t95 == 0x22) {
                                                      								_t95 = _t95 + 1;
                                                      								__eflags = _t95;
                                                      								_v16 = 0x22;
                                                      							}
                                                      							__eflags =  *_t95 - 0x2f;
                                                      							if( *_t95 != 0x2f) {
                                                      								L35:
                                                      								_t95 = E00405C14(_t95, _v16);
                                                      								__eflags =  *_t95 - 0x22;
                                                      								if(__eflags == 0) {
                                                      									_t95 = _t95 + 1;
                                                      									__eflags = _t95;
                                                      								}
                                                      								continue;
                                                      							} else {
                                                      								_t95 = _t95 + 1;
                                                      								__eflags =  *_t95 - 0x53;
                                                      								if( *_t95 != 0x53) {
                                                      									L30:
                                                      									__eflags =  *_t95 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
                                                      									if( *_t95 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
                                                      										L34:
                                                      										__eflags =  *(_t95 - 2) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
                                                      										if( *(_t95 - 2) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
                                                      											 *(_t95 - 2) =  *(_t95 - 2) & 0x00000000;
                                                      											__eflags = _t95 + 2;
                                                      											E00406257(0x47d000, _t95 + 2);
                                                      											L40:
                                                      											GetTempPathA(0x2000, 0x485000); // executed
                                                      											_t99 = E00403382(_t234);
                                                      											_t235 = _t99;
                                                      											if(_t99 != 0) {
                                                      												L43:
                                                      												DeleteFileA(0x483000); // executed
                                                      												_t101 = E00402F0C(_t237, _v12); // executed
                                                      												_v8 = _t101;
                                                      												if(_t101 != 0) {
                                                      													L53:
                                                      													E00403963();
                                                      													__imp__OleUninitialize();
                                                      													_t248 = _v8;
                                                      													if(_v8 == 0) {
                                                      														__eflags =  *0x4524b4;
                                                      														if( *0x4524b4 == 0) {
                                                      															L77:
                                                      															_t103 =  *0x4524cc;
                                                      															__eflags = _t103 - 0xffffffff;
                                                      															if(_t103 != 0xffffffff) {
                                                      																_v20 = _t103;
                                                      															}
                                                      															ExitProcess(_v20);
                                                      														}
                                                      														_t106 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v24);
                                                      														__eflags = _t106;
                                                      														if(_t106 != 0) {
                                                      															LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v40.Privileges));
                                                      															_v40.PrivilegeCount = 1;
                                                      															_v28 = 2;
                                                      															AdjustTokenPrivileges(_v24, 0,  &_v40, 0, 0, 0);
                                                      														}
                                                      														_t107 = E00406663(4);
                                                      														__eflags = _t107;
                                                      														if(_t107 == 0) {
                                                      															L75:
                                                      															_t108 = ExitWindowsEx(2, 0x80040002);
                                                      															__eflags = _t108;
                                                      															if(_t108 != 0) {
                                                      																goto L77;
                                                      															}
                                                      															goto L76;
                                                      														} else {
                                                      															_t110 =  *_t107(0, 0, 0, 0x25, 0x80040002);
                                                      															__eflags = _t110;
                                                      															if(_t110 == 0) {
                                                      																L76:
                                                      																E0040140B(9);
                                                      																goto L77;
                                                      															}
                                                      															goto L75;
                                                      														}
                                                      													}
                                                      													E0040596D(_v8, 0x200010);
                                                      													ExitProcess(2);
                                                      												}
                                                      												if( *0x45243c == _t101) {
                                                      													L52:
                                                      													 *0x4524cc =  *0x4524cc | 0xffffffff;
                                                      													_v20 = E00403A3D( *0x4524cc);
                                                      													goto L53;
                                                      												}
                                                      												_t213 = E00405C14(0x47b000, _t101);
                                                      												if(_t213 < 0x47b000) {
                                                      													L49:
                                                      													_t244 = _t213 - 0x47b000;
                                                      													_v8 = "Error launching installer";
                                                      													if(_t213 < 0x47b000) {
                                                      														_t173 = E004058D8(_t248);
                                                      														lstrcatA(0x485000, "~nsu");
                                                      														if(_t173 != 0) {
                                                      															lstrcatA(0x485000, "A");
                                                      														}
                                                      														lstrcatA(0x485000, ".tmp");
                                                      														if(lstrcmpiA(0x485000, 0x481000) != 0) {
                                                      															_push(0x485000);
                                                      															if(_t173 == 0) {
                                                      																E004058BB();
                                                      															} else {
                                                      																E0040583E();
                                                      															}
                                                      															SetCurrentDirectoryA(0x485000);
                                                      															if( *0x47d000 == 0) {
                                                      																E00406257(0x47d000, 0x481000);
                                                      															}
                                                      															E00406257(0x453000, _v24);
                                                      															_t194 = "A";
                                                      															_v12 = 0x1a;
                                                      															 *0x455000 = "A";
                                                      															do {
                                                      																E004062EA(_t173, 0x432050, 0x485000, 0x432050,  *((intOrPtr*)( *0x452430 + 0x120)));
                                                      																DeleteFileA(0x432050);
                                                      																_t173 = 0;
                                                      																if(_v8 != 0 && CopyFileA(0x489000, 0x432050, 1) != 0) {
                                                      																	E00406030(_t194, 0x432050, 0);
                                                      																	E004062EA(0, 0x432050, 0x485000, 0x432050,  *((intOrPtr*)( *0x452430 + 0x124)));
                                                      																	_t134 = E004058F0(0x432050);
                                                      																	if(_t134 != 0) {
                                                      																		CloseHandle(_t134);
                                                      																		_v8 = 0;
                                                      																	}
                                                      																}
                                                      																 *0x455000 =  *0x455000 + 1;
                                                      																_t62 =  &_v12;
                                                      																 *_t62 = _v12 - 1;
                                                      															} while ( *_t62 != 0);
                                                      															E00406030(_t194, 0x485000, _t173);
                                                      														}
                                                      														goto L53;
                                                      													}
                                                      													 *_t213 =  *_t213 & 0x00000000;
                                                      													_t214 =  &(_t213[4]);
                                                      													if(E00405CD7(_t244,  &(_t213[4])) == 0) {
                                                      														goto L53;
                                                      													}
                                                      													E00406257(0x47d000, _t214);
                                                      													E00406257("C:\\Users\\jones\\AppData\\Roaming\\Kartoffelprodukterne\\conchinine\\Affaldsproblem", _t214);
                                                      													_v8 = _v8 & 0x00000000;
                                                      													goto L52;
                                                      												}
                                                      												_t150 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
                                                      												while( *_t213 != _t150) {
                                                      													_t213 = _t213 - 1;
                                                      													if(_t213 >= 0x47b000) {
                                                      														continue;
                                                      													}
                                                      													goto L49;
                                                      												}
                                                      												goto L49;
                                                      											}
                                                      											GetWindowsDirectoryA(0x485000, 0x1ffb);
                                                      											lstrcatA(0x485000, "\\Temp");
                                                      											_t153 = E00403382(_t235);
                                                      											_t236 = _t153;
                                                      											if(_t153 != 0) {
                                                      												goto L43;
                                                      											}
                                                      											GetTempPathA(0x1ffc, 0x485000);
                                                      											lstrcatA(0x485000, "Low");
                                                      											SetEnvironmentVariableA("TEMP", 0x485000);
                                                      											SetEnvironmentVariableA("TMP", 0x485000);
                                                      											_t158 = E00403382(_t236);
                                                      											_t237 = _t158;
                                                      											if(_t158 == 0) {
                                                      												goto L53;
                                                      											}
                                                      											goto L43;
                                                      										}
                                                      										goto L35;
                                                      									}
                                                      									_t198 =  *((intOrPtr*)(_t95 + 4));
                                                      									__eflags = _t198 - 0x20;
                                                      									if(_t198 == 0x20) {
                                                      										L33:
                                                      										_t42 =  &_v12;
                                                      										 *_t42 = _v12 | 0x00000004;
                                                      										__eflags =  *_t42;
                                                      										goto L34;
                                                      									}
                                                      									__eflags = _t198;
                                                      									if(_t198 != 0) {
                                                      										goto L34;
                                                      									}
                                                      									goto L33;
                                                      								}
                                                      								_t199 =  *(_t95 + 1);
                                                      								__eflags = _t199 - 0x20;
                                                      								if(_t199 == 0x20) {
                                                      									L29:
                                                      									 *0x4524c0 = 1;
                                                      									goto L30;
                                                      								}
                                                      								__eflags = _t199;
                                                      								if(_t199 != 0) {
                                                      									goto L30;
                                                      								}
                                                      								goto L29;
                                                      							}
                                                      						} else {
                                                      							goto L22;
                                                      						}
                                                      						do {
                                                      							L22:
                                                      							_t95 = _t95 + 1;
                                                      							__eflags =  *_t95 - 0x20;
                                                      						} while ( *_t95 == 0x20);
                                                      						goto L23;
                                                      					}
                                                      					goto L40;
                                                      					L14:
                                                      					E004065F5(_t217); // executed
                                                      					_t217 =  &(_t217[lstrlenA(_t217) + 1]);
                                                      					if( *_t217 != 0) {
                                                      						goto L14;
                                                      					} else {
                                                      						E00406663(0xb);
                                                      						 *0x452424 = E00406663(9);
                                                      						_t87 = E00406663(7);
                                                      						if(_t87 != 0) {
                                                      							_t87 =  *_t87(0x1e);
                                                      							if(_t87 != 0) {
                                                      								 *0x4524dc =  *0x4524dc | 0x00000080;
                                                      							}
                                                      						}
                                                      						__imp__#17(_t170);
                                                      						__imp__OleInitialize(0); // executed
                                                      						 *0x4524e0 = _t87;
                                                      						SHGetFileInfoA(0x434050, 0,  &_v548, 0x160, 0); // executed
                                                      						E00406257(0x44e420, "NSIS Error");
                                                      						E00406257(0x47b000, GetCommandLineA());
                                                      						 *0x452420 = 0x400000;
                                                      						_t93 = 0x47b000;
                                                      						if( *0x47b000 == 0x22) {
                                                      							_v16 = 0x22;
                                                      							_t93 = 0x47b001;
                                                      						}
                                                      						_t95 = CharNextA(E00405C14(_t93, _v16));
                                                      						_v24 = _t95;
                                                      						goto L37;
                                                      					}
                                                      				}
                                                      				_v196.dwOSVersionInfoSize = 0x94;
                                                      				GetVersionExA( &_v196);
                                                      				if(_v196.dwPlatformId != 2) {
                                                      					goto L4;
                                                      				} else {
                                                      					_v42 = 4;
                                                      					asm("sbb eax, eax");
                                                      					_v48 =  !( ~(_v196.szCSDVersion - 0x53)) & _v163 - 0x00000030;
                                                      					goto L3;
                                                      				}
                                                      			}
                                                      0x004035c0
                                                      0x004035c1
                                                      0x004035c4
                                                      0x004035dc
                                                      0x00403607
                                                      0x00403609
                                                      0x0040361b
                                                      0x00403646
                                                      0x00403649
                                                      0x00403666
                                                      0x0040366a
                                                      0x00403673
                                                      0x00403678
                                                      0x00403689
                                                      0x0040368b
                                                      0x00403690
                                                      0x00403692
                                                      0x004036ea
                                                      0x004036ef
                                                      0x004036f8
                                                      0x004036ff
                                                      0x00403702
                                                      0x00403795
                                                      0x00403795
                                                      0x0040379a
                                                      0x004037a3
                                                      0x004037a6
                                                      0x004038cf
                                                      0x004038d5
                                                      0x0040394d
                                                      0x0040394d
                                                      0x00403952
                                                      0x00403955
                                                      0x00403957
                                                      0x00403957
                                                      0x0040395d
                                                      0x0040395d
                                                      0x004038e4
                                                      0x004038ea
                                                      0x004038ec
                                                      0x004038f8
                                                      0x00403909
                                                      0x00403910
                                                      0x00403917
                                                      0x00403917
                                                      0x0040391f
                                                      0x00403924
                                                      0x0040392b
                                                      0x00403939
                                                      0x0040393c
                                                      0x00403942
                                                      0x00403944
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040392d
                                                      0x00403933
                                                      0x00403935
                                                      0x00403937
                                                      0x00403946
                                                      0x00403948
                                                      0x00000000
                                                      0x00403948
                                                      0x00000000
                                                      0x00403937
                                                      0x0040392b
                                                      0x004037b4
                                                      0x004037bb
                                                      0x004037bb
                                                      0x0040370e
                                                      0x00403786
                                                      0x00403786
                                                      0x00403792
                                                      0x00000000
                                                      0x00403792
                                                      0x00403717
                                                      0x0040371b
                                                      0x00403751
                                                      0x00403751
                                                      0x00403753
                                                      0x0040375a
                                                      0x004037cc
                                                      0x004037ce
                                                      0x004037d5
                                                      0x004037dd
                                                      0x004037dd
                                                      0x004037e8
                                                      0x004037fc
                                                      0x00403800
                                                      0x00403801
                                                      0x0040380a
                                                      0x00403803
                                                      0x00403803
                                                      0x00403803
                                                      0x00403810
                                                      0x0040381d
                                                      0x00403825
                                                      0x00403825
                                                      0x00403832
                                                      0x00403837
                                                      0x00403841
                                                      0x00403855
                                                      0x0040385b
                                                      0x00403867
                                                      0x0040386d
                                                      0x00403873
                                                      0x00403878
                                                      0x0040388e
                                                      0x0040389f
                                                      0x004038a5
                                                      0x004038ac
                                                      0x004038af
                                                      0x004038b5
                                                      0x004038b5
                                                      0x004038ac
                                                      0x004038b8
                                                      0x004038be
                                                      0x004038be
                                                      0x004038be
                                                      0x004038c5
                                                      0x004038c5
                                                      0x00000000
                                                      0x004037fc
                                                      0x0040375c
                                                      0x0040375f
                                                      0x0040376a
                                                      0x00000000
                                                      0x00000000
                                                      0x00403772
                                                      0x0040377d
                                                      0x00403782
                                                      0x00000000
                                                      0x00403782
                                                      0x00403746
                                                      0x00403748
                                                      0x0040374c
                                                      0x0040374f
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040374f
                                                      0x00000000
                                                      0x00403748
                                                      0x0040369a
                                                      0x004036a6
                                                      0x004036ab
                                                      0x004036b0
                                                      0x004036b2
                                                      0x00000000
                                                      0x00000000
                                                      0x004036ba
                                                      0x004036c2
                                                      0x004036d3
                                                      0x004036db
                                                      0x004036dd
                                                      0x004036e2
                                                      0x004036e4
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004036e4
                                                      0x00000000
                                                      0x00403649
                                                      0x0040360b
                                                      0x0040360e
                                                      0x00403611
                                                      0x00403617
                                                      0x00403617
                                                      0x00403617
                                                      0x00403617
                                                      0x00000000
                                                      0x00403617
                                                      0x00403613
                                                      0x00403615
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00403615
                                                      0x004035c6
                                                      0x004035c9
                                                      0x004035cc
                                                      0x004035d2
                                                      0x004035d2
                                                      0x00000000
                                                      0x004035d2
                                                      0x004035ce
                                                      0x004035d0
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004035d0
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004035a3
                                                      0x004035a3
                                                      0x004035a3
                                                      0x004035a4
                                                      0x004035a4
                                                      0x00000000
                                                      0x004035a3
                                                      0x00000000
                                                      0x004034d8
                                                      0x004034d9
                                                      0x004034e5
                                                      0x004034ec
                                                      0x00000000
                                                      0x004034ee
                                                      0x004034f0
                                                      0x004034fe
                                                      0x00403503
                                                      0x0040350a
                                                      0x0040350e
                                                      0x00403512
                                                      0x00403514
                                                      0x00403514
                                                      0x00403512
                                                      0x0040351c
                                                      0x00403523
                                                      0x00403529
                                                      0x00403541
                                                      0x00403551
                                                      0x00403563
                                                      0x0040356f
                                                      0x00403579
                                                      0x0040357b
                                                      0x0040357d
                                                      0x00403581
                                                      0x00403581
                                                      0x00403590
                                                      0x00403596
                                                      0x00000000
                                                      0x00403596
                                                      0x004034ec
                                                      0x0040340b
                                                      0x00403416
                                                      0x0040341f
                                                      0x00000000
                                                      0x00403421
                                                      0x00403434
                                                      0x0040343a
                                                      0x00403440
                                                      0x00000000
                                                      0x00403440

                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008001), ref: 004033D6
                                                      • GetVersionExA.KERNEL32(?), ref: 004033FF
                                                      • GetVersionExA.KERNEL32(0000009C), ref: 00403416
                                                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034DF
                                                      • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040351C
                                                      • OleInitialize.OLE32(00000000), ref: 00403523
                                                      • SHGetFileInfoA.SHELL32(00434050,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403541
                                                      • GetCommandLineA.KERNEL32(0044E420,NSIS Error,?,00000007,00000009,0000000B), ref: 00403556
                                                      • CharNextA.USER32(00000000,0047B000,00000020,0047B000,00000000,?,00000007,00000009,0000000B), ref: 00403590
                                                      • GetTempPathA.KERNELBASE(00002000,00485000,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403689
                                                      • GetWindowsDirectoryA.KERNEL32(00485000,00001FFB,?,00000007,00000009,0000000B), ref: 0040369A
                                                      • lstrcatA.KERNEL32(00485000,\Temp,?,00000007,00000009,0000000B), ref: 004036A6
                                                      • GetTempPathA.KERNEL32(00001FFC,00485000,00485000,\Temp,?,00000007,00000009,0000000B), ref: 004036BA
                                                      • lstrcatA.KERNEL32(00485000,Low,?,00000007,00000009,0000000B), ref: 004036C2
                                                      • SetEnvironmentVariableA.KERNEL32(TEMP,00485000,00485000,Low,?,00000007,00000009,0000000B), ref: 004036D3
                                                      • SetEnvironmentVariableA.KERNEL32(TMP,00485000,?,00000007,00000009,0000000B), ref: 004036DB
                                                      • DeleteFileA.KERNELBASE(00483000,?,00000007,00000009,0000000B), ref: 004036EF
                                                      • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 0040379A
                                                      • ExitProcess.KERNEL32 ref: 004037BB
                                                      • lstrcatA.KERNEL32(00485000,~nsu,0047B000,00000000,?,?,00000007,00000009,0000000B), ref: 004037CE
                                                      • lstrcatA.KERNEL32(00485000,0040A14C,00485000,~nsu,0047B000,00000000,?,?,00000007,00000009,0000000B), ref: 004037DD
                                                      • lstrcatA.KERNEL32(00485000,.tmp,00485000,~nsu,0047B000,00000000,?,?,00000007,00000009,0000000B), ref: 004037E8
                                                      • lstrcmpiA.KERNEL32(00485000,00481000,00485000,.tmp,00485000,~nsu,0047B000,00000000,?,?,00000007,00000009,0000000B), ref: 004037F4
                                                      • SetCurrentDirectoryA.KERNEL32(00485000,00485000,?,00000007,00000009,0000000B), ref: 00403810
                                                      • DeleteFileA.KERNEL32(00432050,00432050,?,00453000,?,?,00000007,00000009,0000000B), ref: 0040386D
                                                      • CopyFileA.KERNEL32(00489000,00432050,00000001), ref: 00403882
                                                      • CloseHandle.KERNEL32(00000000,00432050,00432050,?,00432050,00000000,?,00000007,00000009,0000000B), ref: 004038AF
                                                      • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038DD
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 004038E4
                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038F8
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403917
                                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 0040393C
                                                      • ExitProcess.KERNEL32 ref: 0040395D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                      • String ID: "$.tmp$A$C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Affaldsproblem$Error launching installer$Low$NSIS Error$P C$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                      • API String ID: 1000954069-2031753230
                                                      • Opcode ID: 5b4a1273ff86c7f48266d57c72b3d881aaa6ca9625edc3239ebafd6de991659e
                                                      • Instruction ID: 35a904cfeb39216351fef3eee688bc31b7ac6ceac067f98900564130ed648918
                                                      • Opcode Fuzzy Hash: 5b4a1273ff86c7f48266d57c72b3d881aaa6ca9625edc3239ebafd6de991659e
                                                      • Instruction Fuzzy Hash: DBE10470904354AADB216F758D49BAF7EB8AF4630AF0440BFE445B62D2C77C4A44CB2E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 144 4054b6-4054d2 145 405661-405667 144->145 146 4054d8-40559f GetDlgItem * 3 call 404309 call 404bfa GetClientRect GetSystemMetrics SendMessageA * 2 144->146 148 405691-40569d 145->148 149 405669-40568b GetDlgItem CreateThread FindCloseChangeNotification 145->149 167 4055a1-4055bb SendMessageA * 2 146->167 168 4055bd-4055c0 146->168 151 4056bf-4056c5 148->151 152 40569f-4056a5 148->152 149->148 156 4056c7-4056cd 151->156 157 40571a-40571d 151->157 154 4056e0-4056e7 call 40433b 152->154 155 4056a7-4056ba ShowWindow * 2 call 404309 152->155 164 4056ec-4056f0 154->164 155->151 162 4056f3-405703 ShowWindow 156->162 163 4056cf-4056db call 4042ad 156->163 157->154 160 40571f-405725 157->160 160->154 169 405727-40573a SendMessageA 160->169 165 405713-405715 call 4042ad 162->165 166 405705-40570e call 405378 162->166 163->154 165->157 166->165 167->168 173 4055d0-4055e7 call 4042d4 168->173 174 4055c2-4055ce SendMessageA 168->174 175 405740-40576c CreatePopupMenu call 4062ea AppendMenuA 169->175 176 405837-405839 169->176 183 4055e9-4055fd ShowWindow 173->183 184 40561d-40563e GetDlgItem SendMessageA 173->184 174->173 181 405781-405797 TrackPopupMenu 175->181 182 40576e-40577e GetWindowRect 175->182 176->164 181->176 186 40579d-4057b7 181->186 182->181 187 40560c 183->187 188 4055ff-40560a ShowWindow 183->188 184->176 185 405644-40565c SendMessageA * 2 184->185 185->176 189 4057bc-4057d7 SendMessageA 186->189 190 405612-405618 call 404309 187->190 188->190 189->189 191 4057d9-4057f9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 189->191 190->184 193 4057fb-40581b SendMessageA 191->193 193->193 194 40581d-405831 GlobalUnlock SetClipboardData CloseClipboard 193->194 194->176
                                                      C-Code - Quality: 95%
                                                      			E004054B6(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                      				struct HWND__* _v8;
                                                      				struct tagRECT _v24;
                                                      				void* _v32;
                                                      				signed int _v36;
                                                      				int _v40;
                                                      				int _v44;
                                                      				signed int _v48;
                                                      				int _v52;
                                                      				void* _v56;
                                                      				void* _v64;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				struct HWND__* _t89;
                                                      				long _t90;
                                                      				int _t95;
                                                      				void* _t102;
                                                      				intOrPtr _t113;
                                                      				void* _t121;
                                                      				intOrPtr _t124;
                                                      				struct HWND__* _t128;
                                                      				int _t150;
                                                      				int _t153;
                                                      				long _t157;
                                                      				struct HWND__* _t161;
                                                      				struct HMENU__* _t163;
                                                      				long _t165;
                                                      				void* _t166;
                                                      				char* _t167;
                                                      				char* _t168;
                                                      				int _t169;
                                                      
                                                      				_t157 = _a8;
                                                      				_t150 = 0;
                                                      				_v8 =  *0x44e404;
                                                      				if(_t157 != 0x110) {
                                                      					if(_t157 == 0x405) {
                                                      						_t121 = CreateThread(0, 0, E0040544A, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed
                                                      						FindCloseChangeNotification(_t121);
                                                      					}
                                                      					if(_t157 != 0x111) {
                                                      						L17:
                                                      						if(_t157 != 0x404) {
                                                      							L25:
                                                      							if(_t157 != 0x7b) {
                                                      								goto L20;
                                                      							}
                                                      							_t89 = _v8;
                                                      							if(_a12 != _t89) {
                                                      								goto L20;
                                                      							}
                                                      							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
                                                      							_a12 = _t90;
                                                      							if(_t90 <= _t150) {
                                                      								L36:
                                                      								return 0;
                                                      							}
                                                      							_t163 = CreatePopupMenu();
                                                      							AppendMenuA(_t163, _t150, 1, E004062EA(_t150, _t157, _t163, _t150, 0xffffffe1));
                                                      							_t95 = _a16;
                                                      							_t153 = _a16 >> 0x10;
                                                      							if(_a16 == 0xffffffff) {
                                                      								GetWindowRect(_v8,  &_v24);
                                                      								_t95 = _v24.left;
                                                      								_t153 = _v24.top;
                                                      							}
                                                      							if(TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150) == 1) {
                                                      								_t165 = 1;
                                                      								_v56 = _t150;
                                                      								_v44 = 0x43c090;
                                                      								_v40 = 0x8000;
                                                      								_a4 = _a12;
                                                      								do {
                                                      									_a4 = _a4 - 1;
                                                      									_t165 = _t165 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
                                                      								} while (_a4 != _t150);
                                                      								OpenClipboard(_t150);
                                                      								EmptyClipboard();
                                                      								_t102 = GlobalAlloc(0x42, _t165);
                                                      								_a4 = _t102;
                                                      								_t166 = GlobalLock(_t102);
                                                      								do {
                                                      									_v44 = _t166;
                                                      									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                                                      									 *_t167 = 0xd;
                                                      									_t168 = _t167 + 1;
                                                      									 *_t168 = 0xa;
                                                      									_t166 = _t168 + 1;
                                                      									_t150 = _t150 + 1;
                                                      								} while (_t150 < _a12);
                                                      								GlobalUnlock(_a4);
                                                      								SetClipboardData(1, _a4);
                                                      								CloseClipboard();
                                                      							}
                                                      							goto L36;
                                                      						}
                                                      						if( *0x44e3ec == _t150) {
                                                      							ShowWindow( *0x452428, 8);
                                                      							if( *0x4524ac == _t150) {
                                                      								_t113 =  *0x438068; // 0x66851c
                                                      								E00405378( *((intOrPtr*)(_t113 + 0x34)), _t150);
                                                      							}
                                                      							E004042AD(1);
                                                      							goto L25;
                                                      						}
                                                      						 *0x436060 = 2;
                                                      						E004042AD(0x78);
                                                      						goto L20;
                                                      					} else {
                                                      						if(_a12 != 0x403) {
                                                      							L20:
                                                      							return E0040433B(_t157, _a12, _a16);
                                                      						}
                                                      						ShowWindow( *0x44e3f0, _t150);
                                                      						ShowWindow(_v8, 8);
                                                      						E00404309(_v8);
                                                      						goto L17;
                                                      					}
                                                      				}
                                                      				_v48 = _v48 | 0xffffffff;
                                                      				_v36 = _v36 | 0xffffffff;
                                                      				_t169 = 2;
                                                      				_v56 = _t169;
                                                      				_v52 = 0;
                                                      				_v44 = 0;
                                                      				_v40 = 0;
                                                      				asm("stosd");
                                                      				asm("stosd");
                                                      				_t124 =  *0x452430;
                                                      				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                                                      				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                                                      				 *0x44e3f0 = GetDlgItem(_a4, 0x403);
                                                      				 *0x44e3e8 = GetDlgItem(_a4, 0x3ee);
                                                      				_t128 = GetDlgItem(_a4, 0x3f8);
                                                      				 *0x44e404 = _t128;
                                                      				_v8 = _t128;
                                                      				E00404309( *0x44e3f0);
                                                      				 *0x44e3f4 = E00404BFA(4);
                                                      				 *0x44e40c = 0;
                                                      				GetClientRect(_v8,  &_v24);
                                                      				_v48 = _v24.right - GetSystemMetrics(_t169);
                                                      				SendMessageA(_v8, 0x101b, 0,  &_v56); // executed
                                                      				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
                                                      				if(_a12 >= 0) {
                                                      					SendMessageA(_v8, 0x1001, 0, _a12);
                                                      					SendMessageA(_v8, 0x1026, 0, _a12);
                                                      				}
                                                      				if(_a8 >= _t150) {
                                                      					SendMessageA(_v8, 0x1024, _t150, _a8);
                                                      				}
                                                      				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                      				_push(0x1b);
                                                      				E004042D4(_a4);
                                                      				if(( *0x452438 & 0x00000003) != 0) {
                                                      					ShowWindow( *0x44e3f0, _t150);
                                                      					if(( *0x452438 & 0x00000002) != 0) {
                                                      						 *0x44e3f0 = _t150;
                                                      					} else {
                                                      						ShowWindow(_v8, 8);
                                                      					}
                                                      					E00404309( *0x44e3e8);
                                                      				}
                                                      				_t161 = GetDlgItem(_a4, 0x3ec);
                                                      				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                                                      				if(( *0x452438 & 0x00000004) != 0) {
                                                      					SendMessageA(_t161, 0x409, _t150, _a8);
                                                      					SendMessageA(_t161, 0x2001, _t150, _a12);
                                                      				}
                                                      				goto L36;
                                                      			}

                                                      APIs
                                                      • GetDlgItem.USER32 ref: 00405515
                                                      • GetDlgItem.USER32 ref: 00405524
                                                      • GetClientRect.USER32 ref: 00405561
                                                      • GetSystemMetrics.USER32 ref: 00405568
                                                      • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405589
                                                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040559A
                                                      • SendMessageA.USER32(?,00001001,00000000,?), ref: 004055AD
                                                      • SendMessageA.USER32(?,00001026,00000000,?), ref: 004055BB
                                                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 004055CE
                                                      • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004055F0
                                                      • ShowWindow.USER32(?,00000008), ref: 00405604
                                                      • GetDlgItem.USER32 ref: 00405625
                                                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405635
                                                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040564E
                                                      • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040565A
                                                      • GetDlgItem.USER32 ref: 00405533
                                                        • Part of subcall function 00404309: SendMessageA.USER32(00000028,?,00000001,00404139), ref: 00404317
                                                      • GetDlgItem.USER32 ref: 00405676
                                                      • CreateThread.KERNELBASE ref: 00405684
                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040568B
                                                      • ShowWindow.USER32(00000000), ref: 004056AE
                                                      • ShowWindow.USER32(?,00000008), ref: 004056B5
                                                      • ShowWindow.USER32(00000008), ref: 004056FB
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040572F
                                                      • CreatePopupMenu.USER32 ref: 00405740
                                                      • AppendMenuA.USER32 ref: 00405755
                                                      • GetWindowRect.USER32 ref: 00405775
                                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578E
                                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004057CA
                                                      • OpenClipboard.USER32(00000000), ref: 004057DA
                                                      • EmptyClipboard.USER32 ref: 004057E0
                                                      • GlobalAlloc.KERNEL32(00000042,?), ref: 004057E9
                                                      • GlobalLock.KERNEL32 ref: 004057F3
                                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405807
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00405820
                                                      • SetClipboardData.USER32 ref: 0040582B
                                                      • CloseClipboard.USER32 ref: 00405831
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                      • String ID:
                                                      • API String ID: 4154960007-0
                                                      • Opcode ID: 1100f4880005faef561a40811008994f6c97a2979eea71fdeb132e64cd9f5767
                                                      • Instruction ID: a29ac8d60da1fb34f4aa2469bcdf397c87ff466403413f05bd0ae09002c56f5c
                                                      • Opcode Fuzzy Hash: 1100f4880005faef561a40811008994f6c97a2979eea71fdeb132e64cd9f5767
                                                      • Instruction Fuzzy Hash: 7BA16BB1900608BFEB119F64DE89EAE7B79FB08354F00403AFA45B61A1CB754E51DF68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 93%
                                                      			E73432288() {
                                                      				CHAR* _t236;
                                                      				void* _t238;
                                                      				signed int _t239;
                                                      				char _t240;
                                                      				char _t241;
                                                      				void _t242;
                                                      				CHAR* _t243;
                                                      				void* _t249;
                                                      				struct HINSTANCE__* _t250;
                                                      				CHAR* _t251;
                                                      				int _t252;
                                                      				CHAR* _t253;
                                                      				signed short _t255;
                                                      				CHAR* _t259;
                                                      				void* _t260;
                                                      				CHAR** _t261;
                                                      				intOrPtr _t264;
                                                      				void* _t272;
                                                      				signed int _t273;
                                                      				CHAR* _t274;
                                                      				CHAR* _t276;
                                                      				CHAR* _t279;
                                                      				CHAR* _t282;
                                                      				void _t283;
                                                      				signed int _t287;
                                                      				void* _t288;
                                                      				void* _t291;
                                                      				CHAR* _t298;
                                                      				signed int _t299;
                                                      				CHAR* _t303;
                                                      				CHAR* _t305;
                                                      				CHAR* _t306;
                                                      				CHAR* _t307;
                                                      				CHAR* _t312;
                                                      				CHAR* _t313;
                                                      				char _t319;
                                                      				CHAR* _t320;
                                                      				char _t323;
                                                      				signed int _t333;
                                                      				void* _t335;
                                                      				CHAR* _t336;
                                                      				CHAR* _t337;
                                                      				void _t338;
                                                      				CHAR* _t341;
                                                      				CHAR* _t343;
                                                      				signed int _t345;
                                                      				signed int _t346;
                                                      				void* _t347;
                                                      				void* _t348;
                                                      				void* _t349;
                                                      				signed int _t355;
                                                      				CHAR* _t360;
                                                      				void* _t361;
                                                      				signed int _t368;
                                                      				signed int _t369;
                                                      				CHAR* _t370;
                                                      				void* _t371;
                                                      				CHAR* _t377;
                                                      				signed int _t379;
                                                      				CHAR* _t380;
                                                      				void* _t382;
                                                      				void* _t383;
                                                      				CHAR* _t384;
                                                      				CHAR* _t385;
                                                      				CHAR* _t386;
                                                      				CHAR* _t387;
                                                      				struct HINSTANCE__* _t388;
                                                      				CHAR* _t390;
                                                      				void* _t391;
                                                      				void* _t392;
                                                      
                                                      				 *(_t392 + 0x1c) = 0;
                                                      				_t382 = 0;
                                                      				 *(_t392 + 0x34) = 0;
                                                      				 *(_t392 + 0x30) = 0;
                                                      				 *(_t392 + 0x18) = 0;
                                                      				 *(_t392 + 0x2c) = 0;
                                                      				 *(_t392 + 0x3c) = 0;
                                                      				 *(_t392 + 0x28) = 0;
                                                      				_t236 = E734312C6();
                                                      				 *(_t392 + 0x14) = _t236;
                                                      				_t312 = _t236;
                                                      				 *(_t392 + 0x38) = E734312C6();
                                                      				_t238 = E7343152B();
                                                      				_t391 = _t238;
                                                      				 *(_t392 + 0x44) = _t238;
                                                      				_t383 = _t238;
                                                      				 *(_t392 + 0x24) = _t391;
                                                      				 *((intOrPtr*)(_t392 + 0x48)) = 2;
                                                      				_t239 = 0;
                                                      				while(1) {
                                                      					_t368 = _t239;
                                                      					 *(_t392 + 0x40) = _t368;
                                                      					if(_t239 != 0 && _t382 == 0) {
                                                      						break;
                                                      					}
                                                      					_t240 =  *_t391;
                                                      					 *((char*)(_t392 + 0x13)) = _t240;
                                                      					_t241 = _t240;
                                                      					_t319 = _t241;
                                                      					if(_t319 == 0) {
                                                      						_t169 = _t392 + 0x1c;
                                                      						 *_t169 =  *(_t392 + 0x1c) | 0xffffffff;
                                                      						__eflags =  *_t169;
                                                      						L132:
                                                      						_t369 = _t368;
                                                      						if(_t369 == 0) {
                                                      							_t370 = 0;
                                                      							 *_t312 = 0;
                                                      							__eflags = _t382;
                                                      							if(_t382 == 0) {
                                                      								_t382 = GlobalAlloc(0x40, 0x14a4);
                                                      								_t370 = 0;
                                                      								__eflags = 0;
                                                      								 *(_t382 + 0x810) = 0;
                                                      								 *(_t382 + 0x814) = 0;
                                                      							}
                                                      							_t242 =  *(_t392 + 0x34);
                                                      							_t177 = _t382 + 8; // 0x8
                                                      							_t320 = _t177;
                                                      							_t178 = _t382 + 0x408; // 0x408
                                                      							_t384 = _t178;
                                                      							 *_t382 = _t242;
                                                      							 *_t320 = _t370;
                                                      							 *_t384 = _t370;
                                                      							 *(_t382 + 0x808) = _t370;
                                                      							 *(_t382 + 0x80c) = _t370;
                                                      							 *(_t382 + 4) = _t370;
                                                      							_t243 = _t242 - _t370;
                                                      							__eflags = _t243;
                                                      							if(_t243 == 0) {
                                                      								__eflags = _t312 -  *(_t392 + 0x14);
                                                      								if(_t312 ==  *(_t392 + 0x14)) {
                                                      									goto L154;
                                                      								}
                                                      								_t390 = _t370;
                                                      								GlobalFree(_t382);
                                                      								_push( *(_t392 + 0x14));
                                                      								_t382 = E73431326();
                                                      								__eflags = _t382;
                                                      								if(_t382 == 0) {
                                                      									goto L154;
                                                      								} else {
                                                      									goto L147;
                                                      								}
                                                      								while(1) {
                                                      									L147:
                                                      									_t272 =  *(_t382 + 0x14a0);
                                                      									__eflags = _t272;
                                                      									if(_t272 == 0) {
                                                      										break;
                                                      									}
                                                      									_t390 = _t382;
                                                      									_t382 = _t272;
                                                      								}
                                                      								__eflags = _t390;
                                                      								if(_t390 != 0) {
                                                      									_t187 =  &(_t390[0x14a0]);
                                                      									 *_t187 = _t390[0x14a0] & 0x00000000;
                                                      									__eflags =  *_t187;
                                                      								}
                                                      								_t273 =  *(_t382 + 0x810);
                                                      								__eflags = _t273 & 0x00000008;
                                                      								if((_t273 & 0x00000008) == 0) {
                                                      									_t333 = 2;
                                                      									_t274 = _t273 | _t333;
                                                      									__eflags = _t274;
                                                      									 *(_t382 + 0x810) = _t274;
                                                      								} else {
                                                      									_t382 = E734312D5(_t382);
                                                      									 *(_t382 + 0x810) =  *(_t382 + 0x810) & 0xfffffff5;
                                                      								}
                                                      								goto L154;
                                                      							} else {
                                                      								_t276 = _t243 - 1;
                                                      								__eflags = _t276;
                                                      								if(_t276 == 0) {
                                                      									L143:
                                                      									lstrcpyA(_t320,  *(_t392 + 0x38));
                                                      									L144:
                                                      									lstrcpyA(_t384,  *(_t392 + 0x14));
                                                      									L154:
                                                      									_t312 =  *(_t392 + 0x14);
                                                      									L155:
                                                      									_t239 =  *(_t392 + 0x1c);
                                                      									_t391 = _t391 + 1;
                                                      									 *(_t392 + 0x24) = _t391;
                                                      									_t383 = _t391;
                                                      									if(_t239 != 0xffffffff) {
                                                      										continue;
                                                      									}
                                                      									break;
                                                      								}
                                                      								_t279 = _t276 - 1;
                                                      								__eflags = _t279;
                                                      								if(_t279 == 0) {
                                                      									goto L144;
                                                      								}
                                                      								__eflags = _t279 != 1;
                                                      								if(_t279 != 1) {
                                                      									goto L154;
                                                      								}
                                                      								goto L143;
                                                      							}
                                                      						}
                                                      						_t371 = _t369 - 1;
                                                      						if(_t371 == 0) {
                                                      							_t282 =  *(_t392 + 0x30);
                                                      							if( *(_t392 + 0x2c) == _t371) {
                                                      								_t282 = _t282 - 1;
                                                      							}
                                                      							 *(_t382 + 0x814) = _t282;
                                                      						}
                                                      						goto L154;
                                                      					}
                                                      					_t335 = _t319 - 0x23;
                                                      					if(_t335 == 0) {
                                                      						_t336 =  *(_t392 + 0x1c);
                                                      						__eflags = _t383 -  *(_t392 + 0x44);
                                                      						if(_t383 <=  *(_t392 + 0x44)) {
                                                      							L29:
                                                      							__eflags =  *(_t392 + 0x28);
                                                      							if( *(_t392 + 0x28) != 0) {
                                                      								L15:
                                                      								_t337 = _t336;
                                                      								__eflags = _t337;
                                                      								if(_t337 == 0) {
                                                      									_t283 =  *((intOrPtr*)(_t392 + 0x13));
                                                      									while(1) {
                                                      										__eflags = _t283 - 0x22;
                                                      										if(_t283 != 0x22) {
                                                      											break;
                                                      										}
                                                      										_t391 = _t391 + 1;
                                                      										__eflags =  *(_t392 + 0x28);
                                                      										_t383 = _t391;
                                                      										if( *(_t392 + 0x28) == 0) {
                                                      											__eflags = 1;
                                                      											 *(_t392 + 0x28) = 1;
                                                      											L121:
                                                      											 *_t312 =  *_t391;
                                                      											_t312 =  &(_t312[1]);
                                                      											goto L155;
                                                      										}
                                                      										_t157 = _t392 + 0x28;
                                                      										 *_t157 =  *(_t392 + 0x28) & 0x00000000;
                                                      										__eflags =  *_t157;
                                                      										_t283 =  *_t391;
                                                      									}
                                                      									__eflags = _t283 - 0x2a;
                                                      									if(_t283 == 0x2a) {
                                                      										_t287 = 2;
                                                      										 *(_t392 + 0x34) = _t287;
                                                      										L129:
                                                      										_t385 =  *(_t392 + 0x14);
                                                      										L130:
                                                      										_t312 = _t385;
                                                      										goto L155;
                                                      									}
                                                      									__eflags = _t283 - 0x2d;
                                                      									if(_t283 == 0x2d) {
                                                      										L117:
                                                      										_t338 =  *_t391;
                                                      										__eflags = _t338 - 0x2d;
                                                      										if(_t338 != 0x2d) {
                                                      											L122:
                                                      											_t162 = _t391 + 1; // 0x1
                                                      											_t288 = _t162;
                                                      											__eflags =  *_t288 - 0x3a;
                                                      											if( *_t288 != 0x3a) {
                                                      												goto L121;
                                                      											}
                                                      											__eflags = _t338 - 0x2d;
                                                      											if(_t338 == 0x2d) {
                                                      												goto L121;
                                                      											}
                                                      											__eflags = 1;
                                                      											 *(_t392 + 0x34) = 1;
                                                      											L125:
                                                      											_t385 =  *(_t392 + 0x14);
                                                      											_t391 = _t288;
                                                      											__eflags = _t312 - _t385;
                                                      											if(_t312 <= _t385) {
                                                      												 *( *(_t392 + 0x38)) = 0;
                                                      											} else {
                                                      												 *_t312 = 0;
                                                      												lstrcpyA( *(_t392 + 0x3c), _t385);
                                                      											}
                                                      											goto L130;
                                                      										}
                                                      										_t159 = _t383 + 1; // 0x1
                                                      										_t288 = _t159;
                                                      										__eflags =  *_t288 - 0x3e;
                                                      										if( *_t288 != 0x3e) {
                                                      											goto L122;
                                                      										}
                                                      										 *(_t392 + 0x34) = 3;
                                                      										goto L125;
                                                      									}
                                                      									__eflags = _t283 - 0x3a;
                                                      									if(_t283 != 0x3a) {
                                                      										goto L121;
                                                      									}
                                                      									goto L117;
                                                      								}
                                                      								_t341 = _t337 - 1;
                                                      								__eflags = _t341;
                                                      								if(_t341 == 0) {
                                                      									_t313 =  *(_t392 + 0x30);
                                                      									L49:
                                                      									_t291 = _t241 + 0xffffffde;
                                                      									__eflags = _t291 - 0x55;
                                                      									if(_t291 > 0x55) {
                                                      										goto L129;
                                                      									}
                                                      									_t76 = _t291 + 0x73432b1c; // 0x7343402c
                                                      									switch( *((intOrPtr*)(( *_t76 & 0x000000ff) * 4 +  &M73432A94))) {
                                                      										case 0:
                                                      											__esi =  *(__esp + 0x14);
                                                      											__ecx =  *(__esp + 0x14);
                                                      											__dl =  *((intOrPtr*)(__esp + 0x13));
                                                      											while(1) {
                                                      												__ebp = __ebp + 1;
                                                      												__al =  *__ebp;
                                                      												__eflags = __al - __dl;
                                                      												if(__al != __dl) {
                                                      													goto L87;
                                                      												}
                                                      												L86:
                                                      												__eflags =  *(__ebp + 1) - __dl;
                                                      												if( *(__ebp + 1) != __dl) {
                                                      													L91:
                                                      													 *__ecx = 0;
                                                      													__esi = E734312AF(__esi);
                                                      													goto L92;
                                                      												}
                                                      												L87:
                                                      												__eflags = __al;
                                                      												if(__al == 0) {
                                                      													goto L91;
                                                      												}
                                                      												__eflags = __al - __dl;
                                                      												if(__al == __dl) {
                                                      													__ebp = __ebp + 1;
                                                      													__eflags = __ebp;
                                                      												}
                                                      												__al =  *__ebp;
                                                      												 *__ecx =  *__ebp;
                                                      												__ecx = __ecx + 1;
                                                      												__ebp = __ebp + 1;
                                                      												__al =  *__ebp;
                                                      												__eflags = __al - __dl;
                                                      												if(__al != __dl) {
                                                      													goto L87;
                                                      												}
                                                      												goto L86;
                                                      											}
                                                      										case 1:
                                                      											L46:
                                                      											 *(_t392 + 0x18) = 1;
                                                      											goto L129;
                                                      										case 2:
                                                      											 *(__esp + 0x18) =  *(__esp + 0x18) | 0xffffffff;
                                                      											goto L129;
                                                      										case 3:
                                                      											 *(__esp + 0x18) =  *(__esp + 0x18) & 0;
                                                      											__eax = 0;
                                                      											 *(__esp + 0x20) =  *(__esp + 0x20) & 0;
                                                      											__ebx = __ebx + 1;
                                                      											__eax = 1;
                                                      											 *(__esp + 0x30) = __ebx;
                                                      											 *((intOrPtr*)(__esp + 0x2c)) = 1;
                                                      											goto L129;
                                                      										case 4:
                                                      											__eflags =  *(__esp + 0x20);
                                                      											if( *(__esp + 0x20) != 0) {
                                                      												goto L129;
                                                      											}
                                                      											 *(__esp + 0x24) = __ebp;
                                                      											__esi = E734312C6();
                                                      											__eax = __esp + 0x24;
                                                      											_push(__esi);
                                                      											__eax = E73431B4C(__eax);
                                                      											_push(__edx);
                                                      											_push(__eax);
                                                      											__eax = E7343144D(__ecx);
                                                      											__esp = __esp + 0xc;
                                                      											goto L80;
                                                      										case 5:
                                                      											 *(__esp + 0x20) =  *(__esp + 0x20) + 1;
                                                      											goto L129;
                                                      										case 6:
                                                      											_push(7);
                                                      											goto L74;
                                                      										case 7:
                                                      											_push(0x19);
                                                      											goto L101;
                                                      										case 8:
                                                      											__eax = 0;
                                                      											__eax = 1;
                                                      											__edx = 1;
                                                      											goto L58;
                                                      										case 9:
                                                      											_push(0x15);
                                                      											goto L101;
                                                      										case 0xa:
                                                      											_push(0x16);
                                                      											goto L101;
                                                      										case 0xb:
                                                      											_push(0x18);
                                                      											goto L101;
                                                      										case 0xc:
                                                      											__eax = 0;
                                                      											__eflags = 0;
                                                      											_t103 = __eax + 1; // 0x1
                                                      											__edx = _t103;
                                                      											goto L69;
                                                      										case 0xd:
                                                      											__eax = 0;
                                                      											__eax = 1;
                                                      											__edx = 1;
                                                      											goto L61;
                                                      										case 0xe:
                                                      											__eax = 0;
                                                      											__eax = 1;
                                                      											__edx = 1;
                                                      											goto L75;
                                                      										case 0xf:
                                                      											__eax = 0;
                                                      											__eflags = 0;
                                                      											_t105 = __eax + 1; // 0x1
                                                      											__edx = _t105;
                                                      											goto L73;
                                                      										case 0x10:
                                                      											__eax = 0;
                                                      											__eflags = 0;
                                                      											_t100 = __eax + 1; // 0x1
                                                      											__edx = _t100;
                                                      											goto L65;
                                                      										case 0x11:
                                                      											_push(3);
                                                      											goto L74;
                                                      										case 0x12:
                                                      											_push(0x17);
                                                      											L101:
                                                      											_pop(__esi);
                                                      											goto L102;
                                                      										case 0x13:
                                                      											__eax = __esp + 0x24;
                                                      											__eax = E73431B4C(__esp + 0x24);
                                                      											_push(0xb);
                                                      											_pop(__esi);
                                                      											_t134 = __eax + 1; // 0x1
                                                      											__ecx = _t134;
                                                      											__eflags = _t134 - __esi;
                                                      											_push(1);
                                                      											_pop(__ecx);
                                                      											__esi =  >=  ? _t134 : __esi;
                                                      											__esi = __eax + __esi;
                                                      											__eflags = __esi;
                                                      											L80:
                                                      											__ebp =  *(__esp + 0x24);
                                                      											goto L93;
                                                      										case 0x14:
                                                      											__esi = __esi | 0xffffffff;
                                                      											goto L102;
                                                      										case 0x15:
                                                      											 *((intOrPtr*)(__esp + 0x3c)) =  *((intOrPtr*)(__esp + 0x3c)) + 1;
                                                      											_push(3);
                                                      											goto L74;
                                                      										case 0x16:
                                                      											__eax = 0;
                                                      											goto L75;
                                                      										case 0x17:
                                                      											__eax = 0;
                                                      											__eflags = 0;
                                                      											_t104 = __eax + 1; // 0x1
                                                      											__edx = _t104;
                                                      											goto L71;
                                                      										case 0x18:
                                                      											_t342 =  *(_t382 + 0x814);
                                                      											__eflags = _t342 - _t313;
                                                      											_push(1);
                                                      											_t294 =  <=  ? _t313 : _t342;
                                                      											 *(_t392 + 0x1c) =  *(_t392 + 0x1c) & 0;
                                                      											 *(_t392 + 0x24) =  *(_t392 + 0x24) & 0;
                                                      											_t314 =  <=  ? _t313 : _t342;
                                                      											__eflags =  *(_t392 + 0x38) - 3;
                                                      											 *(_t392 + 0x34) =  <=  ? _t313 : _t342;
                                                      											__eflags = _t342 - (0 |  *(_t392 + 0x38) == 0x00000003);
                                                      											_pop(_t297);
                                                      											_t374 =  !=  ? _t297 :  *(_t392 + 0x30);
                                                      											 *(_t392 + 0x2c) =  !=  ? _t297 :  *(_t392 + 0x30);
                                                      											goto L129;
                                                      										case 0x19:
                                                      											__eax = 0;
                                                      											__eax = 1;
                                                      											__eflags = 1;
                                                      											L58:
                                                      											_push(2);
                                                      											_pop(__ecx);
                                                      											 *(__esp + 0x18) = __ecx;
                                                      											goto L75;
                                                      										case 0x1a:
                                                      											L69:
                                                      											_push(5);
                                                      											goto L74;
                                                      										case 0x1b:
                                                      											__eax = 0;
                                                      											__eax = 1;
                                                      											__eflags = 1;
                                                      											L61:
                                                      											_push(3);
                                                      											_pop(__esi);
                                                      											 *(__esp + 0x18) = __esi;
                                                      											goto L75;
                                                      										case 0x1c:
                                                      											__eax = 0;
                                                      											__eax = 1;
                                                      											goto L75;
                                                      										case 0x1d:
                                                      											L73:
                                                      											_push(6);
                                                      											goto L74;
                                                      										case 0x1e:
                                                      											L65:
                                                      											_push(2);
                                                      											goto L74;
                                                      										case 0x1f:
                                                      											__eax = __esp + 0x24;
                                                      											__eax = E73431B4C(__esp + 0x24);
                                                      											__ebp =  *(__esp + 0x28);
                                                      											_t138 = __eax + 1; // 0x1
                                                      											__esi = _t138;
                                                      											L92:
                                                      											_pop(__ecx);
                                                      											L93:
                                                      											__eflags = __esi;
                                                      											if(__esi == 0) {
                                                      												goto L129;
                                                      											}
                                                      											L102:
                                                      											__ecx =  *(__esp + 0x20);
                                                      											0 = 1;
                                                      											 *((intOrPtr*)(__esp + 0x2c)) = 1;
                                                      											__eflags = __ecx;
                                                      											if(__ecx != 0) {
                                                      												__eflags = __ecx - 1;
                                                      												if(__ecx == 1) {
                                                      													__eax = __ebx;
                                                      													__eax = __ebx << 5;
                                                      													__eflags = __eax;
                                                      													 *(__eax + __edi + 0x82c) = __esi;
                                                      												}
                                                      												L109:
                                                      												 *(__esp + 0x20) = __ecx;
                                                      												goto L129;
                                                      											}
                                                      											__ebx = __ebx << 5;
                                                      											__eax =  *(__ebx + __edi + 0x830);
                                                      											__eflags = __eax - 0xffffffff;
                                                      											if(__eax <= 0xffffffff) {
                                                      												L105:
                                                      												__eax = GlobalFree(__eax);
                                                      												__ecx =  *(__esp + 0x20);
                                                      												L106:
                                                      												 *(__ebx + __edi + 0x830) = __esi;
                                                      												goto L109;
                                                      											}
                                                      											__eflags = __eax - 0x19;
                                                      											if(__eax <= 0x19) {
                                                      												goto L106;
                                                      											}
                                                      											goto L105;
                                                      										case 0x20:
                                                      											L71:
                                                      											_push(4);
                                                      											L74:
                                                      											_pop(__eax);
                                                      											L75:
                                                      											__ecx =  *(0x73434090 + __eax * 4);
                                                      											__esi = __ebx;
                                                      											__esi = __ebx << 5;
                                                      											__edx =  ~__edx;
                                                      											_push(1);
                                                      											asm("sbb edx, edx");
                                                      											 *(__esp + 0x30) = 1;
                                                      											__edx = __edx & 0x00008000;
                                                      											__edx = __edx | __eax;
                                                      											0 = 1;
                                                      											 *(__esi + __edi + 0x818) = __edx;
                                                      											__edx =  *(__esp + 0x1c);
                                                      											__eflags = __ecx;
                                                      											__eax =  >  ? __ecx : 1;
                                                      											__eflags = __edx;
                                                      											_pop(__ecx);
                                                      											__eax =  <  ? __ecx :  >  ? __ecx : 1;
                                                      											 *((intOrPtr*)(__esi + __edi + 0x828)) =  <  ? __ecx :  >  ? __ecx : 1;
                                                      											__eflags = __edx - __ecx;
                                                      											if(__edx == __ecx) {
                                                      												__eax = __esp + 0x24;
                                                      												__eax = E73431B4C(__esp + 0x24);
                                                      												__ebp =  *(__esp + 0x28);
                                                      												_t116 = __eax + 1; // 0x1
                                                      												__edx = _t116;
                                                      												 *(__esp + 0x18) = __edx;
                                                      											}
                                                      											 *(__esi + __edi + 0x830) =  *(__esi + __edi + 0x830) & 0x00000000;
                                                      											__ecx = __ebx + 0x41;
                                                      											__ecx = __ebx + 0x41 << 5;
                                                      											 *(__esi + __edi + 0x81c) = __edx;
                                                      											 *((__ebx + 0x41 << 5) + __edi) =  *((__ebx + 0x41 << 5) + __edi) & 0x00000000;
                                                      											 *(__esi + __edi + 0x82c) =  *(__esi + __edi + 0x82c) & 0x00000000;
                                                      											goto L129;
                                                      										case 0x21:
                                                      											goto L129;
                                                      									}
                                                      								}
                                                      								_t343 = _t341 - 1;
                                                      								__eflags = _t343;
                                                      								if(_t343 == 0) {
                                                      									_t313 = 0;
                                                      									 *(_t392 + 0x30) = 0;
                                                      									goto L49;
                                                      								}
                                                      								__eflags = _t343 != 1;
                                                      								if(_t343 != 1) {
                                                      									goto L121;
                                                      								}
                                                      								__eflags = _t241 - 0x6e;
                                                      								if(__eflags > 0) {
                                                      									_t298 = _t241 - 0x72;
                                                      									__eflags = _t298;
                                                      									if(_t298 == 0) {
                                                      										_push(4);
                                                      										L41:
                                                      										_pop(_t299);
                                                      										L42:
                                                      										_t345 =  *(_t382 + 0x810);
                                                      										__eflags =  *(_t392 + 0x18) - 1;
                                                      										if( *(_t392 + 0x18) != 1) {
                                                      											_t346 = _t345 &  !_t299;
                                                      											__eflags = _t346;
                                                      										} else {
                                                      											_t346 = _t345 | _t299;
                                                      										}
                                                      										 *(_t382 + 0x810) = _t346;
                                                      										goto L46;
                                                      									}
                                                      									_t303 = _t298 - 1;
                                                      									__eflags = _t303;
                                                      									if(_t303 == 0) {
                                                      										_push(0x10);
                                                      										goto L41;
                                                      									}
                                                      									_t347 = 2;
                                                      									__eflags = _t303 != _t347;
                                                      									if(_t303 != _t347) {
                                                      										goto L129;
                                                      									}
                                                      									_push(0x40);
                                                      									goto L41;
                                                      								}
                                                      								if(__eflags == 0) {
                                                      									_push(8);
                                                      									goto L41;
                                                      								}
                                                      								_t305 = _t241 - 0x21;
                                                      								__eflags = _t305;
                                                      								if(_t305 == 0) {
                                                      									 *(_t392 + 0x18) =  ~( *(_t392 + 0x18));
                                                      									goto L129;
                                                      								}
                                                      								_t306 = _t305 - 0x11;
                                                      								__eflags = _t306;
                                                      								if(_t306 == 0) {
                                                      									_t299 = 0x100;
                                                      									goto L42;
                                                      								}
                                                      								_t307 = _t306 - 0x31;
                                                      								__eflags = _t307;
                                                      								if(_t307 == 0) {
                                                      									_t299 = 1;
                                                      									goto L42;
                                                      								}
                                                      								_t348 = 2;
                                                      								__eflags = _t307 != _t348;
                                                      								if(_t307 != _t348) {
                                                      									goto L129;
                                                      								} else {
                                                      									_push(0x20);
                                                      									goto L41;
                                                      								}
                                                      							}
                                                      							 *(_t392 + 0x1c) =  *(_t392 + 0x1c) & 0x00000000;
                                                      							 *(_t392 + 0x34) =  *(_t392 + 0x34) & 0x00000000;
                                                      							goto L132;
                                                      						}
                                                      						__eflags =  *((char*)(_t391 - 1)) - 0x3a;
                                                      						if( *((char*)(_t391 - 1)) != 0x3a) {
                                                      							goto L29;
                                                      						}
                                                      						__eflags = _t336;
                                                      						if(_t336 == 0) {
                                                      							goto L15;
                                                      						}
                                                      						goto L29;
                                                      					}
                                                      					_t349 = _t335 - 5;
                                                      					if(_t349 == 0) {
                                                      						__eflags =  *(_t392 + 0x28);
                                                      						if( *(_t392 + 0x28) == 0) {
                                                      							 *(_t392 + 0x1c) = 1;
                                                      							__eflags =  *(_t392 + 0x34) - 3;
                                                      							_t360 = (0 |  *(_t392 + 0x34) == 0x00000003) + 1;
                                                      							__eflags = _t360;
                                                      							 *(_t392 + 0x30) = _t360;
                                                      						}
                                                      						 *(_t392 + 0x18) =  *(_t392 + 0x18) & 0x00000000;
                                                      						_t377 =  *(_t392 + 0x28);
                                                      						__eflags = _t377;
                                                      						_t351 =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
                                                      						 *(_t392 + 0x18) =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
                                                      						 *(_t392 + 0x2c) =  *(_t392 + 0x2c) & 0x00000000;
                                                      						__eflags = _t377;
                                                      						_t353 =  ==  ?  *(_t392 + 0x2c) :  *(_t392 + 0x2c);
                                                      						 *(_t392 + 0x2c) =  ==  ?  *(_t392 + 0x2c) :  *(_t392 + 0x2c);
                                                      						__eflags = _t377;
                                                      						_t355 = 0 | _t377 == 0x00000000;
                                                      						 *(_t392 + 0x20) =  *(_t392 + 0x20) & 0x00000000;
                                                      						__eflags =  *(_t392 + 0x28);
                                                      						_t379 =  ==  ?  *(_t392 + 0x20) :  *(_t392 + 0x20);
                                                      						L13:
                                                      						 *(_t392 + 0x20) = _t379;
                                                      						_t368 =  *(_t392 + 0x40);
                                                      						__eflags = _t355;
                                                      						if(_t355 != 0) {
                                                      							goto L132;
                                                      						}
                                                      						L14:
                                                      						_t336 =  *(_t392 + 0x1c);
                                                      						goto L15;
                                                      					}
                                                      					_t361 = _t349 - 1;
                                                      					if(_t361 == 0) {
                                                      						_t380 =  *(_t392 + 0x28);
                                                      						__eflags = _t380;
                                                      						_t363 =  ==  ?  *((void*)(_t392 + 0x48)) :  *(_t392 + 0x1c);
                                                      						 *(_t392 + 0x1c) =  ==  ?  *((void*)(_t392 + 0x48)) :  *(_t392 + 0x1c);
                                                      						 *(_t392 + 0x18) =  *(_t392 + 0x18) & 0x00000000;
                                                      						__eflags = _t380;
                                                      						_t365 =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
                                                      						 *(_t392 + 0x18) =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
                                                      						__eflags = _t380;
                                                      						_t355 = 0 | _t380 == 0x00000000;
                                                      						 *(_t392 + 0x20) =  *(_t392 + 0x20) & 0x00000000;
                                                      						__eflags =  *(_t392 + 0x28);
                                                      						_t379 =  ==  ?  *(_t392 + 0x20) :  *(_t392 + 0x20);
                                                      						goto L13;
                                                      					}
                                                      					if(_t361 != 0x16) {
                                                      						goto L14;
                                                      					} else {
                                                      						 *(_t392 + 0x1c) = 3;
                                                      						 *(_t392 + 0x18) = 1;
                                                      						goto L132;
                                                      					}
                                                      				}
                                                      				GlobalFree( *(_t392 + 0x44));
                                                      				GlobalFree( *(_t392 + 0x14));
                                                      				GlobalFree( *(_t392 + 0x38)); // executed
                                                      				if(_t382 == 0 ||  *(_t382 + 0x80c) != 0) {
                                                      					L181:
                                                      					return _t382;
                                                      				} else {
                                                      					_t249 =  *_t382 - 1;
                                                      					if(_t249 == 0) {
                                                      						_t215 = _t382 + 8; // 0x8
                                                      						_t386 = _t215;
                                                      						__eflags =  *_t386;
                                                      						if( *_t386 != 0) {
                                                      							_t250 = GetModuleHandleA(_t386);
                                                      							 *(_t382 + 0x808) = _t250;
                                                      							__eflags = _t250;
                                                      							if(_t250 != 0) {
                                                      								L169:
                                                      								_t220 = _t382 + 0x408; // 0x408
                                                      								_t387 = _t220;
                                                      								_t251 = E73431ECE(_t250, _t387);
                                                      								 *(_t382 + 0x80c) = _t251;
                                                      								__eflags = _t251;
                                                      								if(_t251 == 0) {
                                                      									__eflags =  *_t387 - 0x23;
                                                      									if( *_t387 == 0x23) {
                                                      										_t222 = _t382 + 0x409; // 0x409
                                                      										_t255 = E73431326();
                                                      										__eflags = _t255;
                                                      										if(_t255 != 0) {
                                                      											__eflags = _t255 & 0xffff0000;
                                                      											if((_t255 & 0xffff0000) == 0) {
                                                      												 *(_t382 + 0x80c) = GetProcAddress( *(_t382 + 0x808), _t255 & 0x0000ffff);
                                                      											}
                                                      										}
                                                      									}
                                                      								}
                                                      								__eflags =  *(_t392 + 0x3c);
                                                      								if( *(_t392 + 0x3c) != 0) {
                                                      									L176:
                                                      									_t252 = lstrlenA(_t387);
                                                      									_t323 = 0x41;
                                                      									_t387[_t252] = _t323;
                                                      									_t253 = E73431ECE( *(_t382 + 0x808), _t387);
                                                      									__eflags = _t253;
                                                      									if(_t253 == 0) {
                                                      										__eflags =  *(_t382 + 0x80c);
                                                      										L179:
                                                      										if(__eflags != 0) {
                                                      											goto L181;
                                                      										}
                                                      										L180:
                                                      										_t233 = _t382 + 4;
                                                      										 *_t233 =  *(_t382 + 4) | 0xffffffff;
                                                      										__eflags =  *_t233;
                                                      										goto L181;
                                                      									}
                                                      									L177:
                                                      									 *(_t382 + 0x80c) = _t253;
                                                      									goto L181;
                                                      								} else {
                                                      									__eflags =  *(_t382 + 0x80c);
                                                      									if( *(_t382 + 0x80c) != 0) {
                                                      										goto L181;
                                                      									}
                                                      									goto L176;
                                                      								}
                                                      							}
                                                      							_t250 = LoadLibraryA(_t386); // executed
                                                      							 *(_t382 + 0x808) = _t250;
                                                      							__eflags = _t250;
                                                      							if(_t250 == 0) {
                                                      								goto L180;
                                                      							}
                                                      							goto L169;
                                                      						}
                                                      						_t216 = _t382 + 0x408; // 0x408
                                                      						_t259 = E73431326();
                                                      						 *(_t382 + 0x80c) = _t259;
                                                      						__eflags = _t259;
                                                      						goto L179;
                                                      					}
                                                      					_t260 = _t249 - 1;
                                                      					if(_t260 == 0) {
                                                      						_t214 = _t382 + 0x408; // 0x408
                                                      						_t261 = _t214;
                                                      						__eflags =  *_t261;
                                                      						if( *_t261 == 0) {
                                                      							goto L181;
                                                      						}
                                                      						_push(_t261);
                                                      						_t253 = E73431326();
                                                      						goto L177;
                                                      					}
                                                      					if(_t260 != 1) {
                                                      						goto L181;
                                                      					}
                                                      					_t202 = _t382 + 8; // 0x8
                                                      					_t317 = _t202;
                                                      					_push(_t202);
                                                      					_t388 = E73431326();
                                                      					 *(_t382 + 0x808) = _t388;
                                                      					if(_t388 == 0) {
                                                      						goto L180;
                                                      					}
                                                      					 *(_t382 + 0x84c) =  *(_t382 + 0x84c) & 0x00000000;
                                                      					_t264 = E734312AF(_t317);
                                                      					 *(_t382 + 0x83c) =  *(_t382 + 0x83c) & 0x00000000;
                                                      					 *((intOrPtr*)(_t382 + 0x850)) = _t264;
                                                      					 *((intOrPtr*)(_t382 + 0x848)) = 1;
                                                      					 *((intOrPtr*)(_t382 + 0x838)) = 1;
                                                      					_t211 = _t382 + 0x408; // 0x408
                                                      					_t253 =  *(_t388->i + E73431326() * 4);
                                                      					goto L177;
                                                      				}
                                                      			}
                                                      0x00000000
                                                      0x7343273d
                                                      0x73432704
                                                      0x73432707
                                                      0x7343270e
                                                      0x73432711
                                                      0x73432718
                                                      0x73432719
                                                      0x7343271f
                                                      0x73432723
                                                      0x73432723
                                                      0x00000000
                                                      0x73432723
                                                      0x73432713
                                                      0x73432716
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x734325a6
                                                      0x734325a6
                                                      0x734325b1
                                                      0x734325b1
                                                      0x734325b2
                                                      0x734325b2
                                                      0x734325b9
                                                      0x734325bb
                                                      0x734325be
                                                      0x734325c0
                                                      0x734325c2
                                                      0x734325c4
                                                      0x734325cc
                                                      0x734325d2
                                                      0x734325d6
                                                      0x734325d7
                                                      0x734325de
                                                      0x734325e2
                                                      0x734325e4
                                                      0x734325e7
                                                      0x734325e9
                                                      0x734325ea
                                                      0x734325ed
                                                      0x734325f4
                                                      0x734325f6
                                                      0x734325f8
                                                      0x734325fd
                                                      0x73432602
                                                      0x73432607
                                                      0x73432607
                                                      0x7343260a
                                                      0x7343260a
                                                      0x7343260e
                                                      0x73432616
                                                      0x73432619
                                                      0x7343261c
                                                      0x73432623
                                                      0x73432627
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x734324e5
                                                      0x73432401
                                                      0x73432401
                                                      0x73432404
                                                      0x734324c4
                                                      0x734324c6
                                                      0x00000000
                                                      0x734324c6
                                                      0x7343240a
                                                      0x7343240d
                                                      0x00000000
                                                      0x00000000
                                                      0x73432413
                                                      0x73432416
                                                      0x7343247b
                                                      0x7343247b
                                                      0x7343247e
                                                      0x73432498
                                                      0x7343249a
                                                      0x7343249a
                                                      0x7343249b
                                                      0x7343249b
                                                      0x734324a4
                                                      0x734324a8
                                                      0x734324b0
                                                      0x734324b0
                                                      0x734324aa
                                                      0x734324aa
                                                      0x734324aa
                                                      0x734324b2
                                                      0x00000000
                                                      0x734324b2
                                                      0x73432480
                                                      0x73432480
                                                      0x73432483
                                                      0x73432494
                                                      0x00000000
                                                      0x73432494
                                                      0x73432487
                                                      0x73432488
                                                      0x7343248a
                                                      0x00000000
                                                      0x00000000
                                                      0x73432490
                                                      0x00000000
                                                      0x73432490
                                                      0x73432418
                                                      0x73432477
                                                      0x00000000
                                                      0x73432477
                                                      0x7343241a
                                                      0x7343241a
                                                      0x7343241d
                                                      0x7343246e
                                                      0x00000000
                                                      0x7343246e
                                                      0x7343241f
                                                      0x7343241f
                                                      0x73432422
                                                      0x73432467
                                                      0x00000000
                                                      0x73432467
                                                      0x73432424
                                                      0x73432424
                                                      0x73432427
                                                      0x73432464
                                                      0x00000000
                                                      0x73432464
                                                      0x7343242b
                                                      0x7343242c
                                                      0x7343242e
                                                      0x00000000
                                                      0x73432434
                                                      0x73432434
                                                      0x00000000
                                                      0x73432434
                                                      0x7343242e
                                                      0x73432453
                                                      0x73432458
                                                      0x00000000
                                                      0x73432458
                                                      0x73432442
                                                      0x73432446
                                                      0x00000000
                                                      0x00000000
                                                      0x73432448
                                                      0x7343244a
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x7343244a
                                                      0x7343230e
                                                      0x73432311
                                                      0x73432378
                                                      0x7343237d
                                                      0x73432382
                                                      0x73432388
                                                      0x73432390
                                                      0x73432390
                                                      0x73432391
                                                      0x73432391
                                                      0x73432399
                                                      0x7343239e
                                                      0x734323a2
                                                      0x734323a4
                                                      0x734323a9
                                                      0x734323b1
                                                      0x734323b6
                                                      0x734323b8
                                                      0x734323bd
                                                      0x734323c3
                                                      0x734323c9
                                                      0x734323cc
                                                      0x734323d1
                                                      0x734323d6
                                                      0x734323db
                                                      0x734323db
                                                      0x734323df
                                                      0x734323e3
                                                      0x734323e5
                                                      0x00000000
                                                      0x00000000
                                                      0x734323eb
                                                      0x734323eb
                                                      0x00000000
                                                      0x734323eb
                                                      0x73432313
                                                      0x73432316
                                                      0x73432335
                                                      0x73432339
                                                      0x7343233f
                                                      0x73432344
                                                      0x7343234c
                                                      0x73432351
                                                      0x73432353
                                                      0x73432358
                                                      0x7343235e
                                                      0x73432364
                                                      0x73432367
                                                      0x7343236c
                                                      0x73432371
                                                      0x00000000
                                                      0x73432371
                                                      0x7343231b
                                                      0x00000000
                                                      0x73432321
                                                      0x73432323
                                                      0x7343232c
                                                      0x00000000
                                                      0x7343232c
                                                      0x7343231b
                                                      0x73432901
                                                      0x73432907
                                                      0x7343290d
                                                      0x73432911
                                                      0x73432a8a
                                                      0x73432a93
                                                      0x73432925
                                                      0x73432927
                                                      0x7343292a
                                                      0x734329b5
                                                      0x734329b5
                                                      0x734329b8
                                                      0x734329ba
                                                      0x734329d7
                                                      0x734329dd
                                                      0x734329e3
                                                      0x734329e5
                                                      0x734329fc
                                                      0x734329fc
                                                      0x734329fc
                                                      0x73432a04
                                                      0x73432a09
                                                      0x73432a11
                                                      0x73432a13
                                                      0x73432a15
                                                      0x73432a18
                                                      0x73432a1a
                                                      0x73432a21
                                                      0x73432a27
                                                      0x73432a29
                                                      0x73432a2b
                                                      0x73432a30
                                                      0x73432a42
                                                      0x73432a42
                                                      0x73432a30
                                                      0x73432a29
                                                      0x73432a18
                                                      0x73432a48
                                                      0x73432a4c
                                                      0x73432a56
                                                      0x73432a57
                                                      0x73432a5f
                                                      0x73432a61
                                                      0x73432a6b
                                                      0x73432a72
                                                      0x73432a74
                                                      0x73432a7e
                                                      0x73432a84
                                                      0x73432a84
                                                      0x00000000
                                                      0x00000000
                                                      0x73432a86
                                                      0x73432a86
                                                      0x73432a86
                                                      0x73432a86
                                                      0x00000000
                                                      0x73432a86
                                                      0x73432a76
                                                      0x73432a76
                                                      0x00000000
                                                      0x73432a4e
                                                      0x73432a4e
                                                      0x73432a54
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x73432a54
                                                      0x73432a4c
                                                      0x734329e8
                                                      0x734329ee
                                                      0x734329f4
                                                      0x734329f6
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x734329f6
                                                      0x734329bc
                                                      0x734329c3
                                                      0x734329c9
                                                      0x734329cf
                                                      0x00000000
                                                      0x734329cf
                                                      0x73432930
                                                      0x73432933
                                                      0x7343299b
                                                      0x7343299b
                                                      0x734329a1
                                                      0x734329a3
                                                      0x00000000
                                                      0x00000000
                                                      0x734329a9
                                                      0x734329aa
                                                      0x00000000
                                                      0x734329af
                                                      0x73432938
                                                      0x00000000
                                                      0x00000000
                                                      0x7343293e
                                                      0x7343293e
                                                      0x73432941
                                                      0x73432947
                                                      0x73432949
                                                      0x73432952
                                                      0x00000000
                                                      0x00000000
                                                      0x73432958
                                                      0x73432960
                                                      0x73432965
                                                      0x7343296c
                                                      0x73432975
                                                      0x7343297b
                                                      0x73432981
                                                      0x73432994
                                                      0x00000000
                                                      0x73432994

                                                      APIs
                                                        • Part of subcall function 734312C6: GlobalAlloc.KERNELBASE(00000040,734311C4,-000000A0), ref: 734312CE
                                                      • lstrcpyA.KERNEL32(?,?), ref: 734327C0
                                                      • GlobalAlloc.KERNEL32(00000040,000014A4), ref: 7343281B
                                                      • lstrcpyA.KERNEL32(00000008,?), ref: 7343286B
                                                      • lstrcpyA.KERNEL32(00000408,?), ref: 73432876
                                                      • GlobalFree.KERNEL32 ref: 73432887
                                                      • GlobalFree.KERNEL32 ref: 73432901
                                                      • GlobalFree.KERNEL32 ref: 73432907
                                                      • GlobalFree.KERNEL32 ref: 7343290D
                                                      • GetModuleHandleA.KERNEL32(00000008), ref: 734329D7
                                                      • LoadLibraryA.KERNELBASE(00000008), ref: 734329E8
                                                      • GetProcAddress.KERNEL32(?,?), ref: 73432A3C
                                                      • lstrlenA.KERNEL32(00000408), ref: 73432A57
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.853199298.0000000073431000.00000020.00000001.01000000.00000004.sdmp, Offset: 73430000, based on PE: true
                                                      • Associated: 00000000.00000002.853187298.0000000073430000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853222168.0000000073434000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853240329.0000000073436000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73430000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                      • String ID: :
                                                      • API String ID: 245916457-336475711
                                                      • Opcode ID: ec56419a178cb82e1ebd92632e9e7893337a224f20d7e6b053da7fab9492e63a
                                                      • Instruction ID: 64942849c804dc424f703b5dedb96ba8d77145676c05331b7d60fee27b7289ca
                                                      • Opcode Fuzzy Hash: ec56419a178cb82e1ebd92632e9e7893337a224f20d7e6b053da7fab9492e63a
                                                      • Instruction Fuzzy Hash: 4C32A07160830ADFD34DDE34C44075ABBF5FF8E314F948A2DE5AAA3294D73095468B8A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 856 405a19-405a3f call 405cd7 859 405a41-405a53 DeleteFileA 856->859 860 405a58-405a5f 856->860 861 405be2-405be6 859->861 862 405a61-405a63 860->862 863 405a72-405a82 call 406257 860->863 864 405b90-405b95 862->864 865 405a69-405a6c 862->865 871 405a91-405a92 call 405c30 863->871 872 405a84-405a8f lstrcatA 863->872 864->861 868 405b97-405b9a 864->868 865->863 865->864 869 405ba4-405bac call 4065ce 868->869 870 405b9c-405ba2 868->870 869->861 879 405bae-405bc2 call 405be9 call 4059d1 869->879 870->861 874 405a97-405a9a 871->874 872->874 877 405aa5-405aab lstrcatA 874->877 878 405a9c-405aa3 874->878 880 405ab0-405ace lstrlenA FindFirstFileA 877->880 878->877 878->880 895 405bc4-405bc7 879->895 896 405bda-405bdd call 405378 879->896 882 405ad4-405aeb call 405c14 880->882 883 405b86-405b8a 880->883 889 405af6-405af9 882->889 890 405aed-405af1 882->890 883->864 885 405b8c 883->885 885->864 893 405afb-405b00 889->893 894 405b0c-405b1a call 406257 889->894 890->889 892 405af3 890->892 892->889 898 405b02-405b04 893->898 899 405b65-405b77 FindNextFileA 893->899 906 405b31-405b3c call 4059d1 894->906 907 405b1c-405b24 894->907 895->870 901 405bc9-405bd8 call 405378 call 406030 895->901 896->861 898->894 902 405b06-405b0a 898->902 899->882 904 405b7d-405b80 FindClose 899->904 901->861 902->894 902->899 904->883 915 405b5d-405b60 call 405378 906->915 916 405b3e-405b41 906->916 907->899 909 405b26-405b2f call 405a19 907->909 909->899 915->899 918 405b43-405b53 call 405378 call 406030 916->918 919 405b55-405b5b 916->919 918->899 919->899
                                                      C-Code - Quality: 98%
                                                      			E00405A19(void* __eflags, signed int _a4, signed int _a8) {
                                                      				signed int _v8;
                                                      				void* _v12;
                                                      				signed int _v16;
                                                      				struct _WIN32_FIND_DATAA _v336;
                                                      				signed int _t40;
                                                      				char* _t53;
                                                      				signed int _t55;
                                                      				signed int _t58;
                                                      				signed int _t64;
                                                      				signed int _t66;
                                                      				void* _t68;
                                                      				signed char _t69;
                                                      				CHAR* _t71;
                                                      				void* _t72;
                                                      				CHAR* _t73;
                                                      				char* _t76;
                                                      
                                                      				_t69 = _a8;
                                                      				_t73 = _a4;
                                                      				_v8 = _t69 & 0x00000004;
                                                      				_t40 = E00405CD7(__eflags, _t73);
                                                      				_v16 = _t40;
                                                      				if((_t69 & 0x00000008) != 0) {
                                                      					_t66 = DeleteFileA(_t73); // executed
                                                      					asm("sbb eax, eax");
                                                      					_t68 =  ~_t66 + 1;
                                                      					 *0x4524a8 =  *0x4524a8 + _t68;
                                                      					return _t68;
                                                      				}
                                                      				_a4 = _t69;
                                                      				_t8 =  &_a4;
                                                      				 *_t8 = _a4 & 0x00000001;
                                                      				__eflags =  *_t8;
                                                      				if( *_t8 == 0) {
                                                      					L5:
                                                      					E00406257(0x444098, _t73);
                                                      					__eflags = _a4;
                                                      					if(_a4 == 0) {
                                                      						E00405C30(_t73);
                                                      					} else {
                                                      						lstrcatA(0x444098, "\*.*");
                                                      					}
                                                      					__eflags =  *_t73;
                                                      					if( *_t73 != 0) {
                                                      						L10:
                                                      						lstrcatA(_t73, 0x40a014);
                                                      						L11:
                                                      						_t71 =  &(_t73[lstrlenA(_t73)]);
                                                      						_t40 = FindFirstFileA(0x444098,  &_v336);
                                                      						__eflags = _t40 - 0xffffffff;
                                                      						_v12 = _t40;
                                                      						if(_t40 == 0xffffffff) {
                                                      							L29:
                                                      							__eflags = _a4;
                                                      							if(_a4 != 0) {
                                                      								_t32 = _t71 - 1;
                                                      								 *_t32 =  *(_t71 - 1) & 0x00000000;
                                                      								__eflags =  *_t32;
                                                      							}
                                                      							goto L31;
                                                      						} else {
                                                      							goto L12;
                                                      						}
                                                      						do {
                                                      							L12:
                                                      							_t76 =  &(_v336.cFileName);
                                                      							_t53 = E00405C14( &(_v336.cFileName), 0x3f);
                                                      							__eflags =  *_t53;
                                                      							if( *_t53 != 0) {
                                                      								__eflags = _v336.cAlternateFileName;
                                                      								if(_v336.cAlternateFileName != 0) {
                                                      									_t76 =  &(_v336.cAlternateFileName);
                                                      								}
                                                      							}
                                                      							__eflags =  *_t76 - 0x2e;
                                                      							if( *_t76 != 0x2e) {
                                                      								L19:
                                                      								E00406257(_t71, _t76);
                                                      								__eflags = _v336.dwFileAttributes & 0x00000010;
                                                      								if(__eflags == 0) {
                                                      									_t55 = E004059D1(__eflags, _t73, _v8);
                                                      									__eflags = _t55;
                                                      									if(_t55 != 0) {
                                                      										E00405378(0xfffffff2, _t73);
                                                      									} else {
                                                      										__eflags = _v8 - _t55;
                                                      										if(_v8 == _t55) {
                                                      											 *0x4524a8 =  *0x4524a8 + 1;
                                                      										} else {
                                                      											E00405378(0xfffffff1, _t73);
                                                      											E00406030(_t72, _t73, 0);
                                                      										}
                                                      									}
                                                      								} else {
                                                      									__eflags = (_a8 & 0x00000003) - 3;
                                                      									if(__eflags == 0) {
                                                      										E00405A19(__eflags, _t73, _a8);
                                                      									}
                                                      								}
                                                      								goto L27;
                                                      							}
                                                      							_t64 =  *((intOrPtr*)(_t76 + 1));
                                                      							__eflags = _t64;
                                                      							if(_t64 == 0) {
                                                      								goto L27;
                                                      							}
                                                      							__eflags = _t64 - 0x2e;
                                                      							if(_t64 != 0x2e) {
                                                      								goto L19;
                                                      							}
                                                      							__eflags =  *((char*)(_t76 + 2));
                                                      							if( *((char*)(_t76 + 2)) == 0) {
                                                      								goto L27;
                                                      							}
                                                      							goto L19;
                                                      							L27:
                                                      							_t58 = FindNextFileA(_v12,  &_v336);
                                                      							__eflags = _t58;
                                                      						} while (_t58 != 0);
                                                      						_t40 = FindClose(_v12);
                                                      						goto L29;
                                                      					}
                                                      					__eflags =  *0x444098 - 0x5c;
                                                      					if( *0x444098 != 0x5c) {
                                                      						goto L11;
                                                      					}
                                                      					goto L10;
                                                      				} else {
                                                      					__eflags = _t40;
                                                      					if(_t40 == 0) {
                                                      						L31:
                                                      						__eflags = _a4;
                                                      						if(_a4 == 0) {
                                                      							L39:
                                                      							return _t40;
                                                      						}
                                                      						__eflags = _v16;
                                                      						if(_v16 != 0) {
                                                      							_t40 = E004065CE(_t73);
                                                      							__eflags = _t40;
                                                      							if(_t40 == 0) {
                                                      								goto L39;
                                                      							}
                                                      							E00405BE9(_t73);
                                                      							_t40 = E004059D1(__eflags, _t73, _v8 | 0x00000001);
                                                      							__eflags = _t40;
                                                      							if(_t40 != 0) {
                                                      								return E00405378(0xffffffe5, _t73);
                                                      							}
                                                      							__eflags = _v8;
                                                      							if(_v8 == 0) {
                                                      								goto L33;
                                                      							}
                                                      							E00405378(0xfffffff1, _t73);
                                                      							return E00406030(_t72, _t73, 0);
                                                      						}
                                                      						L33:
                                                      						 *0x4524a8 =  *0x4524a8 + 1;
                                                      						return _t40;
                                                      					}
                                                      					__eflags = _t69 & 0x00000002;
                                                      					if((_t69 & 0x00000002) == 0) {
                                                      						goto L31;
                                                      					}
                                                      					goto L5;
                                                      				}
                                                      			}




















                                                      APIs
                                                      • DeleteFileA.KERNELBASE(?,?,7476FA90,00485000,0047B000), ref: 00405A42
                                                      • lstrcatA.KERNEL32(00444098,\*.*,00444098,?,?,7476FA90,00485000,0047B000), ref: 00405A8A
                                                      • lstrcatA.KERNEL32(?,0040A014,?,00444098,?,?,7476FA90,00485000,0047B000), ref: 00405AAB
                                                      • lstrlenA.KERNEL32(?,?,0040A014,?,00444098,?,?,7476FA90,00485000,0047B000), ref: 00405AB1
                                                      • FindFirstFileA.KERNEL32(00444098,?,?,?,0040A014,?,00444098,?,?,7476FA90,00485000,0047B000), ref: 00405AC2
                                                      • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B6F
                                                      • FindClose.KERNEL32(00000000), ref: 00405B80
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                      • String ID: \*.*
                                                      • API String ID: 2035342205-1173974218
                                                      • Opcode ID: e17e1998f97f5d9c0b05528d7d3f480da4ab8f2a36dede4038293de73e58a342
                                                      • Instruction ID: 7373f7c24065ba85377ce78181eb49bf834506ffe63cf7a55ce9c7ac78545b15
                                                      • Opcode Fuzzy Hash: e17e1998f97f5d9c0b05528d7d3f480da4ab8f2a36dede4038293de73e58a342
                                                      • Instruction Fuzzy Hash: 4651DE30904A08AADB22AB618C89BAF7B78DF42314F24417BF441752D2C77CA981DE6D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004065CE(CHAR* _a4) {
                                                      				void* _t2;
                                                      
                                                      				_t2 = FindFirstFileA(_a4, 0x4480e0); // executed
                                                      				if(_t2 == 0xffffffff) {
                                                      					return 0;
                                                      				}
                                                      				FindClose(_t2);
                                                      				return 0x4480e0;
                                                      			}





                                                      APIs
                                                      • FindFirstFileA.KERNELBASE(7476FA90,004480E0,00446098,00405D1A,00446098,00446098,00000000,00446098,00446098,7476FA90,?,00485000,00405A39,?,7476FA90,00485000), ref: 004065D9
                                                      • FindClose.KERNEL32(00000000), ref: 004065E5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0
                                                      • Opcode ID: 91897166837ccdaf6e79e8037e8f47a8f79e1353e4b75f269b86cd68fbfe55b9
                                                      • Instruction ID: fd41d54537010d52f50df7b9b8b9e3478e19d392ae6c51f4a024acc321f66cb9
                                                      • Opcode Fuzzy Hash: 91897166837ccdaf6e79e8037e8f47a8f79e1353e4b75f269b86cd68fbfe55b9
                                                      • Instruction Fuzzy Hash: 89D01231514520ABD7516B38BD0C85B7A58AF053313228A3AF066F22E4CF34CC22969C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 84%
                                                      			E00403DDA(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                                                      				struct HWND__* _v28;
                                                      				void* _v84;
                                                      				void* _v88;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t32;
                                                      				signed int _t34;
                                                      				signed int _t36;
                                                      				struct HWND__* _t46;
                                                      				signed int _t65;
                                                      				struct HWND__* _t71;
                                                      				signed int _t84;
                                                      				struct HWND__* _t89;
                                                      				signed int _t97;
                                                      				int _t101;
                                                      				signed int _t115;
                                                      				int _t116;
                                                      				int _t120;
                                                      				signed int _t122;
                                                      				struct HWND__* _t125;
                                                      				struct HWND__* _t126;
                                                      				int _t127;
                                                      				intOrPtr _t128;
                                                      				long _t131;
                                                      				int _t133;
                                                      				int _t134;
                                                      				void* _t135;
                                                      
                                                      				_t128 = _a8;
                                                      				if(_t128 == 0x110 || _t128 == 0x408) {
                                                      					_t32 = _a12;
                                                      					_t125 = _a4;
                                                      					__eflags = _t128 - 0x110;
                                                      					 *0x43c078 = _t32;
                                                      					if(_t128 == 0x110) {
                                                      						 *0x452428 = _t125;
                                                      						 *0x43c08c = GetDlgItem(_t125, 1);
                                                      						_t89 = GetDlgItem(_t125, 2);
                                                      						_push(0xffffffff);
                                                      						_push(0x1c);
                                                      						 *0x434058 = _t89;
                                                      						E004042D4(_t125);
                                                      						SetClassLongA(_t125, 0xfffffff2,  *0x44e408); // executed
                                                      						 *0x44e3ec = E0040140B(4);
                                                      						_t32 = 1;
                                                      						__eflags = 1;
                                                      						 *0x43c078 = 1;
                                                      					}
                                                      					_t122 =  *0x40a1dc; // 0x0
                                                      					_t134 = 0;
                                                      					_t131 = (_t122 << 6) +  *0x452440;
                                                      					__eflags = _t122;
                                                      					if(_t122 < 0) {
                                                      						L36:
                                                      						E00404320(0x40b);
                                                      						while(1) {
                                                      							_t34 =  *0x43c078;
                                                      							 *0x40a1dc =  *0x40a1dc + _t34;
                                                      							_t131 = _t131 + (_t34 << 6);
                                                      							_t36 =  *0x40a1dc; // 0x0
                                                      							__eflags = _t36 -  *0x452444;
                                                      							if(_t36 ==  *0x452444) {
                                                      								E0040140B(1);
                                                      							}
                                                      							__eflags =  *0x44e3ec - _t134;
                                                      							if( *0x44e3ec != _t134) {
                                                      								break;
                                                      							}
                                                      							__eflags =  *0x40a1dc -  *0x452444; // 0x0
                                                      							if(__eflags >= 0) {
                                                      								break;
                                                      							}
                                                      							_t115 =  *(_t131 + 0x14);
                                                      							E004062EA(_t115, _t125, _t131, 0x48f000,  *((intOrPtr*)(_t131 + 0x24)));
                                                      							_push( *((intOrPtr*)(_t131 + 0x20)));
                                                      							_push(0xfffffc19);
                                                      							E004042D4(_t125);
                                                      							_push( *((intOrPtr*)(_t131 + 0x1c)));
                                                      							_push(0xfffffc1b);
                                                      							E004042D4(_t125);
                                                      							_push( *((intOrPtr*)(_t131 + 0x28)));
                                                      							_push(0xfffffc1a);
                                                      							E004042D4(_t125);
                                                      							_t46 = GetDlgItem(_t125, 3);
                                                      							__eflags =  *0x4524ac - _t134;
                                                      							_v28 = _t46;
                                                      							if( *0x4524ac != _t134) {
                                                      								_t115 = _t115 & 0x0000fefd | 0x00000004;
                                                      								__eflags = _t115;
                                                      							}
                                                      							ShowWindow(_t46, _t115 & 0x00000008); // executed
                                                      							EnableWindow( *(_t135 + 0x34), _t115 & 0x00000100); // executed
                                                      							E004042F6(_t115 & 0x00000002);
                                                      							_t116 = _t115 & 0x00000004;
                                                      							EnableWindow( *0x434058, _t116);
                                                      							__eflags = _t116 - _t134;
                                                      							if(_t116 == _t134) {
                                                      								_push(1);
                                                      							} else {
                                                      								_push(_t134);
                                                      							}
                                                      							EnableMenuItem(GetSystemMenu(_t125, _t134), 0xf060, ??);
                                                      							SendMessageA( *(_t135 + 0x3c), 0xf4, _t134, 1);
                                                      							__eflags =  *0x4524ac - _t134;
                                                      							if( *0x4524ac == _t134) {
                                                      								_push( *0x43c08c);
                                                      							} else {
                                                      								SendMessageA(_t125, 0x401, 2, _t134);
                                                      								_push( *0x434058);
                                                      							}
                                                      							E00404309();
                                                      							E00406257(0x43c090, E00403DBB());
                                                      							E004062EA(0x43c090, _t125, _t131,  &(0x43c090[lstrlenA(0x43c090)]),  *((intOrPtr*)(_t131 + 0x18)));
                                                      							SetWindowTextA(_t125, 0x43c090); // executed
                                                      							_push(_t134);
                                                      							_t65 = E00401389( *((intOrPtr*)(_t131 + 8)));
                                                      							__eflags = _t65;
                                                      							if(_t65 != 0) {
                                                      								continue;
                                                      							} else {
                                                      								__eflags =  *_t131 - _t134;
                                                      								if( *_t131 == _t134) {
                                                      									continue;
                                                      								}
                                                      								__eflags =  *(_t131 + 4) - 5;
                                                      								if( *(_t131 + 4) != 5) {
                                                      									DestroyWindow( *0x44e3f8); // executed
                                                      									 *0x438068 = _t131;
                                                      									__eflags =  *_t131 - _t134;
                                                      									if( *_t131 <= _t134) {
                                                      										goto L60;
                                                      									}
                                                      									_t71 = CreateDialogParamA( *0x452420,  *_t131 +  *0x44e400 & 0x0000ffff, _t125,  *( *(_t131 + 4) * 4 + "?D@"), _t131); // executed
                                                      									__eflags = _t71 - _t134;
                                                      									 *0x44e3f8 = _t71;
                                                      									if(_t71 == _t134) {
                                                      										goto L60;
                                                      									}
                                                      									_push( *((intOrPtr*)(_t131 + 0x2c)));
                                                      									_push(6);
                                                      									E004042D4(_t71);
                                                      									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t135 + 0x10);
                                                      									ScreenToClient(_t125, _t135 + 0x10);
                                                      									SetWindowPos( *0x44e3f8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                                                      									_push(_t134);
                                                      									E00401389( *((intOrPtr*)(_t131 + 0xc)));
                                                      									__eflags =  *0x44e3ec - _t134;
                                                      									if( *0x44e3ec != _t134) {
                                                      										goto L63;
                                                      									}
                                                      									ShowWindow( *0x44e3f8, 8); // executed
                                                      									E00404320(0x405);
                                                      									goto L60;
                                                      								}
                                                      								__eflags =  *0x4524ac - _t134;
                                                      								if( *0x4524ac != _t134) {
                                                      									goto L63;
                                                      								}
                                                      								__eflags =  *0x4524a0 - _t134;
                                                      								if( *0x4524a0 != _t134) {
                                                      									continue;
                                                      								}
                                                      								goto L63;
                                                      							}
                                                      						}
                                                      						DestroyWindow( *0x44e3f8);
                                                      						 *0x452428 = _t134;
                                                      						EndDialog(_t125,  *0x436060);
                                                      						goto L60;
                                                      					} else {
                                                      						__eflags = _t32 - 1;
                                                      						if(_t32 != 1) {
                                                      							L35:
                                                      							__eflags =  *_t131 - _t134;
                                                      							if( *_t131 == _t134) {
                                                      								goto L63;
                                                      							}
                                                      							goto L36;
                                                      						}
                                                      						_push(0);
                                                      						_t84 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
                                                      						__eflags = _t84;
                                                      						if(_t84 == 0) {
                                                      							goto L35;
                                                      						}
                                                      						SendMessageA( *0x44e3f8, 0x40f, 0, 1);
                                                      						__eflags =  *0x44e3ec;
                                                      						return 0 |  *0x44e3ec == 0x00000000;
                                                      					}
                                                      				} else {
                                                      					_t125 = _a4;
                                                      					_t134 = 0;
                                                      					if(_t128 == 0x47) {
                                                      						SetWindowPos( *0x43c070, _t125, 0, 0, 0, 0, 0x13);
                                                      					}
                                                      					_t120 = _a12;
                                                      					if(_t128 != 5) {
                                                      						L8:
                                                      						if(_t128 != 0x40d) {
                                                      							__eflags = _t128 - 0x11;
                                                      							if(_t128 != 0x11) {
                                                      								__eflags = _t128 - 0x111;
                                                      								if(_t128 != 0x111) {
                                                      									goto L28;
                                                      								}
                                                      								_t133 = _t120 & 0x0000ffff;
                                                      								_t126 = GetDlgItem(_t125, _t133);
                                                      								__eflags = _t126 - _t134;
                                                      								if(_t126 == _t134) {
                                                      									L15:
                                                      									__eflags = _t133 - 1;
                                                      									if(_t133 != 1) {
                                                      										__eflags = _t133 - 3;
                                                      										if(_t133 != 3) {
                                                      											_t127 = 2;
                                                      											__eflags = _t133 - _t127;
                                                      											if(_t133 != _t127) {
                                                      												L27:
                                                      												SendMessageA( *0x44e3f8, 0x111, _t120, _a16);
                                                      												goto L28;
                                                      											}
                                                      											__eflags =  *0x4524ac - _t134;
                                                      											if( *0x4524ac == _t134) {
                                                      												_t97 = E0040140B(3);
                                                      												__eflags = _t97;
                                                      												if(_t97 != 0) {
                                                      													goto L28;
                                                      												}
                                                      												 *0x436060 = 1;
                                                      												L23:
                                                      												_push(0x78);
                                                      												L24:
                                                      												E004042AD();
                                                      												goto L28;
                                                      											}
                                                      											E0040140B(_t127);
                                                      											 *0x436060 = _t127;
                                                      											goto L23;
                                                      										}
                                                      										__eflags =  *0x40a1dc - _t134; // 0x0
                                                      										if(__eflags <= 0) {
                                                      											goto L27;
                                                      										}
                                                      										_push(0xffffffff);
                                                      										goto L24;
                                                      									}
                                                      									_push(_t133);
                                                      									goto L24;
                                                      								}
                                                      								SendMessageA(_t126, 0xf3, _t134, _t134);
                                                      								_t101 = IsWindowEnabled(_t126);
                                                      								__eflags = _t101;
                                                      								if(_t101 == 0) {
                                                      									L63:
                                                      									return 0;
                                                      								}
                                                      								goto L15;
                                                      							}
                                                      							SetWindowLongA(_t125, _t134, _t134);
                                                      							return 1;
                                                      						}
                                                      						DestroyWindow( *0x44e3f8);
                                                      						 *0x44e3f8 = _t120;
                                                      						L60:
                                                      						if( *0x444090 == _t134 &&  *0x44e3f8 != _t134) {
                                                      							ShowWindow(_t125, 0xa); // executed
                                                      							 *0x444090 = 1;
                                                      						}
                                                      						goto L63;
                                                      					} else {
                                                      						asm("sbb eax, eax");
                                                      						ShowWindow( *0x43c070,  ~(_t120 - 1) & 0x00000005);
                                                      						if(_t120 != 2 || (GetWindowLongA(_t125, 0xfffffff0) & 0x21010000) != 0x1000000) {
                                                      							L28:
                                                      							return E0040433B(_a8, _t120, _a16);
                                                      						} else {
                                                      							ShowWindow(_t125, 4);
                                                      							goto L8;
                                                      						}
                                                      					}
                                                      				}
                                                      			}































                                                      0x00403fd6
                                                      0x00403fd8
                                                      0x00000000
                                                      0x00000000
                                                      0x00403fe8
                                                      0x00403ff0
                                                      0x00000000
                                                      0x00403ff6
                                                      0x00403dfe
                                                      0x00403dfe
                                                      0x00403e02
                                                      0x00403e07
                                                      0x00403e16
                                                      0x00403e16
                                                      0x00403e1c
                                                      0x00403e23
                                                      0x00403e67
                                                      0x00403e6d
                                                      0x00403e86
                                                      0x00403e89
                                                      0x00403e9c
                                                      0x00403ea2
                                                      0x00000000
                                                      0x00000000
                                                      0x00403ea8
                                                      0x00403eb3
                                                      0x00403eb5
                                                      0x00403eb7
                                                      0x00403ed6
                                                      0x00403ed6
                                                      0x00403ed9
                                                      0x00403ede
                                                      0x00403ee1
                                                      0x00403ef1
                                                      0x00403ef2
                                                      0x00403ef4
                                                      0x00403f2a
                                                      0x00403f3a
                                                      0x00000000
                                                      0x00403f3a
                                                      0x00403ef6
                                                      0x00403efc
                                                      0x00403f15
                                                      0x00403f1a
                                                      0x00403f1c
                                                      0x00000000
                                                      0x00000000
                                                      0x00403f1e
                                                      0x00403f0a
                                                      0x00403f0a
                                                      0x00403f0c
                                                      0x00403f0c
                                                      0x00000000
                                                      0x00403f0c
                                                      0x00403eff
                                                      0x00403f04
                                                      0x00000000
                                                      0x00403f04
                                                      0x00403ee3
                                                      0x00403ee9
                                                      0x00000000
                                                      0x00000000
                                                      0x00403eeb
                                                      0x00000000
                                                      0x00403eeb
                                                      0x00403edb
                                                      0x00000000
                                                      0x00403edb
                                                      0x00403ec1
                                                      0x00403ec8
                                                      0x00403ece
                                                      0x00403ed0
                                                      0x004042a1
                                                      0x00000000
                                                      0x004042a1
                                                      0x00000000
                                                      0x00403ed0
                                                      0x00403e8e
                                                      0x00000000
                                                      0x00403e96
                                                      0x00403e75
                                                      0x00403e7b
                                                      0x0040427e
                                                      0x00404284
                                                      0x00404291
                                                      0x00404297
                                                      0x00404297
                                                      0x00000000
                                                      0x00403e25
                                                      0x00403e2a
                                                      0x00403e36
                                                      0x00403e3f
                                                      0x00403f40
                                                      0x00000000
                                                      0x00403e5e
                                                      0x00403e61
                                                      0x00000000
                                                      0x00403e61
                                                      0x00403e3f
                                                      0x00403e23

                                                      APIs
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E16
                                                      • ShowWindow.USER32(?), ref: 00403E36
                                                      • GetWindowLongA.USER32 ref: 00403E48
                                                      • ShowWindow.USER32(?,00000004), ref: 00403E61
                                                      • DestroyWindow.USER32 ref: 00403E75
                                                      • SetWindowLongA.USER32 ref: 00403E8E
                                                      • GetDlgItem.USER32 ref: 00403EAD
                                                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403EC1
                                                      • IsWindowEnabled.USER32(00000000), ref: 00403EC8
                                                      • GetDlgItem.USER32 ref: 00403F73
                                                      • GetDlgItem.USER32 ref: 00403F7D
                                                      • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403F97
                                                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403FE8
                                                      • GetDlgItem.USER32 ref: 0040408E
                                                      • ShowWindow.USER32(00000000,?), ref: 004040AF
                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004040C1
                                                      • EnableWindow.USER32(?,?), ref: 004040DC
                                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040F2
                                                      • EnableMenuItem.USER32 ref: 004040F9
                                                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404111
                                                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404124
                                                      • lstrlenA.KERNEL32(0043C090,?,0043C090,00000000), ref: 0040414E
                                                      • SetWindowTextA.USER32(?,0043C090), ref: 0040415D
                                                      • ShowWindow.USER32(?,0000000A), ref: 00404291
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.834230894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834244274.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004C7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004CF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004D1000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004DF000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuUser$DestroyEnabledSystemTextlstrlen
                                                      • String ID:
                                                      • API String ID: 3618520773-0
                                                      • Opcode ID: b673dabca76274c5076d0e044a6da74a23405ad17572b8bf379c5a70d32c39fe
                                                      • Instruction ID: 1a69bbab5f1dc0e71ac1873d296b8d42e3e712d362af29a70bde279b026b61fc
                                                      • Opcode Fuzzy Hash: b673dabca76274c5076d0e044a6da74a23405ad17572b8bf379c5a70d32c39fe
                                                      • Instruction Fuzzy Hash: 35C1F471900205AFDB216F61EE85E2B3A78FB86749F01053EFA41B21F1CB3898519B2D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 302 403a3d-403a55 call 406663 305 403a57-403a62 GetUserDefaultUILanguage call 4061b5 302->305 306 403a69-403a9a call 40613e 302->306 309 403a67 305->309 312 403ab2-403ab8 lstrcatA 306->312 313 403a9c-403aad call 40613e 306->313 311 403abd-403ae6 call 403d02 call 405cd7 309->311 319 403aec-403af1 311->319 320 403b6d-403b75 call 405cd7 311->320 312->311 313->312 319->320 321 403af3-403b17 call 40613e 319->321 326 403b83-403ba8 LoadImageA 320->326 327 403b77-403b7e call 4062ea 320->327 321->320 328 403b19-403b1b 321->328 330 403c29-403c31 call 40140b 326->330 331 403baa-403bda RegisterClassA 326->331 327->326 335 403b2c-403b38 lstrlenA 328->335 336 403b1d-403b2a call 405c14 328->336 343 403c33-403c36 330->343 344 403c3b-403c46 call 403d02 330->344 332 403be0-403c24 SystemParametersInfoA CreateWindowExA 331->332 333 403cf8 331->333 332->330 341 403cfa-403d01 333->341 337 403b60-403b68 call 405be9 call 406257 335->337 338 403b3a-403b48 lstrcmpiA 335->338 336->335 337->320 338->337 342 403b4a-403b54 GetFileAttributesA 338->342 347 403b56-403b58 342->347 348 403b5a-403b5b call 405c30 342->348 343->341 354 403c4c-403c66 ShowWindow call 4065f5 344->354 355 403ccf-403cd0 call 40544a 344->355 347->337 347->348 348->337 362 403c72-403c84 GetClassInfoA 354->362 363 403c68-403c6d call 4065f5 354->363 358 403cd5-403cd7 355->358 360 403cf1-403cf3 call 40140b 358->360 361 403cd9-403cdf 358->361 360->333 361->343 364 403ce5-403cec call 40140b 361->364 367 403c86-403c96 GetClassInfoA RegisterClassA 362->367 368 403c9c-403cbf DialogBoxParamA call 40140b 362->368 363->362 364->343 367->368 371 403cc4-403ccd call 40398d 368->371 371->341
                                                      C-Code - Quality: 96%
                                                      			E00403A3D(void* __eflags) {
                                                      				intOrPtr _v4;
                                                      				intOrPtr _v8;
                                                      				int _v12;
                                                      				void _v16;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				intOrPtr* _t17;
                                                      				void* _t25;
                                                      				void* _t27;
                                                      				int _t28;
                                                      				void* _t31;
                                                      				int _t34;
                                                      				int _t35;
                                                      				int _t39;
                                                      				char _t57;
                                                      				CHAR* _t59;
                                                      				signed char _t63;
                                                      				signed short _t67;
                                                      				CHAR* _t74;
                                                      				intOrPtr _t76;
                                                      				CHAR* _t81;
                                                      
                                                      				_t76 =  *0x452430;
                                                      				_t17 = E00406663(2);
                                                      				_t84 = _t17;
                                                      				if(_t17 == 0) {
                                                      					_t74 = 0x43c090;
                                                      					 *0x483000 = 0x30;
                                                      					 *0x483001 = 0x78;
                                                      					 *0x483002 = 0;
                                                      					E0040613E(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x43c090, 0);
                                                      					__eflags =  *0x43c090;
                                                      					if(__eflags == 0) {
                                                      						E0040613E(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x43c090, 0);
                                                      					}
                                                      					lstrcatA(0x483000, _t74);
                                                      				} else {
                                                      					_t67 =  *_t17(); // executed
                                                      					E004061B5(0x483000, _t67 & 0x0000ffff);
                                                      				}
                                                      				E00403D02(_t71, _t84);
                                                      				 *0x4524a0 =  *0x452438 & 0x00000020;
                                                      				 *0x4524bc = 0x10000;
                                                      				if(E00405CD7(_t84, 0x47d000) != 0) {
                                                      					L16:
                                                      					if(E00405CD7(_t92, 0x47d000) == 0) {
                                                      						E004062EA(0, _t74, _t76, 0x47d000,  *((intOrPtr*)(_t76 + 0x118))); // executed
                                                      					}
                                                      					_t25 = LoadImageA( *0x452420, 0x67, 1, 0, 0, 0x8040); // executed
                                                      					 *0x44e408 = _t25;
                                                      					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                                                      						L21:
                                                      						if(E0040140B(0) == 0) {
                                                      							_t27 = E00403D02(_t71, __eflags);
                                                      							__eflags =  *0x4524c0;
                                                      							if( *0x4524c0 != 0) {
                                                      								_t28 = E0040544A(_t27, 0);
                                                      								__eflags = _t28;
                                                      								if(_t28 == 0) {
                                                      									E0040140B(1);
                                                      									goto L33;
                                                      								}
                                                      								__eflags =  *0x44e3ec;
                                                      								if( *0x44e3ec == 0) {
                                                      									E0040140B(2);
                                                      								}
                                                      								goto L22;
                                                      							}
                                                      							ShowWindow( *0x43c070, 5); // executed
                                                      							_t34 = E004065F5("RichEd20"); // executed
                                                      							__eflags = _t34;
                                                      							if(_t34 == 0) {
                                                      								E004065F5("RichEd32");
                                                      							}
                                                      							_t81 = "RichEdit20A";
                                                      							_t35 = GetClassInfoA(0, _t81, 0x44e3c0);
                                                      							__eflags = _t35;
                                                      							if(_t35 == 0) {
                                                      								GetClassInfoA(0, "RichEdit", 0x44e3c0);
                                                      								 *0x44e3e4 = _t81;
                                                      								RegisterClassA(0x44e3c0);
                                                      							}
                                                      							_t39 = DialogBoxParamA( *0x452420,  *0x44e400 + 0x00000069 & 0x0000ffff, 0, E00403DDA, 0); // executed
                                                      							E0040398D(E0040140B(5), 1);
                                                      							return _t39;
                                                      						}
                                                      						L22:
                                                      						_t31 = 2;
                                                      						return _t31;
                                                      					} else {
                                                      						_t71 =  *0x452420;
                                                      						 *0x44e3c4 = E00401000;
                                                      						 *0x44e3d0 =  *0x452420;
                                                      						 *0x44e3d4 = _t25;
                                                      						 *0x44e3e4 = 0x40a1f4;
                                                      						if(RegisterClassA(0x44e3c0) == 0) {
                                                      							L33:
                                                      							__eflags = 0;
                                                      							return 0;
                                                      						}
                                                      						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                                                      						 *0x43c070 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x452420, 0);
                                                      						goto L21;
                                                      					}
                                                      				} else {
                                                      					_t71 =  *(_t76 + 0x48);
                                                      					_t86 = _t71;
                                                      					if(_t71 == 0) {
                                                      						goto L16;
                                                      					}
                                                      					_t74 = 0x44a3c0;
                                                      					E0040613E(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x452458, 0x44a3c0, 0);
                                                      					_t57 =  *0x44a3c0; // 0x43
                                                      					if(_t57 == 0) {
                                                      						goto L16;
                                                      					}
                                                      					if(_t57 == 0x22) {
                                                      						_t74 = 0x44a3c1;
                                                      						 *((char*)(E00405C14(0x44a3c1, 0x22))) = 0;
                                                      					}
                                                      					_t59 = lstrlenA(_t74) + _t74 - 4;
                                                      					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                                                      						L15:
                                                      						E00406257(0x47d000, E00405BE9(_t74));
                                                      						goto L16;
                                                      					} else {
                                                      						_t63 = GetFileAttributesA(_t74);
                                                      						if(_t63 == 0xffffffff) {
                                                      							L14:
                                                      							E00405C30(_t74);
                                                      							goto L15;
                                                      						}
                                                      						_t92 = _t63 & 0x00000010;
                                                      						if((_t63 & 0x00000010) != 0) {
                                                      							goto L15;
                                                      						}
                                                      						goto L14;
                                                      					}
                                                      				}
                                                      			}

























                                                      0x00403aef
                                                      0x00403af1
                                                      0x00000000
                                                      0x00000000
                                                      0x00403afb
                                                      0x00403b0b
                                                      0x00403b10
                                                      0x00403b17
                                                      0x00000000
                                                      0x00000000
                                                      0x00403b1b
                                                      0x00403b1d
                                                      0x00403b2a
                                                      0x00403b2a
                                                      0x00403b32
                                                      0x00403b38
                                                      0x00403b60
                                                      0x00403b68
                                                      0x00000000
                                                      0x00403b4a
                                                      0x00403b4b
                                                      0x00403b54
                                                      0x00403b5a
                                                      0x00403b5b
                                                      0x00000000
                                                      0x00403b5b
                                                      0x00403b56
                                                      0x00403b58
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00403b58
                                                      0x00403b38

                                                      APIs
                                                        • Part of subcall function 00406663: GetModuleHandleA.KERNEL32(?,00000000,?,004034F5,0000000B), ref: 00406675
                                                        • Part of subcall function 00406663: GetProcAddress.KERNEL32(00000000,?), ref: 00406690
                                                      • GetUserDefaultUILanguage.KERNELBASE(00000002,7476FA90,00485000,?,0047B000,00000009,0000000B), ref: 00403A57
                                                        • Part of subcall function 004061B5: wsprintfA.USER32 ref: 004061C2
                                                      • lstrcatA.KERNEL32(00483000,0043C090,80000001,Control Panel\Desktop\ResourceLocale,00000000,0043C090,00000000,00000002,7476FA90,00485000,?,0047B000,00000009,0000000B), ref: 00403AB8
                                                      • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,0047D000,00483000,0043C090,80000001,Control Panel\Desktop\ResourceLocale,00000000,0043C090,00000000,00000002,7476FA90), ref: 00403B2D
                                                      • lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,0047D000,00483000,0043C090,80000001,Control Panel\Desktop\ResourceLocale,00000000,0043C090,00000000), ref: 00403B40
                                                      • GetFileAttributesA.KERNEL32(Call,?,0047B000,00000009,0000000B), ref: 00403B4B
                                                      • LoadImageA.USER32 ref: 00403B94
                                                      • RegisterClassA.USER32 ref: 00403BD1
                                                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403BE9
                                                      • CreateWindowExA.USER32 ref: 00403C1E
                                                      • ShowWindow.USER32(00000005,00000000,?,0047B000,00000009,0000000B), ref: 00403C54
                                                      • GetClassInfoA.USER32 ref: 00403C80
                                                      • GetClassInfoA.USER32 ref: 00403C8D
                                                      • RegisterClassA.USER32 ref: 00403C96
                                                      • DialogBoxParamA.USER32 ref: 00403CB5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.834230894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834244274.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004C7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004CF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004D1000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004DF000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                      • String ID: .DEFAULT\Control Panel\International$.exe$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                      • API String ID: 606308-634817942
                                                      • Opcode ID: 95bf514c9ea4fc9c592dd570d8c938eb6a532796c2675ae0dce3c92584506eb1
                                                      • Instruction ID: 9ed41b13b3066df8ef4fe5e21b3ba9d2433b63f5b2cc2a01767d3bc771330ebd
                                                      • Opcode Fuzzy Hash: 95bf514c9ea4fc9c592dd570d8c938eb6a532796c2675ae0dce3c92584506eb1
                                                      • Instruction Fuzzy Hash: A261B375644344AEE611AF669E45F3B3A6CEB4670EF00043FF941B62E3CA7C99019B2D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph for function 004062EA (nodes marked Executed / Not Executed)
                                                      C-Code - Quality: 72%
                                                      			E004062EA(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                      				struct _ITEMIDLIST* _v8;
                                                      				char _v12;
                                                      				signed int _v16;
                                                      				signed char _v20;
                                                      				signed int _v24;
                                                      				signed char _v28;
                                                      				signed int _t36;
                                                      				CHAR* _t37;
                                                      				signed int _t39;
                                                      				char _t50;
                                                      				char _t52;
                                                      				char _t54;
                                                      				void* _t62;
                                                      				char* _t63;
                                                      				signed int _t77;
                                                      				char _t85;
                                                      				void* _t86;
                                                      				CHAR* _t87;
                                                      				void* _t89;
                                                      				signed int _t94;
                                                      				signed int _t96;
                                                      				void* _t97;
                                                      
                                                      				_t89 = __esi;
                                                      				_t86 = __edi;
                                                      				_t62 = __ebx;
                                                      				_t36 = _a8;
                                                      				if(_t36 < 0) {
                                                      					_t36 =  *( *0x44e3fc - 4 + _t36 * 4);
                                                      				}
                                                      				_push(_t62);
                                                      				_push(_t89);
                                                      				_push(_t86);
                                                      				_t63 = _t36 +  *0x452458;
                                                      				_t37 = 0x44a3c0;
                                                      				_t87 = 0x44a3c0;
                                                      				if(_a4 >= 0x44a3c0 && _a4 - 0x44a3c0 < 0x4000) {
                                                      					_t87 = _a4;
                                                      					_a4 = _a4 & 0x00000000;
                                                      				}
                                                      				while(1) {
                                                      					_t85 =  *_t63;
                                                      					if(_t85 == 0) {
                                                      						break;
                                                      					}
                                                      					__eflags = _t87 - _t37 - 0x2000;
                                                      					if(_t87 - _t37 >= 0x2000) {
                                                      						break;
                                                      					}
                                                      					_t63 = _t63 + 1;
                                                      					__eflags = _t85 - 4;
                                                      					_a8 = _t63;
                                                      					if(__eflags >= 0) {
                                                      						if(__eflags != 0) {
                                                      							 *_t87 = _t85;
                                                      							_t87 =  &(_t87[1]);
                                                      							__eflags = _t87;
                                                      						} else {
                                                      							 *_t87 =  *_t63;
                                                      							_t87 =  &(_t87[1]);
                                                      							_t63 = _t63 + 1;
                                                      						}
                                                      						continue;
                                                      					}
                                                      					_t39 =  *((char*)(_t63 + 1));
                                                      					_t77 =  *_t63;
                                                      					_t94 = (_t39 & 0x0000007f) << 0x00000007 | _t77 & 0x0000007f;
                                                      					_v24 = _t77;
                                                      					_v28 = _t77 | 0x00000080;
                                                      					_v16 = _t39;
                                                      					_v20 = _t39 | 0x00000080;
                                                      					_t63 = _a8 + 2;
                                                      					__eflags = _t85 - 2;
                                                      					if(_t85 != 2) {
                                                      						__eflags = _t85 - 3;
                                                      						if(_t85 != 3) {
                                                      							__eflags = _t85 - 1;
                                                      							if(_t85 == 1) {
                                                      								__eflags = (_t39 | 0xffffffff) - _t94;
                                                      								E004062EA(_t63, _t87, _t94, _t87, (_t39 | 0xffffffff) - _t94);
                                                      							}
                                                      							L42:
                                                      							_t87 =  &(_t87[lstrlenA(_t87)]);
                                                      							_t37 = 0x44a3c0;
                                                      							continue;
                                                      						}
                                                      						__eflags = _t94 - 0x1d;
                                                      						if(_t94 != 0x1d) {
                                                      							__eflags = (_t94 << 0xd) + 0x453000;
                                                      							E00406257(_t87, (_t94 << 0xd) + 0x453000);
                                                      						} else {
                                                      							E004061B5(_t87,  *0x452428);
                                                      						}
                                                      						__eflags = _t94 + 0xffffffeb - 7;
                                                      						if(_t94 + 0xffffffeb < 7) {
                                                      							L33:
                                                      							E00406535(_t87);
                                                      						}
                                                      						goto L42;
                                                      					}
                                                      					__eflags =  *0x4524dc;
                                                      					_t96 = 2;
                                                      					if( *0x4524dc != 0) {
                                                      						L13:
                                                      						_a8 = 1;
                                                      						L14:
                                                      						__eflags =  *0x4524a4;
                                                      						if( *0x4524a4 != 0) {
                                                      							_t96 = 4;
                                                      						}
                                                      						__eflags = _t77;
                                                      						if(__eflags >= 0) {
                                                      							__eflags = _t77 - 0x25;
                                                      							if(_t77 != 0x25) {
                                                      								__eflags = _t77 - 0x24;
                                                      								if(_t77 == 0x24) {
                                                      									GetWindowsDirectoryA(_t87, 0x2000);
                                                      									_t96 = 0;
                                                      								}
                                                      								while(1) {
                                                      									__eflags = _t96;
                                                      									if(_t96 == 0) {
                                                      										goto L30;
                                                      									}
                                                      									_t50 =  *0x452424;
                                                      									_t96 = _t96 - 1;
                                                      									__eflags = _t50;
                                                      									if(_t50 == 0) {
                                                      										L26:
                                                      										_t52 = SHGetSpecialFolderLocation( *0x452428,  *(_t97 + _t96 * 4 - 0x18),  &_v8);
                                                      										__eflags = _t52;
                                                      										if(_t52 != 0) {
                                                      											L28:
                                                      											 *_t87 =  *_t87 & 0x00000000;
                                                      											__eflags =  *_t87;
                                                      											continue;
                                                      										}
                                                      										__imp__SHGetPathFromIDListA(_v8, _t87);
                                                      										_v12 = _t52;
                                                      										__imp__CoTaskMemFree(_v8);
                                                      										__eflags = _v12;
                                                      										if(_v12 != 0) {
                                                      											goto L30;
                                                      										}
                                                      										goto L28;
                                                      									}
                                                      									__eflags = _a8;
                                                      									if(_a8 == 0) {
                                                      										goto L26;
                                                      									}
                                                      									_t54 =  *_t50( *0x452428,  *(_t97 + _t96 * 4 - 0x18), 0, 0, _t87); // executed
                                                      									__eflags = _t54;
                                                      									if(_t54 == 0) {
                                                      										goto L30;
                                                      									}
                                                      									goto L26;
                                                      								}
                                                      								goto L30;
                                                      							}
                                                      							GetSystemDirectoryA(_t87, 0x2000);
                                                      							goto L30;
                                                      						} else {
                                                      							E0040613E((_t77 & 0x0000003f) +  *0x452458, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t77 & 0x0000003f) +  *0x452458, _t87, _t77 & 0x00000040);
                                                      							__eflags =  *_t87;
                                                      							if( *_t87 != 0) {
                                                      								L31:
                                                      								__eflags = _v16 - 0x1a;
                                                      								if(_v16 == 0x1a) {
                                                      									lstrcatA(_t87, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                      								}
                                                      								goto L33;
                                                      							}
                                                      							E004062EA(_t63, _t87, _t96, _t87, _v16);
                                                      							L30:
                                                      							__eflags =  *_t87;
                                                      							if( *_t87 == 0) {
                                                      								goto L33;
                                                      							}
                                                      							goto L31;
                                                      						}
                                                      					}
                                                      					__eflags =  *0x4524de - 0x45a;
                                                      					if( *0x4524de >= 0x45a) {
                                                      						goto L13;
                                                      					}
                                                      					__eflags = _t39 - 0x23;
                                                      					if(_t39 == 0x23) {
                                                      						goto L13;
                                                      					}
                                                      					__eflags = _t39 - 0x2e;
                                                      					if(_t39 == 0x2e) {
                                                      						goto L13;
                                                      					} else {
                                                      						_a8 = _a8 & 0x00000000;
                                                      						goto L14;
                                                      					}
                                                      				}
                                                      				 *_t87 =  *_t87 & 0x00000000;
                                                      				if(_a4 == 0) {
                                                      					return _t37;
                                                      				}
                                                      				return E00406257(_a4, _t37);
                                                      			}

























                                                      0x004063a2
                                                      0x004063bf
                                                      0x004063bf
                                                      0x004063c6
                                                      0x004063c6
                                                      0x004063cd
                                                      0x004063d1
                                                      0x004063d1
                                                      0x004063d2
                                                      0x004063d4
                                                      0x0040640d
                                                      0x00406410
                                                      0x00406420
                                                      0x00406423
                                                      0x0040642b
                                                      0x00406431
                                                      0x00406431
                                                      0x00406490
                                                      0x00406490
                                                      0x00406492
                                                      0x00000000
                                                      0x00000000
                                                      0x00406435
                                                      0x0040643c
                                                      0x0040643d
                                                      0x0040643f
                                                      0x00406459
                                                      0x00406467
                                                      0x0040646d
                                                      0x0040646f
                                                      0x0040648d
                                                      0x0040648d
                                                      0x0040648d
                                                      0x00000000
                                                      0x0040648d
                                                      0x00406475
                                                      0x0040647e
                                                      0x00406481
                                                      0x00406487
                                                      0x0040648b
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040648b
                                                      0x00406441
                                                      0x00406444
                                                      0x00000000
                                                      0x00000000
                                                      0x00406453
                                                      0x00406455
                                                      0x00406457
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00406457
                                                      0x00000000
                                                      0x00406490
                                                      0x00406418
                                                      0x00000000
                                                      0x004063d6
                                                      0x004063f1
                                                      0x004063f6
                                                      0x004063f9
                                                      0x00406499
                                                      0x00406499
                                                      0x0040649d
                                                      0x004064a5
                                                      0x004064a5
                                                      0x00000000
                                                      0x0040649d
                                                      0x00406403
                                                      0x00406494
                                                      0x00406494
                                                      0x00406497
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00406497
                                                      0x004063d4
                                                      0x004063a4
                                                      0x004063ad
                                                      0x00000000
                                                      0x00000000
                                                      0x004063af
                                                      0x004063b2
                                                      0x00000000
                                                      0x00000000
                                                      0x004063b4
                                                      0x004063b7
                                                      0x00000000
                                                      0x004063b9
                                                      0x004063b9
                                                      0x00000000
                                                      0x004063b9
                                                      0x004063b7
                                                      0x0040651c
                                                      0x00406526
                                                      0x00406532
                                                      0x00406532
                                                      0x00000000

                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32 ref: 00406418
                                                      • GetWindowsDirectoryA.KERNEL32(Call,00002000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,004053B0,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000), ref: 0040642B
                                                      • SHGetSpecialFolderLocation.SHELL32(004053B0,0vt,?,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,004053B0,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000), ref: 00406467
                                                      • SHGetPathFromIDListA.SHELL32(0vt,Call), ref: 00406475
                                                      • CoTaskMemFree.OLE32(0040A198), ref: 00406481
                                                      • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004064A5
                                                      • lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,004053B0,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,00000000,0042CE48,7476EA30), ref: 004064F7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                      • String ID: 0vt$Call$Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                      • API String ID: 717251189-4022678046
                                                      • Opcode ID: 838a228d43f25cac2ee0c0fa74933bf62ea0f71a5a7e27bbbeaab37106ce29fc
                                                      • Instruction ID: ebe98ae1178673def3e02426a949122db7229e586474bd24546af65fb667a20e
                                                      • Opcode Fuzzy Hash: 838a228d43f25cac2ee0c0fa74933bf62ea0f71a5a7e27bbbeaab37106ce29fc
                                                      • Instruction Fuzzy Hash: D5611571900204AFEF219F24DD94B7E3BA4AB06714F12403FE943BA2D2D67C89A1DB5D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      [Control-flow graph for function 402f0c; nodes are marked Executed / Not Executed; graph data not reproduced]
                                                      C-Code - Quality: 78%
                                                      			E00402F0C(void* __eflags, signed int _a4) {
                                                      				DWORD* _v8;
                                                      				DWORD* _v12;
                                                      				void* _v16;
                                                      				intOrPtr _v20;
                                                      				long _v24;
                                                      				intOrPtr _v28;
                                                      				intOrPtr _v32;
                                                      				intOrPtr _v36;
                                                      				intOrPtr _v40;
                                                      				signed int _v44;
                                                      				long _t50;
                                                      				void* _t57;
                                                      				intOrPtr* _t59;
                                                      				long _t60;
                                                      				long _t70;
                                                      				signed int _t77;
                                                      				intOrPtr _t80;
                                                      				long _t82;
                                                      				void* _t85;
                                                      				signed int _t87;
                                                      				void* _t89;
                                                      				long _t90;
                                                      				long _t93;
                                                      				intOrPtr* _t94;
                                                      
                                                      				_t82 = 0;
                                                      				_v12 = 0;
                                                      				_v8 = 0;
                                                      				 *0x45242c = GetTickCount() + 0x3e8;
                                                      				GetModuleFileNameA(0, 0x489000, 0x2000);
                                                      				_t89 = E00405DEA(0x489000, 0x80000000, 3);
                                                      				_v16 = _t89;
                                                      				 *0x40a018 = _t89;
                                                      				if(_t89 == 0xffffffff) {
                                                      					return "Error launching installer";
                                                      				}
                                                      				E00406257(0x481000, 0x489000);
                                                      				E00406257(0x48b000, E00405C30(0x481000));
                                                      				_t50 = GetFileSize(_t89, 0);
                                                      				 *0x43204c = _t50;
                                                      				_t93 = _t50;
                                                      				if(_t50 <= 0) {
                                                      					L24:
                                                      					E00402EA8(1);
                                                      					if( *0x452434 == _t82) {
                                                      						goto L29;
                                                      					}
                                                      					if(_v8 == _t82) {
                                                      						L28:
                                                      						_t94 = GlobalAlloc(0x40, _v24);
                                                      						E0040336B( *0x452434 + 0x1c);
                                                      						_push(_v24);
                                                      						_push(_t94);
                                                      						_push(_t82);
                                                      						_push(0xffffffff); // executed
                                                      						_t57 = E00403143(); // executed
                                                      						if(_t57 == _v24) {
                                                      							 *0x452430 = _t94;
                                                      							 *0x452438 =  *_t94;
                                                      							if((_v44 & 0x00000001) != 0) {
                                                      								 *0x45243c =  *0x45243c + 1;
                                                      							}
                                                      							_t40 = _t94 + 0x44; // 0x44
                                                      							_t59 = _t40;
                                                      							_t85 = 8;
                                                      							do {
                                                      								_t59 = _t59 - 8;
                                                      								 *_t59 =  *_t59 + _t94;
                                                      								_t85 = _t85 - 1;
                                                      							} while (_t85 != 0);
                                                      							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                      							 *(_t94 + 0x3c) = _t60;
                                                      							E00405DA5(0x452440, _t94 + 4, 0x40);
                                                      							return 0;
                                                      						}
                                                      						goto L29;
                                                      					}
                                                      					E0040336B( *0x426040);
                                                      					if(E00403355( &_a4, 4) == 0 || _v12 != _a4) {
                                                      						goto L29;
                                                      					} else {
                                                      						goto L28;
                                                      					}
                                                      				} else {
                                                      					do {
                                                      						_t90 = _t93;
                                                      						asm("sbb eax, eax");
                                                      						_t70 = ( ~( *0x452434) & 0x00007e00) + 0x200;
                                                      						if(_t93 >= _t70) {
                                                      							_t90 = _t70;
                                                      						}
                                                      						if(E00403355(0x41e040, _t90) == 0) {
                                                      							E00402EA8(1);
                                                      							L29:
                                                      							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                      						}
                                                      						if( *0x452434 != 0) {
                                                      							if((_a4 & 0x00000002) == 0) {
                                                      								E00402EA8(0);
                                                      							}
                                                      							goto L20;
                                                      						}
                                                      						E00405DA5( &_v44, 0x41e040, 0x1c);
                                                      						_t77 = _v44;
                                                      						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
                                                      							_a4 = _a4 | _t77;
                                                      							_t87 =  *0x426040; // 0x5d72a
                                                      							 *0x4524c0 =  *0x4524c0 | _a4 & 0x00000002;
                                                      							_t80 = _v20;
                                                      							 *0x452434 = _t87;
                                                      							if(_t80 > _t93) {
                                                      								goto L29;
                                                      							}
                                                      							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                                      								_v8 = _v8 + 1;
                                                      								_t24 = _t80 - 4; // 0x5
                                                      								_t93 = _t24;
                                                      								if(_t90 > _t93) {
                                                      									_t90 = _t93;
                                                      								}
                                                      								goto L20;
                                                      							} else {
                                                      								break;
                                                      							}
                                                      						}
                                                      						L20:
                                                      						if(_t93 <  *0x43204c) {
                                                      							_v12 = E0040671A(_v12, 0x41e040, _t90);
                                                      						}
                                                      						 *0x426040 =  *0x426040 + _t90;
                                                      						_t93 = _t93 - _t90;
                                                      					} while (_t93 != 0);
                                                      					_t82 = 0;
                                                      					goto L24;
                                                      				}
                                                      			}




























                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 00402F1D
                                                      • GetModuleFileNameA.KERNEL32(00000000,00489000,00002000,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00402F39
                                                        • Part of subcall function 00405DEA: GetFileAttributesA.KERNELBASE(00000003,00402F4C,00489000,80000000,00000003,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405DEE
                                                        • Part of subcall function 00405DEA: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405E10
                                                      • GetFileSize.KERNEL32(00000000,00000000,0048B000,00000000,00481000,00481000,00489000,00489000,80000000,00000003,?,?,004036FD,?,?,00000007), ref: 00402F85
                                                      • GlobalAlloc.KERNEL32(00000040,00000007,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 004030BB
                                                      Strings
                                                      • soft, xrefs: 00402FFA
                                                      • Error launching installer, xrefs: 00402F5C
                                                      • Null, xrefs: 00403003
                                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004030E2
                                                      • Inst, xrefs: 00402FF1
                                                      • @A, xrefs: 00402F9A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.834230894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834244274.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004C7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004CF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004D1000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004DF000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                      • String ID: @A$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                      • API String ID: 2803837635-2937945327
                                                      • Opcode ID: ef4c9a5dc92e0d7598bd923cfc77fc61e239af6537ea3ff3a5b4cfa1ca02d18f
                                                      • Instruction ID: 4581bf354a42e99e0fb2dd836479f673db23d0c593d329681b7c8fb4cfaa4e30
                                                      • Opcode Fuzzy Hash: ef4c9a5dc92e0d7598bd923cfc77fc61e239af6537ea3ff3a5b4cfa1ca02d18f
                                                      • Instruction Fuzzy Hash: E751B431901204ABDB20AF65DD85B9F7EACEB15356F20813BF501B62D2C7BC8E418B5D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (function 00403143; legend: Executed / Not Executed)
                                                      C-Code - Quality: 95%
                                                      			E00403143(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                      				signed int _v8;
                                                      				int _v12;
                                                      				intOrPtr _v16;
                                                      				long _v20;
                                                      				intOrPtr _v24;
                                                      				char _v88;
                                                      				void* _t65;
                                                      				void* _t69;
                                                      				long _t70;
                                                      				intOrPtr _t75;
                                                      				long _t76;
                                                      				intOrPtr _t77;
                                                      				void* _t78;
                                                      				int _t88;
                                                      				intOrPtr _t92;
                                                      				intOrPtr _t95;
                                                      				long _t96;
                                                      				signed int _t97;
                                                      				int _t98;
                                                      				int _t99;
                                                      				intOrPtr _t100;
                                                      				void* _t101;
                                                      				void* _t102;
                                                      
                                                      				_t97 = _a16;
                                                      				_t92 = _a12;
                                                      				_v12 = _t97;
                                                      				if(_t92 == 0) {
                                                      					_v12 = 0x8000;
                                                      				}
                                                      				_v8 = _v8 & 0x00000000;
                                                      				_v16 = _t92;
                                                      				if(_t92 == 0) {
                                                      					_v16 = 0x42a048;
                                                      				}
                                                      				_t62 = _a4;
                                                      				if(_a4 >= 0) {
                                                      					E0040336B( *0x452478 + _t62);
                                                      				}
                                                      				if(E00403355( &_a16, 4) == 0) {
                                                      					L41:
                                                      					_push(0xfffffffd);
                                                      					goto L42;
                                                      				} else {
                                                      					if((_a19 & 0x00000080) == 0) {
                                                      						if(_t92 != 0) {
                                                      							if(_a16 < _t97) {
                                                      								_t97 = _a16;
                                                      							}
                                                      							if(E00403355(_t92, _t97) != 0) {
                                                      								_v8 = _t97;
                                                      								L44:
                                                      								return _v8;
                                                      							} else {
                                                      								goto L41;
                                                      							}
                                                      						}
                                                      						if(_a16 <= _t92) {
                                                      							goto L44;
                                                      						}
                                                      						_t88 = _v12;
                                                      						while(1) {
                                                      							_t98 = _a16;
                                                      							if(_a16 >= _t88) {
                                                      								_t98 = _t88;
                                                      							}
                                                      							if(E00403355(0x426048, _t98) == 0) {
                                                      								goto L41;
                                                      							}
                                                      							_t69 = E00405E91(_a8, 0x426048, _t98); // executed
                                                      							if(_t69 == 0) {
                                                      								L28:
                                                      								_push(0xfffffffe);
                                                      								L42:
                                                      								_pop(_t65);
                                                      								return _t65;
                                                      							}
                                                      							_v8 = _v8 + _t98;
                                                      							_a16 = _a16 - _t98;
                                                      							if(_a16 > 0) {
                                                      								continue;
                                                      							}
                                                      							goto L44;
                                                      						}
                                                      						goto L41;
                                                      					}
                                                      					_t70 = GetTickCount();
                                                      					 *0x4149ac =  *0x4149ac & 0x00000000;
                                                      					 *0x4149a8 =  *0x4149a8 & 0x00000000;
                                                      					_t14 =  &_a16;
                                                      					 *_t14 = _a16 & 0x7fffffff;
                                                      					_v20 = _t70;
                                                      					 *0x414490 = 8;
                                                      					 *0x41e038 = 0x416030;
                                                      					 *0x41e034 = 0x416030;
                                                      					 *0x41e030 = 0x41e030;
                                                      					_a4 = _a16;
                                                      					if( *_t14 <= 0) {
                                                      						goto L44;
                                                      					} else {
                                                      						goto L9;
                                                      					}
                                                      					while(1) {
                                                      						L9:
                                                      						_t99 = 0x4000;
                                                      						if(_a16 < 0x4000) {
                                                      							_t99 = _a16;
                                                      						}
                                                      						if(E00403355(0x426048, _t99) == 0) {
                                                      							goto L41;
                                                      						}
                                                      						_a16 = _a16 - _t99;
                                                      						 *0x414480 = 0x426048;
                                                      						 *0x414484 = _t99;
                                                      						while(1) {
                                                      							_t95 = _v16;
                                                      							 *0x414488 = _t95;
                                                      							 *0x41448c = _v12;
                                                      							_t75 = E00406788("\xef\xbf\
                                                      							_v24 = _t75;
                                                      							if(_t75 < 0) {
                                                      								break;
                                                      							}
                                                      							_t100 =  *0x414488; // 0x42ce48
                                                      							_t101 = _t100 - _t95;
                                                      							_t76 = GetTickCount();
                                                      							_t96 = _t76;
                                                      							if(( *0x4524d4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                      								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                      								_t102 = _t102 + 0xc;
                                                      								E00405378(0,  &_v88); // executed
                                                      								_v20 = _t96;
                                                      							}
                                                      							if(_t101 == 0) {
                                                      								if(_a16 > 0) {
                                                      									goto L9;
                                                      								}
                                                      								goto L44;
                                                      							} else {
                                                      								if(_a12 != 0) {
                                                      									_t77 =  *0x414488; // 0x42ce48
                                                      									_v8 = _v8 + _t101;
                                                      									_v12 = _v12 - _t101;
                                                      									_v16 = _t77;
                                                      									L23:
                                                      									if(_v24 != 1) {
                                                      										continue;
                                                      									}
                                                      									goto L44;
                                                      								}
                                                      								_t78 = E00405E91(_a8, _v16, _t101); // executed
                                                      								if(_t78 == 0) {
                                                      									goto L28;
                                                      								}
                                                      								_v8 = _v8 + _t101;
                                                      								goto L23;
                                                      							}
                                                      						}
                                                      						_push(0xfffffffc);
                                                      						goto L42;
                                                      					}
                                                      					goto L41;
                                                      				}
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CountTick$wsprintf
                                                      • String ID: ... %d%%$0`A$H`B$H`B${B
                                                      • API String ID: 551687249-3260306330
                                                      • Opcode ID: 0c9fc1d85663aad53be424f08f543157a3ad91164e87d18aa7b079f2db5192f9
                                                      • Instruction ID: 5e435b9e5989c49516ab484f42c851a836a172a2bf0c70b81729303e7d6c5b04
                                                      • Opcode Fuzzy Hash: 0c9fc1d85663aad53be424f08f543157a3ad91164e87d18aa7b079f2db5192f9
                                                      • Instruction Fuzzy Hash: 59516A71801219AFDB10CFA5DA8479F7BA8AB45766F14817BEC01B72C0C7789A50CBA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E00401759(FILETIME* __ebx, void* __eflags) {
                                                      				void* _t33;
                                                      				void* _t41;
                                                      				void* _t43;
                                                      				FILETIME* _t49;
                                                      				FILETIME* _t62;
                                                      				void* _t64;
                                                      				signed int _t70;
                                                      				FILETIME* _t71;
                                                      				FILETIME* _t75;
                                                      				signed int _t77;
                                                      				void* _t80;
                                                      				CHAR* _t82;
                                                      				void* _t85;
                                                      
                                                      				_t75 = __ebx;
                                                      				_t82 = E00402C39(0x31);
                                                      				 *(_t85 - 8) = _t82;
                                                      				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                      				_t33 = E00405C56(_t82);
                                                      				_push(_t82);
                                                      				if(_t33 == 0) {
                                                      					lstrcatA(E00405BE9(E00406257(0x40a438, "C:\\Users\\jones\\AppData\\Roaming\\Kartoffelprodukterne\\conchinine\\Affaldsproblem")), ??);
                                                      				} else {
                                                      					_push(0x40a438);
                                                      					E00406257();
                                                      				}
                                                      				E00406535(0x40a438);
                                                      				while(1) {
                                                      					__eflags =  *(_t85 + 8) - 3;
                                                      					if( *(_t85 + 8) >= 3) {
                                                      						_t64 = E004065CE(0x40a438);
                                                      						_t77 = 0;
                                                      						__eflags = _t64 - _t75;
                                                      						if(_t64 != _t75) {
                                                      							_t71 = _t64 + 0x14;
                                                      							__eflags = _t71;
                                                      							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                      						}
                                                      						asm("sbb eax, eax");
                                                      						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                      						__eflags = _t70;
                                                      						 *(_t85 + 8) = _t70;
                                                      					}
                                                      					__eflags =  *(_t85 + 8) - _t75;
                                                      					if( *(_t85 + 8) == _t75) {
                                                      						E00405DC5(0x40a438);
                                                      					}
                                                      					__eflags =  *(_t85 + 8) - 1;
                                                      					_t41 = E00405DEA(0x40a438, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                      					__eflags = _t41 - 0xffffffff;
                                                      					 *(_t85 - 0xc) = _t41;
                                                      					if(_t41 != 0xffffffff) {
                                                      						break;
                                                      					}
                                                      					__eflags =  *(_t85 + 8) - _t75;
                                                      					if( *(_t85 + 8) != _t75) {
                                                      						E00405378(0xffffffe2,  *(_t85 - 8));
                                                      						__eflags =  *(_t85 + 8) - 2;
                                                      						if(__eflags == 0) {
                                                      							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                      						}
                                                      						L31:
                                                      						 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t85 - 4));
                                                      						__eflags =  *0x4524a8;
                                                      						goto L32;
                                                      					} else {
                                                      						E00406257(0x40e438, 0x453000);
                                                      						E00406257(0x453000, 0x40a438);
                                                      						E004062EA(_t75, 0x40e438, 0x40a438, "C:\Users\jones\AppData\Local\Temp\nsk1BF9.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                                      						E00406257(0x453000, 0x40e438);
                                                      						_t62 = E0040596D("C:\Users\jones\AppData\Local\Temp\nsk1BF9.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
                                                      						__eflags = _t62;
                                                      						if(_t62 == 0) {
                                                      							continue;
                                                      						} else {
                                                      							__eflags = _t62 == 1;
                                                      							if(_t62 == 1) {
                                                      								 *0x4524a8 =  &( *0x4524a8->dwLowDateTime);
                                                      								L32:
                                                      								_t49 = 0;
                                                      								__eflags = 0;
                                                      							} else {
                                                      								_push(0x40a438);
                                                      								_push(0xfffffffa);
                                                      								E00405378();
                                                      								L29:
                                                      								_t49 = 0x7fffffff;
                                                      							}
                                                      						}
                                                      					}
                                                      					L33:
                                                      					return _t49;
                                                      				}
                                                      				E00405378(0xffffffea,  *(_t85 - 8)); // executed
                                                      				 *0x4524d4 =  *0x4524d4 + 1;
                                                      				_t43 = E00403143( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
                                                      				 *0x4524d4 =  *0x4524d4 - 1;
                                                      				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                      				_t80 = _t43;
                                                      				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                      					L22:
                                                      					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                                      				} else {
                                                      					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                      					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                      						goto L22;
                                                      					}
                                                      				}
                                                      				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                                                      				__eflags = _t80 - _t75;
                                                      				if(_t80 >= _t75) {
                                                      					goto L31;
                                                      				} else {
                                                      					__eflags = _t80 - 0xfffffffe;
                                                      					if(_t80 != 0xfffffffe) {
                                                      						E004062EA(_t75, _t80, 0x40a438, 0x40a438, 0xffffffee);
                                                      					} else {
                                                      						E004062EA(_t75, _t80, 0x40a438, 0x40a438, 0xffffffe9);
                                                      						lstrcatA(0x40a438,  *(_t85 - 8));
                                                      					}
                                                      					_push(0x200010);
                                                      					_push(0x40a438);
                                                      					E0040596D();
                                                      					goto L29;
                                                      				}
                                                      				goto L33;
                                                      			}

















                                                      APIs
                                                      • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Affaldsproblem,00000000,00000000,00000031), ref: 00401798
                                                      • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Affaldsproblem,00000000,00000000,00000031), ref: 004017C2
                                                        • Part of subcall function 00406257: lstrcpynA.KERNEL32(0000000B,0000000B,00002000,00403556,0044E420,NSIS Error,?,00000007,00000009,0000000B), ref: 00406264
                                                        • Part of subcall function 00405378: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,0042CE48,7476EA30,?,?,?,?,?,?,?,?,?,0040329E,00000000,?), ref: 004053B1
                                                        • Part of subcall function 00405378: lstrlenA.KERNEL32(0040329E,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,0042CE48,7476EA30,?,?,?,?,?,?,?,?,?,0040329E,00000000), ref: 004053C1
                                                        • Part of subcall function 00405378: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,0040329E,0040329E,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,0042CE48,7476EA30), ref: 004053D4
                                                        • Part of subcall function 00405378: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll), ref: 004053E6
                                                        • Part of subcall function 00405378: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540C
                                                        • Part of subcall function 00405378: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405426
                                                        • Part of subcall function 00405378: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405434
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                      • String ID: 8@$C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll$C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Affaldsproblem$Call
                                                      • API String ID: 1941528284-169528156
                                                      • Opcode ID: 03874d555682c28494de98f198ea20d949bb4d609246e22306f580c173a267ef
                                                      • Instruction ID: 3e968e9bdc471329156ed959ca9c7b0cca39a402a35bfbb3b78bbd1fa7da6ddf
                                                      • Opcode Fuzzy Hash: 03874d555682c28494de98f198ea20d949bb4d609246e22306f580c173a267ef
                                                      • Instruction Fuzzy Hash: F341D471900215BBCB207BB5CD45DAF7679EF45369B20823FF422B20E2D77C8A518A6D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 72%
                                                      			E73432128(intOrPtr* _a4) {
                                                      				short _v84;
                                                      				intOrPtr* _t24;
                                                      				signed int _t25;
                                                      				intOrPtr _t26;
                                                      				void* _t27;
                                                      				intOrPtr _t33;
                                                      				void* _t39;
                                                      				void* _t42;
                                                      
                                                      				_t39 = E734312C6();
                                                      				_t24 = _a4;
                                                      				_t33 =  *((intOrPtr*)(_t24 + 0x814));
                                                      				_t42 = (_t33 + 0x41 << 5) + _t24;
                                                      				do {
                                                      					if( *((intOrPtr*)(_t42 - 4)) >= 0) {
                                                      					}
                                                      					_t25 =  *(_t42 - 8) & 0x000000ff;
                                                      					if(_t25 <= 7) {
                                                      						switch( *((intOrPtr*)(_t25 * 4 +  &M73432268))) {
                                                      							case 0:
                                                      								 *_t39 = 0;
                                                      								goto L17;
                                                      							case 1:
                                                      								__edx =  *__edx;
                                                      								if(__ecx > 0) {
                                                      									__ecx = __ecx - 1;
                                                      									__ecx = __ecx *  *(0x73434060 + __eax * 4);
                                                      									asm("sbb eax, eax");
                                                      									__edx = __edx &  *(0x73434080 + __eax * 4);
                                                      								}
                                                      								_push(__edx);
                                                      								goto L15;
                                                      							case 2:
                                                      								_push(__edi);
                                                      								_push(__edx[1]);
                                                      								_push( *__edx);
                                                      								__eax = E7343144D(__ecx);
                                                      								goto L16;
                                                      							case 3:
                                                      								__eax = lstrcpynA(__edi,  *__edx,  *0x73435040);
                                                      								goto L17;
                                                      							case 4:
                                                      								__ecx =  *0x73435040;
                                                      								__ecx - 1 = WideCharToMultiByte(0, 0,  *__edx, __ecx, __edi, __ecx - 1, 0, 0);
                                                      								__eax =  *0x73435040;
                                                      								 *((char*)(__eax + __edi - 1)) = 0;
                                                      								goto L17;
                                                      							case 5:
                                                      								_push(0x27);
                                                      								__eax =  &_v84;
                                                      								_push( &_v84);
                                                      								_push( *__edx);
                                                      								__imp__StringFromGUID2();
                                                      								__ecx = 0;
                                                      								__eax =  &_v84;
                                                      								__eax = WideCharToMultiByte(0, 0,  &_v84,  &_v84, __edi,  *0x73435040, 0, 0);
                                                      								goto L17;
                                                      							case 6:
                                                      								_push( *__esi);
                                                      								L15:
                                                      								__eax = wsprintfA(__edi, 0x73434058);
                                                      								L16:
                                                      								__esp = __esp + 0xc;
                                                      								goto L17;
                                                      						}
                                                      					}
                                                      					L17:
                                                      					if( *(_t42 + 0x14) != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t42 - 4)) > 0)) {
                                                      						GlobalFree( *(_t42 + 0x14));
                                                      					}
                                                      					_t26 =  *((intOrPtr*)(_t42 + 0xc));
                                                      					if(_t26 != 0) {
                                                      						if(_t26 != 0xffffffff) {
                                                      							if(_t26 > 0) {
                                                      								E734315C7(_t26 - 1, _t39);
                                                      								goto L26;
                                                      							}
                                                      						} else {
                                                      							E7343157E(_t39);
                                                      							L26:
                                                      						}
                                                      					}
                                                      					_t42 = _t42 - 0x20;
                                                      					_t33 = _t33 - 1;
                                                      				} while (_t33 >= 0);
                                                      				_t27 = GlobalFree(_t39); // executed
                                                      				return _t27;
                                                      			}












                                                      APIs
                                                        • Part of subcall function 734312C6: GlobalAlloc.KERNELBASE(00000040,734311C4,-000000A0), ref: 734312CE
                                                      • GlobalFree.KERNEL32 ref: 73432228
                                                      • GlobalFree.KERNEL32 ref: 7343225D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.853199298.0000000073431000.00000020.00000001.01000000.00000004.sdmp, Offset: 73430000, based on PE: true
                                                      • Associated: 00000000.00000002.853187298.0000000073430000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853222168.0000000073434000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853240329.0000000073436000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73430000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Global$Free$Alloc
                                                      • String ID: @hqt
                                                      • API String ID: 1780285237-2648236075
                                                      • Opcode ID: 578cdcffc16dfaa066f8644e77ad75e26379bb74fa7209ddb075c69bdcca1be1
                                                      • Instruction ID: 166ab555d19e1c02d11f0217bece538d3d60ff56fc6621163da16c6d99b173d1
                                                      • Opcode Fuzzy Hash: 578cdcffc16dfaa066f8644e77ad75e26379bb74fa7209ddb075c69bdcca1be1
                                                      • Instruction Fuzzy Hash: 08412332208208EFE71E9F91CD44FAA7BF9FB4E700FA00158E915B7280D731A800CB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      C-Code - Quality: 100%
                                                      			E00405378(CHAR* _a4, CHAR* _a8) {
                                                      				struct HWND__* _v8;
                                                      				signed int _v12;
                                                      				CHAR* _v32;
                                                      				long _v44;
                                                      				int _v48;
                                                      				void* _v52;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				CHAR* _t26;
                                                      				signed int _t27;
                                                      				CHAR* _t28;
                                                      				long _t29;
                                                      				signed int _t39;
                                                      
                                                      				_t26 =  *0x44e404;
                                                      				_v8 = _t26;
                                                      				if(_t26 != 0) {
                                                      					_t27 =  *0x4524d4;
                                                      					_v12 = _t27;
                                                      					_t39 = _t27 & 0x00000001;
                                                      					if(_t39 == 0) {
                                                      						E004062EA(0, _t39, 0x438070, 0x438070, _a4);
                                                      					}
                                                      					_t26 = lstrlenA(0x438070);
                                                      					_a4 = _t26;
                                                      					if(_a8 == 0) {
                                                      						L6:
                                                      						if((_v12 & 0x00000004) == 0) {
                                                      							_t26 = SetWindowTextA( *0x44e3e8, 0x438070); // executed
                                                      						}
                                                      						if((_v12 & 0x00000002) == 0) {
                                                      							_v32 = 0x438070;
                                                      							_v52 = 1;
                                                      							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
                                                      							_v44 = 0;
                                                      							_v48 = _t29 - _t39;
                                                      							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
                                                      							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
                                                      						}
                                                      						if(_t39 != 0) {
                                                      							_t28 = _a4;
                                                      							 *((char*)(_t28 + 0x438070)) = 0;
                                                      							return _t28;
                                                      						}
                                                      					} else {
                                                      						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                      						if(_t26 < 0x4000) {
                                                      							_t26 = lstrcatA(0x438070, _a8);
                                                      							goto L6;
                                                      						}
                                                      					}
                                                      				}
                                                      				return _t26;
                                                      			}


















                                                      APIs
                                                      • lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,0042CE48,7476EA30,?,?,?,?,?,?,?,?,?,0040329E,00000000,?), ref: 004053B1
                                                      • lstrlenA.KERNEL32(0040329E,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,0042CE48,7476EA30,?,?,?,?,?,?,?,?,?,0040329E,00000000), ref: 004053C1
                                                      • lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,0040329E,0040329E,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,0042CE48,7476EA30), ref: 004053D4
                                                      • SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll), ref: 004053E6
                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540C
                                                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405426
                                                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405434
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                      • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll
                                                      • API String ID: 2531174081-284563121
                                                      • Opcode ID: 43b59e8548ca3e8478251fdd04fd0e5e98560b6af6290137ab004f16df5a9164
                                                      • Instruction ID: 37f28695abd5d6743d555213097846b75af7b366b005b624e269435409e9a681
                                                      • Opcode Fuzzy Hash: 43b59e8548ca3e8478251fdd04fd0e5e98560b6af6290137ab004f16df5a9164
                                                      • Instruction Fuzzy Hash: 78218C71D00208BBDB11AFA5DD84ADEBFB9EF05354F14807AF904B6291C7798E808F98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      C-Code - Quality: 77%
                                                      			E73431F58(void* _a4) {
                                                      				signed int _v4;
                                                      				signed int _v8;
                                                      				signed int _t46;
                                                      				void* _t47;
                                                      				signed int _t48;
                                                      				void* _t49;
                                                      				void* _t52;
                                                      				void* _t56;
                                                      				signed int _t57;
                                                      				signed int _t59;
                                                      				void* _t60;
                                                      
                                                      				_t52 = _a4;
                                                      				_t46 = 0 |  *((intOrPtr*)(_t52 + 0x814)) > 0x00000000;
                                                      				while(1) {
                                                      					_v8 = _t46;
                                                      					_t59 = _t46 << 5;
                                                      					_t60 =  *(_t59 + _t52 + 0x830);
                                                      					if(_t60 == 0 || _t60 == 0x1a) {
                                                      						goto L8;
                                                      					}
                                                      					if(_t60 != 0xffffffff) {
                                                      						_t51 = _t60 - 1;
                                                      						if(_t60 - 1 > 0x18) {
                                                      							 *(_t59 + _t52 + 0x830) = 0x1a;
                                                      							L11:
                                                      							_t56 = _t59 + _t52;
                                                      							if( *((intOrPtr*)(_t59 + _t52 + 0x81c)) >= 0) {
                                                      							}
                                                      							_t48 =  *(_t59 + _t52 + 0x818) & 0x000000ff;
                                                      							 *(_t59 + _t52 + 0x834) =  *(_t59 + _t52 + 0x834) & 0x00000000;
                                                      							_v4 = _t48;
                                                      							if(_t48 > 7) {
                                                      								L28:
                                                      								_t49 = GlobalFree(_t60); // executed
                                                      								_t57 = _v8;
                                                      								if(_t57 == 0) {
                                                      									return _t49;
                                                      								}
                                                      								_t43 = _t57 + 1; // 0x2
                                                      								_t55 =  !=  ? _t43 : 0;
                                                      								_t46 =  !=  ? _t43 : 0;
                                                      								continue;
                                                      							} else {
                                                      								switch( *((intOrPtr*)(_t48 * 4 +  &M73432108))) {
                                                      									case 0:
                                                      										 *(_t56 + 0x820) =  *(_t56 + 0x820) & 0x00000000;
                                                      										goto L28;
                                                      									case 1:
                                                      										_push(__esi);
                                                      										__eax = E73431326();
                                                      										_pop(__ecx);
                                                      										goto L18;
                                                      									case 2:
                                                      										_push(__esi);
                                                      										__eax = E73431326();
                                                      										_pop(__ecx);
                                                      										 *__ebp = __eax;
                                                      										_a4 = __edx;
                                                      										goto L28;
                                                      									case 3:
                                                      										__eax = E734312AF(__esi);
                                                      										goto L21;
                                                      									case 4:
                                                      										 *0x73435040 =  *0x73435040 +  *0x73435040;
                                                      										__eax = GlobalAlloc(0x40,  *0x73435040 +  *0x73435040);
                                                      										__ecx =  *0x73435040;
                                                      										_a4 = __eax;
                                                      										__eax = MultiByteToWideChar(0, 0, __esi,  *0x73435040, __eax,  *0x73435040);
                                                      										if(_v4 != 5) {
                                                      											__eax = _a4;
                                                      											L21:
                                                      											 *(__edi + __ebx + 0x834) = __eax;
                                                      											L18:
                                                      											 *__ebp = __eax;
                                                      											goto L28;
                                                      										}
                                                      										__eax = GlobalAlloc(0x40, 0x10);
                                                      										 *(__edi + __ebx + 0x834) = __eax;
                                                      										__edi = _a4;
                                                      										_push(__eax);
                                                      										_push(__edi);
                                                      										 *__ebp = __eax;
                                                      										__imp__CLSIDFromString();
                                                      										__eax = GlobalFree(__edi);
                                                      										goto L28;
                                                      									case 5:
                                                      										if( *__esi != 0) {
                                                      											_push(__esi);
                                                      											__eax = E73431326();
                                                      											 *(__edi + __ebx + 0x820) = __eax;
                                                      										}
                                                      										goto L28;
                                                      									case 6:
                                                      										 *(__edi + __ebx + 0x830) =  *(__edi + __ebx + 0x830) - 1;
                                                      										__ecx = ( *(__edi + __ebx + 0x830) - 1) *  *0x73435040;
                                                      										__ecx = ( *(__edi + __ebx + 0x830) - 1) *  *0x73435040 +  *0x73435038;
                                                      										_push(__ecx);
                                                      										__eax = __ecx + 0xc;
                                                      										 *(__edx + 0x820) = __eax;
                                                      										asm("cdq");
                                                      										_push(__edx);
                                                      										_push(__eax);
                                                      										__eax = E7343144D(__ecx);
                                                      										__esp = __esp + 0xc;
                                                      										goto L28;
                                                      								}
                                                      							}
                                                      						}
                                                      						_t47 = E734314E2(_t51);
                                                      						L9:
                                                      						L10:
                                                      						_t60 = _t47;
                                                      						goto L11;
                                                      					}
                                                      					_t47 = E7343152B();
                                                      					goto L10;
                                                      					L8:
                                                      					_t47 = E734312AF(0x734340c7);
                                                      					goto L9;
                                                      				}
                                                      			}















                                                      APIs
                                                      • GlobalFree.KERNELBASE(?), ref: 734320DD
                                                        • Part of subcall function 734312AF: lstrcpynA.KERNEL32(00000000,?,73431502,?,734311C4,-000000A0), ref: 734312BF
                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 73432042
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 7343205A
                                                      • GlobalAlloc.KERNEL32(00000040,00000010), ref: 7343206B
                                                      • CLSIDFromString.OLE32(00000000,00000000), ref: 73432081
                                                      • GlobalFree.KERNEL32 ref: 73432088
                                                        • Part of subcall function 73431958: VirtualAlloc.KERNEL32(00000000,00000010,00001000,00000040,?,734320A7,00000000,?), ref: 7343198A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.853199298.0000000073431000.00000020.00000001.01000000.00000004.sdmp, Offset: 73430000, based on PE: true
                                                      • Associated: 00000000.00000002.853187298.0000000073430000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853222168.0000000073434000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853240329.0000000073436000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73430000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Global$Alloc$Free$ByteCharFromMultiStringVirtualWidelstrcpyn
                                                      • String ID: pYqt@hqt
                                                      • API String ID: 506890080-261047745
                                                      • Opcode ID: 25205495846cc6dfa101aae009a752fd9c243f2a5794d0487cf4220ca6eb35a4
                                                      • Instruction ID: b66d8316a177bfb57d73582dda38f57fb2b30410bad75adb64d6c8d82b357d3d
                                                      • Opcode Fuzzy Hash: 25205495846cc6dfa101aae009a752fd9c243f2a5794d0487cf4220ca6eb35a4
                                                      • Instruction Fuzzy Hash: CF41C371505205DFD30DBF14C844BEAB7F8FF4A310F94822AE949BB186DB305545CBA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 1027 4065f5-406615 GetSystemDirectoryA 1028 406617 1027->1028 1029 406619-40661b 1027->1029 1028->1029 1030 40662b-40662d 1029->1030 1031 40661d-406625 1029->1031 1033 40662e-406660 wsprintfA LoadLibraryExA 1030->1033 1031->1030 1032 406627-406629 1031->1032 1032->1033
                                                      C-Code - Quality: 100%
                                                      			E004065F5(intOrPtr _a4) {
                                                      				char _v292;
                                                      				int _t10;
                                                      				struct HINSTANCE__* _t14;
                                                      				void* _t16;
                                                      				void* _t21;
                                                      
                                                      				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                                                      				if(_t10 > 0x104) {
                                                      					_t10 = 0;
                                                      				}
                                                      				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                                                      					_t16 = 1;
                                                      				} else {
                                                      					_t16 = 0;
                                                      				}
                                                      				_t5 = _t16 + 0x40a014; // 0x5c
                                                      				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                                                      				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                                                      				return _t14;
                                                      			}









                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32 ref: 0040660C
                                                      • wsprintfA.USER32 ref: 00406645
                                                      • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406659
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.834230894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834244274.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004C7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004CF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004D1000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004DF000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                                      • String ID: %s%s.dll$UXTHEME$\
                                                      • API String ID: 2200240437-4240819195
                                                      • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                      • Instruction ID: 9f789840e0b15416ae64874b5c60068ae2f650887ed5db1015d4ebb1f4ad26b2
                                                      • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                      • Instruction Fuzzy Hash: 12F0213051060A67DB14A764DD0DFFB3B5CEB08304F14047EA586F10C1DAB9D5358B5D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 1034 4020a5-4020b1 1035 4020b7-4020cd call 402c39 * 2 1034->1035 1036 40216c-40216e 1034->1036 1045 4020dc-4020ea LoadLibraryExA 1035->1045 1046 4020cf-4020da GetModuleHandleA 1035->1046 1038 4022e5-4022ea call 401423 1036->1038 1044 402ac5-402ad4 1038->1044 1048 4020ec-4020f9 GetProcAddress 1045->1048 1049 402165-402167 1045->1049 1046->1045 1046->1048 1051 402138-40213d call 405378 1048->1051 1052 4020fb-402101 1048->1052 1049->1038 1056 402142-402145 1051->1056 1054 402103-40210f call 401423 1052->1054 1055 40211a-402136 1052->1055 1054->1056 1065 402111-402118 1054->1065 1055->1056 1056->1044 1059 40214b-402153 call 4039dd 1056->1059 1059->1044 1064 402159-402160 FreeLibrary 1059->1064 1064->1044 1065->1056
                                                      C-Code - Quality: 60%
                                                      			E004020A5(void* __ebx, void* __eflags) {
                                                      				struct HINSTANCE__* _t18;
                                                      				struct HINSTANCE__* _t26;
                                                      				void* _t27;
                                                      				struct HINSTANCE__* _t30;
                                                      				CHAR* _t32;
                                                      				intOrPtr* _t33;
                                                      				void* _t34;
                                                      
                                                      				_t27 = __ebx;
                                                      				asm("sbb eax, 0x4524e0");
                                                      				 *(_t34 - 4) = 1;
                                                      				if(__eflags < 0) {
                                                      					_push(0xffffffe7);
                                                      					L15:
                                                      					E00401423();
                                                      					L16:
                                                      					 *0x4524a8 =  *0x4524a8 +  *(_t34 - 4);
                                                      					return 0;
                                                      				}
                                                      				_t32 = E00402C39(0xfffffff0);
                                                      				 *(_t34 + 8) = E00402C39(1);
                                                      				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                                      					L3:
                                                      					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                                      					_t30 = _t18;
                                                      					if(_t30 == _t27) {
                                                      						_push(0xfffffff6);
                                                      						goto L15;
                                                      					}
                                                      					L4:
                                                      					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                                      					if(_t33 == _t27) {
                                                      						E00405378(0xfffffff7,  *(_t34 + 8));
                                                      					} else {
                                                      						 *(_t34 - 4) = _t27;
                                                      						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                                      							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x2000, 0x453000, 0x414478, 0x40a000);
                                                      						} else {
                                                      							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                                      							if( *_t33() != 0) {
                                                      								 *(_t34 - 4) = 1;
                                                      							}
                                                      						}
                                                      					}
                                                      					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004039DD(_t30) != 0) {
                                                      						FreeLibrary(_t30);
                                                      					}
                                                      					goto L16;
                                                      				}
                                                      				_t26 = GetModuleHandleA(_t32); // executed
                                                      				_t30 = _t26;
                                                      				if(_t30 != __ebx) {
                                                      					goto L4;
                                                      				}
                                                      				goto L3;
                                                      			}











                                                      APIs
                                                      • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0
                                                        • Part of subcall function 00405378: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,0042CE48,7476EA30,?,?,?,?,?,?,?,?,?,0040329E,00000000,?), ref: 004053B1
                                                        • Part of subcall function 00405378: lstrlenA.KERNEL32(0040329E,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,0042CE48,7476EA30,?,?,?,?,?,?,?,?,?,0040329E,00000000), ref: 004053C1
                                                        • Part of subcall function 00405378: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,0040329E,0040329E,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,00000000,0042CE48,7476EA30), ref: 004053D4
                                                        • Part of subcall function 00405378: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll), ref: 004053E6
                                                        • Part of subcall function 00405378: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540C
                                                        • Part of subcall function 00405378: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405426
                                                        • Part of subcall function 00405378: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405434
                                                      • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
                                                      • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                      • String ID:
                                                      • API String ID: 2987980305-0
                                                      • Opcode ID: 4d896d60feef8d51983a5fd9c965a027a9da326ffd87c7b41c369c8f77405748
                                                      • Instruction ID: c32ea7a8b3beed88709fb5878bffd466afe3d741a829a911a3d786ad6d955be5
                                                      • Opcode Fuzzy Hash: 4d896d60feef8d51983a5fd9c965a027a9da326ffd87c7b41c369c8f77405748
                                                      • Instruction Fuzzy Hash: 30210831904215F7DF206FA48F4DAAF3A606F45359F20423BF601B61D1DBFD49819A6E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1066 40583e-405889 CreateDirectoryA 1067 40588b-40588d 1066->1067 1068 40588f-40589c GetLastError 1066->1068 1069 4058b6-4058b8 1067->1069 1068->1069 1070 40589e-4058b2 SetFileSecurityA 1068->1070 1070->1067 1071 4058b4 GetLastError 1070->1071 1071->1069
                                                      C-Code - Quality: 100%
                                                      			E0040583E(CHAR* _a4) {
                                                      				struct _SECURITY_ATTRIBUTES _v16;
                                                      				struct _SECURITY_DESCRIPTOR _v36;
                                                      				int _t22;
                                                      				long _t23;
                                                      
                                                      				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                      				_v36.Owner = 0x408384;
                                                      				_v36.Group = 0x408384;
                                                      				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                      				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                      				_v16.lpSecurityDescriptor =  &_v36;
                                                      				_v36.Revision = 1;
                                                      				_v36.Control = 4;
                                                      				_v36.Dacl = 0x408374;
                                                      				_v16.nLength = 0xc;
                                                      				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                                                      				if(_t22 != 0) {
                                                      					L1:
                                                      					return 0;
                                                      				}
                                                      				_t23 = GetLastError();
                                                      				if(_t23 == 0xb7) {
                                                      					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                                      						goto L1;
                                                      					}
                                                      					return GetLastError();
                                                      				}
                                                      				return _t23;
                                                      			}








                                                      APIs
                                                      • CreateDirectoryA.KERNELBASE(?,0000000B,00485000), ref: 00405881
                                                      • GetLastError.KERNEL32 ref: 00405895
                                                      • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004058AA
                                                      • GetLastError.KERNEL32 ref: 004058B4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                      • String ID:
                                                      • API String ID: 3449924974-0
                                                      • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                      • Instruction ID: 2f5b217c954ff7fbb4119b01485a045b77912d3f79ec2e58d5a645a6a403fb95
                                                      • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                      • Instruction Fuzzy Hash: A7010872C00219EAEF00DBA1C944BEFBBB8EF04355F00803AD945B6290E7789658CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 87%
                                                      			E004015BB(char __ebx, void* __eflags) {
                                                      				void* _t13;
                                                      				int _t19;
                                                      				char _t21;
                                                      				void* _t22;
                                                      				char _t23;
                                                      				signed char _t24;
                                                      				char _t26;
                                                      				CHAR* _t28;
                                                      				char* _t32;
                                                      				void* _t33;
                                                      
                                                      				_t26 = __ebx;
                                                      				_t28 = E00402C39(0xfffffff0);
                                                      				_t13 = E00405C82(_t28);
                                                      				_t30 = _t13;
                                                      				if(_t13 != __ebx) {
                                                      					do {
                                                      						_t32 = E00405C14(_t30, 0x5c);
                                                      						_t21 =  *_t32;
                                                      						 *_t32 = _t26;
                                                      						 *((char*)(_t33 + 0xb)) = _t21;
                                                      						if(_t21 != _t26) {
                                                      							L5:
                                                      							_t22 = E004058BB(_t28);
                                                      						} else {
                                                      							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                      							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004058D8(_t39) == 0) {
                                                      								goto L5;
                                                      							} else {
                                                      								_t22 = E0040583E(_t28); // executed
                                                      							}
                                                      						}
                                                      						if(_t22 != _t26) {
                                                      							if(_t22 != 0xb7) {
                                                      								L9:
                                                      								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                      							} else {
                                                      								_t24 = GetFileAttributesA(_t28); // executed
                                                      								if((_t24 & 0x00000010) == 0) {
                                                      									goto L9;
                                                      								}
                                                      							}
                                                      						}
                                                      						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                      						 *_t32 = _t23;
                                                      						_t30 = _t32 + 1;
                                                      					} while (_t23 != _t26);
                                                      				}
                                                      				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                      					_push(0xfffffff5);
                                                      					E00401423();
                                                      				} else {
                                                      					E00401423(0xffffffe6);
                                                      					E00406257("C:\\Users\\jones\\AppData\\Roaming\\Kartoffelprodukterne\\conchinine\\Affaldsproblem", _t28);
                                                      					_t19 = SetCurrentDirectoryA(_t28); // executed
                                                      					if(_t19 == 0) {
                                                      						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                      					}
                                                      				}
                                                      				 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t33 - 4));
                                                      				return 0;
                                                      			}














                                                      APIs
                                                        • Part of subcall function 00405C82: CharNextA.USER32(?,?,00446098,0000000B,00405CEE,00446098,00446098,7476FA90,?,00485000,00405A39,?,7476FA90,00485000,0047B000), ref: 00405C90
                                                        • Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405C95
                                                        • Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405CA9
                                                      • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                        • Part of subcall function 0040583E: CreateDirectoryA.KERNELBASE(?,0000000B,00485000), ref: 00405881
                                                      • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Affaldsproblem,00000000,00000000,000000F0), ref: 0040163C
                                                      Strings
                                                      • C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Affaldsproblem, xrefs: 00401631
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                      • String ID: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Affaldsproblem
                                                      • API String ID: 1892508949-3642180464
                                                      • Opcode ID: f96c9943e173af0214fb6375b7525bcca6f2cae296926ceca95c893e3c776d9f
                                                      • Instruction ID: b8fbfff880949599704ab61e7222ee5c33c04614f7d3c61f622f7c10b59fc28f
                                                      • Opcode Fuzzy Hash: f96c9943e173af0214fb6375b7525bcca6f2cae296926ceca95c893e3c776d9f
                                                      • Instruction Fuzzy Hash: 21110431508141ABDF307BA54D405BF27B49A96324B28453FF9D1B22E3DA3D4942AA3E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405E19(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                      				char _t11;
                                                      				signed int _t12;
                                                      				int _t15;
                                                      				signed int _t17;
                                                      				void* _t20;
                                                      				CHAR* _t21;
                                                      
                                                      				_t21 = _a4;
                                                      				_t20 = 0x64;
                                                      				while(1) {
                                                      					_t11 =  *0x40a3d4; // 0x61736e
                                                      					_t20 = _t20 - 1;
                                                      					_a4 = _t11;
                                                      					_t12 = GetTickCount();
                                                      					_t17 = 0x1a;
                                                      					_a6 = _a6 + _t12 % _t17;
                                                      					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                                                      					if(_t15 != 0) {
                                                      						break;
                                                      					}
                                                      					if(_t20 != 0) {
                                                      						continue;
                                                      					}
                                                      					 *_t21 =  *_t21 & 0x00000000;
                                                      					return _t15;
                                                      				}
                                                      				return _t21;
                                                      			}










                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 00405E2D
                                                      • GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,004033B1,00483000,00485000,00485000,00485000,00485000,00485000,00485000,00403690,?,00000007), ref: 00405E47
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CountFileNameTempTick
                                                      • String ID: nsa
                                                      • API String ID: 1716503409-2209301699
                                                      • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                      • Instruction ID: db84433a099d66a6ad53f3418d19e52f8fbd3804b66164b4918815a523437c08
                                                      • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                      • Instruction Fuzzy Hash: 9CF0A736348208BBEB109F56ED04B9B7B9CDF91B50F10C03BFA84DB180D6B5DA548798
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E73431606(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                      				void* _t37;
                                                      				intOrPtr _t43;
                                                      				void* _t49;
                                                      				void* _t50;
                                                      				void* _t51;
                                                      				void* _t55;
                                                      				void* _t56;
                                                      				signed char _t62;
                                                      				signed int _t64;
                                                      				signed int _t66;
                                                      				struct HINSTANCE__* _t71;
                                                      				void* _t72;
                                                      				void* _t80;
                                                      				void* _t84;
                                                      				void* _t85;
                                                      				void* _t87;
                                                      
                                                      				_t80 = __esi;
                                                      				_t72 = __edi;
                                                      				_t55 = __ebx;
                                                      				 *0x73435040 =  *((intOrPtr*)(_t87 + 8));
                                                      				 *0x7343503c =  *((intOrPtr*)(_t87 + 0x64));
                                                      				 *0x73435038 =  *((intOrPtr*)(_t87 + 0x60));
                                                      				 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x6c)) + 0xc))( *0x73435014, E734312F7, _t84);
                                                      				_push(1);
                                                      				_t37 = E73432288();
                                                      				_t85 = _t37;
                                                      				if(_t85 == 0) {
                                                      					L28:
                                                      					return _t37;
                                                      				} else {
                                                      					if( *((intOrPtr*)(_t85 + 4)) != 1) {
                                                      						E73431EDD(_t85);
                                                      					}
                                                      					E73431F58(_t85);
                                                      					if( *((intOrPtr*)(_t85 + 4)) == 0xffffffff) {
                                                      						L14:
                                                      						if(( *(_t85 + 0x810) & 0x00000004) == 0) {
                                                      							if( *((intOrPtr*)(_t85 + 4)) == 0) {
                                                      								_t37 = E73432128(_t85); // executed
                                                      							} else {
                                                      								_push(_t55);
                                                      								_push(_t80);
                                                      								_push(_t72);
                                                      								_t64 = 8;
                                                      								_t14 = _t85 + 0x818; // 0x818
                                                      								_t56 = _t14;
                                                      								memcpy(_t87 + 0x14, _t56, _t64 << 2);
                                                      								_t43 = E73431E71(_t85, _t87 + 0x30);
                                                      								 *(_t85 + 0x834) =  *(_t85 + 0x834) & 0x00000000;
                                                      								 *((intOrPtr*)(_t85 + 0x820)) = _t43;
                                                      								 *_t56 = 3;
                                                      								E73432128(_t85);
                                                      								_t66 = 8;
                                                      								_t37 = memcpy(_t56, _t87 + 0x28, _t66 << 2);
                                                      							}
                                                      						} else {
                                                      							E73432128(_t85);
                                                      							_t37 = GlobalFree(E7343157E(E734315F4(_t85)));
                                                      						}
                                                      						if( *((intOrPtr*)(_t85 + 4)) != 1) {
                                                      							E73431F1F(_t85);
                                                      							_t62 =  *(_t85 + 0x810);
                                                      							_t37 = _t62;
                                                      							if((_t62 & 0x00000040) != 0 &&  *_t85 == 1) {
                                                      								_t71 =  *(_t85 + 0x808);
                                                      								if(_t71 != 0) {
                                                      									FreeLibrary(_t71);
                                                      									_t37 =  *(_t85 + 0x810);
                                                      								}
                                                      							}
                                                      							if((_t37 & 0x00000020) != 0) {
                                                      								_t37 = E73431558( *0x7343502c);
                                                      							}
                                                      						}
                                                      						if(( *(_t85 + 0x810) & 0x00000002) == 0) {
                                                      							_t37 = GlobalFree(_t85); // executed
                                                      						}
                                                      						goto L28;
                                                      					}
                                                      					_t49 =  *_t85;
                                                      					if(_t49 == 0) {
                                                      						if( *((intOrPtr*)(_t85 + 4)) != 1) {
                                                      							goto L14;
                                                      						}
                                                      						E73432E4F(_t85);
                                                      						L12:
                                                      						_t85 = _t49;
                                                      						L13:
                                                      						goto L14;
                                                      					}
                                                      					_t50 = _t49 - 1;
                                                      					if(_t50 == 0) {
                                                      						L8:
                                                      						_t49 = E73432BC4(_t85); // executed
                                                      						goto L12;
                                                      					}
                                                      					_t51 = _t50 - 1;
                                                      					if(_t51 == 0) {
                                                      						_push(_t85);
                                                      						E73431774();
                                                      						goto L13;
                                                      					}
                                                      					if(_t51 != 1) {
                                                      						goto L14;
                                                      					}
                                                      					goto L8;
                                                      				}
                                                      			}




















                                                      APIs
                                                        • Part of subcall function 73432288: GlobalFree.KERNEL32 ref: 73432901
                                                        • Part of subcall function 73432288: GlobalFree.KERNEL32 ref: 73432907
                                                        • Part of subcall function 73432288: GlobalFree.KERNEL32 ref: 7343290D
                                                      • GlobalFree.KERNEL32 ref: 734316B8
                                                      • FreeLibrary.KERNEL32(?), ref: 73431743
                                                      • GlobalFree.KERNELBASE(00000000), ref: 73431769
                                                        • Part of subcall function 73431EDD: GlobalAlloc.KERNEL32(00000040,?), ref: 73431F0C
                                                        • Part of subcall function 73431774: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,73431688,00000000), ref: 73431817
                                                        • Part of subcall function 73431E71: wsprintfA.USER32 ref: 73431EA4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.853199298.0000000073431000.00000020.00000001.01000000.00000004.sdmp, Offset: 73430000, based on PE: true
                                                      • Associated: 00000000.00000002.853187298.0000000073430000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853222168.0000000073434000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853240329.0000000073436000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73430000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Global$Free$Alloc$Librarywsprintf
                                                      • String ID:
                                                      • API String ID: 3962662361-0
                                                      • Opcode ID: 7b08d5caf9e75b74754fb95457ff89cb992b4544985db001a8214aeb1d402678
                                                      • Instruction ID: 3dda993b3a92b7d677f71fcf93d485a5449543809454add4ac219fa596217568
                                                      • Opcode Fuzzy Hash: 7b08d5caf9e75b74754fb95457ff89cb992b4544985db001a8214aeb1d402678
                                                      • Instruction Fuzzy Hash: EE41AE7240030DAFDB5DBF68D944BDA37FDBB0A210F988019E90B7B291CB359545CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 59%
                                                      			E00401B87(void* __ebx, void* __edx) {
                                                      				intOrPtr _t7;
                                                      				void* _t8;
                                                      				void _t11;
                                                      				void* _t13;
                                                      				void* _t21;
                                                      				void* _t24;
                                                      				void* _t30;
                                                      				void* _t33;
                                                      				void* _t34;
                                                      				void* _t37;
                                                      
                                                      				_t27 = __ebx;
                                                      				_t7 =  *((intOrPtr*)(_t37 - 0x20));
                                                      				_t30 =  *0x414478; // 0x0
                                                      				if(_t7 == __ebx) {
                                                      					if(__edx == __ebx) {
                                                      						_t8 = GlobalAlloc(0x40, 0x2004); // executed
                                                      						_t34 = _t8;
                                                      						_t4 = _t34 + 4; // 0x4
                                                      						E004062EA(__ebx, _t30, _t34, _t4,  *((intOrPtr*)(_t37 - 0x28)));
                                                      						_t11 =  *0x414478; // 0x0
                                                      						 *_t34 = _t11;
                                                      						 *0x414478 = _t34;
                                                      					} else {
                                                      						if(_t30 == __ebx) {
                                                      							 *((intOrPtr*)(_t37 - 4)) = 1;
                                                      						} else {
                                                      							_t2 = _t30 + 4; // 0x4
                                                      							E00406257(_t33, _t2);
                                                      							_push(_t30);
                                                      							 *0x414478 =  *_t30;
                                                      							GlobalFree();
                                                      						}
                                                      					}
                                                      					goto L15;
                                                      				} else {
                                                      					while(1) {
                                                      						_t7 = _t7 - 1;
                                                      						if(_t30 == _t27) {
                                                      							break;
                                                      						}
                                                      						_t30 =  *_t30;
                                                      						if(_t7 != _t27) {
                                                      							continue;
                                                      						} else {
                                                      							if(_t30 == _t27) {
                                                      								break;
                                                      							} else {
                                                      								_t32 = _t30 + 4;
                                                      								E00406257(0x40a438, _t30 + 4);
                                                      								_t21 =  *0x414478; // 0x0
                                                      								E00406257(_t32, _t21 + 4);
                                                      								_t24 =  *0x414478; // 0x0
                                                      								_push(0x40a438);
                                                      								_push(_t24 + 4);
                                                      								E00406257();
                                                      								L15:
                                                      								 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t37 - 4));
                                                      								_t13 = 0;
                                                      							}
                                                      						}
                                                      						goto L17;
                                                      					}
                                                      					_push(0x200010);
                                                      					_push(E004062EA(_t27, _t30, _t33, _t27, 0xffffffe8));
                                                      					E0040596D();
                                                      					_t13 = 0x7fffffff;
                                                      				}
                                                      				L17:
                                                      				return _t13;
                                                      			}














                                                      APIs
                                                      • GlobalFree.KERNEL32 ref: 00401BF6
                                                      • GlobalAlloc.KERNELBASE(00000040,00002004), ref: 00401C08
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Global$AllocFree
                                                      • String ID: Call
                                                      • API String ID: 3394109436-1824292864
                                                      • Opcode ID: a31a6be7fca0968fe9806efd2bfa1918220cde2892acf27b58bb84d4507dc5d8
                                                      • Instruction ID: d2b80980e39293206c5e6d60a34a0b6bee3a2bd2daddf4a89311edae202359af
                                                      • Opcode Fuzzy Hash: a31a6be7fca0968fe9806efd2bfa1918220cde2892acf27b58bb84d4507dc5d8
                                                      • Instruction Fuzzy Hash: 3E215E72600100A7E720FBA4DD89D9E73A59B89319B25443FF152F72D1D77CD8518B2D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                      
                                                      				 *0x73435014 = _a4;
                                                      				if(_a8 == 1) {
                                                      					VirtualProtect(0x7343501c, 4, 0x40, 0x73435034); // executed
                                                      					 *0x7343501c = 0xc2;
                                                      					 *0x73435034 = 0;
                                                      					 *0x73435030 = 0;
                                                      					 *0x7343502c = 0;
                                                      					 *0x73435028 = 0;
                                                      					 *0x73435024 = 0;
                                                      					 *0x73435020 = 0;
                                                      					 *0x7343501e = 0;
                                                      				}
                                                      				return 1;
                                                      			}




                                                      APIs
                                                      • VirtualProtect.KERNELBASE(7343501C,00000004,00000040,73435034), ref: 734319E5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.853199298.0000000073431000.00000020.00000001.01000000.00000004.sdmp, Offset: 73430000, based on PE: true
                                                      • Associated: 00000000.00000002.853187298.0000000073430000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853222168.0000000073434000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853240329.0000000073436000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73430000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID: `gqt
                                                      • API String ID: 544645111-917899304
                                                      • Opcode ID: d5507a1626bdefca30dc99fdad4d3ad5ca33b99711b609fe994b7b41863224a5
                                                      • Instruction ID: feb3bd0d91388039fcafc292e8f4b94210a9fc7994359f9ebcef59a0389d79a5
                                                      • Opcode Fuzzy Hash: d5507a1626bdefca30dc99fdad4d3ad5ca33b99711b609fe994b7b41863224a5
                                                      • Instruction Fuzzy Hash: 06F098F6A19340DAC31CBF1AA5457893EF0A71D345B6045AEF6ADBB341C33281009B9E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 53%
                                                      			E00405CD7(void* __eflags, intOrPtr _a4) {
                                                      				int _t11;
                                                      				signed char* _t12;
                                                      				long _t16;
                                                      				intOrPtr _t18;
                                                      				intOrPtr* _t21;
                                                      				void* _t22;
                                                      
                                                      				E00406257(0x446098, _a4);
                                                      				_t21 = E00405C82(0x446098);
                                                      				if(_t21 != 0) {
                                                      					E00406535(_t21);
                                                      					if(( *0x452438 & 0x00000080) == 0) {
                                                      						L5:
                                                      						_t22 = _t21 - 0x446098;
                                                      						while(1) {
                                                      							_t11 = lstrlenA(0x446098);
                                                      							_push(0x446098);
                                                      							if(_t11 <= _t22) {
                                                      								break;
                                                      							}
                                                      							_t12 = E004065CE();
                                                      							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                      								E00405C30(0x446098);
                                                      								continue;
                                                      							} else {
                                                      								goto L1;
                                                      							}
                                                      						}
                                                      						E00405BE9();
                                                      						_t16 = GetFileAttributesA(??); // executed
                                                      						return 0 | _t16 != 0xffffffff;
                                                      					}
                                                      					_t18 =  *_t21;
                                                      					if(_t18 == 0 || _t18 == 0x5c) {
                                                      						goto L1;
                                                      					} else {
                                                      						goto L5;
                                                      					}
                                                      				}
                                                      				L1:
                                                      				return 0;
                                                      			}










                                                      APIs
                                                        • Part of subcall function 00406257: lstrcpynA.KERNEL32(0000000B,0000000B,00002000,00403556,0044E420,NSIS Error,?,00000007,00000009,0000000B), ref: 00406264
                                                        • Part of subcall function 00405C82: CharNextA.USER32(?,?,00446098,0000000B,00405CEE,00446098,00446098,7476FA90,?,00485000,00405A39,?,7476FA90,00485000,0047B000), ref: 00405C90
                                                        • Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405C95
                                                        • Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405CA9
                                                      • lstrlenA.KERNEL32(00446098,00000000,00446098,00446098,7476FA90,?,00485000,00405A39,?,7476FA90,00485000,0047B000), ref: 00405D2A
                                                      • GetFileAttributesA.KERNELBASE(00446098,00446098,00446098,00446098,00446098,00446098,00000000,00446098,00446098,7476FA90,?,00485000,00405A39,?,7476FA90,00485000), ref: 00405D3A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                      • String ID:
                                                      • API String ID: 3248276644-0
                                                      • Opcode ID: d5ae26ad5e185ccb9d41ab4008376a2a7eec6025898b03740fa4c655be68b4f9
                                                      • Instruction ID: ca67251d285f136759c69e236b036a1895e73ffa9f1d75b438997b26ec9dd8f6
                                                      • Opcode Fuzzy Hash: d5ae26ad5e185ccb9d41ab4008376a2a7eec6025898b03740fa4c655be68b4f9
                                                      • Instruction Fuzzy Hash: 12F02825108F6526E72632391D09AAF0A45CE93324719453FFCA2B62C2DA3C89429E6E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 59%
                                                      			E00401389(signed int _a4) {
                                                      				intOrPtr* _t6;
                                                      				void* _t8;
                                                      				void* _t10;
                                                      				signed int _t11;
                                                      				void* _t12;
                                                      				signed int _t16;
                                                      				signed int _t17;
                                                      				void* _t18;
                                                      
                                                      				_t17 = _a4;
                                                      				while(_t17 >= 0) {
                                                      					_t6 = _t17 * 0x1c +  *0x452450;
                                                      					if( *_t6 == 1) {
                                                      						break;
                                                      					}
                                                      					_push(_t6); // executed
                                                      					_t8 = E00401434(); // executed
                                                      					if(_t8 == 0x7fffffff) {
                                                      						return 0x7fffffff;
                                                      					}
                                                      					_t10 = E0040136D(_t8);
                                                      					if(_t10 != 0) {
                                                      						_t11 = _t10 - 1;
                                                      						_t16 = _t17;
                                                      						_t17 = _t11;
                                                      						_t12 = _t11 - _t16;
                                                      					} else {
                                                      						_t12 = _t10 + 1;
                                                      						_t17 = _t17 + 1;
                                                      					}
                                                      					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                      						 *0x44e40c =  *0x44e40c + _t12;
                                                      						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x44e40c, 0x7530,  *0x44e3f4), 0); // executed
                                                      					}
                                                      				}
                                                      				return 0;
                                                      			}












                                                      APIs
                                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 8ffdd9807c9e9fea2b97bbb89bab772424fd2da09bf17e16083ab72da1b50c14
                                                      • Instruction ID: 797ac5eab5bd55ce3963157cabd24902f5215075ef1b0f0e1f2fe658c051a2dc
                                                      • Opcode Fuzzy Hash: 8ffdd9807c9e9fea2b97bbb89bab772424fd2da09bf17e16083ab72da1b50c14
                                                      • Instruction Fuzzy Hash: 0A01D1316242209BE7094B399D08B2A3798F711318F10823FB851F61F1D678CC129B4C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00401A1E(char __ebx) {
                                                      				CHAR* _t7;
                                                      				long _t8;
                                                      				char _t12;
                                                      				CHAR* _t17;
                                                      				void* _t19;
                                                      
                                                      				_t12 = __ebx;
                                                      				_t7 = E00402C39(1);
                                                      				 *(_t19 + 8) = _t7;
                                                      				_t8 = ExpandEnvironmentStringsA(_t7, _t17, 0x2000); // executed
                                                      				if(_t8 == 0 ||  *((intOrPtr*)(_t19 - 0x20)) != __ebx && lstrcmpA( *(_t19 + 8), _t17) == 0) {
                                                      					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                      					 *_t17 = _t12;
                                                      				}
                                                      				_t17[0x1fff] = _t12;
                                                      				 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t19 - 4));
                                                      				return 0;
                                                      			}









                                                      APIs
                                                      • ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00002000,00000001), ref: 00401A31
                                                      • lstrcmpA.KERNEL32(?,?,?,00002000,00000001), ref: 00401A44
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: EnvironmentExpandStringslstrcmp
                                                      • String ID:
                                                      • API String ID: 1938659011-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ShowWindow.USER32(00000000,00000000), ref: 00401EE3
                                                      • EnableWindow.USER32(00000000,00000000), ref: 00401EEE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Window$EnableShow
                                                      • String ID:
                                                      • API String ID: 1136574915-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00406663(signed int _a4) {
                                                      				struct HINSTANCE__* _t5;
                                                      				signed int _t10;
                                                      
                                                      				_t10 = _a4 << 3;
                                                      				_t8 =  *(_t10 + 0x40a240);
                                                      				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
                                                      				if(_t5 != 0) {
                                                      					L2:
                                                      					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
                                                      				}
                                                      				_t5 = E004065F5(_t8); // executed
                                                      				if(_t5 == 0) {
                                                      					return 0;
                                                      				}
                                                      				goto L2;
                                                      			}






                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(?,00000000,?,004034F5,0000000B), ref: 00406675
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00406690
                                                        • Part of subcall function 004065F5: GetSystemDirectoryA.KERNEL32 ref: 0040660C
                                                        • Part of subcall function 004065F5: wsprintfA.USER32 ref: 00406645
                                                        • Part of subcall function 004065F5: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406659
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                      • String ID:
                                                      • API String ID: 2547128583-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 68%
                                                      			E00405DEA(CHAR* _a4, long _a8, long _a12) {
                                                      				signed int _t5;
                                                      				void* _t6;
                                                      
                                                      				_t5 = GetFileAttributesA(_a4); // executed
                                                      				asm("sbb ecx, ecx");
                                                      				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                      				return _t6;
                                                      			}






                                                      APIs
                                                      • GetFileAttributesA.KERNELBASE(00000003,00402F4C,00489000,80000000,00000003,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405DEE
                                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405E10
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: File$AttributesCreate
                                                      • String ID:
                                                      • API String ID: 415043291-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405DC5(CHAR* _a4) {
                                                      				signed char _t3;
                                                      				signed char _t7;
                                                      
                                                      				_t3 = GetFileAttributesA(_a4); // executed
                                                      				_t7 = _t3;
                                                      				if(_t7 != 0xffffffff) {
                                                      					SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                                      				}
                                                      				return _t7;
                                                      			}






                                                      APIs
                                                      • GetFileAttributesA.KERNELBASE(?,?,004059DD,?,?,00000000,00405BC0,?,?,?,?), ref: 00405DCA
                                                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DDE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004058BB(CHAR* _a4) {
                                                      				int _t2;
                                                      
                                                      				_t2 = CreateDirectoryA(_a4, 0); // executed
                                                      				if(_t2 == 0) {
                                                      					return GetLastError();
                                                      				}
                                                      				return 0;
                                                      			}





                                                      APIs
                                                      • CreateDirectoryA.KERNELBASE(?,00000000,004033A6,00485000,00485000,00485000,00485000,00485000,00403690,?,00000007,00000009,0000000B), ref: 004058C1
                                                      • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058CF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CreateDirectoryErrorLast
                                                      • String ID:
                                                      • API String ID: 1375471231-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 32%
                                                      			E73432BC4(intOrPtr _a4) {
                                                      				signed int _v8;
                                                      				void* __ebx;
                                                      				void* _t28;
                                                      				void* _t29;
                                                      				int _t33;
                                                      				void* _t37;
                                                      				void* _t44;
                                                      				void* _t47;
                                                      				signed int _t53;
                                                      				void* _t58;
                                                      				intOrPtr _t64;
                                                      				intOrPtr _t67;
                                                      				signed int _t72;
                                                      				intOrPtr _t74;
                                                      				intOrPtr _t75;
                                                      				signed int _t78;
                                                      				void* _t80;
                                                      				void* _t81;
                                                      				void* _t82;
                                                      				void* _t83;
                                                      				intOrPtr _t86;
                                                      				intOrPtr _t87;
                                                      
                                                      				if( *0x73435024 != 0 && E73431B3E(_a4) == 0) {
                                                      					 *0x73435030 = _t86;
                                                      					if( *0x73435034 != 0) {
                                                      						_t86 =  *0x73435034;
                                                      					} else {
                                                      						E73433100(E73431BA7());
                                                      						 *0x73435034 = _t86;
                                                      					}
                                                      				}
                                                      				_t28 = E73431BAD(_a4);
                                                      				_t87 = _t86 + 4;
                                                      				if(_t28 <= 0) {
                                                      					L9:
                                                      					_t29 = E73431B38();
                                                      					_t67 = _a4;
                                                      					_t74 =  *0x73435028;
                                                      					 *((intOrPtr*)(_t29 + _t67)) = _t74;
                                                      					 *0x73435028 = _t67;
                                                      					E73431BBE();
                                                      					_t33 = ReadFile(??, ??, ??, ??, ??); // executed
                                                      					 *0x73435000 = _t33;
                                                      					 *0x73435004 = _t74;
                                                      					if( *0x73435024 != 0 && E73431B3E( *0x73435028) == 0) {
                                                      						 *0x73435034 = _t87;
                                                      						_t87 =  *0x73435030;
                                                      					}
                                                      					_t75 =  *0x73435028;
                                                      					_a4 = _t75;
                                                      					 *0x73435028 =  *((intOrPtr*)(E73431B38() + _t75));
                                                      					_t37 = E73431B2A(_t75);
                                                      					_pop(_t76);
                                                      					if(_t37 != 0) {
                                                      						_t37 = E73431BAD(_t76);
                                                      						if(_t37 > 0) {
                                                      							_push(_t37);
                                                      							_push(E73431BB8() + _a4 + _v8);
                                                      							_push(E73431BC8());
                                                      							if( *0x73435024 <= 0 || E73431B3E(_a4) != 0) {
                                                      								_pop(_t81);
                                                      								_pop(_t44);
                                                      								if( *((intOrPtr*)(_t44 + _t81)) == 2) {
                                                      								}
                                                      								_pop(_t76);
                                                      								_t37 = _t44 + _v8;
                                                      								asm("loop 0xfffffff5");
                                                      							} else {
                                                      								_pop(_t82);
                                                      								_pop(_t47);
                                                      								_t78 =  *(_t47 + _t82);
                                                      								_t64 =  *0x73435034;
                                                      								_t76 = _t64 + _t78 * 4;
                                                      								 *0x73435034 = _t64 + _t78 * 4;
                                                      								_t37 = _t47 + _v8;
                                                      								asm("loop 0xffffffeb");
                                                      							}
                                                      						}
                                                      					}
                                                      					if( *0x73435028 == 0) {
                                                      						 *0x73435034 = 0;
                                                      					}
                                                      					E73432B72(_t37, _t64, _t76, _a4,  *0x73435000,  *0x73435004);
                                                      					return _a4;
                                                      				}
                                                      				_push(E73431BB8() + _a4);
                                                      				_t53 = E73431BC4();
                                                      				_v8 = _t53;
                                                      				_t72 = _t28;
                                                      				_push(_t65 + _t53 * _t72);
                                                      				_t64 = E73431C27();
                                                      				_t80 = E73431C23();
                                                      				_t83 = E73431BC8();
                                                      				_t58 = _t72;
                                                      				if( *((intOrPtr*)(_t58 + _t83)) == 2) {
                                                      					_push( *((intOrPtr*)(_t58 + _t64)));
                                                      				}
                                                      				_push( *((intOrPtr*)(_t58 + _t80)));
                                                      				asm("loop 0xfffffff1");
                                                      				goto L9;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.853199298.0000000073431000.00000020.00000001.01000000.00000004.sdmp, Offset: 73430000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73430000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004023A4(int __eax, CHAR* __ebx) {
                                                      				CHAR* _t11;
                                                      				void* _t13;
                                                      				CHAR* _t14;
                                                      				void* _t18;
                                                      				int _t22;
                                                      
                                                      				_t11 = __ebx;
                                                      				_t5 = __eax;
                                                      				_t14 = 0;
                                                      				if(__eax != __ebx) {
                                                      					__eax = E00402C39(__ebx);
                                                      				}
                                                      				if(_t13 != _t11) {
                                                      					_t14 = E00402C39(0x11);
                                                      				}
                                                      				if( *((intOrPtr*)(_t18 - 0x18)) != _t11) {
                                                      					_t11 = E00402C39(0x22);
                                                      				}
                                                      				_t5 = WritePrivateProfileStringA(0, _t14, _t11, E00402C39(0xffffffcd)); // executed
                                                      				_t22 = _t5;
                                                      				if(_t22 == 0) {
                                                      					 *((intOrPtr*)(_t18 - 4)) = 1;
                                                      				}
                                                      				 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t18 - 4));
                                                      				return 0;
                                                      			}

                                                      APIs
                                                      • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004023DD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: PrivateProfileStringWrite
                                                      • String ID:
                                                      • API String ID: 390214022-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405E62(void* _a4, void* _a8, long _a12) {
                                                      				int _t7;
                                                      				long _t11;
                                                      
                                                      				_t11 = _a12;
                                                      				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                      				if(_t7 == 0 || _t11 != _a12) {
                                                      					return 0;
                                                      				} else {
                                                      					return 1;
                                                      				}
                                                      			}

                                                      APIs
                                                      • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403368,00000000,00000000,00403192,000000FF,00000004,00000000,00000000,00000000), ref: 00405E76
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405E91(void* _a4, void* _a8, long _a12) {
                                                      				int _t7;
                                                      				long _t11;
                                                      
                                                      				_t11 = _a12;
                                                      				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                      				if(_t7 == 0 || _t11 != _a12) {
                                                      					return 0;
                                                      				} else {
                                                      					return 1;
                                                      				}
                                                      			}

                                                      APIs
                                                      • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040331E,00000000,00426048,000000FF,00426048,000000FF,000000FF,00000004,00000000), ref: 00405EA5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: FileWrite
                                                      • String ID:
                                                      • API String ID: 3934441357-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040159D() {
                                                      				int _t5;
                                                      				void* _t11;
                                                      				int _t14;
                                                      
                                                      				_t5 = SetFileAttributesA(E00402C39(0xfffffff0),  *(_t11 - 0x24)); // executed
                                                      				_t14 = _t5;
                                                      				if(_t14 == 0) {
                                                      					 *((intOrPtr*)(_t11 - 4)) = 1;
                                                      				}
                                                      				 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t11 - 4));
                                                      				return 0;
                                                      			}







                                                      APIs
                                                      • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: 6ce9327642b8d76c7b9329243de9c577ec63afb95fe4f0e80cbb09353725cb6d
                                                      • Instruction ID: e4c96a1e4e3d7fafacf821d9605d951cf466c31607fdae1070ddd011c57cfc7f
                                                      • Opcode Fuzzy Hash: 6ce9327642b8d76c7b9329243de9c577ec63afb95fe4f0e80cbb09353725cb6d
                                                      • Instruction Fuzzy Hash: 4DD01232B14104DBDB10DFA5AB0899E73A4DB55325B308577E101F21D1D6B9D9409B3D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00404320(int _a4) {
                                                      				struct HWND__* _t2;
                                                      				long _t3;
                                                      
                                                      				_t2 =  *0x44e3f8;
                                                      				if(_t2 != 0) {
                                                      					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
                                                      					return _t3;
                                                      				}
                                                      				return _t2;
                                                      			}






                                                      APIs
                                                      • SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00404332
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: f50e63b132b24878aef5dc53f281ae586e67706c8815a59119a5f52f37cdf5c1
                                                      • Instruction ID: f33369c0959fc2f31fb2d94020f8cc99ded583a01a7fd26deb419bde1f84e5de
                                                      • Opcode Fuzzy Hash: f50e63b132b24878aef5dc53f281ae586e67706c8815a59119a5f52f37cdf5c1
                                                      • Instruction Fuzzy Hash: 52C09B757447017FEA159F619D45F077798B760B01F1544397750F70D0C674D410D61C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040336B(long _a4) {
                                                      				long _t2;
                                                      
                                                      				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                      				return _t2;
                                                      			}




                                                      0x00403379
                                                      0x0040337f

                                                      APIs
                                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004030D1,?,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00403379
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                      • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                      • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                      • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00404309(int _a4) {
                                                      				long _t2;
                                                      
                                                      				_t2 = SendMessageA( *0x452428, 0x28, _a4, 1); // executed
                                                      				return _t2;
                                                      			}




                                                      0x00404317
                                                      0x0040431d

                                                      APIs
                                                      • SendMessageA.USER32(00000028,?,00000001,00404139), ref: 00404317
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: c30535afd169c14e8b4d040e998dc10ef2daf8ec42941babfa575ffd1ce924aa
                                                      • Instruction ID: 9ea9f7192fe415255892c7c1483d18bd9fbebf719f850706ff9b0d6542640036
                                                      • Opcode Fuzzy Hash: c30535afd169c14e8b4d040e998dc10ef2daf8ec42941babfa575ffd1ce924aa
                                                      • Instruction Fuzzy Hash: E5B09236184A00ABDA124B10DE09F497A62A769702F008029B240250B0CAB240A0EB28
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E004042F6(int _a4) {
                                                      				int _t2;
                                                      
                                                      				_t2 = EnableWindow( *0x43c08c, _a4); // executed
                                                      				return _t2;
                                                      			}




                                                      0x00404300
                                                      0x00404306

                                                      APIs
                                                      • KiUserCallbackDispatcher.NTDLL(?,004040D2), ref: 00404300
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CallbackDispatcherUser
                                                      • String ID:
                                                      • API String ID: 2492992576-0
                                                      • Opcode ID: 85b1628437d6bc2e0a85985499539ad5df80abf1265e93d00aa480f3fdb0d289
                                                      • Instruction ID: 9ba761fd450edde39ad44ae3507cba1171b2616f218c63448c15d7f08a3949a3
                                                      • Opcode Fuzzy Hash: 85b1628437d6bc2e0a85985499539ad5df80abf1265e93d00aa480f3fdb0d289
                                                      • Instruction Fuzzy Hash: 87A00275444540DBCB055B50EF44D067B71A794701711D579A1459103487715460EB19
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405C14(CHAR* _a4, intOrPtr _a8) {
                                                      				CHAR* _t3;
                                                      				char _t4;
                                                      
                                                      				_t3 = _a4;
                                                      				while(1) {
                                                      					_t4 =  *_t3;
                                                      					if(_t4 == 0) {
                                                      						break;
                                                      					}
                                                      					if(_t4 != _a8) {
                                                      						_t3 = CharNextA(_t3); // executed
                                                      						continue;
                                                      					}
                                                      					break;
                                                      				}
                                                      				return _t3;
                                                      			}






                                                      APIs
                                                      • CharNextA.USER32(?,0040358F,0047B000,00000020,0047B000,00000000,?,00000007,00000009,0000000B), ref: 00405C21
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CharNext
                                                      • String ID:
                                                      • API String ID: 3213498283-0
                                                      • Opcode ID: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
                                                      • Instruction ID: b65ab0c2cf377467232547e2c8a82135aa839202298dd0285218b0655e624db8
                                                      • Opcode Fuzzy Hash: 1083c57b7f4745178c71a6651c3ca9c923e8efe26efc9521b350556c87d1c9f6
                                                      • Instruction Fuzzy Hash: 3EC0807040CF4067E510571056248677FE0EAA2700F244C5AF0C163150C23458408F29
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E734312C6() {
                                                      				void* _t1;
                                                      
                                                      				_t1 = GlobalAlloc(0x40,  *0x73435040); // executed
                                                      				return _t1;
                                                      			}





                                                      APIs
                                                      • GlobalAlloc.KERNELBASE(00000040,734311C4,-000000A0), ref: 734312CE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.853199298.0000000073431000.00000020.00000001.01000000.00000004.sdmp, Offset: 73430000, based on PE: true
                                                      • Associated: 00000000.00000002.853187298.0000000073430000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853222168.0000000073434000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853240329.0000000073436000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73430000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: AllocGlobal
                                                      • String ID:
                                                      • API String ID: 3761449716-0
                                                      • Opcode ID: 48eeb393e446af0a35c45c28657cd1f534ffeb4a042d4fc162d5f62706590046
                                                      • Instruction ID: ce232cb03d3e158afb14cd066f437d0a81431b1edbe96702d4f3f930b1cbc373
                                                      • Opcode Fuzzy Hash: 48eeb393e446af0a35c45c28657cd1f534ffeb4a042d4fc162d5f62706590046
                                                      • Instruction Fuzzy Hash: CAA001B26401109ADE496A92AA1AB983AB1B744705F740084E3097A191866A00109A55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 78%
                                                      			E00404766(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                      				signed int _v8;
                                                      				signed int _v12;
                                                      				long _v16;
                                                      				long _v20;
                                                      				long _v24;
                                                      				char _v28;
                                                      				intOrPtr _v32;
                                                      				long _v36;
                                                      				char _v40;
                                                      				unsigned int _v44;
                                                      				signed int _v48;
                                                      				CHAR* _v56;
                                                      				intOrPtr _v60;
                                                      				intOrPtr _v64;
                                                      				intOrPtr _v68;
                                                      				CHAR* _v72;
                                                      				void _v76;
                                                      				struct HWND__* _v80;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				intOrPtr _t82;
                                                      				long _t87;
                                                      				signed char* _t89;
                                                      				void* _t95;
                                                      				signed int _t96;
                                                      				int _t109;
                                                      				signed char _t114;
                                                      				signed int _t118;
                                                      				struct HWND__** _t122;
                                                      				intOrPtr* _t138;
                                                      				CHAR* _t146;
                                                      				unsigned int _t150;
                                                      				signed int _t152;
                                                      				unsigned int _t156;
                                                      				signed int _t158;
                                                      				signed int* _t159;
                                                      				signed char* _t160;
                                                      				struct HWND__* _t165;
                                                      				struct HWND__* _t166;
                                                      				int _t168;
                                                      				unsigned int _t197;
                                                      
                                                      				_t156 = __edx;
                                                      				_t82 =  *0x438068; // 0x66851c
                                                      				_v32 = _t82;
                                                      				_t146 = ( *(_t82 + 0x3c) << 0xd) + 0x453000;
                                                      				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                      				if(_a8 == 0x40b) {
                                                      					E00405951(0x3fb, _t146);
                                                      					E00406535(_t146);
                                                      				}
                                                      				_t166 = _a4;
                                                      				if(_a8 != 0x110) {
                                                      					L8:
                                                      					if(_a8 != 0x111) {
                                                      						L20:
                                                      						if(_a8 == 0x40f) {
                                                      							L22:
                                                      							_v8 = _v8 & 0x00000000;
                                                      							_v12 = _v12 & 0x00000000;
                                                      							E00405951(0x3fb, _t146);
                                                      							if(E00405CD7(_t185, _t146) == 0) {
                                                      								_v8 = 1;
                                                      							}
                                                      							E00406257(0x434060, _t146);
                                                      							_t87 = E00406663(1);
                                                      							_v16 = _t87;
                                                      							if(_t87 == 0) {
                                                      								L30:
                                                      								E00406257(0x434060, _t146);
                                                      								_t89 = E00405C82(0x434060);
                                                      								_t158 = 0;
                                                      								if(_t89 != 0) {
                                                      									 *_t89 =  *_t89 & 0x00000000;
                                                      								}
                                                      								if(GetDiskFreeSpaceA(0x434060,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                      									goto L35;
                                                      								} else {
                                                      									_t168 = 0x400;
                                                      									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                      									asm("cdq");
                                                      									_v48 = _t109;
                                                      									_v44 = _t156;
                                                      									_v12 = 1;
                                                      									goto L36;
                                                      								}
                                                      							} else {
                                                      								_t159 = 0;
                                                      								if(0 == 0x434060) {
                                                      									goto L30;
                                                      								} else {
                                                      									goto L26;
                                                      								}
                                                      								while(1) {
                                                      									L26:
                                                      									_t114 = _v16(0x434060,  &_v48,  &_v28,  &_v40);
                                                      									if(_t114 != 0) {
                                                      										break;
                                                      									}
                                                      									if(_t159 != 0) {
                                                      										 *_t159 =  *_t159 & _t114;
                                                      									}
                                                      									_t160 = E00405C30(0x434060);
                                                      									 *_t160 =  *_t160 & 0x00000000;
                                                      									_t159 = _t160 - 1;
                                                      									 *_t159 = 0x5c;
                                                      									if(_t159 != 0x434060) {
                                                      										continue;
                                                      									} else {
                                                      										goto L30;
                                                      									}
                                                      								}
                                                      								_t150 = _v44;
                                                      								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                      								_v44 = _t150 >> 0xa;
                                                      								_v12 = 1;
                                                      								_t158 = 0;
                                                      								__eflags = 0;
                                                      								L35:
                                                      								_t168 = 0x400;
                                                      								L36:
                                                      								_t95 = E00404BFA(5);
                                                      								if(_v12 != _t158) {
                                                      									_t197 = _v44;
                                                      									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                      										_v8 = 2;
                                                      									}
                                                      								}
                                                      								if( *((intOrPtr*)( *0x44e3fc + 0x10)) != _t158) {
                                                      									E00404BE2(0x3ff, 0xfffffffb, _t95);
                                                      									if(_v12 == _t158) {
                                                      										SetDlgItemTextA(_a4, _t168, 0x434050);
                                                      									} else {
                                                      										E00404B1D(_t168, 0xfffffffc, _v48, _v44);
                                                      									}
                                                      								}
                                                      								_t96 = _v8;
                                                      								 *0x4524c4 = _t96;
                                                      								if(_t96 == _t158) {
                                                      									_v8 = E0040140B(7);
                                                      								}
                                                      								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                      									_v8 = _t158;
                                                      								}
                                                      								E004042F6(0 | _v8 == _t158);
                                                      								if(_v8 == _t158 &&  *0x43c080 == _t158) {
                                                      									E004046BF();
                                                      								}
                                                      								 *0x43c080 = _t158;
                                                      								goto L53;
                                                      							}
                                                      						}
                                                      						_t185 = _a8 - 0x405;
                                                      						if(_a8 != 0x405) {
                                                      							goto L53;
                                                      						}
                                                      						goto L22;
                                                      					}
                                                      					_t118 = _a12 & 0x0000ffff;
                                                      					if(_t118 != 0x3fb) {
                                                      						L12:
                                                      						if(_t118 == 0x3e9) {
                                                      							_t152 = 7;
                                                      							memset( &_v76, 0, _t152 << 2);
                                                      							_v80 = _t166;
                                                      							_v72 = 0x43c090;
                                                      							_v60 = E00404AB7;
                                                      							_v56 = _t146;
                                                      							_v68 = E004062EA(_t146, 0x43c090, _t166, 0x436068, _v12);
                                                      							_t122 =  &_v80;
                                                      							_v64 = 0x41;
                                                      							__imp__SHBrowseForFolderA(_t122);
                                                      							if(_t122 == 0) {
                                                      								_a8 = 0x40f;
                                                      							} else {
                                                      								__imp__CoTaskMemFree(_t122);
                                                      								E00405BE9(_t146);
                                                      								_t125 =  *((intOrPtr*)( *0x452430 + 0x11c));
                                                      								if( *((intOrPtr*)( *0x452430 + 0x11c)) != 0 && _t146 == 0x47d000) {
                                                      									E004062EA(_t146, 0x43c090, _t166, 0, _t125);
                                                      									if(lstrcmpiA(0x44a3c0, 0x43c090) != 0) {
                                                      										lstrcatA(_t146, 0x44a3c0);
                                                      									}
                                                      								}
                                                      								 *0x43c080 =  *0x43c080 + 1;
                                                      								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                      							}
                                                      						}
                                                      						goto L20;
                                                      					}
                                                      					if(_a12 >> 0x10 != 0x300) {
                                                      						goto L53;
                                                      					}
                                                      					_a8 = 0x40f;
                                                      					goto L12;
                                                      				} else {
                                                      					_t165 = GetDlgItem(_t166, 0x3fb);
                                                      					if(E00405C56(_t146) != 0 && E00405C82(_t146) == 0) {
                                                      						E00405BE9(_t146);
                                                      					}
                                                      					 *0x44e3f8 = _t166;
                                                      					SetWindowTextA(_t165, _t146);
                                                      					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                      					_push(1);
                                                      					E004042D4(_t166);
                                                      					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                      					_push(0x14);
                                                      					E004042D4(_t166);
                                                      					E00404309(_t165);
                                                      					_t138 = E00406663(8);
                                                      					if(_t138 == 0) {
                                                      						L53:
                                                      						return E0040433B(_a8, _a12, _a16);
                                                      					} else {
                                                      						 *_t138(_t165, 1);
                                                      						goto L8;
                                                      					}
                                                      				}
                                                      			}














































                                                      APIs
                                                      • GetDlgItem.USER32 ref: 004047B5
                                                      • SetWindowTextA.USER32(00000000,?), ref: 004047DF
                                                      • SHBrowseForFolderA.SHELL32(?,00436068,?), ref: 00404890
                                                      • CoTaskMemFree.OLE32(00000000), ref: 0040489B
                                                      • lstrcmpiA.KERNEL32(Call,0043C090,00000000,?,?), ref: 004048CD
                                                      • lstrcatA.KERNEL32(?,Call), ref: 004048D9
                                                      • SetDlgItemTextA.USER32 ref: 004048EB
                                                        • Part of subcall function 00405951: GetDlgItemTextA.USER32 ref: 00405964
                                                        • Part of subcall function 00406535: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,7476FA90,00485000,0047B000,0040338E,00485000,00485000,00403690,?,00000007,00000009,0000000B), ref: 0040658D
                                                        • Part of subcall function 00406535: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,7476FA90,00485000,0047B000,0040338E,00485000,00485000,00403690,?,00000007,00000009,0000000B), ref: 0040659A
                                                        • Part of subcall function 00406535: CharNextA.USER32(0000000B,?,7476FA90,00485000,0047B000,0040338E,00485000,00485000,00403690,?,00000007,00000009,0000000B), ref: 0040659F
                                                        • Part of subcall function 00406535: CharPrevA.USER32(0000000B,0000000B,7476FA90,00485000,0047B000,0040338E,00485000,00485000,00403690,?,00000007,00000009,0000000B), ref: 004065AF
                                                      • GetDiskFreeSpaceA.KERNEL32(00434060,?,?,0000040F,?,00434060,00434060,?,00000001,00434060,?,?,000003FB,?), ref: 004049A9
                                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049C4
                                                        • Part of subcall function 00404B1D: lstrlenA.KERNEL32(0043C090,0043C090,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A38,000000DF,00000000,00000400,?), ref: 00404BBB
                                                        • Part of subcall function 00404B1D: wsprintfA.USER32 ref: 00404BC3
                                                        • Part of subcall function 00404B1D: SetDlgItemTextA.USER32 ref: 00404BD6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                      • String ID: A$Call$`@C
                                                      • API String ID: 2624150263-2632166419
                                                      • Opcode ID: 886dd6027509445de1254c1c02213b8efb168328cfb5d74d40d411f38c0dfe58
                                                      • Instruction ID: 1e5cde7c6216eed5206fee0a992a61c18a0705ae5e449ea6cb8cf0fac14b4d51
                                                      • Opcode Fuzzy Hash: 886dd6027509445de1254c1c02213b8efb168328cfb5d74d40d411f38c0dfe58
                                                      • Instruction Fuzzy Hash: 74A16EB1A00209ABDB11AFA6CD41BAF77B8AF84314F10847BF601B62D1D77C99418F6D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 74%
                                                      			E00402173() {
                                                      				signed int _t55;
                                                      				void* _t59;
                                                      				intOrPtr* _t63;
                                                      				intOrPtr _t64;
                                                      				intOrPtr* _t65;
                                                      				intOrPtr* _t67;
                                                      				intOrPtr* _t69;
                                                      				intOrPtr* _t71;
                                                      				intOrPtr* _t73;
                                                      				intOrPtr* _t75;
                                                      				intOrPtr* _t78;
                                                      				intOrPtr* _t80;
                                                      				intOrPtr* _t82;
                                                      				intOrPtr* _t84;
                                                      				int _t87;
                                                      				intOrPtr* _t95;
                                                      				signed int _t105;
                                                      				signed int _t109;
                                                      				void* _t111;
                                                      
                                                      				 *(_t111 - 0x38) = E00402C39(0xfffffff0);
                                                      				 *(_t111 - 0xc) = E00402C39(0xffffffdf);
                                                      				 *((intOrPtr*)(_t111 - 0x88)) = E00402C39(2);
                                                      				 *((intOrPtr*)(_t111 - 0x34)) = E00402C39(0xffffffcd);
                                                      				 *((intOrPtr*)(_t111 - 0x78)) = E00402C39(0x45);
                                                      				_t55 =  *(_t111 - 0x18);
                                                      				 *(_t111 - 0x90) = _t55 & 0x00000fff;
                                                      				_t105 = _t55 & 0x00008000;
                                                      				_t109 = _t55 >> 0x0000000c & 0x00000007;
                                                      				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
                                                      				if(E00405C56( *(_t111 - 0xc)) == 0) {
                                                      					E00402C39(0x21);
                                                      				}
                                                      				_t59 = _t111 + 8;
                                                      				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
                                                      				if(_t59 < _t87) {
                                                      					L15:
                                                      					 *((intOrPtr*)(_t111 - 4)) = 1;
                                                      					_push(0xfffffff0);
                                                      				} else {
                                                      					_t63 =  *((intOrPtr*)(_t111 + 8));
                                                      					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
                                                      					 *((intOrPtr*)(_t111 - 8)) = _t64;
                                                      					if(_t64 >= _t87) {
                                                      						_t67 =  *((intOrPtr*)(_t111 + 8));
                                                      						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                                                      						if(_t105 == _t87) {
                                                      							_t84 =  *((intOrPtr*)(_t111 + 8));
                                                      							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\jones\\AppData\\Roaming\\Kartoffelprodukterne\\conchinine\\Affaldsproblem");
                                                      						}
                                                      						if(_t109 != _t87) {
                                                      							_t82 =  *((intOrPtr*)(_t111 + 8));
                                                      							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                                                      						}
                                                      						_t69 =  *((intOrPtr*)(_t111 + 8));
                                                      						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
                                                      						_t95 =  *((intOrPtr*)(_t111 - 0x34));
                                                      						if( *_t95 != _t87) {
                                                      							_t80 =  *((intOrPtr*)(_t111 + 8));
                                                      							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
                                                      						}
                                                      						_t71 =  *((intOrPtr*)(_t111 + 8));
                                                      						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
                                                      						_t73 =  *((intOrPtr*)(_t111 + 8));
                                                      						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
                                                      						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                      							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                                                      							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x2000) != 0) {
                                                      								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                                                      								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                                                      							}
                                                      						}
                                                      						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                                                      						 *((intOrPtr*)( *_t75 + 8))(_t75);
                                                      					}
                                                      					_t65 =  *((intOrPtr*)(_t111 + 8));
                                                      					 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                      					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                                                      						_push(0xfffffff4);
                                                      					} else {
                                                      						goto L15;
                                                      					}
                                                      				}
                                                      				E00401423();
                                                      				 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t111 - 4));
                                                      				return 0;
                                                      			}























                                                      APIs
                                                      • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00002000,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                                                      Strings
                                                      • C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Affaldsproblem, xrefs: 00402238
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: ByteCharCreateInstanceMultiWide
                                                      • String ID: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Affaldsproblem
                                                      • API String ID: 123533781-3642180464
                                                      • Opcode ID: 5e377e6dc369950b4bd387b1741f5469387283e61ea840e5f03918cf49859148
                                                      • Instruction ID: de46d6ec528c0b0c8935217740d64446ab711007b8cbb855df2cc617b58c6e92
                                                      • Opcode Fuzzy Hash: 5e377e6dc369950b4bd387b1741f5469387283e61ea840e5f03918cf49859148
                                                      • Instruction Fuzzy Hash: 37511675A00208BFDF10DFE4C988A9D7BB6AF48314F2045AAF505EB2D1DA799981CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 39%
                                                      			E004027AA(char __ebx, char* __edi, char* __esi) {
                                                      				void* _t19;
                                                      
                                                      				if(FindFirstFileA(E00402C39(2), _t19 - 0x1d0) != 0xffffffff) {
                                                      					E004061B5(__edi, _t6);
                                                      					_push(_t19 - 0x1a4);
                                                      					_push(__esi);
                                                      					E00406257();
                                                      				} else {
                                                      					 *__edi = __ebx;
                                                      					 *__esi = __ebx;
                                                      					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                      				}
                                                      				 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t19 - 4));
                                                      				return 0;
                                                      			}





                                                      APIs
                                                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: FileFindFirst
                                                      • String ID:
                                                      • API String ID: 1974802433-0
                                                      • Opcode ID: 1934c0195a216b1d1ad692ed7a14c4f3ea3c9676c1ec8a7b1ec9cc285c8c6fea
                                                      • Instruction ID: 399c6a6cf60972f2d7a512407c1446c7d57098f317d76a59d8a1514aa82d2ac6
                                                      • Opcode Fuzzy Hash: 1934c0195a216b1d1ad692ed7a14c4f3ea3c9676c1ec8a7b1ec9cc285c8c6fea
                                                      • Instruction Fuzzy Hash: 51F0A072608144ABD710EBA49A49AEEB7689F52324F60447BF142B20C2D7B889449B3A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 79%
                                                      			E00406AA8(signed int __ebx, signed int* __esi) {
                                                      				signed int _t396;
                                                      				signed int _t425;
                                                      				signed int _t442;
                                                      				signed int _t443;
                                                      				signed int* _t446;
                                                      				void* _t448;
                                                      
                                                      				L0:
                                                      				while(1) {
                                                      					L0:
                                                      					_t446 = __esi;
                                                      					_t425 = __ebx;
                                                      					if( *(_t448 - 0x34) == 0) {
                                                      						break;
                                                      					}
                                                      					L55:
                                                      					__eax =  *(__ebp - 0x38);
                                                      					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                      					__ecx = __ebx;
                                                      					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                      					__ebx = __ebx + 8;
                                                      					while(1) {
                                                      						L56:
                                                      						if(__ebx < 0xe) {
                                                      							goto L0;
                                                      						}
                                                      						L57:
                                                      						__eax =  *(__ebp - 0x40);
                                                      						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                      						__ecx = __eax;
                                                      						__esi[1] = __eax;
                                                      						__ecx = __eax & 0x0000001f;
                                                      						if(__cl > 0x1d) {
                                                      							L9:
                                                      							_t443 = _t442 | 0xffffffff;
                                                      							 *_t446 = 0x11;
                                                      							L10:
                                                      							_t446[0x147] =  *(_t448 - 0x40);
                                                      							_t446[0x146] = _t425;
                                                      							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                      							L11:
                                                      							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                      							_t446[0x26ea] =  *(_t448 - 0x30);
                                                      							E00407217( *(_t448 + 8));
                                                      							return _t443;
                                                      						}
                                                      						L58:
                                                      						__eax = __eax & 0x000003e0;
                                                      						if(__eax > 0x3a0) {
                                                      							goto L9;
                                                      						}
                                                      						L59:
                                                      						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                      						__ebx = __ebx - 0xe;
                                                      						_t94 =  &(__esi[2]);
                                                      						 *_t94 = __esi[2] & 0x00000000;
                                                      						 *__esi = 0xc;
                                                      						while(1) {
                                                      							L60:
                                                      							__esi[1] = __esi[1] >> 0xa;
                                                      							__eax = (__esi[1] >> 0xa) + 4;
                                                      							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                      								goto L68;
                                                      							}
                                                      							L61:
                                                      							while(1) {
                                                      								L64:
                                                      								if(__ebx >= 3) {
                                                      									break;
                                                      								}
                                                      								L62:
                                                      								if( *(__ebp - 0x34) == 0) {
                                                      									goto L182;
                                                      								}
                                                      								L63:
                                                      								__eax =  *(__ebp - 0x38);
                                                      								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                      								__ecx = __ebx;
                                                      								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                      								__ebx = __ebx + 8;
                                                      							}
                                                      							L65:
                                                      							__ecx = __esi[2];
                                                      							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                      							__ebx = __ebx - 3;
                                                      							_t108 = __ecx + 0x408408; // 0x121110
                                                      							__ecx =  *_t108;
                                                      							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                      							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                      							__ecx = __esi[1];
                                                      							__esi[2] = __esi[2] + 1;
                                                      							__eax = __esi[2];
                                                      							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                      							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                      								goto L64;
                                                      							}
                                                      							L66:
                                                      							while(1) {
                                                      								L68:
                                                      								if(__esi[2] >= 0x13) {
                                                      									break;
                                                      								}
                                                      								L67:
                                                      								_t119 = __esi[2] + 0x408408; // 0x4000300
                                                      								__eax =  *_t119;
                                                      								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                      								_t126 =  &(__esi[2]);
                                                      								 *_t126 = __esi[2] + 1;
                                                      							}
                                                      							L69:
                                                      							__ecx = __ebp - 8;
                                                      							__edi =  &(__esi[0x143]);
                                                      							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                      							__eax = 0;
                                                      							 *(__ebp - 8) = 0;
                                                      							__eax =  &(__esi[3]);
                                                      							 *__edi = 7;
                                                      							__eax = E0040727F( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                      							if(__eax != 0) {
                                                      								L72:
                                                      								 *__esi = 0x11;
                                                      								while(1) {
                                                      									L180:
                                                      									_t396 =  *_t446;
                                                      									if(_t396 > 0xf) {
                                                      										break;
                                                      									}
                                                      									L1:
                                                      									switch( *((intOrPtr*)(_t396 * 4 +  &M004071D7))) {
                                                      										case 0:
                                                      											L101:
                                                      											__eax = __esi[4] & 0x000000ff;
                                                      											__esi[3] = __esi[4] & 0x000000ff;
                                                      											__eax = __esi[5];
                                                      											__esi[2] = __esi[5];
                                                      											 *__esi = 1;
                                                      											goto L102;
                                                      										case 1:
                                                      											L102:
                                                      											__eax = __esi[3];
                                                      											while(1) {
                                                      												L105:
                                                      												__eflags = __ebx - __eax;
                                                      												if(__ebx >= __eax) {
                                                      													break;
                                                      												}
                                                      												L103:
                                                      												__eflags =  *(__ebp - 0x34);
                                                      												if( *(__ebp - 0x34) == 0) {
                                                      													goto L182;
                                                      												}
                                                      												L104:
                                                      												__ecx =  *(__ebp - 0x38);
                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                      												__ecx = __ebx;
                                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                      												__ebx = __ebx + 8;
                                                      												__eflags = __ebx;
                                                      											}
                                                      											L106:
                                                      											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                      											__eax = __eax &  *(__ebp - 0x40);
                                                      											__ecx = __esi[2];
                                                      											__eax = __esi[2] + __eax * 4;
                                                      											__ecx =  *(__eax + 1) & 0x000000ff;
                                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                      											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                      											__ecx =  *__eax & 0x000000ff;
                                                      											__eflags = __ecx;
                                                      											if(__ecx != 0) {
                                                      												L108:
                                                      												__eflags = __cl & 0x00000010;
                                                      												if((__cl & 0x00000010) == 0) {
                                                      													L110:
                                                      													__eflags = __cl & 0x00000040;
                                                      													if((__cl & 0x00000040) == 0) {
                                                      														goto L125;
                                                      													}
                                                      													L111:
                                                      													__eflags = __cl & 0x00000020;
                                                      													if((__cl & 0x00000020) == 0) {
                                                      														goto L9;
                                                      													}
                                                      													L112:
                                                      													 *__esi = 7;
                                                      													goto L180;
                                                      												}
                                                      												L109:
                                                      												__esi[2] = __ecx;
                                                      												__esi[1] = __eax;
                                                      												 *__esi = 2;
                                                      												goto L180;
                                                      											}
                                                      											L107:
                                                      											__esi[2] = __eax;
                                                      											 *__esi = 6;
                                                      											goto L180;
                                                      										case 2:
                                                      											L113:
                                                      											__eax = __esi[2];
                                                      											while(1) {
                                                      												L116:
                                                      												__eflags = __ebx - __eax;
                                                      												if(__ebx >= __eax) {
                                                      													break;
                                                      												}
                                                      												L114:
                                                      												__eflags =  *(__ebp - 0x34);
                                                      												if( *(__ebp - 0x34) == 0) {
                                                      													goto L182;
                                                      												}
                                                      												L115:
                                                      												__ecx =  *(__ebp - 0x38);
                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                      												__ecx = __ebx;
                                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                      												__ebx = __ebx + 8;
                                                      												__eflags = __ebx;
                                                      											}
                                                      											L117:
                                                      											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                      											__esi[1] = __esi[1] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                      											__ecx = __eax;
                                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                      											__ebx = __ebx - __eax;
                                                      											__eflags = __ebx;
                                                      											__eax = __esi[4] & 0x000000ff;
                                                      											__esi[3] = __esi[4] & 0x000000ff;
                                                      											__eax = __esi[6];
                                                      											__esi[2] = __esi[6];
                                                      											 *__esi = 3;
                                                      											goto L118;
                                                      										case 3:
                                                      											L118:
                                                      											__eax = __esi[3];
                                                      											while(1) {
                                                      												L121:
                                                      												__eflags = __ebx - __eax;
                                                      												if(__ebx >= __eax) {
                                                      													break;
                                                      												}
                                                      												L119:
                                                      												__eflags =  *(__ebp - 0x34);
                                                      												if( *(__ebp - 0x34) == 0) {
                                                      													goto L182;
                                                      												}
                                                      												L120:
                                                      												__ecx =  *(__ebp - 0x38);
                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                      												__ecx = __ebx;
                                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                      												__ebx = __ebx + 8;
                                                      												__eflags = __ebx;
                                                      											}
                                                      											L122:
                                                      											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                      											__eax = __eax &  *(__ebp - 0x40);
                                                      											__ecx = __esi[2];
                                                      											__eax = __esi[2] + __eax * 4;
                                                      											__ecx =  *(__eax + 1) & 0x000000ff;
                                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                      											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                      											__ecx =  *__eax & 0x000000ff;
                                                      											__eflags = __cl & 0x00000010;
                                                      											if((__cl & 0x00000010) == 0) {
                                                      												L124:
                                                      												__eflags = __cl & 0x00000040;
                                                      												if((__cl & 0x00000040) != 0) {
                                                      													goto L9;
                                                      												}
                                                      												L125:
                                                      												__esi[3] = __ecx;
                                                      												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                      												__esi[2] = __eax;
                                                      												goto L180;
                                                      											}
                                                      											L123:
                                                      											__esi[2] = __ecx;
                                                      											__esi[3] = __eax;
                                                      											 *__esi = 4;
                                                      											goto L180;
                                                      										case 4:
                                                      											L126:
                                                      											__eax = __esi[2];
                                                      											while(1) {
                                                      												L129:
                                                      												__eflags = __ebx - __eax;
                                                      												if(__ebx >= __eax) {
                                                      													break;
                                                      												}
                                                      												L127:
                                                      												__eflags =  *(__ebp - 0x34);
                                                      												if( *(__ebp - 0x34) == 0) {
                                                      													goto L182;
                                                      												}
                                                      												L128:
                                                      												__ecx =  *(__ebp - 0x38);
                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                      												__ecx = __ebx;
                                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                      												__ebx = __ebx + 8;
                                                      												__eflags = __ebx;
                                                      											}
                                                      											L130:
                                                      											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                      											__esi[3] = __esi[3] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                      											__ecx = __eax;
                                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                      											__ebx = __ebx - __eax;
                                                      											__eflags = __ebx;
                                                      											 *__esi = 5;
                                                      											goto L131;
                                                      										case 5:
                                                      											L131:
                                                      											__eax =  *(__ebp - 0x30);
                                                      											__edx = __esi[3];
                                                      											__eax = __eax - __esi;
                                                      											__ecx = __eax - __esi - 0x1ba0;
                                                      											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                      											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                      												__ecx = __eax;
                                                      												__ecx = __eax - __edx;
                                                      												__eflags = __ecx;
                                                      											} else {
                                                      												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                      												__ecx = __esi[0x26e8] - __edx - __esi;
                                                      												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                      											}
                                                      											__eflags = __esi[1];
                                                      											 *(__ebp - 0x20) = __ecx;
                                                      											if(__esi[1] != 0) {
                                                      												L135:
                                                      												__edi =  *(__ebp - 0x2c);
                                                      												do {
                                                      													L136:
                                                      													__eflags = __edi;
                                                      													if(__edi != 0) {
                                                      														goto L152;
                                                      													}
                                                      													L137:
                                                      													__edi = __esi[0x26e8];
                                                      													__eflags = __eax - __edi;
                                                      													if(__eax != __edi) {
                                                      														L143:
                                                      														__esi[0x26ea] = __eax;
                                                      														__eax = E00407217( *((intOrPtr*)(__ebp + 8)));
                                                      														__eax = __esi[0x26ea];
                                                      														__ecx = __esi[0x26e9];
                                                      														__eflags = __eax - __ecx;
                                                      														 *(__ebp - 0x30) = __eax;
                                                      														if(__eax >= __ecx) {
                                                      															__edi = __esi[0x26e8];
                                                      															__edi = __esi[0x26e8] - __eax;
                                                      															__eflags = __edi;
                                                      														} else {
                                                      															__ecx = __ecx - __eax;
                                                      															__edi = __ecx - __eax - 1;
                                                      														}
                                                      														__edx = __esi[0x26e8];
                                                      														__eflags = __eax - __edx;
                                                      														 *(__ebp - 8) = __edx;
                                                      														if(__eax == __edx) {
                                                      															__edx =  &(__esi[0x6e8]);
                                                      															__eflags = __ecx - __edx;
                                                      															if(__ecx != __edx) {
                                                      																__eax = __edx;
                                                      																__eflags = __eax - __ecx;
                                                      																 *(__ebp - 0x30) = __eax;
                                                      																if(__eax >= __ecx) {
                                                      																	__edi =  *(__ebp - 8);
                                                      																	__edi =  *(__ebp - 8) - __eax;
                                                      																	__eflags = __edi;
                                                      																} else {
                                                      																	__ecx = __ecx - __eax;
                                                      																	__edi = __ecx;
                                                      																}
                                                      															}
                                                      														}
                                                      														__eflags = __edi;
                                                      														if(__edi == 0) {
                                                      															goto L183;
                                                      														} else {
                                                      															goto L152;
                                                      														}
                                                      													}
                                                      													L138:
                                                      													__ecx = __esi[0x26e9];
                                                      													__edx =  &(__esi[0x6e8]);
                                                      													__eflags = __ecx - __edx;
                                                      													if(__ecx == __edx) {
                                                      														goto L143;
                                                      													}
                                                      													L139:
                                                      													__eax = __edx;
                                                      													__eflags = __eax - __ecx;
                                                      													if(__eax >= __ecx) {
                                                      														__edi = __edi - __eax;
                                                      														__eflags = __edi;
                                                      													} else {
                                                      														__ecx = __ecx - __eax;
                                                      														__edi = __ecx;
                                                      													}
                                                      													__eflags = __edi;
                                                      													if(__edi == 0) {
                                                      														goto L143;
                                                      													}
                                                      													L152:
                                                      													__ecx =  *(__ebp - 0x20);
                                                      													 *__eax =  *__ecx;
                                                      													__eax = __eax + 1;
                                                      													__ecx = __ecx + 1;
                                                      													__edi = __edi - 1;
                                                      													__eflags = __ecx - __esi[0x26e8];
                                                      													 *(__ebp - 0x30) = __eax;
                                                      													 *(__ebp - 0x20) = __ecx;
                                                      													 *(__ebp - 0x2c) = __edi;
                                                      													if(__ecx == __esi[0x26e8]) {
                                                      														__ecx =  &(__esi[0x6e8]);
                                                      														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                      													}
                                                      													_t357 =  &(__esi[1]);
                                                      													 *_t357 = __esi[1] - 1;
                                                      													__eflags =  *_t357;
                                                      												} while ( *_t357 != 0);
                                                      											}
                                                      											goto L23;
                                                      										case 6:
                                                      											L156:
                                                      											__eax =  *(__ebp - 0x2c);
                                                      											__edi =  *(__ebp - 0x30);
                                                      											__eflags = __eax;
                                                      											if(__eax != 0) {
                                                      												L172:
                                                      												__cl = __esi[2];
                                                      												 *__edi = __cl;
                                                      												__edi = __edi + 1;
                                                      												__eax = __eax - 1;
                                                      												 *(__ebp - 0x30) = __edi;
                                                      												 *(__ebp - 0x2c) = __eax;
                                                      												goto L23;
                                                      											}
                                                      											L157:
                                                      											__ecx = __esi[0x26e8];
                                                      											__eflags = __edi - __ecx;
                                                      											if(__edi != __ecx) {
                                                      												L163:
                                                      												__esi[0x26ea] = __edi;
                                                      												__eax = E00407217( *((intOrPtr*)(__ebp + 8)));
                                                      												__edi = __esi[0x26ea];
                                                      												__ecx = __esi[0x26e9];
                                                      												__eflags = __edi - __ecx;
                                                      												 *(__ebp - 0x30) = __edi;
                                                      												if(__edi >= __ecx) {
                                                      													__eax = __esi[0x26e8];
                                                      													__eax = __esi[0x26e8] - __edi;
                                                      													__eflags = __eax;
                                                      												} else {
                                                      													__ecx = __ecx - __edi;
                                                      													__eax = __ecx - __edi - 1;
                                                      												}
                                                      												__edx = __esi[0x26e8];
                                                      												__eflags = __edi - __edx;
                                                      												 *(__ebp - 8) = __edx;
                                                      												if(__edi == __edx) {
                                                      													__edx =  &(__esi[0x6e8]);
                                                      													__eflags = __ecx - __edx;
                                                      													if(__ecx != __edx) {
                                                      														__edi = __edx;
                                                      														__eflags = __edi - __ecx;
                                                      														 *(__ebp - 0x30) = __edi;
                                                      														if(__edi >= __ecx) {
                                                      															__eax =  *(__ebp - 8);
                                                      															__eax =  *(__ebp - 8) - __edi;
                                                      															__eflags = __eax;
                                                      														} else {
                                                      															__ecx = __ecx - __edi;
                                                      															__eax = __ecx;
                                                      														}
                                                      													}
                                                      												}
                                                      												__eflags = __eax;
                                                      												if(__eax == 0) {
                                                      													goto L183;
                                                      												} else {
                                                      													goto L172;
                                                      												}
                                                      											}
                                                      											L158:
                                                      											__eax = __esi[0x26e9];
                                                      											__edx =  &(__esi[0x6e8]);
                                                      											__eflags = __eax - __edx;
                                                      											if(__eax == __edx) {
                                                      												goto L163;
                                                      											}
                                                      											L159:
                                                      											__edi = __edx;
                                                      											__eflags = __edi - __eax;
                                                      											if(__edi >= __eax) {
                                                      												__ecx = __ecx - __edi;
                                                      												__eflags = __ecx;
                                                      												__eax = __ecx;
                                                      											} else {
                                                      												__eax = __eax - __edi;
                                                      												__eax = __eax - 1;
                                                      											}
                                                      											__eflags = __eax;
                                                      											if(__eax != 0) {
                                                      												goto L172;
                                                      											} else {
                                                      												goto L163;
                                                      											}
                                                      										case 7:
                                                      											L173:
                                                      											__eflags = __ebx - 7;
                                                      											if(__ebx > 7) {
                                                      												__ebx = __ebx - 8;
                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                      												_t380 = __ebp - 0x38;
                                                      												 *_t380 =  *(__ebp - 0x38) - 1;
                                                      												__eflags =  *_t380;
                                                      											}
                                                      											goto L175;
                                                      										case 8:
                                                      											L4:
                                                      											while(_t425 < 3) {
                                                      												if( *(_t448 - 0x34) == 0) {
                                                      													goto L182;
                                                      												} else {
                                                      													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                      													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                      													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                      													_t425 = _t425 + 8;
                                                      													continue;
                                                      												}
                                                      											}
                                                      											_t425 = _t425 - 3;
                                                      											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                      											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                      											asm("sbb ecx, ecx");
                                                      											_t408 = _t406 >> 1;
                                                      											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                      											if(_t408 == 0) {
                                                      												L24:
                                                      												 *_t446 = 9;
                                                      												_t436 = _t425 & 0x00000007;
                                                      												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                      												_t425 = _t425 - _t436;
                                                      												goto L180;
                                                      											}
                                                      											L6:
                                                      											_t411 = _t408 - 1;
                                                      											if(_t411 == 0) {
                                                      												L13:
                                                      												__eflags =  *0x44a3a8;
                                                      												if( *0x44a3a8 != 0) {
                                                      													L22:
                                                      													_t412 =  *0x40a42c; // 0x9
                                                      													_t446[4] = _t412;
                                                      													_t413 =  *0x40a430; // 0x5
                                                      													_t446[4] = _t413;
                                                      													_t414 =  *0x449224; // 0x449b28
                                                      													_t446[5] = _t414;
                                                      													_t415 =  *0x449220; // 0x44a328
                                                      													_t446[6] = _t415;
                                                      													L23:
                                                      													 *_t446 =  *_t446 & 0x00000000;
                                                      													goto L180;
                                                      												} else {
                                                      													_t26 = _t448 - 8;
                                                      													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                      													__eflags =  *_t26;
                                                      													_t416 = 0x449228;
                                                      													goto L15;
                                                      													L20:
                                                      													 *_t416 = _t438;
                                                      													_t416 = _t416 + 4;
                                                      													__eflags = _t416 - 0x4496a8;
                                                      													if(_t416 < 0x4496a8) {
                                                      														L15:
                                                      														__eflags = _t416 - 0x449464;
                                                      														_t438 = 8;
                                                      														if(_t416 > 0x449464) {
                                                      															__eflags = _t416 - 0x449628;
                                                      															if(_t416 >= 0x449628) {
                                                      																__eflags = _t416 - 0x449688;
                                                      																if(_t416 < 0x449688) {
                                                      																	_t438 = 7;
                                                      																}
                                                      															} else {
                                                      																_t438 = 9;
                                                      															}
                                                      														}
                                                      														goto L20;
                                                      													} else {
                                                      														E0040727F(0x449228, 0x120, 0x101, 0x40841c, 0x40845c, 0x449224, 0x40a42c, 0x449b28, _t448 - 8);
                                                      														_push(0x1e);
                                                      														_pop(_t440);
                                                      														_push(5);
                                                      														_pop(_t419);
                                                      														memset(0x449228, _t419, _t440 << 2);
                                                      														_t450 = _t450 + 0xc;
                                                      														_t442 = 0x449228 + _t440;
                                                      														E0040727F(0x449228, 0x1e, 0, 0x40849c, 0x4084d8, 0x449220, 0x40a430, 0x449b28, _t448 - 8);
                                                      														 *0x44a3a8 =  *0x44a3a8 + 1;
                                                      														__eflags =  *0x44a3a8;
                                                      														goto L22;
                                                      													}
                                                      												}
                                                      											}
                                                      											L7:
                                                      											_t423 = _t411 - 1;
                                                      											if(_t423 == 0) {
                                                      												 *_t446 = 0xb;
                                                      												goto L180;
                                                      											}
                                                      											L8:
                                                      											if(_t423 != 1) {
                                                      												goto L180;
                                                      											}
                                                      											goto L9;
                                                      										case 9:
                                                      											while(1) {
                                                      												L27:
                                                      												__eflags = __ebx - 0x20;
                                                      												if(__ebx >= 0x20) {
                                                      													break;
                                                      												}
                                                      												L25:
                                                      												__eflags =  *(__ebp - 0x34);
                                                      												if( *(__ebp - 0x34) == 0) {
                                                      													goto L182;
                                                      												}
                                                      												L26:
                                                      												__eax =  *(__ebp - 0x38);
                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                      												__ecx = __ebx;
                                                      												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                      												__ebx = __ebx + 8;
                                                      												__eflags = __ebx;
                                                      											}
                                                      											L28:
                                                      											__eax =  *(__ebp - 0x40);
                                                      											__ebx = 0;
                                                      											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                      											 *(__ebp - 0x40) = 0;
                                                      											__eflags = __eax;
                                                      											__esi[1] = __eax;
                                                      											if(__eax == 0) {
                                                      												goto L53;
                                                      											}
                                                      											L29:
                                                      											_push(0xa);
                                                      											_pop(__eax);
                                                      											goto L54;
                                                      										case 0xa:
                                                      											L30:
                                                      											__eflags =  *(__ebp - 0x34);
                                                      											if( *(__ebp - 0x34) == 0) {
                                                      												goto L182;
                                                      											}
                                                      											L31:
                                                      											__eax =  *(__ebp - 0x2c);
                                                      											__eflags = __eax;
                                                      											if(__eax != 0) {
                                                      												L48:
                                                      												__eflags = __eax -  *(__ebp - 0x34);
                                                      												if(__eax >=  *(__ebp - 0x34)) {
                                                      													__eax =  *(__ebp - 0x34);
                                                      												}
                                                      												__ecx = __esi[1];
                                                      												__eflags = __ecx - __eax;
                                                      												__edi = __ecx;
                                                      												if(__ecx >= __eax) {
                                                      													__edi = __eax;
                                                      												}
                                                      												__eax = E00405DA5( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                      												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                      												_t80 =  &(__esi[1]);
                                                      												 *_t80 = __esi[1] - __edi;
                                                      												__eflags =  *_t80;
                                                      												if( *_t80 == 0) {
                                                      													L53:
                                                      													__eax = __esi[0x145];
                                                      													L54:
                                                      													 *__esi = __eax;
                                                      												}
                                                      												goto L180;
                                                      											}
                                                      											L32:
                                                      											__ecx = __esi[0x26e8];
                                                      											__edx =  *(__ebp - 0x30);
                                                      											__eflags = __edx - __ecx;
                                                      											if(__edx != __ecx) {
                                                      												L38:
                                                      												__esi[0x26ea] = __edx;
                                                      												__eax = E00407217( *((intOrPtr*)(__ebp + 8)));
                                                      												__edx = __esi[0x26ea];
                                                      												__ecx = __esi[0x26e9];
                                                      												__eflags = __edx - __ecx;
                                                      												 *(__ebp - 0x30) = __edx;
                                                      												if(__edx >= __ecx) {
                                                      													__eax = __esi[0x26e8];
                                                      													__eax = __esi[0x26e8] - __edx;
                                                      													__eflags = __eax;
                                                      												} else {
                                                      													__ecx = __ecx - __edx;
                                                      													__eax = __ecx - __edx - 1;
                                                      												}
                                                      												__edi = __esi[0x26e8];
                                                      												 *(__ebp - 0x2c) = __eax;
                                                      												__eflags = __edx - __edi;
                                                      												if(__edx == __edi) {
                                                      													__edx =  &(__esi[0x6e8]);
                                                      													__eflags = __edx - __ecx;
                                                      													if(__eflags != 0) {
                                                      														 *(__ebp - 0x30) = __edx;
                                                      														if(__eflags >= 0) {
                                                      															__edi = __edi - __edx;
                                                      															__eflags = __edi;
                                                      															__eax = __edi;
                                                      														} else {
                                                      															__ecx = __ecx - __edx;
                                                      															__eax = __ecx;
                                                      														}
                                                      														 *(__ebp - 0x2c) = __eax;
                                                      													}
                                                      												}
                                                      												__eflags = __eax;
                                                      												if(__eax == 0) {
                                                      													goto L183;
                                                      												} else {
                                                      													goto L48;
                                                      												}
                                                      											}
                                                      											L33:
                                                      											__eax = __esi[0x26e9];
                                                      											__edi =  &(__esi[0x6e8]);
                                                      											__eflags = __eax - __edi;
                                                      											if(__eax == __edi) {
                                                      												goto L38;
                                                      											}
                                                      											L34:
                                                      											__edx = __edi;
                                                      											__eflags = __edx - __eax;
                                                      											 *(__ebp - 0x30) = __edx;
                                                      											if(__edx >= __eax) {
                                                      												__ecx = __ecx - __edx;
                                                      												__eflags = __ecx;
                                                      												__eax = __ecx;
                                                      											} else {
                                                      												__eax = __eax - __edx;
                                                      												__eax = __eax - 1;
                                                      											}
                                                      											__eflags = __eax;
                                                      											 *(__ebp - 0x2c) = __eax;
                                                      											if(__eax != 0) {
                                                      												goto L48;
                                                      											} else {
                                                      												goto L38;
                                                      											}
                                                      										case 0xb:
                                                      											goto L56;
                                                      										case 0xc:
                                                      											L60:
                                                      											__esi[1] = __esi[1] >> 0xa;
                                                      											__eax = (__esi[1] >> 0xa) + 4;
                                                      											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                      												goto L68;
                                                      											}
                                                      											goto L61;
                                                      										case 0xd:
                                                      											while(1) {
                                                      												L93:
                                                      												__eax = __esi[1];
                                                      												__ecx = __esi[2];
                                                      												__edx = __eax;
                                                      												__eax = __eax & 0x0000001f;
                                                      												__edx = __edx >> 5;
                                                      												__eax = __edx + __eax + 0x102;
                                                      												__eflags = __esi[2] - __eax;
                                                      												if(__esi[2] >= __eax) {
                                                      													break;
                                                      												}
                                                      												L73:
                                                      												__eax = __esi[0x143];
                                                      												while(1) {
                                                      													L76:
                                                      													__eflags = __ebx - __eax;
                                                      													if(__ebx >= __eax) {
                                                      														break;
                                                      													}
                                                      													L74:
                                                      													__eflags =  *(__ebp - 0x34);
                                                      													if( *(__ebp - 0x34) == 0) {
                                                      														goto L182;
                                                      													}
                                                      													L75:
                                                      													__ecx =  *(__ebp - 0x38);
                                                      													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                      													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                      													__ecx = __ebx;
                                                      													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                      													__ebx = __ebx + 8;
                                                      													__eflags = __ebx;
                                                      												}
                                                      												L77:
                                                      												__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
                                                      												__eax = __eax &  *(__ebp - 0x40);
                                                      												__ecx = __esi[0x144];
                                                      												__eax = __esi[0x144] + __eax * 4;
                                                      												__edx =  *(__eax + 1) & 0x000000ff;
                                                      												__eax =  *(__eax + 2) & 0x0000ffff;
                                                      												__eflags = __eax - 0x10;
                                                      												 *(__ebp - 0x14) = __eax;
                                                      												if(__eax >= 0x10) {
                                                      													L79:
                                                      													__eflags = __eax - 0x12;
                                                      													if(__eax != 0x12) {
                                                      														__eax = __eax + 0xfffffff2;
                                                      														 *(__ebp - 8) = 3;
                                                      													} else {
                                                      														_push(7);
                                                      														 *(__ebp - 8) = 0xb;
                                                      														_pop(__eax);
                                                      													}
                                                      													while(1) {
                                                      														L84:
                                                      														__ecx = __eax + __edx;
                                                      														__eflags = __ebx - __eax + __edx;
                                                      														if(__ebx >= __eax + __edx) {
                                                      															break;
                                                      														}
                                                      														L82:
                                                      														__eflags =  *(__ebp - 0x34);
                                                      														if( *(__ebp - 0x34) == 0) {
                                                      															goto L182;
                                                      														}
                                                      														L83:
                                                      														__ecx =  *(__ebp - 0x38);
                                                      														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                      														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                      														__ecx = __ebx;
                                                      														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                      														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                      														__ebx = __ebx + 8;
                                                      														__eflags = __ebx;
                                                      													}
                                                      													L85:
                                                      													__ecx = __edx;
                                                      													__ebx = __ebx - __edx;
                                                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                      													 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                      													__edx =  *(__ebp - 8);
                                                      													__ebx = __ebx - __eax;
                                                      													__edx =  *(__ebp - 8) + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                      													__ecx = __eax;
                                                      													__eax = __esi[1];
                                                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                      													__ecx = __esi[2];
                                                      													__eax = __eax >> 5;
                                                      													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                      													__eax = __eax & 0x0000001f;
                                                      													__eax = __edi + __eax + 0x102;
                                                      													__edi = __edx + __ecx;
                                                      													__eflags = __edx + __ecx - __eax;
                                                      													if(__edx + __ecx > __eax) {
                                                      														goto L9;
                                                      													}
                                                      													L86:
                                                      													__eflags =  *(__ebp - 0x14) - 0x10;
                                                      													if( *(__ebp - 0x14) != 0x10) {
                                                      														L89:
                                                      														__edi = 0;
                                                      														__eflags = 0;
                                                      														L90:
                                                      														__eax = __esi + 0xc + __ecx * 4;
                                                      														do {
                                                      															L91:
                                                      															 *__eax = __edi;
                                                      															__ecx = __ecx + 1;
                                                      															__eax = __eax + 4;
                                                      															__edx = __edx - 1;
                                                      															__eflags = __edx;
                                                      														} while (__edx != 0);
                                                      														__esi[2] = __ecx;
                                                      														continue;
                                                      													}
                                                      													L87:
                                                      													__eflags = __ecx - 1;
                                                      													if(__ecx < 1) {
                                                      														goto L9;
                                                      													}
                                                      													L88:
                                                      													__edi =  *(__esi + 8 + __ecx * 4);
                                                      													goto L90;
                                                      												}
                                                      												L78:
                                                      												__ecx = __edx;
                                                      												__ebx = __ebx - __edx;
                                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                      												__ecx = __esi[2];
                                                      												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                      												__esi[2] = __esi[2] + 1;
                                                      											}
                                                      											L94:
                                                      											__eax = __esi[1];
                                                      											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                      											__edi = __eax;
                                                      											__eax = __eax >> 5;
                                                      											__edi = __edi & 0x0000001f;
                                                      											__ecx = 0x101;
                                                      											__eax = __eax & 0x0000001f;
                                                      											__edi = __edi + 0x101;
                                                      											__eax = __eax + 1;
                                                      											__edx = __ebp - 0xc;
                                                      											 *(__ebp - 0x14) = __eax;
                                                      											 &(__esi[0x148]) = __ebp - 4;
                                                      											 *(__ebp - 4) = 9;
                                                      											__ebp - 0x18 =  &(__esi[3]);
                                                      											 *(__ebp - 0x10) = 6;
                                                      											__eax = E0040727F( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                      											__eflags =  *(__ebp - 4);
                                                      											if( *(__ebp - 4) == 0) {
                                                      												__eax = __eax | 0xffffffff;
                                                      												__eflags = __eax;
                                                      											}
                                                      											__eflags = __eax;
                                                      											if(__eax != 0) {
                                                      												goto L9;
                                                      											} else {
                                                      												L97:
                                                      												__ebp - 0xc =  &(__esi[0x148]);
                                                      												__ebp - 0x10 = __ebp - 0x1c;
                                                      												__eax = __esi + 0xc + __edi * 4;
                                                      												__eax = E0040727F(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                      												__eflags = __eax;
                                                      												if(__eax != 0) {
                                                      													goto L9;
                                                      												}
                                                      												L98:
                                                      												__eax =  *(__ebp - 0x10);
                                                      												__eflags =  *(__ebp - 0x10);
                                                      												if( *(__ebp - 0x10) != 0) {
                                                      													L100:
                                                      													__cl =  *(__ebp - 4);
                                                      													 *__esi =  *__esi & 0x00000000;
                                                      													__eflags =  *__esi;
                                                      													__esi[4] = __al;
                                                      													__eax =  *(__ebp - 0x18);
                                                      													__esi[5] =  *(__ebp - 0x18);
                                                      													__eax =  *(__ebp - 0x1c);
                                                      													__esi[4] = __cl;
                                                      													__esi[6] =  *(__ebp - 0x1c);
                                                      													goto L101;
                                                      												}
                                                      												L99:
                                                      												__eflags = __edi - 0x101;
                                                      												if(__edi > 0x101) {
                                                      													goto L9;
                                                      												}
                                                      												goto L100;
                                                      											}
                                                      										case 0xe:
                                                      											goto L9;
                                                      										case 0xf:
                                                      											L175:
                                                      											__eax =  *(__ebp - 0x30);
                                                      											__esi[0x26ea] =  *(__ebp - 0x30);
                                                      											__eax = E00407217( *((intOrPtr*)(__ebp + 8)));
                                                      											__ecx = __esi[0x26ea];
                                                      											__edx = __esi[0x26e9];
                                                      											__eflags = __ecx - __edx;
                                                      											 *(__ebp - 0x30) = __ecx;
                                                      											if(__ecx >= __edx) {
                                                      												__eax = __esi[0x26e8];
                                                      												__eax = __esi[0x26e8] - __ecx;
                                                      												__eflags = __eax;
                                                      											} else {
                                                      												__edx = __edx - __ecx;
                                                      												__eax = __edx - __ecx - 1;
                                                      											}
                                                      											__eflags = __ecx - __edx;
                                                      											 *(__ebp - 0x2c) = __eax;
                                                      											if(__ecx != __edx) {
                                                      												L183:
                                                      												__edi = 0;
                                                      												goto L10;
                                                      											} else {
                                                      												L179:
                                                      												__eax = __esi[0x145];
                                                      												__eflags = __eax - 8;
                                                      												 *__esi = __eax;
                                                      												if(__eax != 8) {
                                                      													L184:
                                                      													0 = 1;
                                                      													goto L10;
                                                      												}
                                                      												goto L180;
                                                      											}
                                                      									}
                                                      								}
                                                      								L181:
                                                      								goto L9;
                                                      							}
                                                      							L70:
                                                      							if( *__edi == __eax) {
                                                      								goto L72;
                                                      							}
                                                      							L71:
                                                      							__esi[2] = __esi[2] & __eax;
                                                      							 *__esi = 0xd;
                                                      							goto L93;
                                                      						}
                                                      					}
                                                      				}
                                                      				L182:
                                                      				_t443 = 0;
                                                      				_t446[0x147] =  *(_t448 - 0x40);
                                                      				_t446[0x146] = _t425;
                                                      				( *(_t448 + 8))[1] = 0;
                                                      				goto L11;
                                                      			}









                                                      0x00406e2f
                                                      0x00406e43
                                                      0x00406e43
                                                      0x00406e46
                                                      0x00406e60
                                                      0x00406e60
                                                      0x00406e63
                                                      0x00000000
                                                      0x00000000
                                                      0x00406e69
                                                      0x00406e69
                                                      0x00406e6c
                                                      0x00000000
                                                      0x00000000
                                                      0x00406e72
                                                      0x00406e72
                                                      0x00000000
                                                      0x00406e72
                                                      0x00406e48
                                                      0x00406e4b
                                                      0x00406e52
                                                      0x00406e55
                                                      0x00000000
                                                      0x00406e55
                                                      0x00406e31
                                                      0x00406e35
                                                      0x00406e38
                                                      0x00000000
                                                      0x00000000
                                                      0x00406e7d
                                                      0x00406e7d
                                                      0x00406ea2
                                                      0x00406ea2
                                                      0x00406ea2
                                                      0x00406ea4
                                                      0x00000000
                                                      0x00000000
                                                      0x00406e82
                                                      0x00406e82
                                                      0x00406e86
                                                      0x00000000
                                                      0x00000000
                                                      0x00406e8c
                                                      0x00406e8c
                                                      0x00406e8f
                                                      0x00406e92
                                                      0x00406e95
                                                      0x00406e97
                                                      0x00406e99
                                                      0x00406e9c
                                                      0x00406e9f
                                                      0x00406e9f
                                                      0x00406e9f
                                                      0x00406ea6
                                                      0x00406eae
                                                      0x00406eb1
                                                      0x00406eb4
                                                      0x00406eb6
                                                      0x00406eb9
                                                      0x00406eb9
                                                      0x00406ebb
                                                      0x00406ebf
                                                      0x00406ec2
                                                      0x00406ec5
                                                      0x00406ec8
                                                      0x00000000
                                                      0x00000000
                                                      0x00406ece
                                                      0x00406ece
                                                      0x00406ef3
                                                      0x00406ef3
                                                      0x00406ef3
                                                      0x00406ef5
                                                      0x00000000
                                                      0x00000000
                                                      0x00406ed3
                                                      0x00406ed3
                                                      0x00406ed7
                                                      0x00000000
                                                      0x00000000
                                                      0x00406edd
                                                      0x00406edd
                                                      0x00406ee0
                                                      0x00406ee3
                                                      0x00406ee6
                                                      0x00406ee8
                                                      0x00406eea
                                                      0x00406eed
                                                      0x00406ef0
                                                      0x00406ef0
                                                      0x00406ef0
                                                      0x00406ef7
                                                      0x00406ef7
                                                      0x00406eff
                                                      0x00406f02
                                                      0x00406f05
                                                      0x00406f08
                                                      0x00406f0c
                                                      0x00406f0f
                                                      0x00406f11
                                                      0x00406f14
                                                      0x00406f17
                                                      0x00406f31
                                                      0x00406f31
                                                      0x00406f34
                                                      0x00000000
                                                      0x00000000
                                                      0x00406f3a
                                                      0x00406f3a
                                                      0x00406f3d
                                                      0x00406f44
                                                      0x00000000
                                                      0x00406f44
                                                      0x00406f19
                                                      0x00406f1c
                                                      0x00406f23
                                                      0x00406f26
                                                      0x00000000
                                                      0x00000000
                                                      0x00406f4c
                                                      0x00406f4c
                                                      0x00406f71
                                                      0x00406f71
                                                      0x00406f71
                                                      0x00406f73
                                                      0x00000000
                                                      0x00000000
                                                      0x00406f51
                                                      0x00406f51
                                                      0x00406f55
                                                      0x00000000
                                                      0x00000000
                                                      0x00406f5b
                                                      0x00406f5b
                                                      0x00406f5e
                                                      0x00406f61
                                                      0x00406f64
                                                      0x00406f66
                                                      0x00406f68
                                                      0x00406f6b
                                                      0x00406f6e
                                                      0x00406f6e
                                                      0x00406f6e
                                                      0x00406f75
                                                      0x00406f7d
                                                      0x00406f80
                                                      0x00406f83
                                                      0x00406f85
                                                      0x00406f88
                                                      0x00406f88
                                                      0x00406f8a
                                                      0x00000000
                                                      0x00000000
                                                      0x00406f90
                                                      0x00406f90
                                                      0x00406f93
                                                      0x00406f98
                                                      0x00406f9a
                                                      0x00406fa0
                                                      0x00406fa2
                                                      0x00406fb7
                                                      0x00406fb9
                                                      0x00406fb9
                                                      0x00406fa4
                                                      0x00406faa
                                                      0x00406fac
                                                      0x00406fae
                                                      0x00406fae
                                                      0x00406fbb
                                                      0x00406fbf
                                                      0x00406fc2
                                                      0x00406fc8
                                                      0x00406fc8
                                                      0x00406fcb
                                                      0x00406fcb
                                                      0x00406fcb
                                                      0x00406fcd
                                                      0x00000000
                                                      0x00000000
                                                      0x00406fd3
                                                      0x00406fd3
                                                      0x00406fd9
                                                      0x00406fdb
                                                      0x00407000
                                                      0x00407003
                                                      0x00407009
                                                      0x0040700e
                                                      0x00407014
                                                      0x0040701a
                                                      0x0040701c
                                                      0x0040701f
                                                      0x00407028
                                                      0x0040702e
                                                      0x0040702e
                                                      0x00407021
                                                      0x00407023
                                                      0x00407025
                                                      0x00407025
                                                      0x00407030
                                                      0x00407036
                                                      0x00407038
                                                      0x0040703b
                                                      0x0040703d
                                                      0x00407043
                                                      0x00407045
                                                      0x00407047
                                                      0x00407049
                                                      0x0040704b
                                                      0x0040704e
                                                      0x00407057
                                                      0x0040705a
                                                      0x0040705a
                                                      0x00407050
                                                      0x00407050
                                                      0x00407053
                                                      0x00407053
                                                      0x0040704e
                                                      0x00407045
                                                      0x0040705c
                                                      0x0040705e
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040705e
                                                      0x00406fdd
                                                      0x00406fdd
                                                      0x00406fe3
                                                      0x00406fe9
                                                      0x00406feb
                                                      0x00000000
                                                      0x00000000
                                                      0x00406fed
                                                      0x00406fed
                                                      0x00406fef
                                                      0x00406ff1
                                                      0x00406ffa
                                                      0x00406ffa
                                                      0x00406ff3
                                                      0x00406ff3
                                                      0x00406ff6
                                                      0x00406ff6
                                                      0x00406ffc
                                                      0x00406ffe
                                                      0x00000000
                                                      0x00000000
                                                      0x00407064
                                                      0x00407064
                                                      0x00407069
                                                      0x0040706b
                                                      0x0040706c
                                                      0x0040706d
                                                      0x0040706e
                                                      0x00407074
                                                      0x00407077
                                                      0x0040707a
                                                      0x0040707d
                                                      0x0040707f
                                                      0x00407085
                                                      0x00407085
                                                      0x00407088
                                                      0x00407088
                                                      0x00407088
                                                      0x00407088
                                                      0x00407091
                                                      0x00000000
                                                      0x00000000
                                                      0x00407096
                                                      0x00407096
                                                      0x00407099
                                                      0x0040709c
                                                      0x0040709e
                                                      0x00407135
                                                      0x00407135
                                                      0x00407138
                                                      0x0040713a
                                                      0x0040713b
                                                      0x0040713c
                                                      0x0040713f
                                                      0x00000000
                                                      0x0040713f
                                                      0x004070a4
                                                      0x004070a4
                                                      0x004070aa
                                                      0x004070ac
                                                      0x004070d1
                                                      0x004070d4
                                                      0x004070da
                                                      0x004070df
                                                      0x004070e5
                                                      0x004070eb
                                                      0x004070ed
                                                      0x004070f0
                                                      0x004070f9
                                                      0x004070ff
                                                      0x004070ff
                                                      0x004070f2
                                                      0x004070f4
                                                      0x004070f6
                                                      0x004070f6
                                                      0x00407101
                                                      0x00407107
                                                      0x00407109
                                                      0x0040710c
                                                      0x0040710e
                                                      0x00407114
                                                      0x00407116
                                                      0x00407118
                                                      0x0040711a
                                                      0x0040711c
                                                      0x0040711f
                                                      0x00407128
                                                      0x0040712b
                                                      0x0040712b
                                                      0x00407121
                                                      0x00407121
                                                      0x00407124
                                                      0x00407124
                                                      0x0040711f
                                                      0x00407116
                                                      0x0040712d
                                                      0x0040712f
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x0040712f
                                                      0x004070ae
                                                      0x004070ae
                                                      0x004070b4
                                                      0x004070ba
                                                      0x004070bc
                                                      0x00000000
                                                      0x00000000
                                                      0x004070be
                                                      0x004070be
                                                      0x004070c0
                                                      0x004070c2
                                                      0x004070c9
                                                      0x004070c9
                                                      0x004070cb
                                                      0x004070c4
                                                      0x004070c4
                                                      0x004070c6
                                                      0x004070c6
                                                      0x004070cd
                                                      0x004070cf
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00407147
                                                      0x00407147
                                                      0x0040714a
                                                      0x0040714c
                                                      0x0040714f
                                                      0x00407152
                                                      0x00407152
                                                      0x00407152
                                                      0x00407152
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00406800
                                                      0x004067e4
                                                      0x00000000
                                                      0x004067ea
                                                      0x004067ed
                                                      0x004067f7
                                                      0x004067fa
                                                      0x004067fd
                                                      0x00000000
                                                      0x004067fd
                                                      0x004067e4
                                                      0x00406808
                                                      0x0040680b
                                                      0x0040680f
                                                      0x00406819
                                                      0x00406823
                                                      0x00406826
                                                      0x0040682c
                                                      0x00406960
                                                      0x00406962
                                                      0x00406968
                                                      0x0040696b
                                                      0x0040696e
                                                      0x00000000
                                                      0x0040696e
                                                      0x00406832
                                                      0x00406832
                                                      0x00406833
                                                      0x0040688b
                                                      0x0040688b
                                                      0x00406892
                                                      0x00406938
                                                      0x00406938
                                                      0x0040693d
                                                      0x00406940
                                                      0x00406945
                                                      0x00406948
                                                      0x0040694d
                                                      0x00406950
                                                      0x00406955
                                                      0x00406958
                                                      0x00406958
                                                      0x00000000
                                                      0x00406898
                                                      0x00406898
                                                      0x00406898
                                                      0x00406898
                                                      0x0040689c
                                                      0x0040689c
                                                      0x004068be
                                                      0x004068c1
                                                      0x004068c3
                                                      0x004068c6
                                                      0x004068cb
                                                      0x004068a1
                                                      0x004068a1
                                                      0x004068a6
                                                      0x004068a8
                                                      0x004068aa
                                                      0x004068af
                                                      0x004068b5
                                                      0x004068ba
                                                      0x004068bc
                                                      0x004068bc
                                                      0x004068b1
                                                      0x004068b1
                                                      0x004068b1

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                      • Instruction ID: c3f2784b42629965e79a9deb6a6c5a882cbc70a40949ec996fd179ba06f8b65e
                                                      • Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                      • Instruction Fuzzy Hash: EBE1BB71904719DFDB24CF58C880BAAB7F1FB45305F11852EE497A72C1E738AA91CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040727F(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                      				signed int _v8;
                                                      				unsigned int _v12;
                                                      				signed int _v16;
                                                      				intOrPtr _v20;
                                                      				signed int _v24;
                                                      				signed int _v28;
                                                      				intOrPtr* _v32;
                                                      				signed int* _v36;
                                                      				signed int _v40;
                                                      				signed int _v44;
                                                      				intOrPtr _v48;
                                                      				intOrPtr _v52;
                                                      				void _v116;
                                                      				signed int _v176;
                                                      				signed int _v180;
                                                      				signed int _v240;
                                                      				signed int _t166;
                                                      				signed int _t168;
                                                      				intOrPtr _t175;
                                                      				signed int _t181;
                                                      				void* _t182;
                                                      				intOrPtr _t183;
                                                      				signed int* _t184;
                                                      				signed int _t186;
                                                      				signed int _t187;
                                                      				signed int* _t189;
                                                      				signed int _t190;
                                                      				intOrPtr* _t191;
                                                      				intOrPtr _t192;
                                                      				signed int _t193;
                                                      				signed int _t195;
                                                      				signed int _t200;
                                                      				signed int _t205;
                                                      				void* _t207;
                                                      				short _t208;
                                                      				signed char _t222;
                                                      				signed int _t224;
                                                      				signed int _t225;
                                                      				signed int* _t232;
                                                      				signed int _t233;
                                                      				signed int _t234;
                                                      				void* _t235;
                                                      				signed int _t236;
                                                      				signed int _t244;
                                                      				signed int _t246;
                                                      				signed int _t251;
                                                      				signed int _t254;
                                                      				signed int _t256;
                                                      				signed int _t259;
                                                      				signed int _t262;
                                                      				void* _t263;
                                                      				void* _t264;
                                                      				signed int _t267;
                                                      				intOrPtr _t269;
                                                      				intOrPtr _t271;
                                                      				signed int _t274;
                                                      				intOrPtr* _t275;
                                                      				unsigned int _t276;
                                                      				void* _t277;
                                                      				signed int _t278;
                                                      				intOrPtr* _t279;
                                                      				signed int _t281;
                                                      				intOrPtr _t282;
                                                      				intOrPtr _t283;
                                                      				signed int* _t284;
                                                      				signed int _t286;
                                                      				signed int _t287;
                                                      				signed int _t288;
                                                      				signed int _t296;
                                                      				signed int* _t297;
                                                      				intOrPtr _t298;
                                                      				void* _t299;
                                                      
                                                      				_t278 = _a8;
                                                      				_t187 = 0x10;
                                                      				memset( &_v116, 0, _t187 << 2);
                                                      				_t189 = _a4;
                                                      				_t233 = _t278;
                                                      				do {
                                                      					_t166 =  *_t189;
                                                      					_t189 =  &(_t189[1]);
                                                      					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                      					_t233 = _t233 - 1;
                                                      				} while (_t233 != 0);
                                                      				if(_v116 != _t278) {
                                                      					_t279 = _a28;
                                                      					_t267 =  *_t279;
                                                      					_t190 = 1;
                                                      					_a28 = _t267;
                                                      					_t234 = 0xf;
                                                      					while(1) {
                                                      						_t168 = 0;
                                                      						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                      							break;
                                                      						}
                                                      						_t190 = _t190 + 1;
                                                      						if(_t190 <= _t234) {
                                                      							continue;
                                                      						}
                                                      						break;
                                                      					}
                                                      					_v8 = _t190;
                                                      					if(_t267 < _t190) {
                                                      						_a28 = _t190;
                                                      					}
                                                      					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                      						_t234 = _t234 - 1;
                                                      						if(_t234 != 0) {
                                                      							continue;
                                                      						}
                                                      						break;
                                                      					}
                                                      					_v28 = _t234;
                                                      					if(_a28 > _t234) {
                                                      						_a28 = _t234;
                                                      					}
                                                      					 *_t279 = _a28;
                                                      					_t181 = 1 << _t190;
                                                      					while(_t190 < _t234) {
                                                      						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                      						if(_t182 < 0) {
                                                      							L64:
                                                      							return _t168 | 0xffffffff;
                                                      						}
                                                      						_t190 = _t190 + 1;
                                                      						_t181 = _t182 + _t182;
                                                      					}
                                                      					_t281 = _t234 << 2;
                                                      					_t191 = _t299 + _t281 - 0x70;
                                                      					_t269 =  *_t191;
                                                      					_t183 = _t181 - _t269;
                                                      					_v52 = _t183;
                                                      					if(_t183 < 0) {
                                                      						goto L64;
                                                      					}
                                                      					_v176 = _t168;
                                                      					 *_t191 = _t269 + _t183;
                                                      					_t192 = 0;
                                                      					_t235 = _t234 - 1;
                                                      					if(_t235 == 0) {
                                                      						L21:
                                                      						_t184 = _a4;
                                                      						_t271 = 0;
                                                      						do {
                                                      							_t193 =  *_t184;
                                                      							_t184 =  &(_t184[1]);
                                                      							if(_t193 != _t168) {
                                                      								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                      								_t236 =  *_t232;
                                                      								 *((intOrPtr*)(0x4496a8 + _t236 * 4)) = _t271;
                                                      								 *_t232 = _t236 + 1;
                                                      							}
                                                      							_t271 = _t271 + 1;
                                                      						} while (_t271 < _a8);
                                                      						_v16 = _v16 | 0xffffffff;
                                                      						_v40 = _v40 & 0x00000000;
                                                      						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                      						_t195 = _v8;
                                                      						_t186 =  ~_a28;
                                                      						_v12 = _t168;
                                                      						_v180 = _t168;
                                                      						_v36 = 0x4496a8;
                                                      						_v240 = _t168;
                                                      						if(_t195 > _v28) {
                                                      							L62:
                                                      							_t168 = 0;
                                                      							if(_v52 == 0 || _v28 == 1) {
                                                      								return _t168;
                                                      							} else {
                                                      								goto L64;
                                                      							}
                                                      						}
                                                      						_v44 = _t195 - 1;
                                                      						_v32 = _t299 + _t195 * 4 - 0x70;
                                                      						do {
                                                      							_t282 =  *_v32;
                                                      							if(_t282 == 0) {
                                                      								goto L61;
                                                      							}
                                                      							while(1) {
                                                      								_t283 = _t282 - 1;
                                                      								_t200 = _a28 + _t186;
                                                      								_v48 = _t283;
                                                      								_v24 = _t200;
                                                      								if(_v8 <= _t200) {
                                                      									goto L45;
                                                      								}
                                                      								L31:
                                                      								_v20 = _t283 + 1;
                                                      								do {
                                                      									_v16 = _v16 + 1;
                                                      									_t296 = _v28 - _v24;
                                                      									if(_t296 > _a28) {
                                                      										_t296 = _a28;
                                                      									}
                                                      									_t222 = _v8 - _v24;
                                                      									_t254 = 1 << _t222;
                                                      									if(1 <= _v20) {
                                                      										L40:
                                                      										_t256 =  *_a36;
                                                      										_t168 = 1 << _t222;
                                                      										_v40 = 1;
                                                      										_t274 = _t256 + 1;
                                                      										if(_t274 > 0x5a0) {
                                                      											goto L64;
                                                      										}
                                                      									} else {
                                                      										_t275 = _v32;
                                                      										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                      										if(_t222 >= _t296) {
                                                      											goto L40;
                                                      										}
                                                      										while(1) {
                                                      											_t222 = _t222 + 1;
                                                      											if(_t222 >= _t296) {
                                                      												goto L40;
                                                      											}
                                                      											_t275 = _t275 + 4;
                                                      											_t264 = _t263 + _t263;
                                                      											_t175 =  *_t275;
                                                      											if(_t264 <= _t175) {
                                                      												goto L40;
                                                      											}
                                                      											_t263 = _t264 - _t175;
                                                      										}
                                                      										goto L40;
                                                      									}
                                                      									_t168 = _a32 + _t256 * 4;
                                                      									_t297 = _t299 + _v16 * 4 - 0xec;
                                                      									 *_a36 = _t274;
                                                      									_t259 = _v16;
                                                      									 *_t297 = _t168;
                                                      									if(_t259 == 0) {
                                                      										 *_a24 = _t168;
                                                      									} else {
                                                      										_t276 = _v12;
                                                      										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                      										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                      										_a5 = _a28;
                                                      										_a4 = _t222;
                                                      										_t262 = _t276 >> _t186;
                                                      										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                      										 *(_t298 + _t262 * 4) = _a4;
                                                      									}
                                                      									_t224 = _v24;
                                                      									_t186 = _t224;
                                                      									_t225 = _t224 + _a28;
                                                      									_v24 = _t225;
                                                      								} while (_v8 > _t225);
                                                      								L45:
                                                      								_t284 = _v36;
                                                      								_a5 = _v8 - _t186;
                                                      								if(_t284 < 0x4496a8 + _a8 * 4) {
                                                      									_t205 =  *_t284;
                                                      									if(_t205 >= _a12) {
                                                      										_t207 = _t205 - _a12 + _t205 - _a12;
                                                      										_v36 =  &(_v36[1]);
                                                      										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                      										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                      									} else {
                                                      										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                      										_t208 =  *_t284;
                                                      										_v36 =  &(_t284[1]);
                                                      									}
                                                      									_a6 = _t208;
                                                      								} else {
                                                      									_a4 = 0xc0;
                                                      								}
                                                      								_t286 = 1 << _v8 - _t186;
                                                      								_t244 = _v12 >> _t186;
                                                      								while(_t244 < _v40) {
                                                      									 *(_t168 + _t244 * 4) = _a4;
                                                      									_t244 = _t244 + _t286;
                                                      								}
                                                      								_t287 = _v12;
                                                      								_t246 = 1 << _v44;
                                                      								while((_t287 & _t246) != 0) {
                                                      									_t287 = _t287 ^ _t246;
                                                      									_t246 = _t246 >> 1;
                                                      								}
                                                      								_t288 = _t287 ^ _t246;
                                                      								_v20 = 1;
                                                      								_v12 = _t288;
                                                      								_t251 = _v16;
                                                      								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                      									L60:
                                                      									if(_v48 != 0) {
                                                      										_t282 = _v48;
                                                      										_t283 = _t282 - 1;
                                                      										_t200 = _a28 + _t186;
                                                      										_v48 = _t283;
                                                      										_v24 = _t200;
                                                      										if(_v8 <= _t200) {
                                                      											goto L45;
                                                      										}
                                                      										goto L31;
                                                      									}
                                                      									break;
                                                      								} else {
                                                      									goto L58;
                                                      								}
                                                      								do {
                                                      									L58:
                                                      									_t186 = _t186 - _a28;
                                                      									_t251 = _t251 - 1;
                                                      								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                      								_v16 = _t251;
                                                      								goto L60;
                                                      							}
                                                      							L61:
                                                      							_v8 = _v8 + 1;
                                                      							_v32 = _v32 + 4;
                                                      							_v44 = _v44 + 1;
                                                      						} while (_v8 <= _v28);
                                                      						goto L62;
                                                      					}
                                                      					_t277 = 0;
                                                      					do {
                                                      						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                      						_t277 = _t277 + 4;
                                                      						_t235 = _t235 - 1;
                                                      						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                      					} while (_t235 != 0);
                                                      					goto L21;
                                                      				}
                                                      				 *_a24 =  *_a24 & 0x00000000;
                                                      				 *_a28 =  *_a28 & 0x00000000;
                                                      				return 0;
                                                      			}

                                                      0x00000000
                                                      0x00000000
                                                      0x00407425
                                                      0x00407425
                                                      0x00000000
                                                      0x00407427
                                                      0x0040744b
                                                      0x00407451
                                                      0x0040745b
                                                      0x0040745d
                                                      0x00407462
                                                      0x00407464
                                                      0x0040749a
                                                      0x00407466
                                                      0x00407466
                                                      0x00407469
                                                      0x0040746c
                                                      0x00407476
                                                      0x00407479
                                                      0x00407480
                                                      0x0040748b
                                                      0x00407492
                                                      0x00407492
                                                      0x0040749c
                                                      0x0040749f
                                                      0x004074a1
                                                      0x004074a7
                                                      0x004074a7
                                                      0x004074b0
                                                      0x004074b3
                                                      0x004074b8
                                                      0x004074c7
                                                      0x004074cf
                                                      0x004074d4
                                                      0x004074f8
                                                      0x00407500
                                                      0x00407504
                                                      0x0040750a
                                                      0x004074d6
                                                      0x004074e4
                                                      0x004074e7
                                                      0x004074ed
                                                      0x004074ed
                                                      0x0040750e
                                                      0x004074c9
                                                      0x004074c9
                                                      0x004074c9
                                                      0x0040751f
                                                      0x00407523
                                                      0x0040752f
                                                      0x0040752a
                                                      0x0040752d
                                                      0x0040752d
                                                      0x00407537
                                                      0x0040753c
                                                      0x00407544
                                                      0x00407540
                                                      0x00407542
                                                      0x00407542
                                                      0x0040754a
                                                      0x0040754c
                                                      0x00407553
                                                      0x0040755d
                                                      0x00407567
                                                      0x00407583
                                                      0x00407587
                                                      0x004073cc
                                                      0x004073d2
                                                      0x004073d3
                                                      0x004073d5
                                                      0x004073db
                                                      0x004073de
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x004073de
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00000000
                                                      0x00407569
                                                      0x00407569
                                                      0x00407569
                                                      0x0040756e
                                                      0x00407577
                                                      0x00407580
                                                      0x00000000
                                                      0x00407580
                                                      0x0040758d
                                                      0x0040758d
                                                      0x00407590
                                                      0x00407597
                                                      0x0040759a
                                                      0x00000000
                                                      0x004073bd
                                                      0x0040733d
                                                      0x0040733f
                                                      0x0040733f
                                                      0x00407343
                                                      0x00407346
                                                      0x00407347
                                                      0x00407347
                                                      0x00000000
                                                      0x0040733f
                                                      0x004072b3
                                                      0x004072b9
                                                      0x00000000

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • Opcode ID: c7f0ca315d4942290e4845dc22ac506fa28f6714ce5458d8b639d44a854dd49c
                                                      • Instruction ID: 0ca4a47b5fc6764e995cd925f966ceec75b0dec410f7dca902c933a8aa8fc986
                                                      • Opcode Fuzzy Hash: c7f0ca315d4942290e4845dc22ac506fa28f6714ce5458d8b639d44a854dd49c
                                                      • Instruction Fuzzy Hash: 0FC13631E042199BCF18CF68D8905EEBBB2FF89314F25866AD85677380D734A942CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 96%
                                                      			E00404CD9(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                      				struct HWND__* _v8;
                                                      				struct HWND__* _v12;
                                                      				long _v16;
                                                      				signed int _v20;
                                                      				signed int _v24;
                                                      				intOrPtr _v28;
                                                      				signed char* _v32;
                                                      				int _v36;
                                                      				signed int _v44;
                                                      				int _v48;
                                                      				signed int* _v60;
                                                      				signed char* _v64;
                                                      				signed int _v68;
                                                      				long _v72;
                                                      				void* _v76;
                                                      				intOrPtr _v80;
                                                      				intOrPtr _v84;
                                                      				void* _v88;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t203;
                                                      				intOrPtr _t206;
                                                      				long _t212;
                                                      				signed int _t216;
                                                      				signed int _t227;
                                                      				void* _t230;
                                                      				void* _t231;
                                                      				int _t237;
                                                      				long _t242;
                                                      				long _t243;
                                                      				signed int _t244;
                                                      				signed int _t250;
                                                      				signed int _t252;
                                                      				signed char _t253;
                                                      				signed char _t259;
                                                      				void* _t264;
                                                      				void* _t266;
                                                      				signed char* _t284;
                                                      				signed char _t285;
                                                      				long _t290;
                                                      				signed int _t300;
                                                      				signed int _t308;
                                                      				signed char* _t316;
                                                      				int _t320;
                                                      				int _t321;
                                                      				signed int* _t322;
                                                      				int _t323;
                                                      				long _t324;
                                                      				signed int _t325;
                                                      				long _t327;
                                                      				int _t328;
                                                      				signed int _t329;
                                                      				void* _t331;
                                                      
                                                      				_v12 = GetDlgItem(_a4, 0x3f9);
                                                      				_v8 = GetDlgItem(_a4, 0x408);
                                                      				_t331 = SendMessageA;
                                                      				_v24 =  *0x452448;
                                                      				_v28 =  *0x452430 + 0x94;
                                                      				_t320 = 0x10;
                                                      				if(_a8 != 0x110) {
                                                      					L23:
                                                      					if(_a8 != 0x405) {
                                                      						_t298 = _a16;
                                                      					} else {
                                                      						_a12 = 0;
                                                      						_t298 = 1;
                                                      						_a8 = 0x40f;
                                                      						_a16 = 1;
                                                      					}
                                                      					if(_a8 == 0x4e || _a8 == 0x413) {
                                                      						_v16 = _t298;
                                                      						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
                                                      							if(( *0x452439 & 0x00000002) != 0) {
                                                      								L41:
                                                      								if(_v16 != 0) {
                                                      									_t242 = _v16;
                                                      									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
                                                      										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
                                                      									}
                                                      									_t243 = _v16;
                                                      									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
                                                      										_t298 = _v24;
                                                      										_t244 =  *(_t243 + 0x5c);
                                                      										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
                                                      											 *(_t244 * 0x2018 + _t298 + 8) =  *(_t244 * 0x2018 + _t298 + 8) & 0xffffffdf;
                                                      										} else {
                                                      											 *(_t244 * 0x2018 + _t298 + 8) =  *(_t244 * 0x2018 + _t298 + 8) | 0x00000020;
                                                      										}
                                                      									}
                                                      								}
                                                      								goto L48;
                                                      							}
                                                      							if(_a8 == 0x413) {
                                                      								L33:
                                                      								_t298 = 0 | _a8 != 0x00000413;
                                                      								_t250 = E00404C27(_v8, _a8 != 0x413);
                                                      								_t325 = _t250;
                                                      								if(_t325 >= 0) {
                                                      									_t99 = _v24 + 8; // 0x8
                                                      									_t298 = _t250 * 0x2018 + _t99;
                                                      									_t252 =  *_t298;
                                                      									if((_t252 & 0x00000010) == 0) {
                                                      										if((_t252 & 0x00000040) == 0) {
                                                      											_t253 = _t252 ^ 0x00000001;
                                                      										} else {
                                                      											_t259 = _t252 ^ 0x00000080;
                                                      											if(_t259 >= 0) {
                                                      												_t253 = _t259 & 0x000000fe;
                                                      											} else {
                                                      												_t253 = _t259 | 0x00000001;
                                                      											}
                                                      										}
                                                      										 *_t298 = _t253;
                                                      										E0040117D(_t325);
                                                      										_a12 = _t325 + 1;
                                                      										_a16 =  !( *0x452438) >> 0x00000008 & 0x00000001;
                                                      										_a8 = 0x40f;
                                                      									}
                                                      								}
                                                      								goto L41;
                                                      							}
                                                      							_t298 = _a16;
                                                      							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                      								goto L41;
                                                      							}
                                                      							goto L33;
                                                      						} else {
                                                      							goto L48;
                                                      						}
                                                      					} else {
                                                      						L48:
                                                      						if(_a8 != 0x111) {
                                                      							L56:
                                                      							if(_a8 == 0x200) {
                                                      								SendMessageA(_v8, 0x200, 0, 0);
                                                      							}
                                                      							if(_a8 == 0x40b) {
                                                      								_t230 =  *0x43c074;
                                                      								if(_t230 != 0) {
                                                      									ImageList_Destroy(_t230);
                                                      								}
                                                      								_t231 =  *0x43c088;
                                                      								if(_t231 != 0) {
                                                      									GlobalFree(_t231);
                                                      								}
                                                      								 *0x43c074 = 0;
                                                      								 *0x43c088 = 0;
                                                      								 *0x452480 = 0;
                                                      							}
                                                      							if(_a8 != 0x40f) {
                                                      								L90:
                                                      								if(_a8 == 0x420 && ( *0x452439 & 0x00000001) != 0) {
                                                      									_t321 = (0 | _a16 == 0x00000020) << 3;
                                                      									ShowWindow(_v8, _t321);
                                                      									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
                                                      								}
                                                      								goto L93;
                                                      							} else {
                                                      								E004011EF(_t298, 0, 0);
                                                      								_t203 = _a12;
                                                      								if(_t203 != 0) {
                                                      									if(_t203 != 0xffffffff) {
                                                      										_t203 = _t203 - 1;
                                                      									}
                                                      									_push(_t203);
                                                      									_push(8);
                                                      									E00404CA7();
                                                      								}
                                                      								if(_a16 == 0) {
                                                      									L75:
                                                      									E004011EF(_t298, 0, 0);
                                                      									_v36 =  *0x43c088;
                                                      									_t206 =  *0x452448;
                                                      									_v64 = 0xf030;
                                                      									_v24 = 0;
                                                      									if( *0x45244c <= 0) {
                                                      										L86:
                                                      										if( *0x4524de == 0x400) {
                                                      											InvalidateRect(_v8, 0, 1);
                                                      										}
                                                      										if( *((intOrPtr*)( *0x44e3fc + 0x10)) != 0) {
                                                      											E00404BE2(0x3ff, 0xfffffffb, E00404BFA(5));
                                                      										}
                                                      										goto L90;
                                                      									}
                                                      									_t322 = _t206 + 8;
                                                      									do {
                                                      										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                      										if(_t212 != 0) {
                                                      											_t300 =  *_t322;
                                                      											_v72 = _t212;
                                                      											_v76 = 8;
                                                      											if((_t300 & 0x00000001) != 0) {
                                                      												_v76 = 9;
                                                      												_v60 =  &(_t322[4]);
                                                      												_t322[0] = _t322[0] & 0x000000fe;
                                                      											}
                                                      											if((_t300 & 0x00000040) == 0) {
                                                      												_t216 = (_t300 & 0x00000001) + 1;
                                                      												if((_t300 & 0x00000010) != 0) {
                                                      													_t216 = _t216 + 3;
                                                      												}
                                                      											} else {
                                                      												_t216 = 3;
                                                      											}
                                                      											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
                                                      											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                      											SendMessageA(_v8, 0x110d, 0,  &_v76);
                                                      										}
                                                      										_v24 = _v24 + 1;
                                                      										_t322 =  &(_t322[0x806]);
                                                      									} while (_v24 <  *0x45244c);
                                                      									goto L86;
                                                      								} else {
                                                      									_t323 = E004012E2( *0x43c088);
                                                      									E00401299(_t323);
                                                      									_t227 = 0;
                                                      									_t298 = 0;
                                                      									if(_t323 <= 0) {
                                                      										L74:
                                                      										SendMessageA(_v12, 0x14e, _t298, 0);
                                                      										_a16 = _t323;
                                                      										_a8 = 0x420;
                                                      										goto L75;
                                                      									} else {
                                                      										goto L71;
                                                      									}
                                                      									do {
                                                      										L71:
                                                      										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
                                                      											_t298 = _t298 + 1;
                                                      										}
                                                      										_t227 = _t227 + 1;
                                                      									} while (_t227 < _t323);
                                                      									goto L74;
                                                      								}
                                                      							}
                                                      						}
                                                      						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                      							goto L93;
                                                      						} else {
                                                      							_t237 = SendMessageA(_v12, 0x147, 0, 0);
                                                      							if(_t237 == 0xffffffff) {
                                                      								goto L93;
                                                      							}
                                                      							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
                                                      							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
                                                      								_t324 = 0x20;
                                                      							}
                                                      							E00401299(_t324);
                                                      							SendMessageA(_a4, 0x420, 0, _t324);
                                                      							_a12 = _a12 | 0xffffffff;
                                                      							_a16 = 0;
                                                      							_a8 = 0x40f;
                                                      							goto L56;
                                                      						}
                                                      					}
                                                      				} else {
                                                      					_v36 = 0;
                                                      					 *0x452480 = _a4;
                                                      					_v20 = 2;
                                                      					 *0x43c088 = GlobalAlloc(0x40,  *0x45244c << 2);
                                                      					_t264 = LoadImageA( *0x452420, 0x6e, 0, 0, 0, 0);
                                                      					 *0x43c07c =  *0x43c07c | 0xffffffff;
                                                      					_v16 = _t264;
                                                      					 *0x43c084 = SetWindowLongA(_v8, 0xfffffffc, E004052EC);
                                                      					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
                                                      					 *0x43c074 = _t266;
                                                      					ImageList_AddMasked(_t266, _v16, 0xff00ff);
                                                      					SendMessageA(_v8, 0x1109, 2,  *0x43c074);
                                                      					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
                                                      						SendMessageA(_v8, 0x111b, _t320, 0);
                                                      					}
                                                      					DeleteObject(_v16);
                                                      					_t327 = 0;
                                                      					do {
                                                      						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
                                                      						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
                                                      							if(_t327 != 0x20) {
                                                      								_v20 = 0;
                                                      							}
                                                      							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E004062EA(0, _t327, _t331, 0, _t272)), _t327);
                                                      						}
                                                      						_t327 = _t327 + 1;
                                                      					} while (_t327 < 0x21);
                                                      					_t328 = _a16;
                                                      					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
                                                      					_push(0x15);
                                                      					E004042D4(_a4);
                                                      					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
                                                      					_push(0x16);
                                                      					E004042D4(_a4);
                                                      					_t329 = 0;
                                                      					_v16 = 0;
                                                      					if( *0x45244c <= 0) {
                                                      						L19:
                                                      						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                      						goto L20;
                                                      					} else {
                                                      						_t316 = _v24 + 8;
                                                      						_v32 = _t316;
                                                      						do {
                                                      							_t284 =  &(_t316[0x10]);
                                                      							if( *_t284 != 0) {
                                                      								_v64 = _t284;
                                                      								_t285 =  *_t316;
                                                      								_v88 = _v16;
                                                      								_t308 = 0x20;
                                                      								_v84 = 0xffff0002;
                                                      								_v80 = 0xd;
                                                      								_v68 = _t308;
                                                      								_v44 = _t329;
                                                      								_v72 = _t285 & _t308;
                                                      								if((_t285 & 0x00000002) == 0) {
                                                      									if((_t285 & 0x00000004) == 0) {
                                                      										 *( *0x43c088 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                      									} else {
                                                      										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
                                                      									}
                                                      								} else {
                                                      									_v80 = 0x4d;
                                                      									_v48 = 1;
                                                      									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
                                                      									_v36 = 1;
                                                      									 *( *0x43c088 + _t329 * 4) = _t290;
                                                      									_v16 =  *( *0x43c088 + _t329 * 4);
                                                      								}
                                                      							}
                                                      							_t329 = _t329 + 1;
                                                      							_t316 =  &(_v32[0x2018]);
                                                      							_v32 = _t316;
                                                      						} while (_t329 <  *0x45244c);
                                                      						if(_v36 != 0) {
                                                      							L20:
                                                      							if(_v20 != 0) {
                                                      								E00404309(_v8);
                                                      								goto L23;
                                                      							} else {
                                                      								ShowWindow(_v12, 5);
                                                      								E00404309(_v12);
                                                      								L93:
                                                      								return E0040433B(_a8, _a12, _a16);
                                                      							}
                                                      						}
                                                      						goto L19;
                                                      					}
                                                      				}
                                                      			}

                                                      APIs
                                                      • GetDlgItem.USER32 ref: 00404CF0
                                                      • GetDlgItem.USER32 ref: 00404CFD
                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D4C
                                                      • LoadImageA.USER32 ref: 00404D63
                                                      • SetWindowLongA.USER32 ref: 00404D7D
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D8F
                                                      • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DA3
                                                      • SendMessageA.USER32(?,00001109,00000002), ref: 00404DB9
                                                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404DC5
                                                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404DD5
                                                      • DeleteObject.GDI32(00000110), ref: 00404DDA
                                                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E05
                                                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E11
                                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EAB
                                                      • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404EDB
                                                        • Part of subcall function 00404309: SendMessageA.USER32(00000028,?,00000001,00404139), ref: 00404317
                                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EEF
                                                      • GetWindowLongA.USER32 ref: 00404F1D
                                                      • SetWindowLongA.USER32 ref: 00404F2B
                                                      • ShowWindow.USER32(?,00000005), ref: 00404F3B
                                                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00405036
                                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040509B
                                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004050B0
                                                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 004050D4
                                                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 004050F4
                                                      • ImageList_Destroy.COMCTL32(?), ref: 00405109
                                                      • GlobalFree.KERNEL32 ref: 00405119
                                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405192
                                                      • SendMessageA.USER32(?,00001102,?,?), ref: 0040523B
                                                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040524A
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00405275
                                                      • ShowWindow.USER32(?,00000000), ref: 004052C3
                                                      • GetDlgItem.USER32 ref: 004052CE
                                                      • ShowWindow.USER32(00000000), ref: 004052D5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                      • String ID: $M$N
                                                      • API String ID: 2564846305-813528018
                                                      • Opcode ID: 722e34d199a2cc1df1e11776506d2daa6a38aa26af04167630ed6e88af3af4de
                                                      • Instruction ID: 1a89480aaa14410690893e3e2f323560a6be9801fb1e0a4c64b47d85f3ee2a2e
                                                      • Opcode Fuzzy Hash: 722e34d199a2cc1df1e11776506d2daa6a38aa26af04167630ed6e88af3af4de
                                                      • Instruction Fuzzy Hash: A90268B0900209EFEB149FA4CD85AAE7BB5FB45314F14817AF614BA2E1C7788E41DF58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 91%
                                                      			E0040443F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                      				intOrPtr _v8;
                                                      				signed int _v12;
                                                      				void* _v16;
                                                      				struct HWND__* _t52;
                                                      				long _t86;
                                                      				int _t98;
                                                      				struct HWND__* _t99;
                                                      				signed int _t100;
                                                      				intOrPtr _t103;
                                                      				intOrPtr _t109;
                                                      				int _t110;
                                                      				signed int* _t112;
                                                      				signed int _t113;
                                                      				char* _t114;
                                                      				CHAR* _t115;
                                                      
                                                      				if(_a8 != 0x110) {
                                                      					if(_a8 != 0x111) {
                                                      						L11:
                                                      						if(_a8 != 0x4e) {
                                                      							if(_a8 == 0x40b) {
                                                      								 *0x43405c =  *0x43405c + 1;
                                                      							}
                                                      							L25:
                                                      							_t110 = _a16;
                                                      							L26:
                                                      							return E0040433B(_a8, _a12, _t110);
                                                      						}
                                                      						_t52 = GetDlgItem(_a4, 0x3e8);
                                                      						_t110 = _a16;
                                                      						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                      							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                      							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                      							_v12 = _t100;
                                                      							_v16 = _t109;
                                                      							_v8 = 0x44a3c0;
                                                      							if(_t100 - _t109 < 0x4000) {
                                                      								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                      								SetCursor(LoadCursorA(0, 0x7f02));
                                                      								_push(1);
                                                      								E004046E3(_a4, _v8);
                                                      								SetCursor(LoadCursorA(0, 0x7f00));
                                                      								_t110 = _a16;
                                                      							}
                                                      						}
                                                      						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                      							goto L26;
                                                      						} else {
                                                      							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                      								SendMessageA( *0x452428, 0x111, 1, 0);
                                                      							}
                                                      							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                      								SendMessageA( *0x452428, 0x10, 0, 0);
                                                      							}
                                                      							return 1;
                                                      						}
                                                      					}
                                                      					if(_a12 >> 0x10 != 0 ||  *0x43405c != 0) {
                                                      						goto L25;
                                                      					} else {
                                                      						_t103 =  *0x438068; // 0x66851c
                                                      						_t25 = _t103 + 0x14; // 0x668530
                                                      						_t112 = _t25;
                                                      						if(( *_t112 & 0x00000020) == 0) {
                                                      							goto L25;
                                                      						}
                                                      						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                      						E004042F6(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                      						E004046BF();
                                                      						goto L11;
                                                      					}
                                                      				}
                                                      				_t98 = _a16;
                                                      				_t113 =  *(_t98 + 0x30);
                                                      				if(_t113 < 0) {
                                                      					_t113 =  *( *0x44e3fc - 4 + _t113 * 4);
                                                      				}
                                                      				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                      				_t114 = _t113 +  *0x452458;
                                                      				_push(0x22);
                                                      				_a16 =  *_t114;
                                                      				_v12 = _v12 & 0x00000000;
                                                      				_t115 = _t114 + 1;
                                                      				_v16 = _t115;
                                                      				_v8 = E0040440A;
                                                      				E004042D4(_a4);
                                                      				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                      				_push(0x23);
                                                      				E004042D4(_a4);
                                                      				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                      				E004042F6( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                      				_t99 = GetDlgItem(_a4, 0x3e8);
                                                      				E00404309(_t99);
                                                      				SendMessageA(_t99, 0x45b, 1, 0);
                                                      				_t86 =  *( *0x452430 + 0x68);
                                                      				if(_t86 < 0) {
                                                      					_t86 = GetSysColor( ~_t86);
                                                      				}
                                                      				SendMessageA(_t99, 0x443, 0, _t86);
                                                      				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                      				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                      				 *0x43405c = 0;
                                                      				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                      				 *0x43405c = 0;
                                                      				return 0;
                                                      			}



















                                                      APIs
                                                      • CheckDlgButton.USER32 ref: 004044CA
                                                      • GetDlgItem.USER32 ref: 004044DE
                                                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004044FC
                                                      • GetSysColor.USER32(?), ref: 0040450D
                                                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040451C
                                                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040452B
                                                      • lstrlenA.KERNEL32(?), ref: 0040452E
                                                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040453D
                                                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404552
                                                      • GetDlgItem.USER32 ref: 004045B4
                                                      • SendMessageA.USER32(00000000), ref: 004045B7
                                                      • GetDlgItem.USER32 ref: 004045E2
                                                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404622
                                                      • LoadCursorA.USER32 ref: 00404631
                                                      • SetCursor.USER32(00000000), ref: 0040463A
                                                      • LoadCursorA.USER32 ref: 00404650
                                                      • SetCursor.USER32(00000000), ref: 00404653
                                                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040467F
                                                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404693
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                      • String ID: D@$Call$N
                                                      • API String ID: 3103080414-412525607
                                                      • Opcode ID: 15772a3c75ca3d8061e8ccc65e3c54641ef039aaa1b6f429936ff2e1fb0ef24c
                                                      • Instruction ID: 2bd06c0691c76b957e6ebeae131719b0bc75d5682994f338a7987809ed17278e
                                                      • Opcode Fuzzy Hash: 15772a3c75ca3d8061e8ccc65e3c54641ef039aaa1b6f429936ff2e1fb0ef24c
                                                      • Instruction Fuzzy Hash: A661A1B1A40309BFEB109F61DC45B6A3B68EB85714F10443AFB04BB1D1D7B9A9618F98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 90%
                                                      			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                      				struct tagLOGBRUSH _v16;
                                                      				struct tagRECT _v32;
                                                      				struct tagPAINTSTRUCT _v96;
                                                      				struct HDC__* _t70;
                                                      				struct HBRUSH__* _t87;
                                                      				struct HFONT__* _t94;
                                                      				long _t102;
                                                      				signed int _t126;
                                                      				struct HDC__* _t128;
                                                      				intOrPtr _t130;
                                                      
                                                      				if(_a8 == 0xf) {
                                                      					_t130 =  *0x452430;
                                                      					_t70 = BeginPaint(_a4,  &_v96);
                                                      					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                      					_a8 = _t70;
                                                      					GetClientRect(_a4,  &_v32);
                                                      					_t126 = _v32.bottom;
                                                      					_v32.bottom = _v32.bottom & 0x00000000;
                                                      					while(_v32.top < _t126) {
                                                      						_a12 = _t126 - _v32.top;
                                                      						asm("cdq");
                                                      						asm("cdq");
                                                      						asm("cdq");
                                                      						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                      						_t87 = CreateBrushIndirect( &_v16);
                                                      						_v32.bottom = _v32.bottom + 4;
                                                      						_a16 = _t87;
                                                      						FillRect(_a8,  &_v32, _t87);
                                                      						DeleteObject(_a16);
                                                      						_v32.top = _v32.top + 4;
                                                      					}
                                                      					if( *(_t130 + 0x58) != 0xffffffff) {
                                                      						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                      						_a16 = _t94;
                                                      						if(_t94 != 0) {
                                                      							_t128 = _a8;
                                                      							_v32.left = 0x10;
                                                      							_v32.top = 8;
                                                      							SetBkMode(_t128, 1);
                                                      							SetTextColor(_t128,  *(_t130 + 0x58));
                                                      							_a8 = SelectObject(_t128, _a16);
                                                      							DrawTextA(_t128, 0x44e420, 0xffffffff,  &_v32, 0x820);
                                                      							SelectObject(_t128, _a8);
                                                      							DeleteObject(_a16);
                                                      						}
                                                      					}
                                                      					EndPaint(_a4,  &_v96);
                                                      					return 0;
                                                      				}
                                                      				_t102 = _a16;
                                                      				if(_a8 == 0x46) {
                                                      					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                      					 *((intOrPtr*)(_t102 + 4)) =  *0x452428;
                                                      				}
                                                      				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                      			}














                                                      APIs
                                                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                      • GetClientRect.USER32 ref: 0040105B
                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                      • FillRect.USER32 ref: 004010E4
                                                      • DeleteObject.GDI32(?), ref: 004010ED
                                                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                                      • DrawTextA.USER32(00000000,0044E420,000000FF,00000010,00000820), ref: 00401156
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                      • DeleteObject.GDI32(?), ref: 00401165
                                                      • EndPaint.USER32(?,?), ref: 0040116E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                      • String ID: F
                                                      • API String ID: 941294808-1304234792
                                                      • Opcode ID: e50ea74f15248b3a8d8dcc9d44ab31c14e61b46c1ddd60218d8e11a1e588ca0f
                                                      • Instruction ID: 0bd4ef5fed811bbf4bded0a7f85d82f2f783d311ad13c466ed52a022670cf4ac
                                                      • Opcode Fuzzy Hash: e50ea74f15248b3a8d8dcc9d44ab31c14e61b46c1ddd60218d8e11a1e588ca0f
                                                      • Instruction Fuzzy Hash: E7417C71800209AFCF058FA5DE459AFBFB9FF45315F00802AF991AA1A0C774EA55DFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405EC0(void* __ecx) {
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				long _t12;
                                                      				long _t24;
                                                      				char* _t31;
                                                      				int _t37;
                                                      				void* _t38;
                                                      				intOrPtr* _t39;
                                                      				long _t42;
                                                      				CHAR* _t44;
                                                      				void* _t46;
                                                      				void* _t48;
                                                      				void* _t49;
                                                      				void* _t52;
                                                      				void* _t53;
                                                      
                                                      				_t38 = __ecx;
                                                      				_t44 =  *(_t52 + 0x14);
                                                      				 *0x448620 = 0x4c554e;
                                                      				if(_t44 == 0) {
                                                      					L3:
                                                      					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x448a20, 0x400);
                                                      					if(_t12 != 0 && _t12 <= 0x400) {
                                                      						_t37 = wsprintfA(0x448220, "%s=%s\r\n", 0x448620, 0x448a20);
                                                      						_t53 = _t52 + 0x10;
                                                      						E004062EA(_t37, 0x400, 0x448a20, 0x448a20,  *((intOrPtr*)( *0x452430 + 0x128)));
                                                      						_t12 = E00405DEA(0x448a20, 0xc0000000, 4);
                                                      						_t48 = _t12;
                                                      						 *(_t53 + 0x18) = _t48;
                                                      						if(_t48 != 0xffffffff) {
                                                      							_t42 = GetFileSize(_t48, 0);
                                                      							_t6 = _t37 + 0xa; // 0xa
                                                      							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                      							if(_t46 == 0 || E00405E62(_t48, _t46, _t42) == 0) {
                                                      								L18:
                                                      								return CloseHandle(_t48);
                                                      							} else {
                                                      								if(E00405D4F(_t38, _t46, "[Rename]\r\n") != 0) {
                                                      									_t49 = E00405D4F(_t38, _t21 + 0xa, 0x40a3d8);
                                                      									if(_t49 == 0) {
                                                      										_t48 =  *(_t53 + 0x18);
                                                      										L16:
                                                      										_t24 = _t42;
                                                      										L17:
                                                      										E00405DA5(_t24 + _t46, 0x448220, _t37);
                                                      										SetFilePointer(_t48, 0, 0, 0);
                                                      										E00405E91(_t48, _t46, _t42 + _t37);
                                                      										GlobalFree(_t46);
                                                      										goto L18;
                                                      									}
                                                      									_t39 = _t46 + _t42;
                                                      									_t31 = _t39 + _t37;
                                                      									while(_t39 > _t49) {
                                                      										 *_t31 =  *_t39;
                                                      										_t31 = _t31 - 1;
                                                      										_t39 = _t39 - 1;
                                                      									}
                                                      									_t24 = _t49 - _t46 + 1;
                                                      									_t48 =  *(_t53 + 0x18);
                                                      									goto L17;
                                                      								}
                                                      								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                      								_t42 = _t42 + 0xa;
                                                      								goto L16;
                                                      							}
                                                      						}
                                                      					}
                                                      				} else {
                                                      					CloseHandle(E00405DEA(_t44, 0, 1));
                                                      					_t12 = GetShortPathNameA(_t44, 0x448620, 0x400);
                                                      					if(_t12 != 0 && _t12 <= 0x400) {
                                                      						goto L3;
                                                      					}
                                                      				}
                                                      				return _t12;
                                                      			}

                                                      APIs
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406051,?,?), ref: 00405EF1
                                                      • GetShortPathNameA.KERNEL32 ref: 00405EFA
                                                        • Part of subcall function 00405D4F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5F
                                                        • Part of subcall function 00405D4F: lstrlenA.KERNEL32(00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D91
                                                      • GetShortPathNameA.KERNEL32 ref: 00405F17
                                                      • wsprintfA.USER32 ref: 00405F35
                                                      • GetFileSize.KERNEL32(00000000,00000000,00448A20,C0000000,00000004,00448A20,?,?,?,?,?), ref: 00405F70
                                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F7F
                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB7
                                                      • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,00448220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 0040600D
                                                      • GlobalFree.KERNEL32 ref: 0040601E
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406025
                                                        • Part of subcall function 00405DEA: GetFileAttributesA.KERNELBASE(00000003,00402F4C,00489000,80000000,00000003,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405DEE
                                                        • Part of subcall function 00405DEA: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405E10
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                      • String ID: %s=%s$[Rename]
                                                      • API String ID: 2171350718-1727408572
                                                      • Opcode ID: 86c75f9ffb992eab75565988558f4edcfd0a1f7ba9e91908d43dc06201ce60aa
                                                      • Instruction ID: a927ddba45d5df7a47f9583d2fa9cd5bb3fc37aebfc63fa68c1436a548016810
                                                      • Opcode Fuzzy Hash: 86c75f9ffb992eab75565988558f4edcfd0a1f7ba9e91908d43dc06201ce60aa
                                                      • Instruction Fuzzy Hash: 7C310531200B166BC2207B659D48F6B7A9CEF49758F15043FFA42F62D2DB7CD8118AAD
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E0040433B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                      				struct tagLOGBRUSH _v16;
                                                      				long _t39;
                                                      				long _t41;
                                                      				void* _t44;
                                                      				signed char _t50;
                                                      				long* _t54;
                                                      
                                                      				if(_a4 + 0xfffffecd > 5) {
                                                      					L18:
                                                      					return 0;
                                                      				}
                                                      				_t54 = GetWindowLongA(_a12, 0xffffffeb);
                                                      				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                      					goto L18;
                                                      				} else {
                                                      					_t50 = _t54[5];
                                                      					if((_t50 & 0xffffffe0) != 0) {
                                                      						goto L18;
                                                      					}
                                                      					_t39 =  *_t54;
                                                      					if((_t50 & 0x00000002) != 0) {
                                                      						_t39 = GetSysColor(_t39);
                                                      					}
                                                      					if((_t54[5] & 0x00000001) != 0) {
                                                      						SetTextColor(_a8, _t39);
                                                      					}
                                                      					SetBkMode(_a8, _t54[4]);
                                                      					_t41 = _t54[1];
                                                      					_v16.lbColor = _t41;
                                                      					if((_t54[5] & 0x00000008) != 0) {
                                                      						_t41 = GetSysColor(_t41);
                                                      						_v16.lbColor = _t41;
                                                      					}
                                                      					if((_t54[5] & 0x00000004) != 0) {
                                                      						SetBkColor(_a8, _t41);
                                                      					}
                                                      					if((_t54[5] & 0x00000010) != 0) {
                                                      						_v16.lbStyle = _t54[2];
                                                      						_t44 = _t54[3];
                                                      						if(_t44 != 0) {
                                                      							DeleteObject(_t44);
                                                      						}
                                                      						_t54[3] = CreateBrushIndirect( &_v16);
                                                      					}
                                                      					return _t54[3];
                                                      				}
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                      • String ID:
                                                      • API String ID: 2320649405-0
                                                      • Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                      • Instruction ID: d64fbe2596ca860a271eaf52242e9b3e10407c8dba4713a28e38d7cfcaef20bb
                                                      • Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                      • Instruction Fuzzy Hash: 822174716007049FCB30DF68D908B5BBBF8AF81710B04892EED96A26E1C734D915CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00404C27(struct HWND__* _a4, intOrPtr _a8) {
                                                      				long _v8;
                                                      				signed char _v12;
                                                      				unsigned int _v16;
                                                      				void* _v20;
                                                      				intOrPtr _v24;
                                                      				long _v56;
                                                      				void* _v60;
                                                      				long _t15;
                                                      				unsigned int _t19;
                                                      				signed int _t25;
                                                      				struct HWND__* _t28;
                                                      
                                                      				_t28 = _a4;
                                                      				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                      				if(_a8 == 0) {
                                                      					L4:
                                                      					_v56 = _t15;
                                                      					_v60 = 4;
                                                      					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                      					return _v24;
                                                      				}
                                                      				_t19 = GetMessagePos();
                                                      				_v16 = _t19 >> 0x10;
                                                      				_v20 = _t19;
                                                      				ScreenToClient(_t28,  &_v20);
                                                      				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                      				if((_v12 & 0x00000066) != 0) {
                                                      					_t15 = _v8;
                                                      					goto L4;
                                                      				}
                                                      				return _t25 | 0xffffffff;
                                                      			}















                                                      APIs
                                                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C42
                                                      • GetMessagePos.USER32 ref: 00404C4A
                                                      • ScreenToClient.USER32 ref: 00404C64
                                                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404C76
                                                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404C9C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Message$Send$ClientScreen
                                                      • String ID: f
                                                      • API String ID: 41195575-1993550816
                                                      • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                      • Instruction ID: 6a0354fd0873e2a66e4e803e7b6bfaf8a717de4a4c12bc6328b4bc3a065c57a7
                                                      • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                      • Instruction Fuzzy Hash: DB015E71900219BAEB00DBA4DD85BFFBBBCAF55B25F10012BBB40B61D0C7B499018BA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00402E25(struct HWND__* _a4, intOrPtr _a8) {
                                                      				char _v68;
                                                      				int _t11;
                                                      				int _t20;
                                                      
                                                      				if(_a8 == 0x110) {
                                                      					SetTimer(_a4, 1, 0xfa, 0);
                                                      					_a8 = 0x113;
                                                      				}
                                                      				if(_a8 == 0x113) {
                                                      					_t20 =  *0x426040; // 0x5d72a
                                                      					_t11 =  *0x43204c;
                                                      					if(_t20 >= _t11) {
                                                      						_t20 = _t11;
                                                      					}
                                                      					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                      					SetWindowTextA(_a4,  &_v68);
                                                      					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                      				}
                                                      				return 0;
                                                      			}







                                                      APIs
                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
                                                      • MulDiv.KERNEL32(0005D72A,00000064,?), ref: 00402E6B
                                                      • wsprintfA.USER32 ref: 00402E7B
                                                      • SetWindowTextA.USER32(?,?), ref: 00402E8B
                                                      • SetDlgItemTextA.USER32 ref: 00402E9D
                                                      Strings
                                                      • verifying installer: %d%%, xrefs: 00402E75
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Text$ItemTimerWindowwsprintf
                                                      • String ID: verifying installer: %d%%
                                                      • API String ID: 1451636040-82062127
                                                      • Opcode ID: e1da18572ac3f187fc77d5c4af13952b4a3d26122b54d68a4e28551509f817f3
                                                      • Instruction ID: d1e0a2a93c5684a536d9419adbf701d81bd0aa6c2e01a71bf08629b566d4acbd
                                                      • Opcode Fuzzy Hash: e1da18572ac3f187fc77d5c4af13952b4a3d26122b54d68a4e28551509f817f3
                                                      • Instruction Fuzzy Hash: 4A016270640209FBEF209F60DE09EAE3769EB04344F008039FA06B51D0DBB89955CF59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 86%
                                                      			E004027E8(int __ebx) {
                                                      				CHAR* _t26;
                                                      				void* _t29;
                                                      				long _t37;
                                                      				int _t49;
                                                      				void* _t52;
                                                      				void* _t54;
                                                      				void* _t56;
                                                      				void* _t59;
                                                      				void* _t60;
                                                      				void* _t61;
                                                      
                                                      				_t49 = __ebx;
                                                      				_t52 = 0xfffffd66;
                                                      				_t26 = E00402C39(0xfffffff0);
                                                      				_t55 = _t26;
                                                      				 *(_t61 - 0x78) = _t26;
                                                      				if(E00405C56(_t26) == 0) {
                                                      					E00402C39(0xffffffed);
                                                      				}
                                                      				E00405DC5(_t55);
                                                      				_t29 = E00405DEA(_t55, 0x40000000, 2);
                                                      				 *(_t61 + 8) = _t29;
                                                      				if(_t29 != 0xffffffff) {
                                                      					 *(_t61 - 0xc) =  *(_t61 - 0x24);
                                                      					if( *(_t61 - 0x20) != _t49) {
                                                      						_t37 =  *0x452434;
                                                      						 *(_t61 - 0x30) = _t37;
                                                      						_t54 = GlobalAlloc(0x40, _t37);
                                                      						if(_t54 != _t49) {
                                                      							E0040336B(_t49);
                                                      							E00403355(_t54,  *(_t61 - 0x30));
                                                      							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x20));
                                                      							 *(_t61 - 0x38) = _t59;
                                                      							if(_t59 != _t49) {
                                                      								E00403143( *(_t61 - 0x24), _t49, _t59,  *(_t61 - 0x20));
                                                      								while( *_t59 != _t49) {
                                                      									_t60 = _t59 + 8;
                                                      									 *(_t61 - 0x8c) =  *_t59;
                                                      									E00405DA5( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                                                      									_t59 = _t60 +  *(_t61 - 0x8c);
                                                      								}
                                                      								GlobalFree( *(_t61 - 0x38));
                                                      							}
                                                      							E00405E91( *(_t61 + 8), _t54,  *(_t61 - 0x30));
                                                      							GlobalFree(_t54);
                                                      							 *(_t61 - 0xc) =  *(_t61 - 0xc) | 0xffffffff;
                                                      						}
                                                      					}
                                                      					_t52 = E00403143( *(_t61 - 0xc),  *(_t61 + 8), _t49, _t49);
                                                      					CloseHandle( *(_t61 + 8));
                                                      				}
                                                      				_t56 = 0xfffffff3;
                                                      				if(_t52 < _t49) {
                                                      					_t56 = 0xffffffef;
                                                      					DeleteFileA( *(_t61 - 0x78));
                                                      					 *((intOrPtr*)(_t61 - 4)) = 1;
                                                      				}
                                                      				_push(_t56);
                                                      				E00401423();
                                                      				 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t61 - 4));
                                                      				return 0;
                                                      			}














                                                      APIs
                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
                                                      • GlobalFree.KERNEL32 ref: 004028A4
                                                      • GlobalFree.KERNEL32 ref: 004028B7
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
                                                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                      • String ID:
                                                      • API String ID: 2667972263-0
                                                      • Opcode ID: a3127964956f8a126563134f11b56d6a7ee8279a476d2f452480084297a57a74
                                                      • Instruction ID: 62dc5015629f04e2a446b0396b5ca5864e91704113ef4cf620f7a35519d741bb
                                                      • Opcode Fuzzy Hash: a3127964956f8a126563134f11b56d6a7ee8279a476d2f452480084297a57a74
                                                      • Instruction Fuzzy Hash: 4B31AD32800128BBDF207FA5DE88D9E7B79BF08324F14423AF454B62D1CB7989419B68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 88%
                                                      			E73431C2B(signed int __edx, char _a8, void* _a16) {
                                                      				char _v8;
                                                      				char _v28;
                                                      				void* _v32;
                                                      				signed int _v36;
                                                      				signed int _v40;
                                                      				void* _t28;
                                                      				char _t31;
                                                      				char _t32;
                                                      				signed int _t33;
                                                      				signed int _t41;
                                                      				signed int _t42;
                                                      				signed int _t43;
                                                      				signed int _t44;
                                                      				signed int _t45;
                                                      				signed int _t46;
                                                      				signed int _t51;
                                                      				void* _t52;
                                                      				void* _t53;
                                                      				void* _t54;
                                                      				void* _t55;
                                                      				void* _t56;
                                                      				signed int _t63;
                                                      				char _t67;
                                                      				signed int _t70;
                                                      				signed int _t72;
                                                      				void* _t79;
                                                      				void* _t81;
                                                      				signed int _t83;
                                                      				signed int _t86;
                                                      				void* _t91;
                                                      
                                                      				_t70 = __edx;
                                                      				asm("xorps xmm0, xmm0");
                                                      				 *0x73435040 = _a8;
                                                      				 *0x7343503c = _a16;
                                                      				asm("movlpd [esp+0x10], xmm0");
                                                      				_t28 = E7343152B();
                                                      				_push(_t28);
                                                      				_v32 = _t28;
                                                      				_t72 = E73431326();
                                                      				_t63 = _t70;
                                                      				_t79 = E7343152B();
                                                      				_a16 = _t79;
                                                      				_t67 =  *_t79;
                                                      				_t31 = _t67;
                                                      				_a8 = _t31;
                                                      				if(_t67 == 0x7e) {
                                                      					L3:
                                                      					_t68 = _v36;
                                                      					_t83 = _v40;
                                                      					L4:
                                                      					_t32 = _t31;
                                                      					_t91 = _t32 - 0x2f;
                                                      					if(_t91 > 0) {
                                                      						_t33 = _t32 - 0x3c;
                                                      						__eflags = _t33;
                                                      						if(_t33 == 0) {
                                                      							__eflags =  *((char*)(_t79 + 1)) - 0x3c;
                                                      							if( *((char*)(_t79 + 1)) != 0x3c) {
                                                      								__eflags = _t63 - _t68;
                                                      								if(__eflags > 0) {
                                                      									L18:
                                                      									asm("xorps xmm0, xmm0");
                                                      									asm("movlpd [esp+0x10], xmm0");
                                                      									_t72 = _v40;
                                                      									_t63 = _v36;
                                                      									L19:
                                                      									_push( &_v28);
                                                      									_push(_t63);
                                                      									_push(_t72);
                                                      									E7343144D(_t68);
                                                      									E7343157E( &_v28);
                                                      									GlobalFree(_v32);
                                                      									return GlobalFree(_t79);
                                                      								}
                                                      								if(__eflags < 0) {
                                                      									L57:
                                                      									_t72 = 1;
                                                      									_t63 = 0;
                                                      									goto L19;
                                                      								}
                                                      								__eflags = _t72 - _t83;
                                                      								if(_t72 >= _t83) {
                                                      									goto L18;
                                                      								}
                                                      								goto L57;
                                                      							}
                                                      							_t70 = _t63;
                                                      							_t68 = _t83;
                                                      							_t41 = E73433090(_t72, _t83, _t70);
                                                      							L53:
                                                      							_t72 = _t41;
                                                      							_t63 = _t70;
                                                      							goto L19;
                                                      						}
                                                      						_t42 = _t33 - 1;
                                                      						__eflags = _t42;
                                                      						if(_t42 == 0) {
                                                      							__eflags = _t72 - _t83;
                                                      							if(_t72 != _t83) {
                                                      								goto L18;
                                                      							}
                                                      							__eflags = _t63 - _t68;
                                                      							L22:
                                                      							if(__eflags != 0) {
                                                      								goto L18;
                                                      							}
                                                      							goto L57;
                                                      						}
                                                      						_t43 = _t42 - 1;
                                                      						__eflags = _t43;
                                                      						if(_t43 == 0) {
                                                      							__eflags =  *((char*)(_t79 + 1)) - 0x3e;
                                                      							if( *((char*)(_t79 + 1)) != 0x3e) {
                                                      								__eflags = _t63 - _t68;
                                                      								if(__eflags < 0) {
                                                      									goto L18;
                                                      								}
                                                      								if(__eflags > 0) {
                                                      									goto L57;
                                                      								}
                                                      								__eflags = _t72 - _t83;
                                                      								if(_t72 <= _t83) {
                                                      									goto L18;
                                                      								}
                                                      								goto L57;
                                                      							}
                                                      							__eflags =  *((char*)(_t79 + 2)) - 0x3e;
                                                      							_t44 = _t72;
                                                      							_t70 = _t63;
                                                      							_t68 = _t83;
                                                      							if( *((char*)(_t79 + 2)) != 0x3e) {
                                                      								_t41 = E734330B0(_t44, _t68, _t70);
                                                      							} else {
                                                      								_t41 = E734330E0(_t44, _t68, _t70);
                                                      							}
                                                      							goto L53;
                                                      						}
                                                      						_t45 = _t43 - 0x20;
                                                      						__eflags = _t45;
                                                      						if(_t45 == 0) {
                                                      							_t72 = _t72 ^ _t83;
                                                      							_t63 = _t63 ^ _t68;
                                                      							goto L19;
                                                      						}
                                                      						_t46 = _t45 - 0x1e;
                                                      						__eflags = _t46;
                                                      						if(_t46 == 0) {
                                                      							__eflags =  *((char*)(_t79 + 1)) - 0x7c;
                                                      							if( *((char*)(_t79 + 1)) != 0x7c) {
                                                      								_t72 = _t72 | _t83;
                                                      								_t63 = _t63 | _t68;
                                                      								goto L19;
                                                      							}
                                                      							__eflags = _t72 | _t63;
                                                      							if((_t72 | _t63) != 0) {
                                                      								goto L57;
                                                      							}
                                                      							L17:
                                                      							__eflags = _t83 | _t68;
                                                      							if((_t83 | _t68) != 0) {
                                                      								goto L57;
                                                      							}
                                                      							goto L18;
                                                      						}
                                                      						__eflags = _t46 == 0;
                                                      						if(_t46 == 0) {
                                                      							_t72 =  !_t72;
                                                      							_t63 =  !_t63;
                                                      						}
                                                      						goto L19;
                                                      					}
                                                      					if(_t91 == 0) {
                                                      						L24:
                                                      						__eflags = _t83 | _t68;
                                                      						if((_t83 | _t68) != 0) {
                                                      							_push(_t68);
                                                      							_push(_t83);
                                                      							_push(_t63);
                                                      							_push(_t72);
                                                      							_t51 = E73432FB0();
                                                      							_t86 = _t63;
                                                      							_t72 = _t51;
                                                      							_t63 = _t70;
                                                      						} else {
                                                      							asm("xorps xmm0, xmm0");
                                                      							_t68 = _t72;
                                                      							asm("movlpd [esp+0x10], xmm0");
                                                      							_t86 = _t63;
                                                      							_t63 = _v36;
                                                      							_t72 = _v40;
                                                      						}
                                                      						__eflags = _v8 - 0x2f;
                                                      						if(_v8 != 0x2f) {
                                                      							_t72 = _t68;
                                                      							_t63 = _t86;
                                                      						}
                                                      						goto L19;
                                                      					}
                                                      					_t52 = _t32 - 0x21;
                                                      					if(_t52 == 0) {
                                                      						__eflags = _t72 | _t63;
                                                      						goto L22;
                                                      					}
                                                      					_t53 = _t52 - 4;
                                                      					if(_t53 == 0) {
                                                      						goto L24;
                                                      					}
                                                      					_t54 = _t53 - 1;
                                                      					if(_t54 == 0) {
                                                      						__eflags =  *((char*)(_t79 + 1)) - 0x26;
                                                      						if( *((char*)(_t79 + 1)) != 0x26) {
                                                      							_t72 = _t72 & _t83;
                                                      							_t63 = _t63 & _t68;
                                                      							goto L19;
                                                      						}
                                                      						__eflags = _t72 | _t63;
                                                      						if((_t72 | _t63) == 0) {
                                                      							goto L18;
                                                      						}
                                                      						goto L17;
                                                      					}
                                                      					_t55 = _t54 - 4;
                                                      					if(_t55 == 0) {
                                                      						_t41 = E73432ED0(_t72, _t63, _t83, _t68);
                                                      						goto L53;
                                                      					} else {
                                                      						_t56 = _t55 - 1;
                                                      						if(_t56 == 0) {
                                                      							_t72 = _t72 + _t83;
                                                      							asm("adc ebx, ecx");
                                                      						} else {
                                                      							if(_t56 == 0) {
                                                      								_t72 = _t72 - _t83;
                                                      								asm("sbb ebx, ecx");
                                                      							}
                                                      						}
                                                      						goto L19;
                                                      					}
                                                      				}
                                                      				_a8 = _t67;
                                                      				if(_t67 == 0x21) {
                                                      					goto L3;
                                                      				} else {
                                                      					_t81 = E7343152B();
                                                      					_push(_t81);
                                                      					_t83 = E73431326();
                                                      					_v40 = _t70;
                                                      					GlobalFree(_t81);
                                                      					_t79 = _a16;
                                                      					_t68 = _v40;
                                                      					_t31 =  *_t79;
                                                      					_a8 = _t31;
                                                      					goto L4;
                                                      				}
                                                      			}


                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.853199298.0000000073431000.00000020.00000001.01000000.00000004.sdmp, Offset: 73430000, based on PE: true
                                                      • Associated: 00000000.00000002.853187298.0000000073430000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853222168.0000000073434000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853240329.0000000073436000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73430000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: FreeGlobal$__alldvrm
                                                      • String ID: /
                                                      • API String ID: 482422042-2043925204
                                                      • Opcode ID: 95bfaaedfd28a7f7b9f9e870346fd44f14194c5d6c41af777e4c0e8a939c338a
                                                      • Instruction ID: 4fd2b83334097bdb2a005157dc9cc89f852087376ff1a826e3235ef372fa341b
                                                      • Opcode Fuzzy Hash: 95bfaaedfd28a7f7b9f9e870346fd44f14194c5d6c41af777e4c0e8a939c338a
                                                      • Instruction Fuzzy Hash: 19510C72A083458FF31EBE7585C433A76FAAB8F104FD8052DE162B3344D6A2E846435A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E734310C6(void* _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
                                                      				signed int _v0;
                                                      				void _t29;
                                                      				void* _t30;
                                                      				void* _t36;
                                                      				void* _t43;
                                                      				intOrPtr _t52;
                                                      				void* _t56;
                                                      				void* _t62;
                                                      				void* _t63;
                                                      				void _t66;
                                                      				void* _t67;
                                                      				void* _t74;
                                                      				signed int _t75;
                                                      				void* _t79;
                                                      				void* _t80;
                                                      				void* _t82;
                                                      				signed int _t83;
                                                      				void* _t85;
                                                      				void _t88;
                                                      				void _t89;
                                                      				void* _t90;
                                                      				void* _t92;
                                                      				void* _t94;
                                                      
                                                      				 *0x73435040 = _a8;
                                                      				 *0x7343503c = _a16;
                                                      				 *0x73435038 = _a12;
                                                      				 *((intOrPtr*)(_a20 + 0xc))( *0x73435014, E734312F7, _t79, _t82);
                                                      				_t83 =  *0x73435040 * 0x14;
                                                      				_v0 = _t83;
                                                      				_t90 = E7343152B();
                                                      				_a8 = _t90;
                                                      				_t80 = _t90;
                                                      				_t66 = _v0;
                                                      				if(_t66 == 0) {
                                                      					L28:
                                                      					return GlobalFree(_t90);
                                                      				}
                                                      				do {
                                                      					_t29 = _t66;
                                                      					_t80 = _t80 + 1;
                                                      					_t94 = _t29 - 0x66;
                                                      					if(_t94 > 0) {
                                                      						_t30 = _t29 - 0x6c;
                                                      						if(_t30 == 0) {
                                                      							L24:
                                                      							_t31 =  *0x73435010;
                                                      							if( *0x73435010 != 0) {
                                                      								E734312FA( *0x73435038, _t31 + 4, _t83);
                                                      								_t67 =  *0x73435010;
                                                      								_t92 = _t92 + 0xc;
                                                      								 *0x73435010 =  *_t67;
                                                      								GlobalFree(_t67);
                                                      							}
                                                      							goto L26;
                                                      						}
                                                      						_t36 = _t30 - 4;
                                                      						if(_t36 == 0) {
                                                      							L15:
                                                      							GlobalFree(E7343157E(E734314E2( *_t80 - 0x30)));
                                                      							_t80 = _t80 + 1;
                                                      							goto L26;
                                                      						}
                                                      						_t43 = _t36;
                                                      						if(_t43 == 0) {
                                                      							L13:
                                                      							GlobalFree(E734315C7( *_t80 - 0x30, E7343152B()));
                                                      							_t80 = _t80 + 1;
                                                      							L11:
                                                      							_t83 = _v0;
                                                      							goto L26;
                                                      						}
                                                      						L8:
                                                      						if(_t43 != 1) {
                                                      							goto L26;
                                                      						}
                                                      						_t88 = GlobalAlloc(0x40, _t83 + 4);
                                                      						_t11 = _t88 + 4; // 0x4
                                                      						E734312FA(_t11,  *0x73435038, _v0);
                                                      						 *_t88 =  *0x73435010;
                                                      						 *0x73435010 = _t88;
                                                      						L10:
                                                      						_t92 = _t92 + 0xc;
                                                      						goto L11;
                                                      					}
                                                      					if(_t94 == 0) {
                                                      						_t74 =  *0x7343503c;
                                                      						_t85 =  *_t74;
                                                      						 *_t74 =  *_t85;
                                                      						_t75 = _v0;
                                                      						_t52 =  *((intOrPtr*)(_t75 + 0xc));
                                                      						_a12 = _t52;
                                                      						if( *((char*)(_t85 + 4)) == 0x1e) {
                                                      							E734312FA(_t75, _t85 + 6, 0x38);
                                                      							_t75 = _v0;
                                                      							_t92 = _t92 + 0xc;
                                                      							_t52 = _a12;
                                                      						}
                                                      						 *((intOrPtr*)(_t75 + 0xc)) = _t52;
                                                      						GlobalFree(_t85);
                                                      						goto L11;
                                                      					}
                                                      					_t56 = _t29 - 0x46;
                                                      					if(_t56 == 0) {
                                                      						_t89 = GlobalAlloc(0x40,  *0x73435040 + 8);
                                                      						 *((intOrPtr*)(_t89 + 4)) = 0x1e;
                                                      						_t14 = _t89 + 6; // 0x6
                                                      						E734312FA(_t14, _v0, 0x38);
                                                      						 *_t89 =  *( *0x7343503c);
                                                      						 *( *0x7343503c) = _t89;
                                                      						goto L10;
                                                      					}
                                                      					_t62 = _t56 - 6;
                                                      					if(_t62 == 0) {
                                                      						goto L24;
                                                      					}
                                                      					_t63 = _t62 - 4;
                                                      					if(_t63 == 0) {
                                                      						 *_t80 =  *_t80 + 0xa;
                                                      						goto L15;
                                                      					}
                                                      					_t43 = _t63;
                                                      					if(_t43 == 0) {
                                                      						 *_t80 =  *_t80 + 0xa;
                                                      						goto L13;
                                                      					}
                                                      					goto L8;
                                                      					L26:
                                                      					_t66 =  *_t80;
                                                      				} while (_t66 != 0);
                                                      				_t90 = _a8;
                                                      				goto L28;
                                                      			}

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.853199298.0000000073431000.00000020.00000001.01000000.00000004.sdmp, Offset: 73430000, based on PE: true
                                                      • Associated: 00000000.00000002.853187298.0000000073430000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853222168.0000000073434000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853240329.0000000073436000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73430000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Global$Free$Alloc
                                                      • String ID:
                                                      • API String ID: 1780285237-0
                                                      • Opcode ID: 46c9a4d1cc1cce6f95d42be62da1df2a1f18f44bb221d45bca477226d0c8c9fe
                                                      • Instruction ID: ed7454c33714265928a8f30230d4cc468c6a780f21c934a9e5dd33bafb7e1e53
                                                      • Opcode Fuzzy Hash: 46c9a4d1cc1cce6f95d42be62da1df2a1f18f44bb221d45bca477226d0c8c9fe
                                                      • Instruction Fuzzy Hash: 8D51BEB61083409FD709EF69C990BA97BF8FF0E204B644459E49AFB390D732E901CB59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00406535(CHAR* _a4) {
                                                      				char _t5;
                                                      				char _t7;
                                                      				char* _t15;
                                                      				char* _t16;
                                                      				CHAR* _t17;
                                                      
                                                      				_t17 = _a4;
                                                      				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                      					_t17 =  &(_t17[4]);
                                                      				}
                                                      				if( *_t17 != 0 && E00405C56(_t17) != 0) {
                                                      					_t17 =  &(_t17[2]);
                                                      				}
                                                      				_t5 =  *_t17;
                                                      				_t15 = _t17;
                                                      				_t16 = _t17;
                                                      				if(_t5 != 0) {
                                                      					do {
                                                      						if(_t5 > 0x1f &&  *((char*)(E00405C14("*?|<>/\":", _t5))) == 0) {
                                                      							E00405DA5(_t16, _t17, CharNextA(_t17) - _t17);
                                                      							_t16 = CharNextA(_t16);
                                                      						}
                                                      						_t17 = CharNextA(_t17);
                                                      						_t5 =  *_t17;
                                                      					} while (_t5 != 0);
                                                      				}
                                                      				 *_t16 =  *_t16 & 0x00000000;
                                                      				while(1) {
                                                      					_t16 = CharPrevA(_t15, _t16);
                                                      					_t7 =  *_t16;
                                                      					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                      						break;
                                                      					}
                                                      					 *_t16 =  *_t16 & 0x00000000;
                                                      					if(_t15 < _t16) {
                                                      						continue;
                                                      					}
                                                      					break;
                                                      				}
                                                      				return _t7;
                                                      			}

                                                      APIs
                                                      • CharNextA.USER32(0000000B,*?|<>/":,00000000,?,7476FA90,00485000,0047B000,0040338E,00485000,00485000,00403690,?,00000007,00000009,0000000B), ref: 0040658D
                                                      • CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,7476FA90,00485000,0047B000,0040338E,00485000,00485000,00403690,?,00000007,00000009,0000000B), ref: 0040659A
                                                      • CharNextA.USER32(0000000B,?,7476FA90,00485000,0047B000,0040338E,00485000,00485000,00403690,?,00000007,00000009,0000000B), ref: 0040659F
                                                      • CharPrevA.USER32(0000000B,0000000B,7476FA90,00485000,0047B000,0040338E,00485000,00485000,00403690,?,00000007,00000009,0000000B), ref: 004065AF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.834230894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834244274.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004C7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004CF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004D1000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004DF000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Char$Next$Prev
                                                      • String ID: *?|<>/":
                                                      • API String ID: 589700163-165019052
                                                      • Opcode ID: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
                                                      • Instruction ID: f1a46c244338e9c327de57877a99ef2f1f2ce6c7380876dc27bda46ebf0462ee
                                                      • Opcode Fuzzy Hash: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
                                                      • Instruction Fuzzy Hash: 671134918047903DFB3216386C04B776FC94F9B760F5A007BE4C2722CAC63C5CA6826D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 48%
                                                      			E00402D3B(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                                                      				void* _v8;
                                                      				int _v12;
                                                      				char _v276;
                                                      				void* _t27;
                                                      				signed int _t33;
                                                      				intOrPtr* _t35;
                                                      				signed int _t45;
                                                      				signed int _t46;
                                                      				signed int _t47;
                                                      
                                                      				_t46 = _a12;
                                                      				_t47 = _t46 & 0x00000300;
                                                      				_t45 = _t46 & 0x00000001;
                                                      				_t27 = E004060DD(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                                      				if(_t27 == 0) {
                                                      					if((_a12 & 0x00000002) == 0) {
                                                      						L3:
                                                      						_push(0x105);
                                                      						_push( &_v276);
                                                      						_push(0);
                                                      						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
                                                      							__eflags = _t45;
                                                      							if(__eflags != 0) {
                                                      								L10:
                                                      								RegCloseKey(_v8);
                                                      								return 0x3eb;
                                                      							}
                                                      							_t33 = E00402D3B(__eflags, _v8,  &_v276, _a12);
                                                      							__eflags = _t33;
                                                      							if(_t33 != 0) {
                                                      								break;
                                                      							}
                                                      							_push(0x105);
                                                      							_push( &_v276);
                                                      							_push(_t45);
                                                      						}
                                                      						RegCloseKey(_v8);
                                                      						_t35 = E00406663(3);
                                                      						if(_t35 != 0) {
                                                      							return  *_t35(_a4, _a8, _t47, 0);
                                                      						}
                                                      						return RegDeleteKeyA(_a4, _a8);
                                                      					}
                                                      					_v12 = 0;
                                                      					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                      						goto L10;
                                                      					}
                                                      					goto L3;
                                                      				}
                                                      				return _t27;
                                                      			}












                                                      APIs
                                                      • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
                                                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CloseEnum$DeleteValue
                                                      • String ID:
                                                      • API String ID: 1354259210-0
                                                      • Opcode ID: d3065a1495d08a70ee0ec73ce03137b35b959529f7d494a5279a47c727d8abac
                                                      • Instruction ID: d48e4a71bfa48a15fd7248f9ae3dc224302ba9e6f67c9eaa91d5645e55e2e307
                                                      • Opcode Fuzzy Hash: d3065a1495d08a70ee0ec73ce03137b35b959529f7d494a5279a47c727d8abac
                                                      • Instruction Fuzzy Hash: D9213771500108BADF129F90CE89EEB7B7DEF44344F10047AFA15B11A0D7B49EA4AAA8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E00401D65(void* __ebx, void* __edx) {
                                                      				struct HWND__* _t30;
                                                      				CHAR* _t38;
                                                      				void* _t48;
                                                      				void* _t53;
                                                      				signed int _t55;
                                                      				signed int _t58;
                                                      				long _t61;
                                                      				void* _t65;
                                                      
                                                      				_t53 = __ebx;
                                                      				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
                                                      					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
                                                      				} else {
                                                      					E00402C17(2);
                                                      					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
                                                      				}
                                                      				_t55 =  *(_t65 - 0x1c);
                                                      				 *(_t65 + 8) = _t30;
                                                      				_t58 = _t55 & 0x00000004;
                                                      				 *(_t65 - 0xc) = _t55 & 0x00000003;
                                                      				 *(_t65 - 0x34) = _t55 >> 0x1f;
                                                      				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
                                                      				if((_t55 & 0x00010000) == 0) {
                                                      					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
                                                      				} else {
                                                      					_t38 = E00402C39(0x11);
                                                      				}
                                                      				 *(_t65 - 8) = _t38;
                                                      				GetClientRect( *(_t65 + 8), _t65 - 0x84);
                                                      				asm("sbb edi, edi");
                                                      				_t61 = LoadImageA( ~_t58 &  *0x452420,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
                                                      				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
                                                      				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
                                                      					DeleteObject(_t48);
                                                      				}
                                                      				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
                                                      					_push(_t61);
                                                      					E004061B5();
                                                      				}
                                                      				 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t65 - 4));
                                                      				return 0;
                                                      			}











                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                      • String ID:
                                                      • API String ID: 1849352358-0
                                                      • Opcode ID: a576bf6efa7c2fb23105444ffa85423c352b0735285158bf1a86dfd814425e5e
                                                      • Instruction ID: e108dfa7ff8bed4c569463ce295f5c853ec5e47b290a4dfb9769ed3a77c2d4ca
                                                      • Opcode Fuzzy Hash: a576bf6efa7c2fb23105444ffa85423c352b0735285158bf1a86dfd814425e5e
                                                      • Instruction Fuzzy Hash: 63213B72E00109AFDF15DFA4DD85AAEBBB5EB48300F24407EF901F62A1DB789941DB14
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 73%
                                                      			E00401E35(intOrPtr __edx) {
                                                      				void* __esi;
                                                      				int _t9;
                                                      				signed char _t15;
                                                      				struct HFONT__* _t18;
                                                      				intOrPtr _t30;
                                                      				struct HDC__* _t31;
                                                      				void* _t33;
                                                      				void* _t35;
                                                      
                                                      				_t30 = __edx;
                                                      				_t31 = GetDC( *(_t35 - 8));
                                                      				_t9 = E00402C17(2);
                                                      				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                      				0x414438->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                                                      				ReleaseDC( *(_t35 - 8), _t31);
                                                      				 *0x414448 = E00402C17(3);
                                                      				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                                                      				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                                                      				 *0x41444f = 1;
                                                      				 *0x41444c = _t15 & 0x00000001;
                                                      				 *0x41444d = _t15 & 0x00000002;
                                                      				 *0x41444e = _t15 & 0x00000004;
                                                      				E004062EA(_t9, _t31, _t33, 0x414454,  *((intOrPtr*)(_t35 - 0x24)));
                                                      				_t18 = CreateFontIndirectA(0x414438);
                                                      				_push(_t18);
                                                      				_push(_t33);
                                                      				E004061B5();
                                                      				 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t35 - 4));
                                                      				return 0;
                                                      			}











                                                      APIs
                                                      • GetDC.USER32(?), ref: 00401E38
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                      • ReleaseDC.USER32 ref: 00401E6B
                                                      • CreateFontIndirectA.GDI32(00414438), ref: 00401EBA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                                      • String ID:
                                                      • API String ID: 3808545654-0
                                                      • Opcode ID: e89e6eedd1c15f4ce250c8d11fd485d8fe03999d8a0dbcf2c806e51525b441ac
                                                      • Instruction ID: 8ddd809678b75effdda657bd79c7971a8a008a3e86d82937076eaa48eaf57caa
                                                      • Opcode Fuzzy Hash: e89e6eedd1c15f4ce250c8d11fd485d8fe03999d8a0dbcf2c806e51525b441ac
                                                      • Instruction Fuzzy Hash: 8D01B571504240AFE7006BB0EE4ABDD7FF49B95319F14447DF281B71E2CA7804898B2D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 77%
                                                      			E00404B1D(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                      				char _v36;
                                                      				char _v68;
                                                      				void* __ebx;
                                                      				void* __edi;
                                                      				void* __esi;
                                                      				signed int _t21;
                                                      				signed int _t22;
                                                      				void* _t29;
                                                      				void* _t31;
                                                      				void* _t32;
                                                      				void* _t41;
                                                      				signed int _t43;
                                                      				signed int _t47;
                                                      				signed int _t50;
                                                      				signed int _t51;
                                                      				signed int _t53;
                                                      
                                                      				_t21 = _a16;
                                                      				_t51 = _a12;
                                                      				_t41 = 0xffffffdc;
                                                      				if(_t21 == 0) {
                                                      					_push(0x14);
                                                      					_pop(0);
                                                      					_t22 = _t51;
                                                      					if(_t51 < 0x100000) {
                                                      						_push(0xa);
                                                      						_pop(0);
                                                      						_t41 = 0xffffffdd;
                                                      					}
                                                      					if(_t51 < 0x400) {
                                                      						_t41 = 0xffffffde;
                                                      					}
                                                      					if(_t51 < 0xffff3333) {
                                                      						_t50 = 0x14;
                                                      						asm("cdq");
                                                      						_t22 = 1 / _t50 + _t51;
                                                      					}
                                                      					_t23 = _t22 & 0x00ffffff;
                                                      					_t53 = _t22 >> 0;
                                                      					_t43 = 0xa;
                                                      					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                                      				} else {
                                                      					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                                      					_t47 = 0;
                                                      				}
                                                      				_t29 = E004062EA(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                                      				_t31 = E004062EA(_t41, _t47, _t53,  &_v68, _t41);
                                                      				_t32 = E004062EA(_t41, _t47, 0x43c090, 0x43c090, _a8);
                                                      				wsprintfA(_t32 + lstrlenA(0x43c090), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                                      				return SetDlgItemTextA( *0x44e3f8, _a4, 0x43c090);
                                                      			}




















                                                      APIs
                                                      • lstrlenA.KERNEL32(0043C090,0043C090,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A38,000000DF,00000000,00000400,?), ref: 00404BBB
                                                      • wsprintfA.USER32 ref: 00404BC3
                                                      • SetDlgItemTextA.USER32 ref: 00404BD6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: ItemTextlstrlenwsprintf
                                                      • String ID: %u.%u%s%s
                                                      • API String ID: 3540041739-3551169577
                                                      • Opcode ID: d9fdd94c6c7d21cc1bd3bad7b599d4d8a7aee2a07ccce26fc953cdd7643c1a86
                                                      • Instruction ID: 7c3cbaaa6cddaf4418f9485f50c6cec2219b2b57f28ad8e3923d4dc00c9a2874
                                                      • Opcode Fuzzy Hash: d9fdd94c6c7d21cc1bd3bad7b599d4d8a7aee2a07ccce26fc953cdd7643c1a86
                                                      • Instruction Fuzzy Hash: 7811E773A0412867DB00766D9C41FAF3298DB85374F25027BFA26F31D1E978DC1282A8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 59%
                                                      			E00401C2E(intOrPtr __edx) {
                                                      				int _t29;
                                                      				long _t30;
                                                      				signed int _t32;
                                                      				CHAR* _t35;
                                                      				long _t36;
                                                      				int _t41;
                                                      				signed int _t42;
                                                      				int _t46;
                                                      				int _t56;
                                                      				intOrPtr _t57;
                                                      				struct HWND__* _t61;
                                                      				void* _t64;
                                                      
                                                      				_t57 = __edx;
                                                      				_t29 = E00402C17(3);
                                                      				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                      				 *(_t64 - 8) = _t29;
                                                      				_t30 = E00402C17(4);
                                                      				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                      				 *(_t64 + 8) = _t30;
                                                      				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                                                      					 *((intOrPtr*)(__ebp - 8)) = E00402C39(0x33);
                                                      				}
                                                      				__eflags =  *(_t64 - 0x14) & 0x00000002;
                                                      				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                                                      					 *(_t64 + 8) = E00402C39(0x44);
                                                      				}
                                                      				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                                                      				_push(1);
                                                      				if(__eflags != 0) {
                                                      					_t59 = E00402C39();
                                                      					_t32 = E00402C39();
                                                      					asm("sbb ecx, ecx");
                                                      					asm("sbb eax, eax");
                                                      					_t35 =  ~( *_t31) & _t59;
                                                      					__eflags = _t35;
                                                      					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                      					goto L10;
                                                      				} else {
                                                      					_t61 = E00402C17();
                                                      					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                      					_t41 = E00402C17(2);
                                                      					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                                                      					_t56 =  *(_t64 - 0x14) >> 2;
                                                      					if(__eflags == 0) {
                                                      						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                                                      						L10:
                                                      						 *(_t64 - 0xc) = _t36;
                                                      					} else {
                                                      						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                                                      						asm("sbb eax, eax");
                                                      						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                      					}
                                                      				}
                                                      				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                                                      				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                                                      					_push( *(_t64 - 0xc));
                                                      					E004061B5();
                                                      				}
                                                      				 *0x4524a8 =  *0x4524a8 +  *((intOrPtr*)(_t64 - 4));
                                                      				return 0;
                                                      			}
















                                                      APIs
                                                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Timeout
                                                      • String ID: !
                                                      • API String ID: 1777923405-2657877971
                                                      • Opcode ID: a2a89bb8462c7151f84b5e8a0709187cefd4722cf5762b3f674c81304cb6edd9
                                                      • Instruction ID: fb252943c263502b915e172e451356f37a414cf8932e3a565ad31ae7147df210
                                                      • Opcode Fuzzy Hash: a2a89bb8462c7151f84b5e8a0709187cefd4722cf5762b3f674c81304cb6edd9
                                                      • Instruction Fuzzy Hash: E2217371948208BEEB059FB5DA86AAD7FB4EF45304F10447EF101B61D1D7B989819B18
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 83%
                                                      			E0040247E(void* __eax, int __ebx, intOrPtr __edx) {
                                                      				void* _t18;
                                                      				void* _t19;
                                                      				int _t22;
                                                      				int _t28;
                                                      				intOrPtr _t31;
                                                      				void* _t32;
                                                      				intOrPtr _t35;
                                                      				void* _t37;
                                                      				void* _t40;
                                                      
                                                      				_t31 = __edx;
                                                      				_t28 = __ebx;
                                                      				_t35 =  *((intOrPtr*)(_t37 - 0x18));
                                                      				_t32 = __eax;
                                                      				 *(_t37 - 0x38) =  *(_t37 - 0x14);
                                                      				 *(_t37 - 0x78) = E00402C39(2);
                                                      				_t18 = E00402C39(0x11);
                                                      				 *(_t37 - 4) = 1;
                                                      				_t19 = E00402CC9(_t40, _t32, _t18, 2);
                                                      				 *(_t37 + 8) = _t19;
                                                      				if(_t19 != __ebx) {
                                                      					_t22 = 0;
                                                      					if(_t35 == 1) {
                                                      						E00402C39(0x23);
                                                      						_t22 = lstrlenA(0x40e438) + 1;
                                                      					}
                                                      					if(_t35 == 4) {
                                                      						 *0x40e438 = E00402C17(3);
                                                      						 *((intOrPtr*)(_t37 - 0x88)) = _t31;
                                                      						_t22 = _t35;
                                                      					}
                                                      					if(_t35 == 3) {
                                                      						_t22 = E00403143( *((intOrPtr*)(_t37 - 0x1c)), _t28, 0x40e438, 0x6000);
                                                      					}
                                                      					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x78), _t28,  *(_t37 - 0x38), 0x40e438, _t22) == 0) {
                                                      						 *(_t37 - 4) = _t28;
                                                      					}
                                                      					_push( *(_t37 + 8));
                                                      					RegCloseKey();
                                                      				}
                                                      				 *0x4524a8 =  *0x4524a8 +  *(_t37 - 4);
                                                      				return 0;
                                                      			}













                                                      APIs
                                                      • lstrlenA.KERNEL32(0040E438,00000023,00000011,00000002), ref: 004024C9
                                                      • RegSetValueExA.ADVAPI32(?,?,?,?,0040E438,00000000,00000011,00000002), ref: 00402509
                                                      • RegCloseKey.ADVAPI32(?,?,?,0040E438,00000000,00000011,00000002), ref: 004025ED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CloseValuelstrlen
                                                      • String ID: 8@
                                                      • API String ID: 2655323295-819625340
                                                      • Opcode ID: 4c072f9a7ce7e23c540161612128db661e48e2455f0730e82c594c4547d587b3
                                                      • Instruction ID: 5c472bfcd106fad06d1ca2f2b491726f83d19557c2f496224d1fecae1d857e91
                                                      • Opcode Fuzzy Hash: 4c072f9a7ce7e23c540161612128db661e48e2455f0730e82c594c4547d587b3
                                                      • Instruction Fuzzy Hash: C3115E71E04208BEEB10AFA5DE49AAEBA74AB44714F20443BF505B71C1D6B98D909B68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00402EA8(intOrPtr _a4) {
                                                      				long _t2;
                                                      				struct HWND__* _t3;
                                                      				struct HWND__* _t6;
                                                      
                                                      				if(_a4 == 0) {
                                                      					if( *0x432048 == 0) {
                                                      						_t2 = GetTickCount();
                                                      						if(_t2 >  *0x45242c) {
                                                      							_t3 = CreateDialogParamA( *0x452420, 0x6f, 0, E00402E25, 0);
                                                      							 *0x432048 = _t3;
                                                      							return ShowWindow(_t3, 5);
                                                      						}
                                                      						return _t2;
                                                      					} else {
                                                      						return E0040669F(0);
                                                      					}
                                                      				} else {
                                                      					_t6 =  *0x432048;
                                                      					if(_t6 != 0) {
                                                      						_t6 = DestroyWindow(_t6);
                                                      					}
                                                      					 *0x432048 = 0;
                                                      					return _t6;
                                                      				}
                                                      			}







                                                      APIs
                                                      • DestroyWindow.USER32(?,00000000,00403086,00000001,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00402EBB
                                                      • GetTickCount.KERNEL32 ref: 00402ED9
                                                      • CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402EF6
                                                      • ShowWindow.USER32(00000000,00000005,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00402F04
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.834230894.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834244274.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000410000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000045B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004C7000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834249681.00000000004CB000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004CF000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004D1000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.834352262.00000000004DF000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                      • String ID:
                                                      • API String ID: 2102729457-0
                                                      • Opcode ID: 215ea6209036c334194e630b3a6d8c331bd9e7ebc391d59cacfd35bfdff6c725
                                                      • Instruction ID: f2601d1978d4935414455477ceead43ade8f8f36080c659767c01e9f51b987ab
                                                      • Opcode Fuzzy Hash: 215ea6209036c334194e630b3a6d8c331bd9e7ebc391d59cacfd35bfdff6c725
                                                      • Instruction Fuzzy Hash: 12F05E31441A20ABC6216B60FF8C99B7B74A705B12B21583AF105B11F6C6B84889CBEC
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E73431E71(intOrPtr _a4, CHAR* _a8) {
                                                      				intOrPtr _t11;
                                                      				intOrPtr _t19;
                                                      				CHAR* _t21;
                                                      
                                                      				_t11 = _a4;
                                                      				if( *((intOrPtr*)(_t11 + 4)) != 1) {
                                                      					_t21 = _a8;
                                                      					_t13 =  ==  ? 0x734340c4 : 0x734340bc;
                                                      					lstrcpyA(_t21,  ==  ? 0x734340c4 : 0x734340bc);
                                                      				} else {
                                                      					_t19 =  *((intOrPtr*)(_t11 + 0x1498));
                                                      					if(( *(_t11 + 0x810) & 0x00000100) != 0) {
                                                      						_t19 =  *((intOrPtr*)( *((intOrPtr*)(_t11 + 0x80c)) + 1));
                                                      					}
                                                      					_t21 = _a8;
                                                      					wsprintfA(_t21, "callback%d", _t19);
                                                      				}
                                                      				return _t21;
                                                      			}







                                                      APIs
                                                      • wsprintfA.USER32 ref: 73431EA4
                                                      • lstrcpyA.KERNEL32(?,error,00000818,734316E5,00000000,?), ref: 73431EC4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.853199298.0000000073431000.00000020.00000001.01000000.00000004.sdmp, Offset: 73430000, based on PE: true
                                                      • Associated: 00000000.00000002.853187298.0000000073430000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853222168.0000000073434000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000000.00000002.853240329.0000000073436000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_73430000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: lstrcpywsprintf
                                                      • String ID: callback%d$error
                                                      • API String ID: 2408954437-1307476583
                                                      • Opcode ID: 507e58b8dc034d3398afac2a95ad0aacea7c421129676c12fbec412c9db43497
                                                      • Instruction ID: e4a5ea1384e7a51b6e49701b0c6f23a0f7ce1fa8bd03b4d5d6b95b5b98dd9da5
                                                      • Opcode Fuzzy Hash: 507e58b8dc034d3398afac2a95ad0aacea7c421129676c12fbec412c9db43497
                                                      • Instruction Fuzzy Hash: BBF034313051209FC708AB049949BEA73FAEF8A310F5984A8F85AAB341C771AC018B99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 89%
                                                      			E004052EC(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                      				int _t15;
                                                      				long _t16;
                                                      
                                                      				_t15 = _a8;
                                                      				if(_t15 != 0x102) {
                                                      					if(_t15 != 0x200) {
                                                      						_t16 = _a16;
                                                      						L7:
                                                      						if(_t15 == 0x419 &&  *0x43c07c != _t16) {
                                                      							_push(_t16);
                                                      							_push(6);
                                                      							 *0x43c07c = _t16;
                                                      							E00404CA7();
                                                      						}
                                                      						L11:
                                                      						return CallWindowProcA( *0x43c084, _a4, _t15, _a12, _t16);
                                                      					}
                                                      					if(IsWindowVisible(_a4) == 0) {
                                                      						L10:
                                                      						_t16 = _a16;
                                                      						goto L11;
                                                      					}
                                                      					_t16 = E00404C27(_a4, 1);
                                                      					_t15 = 0x419;
                                                      					goto L7;
                                                      				}
                                                      				if(_a12 != 0x20) {
                                                      					goto L10;
                                                      				}
                                                      				E00404320(0x413);
                                                      				return 0;
                                                      			}






                                                      APIs
                                                      • IsWindowVisible.USER32(?), ref: 0040531B
                                                      • CallWindowProcA.USER32 ref: 0040536C
                                                        • Part of subcall function 00404320: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00404332
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: Window$CallMessageProcSendVisible
                                                      • String ID:
                                                      • API String ID: 3748168415-3916222277
                                                      • Opcode ID: 55b41b329312dcc7f374a5f01e52e89ce4d23385b54215be366866303fde3b52
                                                      • Instruction ID: 1a66df526f819bcac04dd73860a054bf484f2535563b1484c434c9e94afb1d49
                                                      • Opcode Fuzzy Hash: 55b41b329312dcc7f374a5f01e52e89ce4d23385b54215be366866303fde3b52
                                                      • Instruction Fuzzy Hash: 34017C72104608EBEF206F61ED91AAB372AEB84395F145037FE05751D0C7BA8D929F29
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 90%
                                                      			E0040613E(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
                                                      				int _v8;
                                                      				long _t21;
                                                      				long _t24;
                                                      				char* _t30;
                                                      
                                                      				asm("sbb eax, eax");
                                                      				_v8 = 0x2000;
                                                      				_t21 = E004060DD(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                      				_t30 = _a16;
                                                      				if(_t21 != 0) {
                                                      					L4:
                                                      					 *_t30 =  *_t30 & 0x00000000;
                                                      				} else {
                                                      					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                      					_t21 = RegCloseKey(_a20);
                                                      					_t30[0x1fff] = _t30[0x1fff] & 0x00000000;
                                                      					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                      						goto L4;
                                                      					}
                                                      				}
                                                      				return _t21;
                                                      			}








                                                      APIs
                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00002000,Call,?,?,?,?,00000002,Call,?,004063F6,80000002), ref: 00406184
                                                      • RegCloseKey.ADVAPI32(?,?,004063F6,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsk1BF9.tmp\System.dll), ref: 0040618F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: CloseQueryValue
                                                      • String ID: Call
                                                      • API String ID: 3356406503-1824292864
                                                      • Opcode ID: 7056b7a96e9edebd67e9f8198eb1911ecb61e0a26e20b736ac15770181a1f0eb
                                                      • Instruction ID: 5cbf1d77a42ccbfbde14d2bcc727d6f9e9f9e3285794b8b30d10470a11d9e604
                                                      • Opcode Fuzzy Hash: 7056b7a96e9edebd67e9f8198eb1911ecb61e0a26e20b736ac15770181a1f0eb
                                                      • Instruction Fuzzy Hash: 7501BC32500209ABDF22CF60CC09FDB3FA8EF44360F01803AF916A6192D378C964CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      C-Code - Quality: 100%
                                                      			E00405D4F(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                      				int _v8;
                                                      				int _t12;
                                                      				int _t14;
                                                      				int _t15;
                                                      				CHAR* _t17;
                                                      				CHAR* _t27;
                                                      
                                                      				_t12 = lstrlenA(_a8);
                                                      				_t27 = _a4;
                                                      				_v8 = _t12;
                                                      				while(lstrlenA(_t27) >= _v8) {
                                                      					_t14 = _v8;
                                                      					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                      					_t15 = lstrcmpiA(_t27, _a8);
                                                      					_t27[_v8] =  *(_t14 + _t27);
                                                      					if(_t15 == 0) {
                                                      						_t17 = _t27;
                                                      					} else {
                                                      						_t27 = CharNextA(_t27);
                                                      						continue;
                                                      					}
                                                      					L5:
                                                      					return _t17;
                                                      				}
                                                      				_t17 = 0;
                                                      				goto L5;
                                                      			}










                                                      APIs
                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5F
                                                      • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D77
                                                      • CharNextA.USER32(00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D88
                                                      • lstrlenA.KERNEL32(00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D91
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.834235432.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_Royalistic.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                      • String ID:
                                                      • API String ID: 190613189-0
                                                      • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                      • Instruction ID: 87b880d6ec66590321046a57115c6c0db4d123b3cd257c49f1686e195a850605
                                                      • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                      • Instruction Fuzzy Hash: 0DF0F632200814FFCB02DFA4DD44D9FBBA8EF55350B2580BAE840F7210D634DE019BA8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%